- Check the External Captive Portal URL configured on Security Mode -> Captive Portal on the interface where the Internal Users are connected.
In this example, FortiAuthenticator is used as the External Captive Portal Server. Confirm that the Authentication Portal URL resolves to the FortiGate WAN IP address and that a VIP is configured to map that traffic to the internal IP of the Captive Portal Server.
VIP Example:
config firewall vip
    edit "VIP External Captive Portal"
        set extip <Public IP the External Captive Portal URL is translated to>
        set mappedip <Internal Captive Portal Server IP>
        set extintf <External Interface>
        set portforward enable
        set extport <Captive Portal Server Port>
        set mappedport <Captive Portal Server Port>
    next
end
Note: Double-check that no other VIP matches the same external IP and external port on the same interface, as the first matching VIP would receive the Captive Portal traffic.
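One way to perform that double-check offline, as an added example that is not part of the original article or any Fortinet tool: parse the `config firewall vip` section of a FortiOS configuration backup and report port-forwarding VIPs that share the same external interface, external IP and external port. The configuration text below is constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in FortiOS backup format (not a real device export).
# The second VIP deliberately overlaps the Captive Portal VIP on wan1:443.
SAMPLE_CONFIG = """
config firewall vip
    edit "VIP External Captive Portal"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set mappedip "192.168.50.20"
        set extport 443
        set mappedport 443
    next
    edit "VIP Old Webmail"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set mappedip "192.168.50.30"
        set extport 443
        set mappedport 8443
    next
end
"""

def parse_vips(config_text):
    """Return {vip_name: {setting: value}} for each entry under 'config firewall vip'."""
    vips, in_vip, current = {}, False, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config firewall vip":
            in_vip = True
        elif in_vip and line == "end":
            in_vip = False
        elif in_vip and line.startswith("edit "):
            current = line[5:].strip().strip('"')
            vips[current] = {}
        elif in_vip and current and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            vips[current][key] = value.strip().strip('"')
        elif in_vip and line == "next":
            current = None
    return vips

def find_extport_conflicts(vips):
    """Group port-forwarding VIPs by (extintf, extip, extport); return groups with more than one VIP.
    1:1 VIPs without port forwarding are skipped here."""
    groups = defaultdict(list)
    for name, s in vips.items():
        if s.get("portforward") == "enable":
            groups[(s.get("extintf"), s.get("extip"), s.get("extport"))].append(name)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}
```

Any non-empty result means two VIPs compete for the same external socket and the Captive Portal redirect may land on the wrong internal server.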
- Create the policies to allow the hair-pinning traffic for the internal users to the Captive Portal Server.
Two policies are necessary to allow the hair-pinning traffic: one to permit traffic from the internal users' subnet to WAN, and another to permit traffic from WAN to the Captive Portal Server.
- Internal LAN to WAN:
Note: Because Captive Portal authentication is in use, this policy must not allow all Internet traffic; otherwise the Captive Portal would be bypassed. Permit traffic only to the public IP that the Captive Portal Redirect URL is translated to.
config firewall policy
    edit <Policy ID>
        set status enable
        set name <Policy Name>
        set srcintf <LAN Users Interface - the interface where the Captive Portal is configured>
        set dstintf <WAN Interface>
        set action accept
        set srcaddr <LAN Users Subnet>
        set dstaddr <Public IP that the Captive Portal Redirect URL is translated to>
        set schedule "always"
        set service "ALL"
        set nat enable
        set comments "Allow access to the Captive Portal from the local subnet"
    next
end
- WAN to Captive Portal Subnet:
Note: This policy uses the VIP that translates the FortiGate public IP to the Captive Portal Server's private IP (DNAT).
config firewall policy
    edit <Policy ID>
        set name "<Policy Name>"
        set srcintf <WAN Interface>
        set dstintf <Captive Portal Server Interface>
        set action accept
        set srcaddr <LAN Users Subnet>
        set dstaddr "VIP External Captive Portal" <----- This is the VIP for the Captive Portal Server.
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set ips-sensor "default"
        set comments "Allow access to the Captive Portal from local subnet"
    next
end
Notice that because the hair-pinning traffic never leaves the FortiGate, the LAN internal users' subnet can be used as the source address of this policy even though the source interface is WAN.
Once the policies for the hair-pinning traffic are in place, create the policies for the users authenticated on the Captive Portal Server; this provides more control and security for the network. If there are issues submitting information on the Captive Portal, or information is not displayed properly, check the Captive Portal configuration: with this setup, FortiGate only performs the redirection and policy enforcement.
See also the General captive portal explanation, flow and troubleshooting.