How to allow other ports in captive portal?



  • Hi!

    Is there a way to allow other ports in the captive portal just like the mac address and ip passthrough?

    Anyone has other ways to allow a port to bypass the captive portal?

    Thanks in advance!



  • Bumping this thread up…

    Anyone who knows any workaround to this?

    I noticed the captive portal can interchange from port 8000 to 8001 so this should be possible but I can't seem to find which file to tweak.

    Thanks!



  • If you are looking for the file where initial captive portal firewall rules are setup, goto /etc/inc/captiveportal.inc

    Line 452: function captiveportal_init_rules($reinit = false)

    In this function, mac and IP pass-through is setup.

    I'm pretty sure that if you now how to "talk" to the captive portal firewall (/sbin/ipfw) you could include your own rules.

    Needless to say: some knowledge about PHP and FreeBSD (/sbin/ipfw) and "what is pfSEnse all about" is NOT an option here.



  • Thank Gertjan for your reply.

    I've been playing with that file since yesterday.

    I've found the solution now.

    In my current observation, any rule after this line

    # redirect non-authenticated clients to captive portal
    add 65532 fwd 127.0.0.1,{$listenporthttp} tcp from any to any dst-port 80 in.....
    

    will get blocked so it should be added before it's blocked.

    My current solution then is, say I want port 5900 to open in captive portal, I should:

    add 5900 pass tcp from any to any out
    
    # redirect non-authenticated clients to captive portal
    add 65532 fwd 127.0.0.1,{$listenporthttp} tcp from any to any dst-port 80 in.....
    
    

    I've got it working now, I just hope that it won't get overwritten in the next update or a GUI is already made available for allowing ports to open.

    Hope this can be of help to somebody as well.



  • @edanpedragosa:

    I've got it working now, I just hope that it won't get overwritten in the next update or a GUI is already made available for allowing ports to open.

    You're good to go.
    You hard coded the rule, so you will be fine.
    Needless to say: when updating pfsense (and this file gets updated) then your changes will get lost. But, now you now how to patch it, it won't take long to add the patch again.



  • This tweak does not seem to work now.

    Any workaround for this?

    Thanks in advance!



  • Hello.

    What work around ?

    This concerns a patch for this version:

    2.1-RELEASE (amd64)
    built on Wed Sep 11 18:17:48 EDT 2013
    FreeBSD 8.3-RELEASE-p11

    It might take a couple of minutes to backport it to a more recent version.
    But, sorry, for the moment I only use 2.1.



  • I just hope there's another way to do it like in the GUI.

    I'm also now using 2.1 64-bit:

    2.1-RELEASE (amd64)
    built on Wed Sep 11 18:17:48 EDT 2013
    FreeBSD 8.3-RELEASE-p11

    Hopefully a patch will be made available soon.

    Thanks for your reply by the way.



  • Anyone got this working on 2.1.3?

    What I'm trying to do is:

    1.) Create an explicit proxy with Squid
    2.) Force users to use my explicit proxy OR if they don't they hit CAPTIVE PORTAL.
    3.) Have CAPTIVE PORTAL block WEB ONLY (80 and 443) and allow everything else through, e.g. I only want to stop web browsing.

    Any ideas?



  • I know this is old, but wanted to ask the same thing –

    "Allowed IP" in captive portal appears to ONLY be port 80 and no other port! So how can I allow a different port access? For example, I have a RESTful server on port 7831 that's trying to communicate with the wifi client -- if I turn it on port 80 (VERY not cool to have to do this), it works ... so it's 100% a port problem.

    Ideas?



  • @dylanh724:

    "Allowed IP" in captive portal appears to ONLY be port 80 and no other port! So how can I allow a different port access?

    I have a portal interface, OPT1, 192.168.2.1
    I have 4 AP's on that network segement, using IP 192.168.2.2 - .3 - .4 - .5
    These 4 IP's are on the Allow IP page (Captive portal setting).

    From one of my PC's on my LAN (192.168.1.0/24) I connect to one of my AP's:
    ssh root@192.168.2.2
    and I login to my AP.
    Have a look:

    login as: root
    DD-WRT v24-sp2 std (c) 2009 NewMedia-NET GmbH
    Release: 10/10/09 (SVN revision: 13064)
    root@192.168.2.2's password:
    ==========================================================
    
     ____  ___    __        ______ _____         ____  _  _
     | _ \| _ \   \ \      / /  _ \_   _| __   _|___ \| || |
     || | || ||____\ \ /\ / /| |_) || |   \ \ / / __) | || |_
     ||_| ||_||_____\ V  V / |  _ < | |    \ V / / __/|__   _|
     |___/|___/      \_/\_/  |_| \_\|_|     \_/ |_____|  |_|
    
                           DD-WRT v24-sp2
                       http://www.dd-wrt.com
    
    ==========================================================
    
    BusyBox v1.13.4 (2009-10-10 02:04:00 CEST) built-in shell (ash)
    Enter 'help' for a list of built-in commands.
    
    root@WRT54GL:~# telnet mail.test-domaine.fr 110
    +OK Hello there.
    quit
    +OK Better luck next time.
    Connection closed by foreign host
    

    I connected just fine to a mail server on the Internet - no portal authentication needed. I was using port '110'. I could have opening a smtp connection, do a 'dig' (port 53) or whatever.
    I can connect from my AP on my portal network to ANY IP on the Internet, using ANY port, because the IP of this AP (device) is on the allow list.
    My AP can use DNS, NTP, syslog, or whatever it want to do on the Internet without being blocked by the portal.

    IP allowing (or MAC allowing) worked in pfSense 1.x, 2.x and 2.2 (for the last six years).

    edit: I don't know if it matters for you (I do not know your network setup) but check your "AP Isolation" settings if your are using AP's.
    Added to that: on my portal network, that contains serveral AP's, any comunication to ANY IP except the portal interface, is forbidden (so I'm isolating the clients on the portal network - no visitors device can "see" other visitors, which is the oposite of what you are trying to do).
    By definition, a portal (Wifi) network is a public network and as such, by default, visitors connected to it will only talk to the gateway (my 192.168.2.1 = pfSense), and to no other device on the local network segment (my 192.168.2.0/24. Keep this in mind. This behavior  has been enforced since Windows 7.

    @dylanh724:

    For example, I have a RESTful server on port 7831 that's trying to communicate with the wifi client – if I turn it on port 80 (VERY not cool to have to do this), it works ... so it's 100% a port problem.

    Portal code NEEDS a browser that will hit by default on port '80' (or '443') otherwise instruction to login become to complicated.
    Human interaction is needed, and a default browser.
    Running other services on a network that has the portal functionality activated is very strange at least.



  • Also found another potential way:

    I'll test later



  • 'Ports' can not be added (using pfSEnse + ipfw).

    MAC addresses or IPv4 address can.

    Look here :  https://github.com/pfsense/pfsense/blob/master/etc/inc/captiveportal.inc#L566
    Table 3 and 4 (in and out) are the whitelisted IP's
    Table 1 and 2 (in and out) are the whitelisted MAC's

    Check : https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting
    So, get your zone ID:

    ipfw zone list
    

    The numerical ID is your captive portal zone ID. Mine is "2" for now.

    Now:
    ipfw -x 2 list
    will list all captive portal ipfw firewall rules.

    ipfw -x 2 table 3 list
    (and ipfw -x 2 table 4 list)
    will list all whitelisted IP's

    ipfw -x 2 table 1 list
    (and ipfw -x 2 table 2 list)
    will list all whitelisted MAC's

    Adding an IP ?
    => https://github.com/pfsense/pfsense/blob/master/etc/inc/captiveportal.inc#L614

    A MAC ?
    => https://github.com/pfsense/pfsense/blob/master/etc/inc/captiveportal.inc#L610



  • @Gertjan:

    'Ports' can not be added (using pfSEnse + ipfw).

    MAC addresses or IPv4 address can.

    Look here :  https://github.com/pfsense/pfsense/blob/master/etc/inc/captiveportal.inc#L566
    Table 3 and 4 (in and out) are the whitelisted IP's
    Table 1 and 2 (in and out) are the whitelisted MAC's

    Check : https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting
    So, get your zone ID:

    ipfw zone list
    

    The numerical ID is your captive portal zone ID. Mine is "2" for now.

    Now:
    ipfw -x 2 list
    will list all captive portal ipfw firewall rules.

    ipfw -x 2 table 3 list
    (and ipfw -x 2 table 4 list)
    will list all whitelisted IP's

    ipfw -x 2 table 1 list
    (and ipfw -x 2 table 2 list)
    will list all whitelisted MAC's

    Adding an IP ?
    => https://github.com/pfsense/pfsense/blob/master/etc/inc/captiveportal.inc#L614

    A MAC ?
    => https://github.com/pfsense/pfsense/blob/master/etc/inc/captiveportal.inc#L610

    Wow what a guide – thanks!!



  • Hello

    I am bumping this thread as I have the same wish as the thread creator.
    I have a pfsense with three different subnets /network cards. Most of my clients are not allowed to have internet
    so they are blocked by captive portal ofcourse.
    The problem is that captive portal is not just blocking access to the the WAN interface, it also blocks access to the other subnets.
    Ideally I would like to allow traffic between all subnets to pass captive portal

    IF this is not possible I have some ports that has to be opened. My enterprise antivirus solution uses port 18226 tcp and 21226 udp.
    they are used for a P2P solution for updatings protection and signaturefiles between clients.

    I would like to add these ports as Pass-through the same way as I can add IP addresses, macs , hosts etc. There has been several suggestions but I have not managed to get them to work. I am using pfsense ver 2.1.5

    Best regards
    Toby



  • Hi,

    As mentioned above: you saw the place where to insert your edits, as this can not be done with the GUI.
    You need some basic PHP knowledge - and some "ipfw" knowledge.

    After that: there is NO limit.

    Btw : keeping an old pfSense version always complicates things ;)



  • Hi

    Thanks for your answer. Well PHP is not one of my best sides and therefore I am looking for help here. Maybe a template. I have tried
    to edit the captiveportal.inc as suggested earlier in the thread but that screws up captive portal totally.
    We are using 2.1.5 because we did not manage to get squid with SSL proxy to work correctly under 2.2. This works fantastic in 2.1.5 and is one of our most important functions.
    So the question is still their. Can anybody give us a hint on how this could be done. In the best of worlds we would propose the pfsense team to implement this in the GUI :-)

    Best regards
    Toby