[Solved] Captive Portal not allowing Internet Access

Started by kalteVollmilch, September 12, 2019, 04:08:11 PM

September 12, 2019, 04:08:11 PM Last Edit: September 13, 2019, 01:29:34 PM by kalteVollmilch
Hi all,

I've got a working OPNsense setup, as long as CP is deactivated:
Clients can connect, get an IP address, and can surf the internet.

However, when I activate CP, none of that works anymore (except for DHCP Relay, which works perfectly)

First of all, Name Resolution is no longer working. I've activated Forwarding Mode in Unbound, and set up correct DNS Servers in System -> Settings -> General and deactivated 'Allow DNS server list to be overridden by DHCP/PPP on WAN'. I've also added the DNS Servers under 'Allowed Addresses' in the CP setup, sadly this doesn't seem to change things.

Second, somehow I sometimes manage to reach the Login Page (probably cached DNS), and I can login. After entering username and password, my session shows up in the CP administration page. However, I still have no internet access: When trying to visit a page, I get redirected to the CP login page, with the URL I wanted to visit in the '?redirurl' parameter of the CP url.

I also get no login prompt when connecting to the network


Has anyone an idea about what is going on and what I can do to fix this?
The culprit is probably the Captive Portal, because without it everything is working as expected

Thanks for your help in advance!

The Captive portal doesn't work either for me, I can authenticate the user with username and password or allowed mac address, and on the login page I get only log out but in console I get lighthttpd[pid]: (stat_cache.c 1033) lstat failed for /htdocs/errors/errorcode-400.html No such file or directory.

I suspect this is a regression between 19.7.3 and 19.7.4, and I think I can pinpoint the breaking code commit:

I've had a working OPNsense Captive Portal setup for months now, most recently working on 19.7.3. Then, last night I upgraded to 19.7.4 and Captive Portal broke after the upgrade.

Inspecting the Changelog for 19.7.4, I see: "captive portal: optimise ipfw rule parsing"

Which seems to correspond with this commit that went into 19.7.4: https://github.com/opnsense/core/commit/ffcd85f116efa

I've had to disable the Captive Portal zone in order to get Internet-bound traffic working again. With Captive Portal enabled in 19.7.4, even after signing in on the portal login page, user gets redirected to portal page with "logout" button and traffic still can't egress to the Internet even though their session shows up in the Sessions page.

It looks like after testing, the merge left a line which shouldn't have been there, https://github.com/opnsense/core/commit/2a72b99a9dda11e9daf352d1ae8af3e7bebb26bf

To install on 19.7.4:

opnsense-patch 2a72b99



Since the entries in the ipfw table won't be removed automatically, easiest procedure is to restart the firewall and test again.

Thanks for the quick turn-around on the patch! :)

I can confirm that this fixed the issue, just wrapped up some verification testing on my 19.7.4 setup:


  • I re-enabled Captive Portal and confirmed things were broken again, before patching
  • Applied the patch via opnsense-patch
  • Rebooted, and then confirmed clients were able to authenticate and get to the Internet

I also noted the difference in the "ipfw table all list" output pre- and post-patch, confirming that that looks more correct now with the table entries per IP now pointing to a relevant ipfw rule number.

Pre-patch:
# ipfw table all list
--- table(0), set(0) ---
192.168.12.10/32 0
192.168.12.20/32 0
192.168.12.100/32 0
192.168.12.120/32 0


Patched:
# ipfw table all list
--- table(0), set(0) ---
192.168.12.10/32 30002
192.168.12.20/32 30001
192.168.12.100/32 30003
192.168.12.120/32 30000


P.S. While we're talking about the Captive Portal feature, I've been meaning to submit a patch or make a small request for awhile now: could the portal login page be fixed in the default template where the Enter key would work as a submit action? This works for the main OPNsense admin login screen, but not for the portal login screen. It would let users more quickly submit the form instead of mousing around to click the Login button. I think we're just missing type="submit" in the login button tag?
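
Added example, not part of the original posts: a small shell check for the symptom shown in the pre-patch output above, where every address in the ipfw table carries the value 0 instead of a rule number. The function name and sample data are constructed for illustration, and treating 0 as "broken" is an assumption drawn from the two listings in this thread.

```shell
#!/bin/sh
# check_cp_table (hypothetical helper): reads "ipfw table all list" output
# on stdin, prints every entry whose value is 0, returns 1 if any exist.
check_cp_table() {
    awk '
        /^--- table\(/ {                 # e.g. "--- table(0), set(0) ---"
            table = $2
            sub(/,$/, "", table)         # strip trailing comma -> "table(0)"
            next
        }
        NF == 2 && $1 ~ /\// {           # entry line: "<addr>/<mask> <value>"
            if ($2 == "0") {
                printf "%s %s value=0 (no rule number)\n", table, $1
                bad++
            }
        }
        END { exit (bad > 0) }
    '
}

# Constructed samples, copied from the listings quoted in this thread.
sample_prepatch() {
    cat <<'EOF'
--- table(0), set(0) ---
192.168.12.10/32 0
192.168.12.20/32 0
192.168.12.100/32 0
192.168.12.120/32 0
EOF
}

sample_patched() {
    cat <<'EOF'
--- table(0), set(0) ---
192.168.12.10/32 30002
192.168.12.20/32 30001
192.168.12.100/32 30003
192.168.12.120/32 30000
EOF
}

# Stand-alone run against the constructed samples.
sample_prepatch | check_cp_table || echo "pre-patch sample: entries without a rule number"
sample_patched | check_cp_table && echo "patched sample: all entries carry a rule number"
```

On the firewall itself the same function can be fed live data with `ipfw table all list | check_cp_table`.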

Has been hotfixed just now as 19.7.4_1. Sorry about that.


Cheers,
Franco

After testing, I too can confirm that everything works now.

Thanks to all for the quick reply!


December 17, 2019, 11:39:30 AM #8 Last Edit: December 17, 2019, 01:52:31 PM by amalzz
Hi.. Need urgent support. I am getting the error "lstat failed for: /htdocs/error/errors/errorcode-413.html No such file or directory".

Also some devices have to reconnect with Captive Portal after every 5-10 minutes.

Cheers!

https://imgur.com/a/d57fpdB