pfSense captive portal SSL mode

papdee · November 30, 2020, 10:02am

Not sure which forum to include this but I cannot get the captive portal on pfsense to work in SSL mode via the wifi. It works fine in HTTP mode but HTTPS just returns a blank page. If I connect a notebook to the switch connected to the LAN interface the captive portal works fine in HTTPS mode. So it I figure it must be related to the APs running openwrt and then it must be a DNS issue over wifi connections.

I added hostname portal-login.myofficialdomain.com to point to the pfsense box and SSH in and confirmed it resolves hostname to IP but this didn't seem to fix the HTTPS captive portal giving a blank page over wifi connections.

My setup is SSID1 on VLAN100 and SSID2 on VLAN200 both bridged to LAN interface. All works fine in HTTP mode just HTTPS gives blank page.

mk24 · November 30, 2020, 3:53pm

Don't do that. Placing two VLANs into the same network bridge makes them no longer separate networks.

The guest AP should have a dedicated bridge with proto none from the wifi to the Ethernet VLAN served by the pfsense portal server. This will make the AP transparent to all traffic.

papdee · December 1, 2020, 4:31am

My mistake...my Wifi interfaces are bridged to eth0.x interfaces and not the LAN interface.

It seems I need to use the localize-queries option in DNSmasq to solve my problem.

lleachii · December 1, 2020, 2:18pm

I'm just curious, is an OpenWrt device related to this issue (I can't tell)?

BTW, I'm glad your problem is solved!

papdee · December 2, 2020, 12:38am

I suspect yes. No I haven't fixed the issue yet.

My APs are running openWRT 19.07.2 and my controller is a pfsense box + ansible. All works well and the openWRT AP devices have not yet once failed me. Super stable even under heavy workloads (previous APs would just decide to reset or halt if overloaded. Not sure if that was by chance or by design).

I installed SSL certs on the pfsense box and switched the captive portal to SSL and then disabled the WPA2 on openWRT. However this just gives me a blank page or spinning wheel.

My guess is since SSL requires a FQDN this is not being resolved correctly. The SSIDs run on their own VLAN and my guess is that it receives the DNS records for the pfsense box on VLAN0 instead of VLAN100. So my question is do I try to fix on pfsense side or at the AP side. At this moment I am leaning towards fixing it at the AP side. My last guess is to work on the dnsmasq host file utilizing the localize-queries option. Something I am currently trying to familiarize myself with.

mk24 · December 3, 2020, 12:57pm

The AP(s) should be completely dumb layer 2 bridges(1). Once a client makes a wifi connection(2) it goes directly to the pfsense box on a VLAN on the cable(3). OpenWrt should not be doing any sort of DHCP or DNS on these networks, it's all to be handled by pfsense.

1 I always created a specific bridge named 'vlanN' of proto none to do this. It may work to directly set option network eth0.100 in /etc/config/wireless but you should check with brctl show to confirm that a bridge really was created as intended.

2 which can be an open AP or using WPA2-PSK, since PSK authentication is handled inside hostapd and the wifi driver and doesn't involve the network at all. Or even WPA2-EAP with your RADIUS server in the pfsense box on a different VLAN, though most people would consider logging in to EAP and then a captive portal excessive.

3 Do not try to mix tagged and untagged packets on a port or cable. While working with tagged VLANs, don't have the "mother" interface (eth0 with no VLAN number) in any network.

papdee · December 2, 2020, 2:54am

tks for the advice. will go to netgate forum to discuss how to configure dnsmasq.

papdee · December 3, 2020, 12:57pm

took some time but finally worked it out. I took your advice and just left the openWRT APs as L2 devices. In the pfsense box I needed to add the following in the dns resolver custom parameters field:

localise-queries
addn-hosts=/root/hosts

then create a hosts file in /root with corresponding FQDN to IP. Reboot for settings to take effect.

don't know if you have knowledge of pfsense but it's perilous to modify the system outside of the web interface as pfsense will clear any under-the-hood modifications on next reboot. All config changes must be made through the web interface so trying to match generalized system level advice with the pfsense web interface is always difficult.

tmomas · December 3, 2020, 12:54pm

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

system · December 12, 2020, 6:52pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.