Author Topic: [Captive portal] Can't get to the login page.  (Read 937 times)

Offline wizencrowd

[Captive portal] Can't get to the login page.
« on: January 24, 2018, 01:42:24 am »
Hello

I have a server with pfSense running on it. My captive portal works almost perfectly. The only problem that I'm facing is that I can't get to the login page when I type something in the search bar. If I type "test" and press enter, the page will load forever until it says: "It takes too long to get an answer". But when I type a URL like www.google.com I get to my login page instantly... So I have no clue why it doesn't work.

Thank you

Offline wizencrowd

Re: [Captive portal] Can't get to the login page.
« Reply #1 on: January 30, 2018, 06:42:56 am »
BUMP

Offline Gertjan

Re: [Captive portal] Can't get to the login page.
« Reply #2 on: January 30, 2018, 08:24:19 am »
Hi,

Try this:
Disable your connection to the portal - for example: disable wifi or remove the ethernet cable.
On pfSense: remove all logged-in users.

Now, reconnect wifi or the ethernet cable.
First:
If it is a Windows device: what does this tell you?
Code:
ipconfig /all
Next:
You should know that every "OS on the planet" will pop up a browser. This is valid for most Android devices, all Apple devices, all Microsoft OSes etc. If this didn't happen, you somewhat "broke" your device's setup. What happens (without you seeing it) is this:
(I'm using an Apple device as an example): as soon as the NIC in the device comes up with a good connection and it has received a reply to a DHCP request (IP, gateway, DNS, etc.), it launches a "hidden" HTTP request to "http://captive.apple.com/hotspot-detect.html" - if there is a connection to the Internet (and resolving works (very important)!!) then the return will be "Success" - try for yourself: http://captive.apple.com/hotspot-detect.html.
Every major OS has this functionality on board these days.

When you are connected to a network that operates with a captive portal, the reply will be anything but "Success". In that case the OS decides to launch a browser, or proposes to the user to launch a browser - and repeats the same request. This time human interaction is possible - and that's what the Captive portal is all about.
Now the magic starts to happen: our browser is started with http://captive.apple.com/hotspot-detect.html once more, and our Captive portal sends back .... => the pfSense Captive portal login page!
When posting back this page with the correct user credentials, your device (IP and MAC) will be loaded into the Captive portal firewall, so it becomes transparent for your device.
The browser gets redirected to the original URL, or a built-in URL, and you're online.
Done.

My first question is: why doesn't your device launch a browser for you that permits you to log in? For me, this works every time - and the only thing I do is connect myself to the Captive portal's network. This issue is not related to pfSense whatsoever.
I'm using pfSense (Captive portal) in a hotel, so I have many, many clients who do not know anything about captive portals; they bring along every possible device that exists on earth, and it is very rare that someone comes to see me downstairs to ask why the connection doesn't work. My clients find the login credentials (I indicated them on the login page) and they log in. This has worked very well for nearly a decade now.

Next: Read the first 3 points here: https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting (point 3 doesn't exist anymore ;) ). Most of the time admins really f*ck up their DNS - the captive portal isn't working anymore - and worse, pfSense can't even find its own upgrades and packages anymore. Had they kept the default DNS Resolver, everything would have worked fine.
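As an added example (not code from this thread, from pfSense, or from any OS vendor), here is a small Python client that performs the probe described in the post above the way a captive-portal-aware device does: it resolves the probe host first, fetches the probe URL, and treats anything other than a 200 "Success" answered by the original host as a portal in the way. The probe URL and the "Success" marker are the ones quoted in the post; the classification rules and the names `classify_probe()`, `resolve()` and `probe()` are my own assumptions.

```python
import socket
import urllib.error
import urllib.parse
import urllib.request

# Probe URL and expected marker as described in the post above.
PROBE_URL = "http://captive.apple.com/hotspot-detect.html"
SUCCESS_MARKER = "Success"


def classify_probe(status, final_url, body):
    """Interpret a probe response the way a captive-portal-aware OS does.
    Only a 200 answered by the original probe host with the marker in the
    body means open Internet. A redirect to another host, a login page served
    in place of the probe page, or an HTTP 511 all mean a portal is in the way.
    Returns "online" or "captive_portal".
    """
    probe_host = urllib.parse.urlsplit(PROBE_URL).hostname
    same_host = urllib.parse.urlsplit(final_url).hostname == probe_host
    if status == 200 and same_host and SUCCESS_MARKER in body:
        return "online"
    return "captive_portal"


def resolve(hostname):
    """Return the IPv4 address for hostname, or None if resolution fails."""
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None


def probe(url=PROBE_URL, timeout=5.0):
    """Run the probe from a client; returns (state, detail).
    DNS is checked first: a portal can only intercept a request the client
    was able to send, which is why the advice above starts with DNS.
    """
    host = urllib.parse.urlsplit(url).hostname
    if resolve(host) is None:
        return "no_dns", f"{host} does not resolve; fix DNS before the portal"
    try:
        # urlopen follows 30x redirects, so geturl() is where we really landed
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read(4096).decode("utf-8", "replace")
            state = classify_probe(resp.status, resp.geturl(), body)
            return state, f"HTTP {resp.status} from {resp.geturl()}"
    except urllib.error.HTTPError as err:  # e.g. 511 Network Authentication Required
        body = err.read(4096).decode("utf-8", "replace")
        state = classify_probe(err.code, err.geturl(), body)
        return state, f"HTTP {err.code} from {err.geturl()}"
    except (urllib.error.URLError, OSError) as err:
        return "no_connectivity", f"probe to {host} failed: {err}"
```

Call `probe()` from a client on the portal network: "no_dns" reproduces the broken-resolver case the post warns about, "captive_portal" means the redirect to the login page is working, and "online" means the client is already allowed through.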


Offline johnpoz

Re: [Captive portal] Can't get to the login page.
« Reply #3 on: January 30, 2018, 10:43:29 am »
"Most of the time admin really f*ck up their DNS"

QFT ;) heheheeh... They are so worried about DNS leaks without even a basic understanding of how DNS works to start from...
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.2-RELEASE-p1 (work)
1x SG-4860 2.4.2-RELEASE-p1 (home)

Offline wizencrowd

Re: [Captive portal] Can't get to the login page.
« Reply #4 on: January 31, 2018, 02:39:13 am »
Hi,

I use my captive portal with a switch for LAN connections; wifi is for later. I have read everything you put above and tried it. (Btw, thanks for the clear explanation of everything.) But I can't get it to work. I find it so weird that when I type a URL like (www.google.com, samsung.com, etc.)
I instantly get to my login page, but when I type test or whatever it takes forever and I never get to the login page. Is there something wrong with my DNS resolver? I just enabled it and left the default settings. In the attachments I placed a picture from the DNS resolver with my only host override.

Thanks already, it's for a school project and you guys are saving me!!!
« Last Edit: January 31, 2018, 03:49:17 am by wizencrowd »

Offline Gertjan

Re: [Captive portal] Can't get to the login page.
« Reply #5 on: January 31, 2018, 07:30:32 am »
Again, run this:
Code:
ipconfig /all
on a device you connected to the captive portal network.
Show me the results.

Ping "test-domaine.fr" (and make sure this domain isn't in your local DNS cache) and show the results.
Of course, before authentication against the captive portal there will be no ping reply back, but resolving works.
Example:
C:\Documents and Settings\Gertjan.BUREAU>ping test-domaine.fr

Envoi d'une requête 'ping' sur test-domaine.fr [5.196.43.182] avec 32 octets de données :
.....

Your image:
Is the domain guest.com yours????? If not, you're in trouble.

Do not use the LAN as a captive portal - use a dedicated interface for that. You might pull it off at home, not at a school. LAN is for trusted devices.

And what about this strange IP? 192.168.2.1 should be the IP of the gateway of your captive portal, not some "in the middle of the range IP == 100".
By default 192.168.1.0/24 is LAN, remember?

And when connected to the portal interface, can you resolve?

Did you understand that you do not have to do anything, like typing "test" on any PC, portable, smartphone, pad, whatever - the device should open a browser automatically. This interaction isn't activated by pfSense - it's how things work. Read my explanation again. If your device doesn't do so, you should check your device first.

And why the host override??

Offline wizencrowd

Re: [Captive portal] Can't get to the login page.
« Reply #6 on: February 07, 2018, 01:53:25 am »
This is what I got from my guest PC with ipconfig /all:
Code:
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. Alle rechten voorbehouden.

C:\Users\Cédric>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : DESKTOP-BVILFUI
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : captiveportal.com

Ethernet adapter VirtualBox Host-Only Network:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : VirtualBox Host-Only Ethernet Adapter
   Physical Address. . . . . . . . . : 0A-00-27-00-00-0B
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::3c27:eb32:821d:fd1a%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.56.1(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 403308583
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-21-5D-11-A5-80-C1-6E-F3-E0-C5
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : captiveportal.com
   Description . . . . . . . . . . . : Intel(R) 82579LM Gigabit Network Connection
   Physical Address. . . . . . . . . : 80-C1-6E-F3-E0-C5
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::242d:b758:ed7b:8946%12(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.102(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : woensdag 7 februari 2018 8:34:10
   Lease Expires . . . . . . . . . . : woensdag 7 februari 2018 10:34:09
   Default Gateway . . . . . . . . . : 192.168.1.100
   DHCP Server . . . . . . . . . . . : 192.168.1.100
   DHCPv6 IAID . . . . . . . . . . . : 58769774
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-21-5D-11-A5-80-C1-6E-F3-E0-C5
   DNS Servers . . . . . . . . . . . : 192.168.1.100
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.captiveportal.com:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : captiveportal.com
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{A790479C-BEFB-467D-829C-2399C5193B24}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #4
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:9d38:6abd:453:f4f6:ab3b:cc2f(Preferred)
   Link-local IPv6 Address . . . . . : fe80::453:f4f6:ab3b:cc2f%15(Preferred)
   Default Gateway . . . . . . . . . : ::
   DHCPv6 IAID . . . . . . . . . . . : 520093696
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-21-5D-11-A5-80-C1-6E-F3-E0-C5
   NetBIOS over Tcpip. . . . . . . . : Disabled

This is what I got when I pinged test-domaine.fr.
Code:
C:\Users\Cédric>ping test-domaine.fr

Pinging test-domaine.fr [5.196.43.182] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 5.196.43.182:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)

My image:

The domain Guest.com is not mine, but what can I use then? What do I need to use, since I have no domain?

And about the interface, I don't have extra network ports so I can't assign a new interface. Or can I do it without?

The IP that I filled in on the picture should be my default gateway? I thought it was the IP of my pfSense server (LAN IP).


Thanks already for spending so much time to help with my problem. And I'm sorry if I make stupid mistakes, but it's the first time that I do stuff like this. :)

Offline Gertjan

Re: [Captive portal] Can't get to the login page.
« Reply #7 on: February 07, 2018, 02:18:02 am »
Code:
C:\Users\Cédric>ping test-domaine.fr
Pinging test-domaine.fr [5.196.43.182] with 32 bytes of data:
No replies, that's ok, but DNS works - test-domaine.fr resolved to 5.196.43.182 which is ok.

Not related, but I don't understand why you chose 192.168.1.100 as your pfSense LAN IP. Keep it on 192.168.1.1/24 and only remove it from there if you understand the impact.

What is this:
Code:
Ethernet adapter VirtualBox Host-Only Network?

Code:
Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : captiveportal.com
I guess you do not own this domain either: captiveportal.com
It belongs to someone on the Internet.
Visit System => General Setup and look for "domain" - read carefully what is said there. Name your LAN domain something like "lan.mylocal" - only use a domain name that you own, or one that does not exist on the net.

What are your LAN firewall rules?
WAN settings?
(just copy this screen and/or mention everything you took from default:)
Code:
Using username "admin".
Authenticating with public key "rsa-key-20150201"
Passphrase for key "rsa-key-20150201":
pfSense - Netgate Device ID: 20cc46df89385827e0897

*** Welcome to pfSense 2.4.2-RELEASE-p1 (amd64) on pfsense ***

 WAN (wan)       -> rl0        -> v4/DHCP4: 192.168.10.11/24
 LAN (lan)       -> fxp0       -> v4: 192.168.1.1/24
                                  v6: 2001:470:1f13:5c4:2::1/64
 PORTAL (opt1)   -> sis0       -> v4: 192.168.2.1/24
 HENETV6 (opt2)  -> gif0       -> v6: 2001:470:1f12:5c4::2/128
 OPT3 (opt3)     -> ovpns1     -> v4: 192.168.3.1/24
                                  v6: 2001:470:ccba:2::1/64

 0) Logout (SSH only)                  9) pfTop
 1) Assign Interfaces                 10) Filter Logs
 2) Set interface(s) IP address       11) Restart webConfigurator
 3) Reset webConfigurator password    12) PHP shell + pfSense tools
 4) Reset to factory defaults         13) Update from console
 5) Reboot system                     14) Disable Secure Shell (sshd)
 6) Halt system                       15) Restore recent configuration
 7) Ping host                         16) Restart PHP-FPM
 8) Shell

Enter an option:


You are testing with the default, built-in login portal pages, right?

Btw: I really, really advise you to look for an old unused PC (billions exist) with an extension slot that works.
Slide in a dual NIC card (preferably Intel; a couple of $) - and use the third interface, called OPT1, as the captive portal interface.
You are not working on a home setup, but for a school.
« Last Edit: February 07, 2018, 02:23:32 am by Gertjan »

Offline wizencrowd

Re: [Captive portal] Can't get to the login page.
« Reply #8 on: February 07, 2018, 03:14:25 am »
Thanks for the fast reply

The ethernet adapter VirtualBox thing is just a virtual network card from VirtualBox; it is from a virtual machine.

I changed my LAN domain to lan.mylocal. Do I need to change it in my DNS resolver settings too? Or is there no point in using the resolver?


Here is the screenshot (I don't know how to copy it).

« Last Edit: February 07, 2018, 03:34:17 am by wizencrowd »

Offline Gertjan

Re: [Captive portal] Can't get to the login page.
« Reply #9 on: February 07, 2018, 03:35:47 am »
WAN settings? ("Block private networks and loopback addresses" checked, or not?)

Btw: how do you connect to the console?

Offline wizencrowd

Re: [Captive portal] Can't get to the login page.
« Reply #10 on: February 07, 2018, 03:40:29 am »
Block private networks and loopback addresses is checked.

pfSense is installed on a server; on the server I connected a monitor and keyboard.

Offline Gertjan

Re: [Captive portal] Can't get to the login page.
« Reply #11 on: February 07, 2018, 03:52:38 am »
Block private networks and loopback addresses is checked.
You agree with me that your WAN IP (192.168.5.10/24, probably obtained from an upstream router) IS a "private network IP"?
Better remove that check; your WAN is using a private network.

Offline wizencrowd

Re: [Captive portal] Can't get to the login page.
« Reply #12 on: February 07, 2018, 04:03:20 am »
Ok, I unchecked that. But now I don't know what's wrong... I'm still not getting redirected to the login page. I can't make another interface because I don't have an extra network port. So do I need the resolver or not?

Offline Gertjan

Re: [Captive portal] Can't get to the login page.
« Reply #13 on: February 07, 2018, 06:25:36 am »
Ok, I unchecked that. But now I don't know what's wrong... I'm still not getting redirected to the login page.
Neither do I.

What you should know:
Install a clean pfSense.
Accept the default for LAN.
Assign WAN and set it up. Check connectivity to the Internet. (And yes, by default pfSense expects a WAN IP on the WAN interface; a private IP from an upstream router could work, but... see above.)
Add a "captive portal user" in the local pfSense user manager.
Activate the portal - on LAN should work (the default LAN firewall rule is ok).

At this stage, the captive portal works.
Your system: it isn't ok.

The question is: what more did you change?

I Can't make an other interface because I don't have an extra network port.
There is no rush, but keep in mind that setting up and operating a captive portal (untrusted network) will be easier with a dedicated interface.
It's always advisable to start with easy things, and complicate life afterwards once the basics are understood ;)

So do I need the resolver or not?
pfSense - and your network - need a DNS that works.
The default Resolver is just fine.
For some (special?) scenarios the Forwarder is needed - for example, for those who want to send all DNS traffic to OpenDNS.