Captive portal problems



  • I've been using a pfSense box for months with few problems…

    Then, yesterday, I enabled the captive portal for my wireless network (OPT1 interface).
    After that, lots of users can't log in.
    Some users can't even ping the pfSense box, but pfSense can ping the users' machines.
    They can also ping other computers (all connected using WiFi).

    Because they can't ping pfSense, the captive portal page didn't show up at all.

    Only some (about 6 out of 20) users successfully log in and get access to the internet.

    Sometimes they can't even get an IP from DHCP.

    Sometimes they can ping the pfSense box and the login page shows up, but then suddenly they can't ping pfSense anymore and opening the browser doesn't show the login page anymore...

    It's pfSense beta2 with squid installed.
    DHCP & DNS forwarder enabled.
    Captive portal: enabled on OPT1
    Idle timeout: 60 min
    Hard timeout: 900 min
    Disable concurrent user: checked
    That's all of it.

    Any help is very much appreciated.

    Rgds,
    rex



  • I just looked into the portal auth system log and I think I just found the cause of this problem.

    First let me describe my hotspot:
    ADSL router >> pfSense >> WiFi AP >> WiFi repeater A >> WiFi repeater B

    All repeaters are connected using WDS.

    So, a client can connect to the WiFi AP or repeater A or repeater B.

    If a client connects directly to the WiFi AP, the client can log in with no problem at all.

    The problem arises when a client connects to a repeater.
    The captive portal auth system log shows that all clients that connect to a repeater have the same IP as the repeater itself.

    Say repeater A has IP 192.168.123.123.
    Then all clients connected to that repeater will show up as having that same IP
    (even though each client actually has its own different IP).

    So (correct me if I'm wrong), because the captive portal saw that same IP, it rejected the login.

    Any way to fix this?

    Thanks in advance,
    rex



  • It looks like your repeater does some kind of NAT for clients that are connected to it. Check its configuration for options to shut down that behavior.



  • I just double-checked everything…

    It seems to me there is no NAT involved anywhere...

    Some facts:

    • All wireless clients can ping each other, and pfSense can ping all clients, regardless of which AP/repeater they connect to.
    • Before the captive portal was activated, all clients could ping pfSense.
    • All IPs are in the same network/subnet and are retrieved by DHCP from pfSense.
    • The firewall is already disabled in all wireless AP/repeater GUIs.
    • Windows Network Neighbourhood can see all computers, regardless of which AP/repeater they connect to.

    Only the captive portal sees the repeater's IP;
    the pfSense ARP table and DHCP leases table show each client's MAC and IP correctly.

    I'm no programmer, but just a wild guess... it might be a bug in the captive portal??

    Rgds,
    rex



  • The captive portal is designed to prevent clients from accessing the internet, not local hosts that do not use the gateway to communicate.



  • That's exactly what I intend to use it for.

    My problem now: when users are connected to a repeater, they cannot log in with the correct user+pass.
    It always goes back to the login page.

    Meanwhile, the exact same user+pass login can successfully browse the internet when they connect directly to the AP (access point).

    The problem (IMHO) is why the captive portal mistakenly sees the repeater's IP as the client's IP.



  • There has been a long discussion going on about issues with logins and the captive portal on the m0n0 list. The conclusion after many, many tests of different devices and different firmware versions was that the access points/repeaters caused the issue by showing the captive portal a wrong MAC and/or a wrong IP. As the captive portal of pfSense is 100% what is used in m0n0, I guess you are having the same problems due to your repeater breaking things. Try another device or another firmware. Search the m0n0 list for which device/firmware is known to be working or not.



  • I have the same problem with a Linksys WRT54G in WDS mode.
    Looks like a WDS bug.



  • I don't think it's a problem with WDS.

    Because I just tried out a friend's EnGenius WSR3800 wireless with built-in authentication (captive portal),
    using the same WDS with Linksys WRT54G/GS.

    All clients can successfully log in;
    even those clients connected to the furthest repeater can still log in with no problems.

    Rgds,
    dny



  • I guess you should start tcpdump and see what is going on.



  • I really don't know anything about tcpdump stuff.
    How do I start it?
    What does it look like?
    What info am I looking for from it?

    Rgds,
    rex
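One way to do what the previous reply suggests, as an added example that is not part of any post in this thread: capture the portal traffic on the OPT1 interface with tcpdump, then pair each packet's Ethernet source MAC with its IP source address and look for mismatches. The captive portal ties a session to the IP it sees in the HTTP request and the MAC it finds for that IP in the ARP table, so the two patterns worth looking for are one IP arriving with several MACs and one MAC arriving with several IPs. The interface name `rl1`, the portal port and the sample capture lines are assumptions constructed for the example; the exact text layout of `tcpdump -e -n` output also varies a little between tcpdump versions, so check a few real lines against the comment before trusting the parser.

```shell
#!/bin/sh
# Added example, not code from pfSense or from anyone in the thread.
#
# Step 1 (on the pfSense box, via SSH or the console shell). Capture portal
# traffic on the OPT1 interface with link-layer headers (-e) and no name
# resolution (-n). ASSUMPTION: "rl1" is the physical interface assigned to
# OPT1 on your box; use whatever the interfaces page shows.
#
#   tcpdump -e -n -i rl1 'tcp port 80' > /tmp/opt1.cap.txt
#
# Step 2. Have clients behind the repeater try to open the portal page, then
# run:  find_mismatches < /tmp/opt1.cap.txt

# Print "IP MAC" for every captured IPv4 packet. Assumed line layout is
# that of tcpdump -e -n, e.g.
#   HH:MM:SS.uuuuuu SRCMAC > DSTMAC, ethertype IPv4 (0x0800), length N: SRCIP.PORT > DSTIP.PORT: ...
ip_mac_pairs() {
    awk '
        $5 == "ethertype" && $6 == "IPv4" {
            mac = $2
            ip = ""
            # the source address is the field right after "length N:"
            for (i = 3; i <= NF; i++) {
                if ($(i - 2) == "length") { ip = $i; break }
            }
            if (ip == "") next
            sub(/\.[0-9]+$/, "", ip)      # drop the TCP port suffix
            print ip, mac
        }'
}

# Report IPs seen with more than one MAC and MACs seen with more than one IP.
# Output lines: "SHARED_IP <ip> <number of MACs>" and
#               "SHARED_MAC <mac> <number of IPs>".
# An IP shared by several MACs means the clients' source IP is being rewritten
# (NAT) upstream; a MAC shared by several IPs means the source MAC is being
# rewritten. Either breaks the portal's IP/MAC bookkeeping.
find_mismatches() {
    ip_mac_pairs | sort -u | awk '
        { ip_count[$1]++; mac_count[$2]++ }
        END {
            for (ip in ip_count)   if (ip_count[ip] > 1)   print "SHARED_IP", ip, ip_count[ip]
            for (mac in mac_count) if (mac_count[mac] > 1) print "SHARED_MAC", mac, mac_count[mac]
        }' | sort
}

# Constructed sample capture (not a real dump). It shows one client on the AP
# directly (192.168.123.50), three clients behind "repeater A" whose packets
# all carry the repeater's IP 192.168.123.123 (the pattern reported in this
# thread), and two clients behind "repeater B" whose packets all carry the
# repeater's MAC 00:16:b6:cc:cc:0b.
sample_capture() {
    cat <<'EOF'
10:00:01.000001 00:16:b6:aa:aa:01 > 00:0c:29:10:10:10, ethertype IPv4 (0x0800), length 74: 192.168.123.50.1201 > 192.168.123.1.80: Flags [S], seq 1, win 65535, length 0
10:00:01.100002 00:16:b6:bb:bb:02 > 00:0c:29:10:10:10, ethertype IPv4 (0x0800), length 74: 192.168.123.123.1302 > 192.168.123.1.80: Flags [S], seq 1, win 65535, length 0
10:00:01.200003 00:16:b6:bb:bb:03 > 00:0c:29:10:10:10, ethertype IPv4 (0x0800), length 74: 192.168.123.123.1403 > 192.168.123.1.80: Flags [S], seq 1, win 65535, length 0
10:00:01.300004 00:16:b6:bb:bb:04 > 00:0c:29:10:10:10, ethertype IPv4 (0x0800), length 74: 192.168.123.123.1504 > 192.168.123.1.80: Flags [S], seq 1, win 65535, length 0
10:00:01.400005 00:16:b6:aa:aa:01 > 00:0c:29:10:10:10, ethertype IPv4 (0x0800), length 60: 192.168.123.50.1201 > 192.168.123.1.80: Flags [.], ack 1, win 65535, length 0
10:00:01.500006 00:16:b6:cc:cc:0b > 00:0c:29:10:10:10, ethertype IPv4 (0x0800), length 74: 192.168.123.60.1605 > 192.168.123.1.80: Flags [S], seq 1, win 65535, length 0
10:00:01.600007 00:16:b6:cc:cc:0b > 00:0c:29:10:10:10, ethertype IPv4 (0x0800), length 74: 192.168.123.61.1706 > 192.168.123.1.80: Flags [S], seq 1, win 65535, length 0
10:00:01.700008 00:16:b6:aa:aa:01 > 00:0c:29:10:10:10, ethertype ARP (0x0806), length 42: Request who-has 192.168.123.1 tell 192.168.123.50, length 28
EOF
}

# Demo on the constructed sample:  sample_capture | find_mismatches
```

On the sample, the report is one `SHARED_IP` line for 192.168.123.123 (three MACs) and one `SHARED_MAC` line for 00:16:b6:cc:cc:0b (two IPs); the direct client 192.168.123.50 is not reported. A third thing to compare is `ip_mac_pairs | sort -u | wc -l` against the number of DHCP leases: if every client behind a repeater collapses into a single IP and MAC pair, neither check fires, but the pair count will be far smaller than the lease count, which is the plain NAT case an earlier reply describes. Whichever pattern shows up, the next step is the same: the repeater, not pfSense, is rewriting the packets, so the fix lives in its configuration or firmware.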



  • @rexster:

    I don't think it's a problem with WDS.
    Because I just tried out a friend's EnGenius WSR3800 wireless with built-in authentication (captive portal),
    using the same WDS with Linksys WRT54G/GS.
    All clients can successfully log in;
    even those clients connected to the furthest repeater can still log in with no problems.

    Checked that.

    I have [ADSL modem] <--> [pfSense box {=> OPT1 interface}] <--> [switch] <--> [WRT54GS as AP+WDS] <--- radio link ---> [WRT54GS as AP+WDS] <--- radio link ---> [Client PC].

    The client PC can log in to the captive portal on the pfSense box, and then has access to the net.

    The question is: what firmware (in your APs) are you using?  ;)

    Linksys routers are like PCs: it depends on what software you're using to make them fly…  :D

