Captive portal not redirecting on https requests. problem on every browser



  • Hi every one

    KInldy Please help me on this:

    I am using pfsense 2.4.4 p1. I have a problem that captive portal not redirecting automatically on DNS. when i entered ip against dns it redirects to me captive portal login page. like when i dail 8.8.8.8 its fine but when i entered google or something else its not reaching. when i enable https login in captive portal page shows to me unsafe error and not proceeding as well. in Firefox https login just then working when i manually entered the captive portal ip or port to exeptions.


  • Rebel Alliance

    @fahad77678 said in Captive portal not redirecting on https requests. problem on every browser:

    Hi every one

    KInldy Please help me on this:

    I am using pfsense 2.4.4 p1. I have a problem that captive portal not redirecting automatically on DNS. when i entered ip against dns it redirects to me captive portal login page. like when i dail 8.8.8.8 its fine but when i entered google or something else its not reaching. when i enable https login in captive portal page shows to me unsafe error and not proceeding as well. in Firefox https login just then working when i manually entered the captive portal ip or port to exeptions.

    First of all, if you plan to enable HTTPS on your captive portal in production, you should get a valid certificate for your captive portal (you can use either let's encrypt or someting else).

    But even if you get a valid certificate, you may have an HTTPS/HSTS error when browsing https://google.com . That's completly normal and that's simply how HTTPS works. There is no way to mitigate this

    On recent firefox/chrome/safari versions, any browser that get opened try first to make an HTTP request to a "test website", to check if there is a captive portal on your network :

    alt text



  • For https loging would i have to import certificate on every browser or system ?

    currently when i manually entered the certificate to browser then redirects to login page only in firefox. otherwise chrome chow unsafe error.

    is it possible to add certificate in pfsense for secure connection? because if i have a 500 pcs it would be very difficult for me to add certificates manually on every sytem



  • @fahad77678 said in Captive portal not redirecting on https requests. problem on every browser:

    For https loging would i have to import certificate on every browser or system ?

    No.
    Exemple : When you visit https://www.papypal.com you do not have to import the paypal cert neither. Your browser recognizes that that certificate has been build using a known certificate organization, and accepts it.
    With the acme package you can obtain a certificate from LetEnscrypt, also recognized by all browsers.

    @fahad77678 said in Captive portal not redirecting on https requests. problem on every browser:

    currently when i manually entered the certificate to browser then redirects to login page only in firefox. otherwise chrome chow unsafe error.

    Enabling https login is ok, if you have a valid certificate, not some "home made" one (like the one pfSense makes for you for it's GUI access).

    @fahad77678 said in Captive portal not redirecting on https requests. problem on every browser:

    is it possible to add certificate in pfsense for secure connection? because if i have a 500 pcs it would be very difficult for me to add certificates manually on every system

    That's why the acme package exists ...

    @fahad77678 said in Captive portal not redirecting on https requests. problem on every browser:

    like when i dail 8.8.8.8 its fine but when i entered google or something else its not reaching.

    So you broke the DNS for the clients visiting the portal.
    Check out this part.

    Normally, by default, the resolver running on pfSense will resolve for all LAN clients - and also for all clients connected to the portal. This is because a firewall rule exists on the captive portal interface that allows incoming connections for port 53 UDP, TCP on the pfSense's portal IP. So even when not authenticated yet, the client can resolve www.google.com (totally meaningless to a browser) to an IP like 74.125.140.101 - 74.125.140.139 - 74.125.140.100 - 74.125.140.113.
    Now, as you said, it can "dail out" (ans will be intercepted by the same ipfw firewall, and redirected to the captive portal web server that shows the login page).
    So, a lookup for google.com will resolve.



  • I i gave you a teamviwer or any desk session can you configure the captive portal with proper settings. actually i have only this problem of redirecting on dns



  • I advise you to disable the https login on the captive portal if you do not want to use the acme package.
    Use the resolver in default mode.
    No extra DNS's like "8.8.8.8".

    Keep everything to default, and the captive portal works in a minute.



  • Yes i disable https login but page not redirecting to captive portals page dont know what is the issue now



  • Its only works when i delete the browser history. Then when i entered the google.com and every dns with .com when i use the it redirects to login page. but when the session expire the its does not redirecting to me on login page. i want that if i entered only a single word in google it should redirect to me into login page if i am not logged in



  • @fahad77678 said in Captive portal not redirecting on https requests. problem on every browser:

    but when the session expire the its does not redirecting to me on login page

    If you were visiting some site, and the portal session expires, then yes, your browser will hit the captive portal 'firewall' wall.
    Your browser has the URL resolved (and local DNS is up to date) so

    Also : if your were visiting a https site, then the portal can't kick in, because there is this law that says : "you can't break / intercept https traffic".

    You should use high values for idle and hard time out.

    You can login again by :
    Rip out the RJ45 cable or switch off the Wifi connection for while.
    Close your browser.
    Enable the wire or radio connection.

    Or, more easel y : visit any http site (not a https site, or a http site that has HTST activated) again and hit Ctrl-F5.



  • i want redirecting on every requests whether it http or https. kindly tell me the configuration tha do this for me. i am running captive portal on lan or vlan connections.



  • Just tell me is it possible to redirecting every page to captive portal ?



  • Any http page will get redirected to the portal login page - if the users isn't logged in already.
    A https page : normally, no - but browsers could be smart about what to do.

    Btw : never ever change captive portal settings if you have logged in users - if you really have to change settings, throw out users first.



  • U mean to say that normally captive portal cannot redirect the https request if user not logged in? mean this is not possible?



  • @fahad77678 said in Captive portal not redirecting on https requests. problem on every browser:

    mean this is not possible?

    You know the ansswer already.

    https == SSL traffic can NOT be intercepted. If that would be possible, that https:// sites are identical to http:// visits.

    You do know what https:// is, right ? What it stands for - what it means ?

    Example : if you type in https:/:www.google.com, your browser ill first resolve google.com. As soon as it gets an IP, it will do https://172.217.22.142/ (on port 443).
    In the reply there will be a certificate that states that it is connected to "*.google.com" .
    If the captive portal intercepts this request, it will not return the certificate of Google, but it own certificate - which will be anything but not "google.com". Your browser, being smart, knows that you want to connect to google.com, but some other site replied. The browser knows it's request is redirected- or their is some other MITM.
    It will bail out with the famous certificate error message.



  • In simple words my captive portal not redirecting. please help me on this



  • On a device that you connect to the portal network - but not logged in yet, show what these commands show to you :

    ipconfig  /all
    
    nslookup google.com
    

    or better

    nslookup onisep.fr
    


  • C:\Users\fahad>nslookup onisep.fr
    Server: pfsense.localdomain
    Address: 192.168.1.1

    Non-authoritative answer:
    Name: onisep.fr
    Address: 213.162.50.177



  • @gertjan said in Captive portal not redirecting on https requests. problem on every browser:

    nslookup google.com

    C:\Users\fahad>nslookup google.com
    Server: pfsense.localdomain
    Address: 192.168.1.1

    Non-authoritative answer:
    Name: google.com
    Addresses: 2404:6800:4003:806::200e
    74.125.130.113
    74.125.130.102
    74.125.130.139
    74.125.130.138
    74.125.130.101
    74.125.130.100



  • C:\Users\fahad>ipconfig/all

    Windows IP Configuration

    Host Name . . . . . . . . . . . . : Muhammad-Fahad
    Primary Dns Suffix . . . . . . . :
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : localdomain

    Ethernet adapter Ethernet:

    Connection-specific DNS Suffix . : localdomain
    Description . . . . . . . . . . . : Intel(R) 82579LM Gigabit Network Connection
    Physical Address. . . . . . . . . : D4-C9-EF-E5-F4-27
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    Link-local IPv6 Address . . . . . : fe80::1998:6eb8:b089:d1a6%24(Preferred)
    IPv4 Address. . . . . . . . . . . : 192.168.1.10(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Lease Obtained. . . . . . . . . . : Monday, January 7, 2019 4:05:06 PM
    Lease Expires . . . . . . . . . . : Monday, January 7, 2019 5:50:52 PM
    Default Gateway . . . . . . . . . : fe80::1:1%24
    192.168.1.1
    DHCP Server . . . . . . . . . . . : 192.168.1.1
    DHCPv6 IAID . . . . . . . . . . . : 164940271
    DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-21-ED-F6-29-D4-C9-EF-E5-F4-27
    DNS Servers . . . . . . . . . . . : 192.168.1.1
    NetBIOS over Tcpip. . . . . . . . : Enabled
    Connection-specific DNS Suffix Search List :
    localdomain

    Wireless LAN adapter Local Area Connection* 4:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter #3
    Physical Address. . . . . . . . . : 3C-A9-F4-2E-A0-41
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes

    Wireless LAN adapter Local Area Connection* 5:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter #4
    Physical Address. . . . . . . . . : 3E-A9-F4-2E-A0-40
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes

    Wireless LAN adapter Wi-Fi:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . : Home
    Description . . . . . . . . . . . : Intel(R) Centrino(R) Ultimate-N 6300 AGN
    Physical Address. . . . . . . . . : 3C-A9-F4-2E-A0-40
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes



  • @fahad77678 said in Captive portal not redirecting on https requests. problem on every browser:

    92.168.1.1

    Ok, looks all good.
    DNS works - pfSense is the DNS resolver for your clients.

    You use the default login page ?

    What GUI firewall rules on your captive portal interface ?



  • All is on default settings. Gui Login all is on default settings. Yoy can say that firewall is on default settings i had just configure captive portal


  • Rebel Alliance

    @fahad77678 said in Captive portal not redirecting on https requests. problem on every browser:

    Its only works when i delete the browser history. Then when i entered the google.com and every dns with .com when i use the it redirects to login page. but when the session expire the its does not redirecting to me on login page. i want that if i entered only a single word in google it should redirect to me into login page if i am not logged in

    Again : that is an expected behaviour.

    It is not possible to redirect HTTPS connections. Not only with pfSense, but also with any other router. HTTPS connections just can't be redirected, that's by design. You can learn more here : https://stackoverflow.com/questions/51562003/captive-portal-and-https-redirect

    That shoudn't be an issue because modern web browsers do handle captive portals pretty well, using HTTP test requests (cf my picture above)



  • @free4
    yeah i have checked your picture but its only works in firefox not on another browsers. how would it be possible on google chrome?


  • Rebel Alliance

    @fahad77678 chrome also implement captive portal tests

    alt text

    Android and apple devices also implement this feature



  • @free4
    But in my case chrome not doing like this.
    can you come on teamviwer ?



  • @free4
    Did you enable https login enable in captive portal or not?
    in my case if i disable https login then it cant reach the login page. chrome says site cant be reach if i search some sites.
    same case in firefox. firefox only promt for login netwrok but not redirecting to catptive page.



  • The browser indicates that a user action is needed.
    It's probably not directing you right away some where else, which seems rather logic to me: the user wants to browse site a.b.c. - the browser won't take him to d.e.f (our captive portal login page) but suggests the a user action is needed.

    These are my observations :
    Use http (default) and the https portal login. Things will go very smooth.
    Chrome might be "portal aware" these days. I'm using the captive portal in a hotel - do not explain clients how to connect - and they connect (mostly not being IT experts, they all manage to connect using whatever device).

    As said here - and in the doc : https you should obtain a certificate signed by an authority.
    This implies that you should use an existing domain name on your portal LAN, like
    portal.your-domaine.tld
    You can buy such a corticate - or use the acme package.
    True : the acme package works for you if you know what to do and how to do it



  • @gertjan
    Use http (default) and the https portal login. Things will go very smooth.
    what do you mean by this how can i do this in pfsense. actually i m new in pfsesne



  • @gertjan
    can you give me the step step configuration of captive portal with dns resolver?



  • @fahad77678 said in Captive portal not redirecting on https requests. problem on every browser:

    @gertjan
    can you give me the step step configuration of captive portal with dns resolver?

    https://www.youtube.com/watch?v=qb5TDpihnq4&t=111s
    https://www.netgate.com/docs/pfsense/captiveportal/index.html

    The Resolver : nothing to do. The default settings - as set on installation, are just perfect.



  • @gertjan
    is it necessary to add captive portal ports add in firewall's wan and lan rules ?
    it it is? the which ports should i add to the rules ?



  • @fahad77678 said in Captive portal not redirecting on https requests. problem on every browser:

    @gertjan
    is it necessary to add captive portal ports add in firewall's wan and lan rules ?
    it it is? the which ports should i add to the rules ?

    Two cases :
    If you activate the portal on the LAN you have nothing to do : the default firewall rule is a pass-all, the portal will work right away.
    If you activate the captive portal on an extra interface (the best choice !), like OPT1, you have to, initially, add one firewall rule : the same one as you can find on the LAN interface.
    Like this :

    0_1547200712194_bf62f6c6-807f-413d-8f57-a02fd9357a26-image.png

    Never ever add firewall rules to the WAN interface. Rules for that interface belong to the experts.