Captive Portal + Squid Dev-3 in Non Transparent mode not working



  • Hi there,

    I have used pfSense 2.0.3 with Squid-3 (not working with squid3-dev) in Non Transparent mode. Using the Patch Captive Portal option in squid, the CP page shows up and I am able to access the internet, and pfSense works like a charm with the proxy setting in the browser.

    But when I use pfSense 2.1 onwards, up to version 2.1.3, with squid3 or squid-Dev3 in Non Transparent mode, using the Patch Captive Portal option in squid, the CP page is not showing and I am not able to access the internet. The CP page only shows if I remove the proxy setting in the browser, and then when I add the proxy setting in the browser again I am able to access the internet.

    I have been trying my luck for the whole of last week, still nothing.

    Please help.



  • Hi, we encounter the same problem here…

    We use squid3-dev with patch captive portal on pfSense 2.1.4.

    We have wpad available, which configures LAN clients' browsers to use the pfSense squid instance as proxy server.

    But the browser always attempts to connect to the squid instance on the pfSense LAN interface, which seems to be denied by the "patch captive portal".

    If we attempt to connect directly to the internet, bypassing the proxy.pac info, the captive portal intercepts the request and redirects the browser to the authentication page.

    After authentication we can access the pfSense squid instance...

    I don't really understand how the patch should work and if this is a normal working mode or not.

    Can anyone point me to the "Patch captive Portal" code or author?

    I'm a pfSense newbie, so perhaps it's a misconfiguration in our architecture?



  • Hi all,
    After some searching I think I found the problem.
    The check box "Patch captive portal" in the pfSense squid configuration page seems to modify the /etc/inc/captiveportal.inc file in order to add two packetFilter rules.
    But the regexp used in the "patch" doesn't match any rules, so it doesn't make any modifications to the captiveportal.inc file.
    It seems that since pfSense version 2.1 the default pf rules format in captiveportal.inc has changed.
    So the local squid is always open on the LAN and anyone can browse the web without authentication using this proxy.

    I had a workaround.
    Modify the squid.inc file in order to change the regexp and match the new captiveportal.inc format.
    It's pretty simple.

    My question is about the "bug" declaration.

    Can anyone use "redmine.pfsense.org" to set a bug for this package?
    Is it the right way?

    Thanks for your help



  • Hi, I have the same problem. Could you explain how to fix the regexp in squid.inc? I've already opened a new post in the Portuguese forum for Marcelloc and I'm waiting for an answer or a fix for the patch.



  • Hi lozair, can you post your patched files, or explain how to do it? I'm experiencing the same problem right now.

    All help will be really appreciated

    Regards



  • The point of using this patch is to enable CP to use squid as a 'cache' without any notice from the end users, right?

    Then you can set up/tune squid, and when it is ready apply the patch and start using the power of squid.

    Now, on squid you have to open ports 1025-65535 for http/https because you will start receiving calls about blocked pages. I'm trying to understand the setup.

    Guys, if you need testers please count on me.

    I don't know how we can use the power of a proxy cache in a captive portal environment without this patch. A lot of WISPs would like to use this feature, me too.

    Monitoring this post… ;D

    captive portal+squid3(non-transparent).



  • I have been playing with this feature. What I see is:

    1. Squid must be in transparent mode.
    2. I haven't seen any HIT_ in my access.log, it is not caching anything.

    In transparent mode you can forget about filtering port 443/ssl, users can pass this without issue.

    Continue.



  • Hi all,

    You can modify directly the file /etc/inc/captiveportal.inc which is normally modified by the squid.inc file.

    I have replaced these lines (line 28) and for us that did the trick :

    /* Manual modification (Patch captive portal): */
            $cprules .= "add {$rulenum} skipto 65314 ip from any to {$ips} 3128 in\n";
            $cprules .= "add {$rulenum} skipto 65314 ip from {$ips} 3128 to any out\n";
    /*
    */

    Hope it can help.

    PS : The goal of this modification is to only disable access to the proxy while user is not authenticated into the captive portal.
    This feature was introduced by marcelloc and needs the transparent proxy feature to be enabled.
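
A check for the situation described in this thread, where the package's patch step silently leaves captiveportal.inc unmodified: the function below reports whether both proxy rules from the post above are present in a given file. It is an added example, not part of the thread or of the squid package; the function name `cp_proxy_rules_status` and the default port 3128 (taken from the posted rules) are assumptions.

```shell
#!/bin/sh
# Added example: report whether the captive-portal skipto rules for the
# proxy port are present (and not commented out) in a captiveportal.inc file.

# cp_proxy_rules_status FILE [PORT]
# Prints "patched", "partial", "unpatched" or "unreadable".
# Returns 0 only when both the inbound and the outbound rule are found.
cp_proxy_rules_status() {
    file=$1
    port=${2:-3128}   # assumption: Squid listens on 3128, as in the posted rules
    [ -r "$file" ] || { echo "unreadable"; return 2; }

    # Ignore lines that begin with a comment marker, so a rule that was
    # commented out is not counted as active.
    active=$(grep -Ev '^[[:space:]]*(//|#|\*|/\*)' "$file" || true)

    # The two rule shapes from the post: traffic to the proxy port coming in,
    # and replies from the proxy port going out.
    in_rule="skipto [0-9]+ ip from any to [^ ]+ ${port} in"
    out_rule="skipto [0-9]+ ip from [^ ]+ ${port} to any out"

    found=0
    printf '%s\n' "$active" | grep -Eq "$in_rule" && found=$((found + 1))
    printf '%s\n' "$active" | grep -Eq "$out_rule" && found=$((found + 1))

    case $found in
        2) echo "patched"; return 0 ;;
        1) echo "partial"; return 1 ;;
        *) echo "unpatched"; return 1 ;;
    esac
}
```

Run it as `cp_proxy_rules_status /etc/inc/captiveportal.inc` after ticking the package option or after a pfSense upgrade; anything other than "patched" means the rules for the proxy port are not in the file.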



  • Good afternoon, everyone!

    Situation: using an authenticated proxy and Captive Portal (unblock the proxy until the user authenticates in the Captive Portal).

    Currently, rules have been created to use the authenticated proxy, and also rules to automatically insert the script that sets the proxy in the browsers.
    So far so good, but we also have the Captive Portal, which works as a protective layer for the network, since there is only internet traffic if you log in to it.
    What happens is that, with the authenticated proxy in place, opening a page in the browser first calls the Squid authenticator, which is normal, but we have no access to the Captive Portal.
    Could someone help me solve this, something like:

    First, on opening the browser, open the Captive Portal and then ask for proxy authentication, or vice versa.

    I read a post above that says something about inserting a parameter in captiveportal.inc, but I also read that it was only for transparent proxy, which is not my case.

    Thanks…

    The related post is below.

    Thank you for your attention.

    @lozair:

    Hi all,

    You can modify directly the file /etc/inc/captiveportal.inc which is normally modified by the squid.inc file.

    I have replaced these lines (line 28) and for us that did the trick :

    /* Manual modification (Patch captive portal): */
            $cprules .= "add {$rulenum} skipto 65314 ip from any to {$ips} 3128 in\n";
            $cprules .= "add {$rulenum} skipto 65314 ip from {$ips} 3128 to any out\n";
    /*
    */

    Hope it can help.

    PS : The goal of this modification is to only disable access to the proxy while user is not authenticated into the captive portal.
    This feature was introduced by marcelloc and needs the transparent proxy feature to be enabled.



  • Hi Lozair,

    I am not able to use CP for authentication as it is not showing. How have you fixed the problem mentioned in my 1st post?
    Can you please explain the steps to configure the files /etc/inc/captiveportal.inc and squid.inc so that CP can show in pfSense 2.2 with non transparent squid3?
    Thanks.

