Captive portal

cdc1975

Ciao a tutti,

Ho installato per prova un pfsense 2.0 su ALIX.2D13 e vorrei provare la funzione di captive portal.

Il problema è il server non mi reindirizza correttamente alla pagina di autenticazione, ottengo infatti da firefox l'errore "Questa pagina non reindirizza in modo corretto. Firefox ha rilevato che il server sta reindirizzando la richiesta per questa pagina in modo che non possa mai essere completata."

Se accedo a http://192.168.1.1:8000 ho solo una pagina bianca.

Riporto il file di configurazione di prova, ho provato + volte a ripartire dal default factory ma non riesco mai a trovare l'intoppo. Nell'elenco delle problematiche legate alla 2.0 non trovo nessuna segnalazione a riguardo.

Se qualcuno mi può dare un suggerimento lo ringrazio anticipatamente.

Config file:

<pfsense><version>6.3</version>
<lastchange><theme>pfsense_ng</theme>
<sysctl><desc>Set the ephemeral port range to be lower.</desc>
<tunable>net.inet.ip.portrange.first</tunable>
<value>default</value>
<desc>Drop packets to closed TCP ports without returning a RST</desc>
<tunable>net.inet.tcp.blackhole</tunable>
<value>default</value>
<desc>Do not send ICMP port unreachable messages for closed UDP ports</desc>
<tunable>net.inet.udp.blackhole</tunable>
<value>default</value>
<desc>Randomize the ID field in IP packets (default is 0: sequential IP IDs)</desc>
<tunable>net.inet.ip.random_id</tunable>
<value>default</value>
<desc>Drop SYN-FIN packets (breaks RFC1379, but nobody uses it anyway)</desc>
<tunable>net.inet.tcp.drop_synfin</tunable>
<value>default</value>
<desc>Enable sending IPv4 redirects</desc>
<tunable>net.inet.ip.redirect</tunable>
<value>default</value>
<desc>Enable sending IPv6 redirects</desc>
<tunable>net.inet6.ip6.redirect</tunable>
<value>default</value>
<desc>Generate SYN cookies for outbound SYN-ACK packets</desc>
<tunable>net.inet.tcp.syncookies</tunable>
<value>default</value>
<desc>Maximum incoming/outgoing TCP datagram size (receive)</desc>
<tunable>net.inet.tcp.recvspace</tunable>
<value>default</value>
<desc>Maximum incoming/outgoing TCP datagram size (send)</desc>
<tunable>net.inet.tcp.sendspace</tunable>
<value>default</value>
<desc>IP Fastforwarding</desc>
<tunable>net.inet.ip.fastforwarding</tunable>
<value>default</value>
<desc>Do not delay ACK to try and piggyback it onto a data packet</desc>
<tunable>net.inet.tcp.delayed_ack</tunable>
<value>default</value>
<desc>Maximum outgoing UDP datagram size</desc>
<tunable>net.inet.udp.maxdgram</tunable>
<value>default</value>
<desc>Handling of non-IP packets which are not passed to pfil (see if_bridge(4))</desc>
<tunable>net.link.bridge.pfil_onlyip</tunable>
<value>default</value>
<desc>Set to 0 to disable filtering on the incoming and outgoing member interfaces.</desc>
<tunable>net.link.bridge.pfil_member</tunable>
<value>default</value>
<desc>Set to 1 to enable filtering on the bridge interface</desc>
<tunable>net.link.bridge.pfil_bridge</tunable>
<value>default</value>
<desc>Allow unprivileged access to tap(4) device nodes</desc>
<tunable>net.link.tap.user_open</tunable>
<value>default</value>
<desc>Verbosity of the rndtest driver (0: do not display results on console)</desc>
<tunable>kern.rndtest.verbose</tunable>
<value>default</value>
<desc>Randomize PID's (see src/sys/kern/kern_fork.c: sysctl_kern_randompid())</desc>
<tunable>kern.randompid</tunable>
<value>default</value>
<desc>Maximum size of the IP input queue</desc>
<tunable>net.inet.ip.intr_queue_maxlen</tunable>
<value>default</value>
<desc>Disable CTRL+ALT+Delete reboot from keyboard.</desc>
<tunable>hw.syscons.kbd_reboot</tunable>
<value>default</value>
<desc>Enable TCP Inflight mode</desc>
<tunable>net.inet.tcp.inflight.enable</tunable>
<value>default</value>
<desc>Enable TCP extended debugging</desc>
<tunable>net.inet.tcp.log_debug</tunable>
<value>default</value>
<desc>Set ICMP Limits</desc>
<tunable>net.inet.icmp.icmplim</tunable>
<value>default</value>
<desc>TCP Offload Engine</desc>
<tunable>net.inet.tcp.tso</tunable>
<value>default</value>
<desc>TCP Offload Engine - BCE</desc>
<tunable>hw.bce.tso_enable</tunable>
<value>default</value></sysctl>
<system><optimization>normal</optimization>
<hostname>fw</hostname>
<domain>intranet.net</domain>
<group><name>all</name>

<scope>system</scope>
<gid>1998</gid>
<member>0</member></group>
<group><name>admins</name>

<scope>system</scope>
<gid>1999</gid>
<member>0</member>
<priv>page-all</priv></group>
<user><name>admin</name>
<fullname>System Administrator</fullname>
<scope>system</scope>
<groupname>admins</groupname>
<password>$1$eRkJYBdc$eNo4qKmZCiBWpJHTq92Bc.</password>
<uid>0</uid>
<priv>user-shell-access</priv>
<md5-hash>21232f297a57a5a743894a0e4a801fc3</md5-hash>
<nt-hash>a281fad8d0de9635da57c0fe96220aa2</nt-hash></user>
<user><scope>user</scope>
<password>$1$rMNP4/sN$t.dayWIxkXO84LNFHdLyU0</password>
<md5-hash>c9f5c29cf490da28e0ee29dddc7151c5</md5-hash>
<nt-hash>f51df19a5bd2d915a4347ad5088bef14</nt-hash>
<name>test</name>
<fullname><expires><authorizedkeys><uid>2000</uid></authorizedkeys></expires></fullname></user>
<nextuid>2001</nextuid>
<nextgid>2000</nextgid>
<timezone>Europe/Rome</timezone>
<time-update-interval><timeservers>1.europe.pool.ntp.org</timeservers>
<webgui><protocol>https</protocol>
<ssl-certref>4bfd8e989ef1e</ssl-certref></webgui>
<disablenatreflection>yes</disablenatreflection>
<cert><refid>4bfd8e989ef1e</refid>
<name>webConfigurator default</name>
<crt>crt></crt></cert>
<cert><refid>4bfe2e83641cd</refid>
<name>CERTIFICATO-CP</name>
<caref>4bfe2e348fde3</caref></cert>
<enablesshd>enabled</enablesshd>
<dnsserver>208.67.222.222</dnsserver>
<dnsserver>208.67.220.220</dnsserver>
<dnsallowoverride><dns1gwint>none</dns1gwint>
<dns2gwint>none</dns2gwint>
<dns3gwint>none</dns3gwint>
<dns4gwint>none</dns4gwint>
<ca><refid>4bfe2e348fde3</refid>
<name>certCP</name>

<serial>1</serial></ca></dnsallowoverride></time-update-interval></system>
<interfaces><wan><enable><if>vr1</if>
<mtu>1500</mtu>
<media><mediaopt><ipaddr>10.39.251.140</ipaddr>
<subnet>24</subnet>
<spoofmac></spoofmac></mediaopt></media></enable></wan>
<lan><enable><if>vr0</if>
<ipaddr>192.168.1.1</ipaddr>
<subnet>24</subnet>
<media><mediaopt></mediaopt></media></enable></lan></interfaces>
<staticroutes><pppoe><username><password></password></username></pppoe>
<pptp><username><password></password></username></pptp>
<dhcpd><lan><enable><range><from>192.168.1.10</from>
<to>192.168.1.100</to></range>
<defaultleasetime><maxleasetime><netmask></netmask>
<failover_peerip><gateway><domain><domainsearchlist><ddnsdomain><tftp><ldap><next-server><filename><rootpath></rootpath></filename></next-server></ldap></tftp></ddnsdomain></domainsearchlist></domain></gateway></failover_peerip></maxleasetime></defaultleasetime></enable></lan></dhcpd>
<pptpd><mode><redir><localip></localip></redir></mode></pptpd>
<ovpn><dnsmasq><enable><hosts><host>fw</host>
<domain>intranet.net</domain>
<ip>192.168.1.1</ip></hosts></enable></dnsmasq>
<snmpd><syslocation><syscontact><rocommunity>public</rocommunity></syscontact></syslocation></snmpd>
<diag><ipv6nat><ipaddr></ipaddr></ipv6nat></diag>
<bridge><syslog><nat><ipsecpassthru><enable></enable></ipsecpassthru></nat>
<filter><rule><id><type>pass</type>
<interface>wan</interface>
<max><max-src-nodes><max-src-conn><max-src-states><statetimeout><statetype>keep state</statetype>
<os><protocol>tcp</protocol>
<source>
<any><destination><any></any></destination></any></os></statetimeout></max-src-states></max-src-conn></max-src-nodes></max></id></rule>
<rule><id><type>pass</type>
<interface>lan</interface>
<max><max-src-nodes><max-src-conn><max-src-states><statetimeout><statetype>keep state</statetype>
<os><source>
<network>lan</network>

<destination><any></any></destination></os></statetimeout></max-src-states></max-src-conn></max-src-nodes></max></id></rule></filter>
<shaper><ipsec><preferredoldsa></preferredoldsa></ipsec>
<aliases><proxyarp><cron><minute>0</minute>
<hour></hour>
<mday></mday>
<month></month>
<wday></wday>
<who>root</who>
<command></command>/usr/bin/nice -n20 newsyslog
<minute>1,31</minute>
<hour>0-5</hour>
<mday></mday>
<month></month>
<wday></wday>
<who>root</who>
<command></command>/usr/bin/nice -n20 adjkerntz -a
<minute>1</minute>
<hour>3</hour>
<mday>1</mday>
<month></month>
<wday></wday>
<who>root</who>
<command></command>/usr/bin/nice -n20 /etc/rc.update_bogons.sh
<minute>/60</minute>
<hour></hour>
<mday></mday>
<month></month>
<wday></wday>
<who>root</who>
<command></command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshlockout
<minute>1</minute>
<hour>1</hour>
<mday></mday>
<month></month>
<wday></wday>
<who>root</who>
<command></command>/usr/bin/nice -n20 /etc/rc.dyndns.update
<minute>/60</minute>
<hour></hour>
<mday></mday>
<month></month>
<wday></wday>
<who>root</who>
<command></command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot
<minute>/5</minute>
<hour></hour>
<mday></mday>
<month></month>
<wday>*</wday>
<who>root</who>
<command></command>/usr/bin/nice -n20 /usr/local/bin/checkreload.sh</cron>
<wol><rrd><enable></enable></rrd>
<load_balancer><monitor_type><name>ICMP</name>
<type>icmp</type>
<desc>ICMP</desc></monitor_type>
<monitor_type><name>TCP</name>
<type>tcp</type>
<desc>Generic TCP</desc></monitor_type>
<monitor_type><name>HTTP</name>
<type>http</type>
<desc>Generic HTTP</desc>
<options><path>/</path>
<host>200</host></options></monitor_type>
<monitor_type><name>HTTPS</name>
<type>https</type>
<desc>Generic HTTPS</desc>
<options><path>/</path>
<host>200</host></options></monitor_type>
<monitor_type><name>SMTP</name>
<type>send</type>
<desc>Generic SMTP</desc>
<options><send>EHLO nosuchhost</send>
<expect>250-</expect></options></monitor_type></load_balancer>
<widgets><sequence>system_information-container:col1:show,captive_portal_status-container:col1:close,carp_status-container:col1:close,cpu_graphs-container:col1:close,gateways-container:col1:close,gmirror_status-container:col1:close,installed_packages-container:col1:close,interface_statistics-container:col1:close,interfaces-container:col2:show,ipsec-container:col2:close,load_balancer_status-container:col2:close,log-container:col2:close,picture-container:col2:close,rss-container:col2:close,services_status-container:col2:close,traffic_graphs-container:col2:close</sequence></widgets>
<revision><time>1274950593</time>

<username>admin</username></revision>
<l7shaper><container></container></l7shaper>
<dnshaper><gateways><gateway_item><interface>wan</interface>
<gateway>10.39.251.5</gateway>
<name>netscreen</name>
<weight>1</weight>
<descr><defaultgw></defaultgw></descr></gateway_item></gateways>
<openvpn><captiveportal><page><timeout>60</timeout>
<interface>lan</interface>
<maxproc><idletimeout><enable><auth_method>local</auth_method>
<reauthenticateacct><httpsname>fw.intranet.net</httpsname>
<bwdefaultdn><bwdefaultup><certificate></certificate>
<cacertificate><private-key></private-key>
<redirurl>http://www.google.it</redirurl>
<radiusip><radiusip2><radiusport><radiusport2><radiusacctport><radiuskey><radiuskey2><radiusvendor>default</radiusvendor>
<radmac_format>default</radmac_format>
<logoutwin_enable></logoutwin_enable></radiuskey2></radiuskey></radiusacctport></radiusport2></radiusport></radiusip2></radiusip></cacertificate></bwdefaultup></bwdefaultdn></reauthenticateacct></enable></idletimeout></maxproc></page></captiveportal></openvpn></dnshaper></wol></proxyarp></aliases></shaper></syslog></bridge></ovpn></staticroutes></lastchange></pfsense>

Ecco anche l'output del comando ipfw list:

65291 allow pfsync from any to any
65292 allow carp from any to any
65301 allow ip from any to any layer2 mac-type 0x0806
65302 allow ip from any to any layer2 mac-type 0x888e
65303 allow ip from any to any layer2 mac-type 0x88c7
65304 allow ip from any to any layer2 mac-type 0x8863
65305 allow ip from any to any layer2 mac-type 0x8864
65306 allow ip from any to any layer2 mac-type 0x888e
65307 deny ip from any to any layer2 not mac-type 0x0800
65310 allow udp from any 68 to { 255.255.255.255 or 192.168.1.1 } dst-port 67 in
65311 allow udp from any 68 to { 255.255.255.255 or 192.168.1.1 } dst-port 67 in
65312 allow udp from { 255.255.255.255 or 192.168.1.1 } 67 to any dst-port 68 ou
t
65313 allow icmp from { 255.255.255.255 or 192.168.1.1 } to any out icmptypes 0
65314 allow icmp from any to { 255.255.255.255 or 192.168.1.1 } in icmptypes 8
65315 allow udp from any to { 255.255.255.255 or 192.168.1.1 } dst-port 53 in
65316 allow udp from { 255.255.255.255 or 192.168.1.1 } 53 to any out
65317 allow tcp from any to { 255.255.255.255 or 192.168.1.1 } dst-port 8000 in
65318 allow tcp from { 255.255.255.255 or 192.168.1.1 } 8000 to any out
65319 allow tcp from any to { 255.255.255.255 or 192.168.1.1 } dst-port 443 in
65320 allow tcp from { 255.255.255.255 or 192.168.1.1 } 443 to any out
65321 allow ip from table(3) to any in
65322 allow ip from any to table(4) out
65323 pipe tablearg ip from table(5) to any in
65324 pipe tablearg ip from any to table(6) out
65325 allow ip from any to table(7) in
65326 allow ip from table(8) to any out
65327 pipe tablearg ip from any to table(9) in
65328 pipe tablearg ip from table(10) to any out
65329 allow ip from table(1) to any in
65330 allow ip from any to table(2) out
65531 fwd 127.0.0.1,8000 tcp from any to any in
65532 allow tcp from any to any out
65533 deny ip from any to any
65534 allow ip from any to any layer2
65535 allow ip from any to any