No Auth Page

deuce

I have 2.4.3-RELEASE-p1 on a Netgate SG-3100.

I have a VLAN1 (if: mvneta1) 10.47.101.0/24
I have a VLAN20  (if: mvneta1.20) 10.47.201.0/24

The LAN is connected to a EdgeSwitch, vlan1 untagged/vlan20 tagged.
The EdgeSwitch is connected to a Ubiquiti AP Pro, Regular SSID untagged/Guest WiFi tagged 20.

The regular SSID on the VLAN1 works fine, resolves fine, pings gateway fine, peachy.
The guest SSID on the VLAN20 does not ping the gateway (10.47.201.1), but it DOES get internet/resolve fine.

When I turn on the Captive Portal the device connects, and tries to connect to 10.47.201.1:8002 to get the Auth Page.
As it cannot connect to the 10.47.201.1, obviously this is the reason for no auth page.

If I put the MAC in override, it works fine, even with the Captive Portal enabled.

It appears that my problem is that it cannot directly connect to the gateway at 10.47.201.1 but I for the life of me cannot figure out why.

NAT is on automatic, though it didn't change when I put manual entries in.
Firewall Rule on the mvneta1.20 VLAN IF allows all protocols/ports to pass
Routing tables show 10.47.201.0/24 to netif mvneta1.20 as well as 10.47.201.1 to lo0

What am I missing? Why can't my devices connect to the gateway/auth page?

Thanks in advance.

Gloom

Silly question but have you put rules in place to allow the connections to the interface on VLAN20 from the subnet?

Derelict

@Gloom:

Silly question but have you put rules in place to allow the connections to the interface on VLAN20 from the subnet?

Post those rules.

Gertjan

@deuce:

….
What am I missing? Why can't my devices connect to the gateway/auth page?

Don't worry, you are not the only one.
It happens more and more : people try to the use the captive portal (not a straight forward, very known function, but, it actually works after 60 seconds of your "setup time") but then things go down-hill fast : they are used a virtual environment and to make sure that the chance that it works right away is completely obliterated : the are using VLAN's from day one.

I tend to say :
No VLAN's
No Virtual thing.
Just a box loaded with pfSense, and if you have to, activate the portal on LAN, if not, make your live even more easier : use a dedicated interface for the captive portal.
If everything works after some time and many tests : call it a day.
The nest day, add a complexity like VLAN's.
Make it work again. Repeat the whole process.
Etc.
Finally, if you feel up to it, add another layer : "virtual" the whole thing.

An approach like this worked great in the old days. When things started to "not work", we knew when it happens, and very shortly after that, also why. Btw, the small gap between these points was called "learning process"  ;)

deuce

@Gloom:

Silly question but have you put rules in place to allow the connections to the interface on VLAN20 from the subnet?

Hrm What do you mean? Should I need an additional rule besides the Firewall Rule on the mvneta1.20 VLAN IF that allows all protocols/ports to pass?

This is the only rule I have in that IF: