Captive portal login page not served
-
I am unable to get captive portal to work, despite trying to keep everything as simple as possible. Any help would be appreciated.
I have a Netgate 4100 running the latest pfSense+ (23.09-RELEASE). One of the LAN ports is connected to a Ubiquiti wireless access point. The WAP has four SSIDs, each of which is mapped to its own VLAN. Three of these are private (requiring authentication to join), and one is open, but I want to require vouchers to get onto the Internet. The private VLANs can all connect to the Internet, and the open one can too if I add exceptions to the captive portal, so I think the basic setup is right.
The problem is that I never get an authentication/login page to appear for the captive portal.
I have checked the following:
- The wireless client gets a valid IP address (10.4.0.X). This is served up by the pfSense+ DHCP server for that VLAN.
- The client is able to do DNS lookups (verified with packet capture on the VLAN interface). I added IP exceptions for 8.8.8.8 and 8.8.4.4 because the pfSense DNS Resolver did not seem to be working (is this a clue?).
- Using Chrome, an attempt to open an http:// URL resulted in a redirect back to 10.4.0.1:8003/.../... but this timed out. In other words, it looks like something caught the request at port 80 and sent a redirect to port 8003, but nothing responded at port 8003. I tried adding a firewall rule to allow traffic to 10.4.0.1 in case this was somehow being blocked, and no packets were ever matched to it, so I don't think that is the problem. (I since removed that rule since it seemed like it could cause more harm than good.)
- On an iPhone, I can connect to the network but it warns that it has no Internet connection. There is a fair amount of traffic from the iPhone (10.4.0.102) including DNS lookups and some attempts to talk to Apple (excerpt below):
01:54:46.684336 IP 10.4.0.102.50045 > 8.8.4.4.443: tcp 0
01:54:46.685414 IP 10.4.0.102.50045 > 8.8.4.4.443: tcp 39
01:54:46.703472 IP 10.4.0.102.50045 > 8.8.4.4.443: tcp 183
01:54:46.705287 IP 8.8.4.4.443 > 10.4.0.102.50045: tcp 0
01:54:46.721136 IP 8.8.4.4.443 > 10.4.0.102.50045: tcp 0
01:54:46.722530 IP 8.8.4.4.443 > 10.4.0.102.50045: tcp 83
01:54:46.722557 IP 8.8.4.4.443 > 10.4.0.102.50045: tcp 499
01:54:46.722615 IP 8.8.4.4.443 > 10.4.0.102.50045: tcp 31
01:54:46.722633 IP 8.8.4.4.443 > 10.4.0.102.50045: tcp 39
01:54:46.726709 IP 10.4.0.102.50045 > 8.8.4.4.443: tcp 0
01:54:46.727244 IP 10.4.0.102.50045 > 8.8.4.4.443: tcp 39
01:54:46.732608 IP 10.4.0.102.50046 > 17.253.13.206.443: tcp 0
01:54:46.751325 IP 8.8.4.4.443 > 10.4.0.102.50045: tcp 0
01:54:46.768052 IP 10.4.0.102.50046 > 17.253.13.206.443: tcp 0
01:54:46.803764 IP 10.4.0.102.50046 > 17.253.13.206.443: tcp 0
01:54:46.840056 IP 10.4.0.102.50046 > 17.253.13.206.443: tcp 0
01:54:46.841678 IP 10.4.0.102.50047 > 17.253.13.208.443: tcp 0
01:54:46.843259 IP 8.8.8.8.443 > 10.4.0.102.50044: tcp 0
01:54:46.874561 IP 10.4.0.102.50046 > 17.253.13.206.443: tcp 0
01:54:46.876889 IP 10.4.0.102.50044 > 8.8.8.8.443: tcp 0
01:54:46.909429 IP 10.4.0.102.50046 > 17.253.13.206.443: tcp 0
01:54:46.974858 IP 10.4.0.102.50046 > 17.253.13.206.443: tcp 0
One thing that is really odd: if I try to go to a nonsense URL (http://10.10.10.10) on the iPhone, the URL in Safari changes to say "data:text/html," as though it is interpreting HTML as a URL. I eventually get a "server stopped responding" error.
I haven't done much to the configuration to try to set up captive portal. I created a roll of 1000 vouchers and turned it on. As far as I can tell, the captive portal service just isn't sending the required HTML for the authentication page when queried.
I assume that there is a default captive portal page that will just come up and that I don't have to create a custom page to make this work.
This is all for a home network, so I don't have a real certificate I can use for HTTPS authentication. I am trying to use HTTP for the captive portal.
My firewall rules are about as simple as can be. It is possible that some other part of my configuration is to blame, but I don't know where to look.
Any advice? Thanks.
-
@ratcrow said in Captive portal login page not served:
because the pfSense DNS Resolver did not seem to be working (is this a clue?).
Yes, it is the most common failure, see Troubleshooting Captive Portal.
Typically, you include in the DHCP lease (server side !) the IP of the captive portal interface of pfSense.
This is the case by default.
Two conditions must be true:
You have to allow traffic to port 53, protocol TCP and UDP, where the IP is the IP of the captive portal network.
This is the case by default (see my firewall line below).
Unbound has to listen on this interface.
This is the case by default.
@ratcrow said in Captive portal login page not served:
I assume that there is a default captive portal page that will just come up and that I don't have to create a custom page to make this work.
Exact.
@ratcrow said in Captive portal login page not served:
My firewall rules are about as simple as can be. It is possible that some other part of my configuration is to blame, but I don't know where to look
This is the 'simple one': only the last yellow line:
Afterwards you can add new, more specific 'block' rules above this line.
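The reply above says the usual culprit is DNS: the client has to send its port-53 queries to the captive portal interface, and the portal port has to answer. A quick way to confirm both from a pfSense packet capture is to classify the capture lines by destination. The script below is an added example, not code from the thread or from pfSense; it parses the `tcpdump -q` style lines shown in the question (`src.port > dst.port: tcp 0`) and reports which DNS servers the client used and whether the portal port was contacted and replied. The portal IP 10.4.0.1 and port 8003 come from the post; the two sample captures are constructed to show the broken case (DNS to 8.8.8.8, no answer on 8003) beside a working one.

```python
"""Check captive-portal prerequisites from a tcpdump -q style capture.

Added example, not from the forum thread or from pfSense. The sample
capture lines below are constructed; only the line format matches the
excerpt in the post. Portal IP 10.4.0.1 and port 8003 are from the post.
"""
import re

# tcpdump -q line: "HH:MM:SS.uuuuuu IP src.sport > dst.dport: proto ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<proto>\w+)"
)

# Constructed: client resolves via 8.8.8.8 and the portal never answers.
CAPTURE_BROKEN = """\
01:54:40.100000 IP 10.4.0.102.51000 > 8.8.8.8.53: UDP, length 40
01:54:40.120000 IP 8.8.8.8.53 > 10.4.0.102.51000: UDP, length 56
01:54:41.000000 IP 10.4.0.102.50050 > 10.4.0.1.8003: tcp 0
01:54:42.000000 IP 10.4.0.102.50050 > 10.4.0.1.8003: tcp 0
01:54:46.684336 IP 10.4.0.102.50045 > 8.8.4.4.443: tcp 0
"""

# Constructed: DNS goes to the portal interface and port 8003 answers.
CAPTURE_WORKING = """\
01:55:10.000000 IP 10.4.0.102.51001 > 10.4.0.1.53: UDP, length 40
01:55:10.002000 IP 10.4.0.1.53 > 10.4.0.102.51001: UDP, length 56
01:55:10.100000 IP 10.4.0.102.50060 > 10.4.0.1.8003: tcp 0
01:55:10.101000 IP 10.4.0.1.8003 > 10.4.0.102.50060: tcp 0
01:55:10.102000 IP 10.4.0.102.50060 > 10.4.0.1.8003: tcp 310
"""


def parse_line(line):
    """Return a dict of fields for one capture line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    pkt["sport"] = int(pkt["sport"])
    pkt["dport"] = int(pkt["dport"])
    return pkt


def analyse(capture, portal_ip, portal_port):
    """Summarise the DNS and portal-port traffic seen in the capture."""
    dns_servers = set()      # destinations of the client's port-53 traffic
    portal_contacted = False  # client sent something to portal_ip:portal_port
    portal_answered = False   # portal_ip:portal_port sent something back
    for line in capture.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["dport"] == 53:
            dns_servers.add(pkt["dst"])
        if pkt["dst"] == portal_ip and pkt["dport"] == portal_port:
            portal_contacted = True
        if pkt["src"] == portal_ip and pkt["sport"] == portal_port:
            portal_answered = True
    return {
        "dns_servers": sorted(dns_servers),
        "dns_via_portal": portal_ip in dns_servers,
        "portal_contacted": portal_contacted,
        "portal_answered": portal_answered,
    }


def diagnose(summary, portal_ip, portal_port):
    """Turn the summary into the findings a troubleshooter acts on."""
    findings = []
    if not summary["dns_via_portal"]:
        findings.append(
            "DNS is not going to %s; check the DHCP DNS option, the port-53 "
            "pass rule and that Unbound listens on the portal interface "
            "(seen: %s)" % (portal_ip, summary["dns_servers"] or "none")
        )
    if summary["portal_contacted"] and not summary["portal_answered"]:
        findings.append(
            "client reached %s:%d but got no reply; the portal listener is "
            "not answering" % (portal_ip, portal_port)
        )
    return findings


if __name__ == "__main__":
    for name, cap in (("broken", CAPTURE_BROKEN), ("working", CAPTURE_WORKING)):
        s = analyse(cap, "10.4.0.1", 8003)
        print(name, s)
        for f in diagnose(s, "10.4.0.1", 8003):
            print("  -", f)
```

Feed it the text of a Diagnostics > Packet Capture run on the portal VLAN interface (full detail off, so lines look like the excerpt above); an empty findings list means both conditions the reply describes are met.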