Captive portal with multiple routed networks

[verdant]

Hello everyone! I was originally looking for a simple captive portal - no auth, no DHCP, nothing fancy just a splash page with instructions on how to connect to our networks BYOD guest Wifi. OPNSense was the first solution I found that just worked out of the box.

That is it's working well on the network attached to an interface. I'm struggling to get a routed network to work through it, however. I've spent a couple of days troubleshooting and searching these forums (and of the original project's forums, google etc.)

Here's what I know:
Routed clients can access the OPNSense IP address, browse, get to the Captive Portal splash page and even "Agree"  - creating a session. After this, requests just time out. DNS is working - names are resolved. I don't see any blocked traffic from a sample client in the Firewall logs.

Likely the environment is too complicated to get a simple answer, but I would like some help diagnosing. Where can I look to see where this traffic is failing? Is there somewhere I can see the operation of the Captive Portal? Firewall? I have looked at the links from the web GUI, but they don't seem to show anything of interest.

[Tripple_Delta]

My favorite place is /var/log and then do something like #clog -f xxxx.log

[fabian]

this may be a bug - captive portal is using ARP:
https://github.com/opnsense/core/blob/86996d7bf74d7eadcd0879d8edb5aa3d7f807b32/src/opnsense/scripts/OPNsense/CaptivePortal/allow.py#L62
If you are routing the traffic, ARP cannot resolve the IP address. this may be the issue. Can you try an ARP proxy on your router?

[verdant]

Ah! Interesting. I'll look into an ARP proxy. And report back.

I needed a solution sooner, so I just installed another OPNSense instance on that site; which worked well. I wasn't looking forward to managing another eight server/appliances, but at the end of the day it's whatever works!