OPNsense Forum

Archive => 16.7 Legacy Series => Topic started by: FSY on September 14, 2016, 10:15:21 am

Title: Captive Portal error 404
Post by: FSY on September 14, 2016, 10:15:21 am
Hello,

I have a problem for using Captive portal with two zones.

I need a zone for the interface "invites" with voucher authentication, and another one for the "collaborateurs" interface with LDAP authentication.
If I enable only one zone (invites or collaborateurs) everything works fine. But if I enable both zones simultaneously, the redirection works (to the right GW) but the Captive Portal HTTP web page is not found. I get the error: HTTP 404 not found.

Is it a zone ID number problem?
The problem is the same one with any template and interfaces.

I'm running the OPNsense 16.7.3 version, FreeBSD 10.3-RELEASE-p7.

I'm testing OPNsense for my diploma work. I'm sorry for my English (I usually speak French). I already thank you for your great work!  :)
Title: Re: Captive Portal error 404
Post by: AdSchellevis on September 14, 2016, 08:39:41 pm
Hi FSY,

Can you share a bit more about your setup? How are the zones connected (which interfaces)? Where do both zones try to redirect you to?
Some information about your network could also help solving the issue.

Best regards,

Ad
Title: Re: Captive Portal error 404
Post by: FSY on September 15, 2016, 08:49:11 am
Hi,

Thank you for your quick reply.

I have 7 interfaces: https://drive.google.com/file/d/0BxmkF1mmi7OzTlFPemR2TXlnMTA/view?usp=sharing

You can see my interfaces config here:

The results with only one interface enabled:

And the problem :

My zones config :

You can see the schemas (layer 2, layer 3), the NICs config, DHCP, etc.: https://drive.google.com/drive/folders/0BxmkF1mmi7OzMEZUOU83aHRLWDg?usp=sharing

The DNS forwarder is disabled.

Best regards,

FSY
Title: Re: Captive Portal error 404
Post by: AdSchellevis on September 15, 2016, 01:28:49 pm
Hi FSY,

OK, odd. Can you execute some commands to gather some more data about the setup?

configured http servers for cp:
Code:
grep "server.port" /var/etc/lighttpd-cp*
grep "url.redi" /var/etc/lighttpd-cp*

running servers:
Code:
ps afx | grep cp-zone

and the ruleset generated by ipfw:
Code:
ipfw show

Best regards,

Ad

Title: Re: Captive Portal error 404
Post by: FSY on September 15, 2016, 03:11:26 pm
configured http servers for cp:
Code:
root@OPNsense_master_siteA:~ # grep "server.port" /var/etc/lighttpd-cp*
/var/etc/lighttpd-cp-zone-0.conf:server.port              = 8000
/var/etc/lighttpd-cp-zone-1.conf:server.port              = 8001
/var/etc/lighttpd-cp-zone-2.conf:server.port              = 8002

root@OPNsense_master_siteA:~ # grep "url.redi" /var/etc/lighttpd-cp*
/var/etc/lighttpd-cp-zone-0.conf:               url.redirect = ( "^(.*)$" => "http://10.1.101.1:8000/index.html?redirurl=%1$1")
/var/etc/lighttpd-cp-zone-0.conf:               url.redirect = ( "^(.*)$" => "http://10.1.101.1:8000/index.html?redirurl=%1$1")
/var/etc/lighttpd-cp-zone-0.conf:               url.redirect = ( "(.*)" => "http://10.1.101.1:8000/index.html?redirurl=%1$1")
/var/etc/lighttpd-cp-zone-1.conf:               url.redirect = ( "^(.*)$" => "http://10.1.104.1:8001/index.html?redirurl=%1$1")
/var/etc/lighttpd-cp-zone-1.conf:               url.redirect = ( "^(.*)$" => "http://10.1.104.1:8001/index.html?redirurl=%1$1")
/var/etc/lighttpd-cp-zone-1.conf:               url.redirect = ( "(.*)" => "http://10.1.104.1:8001/index.html?redirurl=%1$1")
/var/etc/lighttpd-cp-zone-2.conf:               url.redirect = ( "^(.*)$" => "http://10.1.101.1:8002/index.html?redirurl=%1$1")
/var/etc/lighttpd-cp-zone-2.conf:               url.redirect = ( "^(.*)$" => "http://10.1.101.1:8002/index.html?redirurl=%1$1")
/var/etc/lighttpd-cp-zone-2.conf:               url.redirect = ( "(.*)" => "http://10.1.101.1:8002/index.html?redirurl=%1$1")

running servers:
Code:
root@OPNsense_master_siteA:~ # ps afx | grep cp-zone
45043  -  S      0:00.14 /usr/local/sbin/lighttpd -f /var/etc/lighttpd-cp-zone-0.conf
46057  -  S      0:00.14 /usr/local/sbin/lighttpd -f /var/etc/lighttpd-cp-zone-1.conf
38923  0  S+     0:00.00 grep cp-zone

and the ruleset generated by ipfw:
Code:
root@OPNsense_master_siteA:~ # ipfw show
00100       0          0 allow pfsync from any to any
00110       0          0 allow carp from any to any
00120       0          0 allow ip from any to any layer2 mac-type 0x0806,0x8035
00130       0          0 allow ip from any to any layer2 mac-type 0x888e,0x88c7
00140       0          0 allow ip from any to any layer2 mac-type 0x8863,0x8864
00150       0          0 deny ip from any to any layer2 not mac-type 0x0800,0x86dd
00200     498      23904 skipto 60000 ip6 from ::1 to any
00201     200     284272 skipto 60000 ip4 from 127.0.0.0/8 to any
00202       0          0 skipto 60000 ip6 from any to ::1
00203       0          0 skipto 60000 ip4 from any to 127.0.0.0/8
01002       0          0 skipto 60000 udp from any to 10.1.100.1 dst-port 53 keep-state
01002     583      52165 skipto 60000 ip from any to { 255.255.255.255 or 10.1.100.1 } in
01002     986     843938 skipto 60000 ip from { 255.255.255.255 or 10.1.100.1 } to any out
01002       0          0 skipto 60000 icmp from { 255.255.255.255 or 10.1.100.1 } to any out icmptypes 0
01002       0          0 skipto 60000 icmp from any to { 255.255.255.255 or 10.1.100.1 } in icmptypes 8
01003       0          0 skipto 60000 udp from any to 10.1.101.1 dst-port 53 keep-state
01003      35       5861 skipto 60000 ip from any to { 255.255.255.255 or 10.1.101.1 } in
01003      46       6610 skipto 60000 ip from { 255.255.255.255 or 10.1.101.1 } to any out
01003       0          0 skipto 60000 icmp from { 255.255.255.255 or 10.1.101.1 } to any out icmptypes 0
01003       0          0 skipto 60000 icmp from any to { 255.255.255.255 or 10.1.101.1 } in icmptypes 8
01004       0          0 skipto 60000 udp from any to 10.1.102.1 dst-port 53 keep-state
01004       0          0 skipto 60000 ip from any to { 255.255.255.255 or 10.1.102.1 } in
01004       7       2296 skipto 60000 ip from { 255.255.255.255 or 10.1.102.1 } to any out
01004       0          0 skipto 60000 icmp from { 255.255.255.255 or 10.1.102.1 } to any out icmptypes 0
01004       0          0 skipto 60000 icmp from any to { 255.255.255.255 or 10.1.102.1 } in icmptypes 8
01005       0          0 skipto 60000 udp from any to 10.1.103.1 dst-port 53 keep-state
01005       0          0 skipto 60000 ip from any to { 255.255.255.255 or 10.1.103.1 } in
01005       0          0 skipto 60000 ip from { 255.255.255.255 or 10.1.103.1 } to any out
01005       0          0 skipto 60000 icmp from { 255.255.255.255 or 10.1.103.1 } to any out icmptypes 0
01005       0          0 skipto 60000 icmp from any to { 255.255.255.255 or 10.1.103.1 } in icmptypes 8
01006       0          0 skipto 60000 udp from any to 10.1.104.1 dst-port 53 keep-state
01006      26       4867 skipto 60000 ip from any to { 255.255.255.255 or 10.1.104.1 } in
01006      40       7668 skipto 60000 ip from { 255.255.255.255 or 10.1.104.1 } to any out
01006       0          0 skipto 60000 icmp from { 255.255.255.255 or 10.1.104.1 } to any out icmptypes 0
01006       0          0 skipto 60000 icmp from any to { 255.255.255.255 or 10.1.104.1 } in icmptypes 8
01007       0          0 skipto 60000 udp from any to 10.2.0.1 dst-port 53 keep-state
01007       0          0 skipto 60000 ip from any to { 255.255.255.255 or 10.2.0.1 } in
01007       0          0 skipto 60000 ip from { 255.255.255.255 or 10.2.0.1 } to any out
01007       0          0 skipto 60000 icmp from { 255.255.255.255 or 10.2.0.1 } to any out icmptypes 0
01007       0          0 skipto 60000 icmp from any to { 255.255.255.255 or 10.2.0.1 } in icmptypes 8
03000      82       9538 skipto 10001 ip from table(0) to any via em4
03000      82       5733 skipto 10001 ip from any to table(0) via em4
03001       0          0 skipto 11001 ip from table(1) to any via em5
03001       0          0 skipto 11001 ip from any to table(1) via em5
05000      56       3042 fwd 127.0.0.1,8000 tcp from any to any dst-port 443 in via em4
05000       0          0 allow ip from any to any dst-port 443 via em4
05000      32       4949 fwd 127.0.0.1,9000 tcp from any to any dst-port 80 in via em4
05000       0          0 allow ip from any to any dst-port 80 via em4
05001      70       4329 fwd 127.0.0.1,8001 tcp from any to any dst-port 443 in via em5
05001       0          0 allow ip from any to any dst-port 443 via em5
05001      26       4395 fwd 127.0.0.1,9001 tcp from any to any dst-port 80 in via em5
05001       0          0 allow ip from any to any dst-port 80 via em5
06000  239338  237658729 skipto 60000 tcp from any to any out
06002       2        165 skipto 65534 ip from any to any via em4
06003       0          0 skipto 65534 ip from any to any via em5
06199  246912  238432303 skipto 60000 ip from any to any
10001     164      15271 count ip from any to any via em4
10998     164      15271 skipto 30000 ip from any to any via em4
10999       0          0 deny ip from any to any not via em4
11001       0          0 count ip from any to any via em5
11998       0          0 skipto 30000 ip from any to any via em5
11999       0          0 deny ip from any to any not via em5
30000     164      15271 count ip from any to any
30001       0          0 count ip from 192.168.20.224 to any
30001       0          0 count ip from any to 192.168.20.224
30002       0          0 count ip from 10.1.101.103 to any
30002       0          0 count ip from any to 10.1.101.103
30003      82       9538 count ip from 10.1.103.10 to any
30003      82       5733 count ip from any to 10.1.103.10
60000       0          0 return ip from any to any
65533  488787  477302839 allow ip from any to any
65534       2        165 deny ip from any to any
65535 1463531 1254195572 allow ip from any to any

Best regards,

FSY
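A small cross-check of the three outputs above, added here as an example and not something from the thread or from OPNsense itself: it parses the server.port grep, the ps listing and the ipfw fwd rules, then reports zones whose config exists without a running lighttpd, or whose 443 forward does not target the configured port. It assumes, from the posted ruleset only, that the fwd rules are numbered 5000 plus the zone id and that server.port is the port the 443 forward targets; on the posted data it flags zone 2, which has a config file but no running process.

```python
import re

# Sample input: lines copied from the grep, ps and ipfw outputs posted above.
LIGHTTPD_PORTS = """\
/var/etc/lighttpd-cp-zone-0.conf:server.port              = 8000
/var/etc/lighttpd-cp-zone-1.conf:server.port              = 8001
/var/etc/lighttpd-cp-zone-2.conf:server.port              = 8002
"""
PS_OUTPUT = """\
45043  -  S      0:00.14 /usr/local/sbin/lighttpd -f /var/etc/lighttpd-cp-zone-0.conf
46057  -  S      0:00.14 /usr/local/sbin/lighttpd -f /var/etc/lighttpd-cp-zone-1.conf
38923  0  S+     0:00.00 grep cp-zone
"""
IPFW_OUTPUT = """\
05000      56       3042 fwd 127.0.0.1,8000 tcp from any to any dst-port 443 in via em4
05000       0          0 allow ip from any to any dst-port 443 via em4
05000      32       4949 fwd 127.0.0.1,9000 tcp from any to any dst-port 80 in via em4
05001      70       4329 fwd 127.0.0.1,8001 tcp from any to any dst-port 443 in via em5
05001      26       4395 fwd 127.0.0.1,9001 tcp from any to any dst-port 80 in via em5
"""

# rule number, forward target port, matched dst-port, interface of each fwd rule
FWD_RE = re.compile(r"^0*(\d+)\s+\d+\s+\d+\s+fwd 127\.0\.0\.1,(\d+) tcp from any to any "
                    r"dst-port (\d+) in via (\w+)", re.M)

def configured_ports(grep_out):
    """zone id -> server.port, from: grep "server.port" /var/etc/lighttpd-cp*"""
    return {int(z): int(p) for z, p in
            re.findall(r"cp-zone-(\d+)\.conf:server\.port\s*=\s*(\d+)", grep_out)}

def running_zones(ps_out):
    """zone ids that have a lighttpd process started with their zone config"""
    return {int(z) for z in re.findall(r"lighttpd -f \S*cp-zone-(\d+)\.conf", ps_out)}

def fwd_rules(ipfw_out):
    """(rule number, target port, dst-port, interface) for each ipfw fwd rule"""
    return [(int(r), int(t), int(d), i) for r, t, d, i in FWD_RE.findall(ipfw_out)]

def check(grep_out, ps_out, ipfw_out):
    """Cross-check the three outputs; returns a list of human-readable findings."""
    ports, running = configured_ports(grep_out), running_zones(ps_out)
    findings = [f"zone {z}: config listens on {p} but no lighttpd process is running"
                for z, p in sorted(ports.items()) if z not in running]
    for rule, target, dst, iface in fwd_rules(ipfw_out):
        zone = rule - 5000  # assumption: the posted ruleset numbers fwd rules 5000+zone
        if zone not in running:
            findings.append(f"rule {rule} on {iface}: forwards {dst} to {target} but zone {zone} has no running server")
        elif dst == 443 and ports.get(zone) != target:
            findings.append(f"rule {rule} on {iface}: forwards 443 to {target} but zone {zone} server.port is {ports.get(zone)}")
    return findings

if __name__ == "__main__":
    for line in check(LIGHTTPD_PORTS, PS_OUTPUT, IPFW_OUTPUT) or ["no inconsistencies found"]:
        print(line)
```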
Title: Re: Captive Portal error 404
Post by: AdSchellevis on September 15, 2016, 03:56:26 pm
Hi FSY,

It looks like it's removing the login pages here. Can you try this patch?

Code:
opnsense-patch cc18336d


And then apply your settings again.

Best regards,

Ad
Title: Re: Captive Portal error 404
Post by: FSY on September 15, 2016, 06:28:43 pm
My problem is solved! Thank you very much!

Now I have another question: can I enable the transparent proxy on the "Collaborateurs" interface? Because if I do that, the NAT rule will bypass the portal.

Best regards,

FSY
Title: Re: Captive Portal error 404
Post by: AdSchellevis on September 16, 2016, 07:45:15 am
Hi FSY,

Thank you for reporting back.
I've looked at the transparent proxy + CP, but unfortunately that combination doesn't seem to work. The problem is that you can't ignore the packets that ipfw (the firewall CP uses) is forwarding in pf (our main firewall) at the moment.

We should find a way to mark the packets that are being forwarded in ipfw, so we can ignore mangling those packets in pf.
I've created an issue for this: https://github.com/opnsense/core/issues/1189

Best regards,

Ad
Title: Re: Captive Portal error 404
Post by: franco on September 19, 2016, 12:28:19 am
The original problem will be in 16.7.4. The proxy issue investigation is ongoing in FreeBSD kernel territory.
Title: Re: Captive Portal error 404
Post by: franco on September 22, 2016, 06:08:27 pm
Call for testing crosslink... https://forum.opnsense.org/index.php?topic=3704.0