Captive portal - only redirects IPs



  • Hello, spent a good day on this and been searching forever.  Thought I would ask the experts.  I set up a fresh install of the latest pfSense.  I absolutely did nothing to it except for setting up WAN and LAN.  Then I went straight for captive portal.  It will only redirect to the login page if I use the IP of an FQDN.  DNS forwarding is enabled.  Any suggestions would be great!  Thanks!


  • LAYER 8 Netgate

    If your clients are not using the pfSense interface for DNS you need to whitelist the DNS servers.  See the Allowed IP Addresses Tab.



  • @Derelict:

    If your clients are not using the pfSense interface for DNS you need to whitelist the DNS servers.  See the Allowed IP Addresses Tab.

    OK.  My internal IP is 192.168.1.40, so I need the gateway of the computer I am testing with to be 192.168.1.40.  So you are telling me I need to add 192.168.1.40 to Allowed IP Addresses?


  • LAYER 8 Netgate

    No.  Look at the client behind the captive portal.  What are its configured DNS servers?  If those addresses are ANYTHING other than the interface address captive portal is listening on (pfSense DNS Forwarder itself) you need to add the IP addresses of the DNS servers to Allowed IP Addresses.

    Your DNS queries are being blocked by the captive portal so your clients can't resolve names.  That's why it redirects to the portal when you enter an IP address.  If the browser can't resolve names it doesn't try to connect http to anything on port 80, so there's no redirect.
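
The check described in the post above, as an added example that is not part of the original thread: it reads a client's resolv.conf-style resolver list and reports which servers the portal drops before login, meaning any that are neither the portal interface address nor already allowed. The function names, the sample addresses and the address-or-CIDR form of the allowed list are assumptions made for the illustration.

```python
import ipaddress

def resolvers_from_resolv_conf(text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    found = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            # Drop an IPv6 zone id such as fe80::1%eth0 before parsing.
            found.append(ipaddress.ip_address(fields[1].split("%", 1)[0]))
    return found

def classify_resolvers(resolv_conf, portal_ip, allowed=()):
    """Sort a client's resolvers by how the portal treats them before login.

    portal_ip: address of the interface the captive portal listens on.
    allowed:   entries already on the Allowed IP Addresses tab, written here
               as addresses or CIDR networks (input format is an assumption).
    """
    portal = ipaddress.ip_address(portal_ip)
    nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
    report = {"ok": [], "blocked": [], "local_stub": []}
    for addr in resolvers_from_resolv_conf(resolv_conf):
        if addr.is_loopback:
            # A local stub (e.g. 127.0.0.53) hides the real upstream servers.
            report["local_stub"].append(str(addr))
        elif addr == portal or any(addr in n for n in nets):
            report["ok"].append(str(addr))
        else:
            # Queries to this server are dropped until the client logs in.
            report["blocked"].append(str(addr))
    return report

# Constructed sample: a client with a static public resolver, the portal
# interface itself, and a local stub resolver.
SAMPLE = """\
# constructed resolv.conf
nameserver 192.0.2.53
nameserver 192.168.1.1   # pfSense LAN address in this example
nameserver 127.0.0.53
"""

if __name__ == "__main__":
    print(classify_resolvers(SAMPLE, "192.168.1.1"))
    print(classify_resolvers(SAMPLE, "192.168.1.1", allowed=["192.0.2.0/24"]))
```

Anything listed under `blocked` is a server to add to Allowed IP Addresses or to replace with the DHCP-provided resolver; a `local_stub` entry means the real upstream servers have to be read from the stub resolver's own configuration.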



  • @Derelict:

    No.  Look at the client behind the captive portal.  What are its configured DNS servers?  If those addresses are ANYTHING other than the interface address captive portal is listening on (pfSense DNS Forwarder itself) you need to add the IP addresses of the DNS servers to Allowed IP Addresses.

    Your DNS queries are being blocked by the captive portal so your clients can't resolve names.  That's why it redirects to the portal when you enter an IP address.  If the browser can't resolve names it doesn't try to connect http to anything on port 80, so there's no redirect.

    Thank you!  It now works.  Except... maybe this is just how it works, but when I try to search within the address bar, it hangs.  Can't get the captive portal page.  Does this have something to do with https and Google?

    Thanks!


  • LAYER 8 Netgate

    https queries will hang unless you have enabled https in the CP - and even then there's no way to avoid certificate errors without complete control of all client devices.  Even if you have https on the portal, I don't know what the browser will do with a cert error or portal page in the search bar.

    Captive portals essentially break the internet.  Up to you to determine if it's worth it.



  • Thanks for that!  I have now successfully configured captive portal on a physical interface.  Now when I try to configure it on a VLAN interface I can't access the captive portal page even if I try to do an IP of a website.  The only way I can access it is if I type in the captive portal page URL.  I read somewhere there is an option to enable VLANs and captive portal, but have no idea where that is.  Thanks!


  • LAYER 8 Netgate

    Captive portal doesn't care if the interface is a vlan interface or not.  It's just an interface.

    Assign the interface to "vlan xxx on re0" and bind the captive portal instance to that interface.



  • @Derelict:

    Captive portal doesn't care if the interface is a vlan interface or not.  It's just an interface.

    Assign the interface to "vlan xxx on re0" and bind the captive portal instance to that interface.

    That's what I did and I am having issues explained in my last post.  Any suggestions?


  • LAYER 8 Netgate

    Check all your VLAN tags in your switches.  I can't just blindly suggest things.  Post screenshots of your config.



  • @Derelict:

    If your clients are not using the pfSense interface for DNS you need to whitelist the DNS servers.  See the Allowed IP Addresses Tab.

    Very true.
    But ... a client that uses a "Free Portal network" should obtain an IP (and gateway, and DNS, and NTP server, and ... etc etc) by the DHCP server.
    I already met clients who 'locked' their IP statically ... and then came over seeing me telling me that the "portal isn't working". ... yeah, right ...
    Clients that lock their DNS servers statically will be treated equally. It's fine for me, but if they want to surf on the net, they have the option: 1) switch to default or 2) don't surf.

    All this because there is a rule that says: "guests" should conduct as the "host" proposes ;)

