Netgate Discussion Forum
    Only HTTP and HTTPS traffic working when captive portal enabled

    Captive Portal
    11 Posts 4 Posters 2.7k Views
    • pfsensenewbie

      Hi All,

      Yesterday we set up a new pfSense box for guest wifi; for reasons I won't bore you with, we have had to set up a legacy version. We have installed 2.0.3, and everything was going perfectly: traffic was passing correctly to our Internet firewall, including DNS, ICMP, VPN, HTTP(S) etc.

      As this is going to be used by guests, we then customised and enabled the captive portal. At first all seemed fine: we noticed that nothing worked (as expected, as not authenticated) until we entered a valid voucher into the captive portal.

      At this point we were successfully redirected to our chosen URL, and all web browsing appears to work fine.

      However, we then noticed that no ICMP is working, nor would it allow VPN connections to be established. We can see the allows in the pfSense firewall log, but looking at the raw interface data on the Internet firewall (next hop) showed no traffic other than HTTP and HTTPS.

      Again if we turn the captive portal off then all traffic works and we see it on the raw interface data!

      This is driving us mad as we cannot work out why this would be.

      We will be working on installing the latest version, but this will take some time as we don't have the necessary hardware to support this.

      Any pointers would be appreciated.

      Thanks
      Dave

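The key observation in the post above is a next-hop one: pfSense logs an allow, but the capture on the Internet firewall shows only HTTP and HTTPS from the guest range. Rather than eyeballing a capture, the added script below (example code, not from the thread or from the pfSense project) reads `tcpdump -n` text lines from the next-hop interface, keeps only flows sourced from the guest subnet, and counts them per service, so the "only web traffic passes" claim becomes a yes/no check. The guest subnet 192.168.13.0/24, the client address, the destination addresses and the capture lines are constructed for the example; the port-to-service table (443 HTTPS, 53 DNS, 500/4500 IPsec, 1194 OpenVPN, 1723 PPTP) is the usual assignment and is an assumption, not something the thread states.

```python
"""Summarise which services a guest client actually reaches, from tcpdump -n text.

Added example, not code from the forum thread or from pfSense. It turns the
"raw interface data on the Internet firewall" into per-service flow counts for a
guest subnet and gives a verdict on whether only HTTP/HTTPS is getting through.
Assumptions: IPv4 only, tcpdump -n (numeric) output, guest subnet given by caller.
"""
import ipaddress
import re
from collections import Counter

# Assumed guest subnet for the example (the thread never states its guest range).
GUEST_SUBNET = ipaddress.ip_network("192.168.13.0/24")

# tcpdump -n line shape: "<timestamp> IP <src[.port]> > <dst[.port]>: <rest>"
LINE_RE = re.compile(r"^\S+ IP (\S+) > (\S+?): (.*)$")

# Destination-port to service table used for the verdict (conventional ports, assumed).
PORT_SERVICES = {80: "http", 8080: "http", 443: "https", 53: "dns",
                 500: "ipsec-ike", 4500: "ipsec-nat-t", 1194: "openvpn",
                 1723: "pptp", 22: "ssh"}
WEB_SERVICES = {"http", "https"}


def split_endpoint(endpoint):
    """Split 'a.b.c.d.port' into (ip, port); ICMP endpoints carry no port."""
    parts = endpoint.split(".")
    if len(parts) == 5:
        return ipaddress.ip_address(".".join(parts[:4])), int(parts[4])
    return ipaddress.ip_address(endpoint), None


def classify(line):
    """Return (src_ip, service) for one tcpdump line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src_ip, _ = split_endpoint(m.group(1))
    _, dst_port = split_endpoint(m.group(2))
    rest = m.group(3)
    if dst_port is None:
        # No port on the destination: ICMP (or some other non-TCP/UDP protocol).
        service = "icmp" if rest.startswith("ICMP") else "other-ip"
    else:
        # tcpdump prints "Flags [...]" for TCP segments; everything else here is UDP.
        transport = "tcp" if rest.startswith("Flags [") else "udp"
        service = PORT_SERVICES.get(dst_port, f"{transport}/{dst_port}")
    return src_ip, service


def summarize(lines, guest_subnet=GUEST_SUBNET):
    """Count flows per service for packets sourced inside guest_subnet."""
    counts = Counter()
    for line in lines:
        hit = classify(line)
        if hit and hit[0] in guest_subnet:
            counts[hit[1]] += 1
    return counts


def only_web(counts):
    """True when every observed guest flow is HTTP or HTTPS (the symptom in the thread)."""
    return bool(counts) and set(counts) <= WEB_SERVICES


# Constructed sample capture for the example; not a real capture from the thread's network.
SAMPLE_AFTER_AUTH = [
    "10:00:01.000001 IP 192.168.13.20.51234 > 93.184.216.34.443: Flags [S], seq 1, win 65535, length 0",
    "10:00:01.000002 IP 192.168.13.20.51235 > 93.184.216.34.80: Flags [S], seq 2, win 65535, length 0",
    "10:00:01.000003 IP 192.168.13.20 > 8.8.8.8: ICMP echo request, id 1, seq 1, length 64",
    "10:00:01.000004 IP 192.168.13.20.50000 > 8.8.8.8.53: 1234+ A? example.com. (29)",
    "10:00:01.000005 IP 192.168.13.20.500 > 203.0.113.5.500: isakmp: phase 1 I ident",
    "10:00:01.000006 IP 192.168.13.20.40000 > 203.0.113.6.1194: UDP, length 54",
    "10:00:01.000007 IP 10.10.0.5.33000 > 203.0.113.7.22: Flags [S], seq 3, win 65535, length 0",
]
# What the original poster reports seeing: only the two web flows make it to the next hop.
SAMPLE_WEB_ONLY = SAMPLE_AFTER_AUTH[:2]

if __name__ == "__main__":
    import sys
    lines = SAMPLE_AFTER_AUTH if sys.stdin.isatty() else sys.stdin.read().splitlines()
    counts = summarize(lines)
    for service, n in sorted(counts.items()):
        print(f"{service:14s} {n}")
    print("verdict:", "only HTTP/HTTPS seen" if only_web(counts) else "non-web traffic present")
```

Run it on the next-hop firewall (or a span port) with something like `tcpdump -ni <iface> net 192.168.13.0/24 | python3 guest_flows.py` (interface and file name assumed) once a guest has authenticated to the portal and then tried ping, DNS and a VPN connection. If the verdict says non-web traffic is present, the portal is passing everything after authentication and the problem lies elsewhere; if it still reports only HTTP/HTTPS, compare the same capture taken on the pfSense guest interface to see whether the packets are dropped in pfSense or never leave the client.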
      • pfsensenewbie

        EDIT: I have also managed to try this on 2.1.5 and we see the same behaviour. As this is connected to a corporate network, we have the corporate network plugged in on the LAN interface of the pfSense box, and the DHCP / captive portal on the WAN.

        Thanks
        Dave

        • Gertjan

          @pfsensenewbie:

          …. As this is connected to a corporate network we have the corporate network plugged in on the LAN interface to the PFSense box, and the DHCP / Captive portal on the WAN.

          Makes me wonder about your next 'edit'. I stay tuned, this is getting really special !

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit: and where are the logs??

          • cmb

            @Gertjan:

            Makes me wonder about your next 'edit'. I stay tuned, this is getting really special !

            :D Yeah that's fun.

            1. Upgrade to 2.2.6; you're just asking for problems using 2.0.x or 2.1.x at this point, and starting off 10-15 releases behind current on a new system is nuts.
            2. Put WAN towards your default gateway, LAN towards your clients. That's not strictly necessary if the interfaces are configured correctly, but is generally more sensible.
            • pfsensenewbie

              We have now upgraded to 2.2.6, but the same behaviour remains: only HTTP / HTTPS traffic passes to our corporate firewall when the captive portal is enabled.

              WAN is the interface we are using for our guests (therefore DHCP is enabled); the default gateway our guests see is the WAN interface. The WAN default gateway is the corporate firewall on a dedicated interface.

              The LAN is only used for us to manage the box; all traffic is blocked over the LAN (other than management).

              It all works until you activate the captive portal, which was the main reason for using this product.

              • Gertjan

                @pfsensenewbie:

                We have now upgraded to 2.2.6, but the same behaviour remains, only http / https traffic passes to our corporate firewall when the captive portal is enabled.

                Time to show us your (captive portal's) firewall rules.

                You want to manage a router with a portal? Be ready to debug and troubleshoot: https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting

                I know that right now, people can use:
                FTP
                SSH
                POP
                IMAP
                PING
                MMORPG gaming
                etc etc
                because I saw them doing so ….

                There is no such thing as "captive portal does Deep Packet Inspection" to see what the user is doing. The TCP or UDP connection can contain about anything.

                There is something that you are not telling us, a situation that exists with your setup (or the environment that it is in) that is non-standard.

                No "help me" PM's please. Use the forum, the community will thank you.
                Edit: and where are the logs??

                • muswellhillbilly

                  The part that stands out for me is the idea of plugging a firewall into your corporate network for 'guests' to use. So you have staff and outsiders sharing the same network resources? Be afraid. Be very afraid.

                  I should think you might also want to include a diagram of your network layout so people can get a better idea of what your setup is like. Otherwise it's just guesswork all the way.

                  • pfsensenewbie

                    Sorry for the late reply. Attached are screenshots of the WAN and LAN firewall rules, and also a basic overview diagram of the implementation we have in place.

                    I will take a look at the troubleshooting docs as well.

                    Thanks
                    Dave

                    Attachments: Overview.png, Lan Rules.png, Wan Rules.png

                    • muswellhillbilly

                      As much as I look at your diagram I still can't fathom what you're trying to do. So you have a segregated guest network which has its default gateway set to your main internet-connected firewall, but you're trying to get the captive portal on your PFS to bridge traffic from your guest network across your LAN and out again? This makes no sense to me whatsoever. The routing required to get this to work must be horrible, assuming I'm reading this right. Why not set up the PFS to sit between your firewall and your guest users and have the traffic flow out normally rather than via your staff network? Or am I missing something here?

                      Either way, this looks like a painful network design that could do with a major revisit.

                      • pfsensenewbie

                        @muswellhillbilly:

                        As much as I look at your diagram I still can't fathom what you're trying to do. So you have a segregated guest network which has its default gateway set to your main internet-connected firewall, but you're trying to get the captive portal on your PFS to bridge traffic from your guest network across your LAN and out again? This makes no sense to me whatsoever. The routing required to get this to work must be horrible, assuming I'm reading this right. Why not set up the PFS to sit between your firewall and your guest users and have the traffic flow out normally rather than via your staff network? Or am I missing something here?

                        Either way, this looks like a painful network design that could do with a major revisit.

                        Yes, we want a segregated guest network. No, we don't want / have the gateway through the LAN; this connection to the LAN is for access to the pfSense box for management only. We could remove the LAN interface and route to the HTTPS management page through its 192.168.13.253 address (routed via the corporate firewall, and needing static routes on machines that need to get to it).

                        What we want is: when a guest connects to the Guest SSID, it goes out via the 192.168.13.253 pfSense interface to the corporate firewall and out to the internet. This works fine in testing until we activate the captive portal. At this point we see only HTTP/HTTPS traffic passing to the corporate firewall's 192.168.13.254 interface.

                        I have yet to look at the troubleshooting page mentioned previously.

                        Does this clarify what we are trying to achieve?

                        Thanks
                        Dave

                        • muswellhillbilly

                          You're trying to route traffic from the WAN side of the PFS. This is completely wrong. You seem to be trying to use your firewall as an internal router. Any traffic passing through from the WAN side needs to be port forwarded, which isn't really what you want to do here. Set the captive portal on the LAN side and route your guest traffic through from LAN to WAN, using the WAN address for managing the PFS. It's how firewalls are supposed to work.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.