Captive Portal not working, think NAT rule is missing.



  • Hi there,

    I have again a problem with Captive Portal.
    I now want to have Captive Portal presenting a static site, explaining how to set up the proxy. Squid is running on port 3128. I am using the current RELEASE (1.01).

    Captive Portal is running on port 8000 and I have the rule allowing access to LAN address on this port.

    Well, initially it worked, but now it doesn't. I won't get redirected to port 8000 any more when opening a page.

    All I did in the meantime is install a proxy server (squid) and set it to listen on the LAN address on port 3128.

    How must the NAT rule look in order to install it by hand?

    Hope you can help me.

    Thanks,
    Manuel

    fxp0 = external,
    xl0 = internal

    
    pfctl -sn
    ----------------------------------
    nat-anchor "pftpx/*" all
    nat-anchor "natearly/*" all
    nat-anchor "natrules/*" all
    nat on fxp0 inet from 192.168.0.0/24 port = isakmp to any port = isakmp -> (ng0) port 500 round-robin
    nat on ng0 inet from 192.168.0.0/24 port = isakmp to any port = isakmp -> (ng0) port 500 round-robin
    nat on fxp0 inet from 192.168.0.0/24 to any -> (ng0) round-robin
    nat on ng0 inet from 192.168.0.0/24 to any -> (ng0) round-robin
    rdr-anchor "pftpx/*" all
    rdr-anchor "slb" all
    rdr-anchor "miniupnpd" all
    
    
    
    pfctl -sr
    ----------------------
    scrub all no-df random-id max-mss 1452 fragment reassemble
    anchor "ftpsesame/*" all
    anchor "firewallrules" all
    block drop quick from <snort2c> to any label "Block snort2c hosts"
    block drop quick from any to <snort2c> label "Block snort2c hosts"
    anchor "loopback" all
    pass in quick on lo0 all label "pass loopback"
    pass out quick on lo0 all label "pass loopback"
    anchor "packageearly" all
    anchor "carp" all
    anchor "dhcpserverlan" all
    pass in quick on xl0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps label "allow access to DHCP server on LAN"
    pass in quick on xl0 inet proto udp from any port = bootpc to 192.168.0.1 port = bootps label "allow access to DHCP server on LAN"
    pass out quick on xl0 inet proto udp from 192.168.0.1 port = bootps to any port = bootpc label "allow access to DHCP server on LAN"
    block drop in log quick on fxp0 inet proto udp from any port = bootps to 192.168.0.0/24 port = bootpc label "block dhcp client out wan"
    block drop in log quick on ng0 inet proto udp from any port = bootps to 192.168.0.0/24 port = bootpc label "block dhcp client out wan"
    pass in quick on fxp0 proto udp from any port = bootps to any port = bootpc label "allow dhcp client out wan"
    pass in quick on ng0 proto udp from any port = bootps to any port = bootpc label "allow dhcp client out wan"
    block drop in on ! xl0 inet from 192.168.0.0/24 to any
    block drop in inet from 192.168.0.1 to any
    block drop in on xl0 inet6 from fe80::206:5bff:fea7:fcf1 to any
    anchor "spoofing" all
    block drop in log quick on fxp0 inet from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
    block drop in log quick on ng0 inet from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
    block drop in log quick on fxp0 inet from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
    block drop in log quick on ng0 inet from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
    block drop in log quick on fxp0 inet from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
    block drop in log quick on ng0 inet from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
    block drop in log quick on fxp0 inet from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
    block drop in log quick on ng0 inet from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
    anchor "limitingesr" all
    block drop in quick from <virusprot> to any label "virusprot overload table"
    pass out quick on ng0 all keep state label "let out anything from firewall host itself"
    anchor "firewallout" all
    pass out quick on fxp0 all keep state label "let out anything from firewall host itself"
    pass out quick on ng0 all keep state label "let out anything from firewall host itself"
    pass out quick on xl0 all keep state label "let out anything from firewall host itself"
    anchor "anti-lockout" all
    pass in quick inet from 192.168.0.0/24 to 192.168.0.1 keep state label "anti-lockout web rule"
    block drop in log proto tcp from <sshlockout> to any port = ssh label "sshlockout"
    anchor "ftpproxy" all
    anchor "pftpx/*" all
    pass in quick on fxp0 proto tcp from any to any port = ssh flags S/SA keep state label "USER_RULE: SSH Admin"
    pass in quick on ng0 proto tcp from any to any port = ssh flags S/SA keep state label "USER_RULE: SSH Admin"
    pass in quick on fxp0 proto tcp from any to any port = https flags S/SA keep state label "USER_RULE: Web Admin"
    pass in quick on ng0 proto tcp from any to any port = https flags S/SA keep state label "USER_RULE: Web Admin"
    pass in quick on xl0 inet proto tcp from 192.168.0.0/24 to 192.168.0.1 port = domain keep state label "USER_RULE: Allow DNS"
    pass in quick on xl0 inet proto udp from 192.168.0.0/24 to 192.168.0.1 port = domain keep state label "USER_RULE: Allow DNS"
    pass in quick on xl0 inet proto tcp from 192.168.0.0/24 to 192.168.0.1 port = http flags S/SA keep state label "USER_RULE: Allow HTTP (Squid)"
    pass in quick on xl0 inet proto tcp from 192.168.0.0/24 to 192.168.0.1 port = 3128 flags S/SA keep state label "USER_RULE: Allow Squid"
    pass in quick on xl0 inet proto tcp from 192.168.0.0/24 to 192.168.0.1 port = 8000 flags S/SA keep state label "USER_RULE: Allow Captive Portal"
    block drop in log quick on xl0 inet from any to 192.168.0.1 label "USER_RULE: Block everything to Firewall"
    block drop in log quick on xl0 inet from any to 84.176.175.174 label "USER_RULE: Block everything to Firewall"
    pass in quick on xl0 inet proto tcp from any to 127.0.0.1 port = ftp-proxy keep state label "FTP PROXY: Allow traffic to localhost"
    pass in quick on xl0 inet proto tcp from any to 127.0.0.1 port = ftp keep state label "FTP PROXY: Allow traffic to localhost"
    pass in quick on ng0 inet proto tcp from any port = ftp-data to (ng0) port > 49000 user = 62 flags S/SA keep state label "FTP PROXY: PASV mode data connection"
    anchor "miniupnpd" all
    block drop in log quick all label "Default block all just to be sure."
    block drop out log quick all label "Default block all just to be sure."
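For the question of what a hand-written redirect would look like: the fragment below is an added example of a plain pf ruleset for a portal listener on the LAN address. It is not pfSense's generated ruleset and not code from anyone in this thread. The interface, network, addresses and ports (xl0, 192.168.0.0/24, 192.168.0.1, 8000, 3128) are the ones named above; the macro names and the cp_allowed table are assumptions.

```pf
# Added illustration, not pfSense's own ruleset: a pf translation + filter
# pair for a captive portal listener on the LAN address. Interface, network,
# address and ports come from the thread; macro and table names are assumed.
lan_if     = "xl0"
lan_net    = "192.168.0.0/24"
lan_addr   = "192.168.0.1"
cp_port    = "8000"
proxy_port = "3128"

# Clients that have passed the portal. Empty when the ruleset is loaded and
# filled at runtime, e.g.: pfctl -t cp_allowed -T add 192.168.0.50
table <cp_allowed> persist

# Translation section (pf evaluates it before the filter rules).
# 1. Clients already in the table keep their original destination.
no rdr on $lan_if inet proto tcp from <cp_allowed> to any port 80
# 2. Every other LAN client asking any web server on port 80 is answered by
#    the portal instead. Connections to the firewall itself (proxy on 3128,
#    portal on 8000) are not matched, so they stay untouched.
rdr on $lan_if inet proto tcp from $lan_net to ! $lan_addr port 80 \
    -> $lan_addr port $cp_port

# Filter section. The filter sees the *translated* destination, so the rule
# that has to exist is "LAN net to LAN address port 8000", i.e. the same rule
# the thread shows as "USER_RULE: Allow Captive Portal". A pass rule for port
# 80 to the original destination does not cover the redirected packets.
pass in quick on $lan_if inet proto tcp from $lan_net to $lan_addr port $cp_port \
    flags S/SA keep state label "captive portal"
pass in quick on $lan_if inet proto tcp from $lan_net to $lan_addr port $proxy_port \
    flags S/SA keep state label "squid"
```

Check the syntax without loading it with `pfctl -nf <file>`, load it with `pfctl -f <file>`, and confirm with `pfctl -sn` that the `rdr` line is present: the `pfctl -sn` output above has no rdr line at all for port 8000, only nat rules and empty rdr anchors, which is why nothing gets redirected. Note, as a later reply in this thread points out, that pfSense regenerates its ruleset when rules are saved in the GUI or the box reboots, so a rule added by hand this way does not survive that.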
    


  • It looks like the creation process of the ruleset has a problem.

    I have edited some rules and rebooted, without success. Then I had a look at /tmp/rules.debug but my changes are not in there.

    I don't know, maybe I should use the latest beta.

    It's really frustrating me.



  • Yes, we fixed a number of bugs that would not turn on captive portal correctly without a reboot.



  • I'm sure we could figure out how to add the rule by hand, but is there a reason you want/need to?  Every time you reboot or save changes in certain areas of the gui, the conf file you changed will be written right over the top.  All you should have to do is install squid, configure, status > services check to see it's running.  Then start the CP, try it with the local user manager first.  The most important thing though, is that you have the PFsense box set to be your DNS server.  Make sure you don't have it set to something else statically and that pfsense isn't giving out different DNS servers in the dhcp settings.  I have also found that if you have bad code in your portal page it can cause some headache, I would try it with the default page first.



  • squid will not work on an old pfsense 1.0.1 version,
    so then he will need to install a snapshot anyway



  • Honestly the squid package now actually worked for me on 1.0… but I agree that he should be as up to date as possible.



  • Well, setting up squid or captive portal in general is not a problem at all.

    Captive portal worked for me, but after some fiddling around (only in the web-conf) absolutely no firewall rule was committed to the current configuration. Even after a reboot I was no longer able to change a single rule. I assumed that the problem with the NAT rule of captive portal was related to that problem.

    So I installed the latest snapshot (03-08-2007) but there is another problem now. I cannot connect to the internet.

    I use PPPoE with a German telco provider but it won't connect. I can see in the syslog:

    
    mpd.conf:8: Unknown command: 'set bundle authname'. Try "help".
    mpd.conf:9: Unknown command: 'set bundle password'. Try "help".
    
    

    So this is probably a bug report…

    Cheers,
    Manuel



  • Please upgrade again. We tried using a newer mpd which didn't work so we reverted back. Current snapshots use the "old" mpd again which works just fine.



  • Ok, but when I look here ( http://snapshots.pfsense.com/FreeBSD6/RELENG_1/updates/ ), the newest snapshot is from 03-08-2007, so where can I find the most current one?

    Thanks in advance,
    Manuel



  • Look at the date.  That file is rebuilt hourly but we only bump the version weekly or so.

