Peplink WLAN Captive Portal Configuration


#1

I have an installation of Peplink LB-380 acting as a WLAN Controller for 16x AP One access points. The LB-380 WLAN controller is connected only through LAN interface, where all WAN interfaces are disconnected. All AP One access points are configured with a gateway residing on the same LAN subnet. I have configured the captive portal as suggested by the documentation and support knowledge base, however, it was not working. I have this question: For the Captive Portal feature to work, Is it mandatory that the LB-380 WLAN controller should have Internet access on any of its WAN interfaces? Is it mandatory that the default gateway of all AP One access points should be the LAN IP of the LB-380 WLAN controller? Is there any detailed description on how does a wireless device interact with the Captive Portal (something like communication flow diagram). Our requirement is very simple, whenever a wireless user connects to our network, at first he should be redirected to our web page no matter what was his requested page. Our service will be free, open quota, without login, just redirection to our web page. Thanks in advance!


#2
  1. We don’t necessarily need Internet connection to capture wireless user on their first visit, but if the landing page is on the web then of course we will need Internet for it to be displayed properly.

  2. AP One does not need to point to Balance 380 as default gateway for captive portal to function.

It sounds like an Open Access mode with a custom landing page is all we need. But something else isn’t quite right.

We want to take a look at the diagnostic report via support. Could you please send a copy to us on http://www.peplink.com/contact/support/? Instructions of downloading a diagnostic report is at http://www.peplink.com/index.php?view=faq&id=31


#3

Thank you Kurt.
Does that mean, that when using a custom landing page, the first user session will go through the LB-380 (to connect to the custom landing page)? What about further traffic, will it flow through the default Gateway which is our ISP router, or it also has to pass through the LB-380?
I will take diagnostic report next visit to the site.
I wanted a technical guide on designing Multi AP Multi floor wireless network using the AP One access points. Please advise!


#4

Once a client goes past the captive portal, future Internet traffic will go from AP One directly to default gateway, without passing through Peplink Balance.

We don’t have a bulky paper on WLAN Controller - you know ease of use is one of our main design principles. But we do have a video tutorial at http://www.peplink.com/index.php?view=faq&id=287&path=34 that will walk you through the configuration if that would help.


#5

OK, So I will have to give an Internet feed to the LB-380 on any WAN interface for this scenario to work. I will try that in my next site visit, and if any thing does not work I will send you the diagnostics report.
Thanks


#6

If Peplink Balance is not the default gateway of AP One then we will not need a WAN link on Balance. AP One will send new client to wireless client to Peplink Balance for captive portal but once this is done AP One will send the client to its default gateway (e.g. your ISP router) for landing page and Internet traffic.

So, I guess in your case, we won’t need a WAN link on Balance.


#7

Let me explain more on our setup. The LB-380 WLAN Controller LAN interface is connected to VLAN 500 and has an IP address from the range 10.50.5.x/24. All AP One access points are connected to trunk switch ports and all have the native VLAN as 500 as well as IP addresses from the same range 10.50.5.x/24. We have also configured VLAN 70 as tagged. VLAN 70 connects SSID “Open-Internet” users to the free internet service. Any user who connects to this open SSID will get connected to VLAN 70 where he will acquire IP address from the range 192.168.1.x/24 with default gateway as 192.168.1.1. Security rules on the network block communication between the two VLANs 500 and 70 (traffic between 10.50.5.x and 192.168.1.x is blocked). I configured the LB-380 WLAN Controller for Open Captive Portal and custom landing page on that SSID. On the AP One web configuration I can see that for this SSID, the “Portal” indicates “InControl” where it was before showing “Disabled”. After enabling Captive Portal this way, a new connecting user may face problems getting DHCP address, but even after it gets address, it hangs and cannot communicate (even it cannot ping the default gateway 192.168.1.1). Please advise what changes to be done for this scenario to work for us. Also, a side question: Which country radio settings for AP One will allow for maximum power of 33 (as in the specifications sheet)?


#8

Did you see your AP One units online in Balance’s Dashboard?

Do you have DHCP server on VLAN 70? What is the IP address, Default Gateway, DNS server you will get in the client device?


#9

Yes, All AP One access points appear online on the Peplink LB-380 dashboard. We are configuring the Captive Portal for that SSID from within the LB-380, and then it applies to all AP One access points. Yes we have DHCP on VLAN 70. It will assign the client device IP address from 192.168.1.x/24 range, default gateway= 192.168.1.1 (ISP router), DNS= ISP_DNS.


#10

In your previous post, you said “a new connecting user may face problems getting DHCP address, but even after it gets address”, so, the user can actually get the IP or not?

Also, did you add the subnet 10.50.5.x/24 in “Guest Protect” of “Wireless Network” to block the 192.168.1.0/24 to access 10.50.5.0/24? If it is correct, please try to add the Balance’s IP in “Block Exception”. It is because you enabled the Captive Portal, for all traffic passthrough the AP from your client, it will be redirected to the Portal page which is located in Balance. If the traffic from 192.168.10/24 to 10.50.5.? (Balance’s IP) is blocked, the client cannot land the captive portal page.


#11

Well, it happened twice with two different laptops that after we enabled Captive portal, that the laptops cannot get DHCP. We could not determine is this a problem of the DHCP Server, our laptops or the AP One wireless Access Points, then we assigned static IP address from the range 192.168.1.x on our laptops and tried to ping the gateway 192.168.1.1 but ping failed. We went back and disabled Captive Portal, and everything was back again working normal.
Arises a question: What type of traffic will not be allowed before a user successfully passes the Captive Portal page? Are ping, DHCP allowed before successfully passing the portal?
We did not configure “Guest Protect” nor any security limitation on our wireless, but rather our L3 Core switch is configured with ACL to block traffic between the 192.168.1.x and the 10.50.5.x. The most difficult part of this we are facing is that we do not have a technical reference to troubleshoot this setup and no technical reference to describe the communication flow that works in the Peplink Captive Portal implementation. Our only reference is this forum. So now I understand that we need to allow communication on our L3 switches between the 192.168.1.x users and the Peplink IP address on 10.50.5.x, any thing else to check?


#12

Hi Sabbah,

For my understanding, the problem is not complicated as you’d thought.
Let’s talk about the processes (traffic flow) in order (not meaning I’m right because I think, this is where we discuss our common problems, and that: Peplink’s team will help us checking whether right or not :slight_smile: ):

  1. Client (say: from Laptop) try to associate with one of discovered SSIDs (Open for simplicity).
  2. When associated, Client will try to make DHCP request (broadcast…) then get its IP from some DHCP on the network (in your situation, I’d like to use L3 Switch or Enterprise Server (Windows/Linux) for the sake of central management.
  3. Having IP, Gateway, DNS, Client is now ready for say Surfing. He open Chrome and try Googling. In a second, Peplink jump between and redirect him to its page for Authentication (Captive Portal here). The client the enter his User/PW and “Agree and Login”.
  4. After successful authentication, Peplink will confirm with AP One that - OK, let him go surfing. AP1 then open the gate and Peplink reply the Client with the so-called “landing page” if any. If not, Google Home page will be displayed on its Chrome windows.
  5. Now the client will check mail or whatever you allow.
    Belive me, because I’ve made several demonstrations so far with our 2 demo AP1s.
    I have L3 switch, 2 AP1s, Router… and I’m willing to make a real test again for your scenario following your numbers, ACL…

As you’ve said, you’re stuck in Step-3. Try setting L3 SW as DHCP server and debug DHCP packet/event between SW and Client to find out… Try One SSID at a time. After all, make ACL. (Remember allow any - any at the end (Cisco SW/Router) if neccessary).
Again, you’d better update AP1 to the latest firmware. I’ve experienced badly with r3.1.2 really.
Peplink Balance firmware 5.3.12 or 5.4beta are both good working.

Regards.


#13

Thanks Bao for the suggestion. I agree to allow any to any on ACL of L3 switch first for troubleshooting.

You network diagram should be:

VLAN 70: 192.168.1.0/24 (Guest VLAN)
VLAN 500: 10.50.5.0/24 (Admin VLAN)

Client Laptop/PC -------- AP One ------ Tagged VLAN 70/500 ----- L3 Switch ----- Untagged VLAN 500 ------ Balance 380

Also, I suggest to test the following.

  1. Allow any traffic on your L3 switch.
  2. Configure a switch port with untagged VLAN 70 (guest VLAN), and plug a computer directly to the port to see you can obtain IP 192.168.1.x or not. (Make sure the computer is obtaining IP from DHCP server)
  3. From the computer, ping to default gateway (switch IP) and ping the B380 (10.50.5.?).
  4. If you are unable to ping B380, please make sure you have configure LAN Static Route on B380 (192.168.1.0/24 via 10.50.5.y <- switch IP)
  5. Please plug back the AP One to the switch, make sure the switch are configured properly. (The port should be tagged both VLAN 500 and 70)
  6. Don’t use Captive Portal in this step, associate the computer to the SSID (Make sure the computer is obtaining IP from DHCP server).
  7. From the computer, ping to default gateway (switch IP) and ping the B380 (10.50.5.?).
  8. Turn on Captive Portal.
  9. Associate the computer to the SSID (Make sure the computer is obtaining IP from DHCP server).
  10. You can get the IP address properly if you passed the steps above. (Don’t try ping, as you cannot ping outside the AP before login captive portal)
  11. Perform “arp -a” in “CMD” (command prompt) to see any ARP records of default gateway.
  12. Open the web browser and access any web page, and the captive portal page should be pop out.
  13. After login captive portal, you should able to access anywhere you want.

#14

Thank you Bao and Chung-lai for the prompt response. I guess this thread is becoming the technical reference I was looking for. So before successful authentication, DHCP and ARP will work, but not ping, right? Also, the AP1 will not interfere in any http communication other than directing the client in his first session to the B380, right? After that, B380 will send a redirect to the client to land on the authentication page, and once successfully authenticated, the B380 will direct the client towards the custom landing page. Am I understanding right? I will take care of the inter-VLAN routing part and follow the suggested test plan. I will update you on the results


#15

Hi Bao/Chung-lai
I am trying to setup the captive portal as open (unlimited quota)+landing page. When I click “Preview” (captive portal page customization) a new browser window open with Message asking to agree (Logo image - GIF or JPEG - we uploaded never displays!!). Once I click “Agree”, a new url opens: https://device.pepwave.com:8000/cgi-bin/portal.cgi. Is this normal?


#16

Hi Sabbah,
I recall from my last setup as following:


If everything OK for anything except for Peplink:

  1. You should have your Peplink Online (I’ve found that Captive Portal not work when Peplink is offline - rare case. Lai will help us).
  2. You should use Peplink as Public DNS Server (I mean: If you have Intranet DNS server behind).
    2nd one is IMPORTANT because It will resolve 2 IMPORTANT hosts for you:
    https://captive-portal.peplink.com/login/process.php
    https://device.pepwave.com:8000/cgi-bin/portal.cgi

Regards.


#17

Hi Bao,
Connected Peplink to Internet on WAN1. Put my PC on LAN side, and made my PC Gateway as Peplink LAN IP and DNS Server as Peplink LAN IP. Still, when I go to Preview Custom Captive Portal, on the Terms and Conditions Agree page I am not getting the Logo image. And when I click Agree, it takes me to that link device.pepwave.com:8000 … etc getting Server Not Found. Where is the problem?


#18

Hi Sabbah,
I think Login Page resides in Peplink. So if you like previewing the page, Balance will open it in another window or tab for you - always successfully (like my picture above). If you have not import the logo… AP1’s picture will be chosen.
So I don’t know why balance redirected you to page “device.pepwave.com:8000” - is AP1.
In real case, after authenticated via Balance’s captive portal page, it redirect user to AP1’s page like following order:
- https://captive-portal.peplink.com/ --> Captive Portal page
- https://captive-portal.peplink.com/login/process.php --> Authentication
- https://captive-portal.peplink.com/login/success.php --> Successful Authentication
- https://device.pepwave.com:8000/cgi-bin/portal.cgi --> AP1 (Fast transition)
- To Landing Page if any
I think that’s all you need to know about Balance’s Captive Portal.
Try double check Peplink’s config to find the reason why… ( Just try and test :slight_smile: cause I know you are skilled networker).
Anyway, give me your Balance and AP1 configs, I’ll try to learn more (and find the reason).
(I’ve got some experiences with Pole Point as well - you have to setup PHP webserver to make a captive portal, now it’s built into the Balance already).
Regards.


#19

I have placed the Peplink inline between the clients and the Internet router. Changed all IP addressing of Peplink and AP1s, and changed the SSID VLANs to make this happen. Now Captive portal is working. Logo displays, and Landing Page works (although I feel it is slow and takes time to reach the finish). Now I want to know: How to make the portal work if not inline (Just LB-380 LAN will b e connected)? How to make portal work even if LB-380 is on different subnet than the users? How to get rid of Terms and Conditions Agree page of the captive portal (just redirect the user to the landing page)? and How to make the process more faster?
I have some experience with Captive portals, worked on wifidog long time back. It is not a trivial job.


#20

How do I get the right sidebar back on my personalized Google Homepage? Must have X-d it out by mistake. T U?