Netgate Discussion Forum
    MAC Passthrough

    Category: Captive Portal
    23 Posts 5 Posters 4.1k Views
    • W
      WorldDrknss @leofox
      last edited by

      @leofox I might just go back to 2.5.2 where Captive Portal worked, or just wait a few releases and see if they figure out the issue. CP isn't that huge of a deal for me as I was just using it as a secondary security option to port security.

      1 Reply Last reply Reply Quote 0
      • GertjanG
        Gertjan @WorldDrknss
        last edited by Gertjan

        @worlddrknss

        Did you do a ping test while watching the "bytes counters"?
        Was the final block rule - line 65534 - incrementing?
        The xxxxx_pipe_mac table content: your MAC, were the counters incrementing?
        Another line?

        edit :

        Look at the last line :

        65535        0           0 allow ip from any to any
        

        This is a "pass all traffic line".

        What happens when you place the same line at position 1, like

        ipfw add 1 allow ip from any to any
        

        Now the entire captive portal "ipfw" should be transparent as everything passes right at the start ?

        Try also other positions. Did the rule go hit/matched ?

        Btw: if a rule like "02108" exists, you can create a second "02108".
        But when you delete "02108", you delete them both. Just restart the portal to recreate all the rules.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        W 1 Reply Last reply Reply Quote 0
        • W
          WorldDrknss @Gertjan
          last edited by

          @gertjan

          Adding the following (excluding the Administrator Network):
          [image: 60d0d925-bd8a-4018-9ff7-039c87960641-image.png]
          fixed the internal ping issues, but ping over the internet is still being blocked, e.g. google, msn, yahoo, etc.

          W 1 Reply Last reply Reply Quote 0
          • W
            WorldDrknss @WorldDrknss
            last edited by

            This is related to: https://forum.netgate.com/topic/169879/udp-icmp-is-not-working-after-upgrade-to-2-6-0/2 and https://redmine.pfsense.org/issues/12834

            1 Reply Last reply Reply Quote 1
            • L
              leofox
              last edited by

              Good point about these links. Indeed, my Windows clients can no longer reach the AD domain either, which is the problem with the UDP protocol.

              1 Reply Last reply Reply Quote 0
              • B
                bobcat05
                last edited by

                I can also confirm this issue. I recently upgraded to 22.01 on my Netgate 1100 appliance.

                Users authenticate via a freeradius server with Pass-through MAC automatic additions enabled. Before, once a user authenticated and got past captive portal, nothing was blocked as the only firewall rule on that interface was to allow any IPv4 traffic, anywhere.

                After the upgrade, those with authenticated MAC addresses are only allowed basic web traffic. I can no longer connect to a VPN, ping DNS servers outside the network, or even ping the WAN address or gateway address. The only fix is to disable Captive Portal which I obviously don't want to do.

                The network diagram is:

                Modem >> Netgate 1100 >> UniFi Switch >> UniFi Access Points

                The UniFi switch is connected to the OPT1 (192.168.10.1/24) interface on the router that captive portal is active on. I've got a dumb switch connected to the LAN (192.168.1.1/24) interface that connects all the wired PCs in our office.

                GertjanG 1 Reply Last reply Reply Quote 0
                • GertjanG
                  Gertjan @bobcat05
                  last edited by Gertjan

                  @all

                  I wouldn't believe it.
                  I've installed the App of my Expr*ss VPN ISP to my phone, and Pad, and connected both to my captive portal.
                  I fired up the VPN App.
                  Initially, no connection could be made. That's new .... because it was falling back to a TCP tunnel, it connected.

                  I'm using my portal for hotel clients, and no one complained .... yet. I guess most clients use the wifi just to check mails, update FB, and watch Netflix anyway.

                  I think the "pipes" used by the portal connections have an issue.
                  You can see them here: Diagnostics > Limiter Info
                  These "pipes" are also used for the bufferbloat limiters I was using before; this is not possible any more with 2.6.0. I can live with that. But the captive portal partially broken .... hummm. Never saw that before.

                  When I remove all connected clients and deactivate the captive portal, all limiters and schedulers should be removed, right?
                  Wrong:

                  These stay in place:

                  [image: 89cbf57d-b2ae-4af8-83c9-d7d27d6c6bf4-image.png]

                  This should also be 'empty' :

                  [2.6.0-RELEASE][admin@pfsense.mynetwork.net]/root: ipfw table all list
                  --- table(cp_ifaces), set(0) ---
                  
                  [2.6.0-RELEASE][admin@pfsense.mynetwork.net]/root: ipfw table all list
                  --- table(cp_ifaces), set(0) ---
                  [2.6.0-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: ipfw show
                  00999  1093652   159826765 allow tagged 1
                  01000  3334509  3552256101 skipto tablearg ip from any to any via table(cp_ifaces)
                  01100 25766627 20440009158 allow ip from any to any
                  65534    51291    14897634 deny ip from any to any
                  65535      144       33784 allow ip from any to any
                  

                  as the captive portal is deactivated.

                  I rebooted pfSense :

                  [2.6.0-RELEASE][admin@pfsense.mynetwork.net]/root: ipfw show
                  ipfw: retrieving config failed: Protocol not available
                  [2.6.0-RELEASE][admin@pfsense.mynetwork.net]/root: ipfw ipfw table all list
                  ipfw: bad command `ipfw'
                  

                  this is normal, no portal == no ipfw loaded.

                  I have a pfSense setup @home. I'll do some testing this weekend.

                  edit 2022-03-01 :

                  Pipes or limiters are probably another issue, or not the issue at all

                  When I introduce a '00998' rule like this :

                  2.6.0-RELEASE][admin@pfsense.portalbroken.net]/root: ipfw show
                  00998 94719259 85479897044 allow ip from any to any
                  00999  5485259  1007470890 allow tagged 1
                  01000 11615464 11431517900 skipto tablearg ip from any to any via table(cp_ifaces)
                  01100 93906271 71988908641 allow ip from any to any
                  .....
                  

                  00999 and further are default captive portal ipfw rules.

                  My captive portal becomes 100% transparent, that is: still no UDP nor ICMP, just TCP.

                  Looks like the issue is ipfw ....


                  1 Reply Last reply Reply Quote 0
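Gertjan's checks above (watch whether the counters of a rule move during a ping test, look at whether the final deny rule 65534 is the one incrementing, and see whether portal rules are still loaded after the portal is deactivated, or whether an "allow ip from any to any" sits in front of the portal rules) are easiest to do by diffing two captures of `ipfw show`. The script below is an added example written for this thread, not code from pfSense or from any poster: it parses the `ipfw show` format shown in the posts and reports which rules were hit between two snapshots. The "after" snapshot and the hostnames are constructed sample data; the "before" lines are the ones quoted above.

```python
"""Compare two `ipfw show` captures to see which captive-portal rules were hit.

Added example for this thread; not pfSense code. Snapshots are constructed
from the ipfw output quoted in the discussion.
"""
import re
from dataclasses import dataclass

# One `ipfw show` line: 5-digit rule number, packet counter, byte counter, rule body.
IPFW_LINE = re.compile(r"^\s*(\d{5})\s+(\d+)\s+(\d+)\s+(.+?)\s*$")

# Capture before the ping test (lines quoted in the thread; prompt hostname constructed).
BEFORE = """\
[2.6.0-RELEASE][admin@pfsense.example.net]/root: ipfw show
00999  1093652   159826765 allow tagged 1
01000  3334509  3552256101 skipto tablearg ip from any to any via table(cp_ifaces)
01100 25766627 20440009158 allow ip from any to any
65534    51291    14897634 deny ip from any to any
65535      144       33784 allow ip from any to any
"""

# Constructed capture after sending four pings from a portal client: the skipto
# rule and the final deny rule each advance by 4 packets, nothing else moves.
AFTER = """\
[2.6.0-RELEASE][admin@pfsense.example.net]/root: ipfw show
00999  1093652   159826765 allow tagged 1
01000  3334513  3552256437 skipto tablearg ip from any to any via table(cp_ifaces)
01100 25766627 20440009158 allow ip from any to any
65534    51295    14897970 deny ip from any to any
65535      144       33784 allow ip from any to any
"""

# The "00998 allow" experiment from the thread (the '.....' line is skipped by the parser).
TRANSPARENT = """\
00998 94719259 85479897044 allow ip from any to any
00999  5485259  1007470890 allow tagged 1
01000 11615464 11431517900 skipto tablearg ip from any to any via table(cp_ifaces)
01100 93906271 71988908641 allow ip from any to any
.....
"""


@dataclass(frozen=True)
class IpfwRule:
    number: int
    packets: int
    bytes: int
    body: str


def parse_ipfw_show(text: str) -> dict:
    """Return {rule_number: IpfwRule}. Prompt lines, blanks and '.....' are ignored."""
    rules = {}
    for line in text.splitlines():
        m = IPFW_LINE.match(line)
        if m:
            num = int(m.group(1))
            rules[num] = IpfwRule(num, int(m.group(2)), int(m.group(3)), m.group(4))
    return rules


def hit_rules(before: dict, after: dict) -> dict:
    """Rules whose packet counter grew between the snapshots: number -> packets added."""
    return {n: r.packets - before[n].packets
            for n, r in after.items()
            if n in before and r.packets > before[n].packets}


def first_pass_all(rules: dict):
    """Lowest-numbered 'allow ip from any to any'. If it precedes the portal's 00999
    rule, ipfw has been made transparent, as in the 00998 experiment above."""
    for n in sorted(rules):
        if rules[n].body == "allow ip from any to any":
            return n
    return None


def portal_rules_present(rules: dict) -> bool:
    """True while anything besides the two catch-all rules (65534/65535) is loaded,
    i.e. the portal rule set has not been torn down."""
    return any(n < 65534 for n in rules)


if __name__ == "__main__":
    before, after = parse_ipfw_show(BEFORE), parse_ipfw_show(AFTER)
    for num, delta in sorted(hit_rules(before, after).items()):
        print(f"rule {num:05d} +{delta} packets: {after[num].body}")
    print("first pass-all rule:", first_pass_all(before))
    print("portal rules loaded:", portal_rules_present(before))
```

Reading the sample result: the packets entered the portal via the skipto at 01000 and ended at the final deny rule 65534 without touching any allow rule, which is exactly the "final block rule incrementing" symptom Gertjan asks about. On a box where the portal has been deactivated, an empty or failing `ipfw show` parses to an empty dict and `portal_rules_present` returns False; anything else means rules were left behind.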
                  • B
                    bobcat05
                    last edited by

                    I ended up just reinstalling the firmware on my Netgate 1100 until this gets resolved. I followed this guide and requested access to version 21.05 in a support ticket. Install went fine and after restoring my config, everything works as it should.

                    GertjanG 1 Reply Last reply Reply Quote 0
                    • GertjanG
                      Gertjan @bobcat05
                      last edited by Gertjan

                      @bobcat05

                      Read https://forum.netgate.com/topic/170300/new-system-patches-v2-0?_=1646343673426 - Apply patch (Redmine #12834) and ICMP/UDP will be handled just fine.


                      L 1 Reply Last reply Reply Quote 0
                      • L
                        leofox @Gertjan
                        last edited by

                        It's ok for me. The patch has fixed the issue. Thanks.

                        1 Reply Last reply Reply Quote 0
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.