Captive Portal - What is Allowed?



  • Hello all - hoping someone can enlighten me as I think I am missing something.

    I've been playing with PFSense and its Captive Portal settings. Prior to this I had it set up as a simple NAT router with basic default firewall settings so I could browse the internet and ping things on the internet from behind it. I could also connect to my VPN.

    Then I enable the captive portal and it works - sort of. Once enabled the client cannot access the internet or anything else as expected. When I open the browser the portal page appears and I click continue (I'm not using any vouchers or authentication at the moment). At this point I can then access the internet through the browser as expected. Great. However, I still can't ping anything or connect to my VPN. The only thing the Captive Portal seems to allow through is Internet/Browser traffic. Everything else is still blocked. OK so I can see why you might want this but is there a way to open this up to allow other ports/protocols?

    I checked firewall rules and they are fine. I checked logs and there's literally nothing in them to indicate why stuff would be blocked. I've checked the Captive Portal settings and there don't seem to be any relevant options in there.

    Any ideas? Am I missing something?

    Thanks

    Nat


  • LAYER 8 Netgate

    After you get through the captive portal the users have access to whatever is passed by the rules on that interface (or governed by anything else that might be present outside of pfSense in the infrastructure.)

    Post the rules on the CP interface.



  • Hello and than you for the reply.

    The rules are the default rules as set by the setup wizard and super simple.

    Floating Rules = None
    WAN rules = None
    LAN rules = Allow all out plus the default one you can't change which prevents you locking yourself out of the web interface.

    That's it.

    Strange thing is if I disable the Captive Portal traffic flows just fine including VPN traffic and ICMP so its not firewall rules. Enabling the Captive portal doesn't seem to add any additional rules either.

    Thanks


  • LAYER 8 Netgate

    Enabling captive portal adds rules, but they are not in pf. They are in ipfw.

    https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting



  • Ahhh thank you. So basically yes I was missing something…

    Right I'll go and have a read up on IPFW.

    Very quick last question - can IPFW rules only be configured command line or can they be added in the Gui?

    Thanks

    Nat



  • The rules set for ipfw (ipfw is only use for the captive portal) is hard coded into the captive portal software.
    These rules are non-user editable and normally you don't need to change them except if a total breakage is what is wanted.
    YOUR rules should be put in with "pf" and this one can be edited with the GUI - just select the interface that the captive portal is using.
    Best is that you use a dedicated interface (OPT1) for the captive portal - leaving the LAN for trusted devices only.
    By very nature, a captive portal network IS for non-trusted devices (visitors).

    Said that, know that when you add IP's and MAC's that should pass through without hitting the captive portal, their rules are added to ipfw.
    Se the help page mentioned above, you can see all the ipfw rules and tables.


Log in to reply