Captive portal not working on GRE interfaces
On 2.0-RC1, the captive portal does not seem to intercept traffic entering on GRE interfaces, although it does capture traffic on regular ethernet interfaces.
When connecting through a GRE tunnel interface and fetching google, I get this (captive portal doesn't catch my traffic):
```
Trying 22.214.171.124, 80 ... Open
GET / HTTP/1.0

HTTP/1.0 302 Found
Location: http://www.google.be/
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Set-Cookie: PREF=ID=92151bd21683bc61:FF=0:TM=1301841304:LM=1301841304:S=pZwQDq9JTPIQetZe; expires=Tue, 02-Apr-2013 14:35:04 GMT; path=/; domain=.google.com
Date: Sun, 03 Apr 2011 14:35:04 GMT
Server: gws
Content-Length: 218
X-XSS-Protection: 1; mode=block

<title>302 Moved</title>
# 302 Moved
The document has moved [here](http://www.google.be/).
```
However when fetching the same google via an ethernet interface, the captive portal does catch my traffic:
```
Trying 126.96.36.199, 80 ... Open
GET / HTTP/1.0

HTTP/1.0 302 Found
Expires: Tue, 05 Apr 2011 16:35:21 GMT
Expires: 0
Cache-Control: max-age=180000
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Location: http://188.8.131.52:8000/index.php?redirurl=http%3A%2F%2F%2F
Content-type: text/html
Content-Length: 0
Date: Sun, 03 Apr 2011 14:35:22 GMT
Server: lighttpd/1.4.28
```
The captive portal is enabled on both interfaces, although I'm unsure how to verify if the required pf stuff has been created for both?
Any pointers would be greatly appreciated.
Captive portal can only function on Ethernet interfaces.
Really? That's a real shame, as I want to keep guest internet access traffic completely separate from corporate traffic, which is why I built a GRE tunnel from the Cisco CPE router at the customer's site to the pfsense firewall in our datacenter.
For my understanding, what is the reason for the captive portal only being supported on ethernet interfaces? How does the redirection for the captive portal work? Is this using pf NAT rules? Where are these rules defined?
It works at layer 2 and requires the MAC address of the client to be passed in order to allow access. GRE can't work because it doesn't pass layer 2 info, only 3 and up.
The redirect happens at layer 3, but only if the MAC isn't cleared by the layer 2 rules.
It might be possible to rework the portal to work in that scenario, but it would take quite a bit of work.
Thanks for the clarification.
Now whatever architecture I come up with, I am always going to have routers between the clients and the captive portal. From looking at the captive portal configuration page, I figured disabling MAC filtering would allow pfsense to support this setup.
Considering our case is not a paying internet solution, but rather a setup to offer separate guest wifi internet access in our customers' offices, I'm not really worried about people sharing logins, as they wouldn't be able to log in simultaneously with the same login anyway, provided I enable 'Disable concurrent logins'. Am I correct in saying that?
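Added example, not part of any post in this thread: a small Python check that tells the two captures from the first post apart, so a test fetch per interface shows where the portal is not enforcing. The function names and interface labels are hypothetical; the port 8000 and the `redirurl` parameter are taken from the Ethernet capture above, and the sample responses are trimmed copies of those captures.

```python
from urllib.parse import urlsplit, parse_qs

REDIRECTS = {301, 302, 303, 307, 308}

def parse_head(raw):
    """Return (status_code, {lowercased header name: [values]}) from a raw HTTP response."""
    head = raw.replace("\r\n", "\n").strip().split("\n\n", 1)[0]
    status_line, *header_lines = head.split("\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:  # repeated headers (e.g. Cache-Control) are kept as a list
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers

def portal_intercepted(raw, portal_port=8000):
    """True if the response is a redirect to the portal login page.

    Signature assumed from the capture in this thread: a Location on the
    portal port carrying a `redirurl` query parameter.
    """
    status, headers = parse_head(raw)
    if status not in REDIRECTS:
        return False
    for location in headers.get("location", []):
        url = urlsplit(location)
        query = parse_qs(url.query, keep_blank_values=True)
        if url.port == portal_port and "redirurl" in query:
            return True
    return False

def unenforced_interfaces(captures, portal_port=8000):
    """Given {interface label: raw response}, list interfaces the portal did not catch."""
    return sorted(name for name, raw in captures.items()
                  if not portal_intercepted(raw, portal_port))

# Trimmed from the two captures in the first post (both are 302s, so the
# status code alone does not distinguish them).
VIA_GRE = """HTTP/1.0 302 Found
Location: http://www.google.be/
Server: gws

<title>302 Moved</title>
"""
VIA_ETHERNET = """HTTP/1.0 302 Found
Connection: close
Location: http://188.8.131.52:8000/index.php?redirurl=http%3A%2F%2F%2F
Server: lighttpd/1.4.28
"""

if __name__ == "__main__":
    print(unenforced_interfaces({"gre": VIA_GRE, "ethernet": VIA_ETHERNET}))
```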