Captive portal will not redirect to portal page
  • Hello,

    At one time I had this working flawlessly. Then I disabled it for a while. I just re-enabled it and it doesn't seem to work. I tried using a website's IP, which still doesn't work. I am running it with no authentication. I manually typed in the portal page, which I was able to get, but when I click on the button to accept the terms, it just hangs.

    Any ideas?

    Thanks



  • @jbrown:

    Any ideas?

    Yep.
    Detail your setup - all LAN config.



    pfSense 2.1.5

    Captive portal is running on my LAN interface.

    All my subnets are allowed on this except for my guest subnet, but my guest subnet gateway is allowed. The subnets that are allowed do work just fine; they do not go to the portal page.

    I am not using DHCP on pfSense.

    Hope this info is enough to get started. Thanks!



  • @jbrown:

    pfSense 2.1.5

    Old version ….
    And memory is short  ;)

    @jbrown:

    Captive portal is running on my LAN interface.

    Ah ….
    Why? Running the portal stuff on a dedicated (OPTx) interface makes life easier .... but I heard that it could be done.

    @jbrown:

    All my subnets are allowed on this except for my guest subnet, but my guest subnet gateway is allowed. The subnets that are allowed do work just fine; they do not go to the portal page.

    Your (default!) 192.168.1.0/24 has subnets?
    I guess I lost you there.
    I advise you to make a more classic, more simple, more default setup.

    @jbrown:

    I am not using DHCP on pfSense.

    Then where is this DHCP server?
    pfSense is a professional gateway/firewall/DHCP/you-name-it.

    Need more input - error ;)



    Ok, new details. I set up a captive portal on an OPTx interface. I tried to go to www.cnn.com and the URL redirected, but I get "webpage is not available", and the URL looks like this….

    172.16.255.1:8000/index.php?zone=test&redirurl=http%3A%2F%2Fwww.cnn.com%2F

    Also, even if I disable captive portal, I still can't get to 172.16.255.1:8000/index.php: "webpage is not available"



    Ok, I understand why the vlan 255 interface will not work for captive portal.

    When I have captive portal enabled on interface vlan255, the IP address configuration for that interface is 172.16.255.1/24

    I already have 172.16.255.1 assigned on my Cisco 3560. I have a VLAN activated with 172.16.255.1 as the gateway.

    So therefore when captive portal tries to redirect to 172.16.255.1:8000/index.php it is redirecting to the vlan255 gateway I have set up on my 3560.

    So what is best practice to get this working correctly?  thanks!



  • @jbrown:

    …...172.16.255.1:8000/index.php

    pfSense 2.2 will not default to '8000' by itself.
    It's "8001" when you set up a first portal instance.

    I advise you to:
    Stop the portal interface
    Make a backup of your config.
    Edit the config with Notepad++ and remove everything between
    <captiveportal>and</captiveportal>
    Import the config file.
    Configure your portal interface.

    Captive portal ports start from 8001 now … I guess you retrieved something that was valid for pfSense <2.2 but will not work anymore.

    If your OPTx interface has the IP "172.16.255.1", port "8000" will NOT work. The first instance will be using "8001".


  • LAYER 8 Netgate

    8002 actually.



  • Hummm …

    Right for the '8002'!

    The port will be chosen by the redirection in pfSense. Visitors don't have to know these details.



    Thanks. I will do that.

    What about my issue with my vlan 255 on my Cisco 3560 having an IP address of 172.16.255.1, the same IP address as my OPTx interface?

    How does one go about this? Sorry, very new to all of this.

    Thanks again


  • LAYER 8 Netgate

    Assign different addresses on the same subnet to your interfaces.



  • I need to back up a bit….

    When you posted about how it should be at 8002 and not 8000 I was still on pfSense 2.1.5. I didn't realize until after I posted my last post. So I did the upgrade (in which I lost my Squid proxy and content filter, but whatever, it was still in trial mode anyway).

    So now that I am upgraded to the latest and greatest, I deleted all my captive portal instances and started a fresh one on an OPTx interface. I enable it. It lets me go right to the URL I want to go to without going to the redirect page. I also tried 172.16.255.2:8002/login.php; I get nothing.

    So confused


  • LAYER 8 Netgate

    Are you behind another router?

    Anything in any of the passthroughs? (IP, Hostname, MAC?)

    Any users listed in Status > Captive Portal??

    Instead of saying what you think you did, how about posting what you've actually done.  Interface config, portal config, firewall rules, etc.

    https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting#Captive_portal_not_redirecting



    Ok, forget about my OPTx interfaces; I have another issue with that.

    So I set up captive portal back on my LAN interface again and it redirects me to the captive portal page. However, when I enter a username and password and click continue it just reloads the portal page as if I entered the username and password wrong. I have captive portal set to no authentication. Any help?

    I am getting somewhere thanks to your help, just need a lot of hand holding.  ;D


  • LAYER 8 Netgate

    If your browser thinks it's going to the portal page URL, that will happen.  It might also try to redirect you to the page you attempted.  There is a lot to be desired regarding pfSense's CP handling of this.

    1. After you log in, is there an IP/MAC entry in Status > Captive Portal??
    2. After you log in, if you manually enter an outside URL, does it work?

    If you always want to be redirected after login regardless, use the After authentication Redirection URL in the captive portal settings.

    I would like to see much better handling of the originally attempted URL.  It'd also be nice to have some way to redirect things like the Apple test URLs to something sane too.

    I have looked at the code and got scared away.

    In general it works well enough.



    After I log in, yes, there is an IP/MAC entry.
    After I log in, if I manually enter an outside URL, no, it does not work.

    I tried using the after authentication redirection URL. When I logged in, it reloaded the portal page, but it changed the redirurl to what it should be.

    Thoughts?


  • LAYER 8 Netgate

    "Does not work" gives us nothing to go on.

    Post your config.  You probably don't have firewall rules for DNS, or wrong DNS servers, or no firewall rules allowing traffic out, or no NAT rules, or ??.  With what we have it'd just be a guess.  Did you go through the list in the link above?



    This used to work before, so not sure what happened.

    When I say "does not work", I mean that it will go back to the portal page if I enter an outside URL.

    How do I post config? Just post the whole XML?


  • LAYER 8 Netgate

    Screen shots are probably better.  You have something hosed if you get a captive portal entry for the correct IP/MAC pair and keep getting redirected to the portal page when you enter other URLs.  How about just ping?  Can you ping, say, 8.8.8.8 after logging in?



    I can't ping 8.8.8.8 after logging into captive portal. What screenshots would you want? Thanks again.


  • LAYER 8 Netgate

    Captive portal, LAN, LAN Rules, outbound NAT, DHCP Server.



    … added to that: what services are running? (Status => Services) - log extracts from Status => System logs => Portal Auth and DHCP (all lines that are related to the portal interface; you can remove the others)


  • LAYER 8 Netgate

    If this is squid again I give up.



    I attached screenshots; hopefully this helps. I am not using DHCP on pfSense.

  • LAYER 8 Netgate

    And if you open a browser after authentication and enter www.cnn.com from host 04:7d:7b:ab:1c:7f / 172.16.1.184 you get the portal page again?

    Let me spin up a quick captive portal on "pfSense B" LAN (diagram in the sig) and see what's what.


  • LAYER 8 Netgate

    Works fine here.

    $ ipfw -x 2 list
    65291 allow pfsync from any to any
    65292 allow carp from any to any
    65301 allow ip from any to any layer2 mac-type 0x0806,0x8035
    65302 allow ip from any to any layer2 mac-type 0x888e,0x88c7
    65303 allow ip from any to any layer2 mac-type 0x8863,0x8864
    65307 deny ip from any to any layer2 not mac-type 0x0800,0x86dd
    65310 allow ip from any to { 255.255.255.255 or 172.26.2.1 } in
    65311 allow ip from { 255.255.255.255 or 172.26.2.1 } to any out
    65312 allow icmp from { 255.255.255.255 or 172.26.2.1 } to any out icmptypes 0
    65313 allow icmp from any to { 255.255.255.255 or 172.26.2.1 } in icmptypes 8
    65314 pipe tablearg ip from table(3) to any in
    65315 pipe tablearg ip from any to table(4) in
    65316 pipe tablearg ip from table(3) to any out
    65317 pipe tablearg ip from any to table(4) out
    65318 pipe tablearg ip from table(1) to any in
    65319 pipe tablearg ip from any to table(2) out
    65532 fwd 127.0.0.1,8002 tcp from any to any dst-port 80 in
    65533 allow tcp from any to any out
    65534 deny ip from any to any
    65535 allow ip from any to any

    $ ipfw -x 2 table 1 list
    172.26.2.100/32 mac 8a:7c:f4:f8:e1:6f 2000

    $ ipfw -x 2 table 2 list
    172.26.2.100/32 mac 8a:7c:f4:f8:e1:6f 2001
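
The `ipfw` listing above is the whole mechanism: rule 65532 forwards inbound TCP/80 to the portal's local port (8002 here), and an authenticated client shows up as an IP+MAC entry in the pass tables (1 and 2) with a pipe number. The following is an added example, not pfSense code and not from anyone in the thread: a small parser for that output shape that reports the portal port and whether a given client is actually in the pass tables. The sample text is copied from the post above; the function names and the "not in the tables" / "MAC mismatch" verdicts are my own, and a real box may use different table numbers depending on version.

```python
import re

# Sample `ipfw -x 2 list` output, copied from the post above (constructed input for this example).
RULES_TEXT = """\
65291 allow pfsync from any to any
65292 allow carp from any to any
65301 allow ip from any to any layer2 mac-type 0x0806,0x8035
65302 allow ip from any to any layer2 mac-type 0x888e,0x88c7
65303 allow ip from any to any layer2 mac-type 0x8863,0x8864
65307 deny ip from any to any layer2 not mac-type 0x0800,0x86dd
65310 allow ip from any to { 255.255.255.255 or 172.26.2.1 } in
65311 allow ip from { 255.255.255.255 or 172.26.2.1 } to any out
65312 allow icmp from { 255.255.255.255 or 172.26.2.1 } to any out icmptypes 0
65313 allow icmp from any to { 255.255.255.255 or 172.26.2.1 } in icmptypes 8
65314 pipe tablearg ip from table(3) to any in
65315 pipe tablearg ip from any to table(4) in
65316 pipe tablearg ip from table(3) to any out
65317 pipe tablearg ip from any to table(4) out
65318 pipe tablearg ip from table(1) to any in
65319 pipe tablearg ip from any to table(2) out
65532 fwd 127.0.0.1,8002 tcp from any to any dst-port 80 in
65533 allow tcp from any to any out
65534 deny ip from any to any
65535 allow ip from any to any
"""
# Sample `ipfw -x 2 table 1 list` / `table 2 list` output, also from the post above.
TABLE1_TEXT = "172.26.2.100/32 mac 8a:7c:f4:f8:e1:6f 2000\n"
TABLE2_TEXT = "172.26.2.100/32 mac 8a:7c:f4:f8:e1:6f 2001\n"

# "<rule> fwd <ip>,<port> tcp from any to any dst-port <dport> ..."
FWD_RE = re.compile(r"^(\d+)\s+fwd\s+(\S+),(\d+)\s+tcp\s+from any to any dst-port (\d+)")
# "<ip>/32 mac <mac> <pipe>"
TABLE_RE = re.compile(r"^(\S+?)/32\s+mac\s+([0-9a-f:]{17})\s+(\d+)$", re.I)


def parse_fwd_rules(text):
    """Return [(rule_no, target_ip, target_port, dst_port)] for every fwd rule."""
    out = []
    for line in text.splitlines():
        m = FWD_RE.match(line.strip())
        if m:
            out.append((int(m[1]), m[2], int(m[3]), int(m[4])))
    return out


def portal_port(text):
    """The local port HTTP is being forwarded to, or None if no fwd rule exists."""
    fwd = parse_fwd_rules(text)
    return fwd[0][2] if fwd else None


def parse_table(text):
    """Map client IP -> (mac, pipe_no) from an ipfw table listing."""
    entries = {}
    for line in text.splitlines():
        m = TABLE_RE.match(line.strip())
        if m:
            entries[m[1]] = (m[2].lower(), int(m[3]))
    return entries


def diagnose(rules_text, table1_text, table2_text, client_ip, client_mac):
    """Human-readable findings; the last entry is the verdict for the client."""
    findings = []
    fwd = parse_fwd_rules(rules_text)
    if not fwd:
        findings.append("no fwd rule: HTTP is not being redirected to the portal at all")
    for _, tgt_ip, tgt_port, dport in fwd:
        findings.append(f"HTTP on port {dport} is redirected to {tgt_ip}:{tgt_port}")
    t1, t2 = parse_table(table1_text), parse_table(table2_text)
    mac = client_mac.lower()
    in1, in2 = t1.get(client_ip), t2.get(client_ip)
    if in1 is None or in2 is None:
        findings.append(f"{client_ip} is not in both pass tables: client is NOT authenticated")
    elif in1[0] != mac or in2[0] != mac:
        # The IP was admitted, but from a different MAC; a router/NAT between client
        # and portal interface is the usual cause of this.
        findings.append(f"{client_ip} is in the tables with MAC {in1[0]}, not {mac}: MAC mismatch")
    else:
        findings.append(f"{client_ip}/{mac} is authenticated (pipes {in1[1]} in / {in2[1]} out)")
    return findings


if __name__ == "__main__":
    for line in diagnose(RULES_TEXT, TABLE1_TEXT, TABLE2_TEXT, "172.26.2.100", "8a:7c:f4:f8:e1:6f"):
        print(line)
```

Run it against the output of `ipfw -x <zone> list` and `ipfw -x <zone> table 1 list` / `table 2 list` taken while the client is "logged in". An entry in Status > Captive Portal but no matching line in both tables, or a line with a different MAC than the client's, points at the portal side rather than at firewall rules or NAT.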



    Correct, I get the login page again and I can't ping anything.

    Any suggestions?


  • LAYER 8 Netgate

    Sorry.  No idea.  What's the output of those commands on your system when a client is connected?  SSH or Diagnostics > Command Prompt.


  • LAYER 8 Netgate

    Wait a second…

    Why do you have so many 172.16.0.0 subnets in your NAT entries?  Are all those /24 networks other interfaces?  If so, they all conflict with 172.16.1.2/16 you have defined on LAN.



    Yes, they are VLAN interfaces I set up so I can use captive portal on a certain VLAN interface. That was the whole point. But now it won't even run correctly on the LAN interface.

    So, are you saying I should change 172.16.1.2/16 -> 172.16.1.2/24 for my LAN in order to resolve this issue?

    And if I do that, am I going to have to add some rules for my other subnets to work properly?


  • Banned

    @jbrown:

    Yes, they are VLAN interfaces I set up so I can use captive portal on a certain VLAN interface. That was the whole point. But now it won't even run correctly on the LAN interface.
    So, are you saying I should change 172.16.1.2/16 -> 172.16.1.2/24 for my LAN in order to resolve this issue?

    Are you trying to "bridge" VLANs via supernetting or, like… WTH.  :o ::)


  • LAYER 8 Netgate

    172.16.1.2/16 contains 172.16.0.1 through 172.16.255.254: 65534 hosts. None of your other subnets should overlap with that range at all.

    Yes, I would change that netmask to /24 or size it properly for the number of clients/dhcp leases you'll think you need.  Be sure to adjust your DHCP scope.

    I don't know if it'll fix your problem but I do know what you have is unsound/broken.
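
To make the overlap concrete, here is an added example (mine, not from the thread) that uses Python's standard `ipaddress` module to check a set of interface addresses for overlapping networks, count usable hosts, and list every interface whose network claims a given client address. The interface set is constructed from the addresses mentioned in the thread (LAN, a VLAN 240 and a VLAN 255 interface); the poster's real VLAN list is not on the page.

```python
import ipaddress

# Constructed from addresses quoted in the thread; not the poster's actual config.
BROKEN = {"LAN": "172.16.1.2/16", "VLAN240": "172.16.240.1/24", "VLAN255": "172.16.255.1/24"}
FIXED = {"LAN": "172.16.1.2/24", "VLAN240": "172.16.240.1/24", "VLAN255": "172.16.255.1/24"}


def networks(ifaces):
    """Interface name -> the network its address/prefix belongs to."""
    return {name: ipaddress.ip_interface(cidr).network for name, cidr in ifaces.items()}


def find_overlaps(ifaces):
    """Every pair of interfaces whose networks share addresses, as
    (name_a, net_a, name_b, net_b) tuples in sorted name order."""
    nets = networks(ifaces)
    names = sorted(nets)
    out = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                out.append((a, str(nets[a]), b, str(nets[b])))
    return out


def usable_hosts(cidr):
    """Host addresses in the prefix, excluding network and broadcast (IPv4, prefix <= 30)."""
    return ipaddress.ip_interface(cidr).network.num_addresses - 2


def interfaces_containing(ifaces, ip):
    """All interfaces whose network contains ip; more than one means ambiguity."""
    addr = ipaddress.ip_address(ip)
    return sorted(name for name, net in networks(ifaces).items() if addr in net)


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, "overlaps:", find_overlaps(cfg))
        print(label, "172.16.240.50 is on:", interfaces_containing(cfg, "172.16.240.50"))
    print("hosts in 172.16.1.2/16:", usable_hosts("172.16.1.2/16"))
```

With the /16 on LAN, a client at 172.16.240.50 is inside both LAN's and VLAN240's network; after shrinking LAN to /24 only VLAN240 claims it, which is the state the rest of the thread assumes.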



    Ok, I figured I would fix the subnets/VLANs first.

    I switched 172.16.1.2/16 -> 172.16.1.2/24

    I can talk between subnets, but I am not able to access the Internet. I have an interface 172.16.240.1/24 which is a VLAN on my Cisco switch. The Cisco switch VLAN 240 has an IP address of 172.16.240.1/24. I am currently on the .240.0 network and I am trying to access the internet. I cannot ping an outside address either. HOWEVER, I can traceroute an outside address. So how can I traceroute an address but not be able to access or ping it?

    Thanks!


  • LAYER 8 Netgate

    Traceroute does not necessarily use ICMP like ping. Are you passing ICMP in your rules or just TCP/UDP? Anything in the firewall logs? Those will tell you far more than we can by guessing.



    Sorry, I should have tried that. This is all new to me. Attached is my firewall log where my computer was blocked, and I also attached my rules for VLAN 240.





  • LAYER 8 Netgate

    Looks like your VLAN/layer 2 is hosed.  The interface should be VLAN240 not LAN.



    Can I post my Cisco switch config or no? Would you be able to take a look at it?

    I changed my LAN back to 172.16.1.2/16; check out the attachment. Some are showing the correct interface while others are still showing LAN for the interface. You still think this has to do with my switch config?

    Thanks



  • LAYER 8 Netgate

    The traffic from those hosts is hitting LAN, not VLAN240 so yes.

    Instead of just making changes willy-nilly you need to document your network.  What IP scheme is on what interface?  In order to help you we'll need to know physical details as well as logical.  For instance, I have no idea whether or not your VLANs are on the same physical interface as LAN.

    If you don't understand basic subnetting and VLANs this is going to be difficult to get going for you.



    VLANs are on a single physical LAN. I have Cisco Aironet APs. Each SSID is a different VLAN. The APs are hard wired into a port on my switches. On my layer 2 switch I have my VLANs enabled.

    Is this a start?


  • Banned

    @jbrown:

    The APs are hard wired into a port on my switches.

    Uhm… did you configure the VLANs on the APs?

