I"m still reading here .... trying to figure out.
Last couple of weeks I loaded a Hyper-VM on my 2012 Win server, it has 3 NIC's, so I can simulate and test without disturbing my companie network. Also : I'm using a second PC @home loaded with pfSense (using VM also).
Detail these 2 phrases :
@h2professor said in Captive portal ignoring MACs in latest version and allowing all machines access:
After, with 28:c6:8e:0f:95:9b set to Block
after.txt
I note that the MAC is not found in the second output.
As soon as the captive portal is activated on an interface, everybody (MAC, IP, whatever) is blocked.
Even when you have this :
on the LAN interface.
ipfw takes precedence of the ip firewall. ip being the firewall you set up with the GUI.
When you add a MAC on the MAC tab as a "pass" , this MAC will be part of your table "default_pipe_mac":
02100 145763334 141217081935 pipe tablearg ip from any to any MAC table(default_pipe_mac)
This is a snaphot of your "default_pipe_mac" :
dc:ef:09:9b:a8:c0 any 2671 1155484 1699152753 1560263421
any dc:ef:09:9b:a8:c0 2670 11 0 1560262129
You can see the MAC, the pipe rule numbers 2670 (down) and 2671 (up) and the number of bytes received and send.
These are the related pipe rules 2670 and 2671 :
.....
02670: unlimited 0 ms burst 0
q133742 100 sl. 0 flows (1 buckets) sched 68206 weight 0 lmax 0 pri 0 droptail
sched 68206 type FIFO flags 0x0 16 buckets 0 active
.....
02671: unlimited 0 ms burst 0
q133743 100 sl. 0 flows (1 buckets) sched 68207 weight 0 lmax 0 pri 0 droptail
sched 68207 type FIFO flags 0x0 16 buckets 0 active
...
Both are unlimited pipes.
Btw :
I found one (just 1) speed limiting (half a mega / s )pipe :
02223: 500.000 Kbit/s 0 ms burst 0
q133295 100 sl. 0 flows (1 buckets) sched 67759 weight 0 lmax 0 pri 0 droptail
sched 67759 type FIFO flags 0x0 16 buckets 0 active
Pipe 2223 : so this is device
28:c6:8e:0f:95:9b any 2223 11722 14806366 1560263421
any 28:c6:8e:0f:95:9b 2222 2 0 1560262183
is speed limited - this is the only device I found that was limited speed.
The blocked MAC list : as you might have understand, MAC's that are blocked are not present in the ipfw tables and rules.
When you add a MAC as blocked, it's been put in a list handled by the GUI.
The Captive portal web server, when intercepting a (in your case : http) visitor web browser http requests, are redirected to this page page :
(some conditions have to be met, like this page must is on the same LAN segment as the captive portal - there must be a http web server that can serve the page, etc - it might, it might not. For me, using an iphone, it didn't redirect well )
If no URL, the device is blocked, for any IP, for any port, for any protocol.
But : when a MAC isn't present on the MAC tab, or it's set as a red block, it won't pass.
I advice you to use and old PC to test - make sure there is a second NIC, and setup pfSense for yourself. Although I strongly advise you to use a captive portal on a dedicated - OPT1 - NIC, and leave the LAN for administrative purposes.
When applied the minimal setup as per Netgate's video (there are 3 videos on Youtube, the Netgate channel, take a recent one that handles basic operations) no device can connect, and they will show the default Login when you use a web browser on a visiting device. https restrictions might apply.
Now, when you add ONE MAC as a pass, this device can pass to the net. Right ?
Still, no other device can pass. Right ?
Add another MAC as a pass. It passes right ?
An still, no other devices can pass.
For the fun, add a MAC of a device that you own, as a BLOCK. It can not pass, right ?
And again, other, non listed MAC's still can't pass.
Etc etc.
You could even import your entire "300 MAC" list.
I would do this by exporting the config.xml - then use notepad++ to insert the block of
....
<passthrumac>
<action>pass</action>
<mac>xx:8d:79:91:ec:52</mac>
<bw_up></bw_up>
<bw_down></bw_down>
<descr><![CDATA[Sophie]]></descr>
</passthrumac>
<passthrumac>
<action>pass</action>
<mac>7c:bb:35:f2:a9:0e</mac>
<descr><![CDATA[Serge Nouveau portable]]></descr>
</passthrumac>
.....
in the correct section, and import that file back in again.
Still, unlisted device you own can't pass as they are not part of the list.
I ended up listing all my devices (9) as blocked : they didn't pass.
I removed them from the MAC tab, so not listed as a pass or block : they still didn't pass.
Btw : do not hesitate to reset firewall states. I don't know if it is really needed, but it would harm to reset they all the time, after changes.
My main question is : can you replicate your issue on a barebone system, after a manual minimal setup.
And if so, after which change your issue happens ?
Also : export your
....
<passthrumac>
<action>pass</action>
<mac>xx:8d:79:91:ec:52</mac>
<bw_up></bw_up>
<bw_down></bw_down>
<descr><![CDATA[Sophie]]></descr>
</passthrumac>
<passthrumac>
<action>pass</action>
<mac>bb:bb:35:f2:a9:0e</mac>
<descr><![CDATA[Serge Nouveau portable]]></descr>
</passthrumac>
.....
section, and drop it in here.
Mistify all MAC's be replacing the first byte by placing 'bb', as I did above.
I'll import your list.
I wonder if I see the issue then ...
