Blocked/deny HTTPS request over CP



  • Hi All,

Can somebody direct me to the solution link for my problem?

https://www.facebook.com and other HTTPS websites are still accessible over CP even without user/pass or voucher input.

Does anybody have a solution? Thanks a lot.



  • You gotta give more info on your network / CP setup so we can help you, dude.


  • LAYER 8 Netgate

    pfSense's captive portal denies traffic to all destinations unless the device MAC or MAC/IP pair has an entry in the portal lists, or an entry exists in the portal's Allowed IP Addresses or Allowed Hostnames lists.

    If there is not an entry in the lists, traffic to port 80, and optionally port 443, is forwarded to the portal page.  All other traffic is dropped.

    What you're seeing is likely due to a misconfiguration.
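    The decision order described in this reply, written out as an added model (illustration only, not pfSense's own code): an authenticated MAC or MAC/IP pair passes, an entry in Allowed IP Addresses or Allowed Hostnames passes, port 80 (and 443 only if the optional HTTPS redirect is enabled) is redirected to the portal page, and everything else is dropped. The portal address 10.0.0.1:8000 is taken from later in the thread; the client MAC, client IP, and the destination IP 203.0.113.10 are constructed sample values. Running it against what you observe tells you whether a list entry explains an unauthenticated client getting through, or whether the bypass is coming from outside the portal (the misconfiguration case).

```python
"""Model of the captive-portal decision order described in the reply above.

Added illustration, not pfSense code. Decision order:
  authenticated MAC or MAC/IP pair        -> pass
  Allowed IP Addresses / Allowed Hostnames -> pass
  port 80, and 443 only if enabled         -> redirect to the portal page
  anything else                            -> drop
"""
from dataclasses import dataclass, field

PORTAL_PAGE = "10.0.0.1:8000"  # portal address given later in the thread


@dataclass
class PortalConfig:
    authenticated_macs: set = field(default_factory=set)   # MAC-only portal entries
    authenticated_pairs: set = field(default_factory=set)  # (mac, ip) portal entries
    allowed_ips: set = field(default_factory=set)          # "Allowed IP Addresses"
    allowed_hostnames: set = field(default_factory=set)    # "Allowed Hostnames"
    redirect_https: bool = False                           # optional port-443 redirect


def decide(cfg, src_mac, src_ip, dst_ip, dst_host, dst_port):
    """Return 'pass', 'redirect:<portal>' or 'drop' for one new client flow."""
    if src_mac in cfg.authenticated_macs or (src_mac, src_ip) in cfg.authenticated_pairs:
        return "pass"
    if dst_ip in cfg.allowed_ips or dst_host in cfg.allowed_hostnames:
        return "pass"
    if dst_port == 80 or (dst_port == 443 and cfg.redirect_https):
        return f"redirect:{PORTAL_PAGE}"
    return "drop"


def explain_pass(cfg, src_mac, src_ip, dst_ip, dst_host):
    """List the portal entries that would let this client through.

    Returns None when no entry explains it: if the client still reaches the
    destination, the bypass is outside the portal (a firewall/NAT
    misconfiguration), not a portal list entry.
    """
    reasons = []
    if src_mac in cfg.authenticated_macs:
        reasons.append(f"MAC {src_mac} is in the portal list")
    if (src_mac, src_ip) in cfg.authenticated_pairs:
        reasons.append(f"MAC/IP pair {src_mac}/{src_ip} is in the portal list")
    if dst_ip in cfg.allowed_ips:
        reasons.append(f"{dst_ip} is in Allowed IP Addresses")
    if dst_host in cfg.allowed_hostnames:
        reasons.append(f"{dst_host} is in Allowed Hostnames")
    return reasons or None


if __name__ == "__main__":
    # Constructed observation: an unauthenticated phone opening Facebook over HTTPS.
    cfg = PortalConfig()
    flow = ("aa:bb:cc:dd:ee:01", "10.0.0.23", "203.0.113.10", "www.facebook.com")
    print("HTTPS, default portal:", decide(cfg, *flow, 443))   # drop
    print("HTTP,  default portal:", decide(cfg, *flow, 80))    # redirect
    print("explains a pass?      ", explain_pass(cfg, *flow))  # None -> misconfiguration
```

With an empty portal state the model drops the HTTPS flow and redirects the HTTP one, so a phone that reaches Facebook over 443 without logging in is being passed by something other than the portal lists.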



  • Thanks for your responses.

    I've set up a pfSense box with CP running on it. So then, every device that gets connected to my Hotspot is redirected to the portal homepage, which is 10.0.0.1:8000…

    Here is my firewall on the attached. I also had Multi-WAN running. But my problem is: connected mobile devices can access Facebook and other websites via HTTPS. Only regular websites using HTTP are automatically redirected to the portal (10.0.0.1:8000); HTTPS is not redirecting to it.

    Your guidelines and responses are highly appreciated.

    cheers!
    GiL



  • LAYER 8 Netgate

    Well, if that facebook block worked nobody on LAN could access facebook whether they were "logged into" the captive portal or not.  It's probably not going to work so you might as well get rid of it.

    That last rule permitting traffic from 10.0.1.0/24 is useless because traffic from 10.0.1.0/24 will never be received INBOUND on the LAN interface.

    I also don't understand your failover configuration.  One typically creates one gateway group.  That group determines the priority of the gateway to be used.  There is usually one rule with the gateway group as the gateway.  In fact, I don't think FailOver or FailOver2 will ever receive any traffic because the rule for LoadBalancer will be matched first.

    Which brings us to that.  You have given us no information on what that is.

    I would disable all those gateway rules, all the other rules already discussed, and create one "pass any from LAN net to any any via default gateway" and I'll bet your CP starts behaving normally.  Step back, get everything working, then add all your gadgets, one at a time, testing thoroughly along the way.

    You can't firewall openvpn connections with rules on LAN.  Not sure where you're going there either.  Sessions started by openvpn users are governed by rules on the openvpn interface.  All rules on pfSense interfaces are applied to traffic coming IN, or RECEIVED BY that interface.  They have no impact on traffic going OUT or TRANSMITTED BY that interface.
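    A first-match walk over a LAN ruleset, as an added illustration (not pfSense code) of the two points made in this reply: a rule is only consulted for traffic received on its interface, and the first rule that covers a packet wins, so later rules with the same source and destination are never reached. The ruleset below is constructed to mirror the reply (a LoadBalancer rule ahead of FailOver and FailOver2 rules, plus the rule for 10.0.1.0/24); the LAN subnet 10.0.0.0/24 is assumed from the portal address 10.0.0.1 given earlier in the thread, and 203.0.113.10 is a constructed destination.

```python
"""First-match evaluation of interface rules, as the reply above describes.

Added illustration, not pfSense code. Constructed LAN ruleset mirroring the
reply; the LAN network 10.0.0.0/24 is an assumption taken from the portal
address 10.0.0.1 mentioned earlier in the thread.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str   # "pass" or "block"
    src: str      # source network in CIDR notation
    dst: str      # destination network in CIDR notation
    gateway: str  # gateway or gateway group the rule routes via


LAN_NET = ip_network("10.0.0.0/24")  # assumption: LAN subnet of portal 10.0.0.1

# Constructed ruleset on the LAN interface, in the order it would be evaluated.
LAN_RULES = [
    Rule("pass", "10.0.0.0/24", "0.0.0.0/0", "LoadBalancer"),
    Rule("pass", "10.0.0.0/24", "0.0.0.0/0", "FailOver"),
    Rule("pass", "10.0.0.0/24", "0.0.0.0/0", "FailOver2"),
    Rule("pass", "10.0.1.0/24", "0.0.0.0/0", "default"),
]

# The single rule the reply recommends starting from: pass LAN net to any.
SIMPLE_LAN_RULES = [Rule("pass", "10.0.0.0/24", "0.0.0.0/0", "default")]


def first_match(rules, src_ip, dst_ip):
    """Return (index, rule) of the first rule covering the packet, or
    (None, None) for the implicit default deny. Rules on an interface only
    see traffic *received* on that interface."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for i, r in enumerate(rules):
        if s in ip_network(r.src) and d in ip_network(r.dst):
            return i, r
    return None, None


def dead_rules(rules, interface_net):
    """Map rule index -> reason for every rule that can never match here:
    its source is never received inbound on this interface, or an earlier
    rule already covers its whole source and destination (shadowing)."""
    findings = {}
    seen = []  # (src, dst) of rules already evaluated, index-aligned with rules
    for i, r in enumerate(rules):
        src, dst = ip_network(r.src), ip_network(r.dst)
        if not src.overlaps(interface_net):
            findings[i] = f"src {r.src} is never received inbound on {interface_net}"
        else:
            for j, (psrc, pdst) in enumerate(seen):
                if src.subnet_of(psrc) and dst.subnet_of(pdst):
                    findings[i] = f"shadowed by rule {j} (gateway {rules[j].gateway})"
                    break
        seen.append((src, dst))
    return findings


if __name__ == "__main__":
    idx, rule = first_match(LAN_RULES, "10.0.0.23", "203.0.113.10")
    print(f"10.0.0.23 -> 203.0.113.10 matches rule {idx} via {rule.gateway}")
    for i, why in dead_rules(LAN_RULES, LAN_NET).items():
        print(f"rule {i} ({LAN_RULES[i].gateway}): {why}")
    print("dead rules in the simplified set:", dead_rules(SIMPLE_LAN_RULES, LAN_NET))
```

Every LAN packet lands on rule 0, so the FailOver and FailOver2 rules are reported as shadowed and the 10.0.1.0/24 rule as unreachable on LAN, while the single recommended rule has nothing dead. The same walk applies to any interface: the OpenVPN rules are evaluated against traffic received on the OpenVPN interface, never against what LAN transmits.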



  • Hi Derelict,

    Thanks for your time.

    @Derelict:

    Well, if that facebook block worked nobody on LAN could access facebook whether they were "logged into" the captive portal or not.  It's probably not going to work so you might as well get rid of it.

    Yes, you're correct. :) This is the last option I did yesterday. I'll remove this anyway.

    I'll take your advice and reconstruct my settings, then I'll let you know the results.

    Cheers! :)
    -GiL



  • Hi Derelict,

    I think your advice works like a charm ;D I've been monitoring it since yesterday,
    and any HTTPS request is redirected to the portal page.

    I got those firewall settings somewhere on YouTube, and I think that is also wrong.
    Thanks for advising me on what the correct and appropriate setup is.

    BTW, can I request the link URL for the correct OpenVPN setup? I already have OpenVPN
    running, but what I need is to optimize the speed.
    Maybe you can give me a hint for this one?

    Thank you so much!

    Cheers! :)
    -GiL


  • LAYER 8 Netgate

    Glad it's working.

    You probably want to start another thread with your specific openvpn question in the openvpn forum.

