Captive Portal acting weird in 2.4(2.4.2-RELEASE-p1)



  • I noticed after upgrading from 2.3.4 to 2.4 that whenever I change any of the settings on the Captive Portal settings page I get locked out of my router, and don't even have access to the internet. If I ping my router (192.168.1.1) I get no response. Only fix would be to reboot the pfSense box… I cannot find any similar issues to this one, so I'm asking for a fix. I even reinstalled the whole OS but it's got the same issue... Shouldn't be hardware related? Thanks in advance.


  • LAYER 8 Netgate

    Are you making said changes from an interface that is served by the captive portal?

    What sort of change are you making?

    You are going to have to provide far more details if you actually want a bug report to be opened that has a prayer of getting worked.



  • Changing any of the options given on the pfSense control panel under Services > Captive Portal tab. When I change anything and want to apply those changes, by pressing the Save button, the page starts reloading and never finishes. After that, I cannot access the pfSense control panel, nor ping the router. I also lose the internet connection, so the only fix that I found to work was to restart the pfSense machine. Then everything starts working as usual. The settings made in the Captive Portal tab are saved, but if I try to change them again I am met with the same issue. I tried different settings, freeradius ones, https and all get me the same problem. What other information could I get you?


  • LAYER 8 Netgate

    Not sure what to tell you. Working here - and apparently everywhere else.

    So it's something peculiar to your environment.

    You'll have to cut loose with network topology, screen shots, etc.

    A specific set of steps to duplicate, starting from a fresh 2.4.2_1 installation would help too.



  • Hello, thanks for the quick response. This is a fresh latest pfSense installed, about 6h ago. For all that other information I need to give, could I get an email or some other form of communication, these posts here are hard to manage and may get some of my private info exposed?



  • With no information given at all like:
    What are the interfaces that you have, IP ranges, VLAN information, network diagram (with sensitive information redacted), chipset for NICs, OS used to access firewall or captive portal, Switch setup …..

    I will take a WAG (Wild ASS Guess)

    Do you have both tagged and untagged traffic on the same interface? I know in previous versions of pfSense, Captive Portal would not just work on the VLAN it was supposed to but affect the parent interfaces as well.

    see https://forum.pfsense.org/index.php?topic=65176.msg355224#msg355224

    But this is a guess, and this problem may not even exist anymore.



  • @aleksasiriski:

    This is a fresh latest pfSense installed, about 6h ago. For all that other information I need to give, could I get an email or some other form of communication, these posts here are hard to manage and may get some of my private info exposed?

    pfSense installations can contain information that is considered private, like your login password, maybe some certificate details or even your email.
    Nothing else.

    Posts on the forum can be edited afterwards, with the edit button.

    Real private support is here : https://www.netgate.com/support/

    A typical bare-bone captive portal setup from scratch can be activated in less than 2 minutes :
    If you are running the captive portal on an OPT1 interface (this is where it belongs) : activate it, assign it an IP like 192.168.2.1 (LAN being 192.168.1.1/24) - setup a DHCP pool on this interface.
    Add a user to the local user manager, give it "access to portal services" only rights.
    Add a "pass all (ICMP/UDP/TCP/IPv4)" firewall rule on the OPT1 interface
    Activate the captive portal on the OPT1 interface, selecting "Authentication Method == Local User Manager / Vouchers" and …. Done.

    If you are activating it on the LAN interface (can also work) :
    No need to setup DHCP, it's already done.
    Check firewall rules for this interface, if you didn't change anything upfront, it's already ok.
    Add a user as usual.
    Activate the captive portal on the LAN interface, selecting "  Authentication Method == Local User Manager / Vouchers" and .... Done.

    All we want to know is : what did you do after installation of pfSense ? What didn't you do ? What is your network setup ? Etc.
    Please understand that we need this description so we can figure out what is wrong.



  • There's no specific config, as I reinstalled the OS I didn't change any settings from the default, just a bit so my internet works, and tried Captive Portal immediately to see if it's fixed. It was not. I'm going to test in a VM rn, will let you know how it goes and then I'll take some screenshots.



  • There, I installed the latest pfSense from the website in a VM and got the same issue, will take some evidence now. *It's the bare bones default config as it can be that's used



  • In the last picture, it just locks me out of accessing the WebUI and blocks my internet, I must restart the pfSense box to make it work again, and all I did was enable CP and press the "Save" button. That happens with changing ANY of the settings in that CP zone…






















  • Just tested the SAME config on 2.3.5 RELEASE and CP works normally, I can change settings and save, nothing breaks… I'll probably do another reinstall of pfsense to 2.3.5 on my machine then.. until this is fixed. Thanks!



  • Check "Allow users/groups …"
    Set a hard time out - and/or soft time out (didn't know nothing was set on initial setup, although, as stated, one of them needs to be set).
    Also : Visit your pfSense, and do not use "admin" to login, but the user you created in the local user manager.

    Did you see : (see image) ?

    @aleksasiriski:

    reinstall of pfsense to 2.3.5 on my machine then.. until this is fixed. Thanks!

    I'm using the latest version in a professional environment (hotel). It rocks. It works just great for me.




  • Tried what you said, same problem.
    I installed pfSense 2.3.5 Release from the website, everything about captive works but, I can't install any packages? They all fail on install…



  • This
    @aleksasiriski:

    …. I can't install any packages? They all fail on install...

    is another subject - another forum, but, in a way, good news.
    It shows (to me) that something really isn't right - hardware maybe  ?

    On what hardware are you installing pfSense ?



  • How isn't hardware right? I use my old pc, but I have the same config in a virtual machine and it all has the same issues, it can't be hardware related.



  • To ease up(same hardware on both configs):
    pfSense 2.4: Captive Portal glitches
    pfSense 2.3.5: Can't install packages
    Please help X. X



  • When re-installing, do you use the saved config file ?
    If so, don't - the stored settings probably break pfSense.
    If not, …. strange.



  • I am not… Especially on vms, I just use the default config and change what I need for testing.
    Now, I was trying to fix packages on pfSense 2.3.5 and somehow the OS broke and I don't have access to webui nor the internet. I am going to reinstall once again and after I may have to switch to OPNSense or smt I really don't know... I love pfSense and don't want to replace it :(



  • @aleksasiriski:

    I am not… Especially on vms,....

    VMS ? Some virtual machine ? Your problems are solved ! Just run pFsense on its own machine and it shines !!
    I'm not saying that pfSense on a VM doesn't work, thousands are doing exactly that, but it needed a good setup for pfSense (the same as non-VM installs ;) ) but also good VM setup …. and that one ... well .... see dedicated forum for more info.

    Example (just guessing) : 2.3.4 (old pfSense version btw) uses an old FreeBSD kernel. 2.4.2_1 uses the newer FreeBSD 11, which needs adapted VM settings.



  • I meant, I do run pfSense on a dedicated machine, my old pc, but today, as I was trying to figure out these problems, I used vms, because I can't do all of my NAT again, I just put it from the backed up file, but in the vms, I do everything from scratch to find out if the problem is with the main machine, and I still have the same problem, on the dedicated pfSense machine with restored some of the settings, and the virtual machine with a completely fresh and default config. So no, not problem solved.



  • I found out the problem for packages not being installed, it's because they are made for that newer kernel, freebsd 11, and so can't be installed on 2.3.5, both 2.3.5 and 2.4 use the same links to packages, which is a bummer, what would be the point of 2.3.5 then? Nonetheless, I'll try 2.4 again to see if it still has the same problem with captive portal and can only hope that if it does, it gets patched soon for me.


  • LAYER 8 Netgate

    System > Update, Update Settings

    Switch to Legacy 2.3.X and you will hit the correct package repo for 2.3.5 / FreeBSD 10.3.



  • OK here we go, finally some kind of error(pfSense 2.4 latest stable):
    Message from syslogd@pfSense
    pfSense nginx: [ emerg ] 99236#100114: bind() to [0.0.0.0]:8002 failed (48: Address already in use)
    Another same one, but instead of 0.0.0.0 it's ::
    Help?



  • @aleksasiriski:

    Message from syslogd@pfSense
    pfSense nginx: [ emerg ] 99236#100114: bind() to [0.0.0.0]:8002 failed (48: Address already in use)

    Ah, now we're getting somewhere  ;D
    Only one instance of nginx process will bind to port "8002" : normally the first instance, your first zone. More zones could be defined.
    8002 for http access (first zone)
    8003 for https access (first zone)
    8004 for http (second zone)
    and so on.

    But : one is already running on that very port. (NOT normal - a previous instance could not be stopped ?! … )

    On my systems, when everything is running, I see this :

    [2.4.2-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: ps ax | grep 'nginx-'
     5611  -  Is       0:00.00 nginx: master process /usr/local/sbin/nginx -c /var/etc/nginx-webConfigurator.conf (nginx)
     6159  -  Is       0:00.00 nginx: master process /usr/local/sbin/nginx -c /var/etc/nginx-cpzone1-CaptivePortal.conf (nginx)
     7546  -  Is       0:00.01 nginx: master process /usr/local/sbin/nginx -c /var/etc/nginx-cpzone1-CaptivePortal-SSL.conf (nginx)
    
    

    which shows one instance for the GUI (webConfigurator) and two for the captive portal (CaptivePortalxxxx) (one for http access and one for https access).

    When I stop the captive portal, the latter two will (should !) disappear.

    Btw :

    sockstat -4l | grep 'nginx'
    

    Check out the logs when everything start from boot or reboot and at least one captive portal is active. When changing settings, it should be stopped, and restarted.

    @aleksasiriski:

    Another same one, but instead of 0.0.0.0 it's ::

    The IPv6 counterpart. Useless for the Captive portal, because it's IPv4 only.
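
An added example (not part of the post above, and not pfSense's own code) that joins the two commands from that post: it lists which PID holds each captive portal listen port and which nginx config that PID was started with, so a leftover instance still bound to 8002 after a stop shows up directly. The PIDs and sample output are constructed, and the upper port bound 8099 is an assumption.

```shell
#!/bin/sh
# Constructed sample of `ps ax` lines (PIDs are made up for the example).
PS_SAMPLE=' 5611  -  Is  0:00.00 nginx: master process /usr/local/sbin/nginx -c /var/etc/nginx-webConfigurator.conf (nginx)
 6159  -  Is  0:00.00 nginx: master process /usr/local/sbin/nginx -c /var/etc/nginx-cpzone1-CaptivePortal.conf (nginx)
 6300  -  I   0:00.00 nginx: worker process (nginx)
 7546  -  Is  0:00.01 nginx: master process /usr/local/sbin/nginx -c /var/etc/nginx-cpzone1-CaptivePortal-SSL.conf (nginx)'

# Constructed sample of `sockstat -4l` lines matching the processes above.
SOCK_SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     nginx      5611  5  tcp4   *:443                 *:*
root     nginx      6159  5  tcp4   *:8002                *:*
root     nginx      6300  5  tcp4   *:8002                *:*
root     nginx      7546  5  tcp4   *:8003                *:*'

# cp_port_holders PS_TEXT SOCKSTAT_TEXT
# Prints "port pid command config" for every listener on a captive portal
# port (8002 and up; 8099 is an assumed upper bound). The last column is the
# nginx config of a master, "(worker)" for an nginx worker, "-" otherwise.
# On the firewall: cp_port_holders "$(ps ax)" "$(sockstat -4l)"
cp_port_holders() {
    { printf '%s\n' "$1"; echo '@@'; printf '%s\n' "$2"; } | awk '
        $0 == "@@" { sock = 1; next }          # marker: sockstat part begins
        !sock && /nginx: master process/ {     # remember config per master PID
            for (i = 1; i < NF; i++) if ($i == "-c") cfg[$1] = $(i + 1)
            next
        }
        !sock && /nginx: worker process/ { cfg[$1] = "(worker)"; next }
        sock {
            n = split($6, a, ":"); port = a[n]  # LOCAL ADDRESS is addr:port
            if (port ~ /^[0-9]+$/ && port + 0 >= 8002 && port + 0 <= 8099)
                print port, $3, $2, (($3 in cfg) ? cfg[$3] : "-")
        }' | sort -n
}

# Demo on the constructed samples.
cp_port_holders "$PS_SAMPLE" "$SOCK_SAMPLE"
```

Any line this prints while the captive portal is supposed to be stopped points at the process that will make the next start fail with "Address already in use".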



  • Ok, I tried both of those commands and they are the same for me (not the ids of the services of course). I only have 1 CP zone, so for the first command, it's those 3 lines. Now, where should I check logs for starting up captive portal, or what do I even need to look for in logs? Thanks a lot, finally some advancement :D



  • What I suspect your problem is: you are running a captive portal on the same LAN that you are accessing the firewall through. So while you are connected to the pfSense you activate the portal but your state is not dropped. Your MAC is not authorized so you are not forwarded to the redirect page and you get the error that you are getting. I bet if you connect another PC, phone or something that was not on the LAN at that time (so it didn't have any open states) that new device will be forwarded to the portal splash screen. The fix would be to clear all your states, but because you can't connect to the firewall you can't do it. That is why restarting pfSense allows you to work once again. Maybe a fix for you would be to create another interface where you can configure the firewall instead of trying to activate a CP on the same interface you are accessing it through.



  • No, you suspect falsely. I already have my macs added, since the pfSense 2.3.0, because that's when I set my everything up. Now in the upgraded 2.4 the only problem with pfSense is when changing some settings under the CP zone tab and saving those options, then the nginx breaks and I have to restart the machine. The changes ARE ACTUALLY SUCCESSFULLY SAVED.



  • @aleksasiriski:

    No, you suspect falsely. I already have my macs added, since the pfSense 2.3.0, because that's when I set my everything up. Now in the upgraded 2.4 the only problem with pfSense is when changing some settings under the CP zone tab and saving those options, then the nginx breaks and I have to restart the machine. The changes ARE ACTUALLY SUCCESSFULLY SAVED.

    See bugs in https://github.com/pfsense/pfsense/pull/3640 maybe this is the problem that you are running into?




  • LAYER 8 Netgate

    Do not administer captive portal from a device subject to the captive portal. Period.

    Please fix that and try again.



  • I don't see my problem in this, but as I see that is some guy who changed the works of captive portal on pfsense? How would I apply his patch then? Thanks in advance. If I don't fix this issue soon, because I just noticed that my captive isn't working at all, not redirecting nor blocking anyone on the network who isn't signed in, even if I manually block the MAC, I'll have to make a switch to 2.3.5, again, as I got a reply on the fix that works for my packages not being installed there.



  • @Derelict:

    Do not administer captive portal from a device subject to the captive portal. Period.

    Please fix that and try again.

    True.
    From an administration point of view, life would be so easy if the captive portal would refuse to be activated on LAN. Only OPTx should be an option.
    On the other hand, many will start to use pfSense with just one ( 1 ! ) NIC, not the 'minimum required' of 2 interfaces (Captive portal : 3).
    Better : no dedicated hardware but VM's - and/or VLAN's as a quick solution.

    Just for the fun, I activated the captive portal on my LAN this morning.
    Added a new zone - gave it a name, filled in a minimum soft- and hard time-out, checked 'local user manager' and "Save".
    My current browser session … timed out, as was stated above, this is actually quite normal. I launched a second, different navigator (IE8) from the same PC, and found myself facing a login screen, (see image). I had to login to be able to do something, like writing this post.
    Thus, I showed myself that the captive portal works well when activated from (my) LAN.
    Note : I have just one firewall rule on my LAN, an explicit "pass-all for IPv4/IPv6/etc".

    Btw : This https://redmine.pfsense.org/issues/8238 is a very small bug that was surfaced recently - not related right now, as it handles the case of removing a MAC from the captive portal's white-list.
    https://github.com/pfsense/pfsense/pull/3640  : a feature request … not implemented yet.

    @aleksasiriski:

    … not redirecting nor blocking anyone on the network who isn't signed in, even if I manually block the MAC, ...

    Blocking manually a MAC ? How did you do that ?




  • You can block internet access for someone under Captive Portal > MACs



  • @aleksasiriski:

    You can block internet access for someone under Captive Portal > MACs

    You're right !
    Never actually saw the Block option. Thanks.



  • You're welcome!
    I'll be trying to install pfSense 2.3.5 now, again, as I can install packages without a problem on it now, and I'll try captive portal to see if it works. Will let you know soon! :D



  • Yep, I installed pfSense 2.3.5 and set everything up, runs flawlessly, thanks for the help everyone, hope my bug is just random and will be automagically fixed in the next update :D

