Netgate Discussion Forum

    Captive portal login page not served

    Captive Portal
    2 Posts 2 Posters 497 Views
    ratcrow

      I am unable to get captive portal to work, despite trying to keep everything as simple as possible. Any help would be appreciated.

      I have a Netgate 4100 running the latest pfSense+ (23.09-RELEASE). One of the LAN ports is connected to a Ubiquiti wireless access point. The WAP has four SSIDs, each of which is mapped to its own VLAN. Three of these are private (requiring authentication to join), and one is open, but I want to require vouchers to get onto the Internet. The private VLANs can all connect to the Internet, and the open one can too if I add exceptions to the captive portal, so I think the basic setup is right.

      The problem is that I never get an authentication/login page to appear for the captive portal.

      I have checked the following:

      • The wireless client gets a valid IP address (10.4.0.X). This is served up by the pfSense+ DHCP server for that VLAN.
      • The client is able to do DNS lookups (verified with packet capture on the VLAN interface). I added IP exceptions for 8.8.8.8 and 8.8.4.4 because the pfSense DNS Resolver did not seem to be working (is this a clue?).
      • Using Chrome, an attempt to open an http:// URL resulted in a redirect back to 10.4.0.1:8003/.../... but this timed out. In other words, it looks like something caught the request at port 80 and sent a redirect to port 8003, but nothing responded at port 8003. I tried adding a firewall rule to allow traffic to 10.4.0.1 in case this was somehow being blocked, and no packets were ever matched to it, so I don't think that is the problem. (I since removed that rule since it seemed like it could cause more harm than good.)
      • On an iPhone, I can connect to the network but it warns that it has no Internet connection. There is a fair amount of traffic from the iPhone (10.4.0.102) including DNS lookups and some attempts to talk to Apple (excerpt below):

      01:54:46.684336 IP 10.4.0.102.50045 > 8.8.4.4.443: tcp 0
      01:54:46.685414 IP 10.4.0.102.50045 > 8.8.4.4.443: tcp 39
      01:54:46.703472 IP 10.4.0.102.50045 > 8.8.4.4.443: tcp 183
      01:54:46.705287 IP 8.8.4.4.443 > 10.4.0.102.50045: tcp 0
      01:54:46.721136 IP 8.8.4.4.443 > 10.4.0.102.50045: tcp 0
      01:54:46.722530 IP 8.8.4.4.443 > 10.4.0.102.50045: tcp 83
      01:54:46.722557 IP 8.8.4.4.443 > 10.4.0.102.50045: tcp 499
      01:54:46.722615 IP 8.8.4.4.443 > 10.4.0.102.50045: tcp 31
      01:54:46.722633 IP 8.8.4.4.443 > 10.4.0.102.50045: tcp 39
      01:54:46.726709 IP 10.4.0.102.50045 > 8.8.4.4.443: tcp 0
      01:54:46.727244 IP 10.4.0.102.50045 > 8.8.4.4.443: tcp 39
      01:54:46.732608 IP 10.4.0.102.50046 > 17.253.13.206.443: tcp 0
      01:54:46.751325 IP 8.8.4.4.443 > 10.4.0.102.50045: tcp 0
      01:54:46.768052 IP 10.4.0.102.50046 > 17.253.13.206.443: tcp 0
      01:54:46.803764 IP 10.4.0.102.50046 > 17.253.13.206.443: tcp 0
      01:54:46.840056 IP 10.4.0.102.50046 > 17.253.13.206.443: tcp 0
      01:54:46.841678 IP 10.4.0.102.50047 > 17.253.13.208.443: tcp 0
      01:54:46.843259 IP 8.8.8.8.443 > 10.4.0.102.50044: tcp 0
      01:54:46.874561 IP 10.4.0.102.50046 > 17.253.13.206.443: tcp 0
      01:54:46.876889 IP 10.4.0.102.50044 > 8.8.8.8.443: tcp 0
      01:54:46.909429 IP 10.4.0.102.50046 > 17.253.13.206.443: tcp 0
      01:54:46.974858 IP 10.4.0.102.50046 > 17.253.13.206.443: tcp 0

      One thing that is really odd: if I try to go to a nonsense URL (http://10.10.10.10) on the iPhone, the URL in Safari changes to say "data:text/html," as though it is interpreting HTML as a URL. I eventually get a "server stopped responding" error.

      I haven't done much to the configuration to try to set up captive portal. I created a roll of 1000 vouchers and turned it on. As far as I can tell, the captive portal service just isn't sending the required HTML for the authentication page when queried.

      I assume that there is a default captive portal page that will just come up and that I don't have to create a custom page to make this work.

      This is all for a home network, so I don't have a real certificate I can use for HTTPS authentication. I am trying to use HTTP for the captive portal.

      My firewall rules are about as simple as can be. It is possible that some other part of my configuration is to blame, but I don't know where to look.

      Any advice? Thanks.

    Gertjan @ratcrow

        @ratcrow said in Captive portal login page not served:

        because the pfSense DNS Resolver did not seem to be working (is this a clue?).

        Yes, it is the most common failure, see Troubleshooting Captive Portal.

        Typically, you include in the DHCP lease (server side!) the IP of the captive portal interface of pfSense.
        This is the case by default.
        Two conditions must be true:
        You have to allow traffic to port 53, protocol TCP and UDP, where the IP is the IP of the captive portal network.
        This is the case by default (see my firewall line below).
        Unbound has to listen on this interface.
        This is the case by default.

        @ratcrow said in Captive portal login page not served:

        I assume that there is a default captive portal page that will just come up and that I don't have to create a custom page to make this work.

        Exactly.

        @ratcrow said in Captive portal login page not served:

        My firewall rules are about as simple as can be. It is possible that some other part of my configuration is to blame, but I don't know where to look

        This is the 'simple one': only the last yellow line:

        [screenshot: firewall rules on the captive portal interface, last (yellow) line is the single pass rule]

        Afterwards you can add new, more specific 'block' rules above this line.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit: and where are the logs?

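The two posts above describe three things to check when the login page never appears: whether clients resolve DNS through the captive portal interface, whether the port the portal redirects to actually answers, and which off-net hosts are reachable before any login. The script below is an added example for this thread (not code from pfSense, Netgate or either poster) that runs those checks over a `tcpdump -nn -q` summary like the one the original poster pasted. The portal address 10.4.0.1/24 and the port 8003 are taken from the poster's redirect and are assumptions; the sample capture is constructed for the example, with a few of the poster's own lines plus a DNS query and an unanswered portal connection added to show each finding.

```python
"""Triage a tcpdump summary from a captive portal VLAN interface.

Added example for the thread above; not pfSense code. Assumed values:
portal interface 10.4.0.1 on 10.4.0.0/24, portal TCP port 8003 (the port
in the poster's redirect). Change these for your own zone.
"""
import re
from ipaddress import ip_address, ip_network

PORTAL_IP = ip_address("10.4.0.1")        # captive portal interface (assumption)
PORTAL_NET = ip_network("10.4.0.0/24")    # captive portal VLAN subnet (assumption)
PORTAL_PORT = 8003                        # port seen in the poster's redirect (assumption)

# "HH:MM:SS.ffffff IP a.b.c.d.sport > e.f.g.h.dport: ..." as printed by tcpdump -nn
LINE_RE = re.compile(r"^\S+ IP (\S+?)\.(\d+) > (\S+?)\.(\d+): ")


def parse(lines):
    """Yield (src_ip, sport, dst_ip, dport) for every line that looks like a packet."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield (ip_address(m.group(1)), int(m.group(2)),
                   ip_address(m.group(3)), int(m.group(4)))


def triage(lines):
    """Run the three checks from the thread and return the findings as a dict."""
    dns_servers = set()          # resolvers the clients actually asked
    portal_syn = set()           # client ports that tried PORTAL_IP:PORTAL_PORT
    portal_reply = set()         # client ports the portal answered on
    pre_auth_external = set()    # off-net hosts reached without a login

    for src, sport, dst, dport in parse(lines):
        from_client = src in PORTAL_NET and src != PORTAL_IP
        if from_client and dport == 53:
            dns_servers.add(dst)
        if from_client and dst == PORTAL_IP and dport == PORTAL_PORT:
            portal_syn.add(sport)
        if src == PORTAL_IP and sport == PORTAL_PORT and dst in PORTAL_NET:
            portal_reply.add(dport)
        if from_client and dst not in PORTAL_NET and dport != 53:
            pre_auth_external.add(dst)

    return {
        # Gertjan's first condition: every lookup must go to the portal interface.
        "dns_only_via_portal": bool(dns_servers) and dns_servers == {PORTAL_IP},
        "dns_servers_seen": sorted(str(ip) for ip in dns_servers),
        # The redirect target must answer; a SYN with no reply means nothing listens
        # on that port or a rule drops it.
        "portal_port_answers": bool(portal_syn & portal_reply),
        "portal_syn_unanswered": sorted(portal_syn - portal_reply),
        # Every Allowed IP entry is a pre-auth bypass of the login page; list them.
        "pre_auth_external_hosts": sorted(str(ip) for ip in pre_auth_external),
    }


# Constructed sample: three lines from the poster's capture plus a DNS query to
# 8.8.8.8 and two unanswered SYNs to the portal port (not from the original post).
SAMPLE_BROKEN = """\
01:54:46.684336 IP 10.4.0.102.50045 > 8.8.4.4.443: tcp 0
01:54:46.705287 IP 8.8.4.4.443 > 10.4.0.102.50045: tcp 0
01:54:46.732608 IP 10.4.0.102.50046 > 17.253.13.206.443: tcp 0
01:54:47.100000 IP 10.4.0.102.51000 > 8.8.8.8.53: UDP, length 34
01:54:47.900000 IP 10.4.0.102.51001 > 10.4.0.1.8003: tcp 0
01:54:48.900000 IP 10.4.0.102.51001 > 10.4.0.1.8003: tcp 0
""".splitlines()

# Constructed sample of what a working zone looks like: DNS to the portal
# interface and the portal answering the redirected connection.
SAMPLE_OK = """\
02:00:00.000000 IP 10.4.0.102.52000 > 10.4.0.1.53: UDP, length 34
02:00:00.010000 IP 10.4.0.1.53 > 10.4.0.102.52000: UDP, length 50
02:00:00.200000 IP 10.4.0.102.52001 > 10.4.0.1.8003: tcp 0
02:00:00.201000 IP 10.4.0.1.8003 > 10.4.0.102.52001: tcp 0
""".splitlines()


if __name__ == "__main__":
    for name, lines in (("broken", SAMPLE_BROKEN), ("ok", SAMPLE_OK)):
        print(name)
        for key, value in triage(lines).items():
            print(f"  {key}: {value}")
```

Feed it a real capture with `tcpdump -nn -q -i <vlan interface>` saved to a file and pass the lines to `triage()`. If `dns_only_via_portal` is false, the DHCP server for the zone is handing out a resolver other than the portal interface (the poster's 8.8.8.8/8.8.4.4 exceptions point that way), and the captive portal's DNS interception never sees the lookup. If `portal_syn_unanswered` is non-empty, confirm from a client with `nc -zv 10.4.0.1 8003` and check that the zone's rules on the portal interface pass traffic to the interface address on that port.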
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.