HAproxy "Use Client-IP" option breaks Captive Portal
Devices can access https sites without authenticating via Captive portal.
Enabling 'Use Client-IP to connect to backend servers.' in HAproxy appears to add rules in ipfw and prevents 3 of the rules from /etc/inc/captiveportal.inc from being created.
Rules from captive portal which failed to get created in ipfw were:
01000 0 0 skipto tablearg ip from any to any via table(cp_ifaces)
01100 315443004 123076915775 allow ip from any to any
65534 0 0 deny ip from any to any
Without the deny rule, all traffic was allowed through except access to port 80, which would still be redirected to the captive portal login page.
Problem not fixed after reboot.
To get it working, I had to remove the option 'Use Client-IP to connect to backend servers.', then delete the rules which haproxy created and add back the rules from the captiveportal.inc file.
Everything works if I do not re-enable the mentioned haproxy option.
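A check for the condition described in this report, added here as an example and not part of the original post or of pfSense: it reads an ipfw rule listing on stdin and reports which of the three Captive Portal rules quoted above are absent. The function names and the "broken" sample listing are constructed for illustration; the listing is assumed to come from `ipfw show` or `ipfw list`.

```shell
#!/bin/sh
# Added example: verify that the three Captive Portal rules quoted in the
# report are present in an ipfw listing (with or without counter columns).
check_cp_rules() {
    awk '
    BEGIN {
        want["01000"] = "skipto tablearg ip from any to any via table(cp_ifaces)"
        want["01100"] = "allow ip from any to any"
        want["65534"] = "deny ip from any to any"
        missing = 0
    }
    {
        body = $0
        sub(/^[ \t]*[0-9]+[ \t]+/, "", body)          # drop the rule number
        sub(/^[0-9]+[ \t]+[0-9]+[ \t]+/, "", body)    # drop packet/byte counters, if any
        sub(/[ \t\r]+$/, "", body)                    # drop trailing whitespace
        # A rule only counts when both its number and its body match.
        if (($1 in want) && body == want[$1]) seen[$1] = 1
    }
    END {
        n = split("01000 01100 65534", order, " ")
        for (i = 1; i <= n; i++)
            if (!(order[i] in seen)) { print order[i]; missing = 1 }
        exit missing    # 0 = all three present, 1 = at least one absent
    }'
}

# The three rules exactly as listed in the report.
sample_ok() {
cat <<'EOF'
01000 0 0 skipto tablearg ip from any to any via table(cp_ifaces)
01100 315443004 123076915775 allow ip from any to any
65534 0 0 deny ip from any to any
EOF
}

# Constructed stand-in for a listing in which the three rules are absent.
sample_broken() {
cat <<'EOF'
65535 0 0 allow ip from any to any
EOF
}

sample_broken | check_cp_rules | sed 's/^/missing Captive Portal rule: /'
```

A missing 65534 line is the one that matters most: per the report, without that deny rule unauthenticated clients reach everything except port 80.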
Updated by Jim Pingle 3 months ago
- Project changed from pfSense to pfSense Packages
- Subject changed from HAproxy and Captive port to HAproxy "Use Client-IP" option breaks Captive Portal
- Category changed from Captive Portal to haproxy
- Release Notes deleted (
- Affected Version deleted (
That option is almost certainly incompatible with Captive Portal, but if there is a way to make it work, it would have to be fixed in the way HAProxy writes its ipfw rules, not in Captive Portal.