Captive Portal on 2.7 not redirecting to login page
-
Hello to everyone,
I've installed the 2.7 version and tried to enable the captive portal. pfSense was reset to factory defaults and I followed the tutorial with no authentication from this video:
https://www.youtube.com/watch?v=ALQvXRCSy8w
I've read most of the topics here and didn't find any solution except that maybe it's a 2.7 version bug???
The problem is, as in some other posts, that I get an IP from the DHCP server but there is no redirection to the login portal.
I've tried to enter the address manually and then it opens the portal; I click login and everything works fine.
The active portal will be on the LAN interface, where some access points exist too, so I'd like it to work on both wired and wireless connections! The problem occurs in both instances!
I've also tried to connect to simple http sites and nothing happens!
Any help will be appreciated!
-
@John-3 said in Captive Portal on 2.7 not redirecting to login page:
I've read most of the topics here
Then you know that 'getting an IP' isn't enough.
Did it get a network, known as 'mask'? A gateway?? A DNS???
It's time to launch the good old 'cmd' (or PowerShell, or whatever you have available on your device) and check this info:
ipconfig /all
If all goes well, the DNS IPv4 is the IPv4 of the gateway, and both would be the IPv4 of the pfSense captive portal NIC.
Be aware of the fact that users can change their device configuration 'for whatever reason'.
Or worse: browsers can be set to use their own DNS method like 'DoH' or whatever, and this will break 'captive portal access', while normal, non captive portals would work just fine.
Out of the box, any Android (I presume, never used such a device), iPhones/iPads, Microsoft OS devices as from Windows 7, all Macs and most Debian-derived OSes will work fine.
@John-3 said in Captive Portal on 2.7 not redirecting to login page:
https://www.youtube.com/watch?v=ALQvXRCSy8w
Ok, you like old videos.
Then what about the videos from the guy that actually built the portal?
Here they are: https://www.youtube.com/@NetgateOfficial/videos
Check out the one called: Captive Portal on pfSense 2.3/2.
Look also at Troubleshooting Captive Portal.
Under "Captive Portal Does not Redirect" you will find the most probable reasons why the portal doesn't work: it's called "DNS", and this can be tested: when you are connected to the portal network, and without even seeing and/or authenticating yourself, DNS should work.
nslookup microsoft.com
should give an answer = an IPv4.
(for some reason people want to ping, so ok:
ping microsoft.com
should NOT answer to the ping requests, as the portal will block ping packets,
but it should mention on the very first line that it resolved "microsoft.com" to "20.236.44.162", which means DNS is accessible.)
PING microsoft.com (20.236.44.162): 56 data bytes .....
@John-3 said in Captive Portal on 2.7 not redirecting to login page:
The active portal will be on LAN interface
As the video you've been using already showed you: make life easy on yourself, and keep LAN for all trusted devices. Use a second LAN (called OPT when created, you can rename it) for your captive portal.
The portal network will only be used by non-trusted devices, as these are the reason why you created a portal in the first place.
That said, the portal will work on the main LAN.
-
@Gertjan Thanks for answering,
For starters, DHCP works fine and the client does get IP/gateway and all the information from the DHCP server.
I've already tested that DNS answers my queries by pinging random addresses, which of course don't reply to my pings because I haven't authenticated yet, but it resolves the addresses to IPs, and as I've mentioned, if I enter the portal login page manually then everything works fine!
I've already seen the video you've shared! (and almost all the videos for that matter)
As for the LAN interface, actually the test I've been doing is at my home with a fresh installation; on my client's premises it will be on the 2nd Guest_Lan interface, which will be for the guests (it's a hotel).
The funny thing is I did another test with the exact same steps instead of having the 2.7 version...
So, instead of installing 2.7, I've installed a 2.6 version and the captive portal worked! Then I upgraded to 2.7 and it kept working!
When I'm doing the same things in a 2.7 fresh install then the problem occurs!
In some topics they say that Captive Portal has moved to IPFW, which I don't get what exactly that move did, but I think that there must be the problem :)
-
@John-3 said in Captive Portal on 2.7 not redirecting to login page:
For starters DHCP Works fine and the client does get IP/Gateway and all the information from the DHCP Server.
I've already tested that dns answers my queries with pinging random addresses which of course doesn't reply to my pings because i haven't authenticated yet but resolves the addresses to Ip's and as i've mentioned if i enter the portal login page manually then everything works fine!
Ok. Good to know, and now this is out of the way, let's continue.
I'm using pfBlockerng, so I have a file I can use to test if DNS works :
If you haven't, switch the resolver to "Level 3" (query level) on the Services > DNS Resolver > Advanced Settings, and then Save + Apply.
I use
tail -f /var/unbound/var/log/pfblockerng/dns_reply.log
you can also use (I didn't test, but I'm sure that DNS requests will show up - do not forget to undo this "Level 3" setting as it will produce a huge log file):
tail -f /var/log/resolver.log
As soon as I connect my 'iPhone' to the portal, before a browser pops up on my phone, showing the login page, I saw a lot of (20+) DNS requests flying by.
This is what I just saw:
...... DNS-reply,Nov 22 11:52:03,reply,A,CNAME,30,captive.apple.com,192.168.2.35,17.253.109.202,FR .....
This was the OS of my phone that emitted a http (not https !!) request to a known web server (from Apple of course) and my device does this because it wants to test (all devices do this these days) if it can reach a 'test' site available on the internet.
Click to see the test.
This was my iPhone 'calling home'.
Androids don't call to Apple, they use some other site.
Same thing for Microsoft devices, they use a xxxx.microsoft.com http site.
If the resulting page contains the word (in my Apple case) 'Success' then the device knows it has a direct (non portal !) connection to the Internet. This is by far the most common case.
If it doesn't (something else came back), then the device knows that a captive portal might be present.
It will fire up a 'browser', and repeat the same request.
On the pfSense side of things, a http request "with destination port 80 (http)" will get redirected by a captive portal firewall rule, to something like http://a.b.c.d:8002/xxxxxxx
Now, welcome that nice feeling: you start to understand how a portal works, that a 'captive portal' isn't actually a pfSense thing, but a BYOD device thing.
pfSense uses a rather simple firewall rule - and a web server to show a web (login) page if requested. Most of the heavy lifting is done by your device.
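
Added example, not part of the thread and not pfSense or Netgate code: a small client-side check that repeats the detection probe described in the post above (resolve the test host, send a plain HTTP request on port 80, do not follow redirects) and reports which stage fails. The function names, the result labels, the probe path "/" and the sample address 192.0.2.1 are assumptions made for illustration.

```python
import http.client
import socket
from urllib.parse import urlsplit

REDIRECTS = (301, 302, 303, 307, 308)

def classify_probe(status, location, body, marker="Success"):
    """Classify one probe response the way the post describes the device doing it."""
    if status in REDIRECTS and location:
        target = urlsplit(location)
        port = target.port or (443 if target.scheme == "https" else 80)
        # Port 80 traffic was intercepted and sent to a login page (e.g. port 8002).
        return ("portal-redirect", f"{target.hostname}:{port}")
    if status == 200 and marker in body:
        return ("open-internet", None)   # the test page came back untouched
    if status == 200:
        return ("portal-inline", None)   # "something else came back"
    return ("unknown", None)

def probe(host="captive.apple.com", path="/", timeout=5):
    """Live check from a client on the portal network, before logging in."""
    try:
        addr = socket.gethostbyname(host)          # stage 1: DNS must work unauthenticated
    except socket.gaierror as exc:
        return ("dns-failed", str(exc))
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"User-Agent": "portal-check"})
        resp = conn.getresponse()                  # stage 2: http.client never follows redirects
        body = resp.read(4096).decode("utf-8", "replace")
        return classify_probe(resp.status, resp.getheader("Location"), body)
    except (OSError, http.client.HTTPException) as exc:
        # DNS resolved but nothing answered on port 80: the redirect rule is not firing.
        return ("no-http-answer", f"{addr}: {exc}")
    finally:
        conn.close()

if __name__ == "__main__":
    print(probe())
```

A result of `no-http-answer` together with working DNS matches the symptom in the first post: name resolution succeeds, but the port 80 request is never redirected to the login page.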