[SOLVED] Captive Portal not working

Started by lukepower, April 09, 2016, 04:13:44 PM

April 09, 2016, 04:13:44 PM Last Edit: April 11, 2016, 11:31:27 AM by franco
Hi guys,

I am trying to enable a captive portal for our guest net (with vouchers), as we will soon get a serious fiber connection and I need to make sure to be able to monitor decently.

Anyway, I followed the steps as described here: https://docs.opnsense.org/manual/how-tos/guestnet.html

I honestly went through everything multiple times, each step again and again, but I still have the problem that, once a device connects to the guest network, it simply can access the net without any problems - no redirection to the portal/login page, no error, nothing.

Maybe somebody has an idea? I have the DNS forwarder enabled, DHCP configured as per the help page... I really dunno what else could be wrong here ...

Version Data:
OPNsense 16.1.9-amd64   
FreeBSD 10.2-RELEASE-p14   
OpenSSL 1.0.2g 1 Mar 2016


Thanks
Lukas

Hi Lukas,

Are you using bridging? If you do, that might explain why this doesn't work. Bridged interfaces have a lot of limitations under FreeBSD.

If that's not the case, can you try to run the following command in a console:


ipfw -aT list


And publish the output here.

Regards,

Ad

Hi Ad,

I am not using bridging, however the Guest WLAN net is on a VLAN tagged interface, maybe that makes a difference?
root@firewall:~ # ipfw -aT list
00100        0           0          0 allow pfsync from any to any
00110        0           0          0 allow carp from any to any
00120        0           0          0 allow ip from any to any layer2 mac-type 0x0806,0x8035
00130        0           0          0 allow ip from any to any layer2 mac-type 0x888e,0x88c7
00140        0           0          0 allow ip from any to any layer2 mac-type 0x8863,0x8864
00150        0           0          0 deny ip from any to any layer2 not mac-type 0x0800,0x86dd
00200        0           0          0 skipto 60000 ip6 from ::1 to any
00201    43990     7722152 1460295070 skipto 60000 ip4 from 127.0.0.0/8 to any
00202        0           0          0 skipto 60000 ip6 from any to ::1
00203        0           0          0 skipto 60000 ip4 from any to 127.0.0.0/8
01002        0           0          0 skipto 60000 udp from any to 192.168.1.1 dst-port 53 keep-state
01002    59161    12614958 1460295082 skipto 60000 ip from any to { 255.255.255.255 or 192.168.1.1 } in
01002    64325    31137438 1460295082 skipto 60000 ip from { 255.255.255.255 or 192.168.1.1 } to any out
01002        0           0          0 skipto 60000 icmp from { 255.255.255.255 or 192.168.1.1 } to any out icmptypes 0
01002        0           0          0 skipto 60000 icmp from any to { 255.255.255.255 or 192.168.1.1 } in icmptypes 8
01003        0           0          0 skipto 60000 udp from any to 192.168.3.1 dst-port 53 keep-state
01003       23       13248 1460292467 skipto 60000 ip from any to { 255.255.255.255 or 192.168.3.1 } in
01003       23        7544 1460292467 skipto 60000 ip from { 255.255.255.255 or 192.168.3.1 } to any out
01003        0           0          0 skipto 60000 icmp from { 255.255.255.255 or 192.168.3.1 } to any out icmptypes 0
01003        0           0          0 skipto 60000 icmp from any to { 255.255.255.255 or 192.168.3.1 } in icmptypes 8
01004     4564      394973 1460295082 skipto 60000 udp from any to 192.168.2.1 dst-port 53 keep-state
01004     1034      343511 1460294983 skipto 60000 ip from any to { 255.255.255.255 or 192.168.2.1 } in
01004     1024      333632 1460294983 skipto 60000 ip from { 255.255.255.255 or 192.168.2.1 } to any out
01004        0           0          0 skipto 60000 icmp from { 255.255.255.255 or 192.168.2.1 } to any out icmptypes 0
01004        0           0          0 skipto 60000 icmp from any to { 255.255.255.255 or 192.168.2.1 } in icmptypes 8
65535 19331415 17473214667 1460295082 allow ip from any to any

April 10, 2016, 03:37:56 PM #3 Last Edit: April 10, 2016, 06:59:32 PM by AdSchellevis
Hi Lukas,

That shouldn't make a difference, but by the look of your ipfw output it seems to be missing your interface selection (which is odd).
Just tried to add a zone to a vlan on my local vm and that seems to be producing the right output.

Can you create a screenshot of your zone settings?

Regards,

Ad
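The check Ad describes above, as an added example that is not part of the original post and is not OPNsense code: it parses `ipfw -aT list` output and reports when no rule selects an interface. It assumes interface selection appears as one of ipfw's `via`, `recv` or `xmit` keywords; the second sample and its interface name `em0_vlan10` are constructed.

```python
import re

# Columns of `ipfw -aT list`: rule number, packets, bytes, last-match epoch, body.
RULE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")
IFACE_KEYWORDS = {"via", "recv", "xmit"}  # ipfw interface-match keywords

# Three lines excerpted from the listing posted in the thread.
SAMPLE_NO_IFACE = """\
00201    43990     7722152 1460295070 skipto 60000 ip4 from 127.0.0.0/8 to any
01004     4564      394973 1460295082 skipto 60000 udp from any to 192.168.2.1 dst-port 53 keep-state
65535 19331415 17473214667 1460295082 allow ip from any to any
"""

# Constructed: same listing plus a hypothetical interface-bound rule.
SAMPLE_WITH_IFACE = SAMPLE_NO_IFACE.replace(
    "65535",
    "05001       12        3456 1460295082 skipto 60000 ip from any to any via em0_vlan10\n65535",
)

def parse_rules(listing):
    """Return one dict per rule line; prompts and blank lines are skipped."""
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        num, pkts, byts, last, body = m.groups()
        rules.append({"num": int(num), "packets": int(pkts),
                      "bytes": int(byts), "last_match": int(last), "body": body})
    return rules

def diagnose(listing):
    """List findings that explain why clients bypass the portal."""
    rules = parse_rules(listing)
    bound = [r for r in rules if IFACE_KEYWORDS & set(r["body"].split())]
    findings = []
    if not bound:
        findings.append("no rule selects an interface")
        last = rules[-1] if rules else None
        if last and last["body"] == "allow ip from any to any" and last["packets"] > 0:
            findings.append("all traffic reaches default allow rule %05d" % last["num"])
    return findings

if __name__ == "__main__":
    for name, text in (("thread excerpt", SAMPLE_NO_IFACE), ("constructed", SAMPLE_WITH_IFACE)):
        print(name, "->", diagnose(text) or "interface-bound rule present")
```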

Hi Ad,

thanks for your help. Do you mean a screenshot of my interfaces?
Like the attached one?

Hi Lukas,

You're welcome :)

No, I mean a screenshot of your defined captive portal zone (Services -> Captive portal -> Administration)

Regards,

Ad


Looks normal, can you apply these settings again? Maybe something changed after applying the captive portal settings.
If that doesn't work, you may have to download your configuration xml and check the values in the captive portal settings.

I reapplied the settings several times, as I also rebooted the firewall and used different mobile devices.
I dunno, maybe there is something wrong with the firewall rules? Like allowing access all the time?

The firewall rules shouldn't affect the captive portal behaviour, so it's probably something different.
If you can share your config, you may send it to me for inspection (ad at project domain), it's probably something small, but it's hard to tell without all the details.


Got it, can you send me the contents of the file /usr/local/etc/ipfw.rules as well?
I have no machine to deploy the config on at the moment, and most settings seem to be ok.

Hi Lukas,

I think I found your problem, can you check if your "EOLO" interface is up? When I install your configuration on a machine over here it fails because it can't set up the pppoe connection for it (which is from here logical, but might very well be your issue as well).

If it isn't up or used, can you try to disable the interface and try again?

Regards,

Ad

Oh interesting...

The EOLO interface is up (see screenshot).

I tried to disable it, in which case I simply have no internet access (neither on the Guest wlan, nor on my internal LAN).

Ok, we're getting close here. I was looking in the wrong direction, one moment  :)