    Captive portal not working on GRE interfaces

    2.0-RC Snapshot Feedback and Problems - RETIRED
    • M
      McGlenn last edited by

      Hi

      On 2.0-RC1, the captive portal does not seem to intercept traffic entering on GRE interfaces, although it does capture traffic on regular ethernet interfaces.

      When connecting through a GRE tunnel interface and fetching google, I get this (captive portal doesn't catch my traffic):

      Trying 74.125.79.99, 80 ... Open
      GET / HTTP/1.0
      
      HTTP/1.0 302 Found
      Location: http://www.google.be/
      Cache-Control: private
      Content-Type: text/html; charset=UTF-8
      Set-Cookie: PREF=ID=92151bd21683bc61:FF=0:TM=1301841304:LM=1301841304:S=pZwQDq9JTPIQetZe; expires=Tue, 02-Apr-2013 14:35:04 GMT; path=/; domain=.google.com
      Date: Sun, 03 Apr 2011 14:35:04 GMT
      Server: gws
      Content-Length: 218
      X-XSS-Protection: 1; mode=block
      
      <title>302 Moved</title>
      
      # 302 Moved
      
      The document has moved [here](http://www.google.be/).
      
      

      However when fetching the same google via an ethernet interface, the captive portal does catch my traffic:

      
      Trying 74.125.79.99, 80 ... Open
      GET / HTTP/1.0
      
      HTTP/1.0 302 Found
      Expires: Tue, 05 Apr 2011 16:35:21 GMT
      Expires: 0
      Cache-Control: max-age=180000
      Cache-Control: no-store, no-cache, must-revalidate
      Cache-Control: post-check=0, pre-check=0
      Pragma: no-cache
      Connection: close
      Location: http://74.125.79.99:8000/index.php?redirurl=http%3A%2F%2F%2F
      Content-type: text/html
      Content-Length: 0
      Date: Sun, 03 Apr 2011 14:35:22 GMT
      Server: lighttpd/1.4.28
      
      

      The captive portal is enabled on both interfaces, although I'm unsure how to verify if the required pf stuff has been created for both?

      Any pointers would be greatly appreciated.

      McGlenn
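
One way to check from the client side whether the portal is intercepting traffic on a given interface, as an added example that is not part of the original post. The portal signature it looks for (a redirect to port 8000 carrying a `redirurl` parameter) is taken from the Ethernet response quoted above and is an assumption for other versions or configurations; the sample strings are constructed from the two quoted responses, and the function names are hypothetical.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed samples, trimmed from the two responses quoted in the post.
VIA_GRE = ("HTTP/1.0 302 Found\r\n"
           "Location: http://www.google.be/\r\n"
           "Server: gws\r\n\r\n")
VIA_ETHERNET = ("HTTP/1.0 302 Found\r\n"
                "Connection: close\r\n"
                "Location: http://74.125.79.99:8000/index.php?redirurl=http%3A%2F%2F%2F\r\n"
                "Server: lighttpd/1.4.28\r\n\r\n")


def parse_response(raw):
    """Return (status, headers); header names lower-cased, repeats kept as lists."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = [line for line in head.split("\n") if line.strip()]
    if not lines or not lines[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response")
    parts = lines[0].split()
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError("malformed status line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(parts[1]), headers


def portal_intercepted(raw, portal_port=8000):
    """True when the reply redirects to a portal login URL (assumed signature)."""
    status, headers = parse_response(raw)
    if status not in (301, 302, 303, 307):
        return False
    for location in headers.get("location", []):
        url = urlsplit(location)
        query = parse_qs(url.query, keep_blank_values=True)
        if url.port == portal_port and "redirurl" in query:
            return True
    return False


def audit(samples):
    """Map each interface label to whether its captured reply was intercepted."""
    return {name: portal_intercepted(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, caught in audit({"gre": VIA_GRE, "ethernet": VIA_ETHERNET}).items():
        print(f"{name}: {'intercepted' if caught else 'NOT intercepted'}")
```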

      • C
        cmb last edited by

        Captive portal can only function on Ethernet interfaces.

        • M
          McGlenn last edited by

          Really? That's a real shame, as I want to keep guest internet access traffic completely separate from corporate traffic, which is why I built a GRE tunnel from the Cisco CPE router at the customer's site to the pfsense firewall in our datacenter.

          For my understanding, what is the reason for the captive portal only being supported on ethernet interfaces? How does the redirection for the captive portal work? Is this using pf NAT rules? Where are these rules defined?

          Thanks

          • jimp
            jimp Rebel Alliance Developer Netgate last edited by

            It works at layer 2 and requires the MAC address of the client to be passed in order to allow access. GRE can't work because it doesn't pass layer 2 info, only 3 and up.

            The redirect happens at layer 3, but only if the MAC isn't cleared by the layer 2 rules.

            It might be possible to rework the portal to work in that scenario, but it would take quite a bit of work.

            • M
              McGlenn last edited by

              Thanks for the clarification.

              Now whatever architecture I come up with, I am always going to have routers between the clients and the captive portal. From looking at the captive portal configuration page, I figured disabling MAC filtering would allow pfsense to support this setup.

              Considering our case is not a paying internet solution, but rather a setup to offer separate guest wifi internet access in our customers' offices, I'm not really worried about people sharing logins, as they wouldn't be able to log in simultaneously with the same login anyway, provided I enable 'Disable concurrent logins'. Am I correct in saying that?

              Thanks
