Only HTTP and HTTPS traffic working when captive portal enabled



  • Hi All,

    Yesterday we setup a new pfsense box for guest wifi, for reasons I wont bore you with we have had to setup a legacy version. We have installed 2.0.3, everything was going perfectly, traffic was passing correctly to our Internet Firewall including, DNS, ICMP, VPN, HTTP (S) etc.

    As this is going to be used by guests we then enabled then customised the captive portal and enabled this. At first all seemed fine, we noticed that nothing worked (As expected as not authenticated), until we entered a valid voucher into the captive portal.

    At this point we were successfully redirected to our chosen URL, and all web browsing appears to work fine.

    However, we then noticed that no ICMP is working, nor would it allow VPN connections to be enabled. We can see the allows in the pfsense firewall log, but looking at the raw interface data on the Internet firewall (Next hop) showed no traffic other than HTTP and HTTPS.

    Again if we turn the captive portal off then all traffic works and we see it on the raw interface data!

    This is driving us mad as we cannot work out why this would be.

    We will be working on installing the latest version, but this will take some time as we don't have the necessary hardware to support this.

    Any pointers would be appreciated.

    Thanks
    Dave



  • EDIT: I have also managed to try this on 2.1.5 and we see the same behaviour. As this is connected to a corporate network we have the corporate network plugged in on the LAN interface to the PFSense box, and the DHCP / Captive portal on the WAN.

    Thanks
    Dave



  • @pfsensenewbie:

    …. As this is connected to a corporate network we have the corporate network plugged in on the LAN interface to the PFSense box, and the DHCP / Captive portal on the WAN.

    Makes me wonder about your next 'edit'. I stay tuned, this is getting really special !



  • @Gertjan:

    Makes me wonder about your next 'edit'. I stay tuned, this is getting really special !

    :D Yeah that's fun.

    1. upgrade to 2.2.6, you're just asking for problems using 2.0x or 2.1x at this point and starting off 10-15 releases behind current on a new system is nuts.
    2. Put WAN towards your default gateway, LAN towards your clients. That's not strictly necessary if the interfaces are configured correctly, but is generally more sensible.


  • We have now upgraded to 2.2.6, but the same behaviour remains, only http / https traffic passes to our corporate firewall when the captive portal is enabled.

    WAN is the interface we are using for our guests (therefore DHCP is enabled), the default gateway our guests see is the WAN interface. The WAN default gateway is the corporate firewall on a dedicated interface

    The LAN is only used for us to manage the box, all traffic is blocked over the LAN (other than management)

    It all works until you active the captive portal, which was the main reason for using this product.



  • @pfsensenewbie:

    We have now upgraded to 2.2.6, but the same behaviour remains, only http / https traffic passes to our corporate firewall when the captive portal is enabled.

    Time to show us your (captive portal's) firewall rules.

    You want to manage a router with portal ? Be ready to debug and trouble shoot : https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting

    I know that right now, people can use:
    FTP
    SSH
    POP
    IMAP
    PING
    MMORPG gaming
    etc etc
    because I saw them doing so ….

    There is no such thing as "captive portal does Deep Packet Inspect" to see what the user is doing. The TCP ou UDP connection can contain about anything.

    There is something that you are not telling us, a situation tat exists with your setup (or the environment that it is in) that is none-standard.



  • The part that stands out for me is the idea of plugging a firewall into your corporate network for 'guests' to use. So you have staff and outsiders sharing the same network resources? Be afraid. Be very afraid.

    I should think you might also want to include a diagram of your network layout so people can get a better idea of what your setup is like. Otherwise it's just guesswork all the way.



  • Sorry for the late reply, Attached is screen shots of the WAN and LAN firewall rules, and also a basic overview diagram of the implementation we have in place.

    I will take a look at the troubleshooting docs as well.

    Thanks
    Dave



    ![Lan Rules.png](/public/imported_attachments/1/Lan Rules.png)
    ![Lan Rules.png_thumb](/public/imported_attachments/1/Lan Rules.png_thumb)
    ![Wan Rules.png](/public/imported_attachments/1/Wan Rules.png)
    ![Wan Rules.png_thumb](/public/imported_attachments/1/Wan Rules.png_thumb)



  • As much as I look at your diagram I still can't fathom what you're trying to do. So you have a segregated guest network which has it's default gateway set to your main internet-connected firewall, but you're trying to get the captive portal on your PFS to bridge traffic from your guest network across your LAN and out again? This makes no sense to me whatsoever. The routing required to get this to work must be horrible, assuming I'm reading this right. Why not set up the PFS to sit between your firewall and your guest users and have the traffic flow out normally rather than via your staff network? Or am I missing something here?

    Either way, this looks like a painful network design that could do with a major revisit.



  • @muswellhillbilly:

    As much as I look at your diagram I still can't fathom what you're trying to do. So you have a segregated guest network which has it's default gateway set to your main internet-connected firewall, but you're trying to get the captive portal on your PFS to bridge traffic from your guest network across your LAN and out again? This makes no sense to me whatsoever. The routing required to get this to work must be horrible, assuming I'm reading this right. Why not set up the PFS to sit between your firewall and your guest users and have the traffic flow out normally rather than via your staff network? Or am I missing something here?

    Either way, this looks like a painful network design that could do with a major revisit.

    Yes we want a segregated guest network, No we don't want / have the gateway through the LAN, this connection to the Lan is for access to the PFSense box for management only. We could remove the LAN interface and route to the HTTPS management page through its 192.168.13.253 address (routed via the corporate firewall and need static routes on machines that need to get to it.).

    What we want is, when a guest connects the Guest SSID, it goes out via the 192.168.13.253 pfsense interface to the corparate firewall and out to the internet. This works fine in testing until we activate the captive portal. At this point we see only HTTP/https traffic passing to the corporate firewalls 192.168.13.254 interface.

    I have yet to look at the troubleshooting page mentioned previously.

    Does this clarify what we are trying to achieve?

    Thanks
    Dave



  • You're trying to route traffic from the WAN side of the PFS. This is completely wrong. You seem to be trying to use your firewall as an internal router. Any traffic passing through from the WAN side needs to be port forwarded, which isn't really what you want to do here. Set the captive portal on the LAN side and route your guest traffic through from LAN to WAN, using the WAN address for managing the PFS. It's how firewalls are supposed to work.


Log in to reply