[pfsense-2.3] captive portal not working - single interface (WAN)



  • Hello,

    This is my first post, and I thank all the good guys who will have the patience to support me in this new adventure with pfSense; it seems to be a very powerful product and I have just started to explore all its possibilities.

    I have started by installing it on a virtual machine for testing purposes; my first project and final purpose will be to install it in a library, configured as a transparent web proxy with a captive portal. The current router's DHCP will be configured to hand out pfSense as gateway and DNS server.
    It is not business work, so I have all the time to make it work and tune it as well as I can.

    As far as I have gone, I got the transparent proxy working, but when I activate and configure the captive portal module/zone it does not work; it simply does not redirect to the "captive/login page".

    The real problem is that I am wondering whether it is possible to make it work with the "transparent proxy + captive portal + single interface" features, or whether that is some black-magic desire.

    I have already searched the forum for suggestions, but I can't find a true answer anywhere to the "is it possible" question.

    Thank you very much



  • You have to have two interfaces for captive portal to function: the clients on the LAN, and the WAN connected to the Internet.



  • OK, I have managed to build a two-interface machine with the WAN configured as a DHCP client in the current network and the LAN with a static IP.

    Configured the Squid proxy server to work on the LAN interface as a transparent proxy and enabled the DNS forwarder; it works fine browsing the web from a host on the LAN side  8)

    The problem now is that when I enable the Captive Portal on the LAN interface, the proxy stops working, without any useful event logged under "Status -> System Logs".

    If I manually add a particular host IP under "Allowed IP Addresses", it works fine… It seems that the "captive page" with the login doesn't trigger or something.



  • @solidus:

    …..
    If I manually add a particular host IP under "Allowed IP Addresses", it works fine... It seems that the "captive page" with the login doesn't trigger or something.

    The 'Captive Portal client' that gets an IP (using DHCP) from pfSense also obtained a DNS (or more DNSs)?
    Does resolving work? (Make the wifi connection - do NOT log in - and ping www.google.com => the ping won't reply, but did it resolve to AN IP (belonging to Google)?)



  • The 'Captive Portal client' that gets an IP (using DHCP) from pfSense also obtained a DNS (or more DNSs)?

    The 'Captive Portal client' has a static IP manually set on the LAN interface, with the pfSense proxy as gateway and nameserver.

    Does resolving work? (Make the wifi connection - do NOT log in - and ping www.google.com => the ping won't reply, but did it resolve to AN IP (belonging to Google)?)

    Preamble: I do not use a wifi connection, only cabled Ethernet, and I have never been able to connect to or see the captive login page.

    Resolving always works, whether I add the client IP under "Services / Captive Portal / captive_proxy / Allowed IP Addresses" or not.

    Question: does Captive Portal work only with DHCP enabled on the pfSense LAN interface?
    (The original idea was to use the DHCP already working in the current network, running on a Windows Server, configuring it to hand out a configuration telling the clients that the gateway and nameserver is the pfSense proxy.)



  • It seems that the DHCP service is a fundamental component for the Captive Portal to work correctly; can anyone confirm that, please?

    I will enable it on the LAN interface and make some tests; I hope that Captive Portal will work this way.

    thanks



  • @solidus:

    It seems that the DHCP service is a fundamental component for the Captive Portal to work correctly; can anyone confirm that, please?

    Open the main config page for the portal on pfSense.
    Read out loud what's been marked at the bottom of the page.

    I have this:
    Don't forget to enable the DHCP server on the captive portal interface! Make sure that the default/maximum DHCP lease time is higher than the hard timeout entered on this page. Also, the DNS Forwarder or Resolver must be enabled for DNS lookups by unauthenticated clients to work.

    Btw: all this actually gives you enough information if you want to use another (non-pfSense) DHCP server.
    [You should know what you are doing]
    And, in this case: support isn't a pfSense matter anymore ;)
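
The prerequisites quoted from the pfSense page above (a portal interface separate from the WAN, DHCP enabled on that interface, lease times above the hard timeout, a DNS Forwarder or Resolver enabled) can be turned into a small pre-flight check. The script below is an added example, not pfSense code: its dictionary field names are constructed for this example and do not mirror pfSense's config.xml. The one caveat it encodes is that pfSense takes the zone's hard timeout in minutes while DHCP lease times are entered in seconds, so the values must be normalised before they are compared.

```python
# Added example (not pfSense's own code): checks a captive-portal zone configuration
# against the prerequisites quoted from the pfSense captive portal page.
# The dict layout below is constructed for this example; it is not pfSense's config.xml.

SECONDS_PER_MINUTE = 60


def check_captive_portal(cfg):
    """Return a list of human-readable problems; an empty list means the zone should come up.

    cfg keys (constructed for this example):
      portal_interface       interface the zone is bound to
      wan_interface          interface facing the Internet
      hard_timeout_minutes   hard timeout as typed in the UI (minutes; 0 means disabled here)
      dhcp                   {interface: {"enabled": bool,
                                          "default_lease_seconds": int,
                                          "max_lease_seconds": int}}
      dns_forwarder_enabled, dns_resolver_enabled   booleans
    """
    problems = []
    portal_if = cfg["portal_interface"]

    # A captive portal needs a client-facing interface distinct from the WAN.
    if portal_if == cfg["wan_interface"]:
        problems.append("captive portal zone is bound to the WAN interface; "
                        "clients must sit on a separate LAN-side interface")

    dhcp = cfg.get("dhcp", {}).get(portal_if)
    if not dhcp or not dhcp.get("enabled"):
        problems.append(f"DHCP server is not enabled on portal interface {portal_if}")
    else:
        # The UI takes the hard timeout in minutes but lease times in seconds. Comparing
        # the raw numbers (7200 > 180) would pass a 180-minute timeout that a
        # 7200-second lease actually violates, so convert before comparing.
        hard_s = cfg.get("hard_timeout_minutes", 0) * SECONDS_PER_MINUTE
        if hard_s > 0:
            for key in ("default_lease_seconds", "max_lease_seconds"):
                lease = dhcp.get(key, 0)
                if lease <= hard_s:
                    problems.append(f"{key}={lease}s on {portal_if} is not higher than the "
                                    f"hard timeout ({hard_s}s): leases expire before sessions do")

    # Unauthenticated clients must be able to resolve names, or the redirect never happens.
    if not (cfg.get("dns_forwarder_enabled") or cfg.get("dns_resolver_enabled")):
        problems.append("neither the DNS Forwarder nor the DNS Resolver is enabled")

    return problems


# Constructed: the single-interface setup from the start of the thread ...
SINGLE_INTERFACE = {
    "portal_interface": "wan",
    "wan_interface": "wan",
    "hard_timeout_minutes": 60,
    "dhcp": {},
    "dns_forwarder_enabled": True,
    "dns_resolver_enabled": False,
}

# ... and the two-interface setup with DHCP on LAN that ended up working.
TWO_INTERFACES = {
    "portal_interface": "lan",
    "wan_interface": "wan",
    "hard_timeout_minutes": 60,
    "dhcp": {"lan": {"enabled": True,
                     "default_lease_seconds": 7200,
                     "max_lease_seconds": 86400}},
    "dns_forwarder_enabled": True,
    "dns_resolver_enabled": False,
}

if __name__ == "__main__":
    for name, cfg in (("single interface", SINGLE_INTERFACE),
                      ("two interfaces", TWO_INTERFACES)):
        print(f"{name}: {check_captive_portal(cfg) or 'OK'}")
```

Running it reports the two defects of the original single-interface layout (zone on the WAN, no DHCP) and passes the two-interface layout. Feeding it a 3600-second lease against a 120-minute hard timeout shows the unit trap the pfSense note warns about.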



  • Thank you Gertjan, I made it work by enabling DHCP; it would be nice to know how to make the captive portal work properly with DHCP residing on another machine, but for now it is good as is.

    Is there a way to trigger the captive portal if a client browses to an https site or has one as homepage?



  • @solidus:

    ….
    Is there a way to trigger the captive portal if a client browses to an https site or has one as homepage?

    Short answer: No.
    Search this forum for "Man In The Middle" or MITM, and you will find out why.



  • Yes of course, I understand that this is a very serious issue.

    So, if someone has an https home page set and is not smart enough to change the https into http at the beginning of the URL, what could be a simple solution/workaround?

    How feasible is it to put in the DNS resolver configuration, maybe using the "domain override" option, a domain like "log.me" that triggers the captive page?
    DOMAIN : log.me  ---  IP Address : pfSense LAN IP

    It would be easy to tell someone who is complaining about browsing issues to type "log.me" in the browser address bar.



  • @solidus:

    Yes of course, I understand that this is a very serious issue.

    So, if someone has an https home page set and is not smart enough to change the https into http at the beginning of the URL, what could be a simple solution/workaround?

    Well ….
    A visitor who wants the page https://www.google.com instructs his browser that he wants to see https://www.google.com - and nothing else - no matter what.
    That's what https (SSL) is known for. It guarantees this need.
    It doesn't need much thinking to see that other destinations are ruled out. If the connection gets intercepted (redirected), the returned certificate will NOT say it's "google.com" but "myportal.net" => the browser will yell.
    So, the visitor will start to understand that something is up ...
    He should know that he is behind a "captive portal" (more and more people are using this kind of Internet access).
    The captive portal login page isn't, of course, "https://www.google.com", so ....

    Basic rule: a connection should be built before secure connections are possible.
    In other words: use http://..... first and, if OK, use https://.....

    @solidus:

    How feasible is it to put in the DNS resolver configuration, maybe using the "domain override" option, a domain like "log.me" that triggers the captive page?
    DOMAIN : log.me  ---  IP Address : pfSense LAN IP

    It would be easy to tell someone who is complaining about browsing issues to type "log.me" in the browser address bar.

    ;D
    This has been done already. Search the forum (and the pfSense doc) for examples.
    Instruct the local DNS that log.me == the IP of the Captive Portal and you're close.
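
The last two posts describe what a client actually sees from an unauthenticated captive-portal interface: a plain-HTTP request is answered with a redirect to the login page, while an HTTPS request cannot be redirected at all because the portal would have to present a certificate for a name it does not own. The script below is an added example and not pfSense's or the thread's own code; it turns that description into a client-side probe of the kind operating systems use to detect a portal. To run offline it starts a constructed stand-in portal on loopback, and PORTAL_NAME ("log.me", the name the thread proposes overriding in the DNS resolver) and PORTAL_LOGIN are constructed values.

```python
# Added example (not pfSense's code): a client-side captive-portal probe that distinguishes
# "redirected to a login page", "open Internet" and "HTTPS cannot be probed", exercised
# against a constructed stand-in portal served on loopback so it runs offline.
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

PORTAL_NAME = "log.me"                            # constructed: name the DNS override would map to the portal
PORTAL_LOGIN = f"http://{PORTAL_NAME}/index.php"  # hypothetical login-page URL


class FakePortalHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a captive-portal interface: requests under /authenticated
    behave as an allowed client would see them, every other plain-HTTP request is
    answered with a redirect to the login page (the behaviour the thread describes)."""

    def do_GET(self):
        if self.path.startswith("/authenticated"):
            self.send_response(204)   # the real destination answers; nothing in the way
            self.end_headers()
            return
        self.send_response(302)
        self.send_header("Location", f"{PORTAL_LOGIN}?redirurl={self.path}")
        self.end_headers()

    def log_message(self, *args):     # keep the demo quiet
        pass


def start_fake_portal():
    """Serve the fake portal on an ephemeral loopback port; returns the server object."""
    server = HTTPServer(("127.0.0.1", 0), FakePortalHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib raise on 3xx instead of silently following the portal's redirect."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url, timeout=3):
    """Classify what a client sees when it fetches a probe URL.

    Returns a dict whose "state" is one of open, captive, not-probeable, error, unreachable.
    """
    target = urlsplit(url)
    if target.scheme == "https":
        # The portal cannot redirect this: intercepting the TLS handshake would mean presenting
        # a certificate for a name it does not own, which the browser rejects before any HTTP.
        return {"state": "not-probeable",
                "reason": "HTTPS cannot be redirected to the portal; probe an http:// URL"}
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return {"state": "open", "status": resp.status}
    except urllib.error.HTTPError as err:
        location = err.headers.get("Location")
        if 300 <= err.code < 400 and location:
            if urlsplit(location).hostname != target.hostname:
                # Redirected to a different host: that is the portal's login page.
                return {"state": "captive", "login": location}
        return {"state": "error", "status": err.code}
    except urllib.error.URLError as err:
        return {"state": "unreachable", "reason": str(err.reason)}


def demo():
    """Run the probes against the local fake portal and return the results by case."""
    server = start_fake_portal()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        return {
            "http": probe(f"{base}/generate_204"),                   # unauthenticated client
            "after_login": probe(f"{base}/authenticated/generate_204"),  # allowed client
            "https": probe("https://www.example.com/"),              # never reaches the portal
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The "http" case is the one that matters for a help-desk script: if a user's browser only ever opens https:// pages, the probe shows why nothing happens, and pointing them at http://log.me (with the resolver override the thread proposes) reaches the login page without any interception.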