Allowed-hostnames not working.



  • I am still new to captive portals and all, but from what i have found, i need to setup a walled garden by using allowed host-names, the problem is that the ones i set up don't seem to be working.
    ex: i used google.com as hostname. i couldn't use *google.com since it says there is an error
    any suggestion on how to fix it ?


  • LAYER 8 Global Moderator

    https://docs.netgate.com/pfsense/en/latest/book/captiveportal/allowed-hostnames.html

    "A daemon periodically resolves the hostnames to IP address(es) and allows them through the portal without authentication in this zone."

    You understand that google.com doesn't mean it resolves the same as www.google.com right? Anything served off a CDN like that is going to quite often fail, because the IPs change all the time. And the IP for that hostname is only resolved every so often to be allowed by the captive portal.

    $ dig google.com +short
    216.58.192.206
    
    $ dig www.google.com +short
    172.217.0.4
    
    

    So in my above example access to that 216 ip would be allowed, but www.google.com is 172.x.x.x so it wouldn't be.



  • as i said i am fairly new to this so i didn't know that it would make a difference since it was host-name based config and not ip based.
    how do you suggest i fix this ? i tried using www.google.com but i still get the same result.
    should i switch to ip based exceptions ? and if so, where do i find the ips that need to be excluded ?


  • LAYER 8 Global Moderator

    Are you allowing your clients to query dns? If client can not query dns can not look up hostname, can not try and go to hostname, for captive portal to allow it..



  • I have disabled both the DNS Resolver and Forworder if that's what you mean.



  • @ghassen said in Allowed-hostnames not working.:

    I have disabled both the DNS Resolver and Forworder if that's what you mean.

    Ah .....
    The captive portal is very depending on a functional DNS . You should have a working DNS on your network. Although an initial captive portal setup and not using the local resolver, I would qualify that as an "expert install".
    I really advise you to read the manual. For example : this page. The most known issue : people break DNS.

    Btw : look at the available Captive portal video's from the authors.

    Host names like www.google.com (and facebook, microsoft, twitter, apple.com, cnn, snapshat, etc etc etc) acually point to hundreds of IP's. The IP you obtain now, could not exist (not used) any more after a few minutes, as also Google has to upgrade and update it's front end servers, without showing a temporary "host not found" error.


  • LAYER 8 Global Moderator

    @ghassen said in Allowed-hostnames not working.:

    I have disabled both the DNS Resolver and Forworder if that's what you mean.

    And then how is client on your captive portal suppose to look up www.google.com then? Do you hand them external dns that you allow through captive portal?

    @Gertjan stated - working dns is a MUST for captive portal to function.

    Where does pfsense point for dns? When it finds the ip for www.google.com better hope it matches what the client finds when it does query.. Pointing to different dns can exacerbate problems with mismatch of IPs..


Log in to reply