Captiv portal and vouchers integration with ssid on wlc 9800

johnpoz

@Jozy said in Captiv portal and vouchers integration with ssid on wlc 9800:

It is very weird that I have to use redirection on WLC to pfSense Captiv Portal.

YOU DON'T! You should not set any web auth anything on this ssid you setup in wlc.

If your client that gets and IP on this network you have can not ping pfsense IP on that interface - what are the rules you setup on that interface in pfsense?

Jozy

@johnpoz
Rules below

I disabled web adn can see that there is no redirection

"You said - You should not set any web auth anything on this ssid you setup in wlc. " Yes, I know but in case I dont set any web auth it redirects to nowhere.

I dont know if it is possible to setup to work, since Cisco maybe has itself rules or incompatibility with ?

If you know anyone who already did this ??

Gertjan

@Jozy

What / why is this ?

Btw : don't use things (devices) or rules like this that no one else has ever tried.
Use proven methods.

johnpoz

@Jozy said in Captiv portal and vouchers integration with ssid on wlc 9800:

I dont know if it is possible to setup to work, since Cisco maybe has itself rules or incompatibility with ?

nonsense - it can clearly setup a SSID that just connects to the network with no auth - just an open network.

Normally when you run a captive portal the connection to the wifi is open, and the user auths with the captive portal.

maybe this would be a good video for you to watch

Youtube Video

And with @Gertjan why would you setup a port forward???

Jozy

@johnpoz this is just basic video of how to configure basic/initial things.
I agree with you that is should be just setup ssid and connect to network.
I get dhcp address on both PC and wirelles, PC works on somw and wifi not.
Not sure why cant ping over wifi my pfsense lan address but over wired network it works. There must be some other rule or permission on wlc or somwhere whic dont send echo replay or something.
Im tired, seems will look for some other solution

johnpoz

@Jozy again what rules do you have on this pfsense interface? What makes more sense wlc doing some odd firewalling thing when its just a AP when comes down to it or you have no rule to allow icmp on pfsense which when you create a new interface zero rules are on it.

Create you simple wifi setup and do not enable captive portal on pfsense yet for this network. Make sure you have rules on this interface that allows what you want. I would start with any any rule.

Make sure that works, you can ping pfsense IP, you can surf the internet, etc..

Then enable the captive portal.

to pfsense there is zero difference between a wireless client or a wired client - because to pfsense they come in on a wire.

Jozy

@johnpoz this is what I sent earlier is interface OPT1 with any any

It is the same, with or without captiv portal enabled.
The thing is as you said I deal with you that wlc have some restictions and should bypass it, but what

johnpoz

@Jozy so your saying you can browse the internet through pfsense, but it doesn't answer ping?

And those are the only rules you have for this interface - do you have any rules in floating?

On your client when you try and ping pfsense IP, do you see the mac in the arp table?

Do you have some ACLs set on your WLC - why would you block icmp??

If your mac shows up and you say you can get internet through pfsense.. I would do a simple packet capture on that opt1 interface while you pinging.. If you do not see the ping - they yeah you have something blocking it between the client and pfsense. If you see the pings but just no answer than points to a floating rule in pfsense blocking it.. Or some weirdness with mask or something, but seems unlikely that internet through pfsense would work then.

Jozy

@johnpoz I have following situation.
Ping from OPT1 to 8.8.8.8 is working

Ping from PC to 8.8.8.8 and resolving you can see below

I can not ping gateway from the PC but can ping lan ip address

arp table below

why default gateway is offline?? hm
30938951-b264-4337-af02-ce8a88001278-image.png

Floating rules

Wan rules

OPT1 rules where is network for wifi and im testing wired as well

NAT rules

It is wierd I get captiv portal page but dont get internet even if I can ping and resolve it

On port group on vmware for WLC I found missing vlan id 1160 which im using in network and dhcp and I have added it.
First have to figure out why I dont get internet over OPT1 network even if Captiv portal is showing up.

johnpoz

@Jozy if this is pfsense IP

Why would .13 be saying it can not get there and be answering? That is your client device?

What is pfsense IP address on opt1, this network your wireless device is on??? is it that 160.1 address - if so then pfsense doesn't even know its own mac address?

From that I would say pfsense IP on opt1 is the .229 address - why are you trying to ping 160.1 ???

Why are you using manual nat - which doesn't have this 10.223.160 network even?? Why would you have outbound nat set for your lan interface? Why would you use a source of any?

No wonder you are having issue - this is a complete and utter train wreck!

Set your outbound nat to auto..

Show the configuration of this opt1 network, lets see the output of ipconfig /all on your client.

You understand if pfsense IP is this .229, that would be the gateway of anything on the 10.223.160.0/24 network you setup on the opt1 interface.. What do you think this 160.1 address is - that is not pfsense, that that some other device on your network that you want to use to get off the network, ie a gateway.. Well pfsense can't even get a mac for this - so clearly its not actually on the network even..

Here as example this is a lan side interface of pfsense - its IP is .253, see how my client on this network points to that .253 address as its gateway

this is typical sort of outbound nat you would have have

Those are all my lan side of pfsense networks, pfsense has an IP in all of those networks.. The pfsense IP on those networks is the gateway for the devices on those network.. All my IPs on pfsense end in .253, .253 is the gateway for all the devices on the different networks..

Devices on my 192.168.3 would use pfsense IP on that network 192.168.3.253, devices on my 192.168.0/24 network would use pfsense IP on that network 192.168.6.253, etc..

Where and why would a device be using this 10.223.160.1 as a gateway? If some device is using that 160.1 as a gateway it sure is not going to send any traffic to pfsense, nor would it ever be able to use pfsense as a captive portal.

Jozy

@johnpoz I dont get it anymore. You said above "What nat rules - did you edit your outbound nat to not be auto?" now why "Set your outbound nat to auto.." hm

I would like to thank you for your time, but now definitely I give up :)

johnpoz

@Jozy good luck with that mess.. I asked if you had messed with your outbound nat, I didn't say set it to manual..

Auto is the default - all of this would work with clicky, clicky with pfsense out of the box - the only reason it wouldn't is you messed with the defaults, etc..

Or you not even using pfsense as the gateway.. Which it seems your not.. ugggh..