Netgate Discussion Forum

    Captive Portal - What is Allowed?

      regnodulous

      Hello all - hoping someone can enlighten me as I think I am missing something.

      I've been playing with pfSense and its Captive Portal settings. Prior to this I had it set up as a simple NAT router with basic default firewall settings so I could browse the internet and ping things on the internet from behind it. I could also connect to my VPN.

      Then I enable the captive portal and it works - sort of. Once enabled the client cannot access the internet or anything else as expected. When I open the browser the portal page appears and I click continue (I'm not using any vouchers or authentication at the moment). At this point I can then access the internet through the browser as expected. Great. However, I still can't ping anything or connect to my VPN. The only thing the Captive Portal seems to allow through is Internet/Browser traffic. Everything else is still blocked. OK so I can see why you might want this but is there a way to open this up to allow other ports/protocols?

      I checked firewall rules and they are fine. I checked logs and there's literally nothing in them to indicate why stuff would be blocked. I've checked the Captive Portal settings and there don't seem to be any relevant options in there.

      Any ideas? Am I missing something?

      Thanks

      Nat

        Derelict LAYER 8 Netgate

        After you get through the captive portal the users have access to whatever is passed by the rules on that interface (or governed by anything else that might be present outside of pfSense in the infrastructure.)

        Post the rules on the CP interface.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

          regnodulous

          Hello and thank you for the reply.

          The rules are the default rules as set by the setup wizard and super simple.

          Floating Rules = None
          WAN rules = None
          LAN rules = Allow all out plus the default one you can't change which prevents you locking yourself out of the web interface.

          That's it.

          Strange thing is if I disable the Captive Portal traffic flows just fine including VPN traffic and ICMP so it's not firewall rules. Enabling the Captive Portal doesn't seem to add any additional rules either.

          Thanks

            Derelict LAYER 8 Netgate

            Enabling captive portal adds rules, but they are not in pf. They are in ipfw.

            https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting

              regnodulous

              Ahhh thank you. So basically yes I was missing something…

              Right I'll go and have a read up on IPFW.

              Very quick last question - can IPFW rules only be configured command line or can they be added in the GUI?

              Thanks

              Nat

                Gertjan

                The rule set for ipfw (ipfw is only used for the captive portal) is hard coded into the captive portal software.
                These rules are non-user editable and normally you don't need to change them except if a total breakage is what is wanted.
                YOUR rules should be put in with "pf" and this one can be edited with the GUI - just select the interface that the captive portal is using.
                Best is that you use a dedicated interface (OPT1) for the captive portal - leaving the LAN for trusted devices only.
                By very nature, a captive portal network IS for non-trusted devices (visitors).

                That said, know that when you add IPs and MACs that should pass through without hitting the captive portal, their rules are added to ipfw.
                See the help page mentioned above; you can see all the ipfw rules and tables.

                No "help me" PM's please. Use the forum, the community will thank you.
                Edit : and where are the logs ??
