Netgate Discussion Forum
    [SOLVED] Captive portal is blocking port 80

Albéric

      Hi

I have the following issue: when a user is successfully logged in to the captive portal, she is able to access anything except for HTTP. It is as though packets are dropped because the browser times out. That also means an HTTPS connection works fine, and for that matter any protocol will work, but HTTP. I suspect something is wrong with the login interception magic but I can't figure out what.

      I have a default configuration (I am using RADIUS auth though but it is working fine). Since I upgraded from at least 2.1, I had to change the NAT rule created by the CP from 8000 to 8002, but it didn't resolve my problem.

Here is some info:

      $ ipfw zone list
      Currently defined contexts and their members:
      2: em3,
      
      $ ipfw -x 2 show
      65291    0      0 allow pfsync from any to any
      65292    0      0 allow carp from any to any
      65301    2     74 allow ip from any to any layer2 mac-type 0x0806,0x8035
      65302    0      0 allow ip from any to any layer2 mac-type 0x888e,0x88c7
      65303    0      0 allow ip from any to any layer2 mac-type 0x8863,0x8864
      65307    0      0 deny ip from any to any layer2 not mac-type 0x0800,0x86dd
      65310 1018 100441 allow ip from any to table(100) in
      65311  934 248174 allow ip from table(100) to any out
      65312    0      0 allow ip from any to 255.255.255.255 in
      65313    0      0 allow ip from 255.255.255.255 to any out
      65314    0      0 pipe tablearg ip from table(3) to any in
      65315    0      0 pipe tablearg ip from any to table(4) in
      65316    0      0 pipe tablearg ip from table(3) to any out
      65317    0      0 pipe tablearg ip from any to table(4) out
      65318  695  88423 pipe tablearg ip from table(1) to any in
      65319  605 150682 pipe tablearg ip from any to table(2) out
      65532  714  82204 fwd 127.0.0.1,8002 tcp from any to any dst-port 80 in
      65533  648  86753 allow tcp from any to any out
      65534  102   6243 deny ip from any to any
      65535    0      0 allow ip from any to any
      
      $ ipfw -x 2 table all list
      ---table(1)---
      192.168.30.102/32 mac 78:4f:43:8a:ed:c3 2036
      ---table(2)---
      192.168.30.102/32 mac 78:4f:43:8a:ed:c3 2037
      ---table(100)---
      192.168.30.254/32 0
      

      where 192.168.30.254 is the CP address and 192.168.30.102 is my test client (ubuntu).

Here are the firewall rules for the interface:

NAT

Interface    Protocol  Source Address  Source Ports  Dest. Address  Dest. Ports  NAT IP          NAT Ports
WIFIEXTERNE  TCP       *               *             *              80 (HTTP)    192.168.30.254  8002

Rules

Protocol      Source  Port  Destination          Port      Gateway  Queue  Schedule  Description  States
IPv4          *       *     *                    *         *        none                          0 / 0 B
IPv4 TCP/UDP  *       *     WIFIEXTERNE address  53 (DNS)  *        none                          0 / 0 B
IPv4 TCP      *       *     192.168.30.254       8002      *        none             NAT

      I am currently running pfSense 2.3.4.

      Thanks for your insight

Gertjan

        The automatically generated ipfw firewall rules look good to me.

These rules:

...
65318  695  88423 pipe tablearg ip from table(1) to any in
65319  605 150682 pipe tablearg ip from any to table(2) out
...

indicate - see the byte counters - that these two rules are accepting (pass) traffic.
Present in table 1 and 2 are the IP and MAC of your Ubuntu device, which is logged in.
You can see clearly that "logged in against the captive portal" is nothing more than being a member of table 1 and 2.

        So, concerning 'ipfw', you are logged in. ipfw is transparent for your Ubuntu device.

        But, could you mention the reason why you inserted this NAT rule (and the related firewall rule) ?

        Now the GUI Firewall rules :
Your first firewall rule is an any-to-any => pass.
The second rule (everything that is TCP or UDP, coming from everywhere, going to "WIFIEXTERNE address": port 53 == DNS => pass). But nothing will reach this rule, everything is already passed by the first rule.
        Third rule : …. same thing, this rule will never be reached.

        Check out the image.
        I added, for testing purposes, your first rule as my first rule in the captive portal firewall list.
        A next line is a block all for IPv4 (everything after the second rule will never be reached). **
        I can login against the captive portal - and have an internet access (port '80') afterwards.

        => I can't tell you for sure what your problem is. Start by throwing away this NAT rule (and related firewall rule).

        ** : The captive portal is IPv4 only, IPv6 is not being used.

[image: pfsense20170621.PNG]

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

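A small diagnostic that applies Gertjan's check to the ipfw output above, added here as an example (not part of the thread and not pfSense code): it parses `ipfw -x 2 show` and `ipfw -x 2 table all list` text (sample constructed from this thread's output), lists the rules whose packet counters are non-zero, and decides whether a client is logged in from its membership in table 1 and table 2.

```python
import re
# Constructed sample, copied from the ipfw output shown earlier in this thread (context 2)
IPFW_SHOW = """\
65318  695  88423 pipe tablearg ip from table(1) to any in
65319  605 150682 pipe tablearg ip from any to table(2) out
65532  714  82204 fwd 127.0.0.1,8002 tcp from any to any dst-port 80 in
65533  648  86753 allow tcp from any to any out
65534  102   6243 deny ip from any to any
"""
IPFW_TABLES = """\
---table(1)---
192.168.30.102/32 mac 78:4f:43:8a:ed:c3 2036
---table(2)---
192.168.30.102/32 mac 78:4f:43:8a:ed:c3 2037
---table(100)---
192.168.30.254/32 0
"""
RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")
TABLE_HDR_RE = re.compile(r"^---table\((\d+)\)---$")

def parse_rules(text):
    # (rule number, packets, bytes, rule body) per 'ipfw -x <ctx> show' line
    return [(int(m[1]), int(m[2]), int(m[3]), m[4])
            for m in map(RULE_RE.match, text.splitlines()) if m]

def parse_tables(text):
    # {table id: {ip: mac or None}} from 'ipfw -x <ctx> table all list'
    tables, cur = {}, None
    for line in text.splitlines():
        hdr = TABLE_HDR_RE.match(line)
        if hdr:
            cur = int(hdr[1])
            tables[cur] = {}
            continue
        parts = line.split()
        if cur is not None and parts:
            mac = parts[2] if len(parts) > 2 and parts[1] == "mac" else None
            tables[cur][parts[0].split("/")[0]] = mac
    return tables

def is_logged_in(tables, ip, mac):
    # Gertjan's criterion: logged in == present (with that MAC) in table 1 and table 2
    return all(tables.get(t, {}).get(ip) == mac.lower() for t in (1, 2))

def rules_passing_traffic(rules):
    # rule numbers whose packet counter is non-zero (the numbers highlighted in the post)
    return [num for num, pkts, _, _ in rules if pkts > 0]
```

Feed it the real output of the two ipfw commands on the firewall to see at a glance whether a misbehaving client is actually a member of both tables.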
Albéric

          Thanks for your detailed answer.

          But, could you mention the reason why you inserted this NAT rule (and the related firewall rule) ?

          I did not. It is automatically created with the captive portal. I'll try and remove it.

          Now the GUI Firewall rules :
Your first firewall rule is an any-to-any => pass.
The second rule (everything that is TCP or UDP, coming from everywhere, going to "WIFIEXTERNE address": port 53 == DNS => pass). But nothing will reach this rule, everything is already passed by the first rule.
          Third rule : …. same thing, this rule will never be reached.

          I'm aware of that. My final ruleset will be less permissive. It was just for testing.

          I'll keep you updated shortly.

          Thanks

Albéric

            Start by throwing away this NAT rule (and related firewall rule).

            That did it. Thank you very much for your help.

Gertjan

              Great !


              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.