Hi guys,
I am trying to enable a captive portal for our guest net (with vouchers), as we will soon get a serious fiber connection and I need to make sure to be able to monitor decently.
Anyway, I followed the steps as described here: https://docs.opnsense.org/manual/how-tos/guestnet.html
I honestly went through everything multiple times, each step again and again, but I still have the problem that, once a device connects to the guest network, it simply can access the net without any problems - no redirection to the portal/login page, no error, nothing.
Maybe somebody has an idea? I have the DNS forwarder enabled, DHCP configured as per the help page... I really dunno what else could be wrong here ...
Version Data:
OPNsense 16.1.9-amd64
FreeBSD 10.2-RELEASE-p14
OpenSSL 1.0.2g 1 Mar 2016
Thanks
Lukas
Hi Lukas,
Are you using bridging? If you do, that might explain why this doesn't work. Bridged interfaces have a lot of limitations under FreeBSD.
If that's not the case, can you try to run the following command in a console:
ipfw -aT list
And publish the output here.
Regards,
Ad
Hi Ad,
I am not using bridging, however the Guest WLAN net is on a VLAN tagged interface, maybe that makes a difference?
root@firewall:~ # ipfw -aT list
00100 0 0 0 allow pfsync from any to any
00110 0 0 0 allow carp from any to any
00120 0 0 0 allow ip from any to any layer2 mac-type 0x0806,0x8035
00130 0 0 0 allow ip from any to any layer2 mac-type 0x888e,0x88c7
00140 0 0 0 allow ip from any to any layer2 mac-type 0x8863,0x8864
00150 0 0 0 deny ip from any to any layer2 not mac-type 0x0800,0x86dd
00200 0 0 0 skipto 60000 ip6 from ::1 to any
00201 43990 7722152 1460295070 skipto 60000 ip4 from 127.0.0.0/8 to any
00202 0 0 0 skipto 60000 ip6 from any to ::1
00203 0 0 0 skipto 60000 ip4 from any to 127.0.0.0/8
01002 0 0 0 skipto 60000 udp from any to 192.168.1.1 dst-port 53 keep-state
01002 59161 12614958 1460295082 skipto 60000 ip from any to { 255.255.255.255 or 192.168.1.1 } in
01002 64325 31137438 1460295082 skipto 60000 ip from { 255.255.255.255 or 192.168.1.1 } to any out
01002 0 0 0 skipto 60000 icmp from { 255.255.255.255 or 192.168.1.1 } to any out icmptypes 0
01002 0 0 0 skipto 60000 icmp from any to { 255.255.255.255 or 192.168.1.1 } in icmptypes 8
01003 0 0 0 skipto 60000 udp from any to 192.168.3.1 dst-port 53 keep-state
01003 23 13248 1460292467 skipto 60000 ip from any to { 255.255.255.255 or 192.168.3.1 } in
01003 23 7544 1460292467 skipto 60000 ip from { 255.255.255.255 or 192.168.3.1 } to any out
01003 0 0 0 skipto 60000 icmp from { 255.255.255.255 or 192.168.3.1 } to any out icmptypes 0
01003 0 0 0 skipto 60000 icmp from any to { 255.255.255.255 or 192.168.3.1 } in icmptypes 8
01004 4564 394973 1460295082 skipto 60000 udp from any to 192.168.2.1 dst-port 53 keep-state
01004 1034 343511 1460294983 skipto 60000 ip from any to { 255.255.255.255 or 192.168.2.1 } in
01004 1024 333632 1460294983 skipto 60000 ip from { 255.255.255.255 or 192.168.2.1 } to any out
01004 0 0 0 skipto 60000 icmp from { 255.255.255.255 or 192.168.2.1 } to any out icmptypes 0
01004 0 0 0 skipto 60000 icmp from any to { 255.255.255.255 or 192.168.2.1 } in icmptypes 8
65535 19331415 17473214667 1460295082 allow ip from any to any
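The listing above is worth checking mechanically rather than by eye. The following is an added example (not OPNsense code and not part of the original thread) that parses `ipfw -aT list` output in the format shown above (rule number, packet count, byte count, last-match timestamp, rule text) and reports two things: `skipto` rules that carry no `via`/`recv`/`xmit` interface qualifier and therefore match on every interface, and `skipto` rules whose jump lands directly on the terminal rule 65535, meaning the traffic is handled by the default action rather than by any zone-specific rule. The sample listings are constructed (a trimmed copy of the output above, plus a hypothetical zone-bound variant for contrast), and the threshold of 1000 for "zone rules" is an assumption taken from the numbering in the listing.

```python
"""Sanity-check `ipfw -aT list` output for a captive-portal ruleset.

Added example for this thread, not OPNsense code. Columns in the listing:
rule number, packets, bytes, last-match epoch time, then the rule text.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the listing posted in the thread (trimmed).
SAMPLE = """\
00100 0 0 0 allow pfsync from any to any
00201 43990 7722152 1460295070 skipto 60000 ip4 from 127.0.0.0/8 to any
01002 0 0 0 skipto 60000 udp from any to 192.168.1.1 dst-port 53 keep-state
01002 59161 12614958 1460295082 skipto 60000 ip from any to { 255.255.255.255 or 192.168.1.1 } in
01003 23 13248 1460292467 skipto 60000 ip from any to { 255.255.255.255 or 192.168.3.1 } in
65535 19331415 17473214667 1460295082 allow ip from any to any
"""

# Hypothetical contrast: a zone rule bound to an interface and a real rule at
# the skipto target, so the jump no longer lands on the default rule.
BOUND_SAMPLE = """\
01002 0 0 0 skipto 60000 udp from any to 192.168.1.1 dst-port 53 keep-state via vlan0
60000 0 0 0 allow ip from any to any
65535 0 0 0 allow ip from any to any
"""

# Assumption from the numbering above: loopback rules sit below 1000 and are
# meant to match everywhere; per-zone rules start at 1000.
ZONE_RULE_MIN = 1000

RULE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.*)$")
IFACE_RE = re.compile(r"\b(via|recv|xmit)\s+(\S+)")


@dataclass
class Rule:
    number: int
    packets: int
    nbytes: int
    last_match: int   # epoch seconds; 0 means the rule has never matched
    action: str       # allow, deny, skipto, ...
    body: str         # rule text after the action

    @property
    def interface(self) -> Optional[str]:
        """Interface the rule is bound to, or None if it matches everywhere."""
        m = IFACE_RE.search(self.body)
        return m.group(2) if m else None

    @property
    def skipto_target(self) -> Optional[int]:
        return int(self.body.split()[0]) if self.action == "skipto" else None


def parse_ipfw_list(text: str) -> List[Rule]:
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ipfw line: {line!r}")
        num, pkts, nbytes, ts, action, body = m.groups()
        rules.append(Rule(int(num), int(pkts), int(nbytes), int(ts), action, body))
    return rules


def unbound_skipto(rules: List[Rule]) -> List[Rule]:
    """Zone-range skipto rules without via/recv/xmit: they match on every interface."""
    return [r for r in rules
            if r.action == "skipto" and r.number >= ZONE_RULE_MIN and r.interface is None]


def skipto_landing(rules: List[Rule], rule: Rule) -> Optional[Rule]:
    """ipfw 'skipto N' continues at the first rule numbered >= N."""
    target = rule.skipto_target
    if target is None:
        return None
    for r in rules:
        if r.number >= target:
            return r
    return None


def skipto_into_default(rules: List[Rule]) -> List[Rule]:
    """Zone-range skipto rules whose jump lands straight on the terminal rule 65535."""
    out = []
    for r in rules:
        if r.number < ZONE_RULE_MIN:
            continue
        land = skipto_landing(rules, r)
        if land is not None and land.number == 65535:
            out.append(r)
    return out


def report(text: str) -> List[str]:
    """Human-readable findings for one listing."""
    rules = parse_ipfw_list(text)
    lines = []
    for r in unbound_skipto(rules):
        lines.append(f"rule {r.number:05d} has no interface qualifier: {r.body}")
    for r in skipto_into_default(rules):
        land = skipto_landing(rules, r)
        lines.append(f"rule {r.number:05d} skips straight to {land.number} ({land.action} {land.body})")
    if rules and rules[-1].number == 65535 and rules[-1].action == "allow":
        lines.append("terminal rule 65535 is 'allow': anything not handled earlier is passed")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```

Run against the constructed copy of the listing, every zone rule is reported as unbound and as jumping straight to the `allow ip from any to any` at 65535; run against the bound variant, nothing is reported. The `last_match` column (zero for rules that never matched, such as the DNS rule for 192.168.3.1 above) is kept in the dataclass because it is the quickest way to see which zone rules a client actually hit.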
Hi Lukas,
That shouldn't make a difference, but by the look of your ipfw output it seems to be missing your interface selection (which is odd).
Just tried to add a zone to a vlan on my local vm and that seems to be producing the right output.
Can you create a screenshot of your zone settings?
Regards,
Ad
Hi Ad,
thanks for your help. Do you mean a screenshot of my interfaces?
Like the attached one?
Hi Lukas,
You're welcome :)
No, I mean a screenshot of your defined captive portal zone (Services -> Captive portal -> Administration)
Regards,
Ad
Here we go :)
Looks normal, can you apply these settings again? Maybe something changed after applying the captive portal settings.
If that doesn't work, you may have to download your configuration xml and check the values in the captive portal settings.
I reapplied the settings several times, as I also rebooted the firewall and used different mobile devices.
I dunno, maybe there is something wrong with the firewall rules? Like allowing access all the time?
The firewall rules shouldn't affect the captive portal behaviour, so it's probably something different.
If you can share your config, you may send it to me for inspection (ad at project domain); it's probably something small, but it's hard to tell without all the details.
Done :)
Got it, can you send me the contents of the file /usr/local/etc/ipfw.rules as well?
I have no machine to deploy the config on at the moment, and most settings seem to be ok.
Hi Lukas,
I think I found your problem, can you check if your "EOLO" interface is up? When I install your configuration on a machine over here it fails because it can't setup the pppoe connection for it (which is from here logical, but might very well be your issue as well).
If it isn't up or used, can you try to disable the interface and try again?
Regards,
Ad
Oh interesting...
The EOLO interface is up (see screenshot).
I tried to disable it, in which case I simply have no internet access (neither on the Guest wlan, nor on my internal LAN).
Ok, we're getting close here. I was looking in the wrong direction, one moment :)
can you try to run this:
curl -o /usr/local/opnsense/service/templates/OPNsense/IPFW/ipfw.conf https://raw.githubusercontent.com/opnsense/core/master/src/opnsense/service/templates/OPNsense/IPFW/ipfw.conf
and apply your captive portal settings again (or reboot)?
Sir, it is working now! :)
What did you do to get it working?
Btw, is there any way to change the complexity of the vouchers? Like, avoid special chars in the username?
We are still planning to make voucher length and character set customisable, but don't have a specific ETA.
Ok!
But now tell me, what was wrong? Did I set something odd?
No, your setup was fine, it was a bug in the ruleset in combination with the pppoe interface.
For the vouchers, I want to add some simple checkboxes to "degrade" password strength and maybe a customizable length. I rather don't want to add a complete "selectable character map", I don't think that would increase user experience.
Hi Ad,
I think that the solution with the checkbox would be more than fine. I would use the captive portal for hotel guests, and a too complicated username (for the password it's not as bad I guess) could lead to complaints ;D
Anyway, OPNsense is truly great and I am very happy that I went installing it right away once it came out, instead of using pfSense. I used to use Endian firewall, but that stuff was simply not working anymore for my needs...
Hi Lukas,
Thanks for your feedback, always great to hear people like our project :)
I've added an issue in github for the voucher feature, I couldn't find one in the tracker and this should be easy to fix. (there have been more questions about it in the past)
https://github.com/opnsense/core/issues/886
Regards,
Ad
Ad,
In the days when we created the voucher system for monowall, we were confronted with two user complaints.
a) Smartphone users (mostly coming from other countries) often had to switch the layout by pressing the "option" or "alt" keys to switch between keyboard layouts. Some users even had difficulty finding certain characters on their device.
b) Some people preferred to enter just numbers, others just small letters.
c) Depending on the font (used by an external voucher printing program), users entered wrong characters (O/0; i/L I/L).
I have to say, I have not tested your newest feature "reduced character set"; I will do it soon.
Thank you for the great work you and your team are doing. jakob
Hi Jakob,
I think the latest option (included yesterday) should solve most of the issues, but if it doesn't, I have no problem with decreasing the used character set a bit further to make this a better fix, or maybe converting this option into two states (simple, only lower-case).
Regards,
Ad
Ad, thank you for the positive response.
What do you think about the following grouping?
a) UPPER CASE
b) lower case
c) numbers 273485
Hi Jakob,
I'm not sure about only numbers, chances are quite big to generate the same username twice, which may decrease generation performance a lot.
Only upper or lower case shouldn't be a problem, but I would provide the following options then:
0) default (secure like it was)
1) less secure (update from yesterday, lower+upper case and numbers, without known hard to read chars)
2) less secure, only upper case
3) less secure, only lower case
Which would (in my opinion) solve the mobile issue you mentioned.
Regards,
Ad
maybe this way:
passwords and usernames can contain
[ ] uppercase letters
[ ] lowercase letters
[ ] digits
[ ] special characters
By default, all of them are checked
I'd rather keep the options simpler here and limit the "weak password" option to one selectbox at most.
In my opinion it's easier to understand and read for most users and simply not worth the extra complexity.