Troubleshooting Captive Portal¶

This section contains troubleshooting tips for the most common problem with captive portal.

Authentication failures¶

Authentication failures are normally the result of users entering an incorrect username or password. In the case of RADIUS authentication, these can occur because of connectivity problems to the configured RADIUS server(s), or problems on the RADIUS server itself. Check the RADIUS server logs for indications of why access was denied, and ensure the firewall can communicate with the RADIUS server.

For local users, if the option to require the Captive Portal login privilege is enabled, ensure the users have the privilege directly or are members of a group with the privilege.

Captive Portal Does not Redirect¶

If clients are not being redirected to the portal page when attempting to browse on an interface with captive portal enabled, it’s most always one of the following causes:

DNS resolution not functioning: Clients on the captive portal interface must either be using the DNS resolver or forwarder on pfSense® software, on the IP address of the interface where the client resides (which is the default configuration), or if using another IP address for DNS, it must be in an allowed IP address entry. If DNS fails, the browser never issues the HTTP request, hence it cannot be intercepted and redirected.
Firewall rules on the captive portal interface do not allow the initial HTTP request: If the user is trying to browse to google.com, but HTTP connections are not allowed to google.com, the HTTP request will be blocked and hence cannot be redirected. Under Firewall > Rules, on the interface where captive portal is enabled, the traffic to be redirected must be allowed to pass. This is most commonly HTTP to any destination.
The client has an HTTPS home page: The request must be to an HTTP site in order for the portal to redirect the client. If HTTPS is enabled for the portal, this may still work but it depends upon the client browser or operating system automatic portal detection to work.

Apple devices are unable to load the portal page or login¶

Certain versions of Safari on iOS do not properly handle the login form for the Captive Portal page. The most common resolution is to disable autofill for forms in Safari on iOS.

In some cases, Apple devices will not automatically prompt for a Captive Portal login or test for its presence if the wireless network uses encryption. In these cases, manually open a browser and navigate to an HTTP site to get the login redirect.

There have also been reports that on older version of OS X, a Mac would refuse to load any HTTPS sites, including an HTTPS portal, until it could load a CRL and OSCP URL for the certificate. This has been fixed in current versions of OS X.

Some users have had to add www.apple.com to their allowed hostnames so that Apple’s call to their test page succeeds.

Port Forwards Behind Portal Only Work When Target Logs In¶

This is a side effect of how the portal operates. No traffic is allowed to reach a host behind the portal unless it has been authenticated or passed through the portal. If a port forward must always work to a device behind the portal, then it must be setup to bypass the portal with either a Pass-through MAC entry (MAC Address Control) or an Allowed IP Address entry (Allowed IP Address) to allow traffic To the target.

Captive Portal Rules¶

Captive Portal uses ipfw under the hood. ipfw is a program performing packet filtering. When having issues with the captive portal, it is possible to list ipfw rules for debugging.

To list all ipfw rules, which includes rules for Captive Portal in general as well as zone specific tables, run:

# ipfw show

IPFW Tables¶

Show all tables:

# ipfw table all list

The <name>_auth_up table holds authenticated/allowed clients for a zone. This table allow traffic from clients to enter the interface. For example, a zone called “myzone” would contain this table:

# ipfw table myzone_auth_up list

The <name>_auth_down table holds authenticated/allowed clients for a zone. This table allow traffic to clients to exit the interface. For example, a zone called “myzone” would contain this table:

# ipfw table myzone_auth_down list

See /etc/inc/captiveportal.inc for information on other tables, these include tables for host/MAC bypass entries and other necessary controls.