
    [FIXED] Captive Portal blocks all after login too (was Cap.Por. blocks…......)

daniele_dll

      Hi,

I've noticed that the captive portal blocks everything except HTTP requests. Is there a way to get all ports working after a login? I was looking at the firewall rules and they shouldn't block ports after a login is done.

IPFW rules after I logged in from the browser:

      
      00030 skipto 50000 ip from any to any in via re1 keep-state
      00500 allow pfsync from any to any
      00500 allow carp from any to any
      00500 allow ip from 192.168.0.74 to any out via re0
      00501 allow ip from any to 192.168.0.74 in via re0
      01000 skipto 50000 ip from any to any not layer2 not via re0
      01001 allow ip from any to any layer2 not via re0
      01100 allow ip from any to any layer2 mac-type 0x0806
      01100 allow ip from any to any layer2 mac-type 0x888e
      01100 allow ip from any to any layer2 mac-type 0x88c7
      01100 allow ip from any to any layer2 mac-type 0x8863
      01100 allow ip from any to any layer2 mac-type 0x8864
      01100 allow ip from any to any layer2 mac-type 0x8863
      01100 allow ip from any to any layer2 mac-type 0x8864
      01100 allow ip from any to any layer2 mac-type 0x888e
      01101 deny ip from any to any layer2 not mac-type 0x0800
      01102 skipto 20000 ip from any to any layer2
      01200 allow udp from any 68 to 255.255.255.255 dst-port 67 in
      01201 allow udp from any 68 to 192.168.0.74 dst-port 67 in
      01202 allow udp from 192.168.0.74 67 to any dst-port 68 out
      01203 allow icmp from 192.168.0.74 to any out icmptypes 8
      01204 allow icmp from any to 192.168.0.74 in icmptypes 0
      01300 allow udp from any to 192.168.0.74 dst-port 53 in
      01300 allow udp from any to 192.168.0.74 dst-port 53 in
      01301 allow udp from 192.168.0.74 53 to any out
      01301 allow udp from 192.168.0.74 53 to any out
      01302 allow tcp from any to 192.168.0.74 dst-port 8000 in
      01302 allow tcp from any to 192.168.0.74 dst-port 8000 in
      01303 allow tcp from 192.168.0.74 8000 to any out
      01303 allow tcp from 192.168.0.74 8000 to any out
      10000 skipto 50000 ip from 192.168.0.14 to any in
      10000 skipto 50000 ip from any to 192.168.0.14 out
      19902 fwd 127.0.0.1,8000 tcp from any to any dst-port 80 in
      19903 allow tcp from any 80 to any out
      19904 deny ip from any to any
      20000 deny ip from 192.168.0.14 to any not MAC any 00:a0:d1:be:4a:2e layer2 in
      20000 deny ip from any to 192.168.0.14 not MAC 00:a0:d1:be:4a:2e any layer2 out
      29900 allow ip from any to any layer2
      65535 allow ip from any to any
      
      

As far as I understand, these rules:
10000 skipto 50000 ip from 192.168.0.14 to any in
10000 skipto 50000 ip from any to 192.168.0.14 out

should let me get IMAP, SSH or whatever else I want working, but this didn't happen :\

I'm using pfSense 1.2.2, but I have the problem with pfSense 1.2.0 too! I have the squid (transparent proxy), squidguard and havp packages installed.

Suggestions?

daniele_dll

I've done some tests and I see that disabling squid as a transparent proxy blocks the web too, so I think the problem is that the captive portal blocks all traffic, and the web works only because pf acts before ipfw, redirecting web requests to the proxy in transparent mode.

Poking around in /etc/inc/captiveportal.inc I found the rule
add 19904 set 1 deny all from any to any

Dropping it, everything starts working correctly, but only web requests need to be authenticated, because if I start Thunderbird I can download my mail from the IMAP server; still, I think dropping that rule is correct.

After I authenticate, I can browse normally without the transparent proxy if I drop that rule.

NOTE:

Trying a simple DNS lookup gives this result on LAN (using the packet capture feature):
13:17:10.940925 IP 192.168.0.14.2887 > 151.99.125.2.53: UDP, length 28
13:17:13.494964 IP 192.168.0.14.2888 > 151.99.125.2.53: UDP, length 28
13:17:15.497696 IP 192.168.0.14.2889 > 151.99.125.2.53: UDP, length 28

but nothing on WAN.

(I executed the command twice, once with packet capture set on LAN and the second time with it set on WAN.)

daniele_dll

No one can help?

daniele_dll

Not resolved yet :\

I've reinstalled the system once more but I get exactly the same problem :\

daniele_dll

UPDATE!!!

Finally … I've done a lot of tests and finally I found the problem!

Dropping the in/out parameter from the ipfw rules lets the connections work right!

I've removed the in/out suffix from the client rules in the captive portal index.php page (located in /usr/local/captiveportal) and in /etc/inc/captiveportal.inc:

/etc/inc/captiveportal.inc

    /* insert ipfw rule to allow ip thru */
    /* per-client pass-through rules, with the trailing "in"/"out" keywords removed */
    if ($ipent['dir'] == "from") {
        mwexec("/sbin/ipfw add $ruleno set 2 skipto 50000 ip from " . $ipent['ip'] . " to any");
        mwexec("/sbin/ipfw add $ruleno set 2 skipto 50000 ip from any to " . $ipent['ip']);
    } else {
        mwexec("/sbin/ipfw add $ruleno set 2 skipto 50000 ip from any to " . $ipent['ip']);
        mwexec("/sbin/ipfw add $ruleno set 2 skipto 50000 ip from " . $ipent['ip'] . " to any");
    }

/usr/local/captiveportal/index.php

    /* upload direction: either a per-user bandwidth pipe or a plain pass-through,
       again without the trailing "in"/"out" keyword */
    if ($peruserbw && !empty($bw_up) && is_numeric($bw_up)) {
        $bw_up_pipeno = $ruleno + 40500;
        exec("/sbin/ipfw add $ruleno set 2 pipe $bw_up_pipeno ip from $clientip to any");
        exec("/sbin/ipfw pipe $bw_up_pipeno config bw {$bw_up}Kbit/s queue 100");
    } else {
        exec("/sbin/ipfw add $ruleno set 2 skipto 50000 ip from $clientip to any");
    }
    /* download direction, same treatment */
    if ($peruserbw && !empty($bw_down) && is_numeric($bw_down)) {
        $bw_down_pipeno = $ruleno + 45500;
        exec("/sbin/ipfw add $ruleno set 2 pipe $bw_down_pipeno ip from any to $clientip");
        exec("/sbin/ipfw pipe $bw_down_pipeno config bw {$bw_down}Kbit/s queue 100");
    } else {
        exec("/sbin/ipfw add $ruleno set 2 skipto 50000 ip from any to $clientip");
    }

daniele_dll
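Added example, not part of the thread or of pfSense: a small Python audit that parses an `ipfw list` dump like the one pasted in the first post and reports, for one client address, whether it has skipto-50000 pass-through rules in both directions, whether those rules still carry the in/out qualifier that the fix above removes, and which catch-all deny (the 19904 rule found earlier in the thread) the client's traffic falls into when it misses its skipto rule. The two rule listings inside the block are constructed samples trimmed from the thread's output; the rule shapes parsed are only the ones that appear on this page.

```python
"""Audit the per-client pass-through rules an authenticated captive portal
client should have in an `ipfw list` dump (pfSense 1.x captive portal)."""
from typing import Optional

# Constructed sample: a subset of the ipfw listing pasted in the thread,
# keeping the rules relevant to the authenticated client 192.168.0.14.
SAMPLE_IPFW_LIST = """\
00030 skipto 50000 ip from any to any in via re1 keep-state
01000 skipto 50000 ip from any to any not layer2 not via re0
01300 allow udp from any to 192.168.0.74 dst-port 53 in
10000 skipto 50000 ip from 192.168.0.14 to any in
10000 skipto 50000 ip from any to 192.168.0.14 out
19902 fwd 127.0.0.1,8000 tcp from any to any dst-port 80 in
19903 allow tcp from any 80 to any out
19904 deny ip from any to any
65535 allow ip from any to any
"""

# Constructed: the same client rules as the patched captiveportal.inc emits
# them, i.e. without the trailing in/out keyword.
FIXED_IPFW_LIST = """\
10000 skipto 50000 ip from 192.168.0.14 to any
10000 skipto 50000 ip from any to 192.168.0.14
19904 deny ip from any to any
65535 allow ip from any to any
"""

# Actions that take one argument before the protocol (skipto 50000, pipe N, ...).
ACTIONS_WITH_ARG = {"skipto", "fwd", "pipe", "queue"}


def parse_rule(line: str) -> dict:
    """Parse one `ipfw list` line into its fields.

    Handles the shapes seen in the thread: an optional action argument, an
    optional source port after the source address ("udp from any 68 to ..."),
    and a trailing options section from which only the in/out keyword is kept.
    """
    tok = line.split()
    num, action, i = int(tok[0]), tok[1], 2
    arg: Optional[str] = None
    if action in ACTIONS_WITH_ARG:
        arg, i = tok[i], i + 1
    proto, i = tok[i], i + 1
    if tok[i] != "from":
        raise ValueError(f"rule {num:05d}: expected 'from', got {tok[i]!r}")
    src, i = tok[i + 1], i + 2
    sport: Optional[str] = None
    if tok[i] != "to":  # optional source port list
        sport, i = tok[i], i + 1
    if tok[i] != "to":
        raise ValueError(f"rule {num:05d}: expected 'to', got {tok[i]!r}")
    dst, options = tok[i + 1], tok[i + 2:]
    direction = next((t for t in options if t in ("in", "out")), None)
    return {"num": num, "action": action, "arg": arg, "proto": proto, "src": src,
            "sport": sport, "dst": dst, "direction": direction, "options": options}


def parse_ipfw_list(text: str) -> list:
    return [parse_rule(line) for line in text.splitlines() if line.strip()]


def audit_client(text: str, client_ip: str) -> dict:
    """Report how the ruleset treats one captive portal client.

    Returns the numbers of the skipto-50000 rules covering traffic from and
    to the client, those among them that still carry an in/out qualifier
    (the thread's fix removes it), and any catch-all "deny ip from any to any"
    numbered between the client's rules and 50000, which is what client
    traffic that misses its skipto rule falls into.
    """
    rules = parse_ipfw_list(text)

    def passes(r: dict) -> bool:
        return r["action"] == "skipto" and r["arg"] == "50000"

    from_client = [r for r in rules if passes(r) and r["src"] == client_ip]
    to_client = [r for r in rules if passes(r) and r["dst"] == client_ip]
    client_rules = from_client + to_client
    first = min((r["num"] for r in client_rules), default=None)
    catch_all = [
        r["num"] for r in rules
        if r["action"] == "deny" and r["proto"] == "ip"
        and r["src"] == "any" and r["dst"] == "any"
        and "layer2" not in r["options"]
        and first is not None and first < r["num"] < 50000
    ]
    return {
        "from_client": [r["num"] for r in from_client],
        "to_client": [r["num"] for r in to_client],
        "bidirectional": bool(from_client and to_client),
        "direction_qualified": [(r["num"], r["direction"]) for r in client_rules if r["direction"]],
        "catch_all_deny_before_50000": catch_all,
    }


if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE_IPFW_LIST), ("after the fix", FIXED_IPFW_LIST)):
        print(label, audit_client(text, "192.168.0.14"))
```

Run it against the output of `ipfw list` on the box instead of the embedded sample to see whether a freshly authenticated client got both pass-through rules and whether they still carry in/out; a client that shows `bidirectional: False` has not passed authentication as far as ipfw is concerned, and its packets end at the catch-all deny reported in the last field.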

Last update :)

Applying this fix, you no longer need another network interface to run the captive portal on; you can use LAN too.

DestekTeknik

Just want to ask a question:

I have a similar problem but the situation is something like this:

I have fixed computers that are on the pass-through MACs list of the CP.
Those computers are also in the static pool of the DHCP.
Firewall rules do apply to THOSE machines.

But when I try to connect with a dynamic client, only the firewall rules which I set before turning the CP on apply (80, 443 and the MSN Live login port).
They can't use the webcam on MSN nor play WoW.

The symptoms are: new rules (which work ONLY for statics) defined after turning the CP on.
Old rules work for authenticating clients, but not the new ones.

Any ideas?

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.