New Member
Posts: 6
Registered: 3 weeks ago

Guest portal redirect issue when remotely connecting to Controller


Hi there,

We want to use the captive portal for authorization to access the guest wireless network by vouchers.

UAP used: UAP-AC-LR ver 4.0.15.9872

UniFi Controller: ver 5.9.29

Wireless Network (called Test1) uses WPA-Personal and password.

Authentication: Hotspot

When UAP-AC-LR is in the same network with the UniFi Controller, let's say 172.16.1.0/24, the splash page comes out and prompts immediately for vouchers after connecting to the wireless network. Everything works beautifully. However, when UAP-AC-LR is working in another network (let's say 192.168.1.1/24), remotely connecting to the Controller (which is in the network 172.16.1.0/24), the splash page pops out after connecting to the wireless network but it just shows "This site can't be reached." The redirecting IP is correct and I think DHCP works. So, what is the problem? How to resolve it?

Thanks.

Veteran Member
Posts: 4,833
Registered: ‎06-13-2015
Kudos: 1309
Solutions: 228

Re: Guest portal redirect issue when remotely connecting to Controller

@PhantomXIII Without knowing the exact topology we won’t be able to tell what exactly is going on. I do however think somewhere a firewall is blocking the traffic.

Also make sure the IP address of the controller (with the /32 suffix) is entered in the pre-auth access list.

If you need further help I suggest you share a screenshot of the full Guest Control settings page and details on the network topology.

Art of WiFi
Check out our UniFi API browser tool on GitHub. The PHP API client which it uses, can be found here on GitHub.
The thread on our UniFi Device Search tool can be found here, also check out our Captive Portal solutions for UniFi.
New Member
Posts: 6
Registered: 3 weeks ago

Re: Guest portal redirect issue when remotely connecting to Controller


The UniFi controller is installed on a virtual machine with an IP address 172.16.1.26 and it goes through the firewall (IP - 172.16.1.252) to the Internet.

BTW, controller IP is already put into the pre-authorization access list. In the case of UAP (IP - 192.168.72.113) remotely connecting the Controller (210.10.248.237), after PC (IP - 192.168.72.112) connects to the wireless network Test1 (DHCP allocated IP - 192.168.72.114/24), the guest portal webpage pops out and the redirecting IP is https://210.10.248.237:8880/guest/s/.... But this webpage cannot open, just showing 'This site can't be reached.' Meanwhile we can successfully ping 210.10.248.237 from PC. So I think the traffic is not blocked.

The following is the screenshot of Guest Control setting.

[Attached images: 图片1.png, 图片2.png]

Veteran Member
Posts: 4,833
Registered: ‎06-13-2015
Kudos: 1309
Solutions: 228

Re: Guest portal redirect issue when remotely connecting to Controller

First hunch is that the single IP addresses in the pre-auth access list require the /32 suffix because these fields take CIDR notation.

The fact that you can ping the controller does not prove you should be able to connect through port 8880. Is there a local firewall on the server running the controller?

New Member
Posts: 6
Registered: 3 weeks ago

Re: Guest portal redirect issue when remotely connecting to Controller

Thanks for your insights. I'll try it later and let you know the result.

BTW, the firewall on the server is turned off.

New Member
Posts: 6
Registered: 3 weeks ago

Re: Guest portal redirect issue when remotely connecting to Controller

It didn't work. The redirect page still cannot load.

New Member
Posts: 13
Registered: ‎06-11-2018

Re: Guest portal redirect issue when remotely connecting to Controller


Hello,

From the looks of it, you've not been able to fix this. Since I don't see your firewall rules on the thread, I'm guessing that you do not have 8880 open on your WAN / IN settings. The 210.X.X.X is your public IP, so the Guest Portal will only route to that address so it goes out on your internet connection and back in on your IP to port 8880. I had to go through this when I set mine up as well... Ubiquiti does not make it clear that for some reason it won't point to the guest portal page via the internal IP and will only work on the public IP.

Go to Routing & Firewall -> Port Forwarding. Create a new rule and port forward 8880 to your CloudKey's internal IP. This is for the non-SSL version.

If you want to use HTTPS for your captive portal, you would also port forward 8443 to your CloudKey's internal IP. You can use the self-signed cert that is already on the controller for this or you can buy one from SSL2Buy for $10... there are some steps that have to be taken to upload this cert to the CloudKey as well. Then you would need to check the boxes that say "Redirect Using Hostname", "Use Secure Portal", and "Enable HTTPS Redirection." The last one is used to redirect the user to your portal when they connect to it and try to browse to an already secured (HTTPS) page like Google or Facebook.

1 x Cloud Key Gen2+, 1 x USG-Pro, 1 x 24-Port Switch, 1 x 8-Port Switch w/PoE Passthrough, 3 x AP-AC-Lite
New Member
Posts: 6
Registered: 3 weeks ago

Re: Guest portal redirect issue when remotely connecting to Controller

Thanks for the suggestion. But we don't use a USG for firewall settings. Actually the redirecting page for guest to log in works when UAP and Controller are in the same network. The problem occurs only when UAP and Controller are in different networks. The redirecting page only shows that "This site can't be reached. It took long time for 210.10.248.237 to respond." 

Veteran Member
Posts: 4,833
Registered: ‎06-13-2015
Kudos: 1309
Solutions: 228

Re: Guest portal redirect issue when remotely connecting to Controller


@PhantomXIII wrote:

Thanks for the suggestion. But we don't use a USG for firewall settings. Actually the redirecting page for guest to log in works when UAP and Controller are in the same network. The problem occurs only when UAP and Controller are in different networks. The redirecting page only shows that "This site can't be reached. It took long time for 210.10.248.237 to respond." 


In that case, some other device is blocking access through the ports I mentioned earlier on. It is difficult for us to help if we do not know what is controlling the access between VLANs...

Can you share a network diagram showing the subnets and where the access between VLANs is controlled?

EDIT: my feeling is you are using security controls in the network which you do not understand. That is almost as dangerous as not applying any security controls at all. My 2 cents...

New Member
Posts: 6
Registered: 3 weeks ago

Re: Guest portal redirect issue when remotely connecting to Controller


Actually we don't use any VLANs. There are 4 LANs in our intranet and the controller is in one of them. The following picture is the map of how we set up UAP in the branch outside of the controller's located network. Right now I'm not sure if the firewall blocks the traffic into the controller as we already set a rule to allow it in last time.

[Attached image: example.png]

New Member
Posts: 13
Registered: ‎06-11-2018

Re: Guest portal redirect issue when remotely connecting to Controller

I just did a port scan on 8880, 8843, and 8443 for your Public IP...

First and foremost: 8443 for Remote Access to Unifi is wide open, you should close this and link to unifi.ubnt.com and use the mobile apps.

8880 and 8843 for Captive Portal are not open from the internet which is required for access to the captive portal.

Additionally if the url that is coming up is HTTPS....:8880 there's something wrong already. If using HTTPS it must be port 8843 as 8880 is the HTTP port.

1 x Cloud Key Gen2+, 1 x USG-Pro, 1 x 24-Port Switch, 1 x 8-Port Switch w/PoE Passthrough, 3 x AP-AC-Lite
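
The checks raised across the thread (HTTPS on the HTTP port, pre-auth entries without a CIDR suffix, and ping not proving TCP reachability) can be run together. The following is an added example, not code from any poster or from Ubiquiti; the function names are hypothetical, the addresses are constructed documentation addresses, and the port mapping (8880 for HTTP, 8843 for HTTPS) is the one stated in the thread.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Portal ports as stated in the thread: 8880 = HTTP portal, 8843 = HTTPS portal.
PORTAL_PORTS = {"http": 8880, "https": 8843}


def check_redirect(url, preauth_entries):
    """Return a list of findings for a guest-portal redirect URL (hypothetical helper)."""
    findings = []
    parts = urlsplit(url)
    expected = PORTAL_PORTS.get(parts.scheme)
    if expected is None:
        findings.append(f"unexpected scheme {parts.scheme!r}")
    elif parts.port != expected:
        findings.append(
            f"{parts.scheme} redirect uses port {parts.port}, expected {expected}")
    try:
        host = ipaddress.ip_address(parts.hostname)
    except ValueError:
        findings.append("redirect host is a name; resolve it before checking pre-auth")
        return findings
    networks = []
    for entry in preauth_entries:
        if "/" not in entry:
            findings.append(f"pre-auth entry {entry} lacks a CIDR suffix (use {entry}/32)")
        networks.append(ipaddress.ip_network(entry, strict=False))
    if not any(host in net for net in networks):
        findings.append(f"{host} is not covered by the pre-auth access list")
    return findings


def tcp_reachable(host, port, timeout=3.0):
    """True only if a TCP handshake to host:port completes; a ping reply says nothing about this."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Constructed sample: same URL shape as the redirect reported in the thread.
    sample_url = "https://203.0.113.10:8880/guest/s/default/"
    for finding in check_redirect(sample_url, ["203.0.113.10"]):
        print("FINDING:", finding)
```

Run `tcp_reachable` from a client on the guest SSID against your own controller address and portal port; a `False` result alongside a working ping points at a filter or missing forward for that TCP port rather than at routing.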