OPNsense 25.1.5 - Captive Portal active on all interfaces

Started by willemr, April 10, 2025, 05:32:45 PM

Today I upgraded to OPNsense 25.1.5 (running on dedicated hardware). After the upgrade (and reboot) the captive portal was active on all interfaces, while it was only configured on a guest interface. The only way to remove the portal was to disable it.
Removing the captive portal and recreating it didn't solve the issue. Same for rebooting the system (again).

I can reproduce the issue if someone has any ideas.

Thanks, we are already looking into it.


Cheers,
Franco

I expect NAT reflection is enabled (Firewall: Settings: Advanced) in which case https://github.com/opnsense/core/commit/25b2716325951a7cbd93bc42ca21179f46519c10 is likely the culprit.

To install use the following:

opnsense-patch 25b2716325

Don't forget the filter reload when testing:

# configctl filter reload

After applying the patch and reloading the filter, I was able to get back on my regular LANs now and the portal isn't running/redirecting on all interfaces anymore, but when trying on the interface with the portal, the portal page never comes up / gets redirected.

April 10, 2025, 09:43:11 PM #5 Last Edit: April 10, 2025, 09:58:47 PM by Monviech (Cedrik)
I just happened to test this with my test guest captive portal and my iPhone. It looks like before this patch it still worked with redirection, and after I went to latest master and rebooted the redirection doesn't work anymore.

Though I can manually browse https://172.16.0.254:8000 and the page opens, just no redirect anymore.

I don't have any automatic NAT reflection rules enabled.

EDIT:

I don't see any differences in the rdr rules though from before and after the patch, so could be a different issue on my end and unrelated.

rdr pass on vlan0.3 inet proto tcp from ! <__captiveportal_zone_0> to any port = http -> 127.0.0.1 port 9000
rdr pass on vlan0.3 inet proto tcp from ! <__captiveportal_zone_0> to any port = https -> 127.0.0.1 port 8000

EDIT2:

Looks like it was an iPhone problem, on my Windows laptop the redirection worked in Chrome and Edge after the patch.
Hardware:
DEC740
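
One way to confirm where the portal redirects are bound, using the rdr rule format quoted above (an added example, not part of any post in this thread and not OPNsense's own tooling): the script reads `pfctl -s nat` style text and flags captive portal rdr rules on interfaces other than the expected ones. The second sample and the interface name igb1 are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the interfaces that carry captive portal rdr rules.
# Input on stdin: text in the format printed by `pfctl -s nat`.

# Rules as quoted in the thread: portal bound to the guest VLAN only.
SAMPLE_SCOPED='rdr pass on vlan0.3 inet proto tcp from ! <__captiveportal_zone_0> to any port = http -> 127.0.0.1 port 9000
rdr pass on vlan0.3 inet proto tcp from ! <__captiveportal_zone_0> to any port = https -> 127.0.0.1 port 8000'

# Constructed sample (not output from an affected system): the same rules plus
# one on a second interface (igb1 is a made-up name) and one with no "on" clause.
SAMPLE_WIDE="$SAMPLE_SCOPED
rdr pass on igb1 inet proto tcp from ! <__captiveportal_zone_0> to any port = http -> 127.0.0.1 port 9000
rdr pass inet proto tcp from ! <__captiveportal_zone_0> to any port = https -> 127.0.0.1 port 8000"

# Print each distinct interface that has a portal rdr rule, one per line.
# A rule without "on <if>" applies to every interface and is reported as ALL.
portal_rdr_ifaces() {
    awk '
    $1 == "rdr" && /<__captiveportal_zone_[0-9]+>/ {
        iface = "ALL"
        for (i = 2; i < NF; i++) {
            if ($i == "from") break          # past where an "on" clause can appear
            if ($i == "on") {
                iface = ($(i + 1) == "!") ? ("!" $(i + 2)) : $(i + 1)
                break
            }
        }
        if (!(iface in seen)) { seen[iface] = 1; print iface }
    }'
}

# Usage: pfctl -s nat | check_portal_scope <expected interface>...
# Returns 0 only when every portal rdr rule sits on an expected interface.
check_portal_scope() {
    rc=0
    for iface in $(portal_rdr_ifaces); do
        case " $* " in
            *" $iface "*) ;;
            *) echo "captive portal rdr outside expected scope: $iface" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Demo on the embedded samples; on the firewall, pipe in `pfctl -s nat` instead.
printf '%s\n' "$SAMPLE_SCOPED" | check_portal_scope vlan0.3 && echo "scoped sample: ok"
printf '%s\n' "$SAMPLE_WIDE" | check_portal_scope vlan0.3 || echo "wide sample: flagged"
```

Run it after each upgrade or patch and after `configctl filter reload`, passing the interfaces the portal zone is configured for.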

Applying the patch and reloading the filters did the trick for me.
I got a scare since I'm running it as a VM in Proxmox, but forgot to make a snapshot before upgrade, and my whole network was down. Luckily I was able to ssh into the machine to apply the patch. Thank you!


OPNsense 25.1.5_4 is now available and has a couple more captive portal fixes

On OPNsense 25.1.5_4
using no authentication

the connect button is missing...

Reverting to the default portal,
the connect button shows but throws "login failed".

Should NAT reflection be turned on? And 1-to-1 NAT?

There is an open issue on GitHub:
https://github.com/opnsense/core/issues/8540


A hotfix release was issued as 25.1.5_5:
 o captive portal: missing fix for command line argument parsing in backend