CP still not working for me on VLAN
-
I encountered an issue some time ago with captive portal not working on my VLAN wifi, which resulted in issue #357, which was apparently resolved way back in March. I'm still running into exactly the same problem though; I can see the captive user's traffic hit the firewall with tcpdump, but no response traffic ever goes out. The user never makes a connection to anything, just times out. DNS does seem to work.
As before, manually navigating to the CP URL and clicking through connects the user and it works fine after that. I've tried various adjustments to the CP configuration, but my setup is pretty basic, there's not much to be changed.
The hit count on the fwd rule does increase.
-
That was indeed fixed in March, we've put a number of CP deployments on 2.0 in production since then using VLANs with no issues. Even assigning the parent, with or without CP, works fine where that can't be done in 1.2.3.
Can you email me your full configuration? cmb at pfsense dot org, and link this thread.
-
You've got all kinds of stuff going on in that config. I don't see anything obviously wrong, but there are numerous things in there that could potentially be the cause (my first guess would be packages, but looking through what you have on there, I don't think any of them would cause problems).
I suggest building another box for testing, setup just the VLANs, IPs, firewall rules, and CP and see if that works (it definitely should). Then start dropping in bits of your configuration and see what happens.
Before going that far, some things to check:
1) Make sure you have basic IP connectivity. You should be able to ping that interface IP.
2) Try to load the portal page manually by browsing to http://<interface ip>:8000. If that loads, and you click through, do you get out?
-
Yeah, it's my home 'do as much as I can and actually exercise it to see what breaks' setup, I'm not surprised to see some conflicts drop out, but that's good, right :P
I'll see if I can blow away the config and restore it bit by bit to narrow it down, but it'll take me some time to get to that.
- Yup
- Yup, works fine if I do it manually, it appears to be either the forward rule not working or the return traffic not arriving at the client
-
Get a packet capture on the interface running CP and grab what happens when you try to browse somewhere. Download the pcap and email it to me.
-
The pcap shows nothing is answering the SYN, so something you have there is overriding that fwd, possibly Squid with its rdr. Either start clean and see at what point it breaks as you add things, or start removing things, I'd start with Squid, and see what happens.
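
Added example, not part of the thread: a small Python check over `tcpdump -nn` text output that lists client SYNs which never received a SYN-ACK or RST, the symptom described in the last reply. The sample capture, its addresses and the function name `unanswered_syns` are constructed for illustration.

```python
import re
from collections import Counter

# Matches the IPv4 TCP lines printed by `tcpdump -nn`.
LINE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

def unanswered_syns(lines):
    """Return {(src, sport, dst, dport): syn_count} for SYNs nothing replied to."""
    syns = Counter()
    answered = set()
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        src = (m["src"], int(m["sport"]))
        dst = (m["dst"], int(m["dport"]))
        flags = m["flags"]
        if flags == "S":                    # client SYN; retransmits raise the count
            syns[src + dst] += 1
        elif flags in ("S.", "R", "R."):    # SYN-ACK or RST: something answered
            answered.add(dst + src)         # store in the client's direction
    return {flow: n for flow, n in syns.items() if flow not in answered}

# Constructed sample: browsing out on port 80 gets no reply, while loading
# the portal page directly on port 8000 completes the handshake.
SAMPLE = """\
12:00:01.100000 IP 192.168.20.50.51234 > 203.0.113.10.80: Flags [S], seq 1000, win 65535, length 0
12:00:04.100000 IP 192.168.20.50.51234 > 203.0.113.10.80: Flags [S], seq 1000, win 65535, length 0
12:00:10.100000 IP 192.168.20.50.51234 > 203.0.113.10.80: Flags [S], seq 1000, win 65535, length 0
12:00:20.000000 IP 192.168.20.50.51240 > 192.168.20.1.8000: Flags [S], seq 2000, win 65535, length 0
12:00:20.000300 IP 192.168.20.1.8000 > 192.168.20.50.51240: Flags [S.], seq 3000, ack 2001, win 65535, length 0
12:00:20.000600 IP 192.168.20.50.51240 > 192.168.20.1.8000: Flags [.], ack 1, win 65535, length 0
""".splitlines()

if __name__ == "__main__":
    for flow, count in unanswered_syns(SAMPLE).items():
        print("no reply to %s:%d -> %s:%d (%d SYNs)" % (flow + (count,)))
```

Running the same check on captures taken before and after disabling a suspect component shows at which point the forwarded connections start getting answered.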