No inetnet when catpive portal is enable

trinitech

Hello all,

I have 3 interfaces:
WAN, LAN, DMZ

WAN interface is connected to an adsl modem and get the wan IP via DHCP ( IPv4 Configuration Type )
AS the DHCP / DNS server come from a windows AC server, the LAN is set as a gateway with the following:
IPv4 Configuration Type: Static ipv4
IPv4 Address: 130.1.1.225/24
MTU:9000

In general setup I have:
DNS Servers: 130.1.1.225
8.8.8.8
8.8.4.4
DNS Server Override: enable
Disable DNS Forwarder: enable

For the DMZ interface I have :
IPv4 Configuration Type: static ipv4
IPv4 Address: 192.168.45.1/24

FOr DMZ, I have enable DHCP server with:

Subnet
192.168.45.0

Subnet mask: 255.255.255.0
range: 192.168.45.10 - 192.168.45.150
DNS servers: 192.168.45.1
8.8.8.8
8.8.4.4

Usig the setup above, when I plug a computer in the DMZ interface I have acess to the internet and I an browse all site and ping google.com with no problems..
However, If I emable the captive portal on the DMZ interface, I loose all access to the internet and I cannot ping google anymore..
The CP has no authentification for now as I want to get the basic to work first so in affect the only box that is ticked on the CP page is 'Enable Captive Portal'

I use DNS resolver on LAN,DMZ, localhost

Firewall rule on DMZ interface is
IPv4 * DMZ net * * * * none   Default allow DNZ to any rule

Could anyone please help me understand why I loose everything when the CP is enabled?

Thank you

trinitech

HI all,

I just realise that I can run
ping 8.8.8.8
but ping google.com do not resolved

16:39:12.514556 90:1b:0e:87:1e:a5 > 00:30:18:01:4f:b1, ethertype IPv4 (0x0800), length 73: (tos 0x0, ttl 128, id 4442, offset 0, flags [none], proto UDP (17), length 59)
    192.168.45.10.56797 > 192.168.45.1.53: [udp sum ok] 60945+ A? www.bbc.co.uk. (31)
16:39:12.543225 00:30:18:01:4f:b1 > 90:1b:0e:87:1e:a5, ethertype IPv4 (0x0800), length 73: (tos 0x0, ttl 64, id 56815, offset 0, flags [none], proto UDP (17), length 59)
    192.168.45.1.53 > 192.168.45.10.56797: [udp sum ok] 60945 ServFail q: A? www.bbc.co.uk. 0/0/0 (31)
16:39:12.543849 90:1b:0e:87:1e:a5 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 92: (tos 0x0, ttl 128, id 4443, offset 0, flags [none], proto UDP (17), length 78)
    192.168.45.10.137 > 192.168.45.255.137: [udp sum ok]

NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
TrnID=0xBCE9
OpCode=0
NmFlags=0x11
Rcode=0
QueryCount=1
AnswerCount=0
AuthorityCount=0
AddressRecCount=0
QuestionRecords:
Name=WWW.BBC.CO.UK  NameType=0x00 (Workstation)
QuestionType=0x20
QuestionClass=0x1

16:39:13.292974 90:1b:0e:87:1e:a5 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 92: (tos 0x0, ttl 128, id 4444, offset 0, flags [none], proto UDP (17), length 78)
    192.168.45.10.137 > 192.168.45.255.137: [udp sum ok]

NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
TrnID=0xBCE9
OpCode=0
NmFlags=0x11
Rcode=0
QueryCount=1
AnswerCount=0
AuthorityCount=0
AddressRecCount=0
QuestionRecords:
Name=WWW.BBC.CO.UK  NameType=0x00 (Workstation)
QuestionType=0x20
QuestionClass=0x1

16:39:14.042928 90:1b:0e:87:1e:a5 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 92: (tos 0x0, ttl 128, id 4445, offset 0, flags [none], proto UDP (17), length 78)
    192.168.45.10.137 > 192.168.45.255.137: [udp sum ok]

NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
TrnID=0xBCE9
OpCode=0
NmFlags=0x11
Rcode=0
QueryCount=1
AnswerCount=0
AuthorityCount=0
AddressRecCount=0
QuestionRecords:
Name=WWW.BBC.CO.UK  NameType=0x00 (Workstation)
QuestionType=0x20
QuestionClass=0x1

16:39:14.814061 90:1b:0e:87:1e:a5 > 00:30:18:01:4f:b1, ethertype IPv4 (0x0800), length 70: (tos 0x0, ttl 128, id 4446, offset 0, flags [none], proto UDP (17), length 56)
    192.168.45.10.56798 > 192.168.45.1.53: [udp sum ok] 54615+ A? google.com. (28)
16:39:14.814440 90:1b:0e:87:1e:a5 > 00:30:18:01:4f:b1, ethertype IPv4 (0x0800), length 70: (tos 0x0, ttl 128, id 4447, offset 0, flags [none], proto UDP (17), length 56)
    192.168.45.10.56799 > 8.8.8.8.53: [udp sum ok] 60084+ A? google.com. (28)
16:39:14.818177 00:30:18:01:4f:b1 > 90:1b:0e:87:1e:a5, ethertype IPv4 (0x0800), length 86: (tos 0x0, ttl 63, id 4625, offset 0, flags [DF], proto UDP (17), length 72)
    8.8.8.8.53 > 192.168.45.10.56799: [udp sum ok] 60084 q: A? google.com. 1/0/0 google.com. A 216.58.201.238 (44)
16:39:14.821856 90:1b:0e:87:1e:a5 > 00:30:18:01:4f:b1, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 128, id 4448, offset 0, flags [none], proto UDP (17), length 64)
    192.168.45.10.61393 > 192.168.45.1.53: [udp sum ok] 62569+ A? www.googleapis.com. (36)
16:39:14.824711 00:30:18:01:4f:b1 > 90:1b:0e:87:1e:a5, ethertype IPv4 (0x0800), length 70: (tos 0x0, ttl 64, id 64341, offset 0, flags [none], proto UDP (17), length 56)
    192.168.45.1.53 > 192.168.45.10.56798: [udp sum ok] 54615 ServFail q: A? google.com. 0/0/0 (28)
16:39:14.827578 00:30:18:01:4f:b1 > 90:1b:0e:87:1e:a5, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 64, id 14360, offset 0, flags [none], proto UDP (17), length 64)
    192.168.45.1.53 > 192.168.45.10.61393: [udp sum ok] 62569 ServFail q: A? www.googleapis.com. 0/0/0 (36)
16:39:15.688373 90:1b:0e:87:1e:a5 > 00:30:18:01:4f:b1, ethertype IPv4 (0x0800), length 83: (tos 0x0, ttl 128, id 4449, offset 0, flags [none], proto UDP (17), length 69)
    192.168.45.10.53377 > 192.168.45.1.53: [udp sum ok] 62448+ A? fsbwserver.f-secure.com. (41)
16:39:15.693733 00:30:18:01:4f:b1 > 90:1b:0e:87:1e:a5, ethertype IPv4 (0x0800), length 83: (tos 0x0, ttl 64, id 56151, offset 0, flags [none], proto UDP (17), length 69)
    192.168.45.1.53 > 192.168.45.10.53377: [udp sum ok] 62448 ServFail q: A? fsbwserver.f-secure.com. 0/0/0 (41)
16:39:15.694900 90:1b:0e:87:1e:a5 > 00:30:18:01:4f:b1, ethertype IPv4 (0x0800), length 83: (tos 0x0, ttl 128, id 4450, offset 0, flags [none], proto UDP (17), length 69)
    192.168.45.10.59623 > 192.168.45.1.53: [udp sum ok] 56836+ AAAA? fsbwserver.f-secure.com. (41)
16:39:15.695169 00:30:18:01:4f:b1 > 90:1b:0e:87:1e:a5, ethertype IPv4 (0x0800), length 83: (tos 0x0, ttl 64, id 44623, offset 0, flags [none], proto UDP (17), length 69)
    192.168.45.1.53 > 192.168.45.10.59623: [udp sum ok] 56836 ServFail q: AAAA? fsbwserver.f-secure.com. 0/0/0 (41)

Dos this information enable anyone her to help please?

Gertjan

First :  Disable DNS Forwarder
Do not use the DNS Forwarder/DNS Resolver as a DNS server for the firewall
Do not check that - enable the (local) DNS Resolver (or forwarder).
No DNS means : no resolving (as you already found out).

@trinitech:

….
However, If I emable the captive portal on the DMZ interface, I loose all access to the internet and I cannot ping google anymore..
.....

and then :
@trinitech:

The CP has no authentification for now as I want to get the basic to work first so in affect the only box that is ticked on the CP page is 'Enable Captive Portal'

Note : NO AUTHENTIFICATION => Nothings passes through (except DNS - but that was broken ;) ).