Bug #11937
open
HAproxy "Use Client-IP" option breaks Captive Portal
Description
Devices can access https sites without authenticating via Captive portal.
Enabling 'Use Client-IP to connect to backend servers.' in HAproxy appears to add rules in ipfw and prevents 3 of the rules from /etc/inc/captiveportal.inc from being created.
Rules from captive portal which failed to get created in ipfw were:
01000 0 0 skipto tablearg ip from any to any via table(cp_ifaces)
01100 315443004 123076915775 allow ip from any to any
65534 0 0 deny ip from any to any
Without the deny rule, all traffic was allowed through except access to port 80, which would still be redirected to the captive portal login page.
Problem not fixed after reboot.
To get it working, I had to remove the option 'Use Client-IP to connect to backend servers.', then delete the rules which haproxy created and add back in the rules from the captiveportal.inc file.
Everything works if I do not re-enable the mentioned haproxy option.
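
A check for the failure described in this report, as an added example that is not part of the original report or of pfSense: it reads `ipfw show` or `ipfw list` output and prints whichever of the three captive portal rules quoted above are absent. The function name and both sample rulesets are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect a captive portal ruleset that has lost the rules
# named in this report. Feed it `ipfw show` or `ipfw list` output on stdin.

# The three rules the report lists as missing (rule number|rule body).
EXPECTED_RULES='01000|skipto tablearg ip from any to any via table(cp_ifaces)
01100|allow ip from any to any
65534|deny ip from any to any'

# Print every expected rule that is absent from the ruleset read on stdin.
missing_cp_rules() {
    ruleset=$(cat)
    printf '%s\n' "$EXPECTED_RULES" | while IFS='|' read -r num body; do
        if ! printf '%s\n' "$ruleset" | awk -v n="$num" -v b="$body" '
            $1 == n {
                line = $0
                sub(/^[0-9]+[ \t]+/, "", line)              # rule number
                sub(/^[0-9]+[ \t]+[0-9]+[ \t]+/, "", line)  # counters (ipfw show)
                sub(/[ \t\r]+$/, "", line)                  # trailing space
                if (line == b) found = 1
            }
            END { exit found ? 0 : 1 }'; then
            printf '%s %s\n' "$num" "$body"
        fi
    done
}

# Constructed sample: ruleset in the broken state (only a default rule left).
SAMPLE_BROKEN='65535 12 3456 allow ip from any to any'

# Constructed sample: ruleset with the three rules quoted in the report.
SAMPLE_OK='01000 0 0 skipto tablearg ip from any to any via table(cp_ifaces)
01100 315443004 123076915775 allow ip from any to any
65534 0 0 deny ip from any to any
65535 12 3456 allow ip from any to any'

echo "Missing in broken sample:"
printf '%s\n' "$SAMPLE_BROKEN" | missing_cp_rules
echo "Missing in healthy sample (none expected):"
printf '%s\n' "$SAMPLE_OK" | missing_cp_rules
```

On a live system the input would come from `ipfw show | missing_cp_rules`; any output means the captive portal is not enforcing authentication as configured.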