Author Topic: I can't get Captive Portal login page in any browser else Firefox  (Read 7068 times)

Gertjan
Re: I can't get Captive Portal login page in any browser else Firefox
« Reply #15 on: June 14, 2016, 02:54:03 am »
Notice that now, when CP Login is shown successfully, after doing the Login the PC fails to ping external sites (www.google.com) like being blocked.  I checked the CP status and the MAC address of the PC is registered successfully and active. So it should not be blocked.

Your portal interface is on an interface - probably named initially OPTx.

Please list the firewall rules (see GUI this time!) and give us YOUR rules for this interface.
Remember: by default, LAN has ONE rule: let all pass. By default, all other interfaces have ONE hidden rule (the list will be empty): BLOCK ALL.
Do you let in ICMP ? ("in" because it's from the point of view of the interface).

jetberrocal
« Reply #16 on: June 16, 2016, 11:45:55 am »
I do not have OPT interfaces, only LAN and WAN.  I think ICMP is allowed.  When I have CP off I can ping from inside to outside successfully.  With CP on I can ping the pfsense LAN IP.   
« Last Edit: June 16, 2016, 11:51:22 am by jetberrocal »

jetberrocal
« Reply #17 on: June 16, 2016, 12:26:41 pm »
I notice that I can ping the site which triggered the CP Login, but not others.

Example. 
I open the browser (Chrome).  The home page fails to load and does not trigger the CP Login.
I write in the address bar an http address (http://www.jetsystemservices.com).  The CP Login is triggered.
I login successfully and the site is shown.  (External links in the site fail, youtube links)
I go to the command prompt on the browser computer and I can ping the www.jetsystemservices.com site. But I cannot ping other addresses.

It is like CP only allows one address at a time instead of opening all internet.

Gertjan
« Reply #18 on: June 16, 2016, 12:56:34 pm »
....
I Open browser (Chrome).  The home page fails to load and does not trigger the CP Login.
Is this the locally built page that doesn't need any 'internet' access -
or
is this a page like http://www.google.com (and NOT https://www.google.com !!! ) that comes from the net ?

....
I write in the address bar a http address (http://www.jetsystemservices.com).  The CP Login is triggered.
Great !

....I login successfully and the site is shown.  (External links in the site fails, youtube links)
at that moment, go here https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting
and list us your ipfw rules and tables (what is IN these tables)

also, at that moment:
open command prompt
and
ping www.youtube.com

The URL is resolved ?
The ping replies ? (youtube.com might decide not to reply, that's ok)

jetberrocal
« Reply #19 on: June 16, 2016, 02:12:39 pm »
The home page is http://www.google.com

Ping to www.youtube.com does not resolve.

ipfw execution:

ipfw zone list
Currently defined contexts and their members:
2: em1,

ipfw -x 2 table all list
---table(1)---
192.168.56.100/32 mac 08:00:27:e8:c0:b4 2090
---table(2)---
192.168.56.100/32 mac 08:00:27:e8:c0:b4 2091
---table(3)---
192.168.56.1/32 2032
---table(4)---
192.168.56.1/32 2033
---table(100)---
192.168.56.1/32 0

ipfw -x 2 show
65291    0      0 allow pfsync from any to any
65292    0      0 allow carp from any to any
65301   99   3978 allow ip from any to any layer2 mac-type 0x0806,0x8035
65302    0      0 allow ip from any to any layer2 mac-type 0x888e,0x88c7
65303    0      0 allow ip from any to any layer2 mac-type 0x8863,0x8864
65307    0      0 deny ip from any to any layer2 not mac-type 0x0800,0x86dd
65310 2320 166643 allow ip from any to table(100) in
65311 2242 298979 allow ip from table(100) to any out
65312    4   1312 allow ip from any to 255.255.255.255 in
65313    0      0 allow ip from 255.255.255.255 to any out
65314    0      0 pipe tablearg ip from table(3) to any in
65315    0      0 pipe tablearg ip from any to table(4) in
65316    0      0 pipe tablearg ip from table(3) to any out
65317    0      0 pipe tablearg ip from any to table(4) out
65318  671 180692 pipe tablearg ip from table(1) to any in
65319   86  16287 pipe tablearg ip from any to table(2) out
65531 1696  82569 fwd 127.0.0.1,8003 tcp from any to any dst-port 443 in
65532 1927 136541 fwd 127.0.0.1,8002 tcp from any to any dst-port 80 in
65533 2939 379068 allow tcp from any to any out
65534 3112 348052 deny ip from any to any
65535    2    955 allow ip from any to any

jetberrocal
« Reply #20 on: June 20, 2016, 06:16:24 pm »
Now I think it got worse.

I reinstalled pfsense 2.3.1 amd64 from zero, even formatted the HD to make sure no files remained.  Did not install any package. I set the LAN IP static, WAN IP takes IP from Cable modem DHCP.  I turn off DHCP on LAN interface as the LAN side takes the IPs from the Windows Domain DHCP server.

Added CP zone, with Local Authentication.  HTTPS Login unchecked.  Added the pfsense IP at Allowed IP Addresses.

The Win7 computer accesses the internet as if CP is turned off; it is not blocked.


Shell Output - ipfw -x 2 show

65291   0      0 allow pfsync from any to any
65292   0      0 allow carp from any to any
65301  20    776 allow ip from any to any layer2 mac-type 0x0806,0x8035
65302   0      0 allow ip from any to any layer2 mac-type 0x888e,0x88c7
65303   0      0 allow ip from any to any layer2 mac-type 0x8863,0x8864
65307   0      0 deny ip from any to any layer2 not mac-type 0x0800,0x86dd
65310 131  17105 allow ip from any to table(100) in
65311 155  88607 allow ip from table(100) to any out
65312   0      0 allow ip from any to 255.255.255.255 in
65313   0      0 allow ip from 255.255.255.255 to any out
65314 582  80166 pipe tablearg ip from table(3) to any in
65315   0      0 pipe tablearg ip from any to table(4) in
65316   0      0 pipe tablearg ip from table(3) to any out
65317 672 429906 pipe tablearg ip from any to table(4) out
65318   0      0 pipe tablearg ip from table(1) to any in
65319   0      0 pipe tablearg ip from any to table(2) out
65532   0      0 fwd 127.0.0.1,8002 tcp from any to any dst-port 80 in
65533   0      0 allow tcp from any to any out
65534   0      0 deny ip from any to any
65535   0      0 allow ip from any to any


Shell Output - ipfw -x 2 table all list

---table(3)---
192.168.56.0/24 2000
---table(4)---
192.168.56.0/24 2001
---table(100)---
192.168.56.1/32 0

Note: the pfsense IP is 192.168.56.1/24, don't know why table(100) has 192.168.56.1/32

« Last Edit: June 20, 2016, 06:23:53 pm by jetberrocal »
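
An added example, not part of the original posts: it parses the two `ipfw -x 2 table all list` captures from replies #19 and #20 and checks which tables cover a given client address, flagging any entry wider than a single host. Reading tables 3 and 4 as the portal's Allowed IP Addresses list is an assumption based on the post's description; `192.168.56.50` is a constructed client address and the function names are hypothetical.

```python
import ipaddress
import re
# Table listings copied from replies #19 and #20 above.
TABLES_REPLY_19 = """\
---table(1)---
192.168.56.100/32 mac 08:00:27:e8:c0:b4 2090
---table(2)---
192.168.56.100/32 mac 08:00:27:e8:c0:b4 2091
---table(3)---
192.168.56.1/32 2032
---table(4)---
192.168.56.1/32 2033
---table(100)---
192.168.56.1/32 0
"""
TABLES_REPLY_20 = """\
---table(3)---
192.168.56.0/24 2000
---table(4)---
192.168.56.0/24 2001
---table(100)---
192.168.56.1/32 0
"""

def parse_tables(text):
    """Return {table_number: [ip_network, ...]} from 'ipfw table all list' output."""
    tables, entries = {}, None
    for line in text.splitlines():
        header = re.fullmatch(r"-+table\((\d+)\)-+", line.strip())
        if header:
            entries = tables.setdefault(int(header.group(1)), [])
        elif line.strip() and entries is not None:
            entries.append(ipaddress.ip_network(line.split()[0], strict=False))
    return tables

def tables_matching(tables, client_ip):
    """Sorted table numbers whose entries cover client_ip."""
    ip = ipaddress.ip_address(client_ip)
    return sorted(n for n, nets in tables.items() if any(ip in net for net in nets))

def overbroad_entries(tables, max_hosts=1):
    """(table, network) pairs wider than max_hosts addresses: a possible portal bypass."""
    return [(n, str(net)) for n, nets in sorted(tables.items())
            for net in nets if net.num_addresses > max_hosts]

if __name__ == "__main__":
    for label, text in (("reply #19", TABLES_REPLY_19), ("reply #20", TABLES_REPLY_20)):
        t = parse_tables(text)  # 192.168.56.50 below is a constructed, never-logged-in client
        print(label, tables_matching(t, "192.168.56.50"), overbroad_entries(t))
```

In the reply #20 capture every LAN address falls inside `192.168.56.0/24` in tables 3 and 4, which lines up with the non-zero counters on rules 65314 and 65317 and the zero counter on the `fwd` rule 65532 in the same post.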

Gertjan
« Reply #21 on: June 21, 2016, 04:55:46 am »
......
...... I turn off DHCP on LAN interface as the LAN side takes the IPs from the Windows Domain DHCP server.
......

Added CP zone, ...............
STOP.
While you set up your portal settings, read the foot note.

https://forum.pfsense.org/index.php?topic=111737.msg632639#msg632639

( => case solved ;) )

jetberrocal
« Reply #22 on: June 21, 2016, 10:17:17 am »
......
...... I turn off DHCP on LAN interface as the LAN side takes the IPs from the Windows Domain DHCP server.
......

Added CP zone, ...............
STOP.
While you set up your portal settings, read the foot note.

https://forum.pfsense.org/index.php?topic=111737.msg632639#msg632639

( => case solved ;) )

OK.  I thought that there was a possible workaround.

Not being the case, for my needs CP in pfsense is not a viable solution.  In my case as many others, DHCP and primary DNS must be kept on the Windows Domain Controller.

skron
« Reply #23 on: June 22, 2016, 01:34:56 am »
DHCP Relay (and keeping DNS to DC) is not an option?

jetberrocal
« Reply #24 on: June 22, 2016, 11:23:33 am »
DHCP Relay (and keeping DNS to DC) is not an option?

How will I use DHCP Relay?

My DHCP (DC/DNS) server IP is 192.168.56.10 (static, 255.255.255.0)
My pfsense IP is 192.168.56.1 (static, 255.255.255.0) on the LAN side, WAN is DHCP assigned from the cable modem. I do not have any other interface.

jetberrocal
« Reply #25 on: June 24, 2016, 07:53:19 pm »
It happens that I have a client that has a Win Server with AD/DNS but without DHCP because it has a Wifi Router that is doing the DHCP Server role.

So I can turn on DHCP on pfsense and configure the router to use the pfsense's dhcp.

How should I configure the pfsense dhcp to register addresses in the AD/DNS?

Once I get this dhcp running I can turn on CP in pfsense

Derelict
« Reply #26 on: June 24, 2016, 08:13:10 pm »
No idea why you wouldn't just use Windows DHCP in that case.
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESSTM

jetberrocal
« Reply #27 on: June 24, 2016, 08:23:59 pm »
No idea why you wouldn't just use Windows DHCP in that case.

I tried Captive Portal with DHCP in the AD, but it did not work.  Also in this thread I was directed to the note referred to by Gertjan on June 21, 2016, 04:55:46 am, implying that DHCP must be done by pfsense as CP works correctly.

It was suggested to use DHCP relay but I do not know how I could use that for this situation.

jetberrocal
« Reply #28 on: June 24, 2016, 08:44:48 pm »
OH! Still does not work.

I turn dhcp off in the AD server and turn on dhcp on pfsense.  The PC acquired the IP successfully as can be seen on the dhcp leases in pfsense.

But chrome does not call the CP login page.

Derelict
« Reply #29 on: June 25, 2016, 01:47:44 pm »
Is the AD DHCP server in the same subnet as your clients? If not you will have to use DHCP relay to get there and put the proper scope in the DHCP Server.

What happens if you go to http://10.10.10.10/ in chrome?