Why does Captive Portal not work with IPv6?



  • I've checked two different major firewall vendors and they claim their Captive Portal works with IPv6.
    They must do something differently or it's just a FreeBSD network stack limitation on pfSense's side?


  • Rebel Alliance Developer Netgate

    pfSense uses ipfw on FreeBSD for Captive Portal. There are some features of ipfw which are required for Captive Portal, such as fwd, that do not function on IPv6. I'm not certain if that is still the case on FreeBSD 12.1 but limitations like that are what have held it back in the past.

    https://redmine.pfsense.org/issues/1831



  • Cannot find it in FreeBSD's bug tracker.
    So the requirement for Captive Portal on IPv6 seems to be low for pfSense or OPNsense community users.


  • Rebel Alliance Developer Netgate

    There is a FreeBSD PR linked in the redmine entry I linked above, and from what it looks like, it was closed without being implemented.

    If the features required to support it were added to FreeBSD, we'd be a lot more likely to add the feature. Otherwise we're taking on a lot of technical debt maintaining that code for every new release in addition to all of the up-front development time. If it really isn't implemented in FreeBSD yet, as that report implies, then it needs to be brought up there.



  • @jimp said in Why does Captive Portal not work with IPv6?:

    If it really isn't implemented in FreeBSD yet, as that report implies, then it needs to be brought up there.

    Can you do that?



  • @mdes said in Why does Captive Portal not work with IPv6?:

    @jimp said in Why does Captive Portal not work with IPv6?:

    If it really isn't implemented in FreeBSD yet, as that report implies, then it needs to be brought up there.

    Can you do that?

    jimp works for Netgate (pfSense), not the group that 'builds' the FreeBSD kernel and its direct dependencies.
    Even if "FreeBSD and needed firewall tools/programs" is 100% IPv6 ready (I guess, for version 12.x it is by now), the Captive Portal "code" becomes 3 times more work: for the IPv6-only devices, the IPv4-only devices and devices that use both.

    The day jimp gets punished badly, they will beat him, or say to him: Go implement IPv6 into the portal code...
    and we won't hear from him for months, because the thing is: most code / script has to be rewritten from the ground up.
    PHP might not even be the right language to do so.

    Btw: a captive portal is a network to offer a temporary internet connection for people dropping by at some spot.
    They just need access. As long as there are not really "IPv6 devices only", the question isn't urgent.

    All other interfaces that do not use 'ipfw', just 'pf', have worked very well with IPv6 for years now.



  • I was talking about bumping it up in FreeBSD bug tracker.



  • @mdes said in Why does Captive Portal not work with IPv6?:

    I was talking about bumping it up in FreeBSD bug tracker.

    One exists?
    I'm pretty sure it cannot exist.
    As said, FreeBSD is already 100% IPv6 compliant.

    A "captive portal" is a 'trick' built into the client OS - pretty close to the same thing as it should have a DHCP client running to obtain network connection info upon a network link establishment.

    On the pfSense side, the captive portal is nothing more than some firewall rules and tables lined up in some intelligent way. Someone that knows something about a firewall (the pfSense admin ^^) and how it's set up, can see for himself how it works.

    What pfSense does, other than loading the ipfw up with rules and tables, exactly like the "pf" firewall, is handling some tasks like running a web server, so initial requests get intercepted by this web server because a last firewall is redirecting HTTP traffic to it.
    Upon user identification, tables are expanded with the IP / MAC of that user = the ipfw firewall becomes transparent for this user. The "pass rules" also count user traffic, so this info can be used later on to enforce quotas.
    Several types of identification are possible: the built-in user database, or by using FreeRadius (the package) etc.

    The problem with IPv6: it's another protocol that needs dedicated firewall rule / table entries. And up to the captive portal logistics - the actual pfSense, mostly scripts, to link the (one) IPv4 and (more than one?) IPv6 to one device.

    With IPv6 - think about the SLAAC issues used by Samsung devices: this isn't the case yet. Even major ISPs do not propose IPv6 as they should (not RFC compliant etc).
    Let's face it: who these days uses pfSense with 'simple' LANs that correctly handle IPv4 and IPv6 without any issues?
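
The table handling described in the post above, as an added example (not pfSense or ipfw code, and not part of the original thread): a Python model of an allow table keyed by MAC, showing why a device that authenticated over IPv4 stays captive on IPv6 until its extra addresses are bound to the same session. The class and method names, the `learn` step and the documentation-range addresses are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Session:
    user: str
    mac: str
    addrs: set = field(default_factory=set)  # every address bound to this MAC
    octets: int = 0                          # traffic counter, usable for quotas

class PortalGate:
    """Toy allow table (constructed model, not pfSense or ipfw code)."""

    def __init__(self):
        self.by_mac = {}

    def login(self, user, mac, src_ip):
        # Authentication succeeded: open the gate for the address the login came from.
        s = self.by_mac.setdefault(mac.lower(), Session(user, mac.lower()))
        s.addrs.add(ipaddress.ip_address(src_ip))
        return s

    def learn(self, mac, ip):
        # Hypothetical step: bind a further address (e.g. a SLAAC address)
        # to a MAC that is already authenticated. Unknown MACs are refused.
        s = self.by_mac.get(mac.lower())
        if s is None:
            return False
        s.addrs.add(ipaddress.ip_address(ip))
        return True

    def check(self, mac, src_ip, length):
        # Per-packet verdict: pass only if MAC and source address both match.
        s = self.by_mac.get(mac.lower())
        if s is None or ipaddress.ip_address(src_ip) not in s.addrs:
            return "redirect"            # still captive: send to the portal page
        s.octets += length
        return "pass"

def demo():
    g, mac = PortalGate(), "AA:BB:CC:00:00:01"   # constructed sample values
    g.login("guest", mac, "192.0.2.10")
    before = g.check(mac, "2001:db8::10", 100)   # IPv6 not yet bound
    g.learn(mac, "2001:db8::10")
    after = g.check(mac, "2001:0db8:0:0:0:0:0:10", 200)  # same address, long form
    other = g.check("aa:bb:cc:00:00:02", "192.0.2.10", 50)  # wrong MAC
    return before, after, other, g.by_mac[mac.lower()].octets

if __name__ == "__main__":
    print(demo())
```

Addresses are stored as parsed `ipaddress` objects, so the compressed and expanded spellings of one IPv6 address match the same table entry.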

