After receiving an IP from DHCP, clients aren't redirected to the captive portal login page and can navigate without authentication
-
Hello, we have a pfSense C.E. 2.7.0-RELEASE (amd64) built on Wed Jun 28 03:53:34 UTC 2023 FreeBSD 14.0-CURRENT, with DHCP and Captive Portal enabled on the WAN interface. We have also enabled a DNS Forwarder service.
When a client receives an IP from DHCP, it connects directly to the internet without authenticating on the Captive Portal.
I have followed many community topics and Netgate guides, but I am not able to solve the issue.
If I try to connect directly to the Captive Portal URL after the DHCP connection, I am able to reach it.
Here are my firewall rules for the WAN interface:
BLOCK 0/0 B Reserved Not assigned by IANA * * * * * Block bogon networks
PASS 0/0 B IPv4 TCP * * This Firewall 8002 - 8005 * none
PASS 0/0 B IPv4 TCP * * * 80 - 443 * none Abilita traffico HTTP
PASS 0/0 B IPv4 ICMP any 192.168.170.1 * This Firewall * * none Accetta ping da Centrostella
PASS 0/0 B IPv4 TCP WAN net * * * * none Abilitazione traffico TCP
PASS 0/0 B IPv4 UDP WAN net * * * * none Abilitazione traffico UDP
PASS 0/0 B IPv4 TCP/UDP * * This Firewall 53 (DNS) * none
PASS 0/0 B IPv4 TCP/UDP * * 127.0.0.1 53 (DNS) * none
PASS 0/0 B IPv4 TCP/UDP * * 127.0.0.1 53 (DNS) * none NAT
PASS 0/0 B IPv4 TCP WAN net * * 25 - 465 * none Enable SMTP traffic
I hope you can help me solve the issue, thanks in advance.
-
hi @edarrigo by chance I have been playing around with the captive portal and discovered a bug of some sort.
By any chance, are you using any Apple device to test your captive portal?
-
@xNUTx No, no Apple devices. I've tried from Windows OS (10 and 11) and from Android mobile devices.
-
@edarrigo said in After receiving an IP from DHCP, clients aren't redirected to the captive portal login page and can navigate without authentication:
.... and Captive Portal enabled on the WAN interface
That's impossible.
edit : well, you can select it, so possible.
Read the documentation, it starts here: Captive Portal.
You'll find this info : Zone Configuration Options :
Don't use the portal without actually following the 3 available videos at the Youtube => Netgate channel (videos made by those who made the product, what more do you want ^^)
They are old, and still contain very useful and valid info.
-
@Gertjan Thanks and sorry, I don't understand the bridge0 configuration option.
Although impossible to believe, we always used the captive portal on the WAN port and it worked, at least up to 2.5.x
-
@Gertjan I have "re-configured" the pfSense VM and activated the Captive Portal on the LAN interface and replicated the FW rules, but I have the same issue:
the clients receive an IP address from DHCP, are not redirected to the Captive Portal, and can navigate on the internet without authentication.
Where am I wrong?
-
@edarrigo said in After receiving an IP from DHCP, clients aren't redirected to the captive portal login page and can navigate without authentication:
Where am I wrong?
Fast answer : you saw the official Netgate captive portal videos by now (I hope).
The fast answer would be : what did you do different ? Undo that, and it will work.
Typically, the LAN network is for your trusted devices, like the PC you use to admin pfSense.
A captive portal should live on a second LAN, called OPT1 when you create/activate it, as portal users are non trusted devices. If they weren't, they would be on the LAN interface.
This setup makes testing / debugging also way easier.
So : a first, original LAN interface 192.168.1.1/24 - with its own DHCP server setup (the default will do).
A second OPT1 interface using 192.168.2.1/24 - a DHCP server setup for the 192.168.2.0/24 range, with a pool like 192.168.2.2 to 182.168.2.54. DNS is 192.168.2.1 and the gateway is 192.168.2.1.
First test : if you have no, like none, firewall rules on this OPT1, then it's impossible that connected devices have internet access. If the portal would work, you see the login page etc, they still would not have access to the net. If it does : reformat everything, as something went very bad at the initial pfSense setup. This initial setup can be as easy as : change the admin password and done. I'm not kidding. From here : follow the official portal video and you'll be up and running in minutes.
If not : tell us what you did ...
-
@Gertjan cit: who is the cause of his evils, weeps himself!
Thanks a lot for the support. I've re-created the firewall from zero and I understand where I went wrong! (see attached pic).
I've disabled all packet filtering because the clients' Internet connection is very slow (I have another firewall that protects my Internet connection).
Basically I use pfSense only as a captive portal for wifi clients, I then have a corporate firewall for everything.
Now, however, the fact remains that those who connect via the captive portal go very slowly on the internet. Can you give me some suggestions here or should I open another topic?
-
Ok, lol - you want to use a firewall based functionality ......
.... and when set up, you shut down the firewall.
The captive portal is (based on) 'pf' rules ( ! )
'pf' is the firewall pfSense uses - hence the pf in pfSense.
If you use a 6502 or Z80 processor for your pfSense, then the portal, and everything else, might be slow. Current hardware : it's just a firewall rule or two. The captive portal is not some kind of process or program.
A captive portal network or normal LAN : I have the same speeds.
Btw : that is : my LAN uses wired devices so limited to the local 1Gbyte/sec speed and my ISP uplink, about the same speed.
My portal devices are mostly wifi based, and I have low-budget lousy access points, so normal that the portal is slower.
If I use a wired device on the portal, the speed is the same as the LAN network.
-
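Added example, not part of any post in this thread: a check over a pfSense `config.xml` backup for the misconfiguration identified above, an enabled captive portal zone while "Disable all packet filtering" is ticked, plus a zone bound to WAN. The element names (`system/disablefilter`, `captiveportal/<zone>/enable`, `interface`) are assumptions about the config layout and the sample config is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample, trimmed to the elements the check reads. Element names
# are assumed from the usual pfSense config.xml layout; verify against your
# own backup before relying on the result.
SAMPLE_CONFIG = """\
<pfsense>
  <system>
    <hostname>portal-fw</hostname>
    <disablefilter>enabled</disablefilter>
  </system>
  <captiveportal>
    <wifi>
      <zone>wifi</zone>
      <interface>lan</interface>
      <enable></enable>
    </wifi>
    <lab>
      <zone>lab</zone>
      <interface>opt1</interface>
    </lab>
  </captiveportal>
</pfsense>
"""

def audit_portal(config_xml):
    """Return a list of findings about captive portal enforcement."""
    root = ET.fromstring(config_xml)
    # Presence of the element (even empty) means the option is set.
    filter_off = root.find("system/disablefilter") is not None
    findings = []
    for zone in root.findall("captiveportal/*"):
        if zone.find("enable") is None:
            continue  # zone is defined but not enabled
        name = zone.findtext("zone", default=zone.tag)
        raw = zone.findtext("interface", default="")
        ifaces = [i.strip() for i in raw.split(",") if i.strip()]
        if filter_off:
            findings.append(f"{name}: packet filtering is disabled, so the "
                            "portal's pf rules cannot hold clients back")
        if "wan" in ifaces:
            findings.append(f"{name}: portal is bound to the WAN interface")
    return findings

if __name__ == "__main__":
    for finding in audit_portal(SAMPLE_CONFIG):
        print(finding)
```

-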
@Gertjan I've implemented pfSense on a VMware VM, with one NIC (LAN) on the WiFi VLAN to provide the captive portal for wifi clients, and the other NIC (WAN) on my LAN network.