ilker Aktuna

I added "ip nat Chilli0" to my config on Keenetic router. Then the issue is resolved. I don't understand. Why is this needed ? Shouldn't it be enabled by default ? Also , if I don't add Firewall rule "tcp allow any" to the Guest interface, the user can not get to the UAM server login page. Why ?

Hello, I'm trying to implement a captive portal on a Keenetic router in the guest network. My UAM and RADIUS servers are ready. I've entered the necessary parameters into the captive portal's "my profile" section as follows: UAM_Server: http://192.168.1.40:3990/login UAM_Secret: secret_2024 Radius Server: 192.168.1.40 Radius Secret: radius_secret RADIUS NAS ID: keenetic I'm trying to access it from an Android phone. When I connect to the Guest page, I'm redirected to the login page. There, I only authenticate by clicking the "accept" button. And I see "success" in the logs. 10.1.30.6 - - [21/Feb/2026 23:59:47] "GET /login?res=notyet&uamip=10.1.30.1&uamport=3990&challenge=e2fa752793a8de730eb4daebd27f5992&called=52-FF-20-F8-5D-78&mac=B2-D0-DC-7D-9C-B4&ip=10.1.30.6&nasid=keenetic&sessionid=177171836000000005&userurl=http://play.googleapis.com/generate_204&md=23DA19D9D824E0D449FBFA23DD88F63F HTTP/1.1" 200 - 10.1.30.6 - - [21/Feb/2026 23:59:47] "GET /favicon.ico HTTP/1.1" 404 - 10.1.30.6 - - [21/Feb/2026 23:59:48] "POST /accept HTTP/1.1" 302 - 10.1.30.6 - - [21/Feb/2026 23:59:48] "GET /login?res=success&uamip=10.1.30.1&uamport=3990&called=52-FF-20-F8-5D-78&uid=B2-D0-DC-7D-9C-B4&timeleft=300&mac=B2-D0-DC-7D-9C-B4&ip=10.1.30.6&reply=Welcome&nasid=keenetic&sessionid=177171836000000005&userurl=http://play.googleapis.com/generate_204&md=E50C1463B84B2838B5FF3801A094F6C3 HTTP/1.1" 200 - Then, when I check the router's CLI, I see that the client is connected and packets are being passed through: (config)> show interface Chilli0 chilli host: session-id: 177174301100000003 user: CC-F8-26-D5-00-96 ip: 10.1.30.20 mac: cc:f8:26:d5:00:96 start-time: 178 end-time: 300 idle-time: 0 idle-time-limit: 0 tx-bytes: 37575 tx-bytes-limit: 0 rx-bytes: 19874 rx-bytes-limit: 0 tx-speed: 0 tx-speed-limit: 0 rx-speed: 0 rx-speed-limit: 0 It's receiving the IP address 10.1.30.20. However, the Android client still doesn't see itself as connected and can't access web pages. The "Sign in to the network" warning persists. When I ping 10.1.30.20 from the router: PING 10.1.30.20 (10.1.30.20): 56 data bytes 64 bytes from 10.1.30.20: seq=0 ttl=64 time=79.626 ms 64 bytes from 10.1.30.20: seq=0 ttl=64 time=79.683 ms (DUP!) 64 bytes from 10.1.30.20: seq=1 ttl=64 time=29.208 ms 64 bytes from 10.1.30.20: seq=1 ttl=64 time=29.251 ms (DUP!) 64 bytes from 10.1.30.20: seq=2 ttl=64 time=51.577 ms 64 bytes from 10.1.30.20: seq=2 ttl=64 time=51.641 ms (DUP!) If I close the captive portal and access the site normally as a guest, I get the same IP address (10.1.30.20) and the ping result is correct: PING 10.1.30.20 (10.1.30.20): 56 data bytes 64 bytes from 10.1.30.20: seq=6 ttl=64 time=1135.330 ms 64 bytes from 10.1.30.20: seq=7 ttl=64 time=135.173 ms 64 bytes from 10.1.30.20: seq=8 ttl=64 time=10.261 ms 64 bytes from 10.1.30.20: seq=9 ttl=64 time=5.695 ms 64 bytes from 10.1.30.20: seq=10 ttl=64 time=3.116 ms When I look at the interfaces for the captive portal and the normal guest via the router, I see a difference: When there is no captive portal, the interface name appears as Guest and "link: up". When there is a captive portal, the interface name appears as Chilli0 and "link: down". (config)> show interface Chilli0 id: Chilli0 index: 0 interface-name: Chilli0 type: Chilli description: Guest network traits: Ip traits: Chilli link: down connected: yes state: up mtu: 1500 tx-queue-length: 1000 admin-only: no address: 10.1.30.1 mask: 255.255.255.0 uptime: 35 global: no security-level: protected bridge: interface, link = yes: GigabitEthernet0/Vlan3 interface, link = yes: WifiMaster0/AccessPoint1 interface, link = yes: WifiMaster1/AccessPoint1 uam-auth: 192.168.1.40:3990 max-auth: 1 summary: layer: conf: running ipv4: running ctrl: running (config)> show interface Guest id: Bridge1 index: 1 interface-name: Guest type: Bridge description: Guest network traits: Mac traits: Ethernet traits: Ip traits: Ip6 traits: Supplicant traits: EthernetIp traits: Bridge link: up connected: yes state: up mtu: 1500 tx-queue-length: 0 admin-only: no address: 10.1.30.1 mask: 255.255.255.0 uptime: 421 global: no security-level: protected ipv6: addresses: address: fe80::50ff:20ff:fef8:5d78 prefix-length: 64 proto: KERNEL valid-lifetime: infinite mac: 52:ff:20:f8:5d:78 auth-type: none bridge: interface, link = yes: GigabitEthernet0/Vlan3 interface, link = yes: WifiMaster0/AccessPoint1 interface, link = yes: WifiMaster1/AccessPoint1 summary: layer: conf: running link: running ipv4: disabled ipv6: disabled ctrl: running (config)> Because of this difference, the client connecting through the captive portal cannot access the site. Where is the problem? How can I fix it?