Captive portal not working on GRE interfaces

  • Hi

    On 2.0-RC1, the captive portal does not seem to intercept traffic entering on GRE interfaces, although it doesn capture traffic on regular ethernet interfaces.

    When connecting through a GRE tunnel interface and fetching google, I get this (captive portal doesn't catch my traffic):

    Trying, 80 ... Open
    GET / HTTP/1.0
    HTTP/1.0 302 Found
    Cache-Control: private
    Content-Type: text/html; charset=UTF-8
    Set-Cookie: PREF=ID=92151bd21683bc61:FF=0:TM=1301841304:LM=1301841304:S=pZwQDq9JTPIQetZe; expires=Tue, 02-Apr-2013 14:35:04 GMT; path=/;
    Date: Sun, 03 Apr 2011 14:35:04 GMT
    Server: gws
    Content-Length: 218
    X-XSS-Protection: 1; mode=block
                                                                                  <title>302 Moved</title>
    # 302 Moved
           The document has moved

    However when fetching the same google via an ethernet interface, the captive portal does catch my traffic:

    Trying, 80 ... Open
    GET / HTTP/1.0
    HTTP/1.0 302 Found
    Expires: Tue, 05 Apr 2011 16:35:21 GMT
    Expires: 0
    Cache-Control: max-age=180000
    Cache-Control: no-store, no-cache, must-revalidate
    Cache-Control: post-check=0, pre-check=0
    Pragma: no-cache
    Connection: close
    Content-type: text/html
    Content-Length: 0
    Date: Sun, 03 Apr 2011 14:35:22 GMT
    Server: lighttpd/1.4.28

    The captive portal is enabled on both interfaces, although I'm unsure how to verify if the required pf stuff has been created for both?

    Any pointers would be greatly appreciated.


  • Captive portal can only function on Ethernet interfaces.

  • Really? That's a real shame, as I want to keep guest internet access traffic completely separate from corporate traffic, which is why I built a GRE tunnel from the Cisco CPE router at the customer's site to the pfsense firewall in our datacenter.

    For my understanding, what is the reason for the captive portal only being supported on ethernet interfaces? How does the redirection for the captive portal work? Is this using pf NAT rules? Where are these rules defined?


  • Rebel Alliance Developer Netgate

    It works at layer 2 and requires the MAC address of the client to be passed in order to allow access. GRE can't work because it doesn't pass layer 2 info, only 3 and up.

    The redirect happens at layer 3, but only if the MAC isn't cleared by the layer 2 rules.

    It might be possible to rework the portal to work in that scenario, but it would take quite a bit of work.

  • Thanks for the clarification.

    Now whatever architecture I come up with, I am always going to have routers between the clients and the captive portal. From looking at the captive portal configuration page, I figured disabling MAC filtering would allow pfsense to support this setup.

    Considering our case is not a paying internet solution, but rather a setup to offer separate guest wifi internet access in our customers' offices, I'm not really worried about people sharing logins, as they wouldn't be able to log in simultaneously with the same login anyway, provided I enable 'Disable concurrent logins'. Am I correct in saying that?


Log in to reply