Issue with Captive Portal after Update to 25.1

Started by kozistan, February 04, 2025, 08:59:14 AM

In the previous version of OPNsense (24.7.12), the captive portal functioned as expected. A client would connect to the guest network, and a pop-up window with the login page would automatically open. This worked reliably across all operating systems.

Now, after updating to 25.1, the pop-up does not appear. It can be bypassed by manually entering any web address in a browser, which triggers a redirect to the login page. However, this does not always work consistently. I often have to refresh the page multiple times, disconnect and reconnect to Wi-Fi, or switch browsers to get the login page to appear. This behavior is highly unreliable for a production environment.

Another issue is that I can no longer download templates, neither the default ones nor the custom templates I have added. I haven't changed any settings—this issue only appeared after the update.

Additionally, there has been a long-standing issue with session timeouts. Even if I set Idle timeout to 0 and Hard timeout to 10080 (a week), the settings are not applied. When a client disconnects, they must log in again, despite the timeout settings.

My configuration is entirely standard, and I use both vouchers and an external RADIUS server for authentication. I originally followed the OPNsense documentation when setting it up.

Has anyone else encountered the same problem? Or even better—found a solution?

Found some PHP errors in the OPNsense crash reporter:

[04-Feb-2025 08:43:07 Europe/Prague] Error: Class "OPNsense\CaptivePortal\Api\SanitizeFilter" not found in /usr/local/opnsense/mvc/app/controllers/OPNsense/CaptivePortal/Api/ServiceController.php:91
Stack trace:
#0 /usr/local/opnsense/mvc/app/library/OPNsense/Mvc/Dispatcher.php(166): OPNsense\CaptivePortal\Api\ServiceController->getTemplateAction('6502116055eda')
#1 /usr/local/opnsense/mvc/app/library/OPNsense/Mvc/Router.php(156): OPNsense\Mvc\Dispatcher->dispatch(Object(OPNsense\Mvc\Request), Object(OPNsense\Mvc\Response), Object(OPNsense\Mvc\Session))
#2 /usr/local/opnsense/mvc/app/library/OPNsense/Mvc/Router.php(139): OPNsense\Mvc\Router->performRequest(Object(OPNsense\Mvc\Dispatcher))
#3 /usr/local/opnsense/www/api.php(36): OPNsense\Mvc\Router->routeRequest('/api/captivepor...', Array)
#4 {main}
[04-Feb-2025 08:43:16 Europe/Prague] Error: Class "OPNsense\CaptivePortal\Api\SanitizeFilter" not found in /usr/local/opnsense/mvc/app/controllers/OPNsense/CaptivePortal/Api/ServiceController.php:91
Stack trace:
#0 /usr/local/opnsense/mvc/app/library/OPNsense/Mvc/Dispatcher.php(166): OPNsense\CaptivePortal\Api\ServiceController->getTemplateAction('645e023ccc36e')
#1 /usr/local/opnsense/mvc/app/library/OPNsense/Mvc/Router.php(156): OPNsense\Mvc\Dispatcher->dispatch(Object(OPNsense\Mvc\Request), Object(OPNsense\Mvc\Response), Object(OPNsense\Mvc\Session))
#2 /usr/local/opnsense/mvc/app/library/OPNsense/Mvc/Router.php(139): OPNsense\Mvc\Router->performRequest(Object(OPNsense\Mvc\Dispatcher))
#3 /usr/local/opnsense/www/api.php(36): OPNsense\Mvc\Router->routeRequest('/api/captivepor...', Array)
#4 {main}
[04-Feb-2025 08:43:32 Europe/Prague] Error: Class "OPNsense\CaptivePortal\Api\SanitizeFilter" not found in /usr/local/opnsense/mvc/app/controllers/OPNsense/CaptivePortal/Api/ServiceController.php:91
Stack trace:
#0 /usr/local/opnsense/mvc/app/library/OPNsense/Mvc/Dispatcher.php(166): OPNsense\CaptivePortal\Api\ServiceController->getTemplateAction('649155181b691')
#1 /usr/local/opnsense/mvc/app/library/OPNsense/Mvc/Router.php(156): OPNsense\Mvc\Dispatcher->dispatch(Object(OPNsense\Mvc\Request), Object(OPNsense\Mvc\Response), Object(OPNsense\Mvc\Session))
#2 /usr/local/opnsense/mvc/app/library/OPNsense/Mvc/Router.php(139): OPNsense\Mvc\Router->performRequest(Object(OPNsense\Mvc\Dispatcher))
#3 /usr/local/opnsense/www/api.php(36): OPNsense\Mvc\Router->routeRequest('/api/captivepor...', Array)
#4 {main}
[04-Feb-2025 08:43:42 Europe/Prague] Error: Class "OPNsense\CaptivePortal\Api\SanitizeFilter" not found in /usr/local/opnsense/mvc/app/controllers/OPNsense/CaptivePortal/Api/ServiceController.php:91
Stack trace:
#0 /usr/local/opnsense/mvc/app/library/OPNsense/Mvc/Dispatcher.php(166): OPNsense\CaptivePortal\Api\ServiceController->getTemplateAction('669993b1037dc')
#1 /usr/local/opnsense/mvc/app/library/OPNsense/Mvc/Router.php(156): OPNsense\Mvc\Dispatcher->dispatch(Object(OPNsense\Mvc\Request), Object(OPNsense\Mvc\Response), Object(OPNsense\Mvc\Session))
#2 /usr/local/opnsense/mvc/app/library/OPNsense/Mvc/Router.php(139): OPNsense\Mvc\Router->performRequest(Object(OPNsense\Mvc\Dispatcher))
#3 /usr/local/opnsense/www/api.php(36): OPNsense\Mvc\Router->routeRequest('/api/captivepor...', Array)
#4 {main}


Thanks for the patch franco, confirming - no issues so far.

Thanks for confirming. I'll add this to 25.1.1.


Cheers,
Franco

Hello Franco!
I have a DEC850, Business subscription.
Today I've upgraded the firewall from 24.10.1 to the latest 24.10.2.
The upgrade process completed without errors, but...

The first problem: I don't have the os-tailscale on Plugins section and also other new plugins added with the latest 24.10.2
The second problem: when I run an audit for connectivity, I receive this log:

***GOT REQUEST TO AUDIT CONNECTIVITY***
Currently running OPNsense 24.10.2 (amd64) at Wed Feb  5 00:47:39 CET 2025
Strict TLS 1.3 and CRL checking is enabled.
Checking connectivity for host: opnsense-update.deciso.com -> 89.149.211.205
PING 89.149.211.205 (89.149.211.205): 1500 data bytes
1508 bytes from 89.149.211.205: icmp_seq=0 ttl=52 time=40.363 ms
1508 bytes from 89.149.211.205: icmp_seq=1 ttl=52 time=40.109 ms
1508 bytes from 89.149.211.205: icmp_seq=2 ttl=52 time=40.930 ms
1508 bytes from 89.149.211.205: icmp_seq=3 ttl=52 time=40.262 ms

--- 89.149.211.205 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 40.109/40.416/40.930/0.310 ms
Checking connectivity for repository (IPv4): https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/24.10
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 874 packages processed.
Updating SunnyValley repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: ... done
Processing entries: ....... done
SunnyValley repository update completed. 66 packages processed.
All repositories are up to date.
Checking connectivity for host: opnsense-update.deciso.com -> 2001:1af8:4f00:a005:5::
ping: UDP connect: No route to host
Checking connectivity for repository (IPv6): https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/24.10
Updating OPNsense repository catalogue...
pkg: https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/24.10/latest/meta.txz: No route to host
repository OPNsense has no meta file, using default settings
pkg: https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/24.10/latest/packagesite.pkg: No route to host
pkg: https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/24.10/latest/packagesite.txz: No route to host
Unable to update repository OPNsense
Updating SunnyValley repository catalogue...
pkg: https://updates.zenarmor.com/opnsense/FreeBSD:14:amd64/24.7/${SUBSCRIPTION}/meta.txz: No route to host
repository SunnyValley has no meta file, using default settings
pkg: https://updates.zenarmor.com/opnsense/FreeBSD:14:amd64/24.7/${SUBSCRIPTION}/packagesite.pkg: No route to host
pkg: https://updates.zenarmor.com/opnsense/FreeBSD:14:amd64/24.7/${SUBSCRIPTION}/packagesite.txz: No route to host
Unable to update repository SunnyValley
Error updating repositories!
Checking server certificate for host: opnsense-update.deciso.com
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G3
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL TLS ECC CA G1
verify return:1
depth=0 CN = opnsense-update.deciso.com
verify return:1
DONE
Checking server certificate for host: updates.zenarmor.com
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R4
verify return:1
depth=1 C = US, O = Google Trust Services, CN = WE1
verify return:1
depth=0 CN = zenarmor.com
verify return:1
DONE
***DONE***


What is the problem?

> The first problem: I don't have the os-tailscale on Plugins section and also other new plugins added with the latest 24.10.2

I can see there is an issue with tailscale missing and I will fix this in a few minutes.

I have no idea what "and also other new plugins added with the latest 24.10.2" means since tailscale was the only new plugin.

> The second problem: when I run an audit for connectivity, I receive this log:

Your IPv6 isn't working which can be normal...  The audit will be able to detect it, but that's all that it means most of the time.

I would like to mention that this is neither the forum nor the right thread to report this though.  ;)



Cheers,
Franco

Thanks for the reply, Franco.
Having an official DEC850 device with OPNsense, I would like to know which would be the correct forum to report problems and any discussions related to OPNsense. I thought I was in the correct forum. I made a mistake in the thread, and I apologize, but I think the forum is correct.

I'm back. Template downloading is working again, so the patch helped, but the issue with redirecting is still ongoing.
After a day of testing and troubleshooting the redirection issue, I haven't been able to find a solution. However, I can share my observations:

   •   Captive Portal is running and can be manually accessed via https://captive.domain.name:8000, certs are ok.
   •   After connecting to the network, the login page does not appear automatically – the user must manually enter a URL to be redirected.
   •   Both HTTP and HTTPS behave the same way, switching Captive Portal to pure HTTP does not solve the issue.
   •   Testing with http://captive.apple.com only works once
           •   The first time I enter this URL, I am redirected to the Captive Portal.
           •   If I enter it again (without restarting the client), no redirection occurs.
   •   Entering the same address twice in a row does not return the user to the Captive Portal.

Any idea?

February 08, 2025, 12:15:32 AM #9 Last Edit: February 08, 2025, 08:42:52 PM by allan
I am also having trouble with my captive portal under 25.1. I use "Enforce Local Group" to lock down access to a specific group, but the portal denies the logins; I've double-checked my credentials. What group privileges should I enable to allow access? I tried "All pages" as a test but it did not work.

As for the captive portal pop up, I ran tcpdump against my iOS connection. It got the HTTP 302 and connected to the portal with TLS1.2. I then see:

Alert (Level: Fatal, Description: Protocol Version)
This is the server response after Client Hello. It seems lighttpd no longer accepts TLS1.2 and requires TLS1.3 to connect.

Edit: Opened GitHub Issue 8300 for the TLS version.
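
The check described in the post above (which TLS versions the client offered, and what the server's alert says) can be done directly on captured bytes. This is an added example, not code from the thread or from OPNsense; the function names and the sample ClientHello and alert bytes are constructed for illustration.

```python
import struct

ALERT_LEVEL = {1: "warning", 2: "fatal"}
ALERT_DESC = {40: "handshake_failure", 70: "protocol_version"}
VERSION = {0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2", 0x0304: "TLS1.3"}

def records(stream):
    """Split captured TCP payload bytes into (content_type, payload) TLS records."""
    pos = 0
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        if pos + 5 + length > len(stream):
            break  # truncated capture
        yield ctype, stream[pos + 5:pos + 5 + length]
        pos += 5 + length

def offered_versions(hello):
    """Versions a ClientHello offers: supported_versions if present, else legacy_version."""
    legacy = struct.unpack_from("!H", hello, 4)[0]       # after 4-byte handshake header
    pos = 4 + 2 + 32                                     # header, legacy_version, random
    pos += 1 + hello[pos]                                # session_id
    pos += 2 + struct.unpack_from("!H", hello, pos)[0]   # cipher_suites
    pos += 1 + hello[pos]                                # compression_methods
    if pos + 2 <= len(hello):                            # extensions block present
        end = pos + 2 + struct.unpack_from("!H", hello, pos)[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", hello, pos)
            body = hello[pos + 4:pos + 4 + ext_len]
            if ext_type == 43:                           # supported_versions
                return [VERSION.get(v, hex(v)) for (v,) in struct.iter_unpack("!H", body[1:1 + body[0]])]
            pos += 4 + ext_len
    return [VERSION.get(legacy, hex(legacy))]

def diagnose(client_bytes, server_bytes):
    """Return (versions the client offered, alert level, alert description)."""
    offered = [v for t, p in records(client_bytes) if t == 22 and p[:1] == b"\x01" for v in offered_versions(p)]
    for ctype, payload in records(server_bytes):
        if ctype == 21 and len(payload) == 2:            # plaintext alert record
            return offered, ALERT_LEVEL.get(payload[0], "?"), ALERT_DESC.get(payload[1], str(payload[1]))
    return offered, None, None

def sample_client_hello(extensions=b""):
    """Constructed ClientHello record (not taken from the thread's capture)."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00" + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake

SAMPLE_ALERT = bytes.fromhex("15030300020246")           # constructed: fatal(2), protocol_version(70)
```

A result of `(['TLS1.2'], 'fatal', 'protocol_version')` means the client offered nothing newer than TLS 1.2 and the server refused on version alone, which points at the server's minimum-version setting rather than at certificates or cipher suites.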