Captive portal on multiple ifaces?

itsmorefun · May 22, 2009, 10:10 AM

Hum, :-
Seem not work.
I have try http://snapshots.pfsense.org/FreeBSD_RELENG_8_0/pfSense_HEAD/livecd_installer/pfSense-2.0-ALPHA-ALPHA-20090522-0021.iso.gz
If i select LAN, if user on LAN ask google, he have captive portail (ok)
If i select OPT1, if user on OPT1 ask google, he have captive portail (ok)
If i select LAN and OPT1, if a user on LAN ask google, he have portail, but if a user of OPT1 ask google he have google. :'(

I will add interface and try with captive portail on OPT1 and OPT2…

Thank in advance.

itsmorefun · May 22, 2009, 1:07 PM

Same result,
With captive portal enabled on OPT1 and OPT2, only OPT1 packet are intercepted.

I will try to understand https://rcs.pfsense.org/projects/pfsense/repos/mainline/commits/f8b1131038f1a8ced102c79ed6c72ef9dc05e6f1 to find why that don't work…

Maybe a problem with:
341 # skip to traffic shaper if not on captive portal interface
342 add 1000 set 1 skipto 50000 all from any to any not layer2 not $cpif
343 # pass all layer2 traffic on other interfaces
344 add 1001 set 1 pass layer2 not $cpif

If I do "ipfw show | grep ed2" with only OPT1 selected:
01000 5 5344 skipto 50000 ip from any to any not layer2 not via ed2
01001 5 5344 allow ip from any to any layer2 not via ed2

If I do "ipfw show | grep ed3" with only OPT2 selected:
01000 5 5325 skipto 50000 ip from any to any not layer2 not via ed3
01001 5 5325 allow ip from any to any layer2 not via ed3

If I do "ipfw show | grep ed2" with OPT1 and OPT2 selected:
01000 5 5325 skipto 50000 ip from any to any not layer2 { not via ed2 or via ed3 }
01001 5 5325 allow ip from any to any layer2 { not via ed2 or via ed3 }

Maybe the problem is the interpretation of the "not" and the "or" ?

Thank for any help.

eri-- · May 22, 2009, 1:31 PM

Can you update to the latest snapshot or try this modification?
https://rcs.pfsense.org/projects/pfsense/repos/mainline/commits/fca39472782bdbd06722c053cb345de6a8f754bd

Thanks

itsmorefun · May 22, 2009, 2:49 PM

Yes!!! You are a king 8)

It work ;)

Juste two things,
->on Status: Captive portal:
The last line, the column Session start show: Warning: date() expects parameter 2 to be long, string given in /usr/local/www/status_captiveportal.php on line 107

->on Status: System logs: Portal Auth: When user have a firewall blocking input icmp some log with: php[43507]: /index.php: The command '/sbin/ping -c 1 -t 1 172.16.1.11' returned exit code '2', the output was 'PING 172.16.1.11 (172.16.1.11): 56 data bytes –- 172.16.1.11 ping statistics --- 1 packets transmitted, 0 packets received, 100.0% packet loss'
(172.16.1.11 is the ip of the user)

Very Thank

eri-- · May 22, 2009, 3:06 PM

Should be fixed both of them.

Thanks for teh feedback.

itsmorefun · May 22, 2009, 3:44 PM

@ermal:

Should be fixed both of them.

Thanks for teh feedback.

Nice but https://rcs.pfsense.org/projects/pfsense/repos/mainline/commits/4fa2be6d7d7e2351e60805d7cbcb7d734945adb5 not work because $cpent is an array.

With "if (empty($cpent[0]))" it work

Thank
:)

eri-- · May 22, 2009, 4:31 PM

Added to the repo a better fix https://rcs.pfsense.org/projects/pfsense/repos/mainline/commits/caec9484b7ad9fdf1613db7b05955a14281b4b9c

itsmorefun · May 23, 2009, 7:56 AM

@ermal:

Added to the repo a better fix https://rcs.pfsense.org/projects/pfsense/repos/mainline/commits/caec9484b7ad9fdf1613db7b05955a14281b4b9c

Nice, it work too

BUT after start the captive portal, while nobody log on, the captiveportal.db file is not created and the
status page show:
Warning: file(/var/db/captiveportal.db): failed to open stream: No such file or
directory in /usr/local/www/status_captiveportal.php on line 67 Warning: Invalid
argument supplied for foreach() in /usr/local/www/status_captiveportal.php on line
68
;D

Thank :)

itsmorefun · May 26, 2009, 6:03 AM

Thank Ermal (https://rcs.pfsense.org/projects/pfsense/repos/mainline/commits/93ed765955f8891b985805e4d49ba96f8694c6d7)
:-)

rt_rex · Sep 4, 2009, 7:22 PM

I did not test the captive portal feature on 2.0 .
One thing i did not understand about dual iface captive portal.
Assuming i have CAPtive portal enable on LAN and OPT1 and the CP interfaces are in diferent subnets (10.0.0.0/24,192.168.1.0/24), how do they do the http redirect to one single address ?
Or there is a field to config the two independent URL redirect ,one for each subnet?

Thanks

eri-- · Sep 5, 2009, 3:07 PM

It will show the same login to different subnets.
That is all up to you in your login page php code if you want to show them different things.