Captive Portal not working under pfBlocker-devel



  • J
    justice41 11 minutes ago

    Hello everyone. I have this issue with CP in the LAN which works fine. But installing pfBlocker breaks the CP in which client says have "Internet Access" but cannot access any sites. And logging in directly to :8002 does nothing.

    CP only - can browse normally
    pfBlocker only - can browse normally
    pfBlocker + CP - no connection
    pfBlocker + CP(but disabled) - can browse normally

    pfSense is a fresh install and everything is in default. Is there a conflict between these two services?

    [Posted here for pfBlocker]



  • Hi,

    Your issue is most probably not pfblocker related .
    To remove the issue : never ever edit or change captive portal settings while users are logged in.
    If you have to, you have to throw them of the portal, because they will get 'stuck'.

    It's a known, old issue,and a patch (use the path and the patch package) is proposed in the portal forum.

    If the issue is pfBlocker related : another advise : as portal users are typical non trusted users, they do not belong on the LAN interface. Use a dedicated interface. You could use pfBlockerng-devel on that interface - I do so and have no issues.



  • Hello

    The thing is, everything is in default. No changes whatsoever. CP is working normally. Login page shows, works, and disconnecting users also works. Just that installing pfBlocker breaks the CP. Even if I change the interface to OPT1 it would still be the same. Login page does not show nor directly logging in has no connection also.. Either I can use pfBlocker or CP but not at the same time.



  • Do this test :

    aaff1982-4f38-4e26-b9b8-3be85e54e0d5-image.png

    and compare these with the ipfw firewall rules : thes erae the two tables that contain the "pass" rules :

    ipfw table all list | grep '_auth_'
    

    So, for me :

    [2.4.5-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: ipfw table cpzone1_auth_down list
    192.168.2.22/32 2045 32346 42479778 1597985246
    192.168.2.61/32 2049 258045 327928165 1597985267
    192.168.2.111/32 2043 30170 27498789 1597985844
    192.168.2.237/32 2031 172539 174804555 1597985775
    
    [2.4.5-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: ipfw table cpzone1_auth_up list
    192.168.2.22/32 c6:0d:9d:bf:12:dx 2044 18462 2470106 1597985246
    192.168.2.61/32 b4:8b:19:00:9e:0x 2048 144932 20520809 1597985267
    192.168.2.111/32 b6:03:24:ee:d8:8x 2042 26872 15886625 1597985847
    192.168.2.237/32 b4:86:55:6a:8a:cx 2030 119359 84302573 1597985775
    

    There is a perfect match between these two tables and the GUI list : identical IP and MAC's.

    If the GUI list connected users that you can't find in the ipfw tables, you've been bitten by the "Your are connected" bug.

    @justice41 said in Captive Portal not working under pfBlocker-devel:

    No changes whatsoever. CP is working normally. Login page shows, works, and disconnecting users also works. Just that installing pfBlocker breaks the CP

    i'm using the CP for my clients / visitors, and have no troubles at all using pfBlockerNG-devel on the LAN and PORTAL interface :

    a1ef54a4-de56-414e-8b42-14e8def2ea33-image.png

    Read again the top part of this page. Every portal admin should know this page out of his head. The ipfw rules actually
    So, a good working local DNS is very important (it's always important, but this time it's very important).
    When you know that pfBlockerNG-devell also indirectly 'manipulates' DNS requests, all dependings what the feeds are that you have chosen.
    A pfBlockerNG-devel without feeds - the default install - does actually nothing, it doesn't change the resolver's behaviour in any kind, so it's presence is neutral.



  • ipfw shows a perfect match. And local DNS is working perfectly fine. Although I seem to have found the problem in which one of the feeds is blocking the localhost for some reason. For now I disabled localhost being included in the DNS and thing works ok now.
    If somewhere breaks again, might be better to just remove that feed.

    thnx for the reply.


Log in to reply