Netgate Discussion Forum

FreeRadius and quotas, doesn't work since 22.05

Captive Portal
    Gertjan, Aug 8, 2022, 1:22 PM (last edited by Gertjan Aug 8, 2022, 8:39 PM)

    This has been set:

    login-to-view

    The daily quota for a user:

    login-to-view

    The folder /var/log/radacct/datacounter/daily contains the usual files (the users with a quota defined):

    login-to-view

    The issue:

    The function getVolume($ip) (/etc/inc/captiveportal.inc)
    calls a pfSense PHP function:

    $result = pfSense_pf_cp_get_eth_rule_counters("{$anchor}/{$ip}");
    

    which always returns "" (nothing), and that is interpreted as zero. So traffic isn't counted any more.

    The variable {$anchor}/{$ip} seems correct to me:

    cpzoneid_2_auth/192.168.2.8
    

    where 192.168.2.8 is an IP of a portal connected device.

    A part of my /tmp/rules.debug:

    # Captive Portal
    ether pass on { igc1  } tag "cpzoneid_2_rdr"
    ether anchor "cpzoneid_2_auth/*" on { igc1  }   <=============
    ether anchor "cpzoneid_2_passthrumac/*" on { igc1  }
    ether anchor "cpzoneid_2_allowedhosts/*" on { igc1  }
    

    and I understood that pfSense_pf_cp_get_eth_rule_counters("cpzoneid_2_auth/192.168.2.8") should return an array with up/down counters for that IP (192.168.2.8).
    The anchor "cpzoneid_2_auth" should contain a list with authorized (logged in) portal users.
    Well .... it doesn't.

    I understood that 'ether' is a new kind of 'pf' keyword, proposed by Netgate so FreeBSD (the source) has a better 'pf'.

    Is there a way to test this manually?

    Btw: pfSense_pf_cp_get_eth_rule_counters() is plain vanilla old-school C.

    I've tried a lot of possible commands using pfctl - but no go.

    Is this work in progress? A bug? Is it known? Am I the only one who saw that quotas don't work any more?
    Btw: I'm not using quotas. I activate them once in a while for users who 'over consume' bandwidth.

    I know: ipfw has been retired. It's all "pf" now.

    And not related to this issue:
    Please (in big capitals):
    This file:
    /usr/local/etc/raddb/scripts/datacounter_auth.sh

    Line 20:

       	logger -f /var/log/system.log "FreeRADIUS: User $USERNAME has used $USEDOCTETSUSERNAMEMB MB of $MAXOCTETSUSERNAMEMB MB $TIMERANGE allotted traffic. The login request was accepted."
    

    Change it to

    ### logger -f /var/log/system.log "FreeRADIUS: User $USERNAME has used $USEDOCTETSUSERNAMEMB MB of $MAXOCTETSUSERNAMEMB MB $TIMERANGE allotted traffic. The login request was accepted."
    

    as right now, when someone works with FreeRADIUS quotas, the main Status > System Logs > System > General log file gets obliterated with useless log lines.
    This will hide useful lines and makes the main log file useless, which I would call a "security issue".

    edit:

    FreeBSD 14.0 - the pfctl man pages talk about the new 'ether' modifier.

    But now the real magic: I'm using FreeBSD 12.3 on my pfSense 22.05 .....

    This works:

    [22.05-RELEASE][admin@pfSense.hello.net]/root: pfctl -s ether -v
    ether pass on igc1 l3 all tag cpzoneid_2_rdr
      [ Evaluations: 60478361  Packets: 2283751   Bytes: 690277032 ]
    ether anchor "cpzoneid_2_auth/*" on igc1 l3 all   <======== this 'root' key
      [ Evaluations: 17749888  Packets: 0         Bytes: 0         ]
    ether anchor "cpzoneid_2_passthrumac/*" on igc1 l3 all
      [ Evaluations: 2296071   Packets: 0         Bytes: 0         ]
    ether anchor "cpzoneid_2_allowedhosts/*" on igc1 l3 all
      [ Evaluations: 2296071   Packets: 0         Bytes: 0         ]
    

    But this root key (if I may call it like that) says ..... Packets: 0 Bytes: 0 ]
    and that's probably the bottom of the no-go, I guess.

    The first line "ether pass on igc1 l3 all tag cpzoneid_2_rdr" did give counter results:

      [ Evaluations: 60478361  Packets: 2283751   Bytes: 690277032 ]
    

    No "help me" PM's please. Use the forum, the community will thank you.
    Edit : and where are the logs ??

      Gertjan (replying to Gertjan), Aug 24, 2022, 7:44 AM

      Update: Regression #13418


        marcosm (Netgate, replying to Gertjan), Aug 28, 2022, 9:25 PM

        @gertjan Thanks for the detailed troubleshooting. I posted a patch on the redmine issue which you can test.

          Gertjan (replying to marcosm), Aug 29, 2022, 7:41 AM (last edited by Gertjan Aug 29, 2022, 8:11 AM)

          @marcosm

          I've added the patch -> changed the two lines => added '_32'.
          Restarted the portal. Noop.
          Logged out all portal users, and let them log in again. Noop.
          Restarted pfSense (this logs out all users, I do not maintain connected users). Noop.

          I still see lines like:

          login-to-view

          edit:

          	$result = pfSense_pf_cp_get_eth_rule_counters("{$anchor}/{$ip}_32");
          

          still returns 'nothing'.

          Btw: I'm using "22.05".

          Is there more to patch than just https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/850 - which I cannot read!?

          edit again:

          But now I know how to use

          [22.05-RELEASE][admin@pfSense.mynetwork.net]/dev: pfctl -s ether -v -a cpzoneid_2_auth/192.168.2.6_32
          ether pass in quick proto 0x0800 from ea:1a:04:4f:cc:a1 l3 from 192.168.2.6 to any tag cpzoneid_2_auth dnpipe 2010
            [ Evaluations: 13325     Packets: 7450      Bytes: 6456087   ]
          ether pass out quick proto 0x0800 to ea:1a:04:4f:cc:a1 l3 from any to 192.168.2.6 tag cpzoneid_2_auth dnpipe 2011
            [ Evaluations: 5871      Packets: 5865      Bytes: 4255946   ]
          

          Where "192.168.2.6" is a connected portal user, ea:1a:04:4f:xx:a1 is its MAC address.
          Packets and bytes in both directions are incrementing fast!! pf, with the ether mode, works!

          edit again:

          [22.05-RELEASE][admin@pfSense.mynetwork.net]/dev: pfctl -s ether -a cpzoneid_2_auth/192.168.2.6_32 -v
          ether pass in quick proto 0x0800 from ea:1a:04:4f:xx:a1 l3 from 192.168.2.6 to any tag cpzoneid_2_auth dnpipe 2010
            [ Evaluations: 4002      Packets: 1935      Bytes: 927597    ]
          ether pass out quick proto 0x0800 to ea:1a:04:4f:xx:a1 l3 from any to 192.168.2.6 tag cpzoneid_2_auth dnpipe 2011
            [ Evaluations: 2061      Packets: 2056      Bytes: 1870105   ]
          

          and seconds later, suddenly:

          [22.05-RELEASE][admin@pfSense.mynetwork.net]/dev: pfctl -s ether -a cpzoneid_2_auth/192.168.2.6_32 -v
          ether pass in quick proto 0x0800 from ea:1a:04:4f:xx:a1 l3 from 192.168.2.6 to any tag cpzoneid_2_auth dnpipe 2010
            [ Evaluations: 0         Packets: 0         Bytes: 0         ]
          ether pass out quick proto 0x0800 to ea:1a:04:4f:xx:a1 l3 from any to 192.168.2.6 tag cpzoneid_2_auth dnpipe 2011
            [ Evaluations: 0         Packets: 0         Bytes: 0
          

          Who reset the counters??

          I'm using interim mode "interimupdate", not "stopstart".
          Stopstart is the only one that calls captiveportal_anchor_zerocnt().

          Who resets my counters? ;)


            marcosm (Netgate, replying to Gertjan), Aug 29, 2022, 2:17 PM

            @gertjan Maybe there's something different in your configuration - start with just the setup referenced on the redmine link and see if you can narrow down where it breaks for you. Regarding the log, that's specific to the FreeRADIUS package itself. Ideally all of its logs would go into its own package log.

              Gertjan (replying to marcosm), Aug 29, 2022, 2:36 PM

              @marcosm said in FreeRadius and quotas, doesn't work since 22.05:

              start with just the setup referenced on the redmine link

              pfSense+ 22.05 => Of course.

              Configure Captive Portal on VLAN interface => I'm not using VLANs; interface igc1 on my SG-4100.

              Use FreeRADIUS auth backend => Of course. That's what this is all about.

              Check Reauthenticate Users, Session timeout, Traffic quota, Per-user bandwidth restrictions
              Like:

              login-to-view

              Enable Send RADIUS accounting packets, select Stop/Start (FreeRADIUS) or Interim

              As said, I'm using Interim updating.

              For me, in the function getVolume($ip) (/etc/inc/captiveportal.inc)

              	$result = pfSense_pf_cp_get_eth_rule_counters("{$anchor}/{$ip}_32");
              

              always returns an empty array - I test this with an 'else', and log $result ... it's empty.

              The parameter "cpzoneid_2_auth/192.168.1.6_32" seems ok to me.


                marcosm (Netgate, replying to Gertjan), Aug 29, 2022, 2:54 PM (last edited by marcosm Aug 30, 2022, 12:18 AM)

                @gertjan You can see the actual anchors by running "pfSsh.php playback pfanchordrill" - it's returning correctly when I test it here.

                I have seen some odd behavior where bandwidth limits are not respected when configured in FreeRADIUS. Details here: https://redmine.pfsense.org/issues/13150#note-16

                  Gertjan (replying to marcosm), Aug 30, 2022, 7:16 AM

                  @marcosm said in FreeRadius and quotas, doesn't work since 22.05:

                  You can see the actual anchors by running "pfSsh.php playback pfanchordrill" - it's returning correctly when I test it here.

                  Two users are connected:

                  [22.05-RELEASE][admin@pfSense.mynetwork.net]/root: pfSsh.php playback pfanchordrill
                  ......
                  cpzoneid_2_auth/192.168.2.161_32 rules/nat contents:
                  ether pass in quick proto 0x0800 from 14:c2:13:c9:1e:77 l3 from 192.168.2.161 to any tag cpzoneid_2_auth dnpipe 2010
                  ether pass out quick proto 0x0800 to 14:c2:13:c9:1e:77 l3 from any to 192.168.2.161 tag cpzoneid_2_auth dnpipe 2011
                  
                  cpzoneid_2_auth/192.168.2.28_32 rules/nat contents:
                  ether pass in quick proto 0x0800 from d8:8f:76:02:32:87 l3 from 192.168.2.28 to any tag cpzoneid_2_auth dnpipe 2010
                  ether pass out quick proto 0x0800 to d8:8f:76:02:32:87 l3 from any to 192.168.2.28 tag cpzoneid_2_auth dnpipe 2011
                  
                  .....
                  

                  Note that the pipes for both portal users, 192.168.2.161 (my phone) and captive portal user 192.168.2.28, are identical: 2010 and 2011.
                  Are the pipes 2010 and 2011 shared by all portal users?

                  @marcosm said in FreeRadius and quotas, doesn't work since 22.05:

                  I have seen some odd behavior where bandwidth limits are not respected when configured in FreeRADIUS. Details here: https://redmine.pfsense.org/issues/13150#note-16

                  Btw: I'm not trying to limit bandwidth.
                  I use FreeRADIUS to set up a 'daily' amount of Mbytes.
                  From what I understand:
                  FreeRADIUS isn't questioning pf at all. It calls back the pfSense portal code.
                  In interim mode, during the 60-second update cycle, every connected user's status is interrogated, and consumed bytes are returned.
                  Or nothing - zero - gets returned.
                  I can go down to this function: getVolume($ip) (/etc/inc/captiveportal.inc), which doesn't return the array with this info: the array stays empty.
                  Result: quotas don't work 'for me'.

                  login-to-view

                  I know now pf does its work:

                  [22.05-RELEASE][admin@pfSense.mynetwork.net]/root: pfctl -a cpzoneid_2_auth/192.168.2.161_32 -se -v
                  ether pass in quick proto 0x0800 from 14:c2:13:c9:1e:77 l3 from 192.168.2.161 to any tag cpzoneid_2_auth dnpipe 2010
                    [ Evaluations: 2488      Packets: 1397      Bytes: 1641623   ]
                  ether pass out quick proto 0x0800 to 14:c2:13:c9:1e:77 l3 from any to 192.168.2.161 tag cpzoneid_2_auth dnpipe 2011
                    [ Evaluations: 1091      Packets: 1089      Bytes: 110482    ]
                  

                  I can see Packets and Bytes in both pipes = both directions grow rapidly while I do a speed test on my phone = "192.168.2.161".

                  Then why does getVolume($ip) (/etc/inc/captiveportal.inc) always return zero?


                    marcosm (Netgate, replying to Gertjan), Aug 30, 2022, 3:17 PM (last edited by marcosm Aug 30, 2022, 3:23 PM)

                    @gertjan If you run e.g. print_r(pfSense_pf_cp_get_eth_rule_counters("cpzoneid_2_auth/192.168.2.8_32")); from Diagnostics / Command Prompt // Execute PHP Commands, you should be seeing the data. If not, there's something else wrong. If you do see the counters from that, then you should also see the usage data being recorded (however often you have it configured in FreeRADIUS; default is 600 seconds) in the files under /var/log/radacct/datacounter/ where "max" is the traffic quota and "used" is the currently recorded usage.

                    Regarding the limiters, they can be shared across multiple clients, and each client will be limited accordingly. You can see them by going to Diagnostics / Limiters or by running dnctl pipe show.

                      Gertjan (replying to marcosm), Aug 31, 2022, 10:49 AM (last edited by Gertjan Aug 31, 2022, 10:50 AM)

                      @marcosm said in FreeRadius and quotas, doesn't work since 22.05:

                      If you run e.g. print_r(pfSense_pf_cp_get_eth_rule_counters("cpzoneid_2_auth/192.168.2.8_32")); from Diagnostics / Command Prompt // Execute PHP Commands, you should be seeing the data

                      Bingo! Thanks.

                      login-to-view

                      With your proposal in mind, I've created:

                      login-to-view

                      and executed it.
                      In the logs, I saw:

                      2022-08-31 10:54:27.147981+02:00 	logportalauth 	8179 	Zone: cpzone1 - endx
                      2022-08-31 10:54:27.147946+02:00 	logportalauth 	8179 	Zone: cpzone1 - cpzoneid_2_auth/192.168.2.161_32 - 1006 - 169431 - 1405 - 1573888
                      2022-08-31 10:54:27.146714+02:00 	logportalauth 	8179 	Zone: cpzone1 - ends
                      

                      This is promising. Traffic info was shown, using the getVolume($ip) function.

                      So I tried to find out why the function getVolume($ip), regularly called from captiveportal_prune_old(), returns 'zero'.

                      I found it (I'm pretty sure).

                      Line (around) 673, at the beginning of the function captiveportal_prune_old():

                      			$lastact = captiveportal_get_last_activity($cpentry[2]);
                      

                      gets called and has a side effect: things get zero'd out.

                      Here: https://github.com/pfsense/FreeBSD-ports/blob/e585da7c980bb3a47b021c597f6160959495a103/devel/php-pfSense-module/files/pfSense.c

                      		if (pfctl_get_eth_rule(dev, nr, info.ticket, path, &rule, true, anchor_call) != 0)
                      

                      Parameter 6 = true, and this means 'clear' is set. (Traffic) counters get reset!?!

                      A dirty patch:

                      //			$lastact = captiveportal_get_last_activity($cpentry[2]);
                      

                      and now quotas start to work:

                      login-to-view


                        marcosm (Netgate, replying to Gertjan), Aug 31, 2022, 3:00 PM
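For the manual check asked about earlier in the thread and the "who reset my counters" symptom, here is an added shell example (not pfSense or Netgate code) that parses the output of `pfctl -s ether -v -a <anchor>` into the same in/out packet and byte figures getVolume($ip) should return, and flags a counter reset between two readings. The sample output is constructed from the values quoted in this thread; the anchor form cpzoneid_<zone>_auth/<ip>_32 is taken from the thread.

```shell
#!/bin/sh
# Added example, not pfSense/Netgate code. Reads per-client ether anchor counters
# straight from pf so the PHP path (getVolume) can be cross-checked.

# Parse `pfctl -s ether -v -a <anchor>` output on stdin and print
# "in_pkts in_bytes out_pkts out_bytes". pf 'in' is what the client sends (upload),
# 'out' is what it receives (download); both rules carry the same anchor.
cp_anchor_counters() {
    awk '
        # Rule line: remember its direction; the counter line follows it.
        $1 == "ether" && $2 == "pass" { dir = $3; next }
        # Counter line: "[ Evaluations: N  Packets: N  Bytes: N ]" (closing ] may be missing)
        $1 == "[" && dir != "" {
            for (i = 1; i < NF; i++) {
                if ($i == "Packets:") pkts[dir] += $(i + 1)
                if ($i == "Bytes:")   bytes[dir] += $(i + 1)
            }
            dir = ""
        }
        END { printf "%d %d %d %d\n", pkts["in"], bytes["in"], pkts["out"], bytes["out"] }
    '
}

# Total bytes in both directions: the figure a daily quota in MB is compared against.
cp_total_bytes() {
    set -- $1
    echo $(( $2 + $4 ))
}

# Compare two snapshots of the same anchor. pf counters only grow while the rule
# is loaded, so any decrease means something cleared them between the readings
# (the clear flag passed to pfctl_get_eth_rule() discussed above does exactly that).
cp_counter_check() {
    set -- $1 $2
    if [ "$5" -lt "$1" ] || [ "$6" -lt "$2" ] || [ "$7" -lt "$3" ] || [ "$8" -lt "$4" ]; then
        echo "RESET"
    else
        echo "OK"
    fi
}

# Live use on a pfSense 22.05 box (not run here): $1 = zone id, $2 = client IP.
cp_live_counters() {
    pfctl -s ether -v -a "cpzoneid_${1}_auth/${2}_32" | cp_anchor_counters
}

# Constructed sample: first snapshot uses the counters posted for 192.168.2.161,
# second snapshot is the all-zero reading seen seconds later (note the missing ]).
SNAP_BEFORE='ether pass in quick proto 0x0800 from 14:c2:13:c9:1e:77 l3 from 192.168.2.161 to any tag cpzoneid_2_auth dnpipe 2010
  [ Evaluations: 2488      Packets: 1397      Bytes: 1641623   ]
ether pass out quick proto 0x0800 to 14:c2:13:c9:1e:77 l3 from any to 192.168.2.161 tag cpzoneid_2_auth dnpipe 2011
  [ Evaluations: 1091      Packets: 1089      Bytes: 110482    ]'

SNAP_AFTER='ether pass in quick proto 0x0800 from 14:c2:13:c9:1e:77 l3 from 192.168.2.161 to any tag cpzoneid_2_auth dnpipe 2010
  [ Evaluations: 0         Packets: 0         Bytes: 0         ]
ether pass out quick proto 0x0800 to 14:c2:13:c9:1e:77 l3 from any to 192.168.2.161 tag cpzoneid_2_auth dnpipe 2011
  [ Evaluations: 0         Packets: 0         Bytes: 0'

before=$(printf '%s\n' "$SNAP_BEFORE" | cp_anchor_counters)
after=$(printf '%s\n' "$SNAP_AFTER" | cp_anchor_counters)
echo "before: $before  (total bytes: $(cp_total_bytes "$before"))"
echo "after:  $after"
echo "check:  $(cp_counter_check "$before" "$after")"
```

Run the parser against two successive live readings a minute apart; a RESET during the interim update cycle points at the counter-clearing call rather than at pf itself.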

                        @gertjan It seems like a copy/paste error to me and it should not be set to true. There are other ways that can be triggered though, so I would do this instead as a temporary workaround (this breaks idle timeout and anything relying on last activity time):

                        diff --git a/src/etc/inc/captiveportal.inc b/src/etc/inc/captiveportal.inc
                        index db66cb8e7c..262a9f26e2 100644
                        --- a/src/etc/inc/captiveportal.inc
                        +++ b/src/etc/inc/captiveportal.inc
                        @@ -1154,7 +1154,7 @@ function captiveportal_get_last_activity($ip) {
                         	$cpzoneprefix = CPPREFIX . $config['captiveportal'][$cpzone]['zoneid'];
                         	$anchor = $cpzoneprefix . '_auth';
                         
                        -	$active_times = pfSense_pf_cp_get_eth_last_active("{$anchor}/{$ip}_32");
                        +	//$active_times = pfSense_pf_cp_get_eth_last_active("{$anchor}/{$ip}_32");
                         	$time = 0;
                         	if (!empty($active_times)) {
                         		foreach ($active_times as $active_time) {
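                        Review bot: commenting out the pfSense_pf_cp_get_eth_last_active() call leaves $active_times unset, so the `if (!empty($active_times))` block below it is dead code and $time is always 0; that is the stated intent (idle timeout and anything keyed on last activity stop working), but the hunk should say so in a comment next to the disabled line so nobody later reads the silent 0 as a real timestamp. The root cause identified upthread is the `true` clear argument in the pfctl_get_eth_rule() call inside the pfSense module, so the lasting fix belongs there and this hunk should be reverted once that lands.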
                        
                        
                          Gertjan (replying to marcosm), Aug 31, 2022, 3:50 PM (last edited by Gertjan Sep 26, 2022, 8:24 AM)

                          @marcosm

                          I can live with the non-working idle timeout; I've also set a hard timeout, both are the same now.

                          I've got a bonus for you:

                          Take a look at how the array $result is filled in:

                          login-to-view

                          Now use these commands:

                          $result = array();
                          $result = pfSense_pf_cp_get_eth_rule_counters("cpzoneid_2_auth/192.168.2.6_32");
                          list($output_pkts, $output_bytes, $input_pkts, $input_bytes) = $result;
                          echo " ".$output_pkts;
                          echo " ".$output_bytes;
                          echo " ".$input_pkts;
                          echo " ".$input_bytes;
                          

                          Where "192.168.2.6" is the IP to collect data from.

                          This came back for me:

                          login-to-view

                          Elements [0], [1] and [6], [7] are 0 and should be discarded.

                          So in getVolume($ip), around line 1691, replace:

                          	   list($output_pkts, $output_bytes, $input_pkts, $input_bytes) = $result;
                          

                          with this:

                          	   list($discard, $discard, $output_pkts, $output_bytes, $input_pkts, $input_bytes, $discard, $discard) = $result;
                          

                          Now I can see:

                          $result = array();
                          $result = pfSense_pf_cp_get_eth_rule_counters("cpzoneid_2_auth/192.168.2.6_32");
                          list($discard, $discard, $output_pkts, $output_bytes, $input_pkts, $input_bytes, $discard, $discard) = $result;
                          echo " ".$output_pkts;
                          echo " ".$output_bytes;
                          echo " ".$input_pkts;
                          echo " ".$input_bytes;
                          

                          I see a

                          login-to-view

                          which looks good.


                            marcosm (Netgate, replying to Gertjan), Aug 31, 2022, 11:20 PM

                            @gertjan Thanks! I submitted a fix for that, unfortunately it will require a new build.

                              heper (replying to marcosm), Sep 2, 2022, 8:26 AM (last edited by heper Sep 2, 2022, 8:57 AM)

                              @Gertjan

                              Do you use these settings? (I'm only using Windows AD for CP auth, not accounting)
                              login-to-view
                              login-to-view

                              I'm seeing odd behaviour.
                              This is supposed to provide x kb/s for EACH user. (It worked in previous versions.)

                              Now I am seeing that the sum of all client traffic combined on the captive portal matches the speeds set in the "default download/upload".
                              So in my case it becomes a global limiter on the entire VLAN ....

                              Can anyone confirm / deny if they can also observe this?

                                Gertjan (replying to heper), Sep 2, 2022, 10:00 AM (last edited by Gertjan Sep 2, 2022, 10:05 AM)

                                @heper

                                You're talking about bandwidth restriction.
                                I (see thread subject) was talking about quotas.

                                For a 'test' FreeRADIUS user, I have

                                login-to-view

                                so: no bandwidth restrictions.

                                I've activated a 2 Mbit down for "everybody":

                                login-to-view

                                Two active users are connected, both are clipping to the 2 Mbit down.
                                (Two other users are just connected and not active.)

                                login-to-view

                                With my two devices, I can see 2 x 2 Mbits = 4 Mbit.

                                edit:

                                When I clip a user with FreeRADIUS:

                                login-to-view

                                the bandwidth for this user is also respected: 1 Mbit down and 500 Kbit up.
                                Other users can still access using all bandwidth available.


                                  heper (replying to Gertjan), Sep 2, 2022, 10:06 AM

                                  @gertjan said in FreeRadius and quotas, doesn't work since 22.05:

                                  as talking about quotas.

                                  I realize that you were talking about quotas and not bandwidth limiting, but since I didn't find anyone with the same issue I hoped it might have been related.

                                  I'll contact Netgate support - perhaps they have more insight into the bandwidth-limiting issue I'm having, while yours seems fine on 22.05.

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.