OPNsense Forum

Archive => 20.1 Legacy Series => Topic started by: EHRETic on April 11, 2020, 03:44:30 pm

Title: Captive portal not working
Post by: EHRETic on April 11, 2020, 03:44:30 pm
Hi there :)

I am trying to get the Captive Portal with my Guest network to operate. However, the problem is that no clients are automatically forwarded to the login page (iPad, Chrome phone or Windows computer).

I configured it according to the documentation (https://docs.opnsense.org/manual/how-tos/guestnet.html).

What is strange for me is that it was working before (as I'm new to OPNsense & I've started implementation not so long ago, I can't tell exactly when it started not to work anymore). I've configured the base as in the doc, saw it was working and let it there. I've the feeling it was working with 20.1.3 but I can't vouch if 20.1.4 broke the thing.

What is weird, whenever it was redirecting or now (not working anymore), my captive portal is accessible at http://192.168.XXX.1:8001 (not 8000 as I saw almost everywhere). I can't explain why and don't know if it is a config issue.

However, otherwise I just get "server not found" when I try to open any page, no matter if https or http.

Some settings about the setup:
- 2 physical NICs (it's a VM), one is WAN, the other is tagged for all the different subnets (guest, prod, multimedia)
- I'm not using a proxy (for now)
- I'm using Unbound with DNSSEC active
- the captive portal is not using SSL and no hostname is defined.
- DHCP works fine in the guest

I've the feeling from other threads in the forum that tagged interfaces are often linked with issues... is it?

Anyway, I'd like to have some help, so I can also understand better how everything works together.
Thanks in advance ! ;)
Title: Re: Captive portal not working
Post by: EHRETic on April 20, 2020, 02:42:39 pm
Anyone ? :P
Title: Re: Captive portal not working
Post by: tong2x on April 20, 2020, 06:44:38 pm

have you added the 2 firewall "allow" rules?

allow dns
and allow access to captive portal? it should be in the wiki instruction.
Title: Re: Captive portal not working
Post by: tong2x on April 20, 2020, 06:49:59 pm
ok i missed some of your comments..
you mean it was working before?
now it ain't? but disabling captive portal makes your connection work?

then it is probably a corrupt db. you may need to go to shell and follow the instruction to delete the db. it should refresh itself once you re-enable captive portal.

you may want to check logs to verify if db is corrupt
system-log files-back end
there should be a long message about captive portal or any db error, file locked and/or failed read/write

https://forum.opnsense.org/index.php?topic=12843.msg59581#msg59581
Title: Re: Captive portal not working
Post by: Amr on April 21, 2020, 04:00:20 pm
Like tong said, it's important to double-check your firewall rules (make sure the allow rules take precedence, aka are above the deny rules). You can troubleshoot firewall rules by going to Firewall > Log Files > Live View, typing 8001 in the filter (or whatever port you want to filter) and checking whether it's being blocked or denied (red) or allowed (green). You can also use ".*" for an advanced filter, e.g. 192.168.xxx.1.*8001, to see all the rules associated with IP 192.168.xxx.1 on port 8001.

Quote
my captive portal is accessible at http://192.168.XXX.1:8001 (not 8000 as I saw almost everywhere)
this is probably due to captive portal zone number ( 0->8000, 1->8001, etc) you can check which zone your captive portal has by clicking edit and check the zone number (maybe after deleting the test CP it wasn't removed from the cache).

try adding your DNS server in the allowed address in captive portal configuration, I believe some people reported that the CP worked after doing so


Title: Re: Captive portal not working
Post by: EHRETic on April 22, 2020, 04:41:57 pm
First, thanks a lot for your time, I really appreciate. It took me some time to test everything, but here we are! ;)

Quote
ok i missed some of your comments..
you mean it was working before?
now it ain't? but disabling captive portal makes your connection work?

Yes it was working at some point. And no, I can't make it work by disabling the portal. :-\

Quote
Like tong said, it's important to double-check your firewall rules (make sure the allow rules take precedence, aka are above the deny rules). You can troubleshoot firewall rules by going to Firewall > Log Files > Live View, typing 8001 in the filter (or whatever port you want to filter) and checking whether it's being blocked or denied (red) or allowed (green). You can also use ".*" for an advanced filter, e.g. 192.168.xxx.1.*8001, to see all the rules associated with IP 192.168.xxx.1 on port 8001.

Well, I've crosschecked again, except one LAN more I'm blocking, the rest sticks to tutorial.

Quote
my captive portal is accessible at http://192.168.XXX.1:8001 (not 8000 as I saw almost everywhere)
this is probably due to captive portal zone number ( 0->8000, 1->8001, etc) you can check which zone your captive portal has by clicking edit and check the zone number (maybe after deleting the test CP it wasn't removed from the cache).

try adding your DNS server in the allowed address in captive portal configuration, I believe some people reported that the CP worked after doing so

After removing the DB and also recreating the portal from scratch, the new portal comes on 8000 (zone 0).
I've tried to add the DNS server in the allowed addresses, it didn't change the result.

When I look at FW logs, I see an allowed incoming for DHCP address request, an outgoing ICMP to the client and some allowed DNS queries at first connection but nothing is blocked even if everything points out to a non-working DNS resolution.
I've checked that as well, Unbound is linked to all the necessary interfaces (my 2 LANs and the guest), both LAN work fine. So it is still weird, I'm missing something there...

Any clue? Might not be the portal itself after all! ::)
Title: Re: Captive portal not working
Post by: EHRETic on April 23, 2020, 04:34:31 pm
Hi there,

So I've some new info but still no solution! :P
What I can confirm: it is definitely a DNS resolution issue.

What I've tried:
- One rule, full access, no portal but FW as DNS server in DHCP: doesn't work
- Portal standard FW rules, portal activated but Google DNS in DHCP: work fine

Some more info about my setup regarding DNS:
- FW general option DNS servers are the ones from the LAN
- LAN DNS servers are forwarding to the FW. All clients/servers are using them as they are the domain controllers (via DHCP or fixed settings)
- I've Unbound activated on LAN and guest interfaces.
- Unbound settings are the following: DNSSEC activated, transparent, no forward, transparent local zone, standard port 53 and those extra settings:

server:
forward-zone:
    name: "."
    forward-ssl-upstream: yes
    forward-addr: 8.8.8.8@853
    forward-addr: 8.8.4.4@853


I've cross-checked to see whether something would be blocked whenever I try Internet on guest, I see nothing in the firewall logs.

I could use "direct" google DNS servers, but I wanted to have Unbound used for all interfaces.
Any clue ? Would that be a bug ? :o

EDIT: the portal only comes with google DNS ONLY IF I browse a web site that has been resolved before portal activation (so IP already in local DNS cache). If unknown, like after a restart or on a new device, portal doesn't come.
Title: Re: Captive portal not working
Post by: tong2x on April 25, 2020, 08:55:50 am
could check accessing www.neverssl.com as test site


", like after a restart or on a new device, portal doesn't come."
and you can't browse the net?

have you added a DNS allow rule? (Lan -> DNS -> firewall should be allowed)
it should be on top of most rules you have
your clients should also use DHCP, to force them to use your gateway/DNS server/Unbound

also using DHCP without portal... Internet works fine right? for your lan?
Title: Re: Captive portal not working
Post by: EHRETic on April 27, 2020, 04:35:06 pm
Well, for now, update to 20.1.5 did include one Unbound change (I can't figure out if there was a version change), but this fixed the issue.

I'll monitor it and do some further testing. thanks everybody so far! ;)
Title: Re: Captive portal not working
Post by: EHRETic on May 08, 2020, 02:21:41 pm
Monitoring on 20.1.5 was ok, now since 20.1.6 it is not working again ! :o

(So portal OK with manual entry, but not popping up automatically)
Title: Re: Captive portal not working
Post by: Amr on May 09, 2020, 12:33:09 pm
If you want to use unbound as your primary DNS server try forwarding all DNS queries to unbound (this is done through port forwarding and FW rules) and test whether the captive portal will come up automatically or not, and instruct the DHCP client to use your outbound server by specifying the DNS server in the DHCP lease configuration.
Title: Re: Captive portal not working
Post by: tong2x on May 14, 2020, 09:12:53 am
Quote
Monitoring on 20.1.5 was ok, now since 20.1.6 it is not working again ! :o

(So portal OK with manual entry, but not popping up automatically)

mostly manual also in my case

but most smart phones will present a pop signin
not on computers/desktops, rare pops out