Captive Portal for newbies
-
Maybe this will be useful for other newbies like me with not much system administration experience…
I was setting up Captive Portal in my pfs 2.1.5 for the first time and read a lot of documentation and examples. When I did as it said, I could not get it to work.
After 2 days of trying and searching, when I almost killed myself, I found out the reason why CP was not working.
Here is the clue which was never mentioned in any of the docs and manuals I've read:
To get CP working you need to go to the "Allowed IP addresses" tab and enter your DNS server address there (in my case they were 8.8.8.8 and 8.8.4.4).
The rest you can do according to the many tutorials and "how tos"…
I hope this will be helpful to somebody.
-
you got your DNS Forwarder all wrong dude….
-
But it works ONLY with that setting though.
What is your suggestion BTW?
-
Your clients could be using the pfSense DNS forwarder, in which case they would be using the local pfSense interface for DNS which would not require captive portal passthroughs.
There is nothing wrong with the way you do it. I have my clients pointing at the pfSense interface and another caching DNS server, but that requires the proper passthrough entries in the captive portal.
-
To get CP working you need to go to "Allowed IP addresses" tab and enter there your DNS server address (in my case it were 8.8.8.8 and 8.8.4.4)
As Derelict.
I do have some IPs on that list: all the IPs of my Access Points, so THEY can communicate for NTP syncing etc.
But no DNS entries needed.
Remember: the DHCP server on your portal interface gives an IP (of course), a gateway (== pfSense portal IP) and a DNS server (== pfSense portal IP) (among others; did you test / see this?).
The DNS server should be running on the LAN and OPT1 interfaces.
DNS requests are NOT blocked by default (otherwise the portal interface couldn't run … browsers could resolve a domain name to an IP, use that IP to 'surf' and so get redirected to the portal IP authentication interface). Do you use the 'default' setup? (a WAN, LAN and OPT1 interface for portal activities).
-
By default, captive portal blocks all traffic through the interface, but not traffic TO the interface, except for traffic to 80 (and perhaps 443) which is forwarded to the portal interface.
Also by default, the CP interface is listening for DNS requests. (DHCP is always passed if DHCP is enabled on the interface).
OP's DNS servers were google's (8.8.8.8, 8.8.4.4). I can be fairly sure that those are not the addresses of his CP interface so they would require pass-through entries in the captive portal config.
No, I don't have a similar config. All my access points are on a management VLAN, which doesn't have a captive portal on it and is isolated from the SSIDs that my guests use, which are put on VLANs that do have a captive portal on them, if that's what the planner paying for the access wants.
-
Hi guys.
Thanks for your replies.
First I was trying to set up CP for the OPT1 interface on my currently running pfs 2.1.5. I have the proxy and SquidGuard installed there.
I did as was suggested by many tutorials - changed outbound NAT, added a user, set up CP from the GUI… It did not work. I added a FW rule allowing all OPT1 to all ports. It did not work. Then I took another machine, installed fresh pfs 2.1.5 there and started setting up CP for LAN without installing any additional packages. Following the above-mentioned procedure I could not get CP working for the LAN interface either. Then I spent a lot of time googling and reading different docs, manuals and how tos... No success. Then, after 2 days, I put the DNS addresses in allowed IPs and CP started working as expected. And with the same settings on the current machine for the OPT1 interface (where other packages are installed as well).
Later on I found the following line in pfSense documentation: "...DNS resolution not functioning - the clients on the captive portal interface must either be using the DNS forwarder on pfSense, on the IP of the interface where the client resides (which is the default configuration), or if using some other IP for DNS, it must be an allowed IP entry…" (source: https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting)
So, I assumed, that I did set up my CP correctly.
But now I am curious: if these settings are not exactly correct, why could I not get it working the first time, and what is the CORRECT procedure to set up CP?
Thanks a lot.
-
…..
I have proxy and Squidguard installed in there.
Aha!
First build a 'normal' portal setup without squid etc. (these 'addons' can really f*ck up the system - these tools demand great knowledge to set up - following a "tuto" isn't enough, as with every pfSense small details do change …..)
-
If you:
Did not turn on the DNS forwarder and expected CP client resolution to 8.8.8.8 and 8.8.4.4, then that is not the default config.
OR
If you set your DHCP server to assign 8.8.8.8 and 8.8.4.4 to your DHCP clients as name servers then that is not the default config.
Both of those scenarios require pass-through entries in the captive portal or it will be broken.
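The rule stated above (and in the pfSense troubleshooting doc quoted earlier in the thread) is simple enough to script: a client's DNS server must either be the portal interface IP, where the DNS forwarder answers before authentication, or it must appear in the captive portal's "Allowed IP addresses" list, otherwise DNS is blocked pre-auth and the browser never reaches the redirect. The following POSIX sh diagnostic is an added example, not pfSense code or anything posted by the thread participants; it applies that rule to a client's resolver configuration. The portal IP 192.168.35.1, the allowed-IP lists and the resolv.conf text are constructed sample values taken from or modelled on the thread.

```shell
#!/bin/sh
# Added example (not pfSense code): check which of a client's DNS servers
# will work on a captive portal interface before the client authenticates.
#
# Rule implemented (from the pfSense captive portal troubleshooting doc):
#   - DNS server == portal interface IP  -> answered by the DNS forwarder, OK
#   - DNS server in "Allowed IP addresses" -> passthrough entry exists, OK
#   - anything else                        -> blocked until login, BROKEN
#
# Assumptions: portal interface 192.168.35.1 (hypothetical, as in the thread),
# allowed-IP lists passed as space-separated strings, IPv4 only.

# cp_dns_check PORTAL_IP "ALLOWED_IPS" "CLIENT_DNS_SERVERS"
# Prints one verdict line per DNS server; returns 0 only if all of them work.
cp_dns_check() {
    portal_ip=$1
    allowed=$2
    servers=$3
    rc=0
    for s in $servers; do
        if [ "$s" = "$portal_ip" ]; then
            echo "$s ok (portal interface, DNS forwarder answers pre-auth)"
            continue
        fi
        found=0
        for a in $allowed; do
            [ "$s" = "$a" ] && found=1 && break
        done
        if [ "$found" -eq 1 ]; then
            echo "$s ok (allowed IP passthrough)"
        else
            echo "$s BROKEN (not the portal IP and no passthrough entry)"
            rc=1
        fi
    done
    return $rc
}

# resolv_servers RESOLV_CONF_TEXT
# Extracts the nameserver entries from resolv.conf-style text as one
# space-separated line (no trailing space), ignoring search/options lines.
resolv_servers() {
    printf '%s\n' "$1" | awk '$1 == "nameserver" { printf "%s%s", (n++ ? " " : ""), $2 }'
}

# Constructed sample: a client with static Google DNS, as the OP had.
SAMPLE_RESOLV='search lan
nameserver 8.8.8.8
nameserver 8.8.4.4'

# Scenario 1: DHCP-default client using the portal IP for DNS -> no passthrough needed.
cp_dns_check 192.168.35.1 "" "192.168.35.1"

# Scenario 2: static 8.8.8.8/8.8.4.4 on the client, nothing allowed -> portal never redirects.
cp_dns_check 192.168.35.1 "" "$(resolv_servers "$SAMPLE_RESOLV")" \
    || echo "this client will not see the portal page until DNS is fixed"

# Scenario 3: same client after adding both resolvers to "Allowed IP addresses".
cp_dns_check 192.168.35.1 "8.8.8.8 8.8.4.4" "$(resolv_servers "$SAMPLE_RESOLV")"
```

On a Windows client the equivalent input is the "DNS Servers" lines from `ipconfig /all`; on a Unix client it is /etc/resolv.conf. If the script reports BROKEN for a server the DHCP lease did not hand out, the client has a static resolver configured, which is exactly the case found at the end of this thread.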
-
Removed my DNS lines from allowed IPs in CP settings and tried what you say:
If you:
Did not turn on the DNS forwarder and expected CP client resolution to 8.8.8.8 and 8.8.4.4, then that is not the default config.
DNS forwarder is on.
If you:
If you set your DHCP server to assign 8.8.8.8 and 8.8.4.4 to your DHCP clients as name servers then that is not the default config.
The DHCP server assigns its clients the pfSense box IP for this subnet as DNS (i.e., OPT1 subnet is 192.168.35.1/24, DHCP server 192.168.35.1, DNS server 192.168.35.1, gateway 192.168.35.1).
CP does not work.
If I add back 8.8.8.8 and 8.8.4.4 in CP's allowed IPs, it starts working again.
-
Then you have something configured incorrectly. Static DNS on the clients perhaps?
Post an ipconfig /all (or equivalent) from the client that "doesn't work."
-
Static DNS on the clients perhaps?
YES!!! That was the problem!!!
Static DNS entries in client machines! After I removed them, CP started working! Great!
THANK YOU!!