[SOLVED]Multi zones not working on opt interfaces

yanqian · Feb 4, 2016, 7:42 AM

Hi, This is pfsense 2.2.6 box, here are the interfaces info.

WAN (wan) -> bge0
LAN (lan) -> bge1
TEST01 (opt1) -> bge1_vlan108
TEST02 (opt2) -> bge1_vlan109

I created 2 portals, one operates on LAN interface, the other operates on TEST01 and TEST02:

zone1: LAN
zone2: TEST01,TEST02

When I enable one of them only, it works well, but if I enable both of them, client will not be authorized, clients are required to login again and again, and not able to access internet.

I checked the CP status page, found client sessions exist in both zones, or maybe they were flapping in both zones.

I also tried to set up 2 zones as below, it also didn't work when both zones are enabled:

Zone1: TEST01
Zone2: TEST02

May I know if we can set up multi zones between these virtual interfaces?
or do we have to create zones operating on different physical interfaces?

magura · Feb 3, 2016, 3:14 PM

Please provide your record fails the testing and certification

System logs–> System and Portal Auth

cmb · Feb 3, 2016, 8:15 PM

Not aware of any issues there, but my guess is maybe the use of tagged and untagged VLANs on the same interface. I know there are people doing multiple different zones on tagged VLANs not using the parent interface. I'd try tagging everything and running CP only on the tagged VLANs and see if that works as expected.

magura · Feb 4, 2016, 3:38 AM

test ok. 3 vlan bind one CP

but my LAN(name:VlanLAN) no IP.Just transfer vlan traffic.

As cmb said,Your problem maybe is use of tagged and untagged VLANs on the same interface.

test3.zip

magura · Feb 4, 2016, 7:42 AM

TEST1:
LAN+3vlan bind one CP, can work.

TEST2:
Zone lan_cp:LAN(igb2)
Zone CP: 3VLAN(igb2)

client will twice login, Refer login recorded

VLAN PC –->CP portal---->lan_cp---->internet =_=

first login URL: xxxx.xxx.xxx.xx:8003
second time login URL: xxxx.xxx.xxx.xx:8005

don't use TEST2 approach and untag-tag port

nativevlan.zip

yanqian · Feb 4, 2016, 7:41 AM

Hi,cmb,
Yes, you are right, I should avoid using both tagged and untagged on the same interface.

Hi,magura,
Now this issue has been solved, thanks for your great support!

yaman.amin · Mar 22, 2016, 8:48 AM

I suggest to set the redirection url before and after authentication
it is good also to isolate these different subnets of captive portal interfaces from eachother by using Aliase and apply this aliases in the firewall rules of each captive portal interface.
i read once but i am not sure if this is correct , Apply Captive portal always on Opt interface not LAN interfcae

Bet Wishes