Netgate Discussion Forum

    Captive portal issue, Apple devices pass thru without authentication

    17 Posts 6 Posters 8.1k Views
    • m4st3rc1p0

      I have the same issue. Is there a fix for this?

      • Gertjan

        There is no: "push a button and the problem is gone".

        Read message 2,3 and especially 3 (cmb) and even mine: This is NOT a pfSense problem.
        As said: if packets come into the Portal interface with the same MAC address, same source IP, then pfSense can't tell any difference.
        Try for yourself: if your portal interface is a wire-only solution - so hook all guests up with cables on a switch behind the OPT1 portal interface (so NO Wi-Fi access points) - then this problem will stop.
        Draw your conclusions.

        So, please, take 5 minutes - do the test I proposed, and see what happens. Post back with the results.

        Btw: this is not an 'iPod-Pad-Phone-Mac-Apple' problem.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        • m4st3rc1p0

          Here's what: I set up a new pfSense and configured it to serve my LAN and VLAN's desktops. Captive portal is serving all workstations well; however, smartphones were able to browse the internet without authenticating to the portal. How did that happen?

          • wallabybob

            @m4st3rc1p0:

            however smartphones were able to browse the internet without authenticating to the portal and how did that happen ?

            You have provided nowhere near enough configuration information for me to say definitely. Perhaps captive portal is not enabled on the pfSense interface upstream of the smartphones. Perhaps the smartphones are downstream of some device that has authenticated with the captive portal and they are "piggybacking" on that device's access. Perhaps they are going through some proxy. Perhaps …

            I suggest you provide a network diagram showing at least a few of the smartphones exhibiting the behaviour, the upstream pfSense box and relevant interfaces, any intermediate devices and the IP address and subnet mask of all the interfaces on the diagram.

            • m4st3rc1p0

              Hi, here's your request: attaching my network diagram.

              @wallabybob:

              @m4st3rc1p0:

              however smartphones were able to browse the internet without authenticating to the portal and how did that happen ?

              You have provided nowhere near enough configuration information for me to say definitely. Perhaps captive portal is not enabled on the pfSense interface upstream of the smartphones. Perhaps the smartphones are downstream of some device that has authenticated with the captive portal and they are "piggybacking" on that device's access. Perhaps they are going through some proxy. Perhaps …

              I suggest you provide a network diagram showing at least a few of the smartphones exhibiting the behaviour, the upstream pfSense box and relevant interfaces, any intermediate devices and the IP address and subnet mask of all the interfaces on the diagram.

              ![NETWORK DIAGRAM.jpg](/public/imported_attachments/1/NETWORK DIAGRAM.jpg)

              • wallabybob

                I presume the smartphones access the Internet through one of the APs on your diagram.

                I suspect that the APs are doing NAT for the smartphones, which would mean that pfSense would not be able to distinguish between two different smartphones using the same AP; hence a smartphone could "piggyback" on the authentication of another smartphone on the AP. You probably need to operate the APs as bridges rather than NAT routers. I am not familiar with the APs you are using. Do they have multiple "LAN" ports and a "WAN" port?

                • m4st3rc1p0

                  None of the APs have authentication; they are open, as authentication is being processed on the Captive Portal using MAC pass-through. All APs are under a VLAN and pfSense is also servicing DHCP for that VLAN. My question is this: smartphones connecting via the APs do not have any records on the Captive Portal, but they were able to bypass it?

                  As I said earlier, this is a new pfSense 2.0.1 setup and the Portal is serving workstations well, meaning the authentication page is being seen on all workstations, but not on any smartphones.

                  I forgot to mention that all APs are just running as bridges, and all IPs being handed out are from the pfSense DHCP server (VLAN).

                  TIA

                  @wallabybob:

                  I presume the smartphones access the Internet through one of the APs on your diagram.

                  I suspect that the APs are doing NAT for the smartphones, which would mean that pfSense would not be able to distinguish between two different smartphones using the same AP; hence a smartphone could "piggyback" on the authentication of another smartphone on the AP. You probably need to operate the APs as bridges rather than NAT routers. I am not familiar with the APs you are using. Do they have multiple "LAN" ports and a "WAN" port?

                  • Gertjan

                    Is it possible that the smartphones have any notion of the 1.1.1.1/24 network?
                    I mean, if they get hold of a 1.1.1.1/24 they would not even see/hear/feel your pfSense installation.

                    But why only smartphones act like this is strange. They have no such thing as a special power to avoid portal pages. I'm pretty sure you won't find ANY communication on the pfSense box. Just try this: pull out the 1.1.1.1/24 cable on your pfSense box and see if the smartphones are still connected.
                    If they do: and as said in another thread (http://forum.pfsense.org/index.php/topic,61954.0.html), remove SQUID & SNORT and see what happens.

                    No "help me" PM's please. Use the forum, the community will thank you.
                    Edit : and where are the logs ??

                    • m4st3rc1p0

                      I think I found the problem, after carefully checking the routes, the policies I have on the firewall and how the devices pass over pfSense. OK, I will list it in detail:

                      • pfSense is implementing a fail-over rule (I grouped the two ISPs so it will serve my failover)

                      • On the firewall policy I define objects that will be under my failover setup

                      • Both LAN and VLAN contain both policies for failover

                      • The pfSense Captive Portal interface is LAN and VLAN.

                      What I did was remove the failover policy (gateway) on the objects and put in an any-any policy for testing purposes, and restart Captive Portal. After restarting the Portal services I ran a test on smartphones and BOOOOMMM, there goes the login screen of the portal.

                      I enabled the policy again and there it goes: the phones can bypass the portal and workstations cannot! This is really weird. Can someone enlighten me on this?

                      TIA

                      • Gertjan

                        Good thing to hear!

                        Btw: did you never think about making your network more - simple -?

                        No "help me" PM's please. Use the forum, the community will thank you.
                        Edit : and where are the logs ??
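
The symptom reported in this thread (clients on the portal interface reaching the Internet while the captive portal holds no record of them) can be audited by cross-checking DHCP leases, portal sessions, MAC pass-through entries and outbound firewall states. This is an added example, not code from any poster or from pfSense; the subnet, the tuple layouts and every record are constructed assumptions.

```python
# Added example: all records below are constructed sample data, and the
# tuple layouts are assumptions, not pfSense's own file or log formats.
import ipaddress

PORTAL_NET = ipaddress.ip_network("192.168.10.0/24")   # assumed portal VLAN

# (ip, mac) pairs handed out by the DHCP server on the portal VLAN
LEASES = [
    ("192.168.10.21", "00:11:22:aa:00:01"),   # workstation
    ("192.168.10.22", "00:11:22:aa:00:02"),   # workstation
    ("192.168.10.50", "00:11:22:bb:00:01"),   # smartphone
    ("192.168.10.51", "00:11:22:bb:00:02"),   # smartphone
]
# (ip, mac, user) entries the captive portal lists as logged in
SESSIONS = [
    ("192.168.10.21", "00:11:22:aa:00:01", "alice"),
    ("192.168.10.51", "00:11:22:cc:00:09", "bob"),   # MAC differs from lease
]
PASSTHROUGH_MACS = {"00:11:22:aa:00:02"}      # MAC pass-through entries
# (source ip, destination ip) of states leaving through the WAN
STATES = [
    ("192.168.10.21", "203.0.113.10"),
    ("192.168.10.22", "203.0.113.10"),
    ("192.168.10.50", "198.51.100.7"),
    ("192.168.10.51", "198.51.100.7"),
    ("192.168.10.50", "203.0.113.10"),
]

def audit(leases, sessions, passthrough, states, net=PORTAL_NET):
    """Return {ip: reason} for portal-VLAN clients with outbound states
    that the captive portal has no matching record for."""
    lease_mac = {ip: mac.lower() for ip, mac in leases}
    session_mac = {ip: mac.lower() for ip, mac, _ in sessions}
    allowed = {m.lower() for m in passthrough}
    findings = {}
    for src, _dst in states:
        if ipaddress.ip_address(src) not in net or src in findings:
            continue                      # other network, or already flagged
        mac = lease_mac.get(src)
        if mac in allowed:
            continue                      # exempt by MAC pass-through
        if src not in session_mac:
            findings[src] = "traffic without portal session"
        elif mac is not None and mac != session_mac[src]:
            findings[src] = "session MAC differs from lease MAC"
    return findings

if __name__ == "__main__":
    for ip, reason in sorted(audit(LEASES, SESSIONS, PASSTHROUGH_MACS, STATES).items()):
        print(ip, reason)
```

A non-empty result means traffic is leaving without passing the portal check, which is where the firewall rules and gateway policies on that interface should be reviewed. Clients hidden behind a NAT device share one IP and MAC at the firewall, so this comparison cannot separate them.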
