Netgate Discussion Forum
    Allowed IP Address does not work in captive portal

    • N
      nomanharoon

      Hi there, I am having a problem. I have deployed pfSense on VMware Workstation 12 and also configured the captive portal.
      Speed control is working perfectly with MAC based control, but the captive portal is not restricting incoming speed when I
      try to restrict it through the Allow IP interface. What might be the reason?

      I have deployed at two locations. The same problem occurs at both sites. I am wondering why the pfSense captive portal
      is not limiting by IP when on a VM. Can anybody please help?

      • R
        rcoleman-netgate Netgate @nomanharoon

        @nomanharoon What release of pfSense? There are a lot of CP issues resolved in the last 18 months.

        Ryan
        Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
        Requesting firmware for your Netgate device? https://go.netgate.com
        Switching: Mikrotik, Netgear, Extreme
        Wireless: Aruba, Ubiquiti

        • N
          nomanharoon @rcoleman-netgate

          @rcoleman-netgate I am using 2.7 latest. I just tested the previous release 2.3. It is working perfectly with the captive portal while allowing an IP address.

          • N
            nomanharoon @rcoleman-netgate

            @rcoleman-netgate But there is a BUG in the latest 2.7 release: it cannot control speed in the captive portal when allowing an IP address. However, it limits with MAC, for which I am using MAC in the captive portal.

            • R
              rcoleman-netgate Netgate @nomanharoon

              @nomanharoon If there isn't a redmine already for the issue in 2.7 I recommend you open one so the engineers can work on it: https://redmine.pfsense.org

              Does it present in 2.6?

              Testing on 2.3 is ... not very helpful as it has been out of support for more than 6 years.

              • N
                nomanharoon @rcoleman-netgate

                @rcoleman-netgate I didn't test on 2.6. I'd love to report a bug to the engineering team, but the problem is I am not receiving my activation email so that my account can be activated; then I can log on afterwards and report this captive portal allow IP ISSUE.

                • N
                  nomanharoon @rcoleman-netgate

                  @rcoleman-netgate Thanks rcoleman, I have created a request to resolve the bug: Bug #14684
                  Allowed IP Address does not control incoming speed in captive portal, PF Sense Release 2.7 Latest
                  Added by Noman Haroon less than a minute ago.

                  Status: New
                  Priority: High
                  Assignee: -
                  Category: Captive Portal
                  Target version:
                  Start date:
                  Due date:
                  % Done: 0%
                  Estimated time:
                  Plus Target Version:
                  Release Notes: Default
                  Affected Version: 2.7.0
                  Affected Architecture: amd64

                  Description

                  Hi PF Sense Engineers, I would like to report a bug. There is a problem in the captive portal in the latest release 2.7: the captive portal cannot control speed for Allowed IP Addresses. <--- This is the problem which needs to be fixed.

                  However, captive portal MAC based speed limitation works, but it should also work with Allowed IP Addresses.
                  Therefore, as a PF Sense user, I am requesting you to kindly address this issue.
                  I will be highly obliged.

                  • R
                    rcoleman-netgate Netgate @nomanharoon

                    @nomanharoon OK, they'll want details whenever possible -- screenshots, errors, etc., on your bug report so they can figure out how to replicate the issue on their side.

                    • N
                      nomanharoon @rcoleman-netgate

                      @rcoleman-netgate I can send video if they need.

                      • N
                        nomanharoon @rcoleman-netgate

                        @rcoleman-netgate You know this is one of the main features of the captive portal which is not working. A lot of the community is using this captive portal speed limitation feature; when they upgrade to 2.7 they will be disappointed. So this needs to be fixed urgently.

                        • R
                          rcoleman-netgate Netgate @nomanharoon

                          @nomanharoon Include as much detail in the redmine as you can today as that will save the engineers time and help get any bug addressed more quickly.

                          • N
                            nomanharoon @rcoleman-netgate

                            @rcoleman-netgate I have shared a video link, kindly check it. Also I am sharing with PF Sense engineering team.

                            https://drive.google.com/drive/folders/1kVCGz0lYrItvGxy6muFJ05PSN0l2O5B4?usp=sharing

                            • GertjanG
                              Gertjan @nomanharoon

                              @nomanharoon

                              I'm not using 2.7.0, I have 23.05.1, so I'm not sure if my observations are comparable.
                              I do know I use the same 'pf' version (the firewall), and the captive portal pfSense script files are identical.

                              I'm using FreeRadius, where I only assigned a user name and password.
                              The advantage is : I can choose one user (one user account) to have, for example, a speed limit only for this user.

                              I've set up my test user, and added :

                              c180acdf-b43a-48b1-8c0c-0e2a19687a32-image.png

                              Btw : this setting, on the captive portal settings page, isn't used :

                              bdaf9d4f-02d1-4b1d-9cbd-795c3e0b6efb-image.png

                              I've checked on the command line :

                              pfSsh.php playback pfanchordrill
                              ...
                              
                              cpzoneid_2_auth/192.168.2.6_32 rules/nat contents:
                              ether pass in quick proto 0x0800 from e0:92:5c:d9:6c:fe l3 from 192.168.2.6 to any tag cpzoneid_2_auth dnpipe 2008
                              ether pass out quick proto 0x0800 to e0:92:5c:d9:6c:fe l3 from any to 192.168.2.6 tag cpzoneid_2_auth dnpipe 2009
                              ....
                              

                              192.168.2.6 is my 'Phone' device.

                              192.168.2.6 is using the pipes 2008/2009 :

                              00634996-06e1-4426-a89c-46335f4a05dd-image.png

                              I've tested the up / download speed on my Phone :

                              It was close to 1 Mbits Up and Down :

                              3b013722-aebe-48bc-9280-2a060882fdcc-image.png

                              instead of the usual +100 Mbit up / down :

                              ad89bb97-6755-4cea-ab66-489b7eac333a-image.png

                              edit : well ... raw speed depends a lot on the number of active portal users, and right now, there are a lot (tourists).

                              My advice : if bandwidth limiting is important : use 23.05.1 (and FreeRadius for fine control) : it works.

                              No "help me" PM's please. Use the forum, the community will thank you.
                              Edit : and where are the logs ??

                              • N
                                nomanharoon @nomanharoon

                                @nomanharoon The BUG is in 2.7.0 CE for real. You are using 23 Plus, which probably does not have this issue.
                                Our concern is to solve the captive portal allow IP problem. Thanks

                                Did you see my videos !!!

                                • N
                                  nomanharoon @Gertjan

                                  @Gertjan Kindly watch these two videos. One identifies the issue in 2.7.0 CE.
                                  The second shows that the old pfSense edition 2.3 works perfectly fine.

                                  https://drive.google.com/drive/folders/1kVCGz0lYrItvGxy6muFJ05PSN0l2O5B4?usp=sharing

                                  • GertjanG
                                    Gertjan @nomanharoon

                                    I reread the entire thread.

                                    I'm still using

                                    @nomanharoon said in Allowed IP Address does not work in captive portal:

                                    the captive portal is not restricting incoming speed when I
                                    try to restrict it through the Allow IP interface

                                    but ...

                                    I've added my iPhone IP 192.168.2.6 to the Allowed IP list :

                                    93af74b9-6c7d-4328-8420-96c85b5e3c02-image.png

                                    with a 1,5 Mbits sec bandwidth limiter, up and down.

                                    a13fc747-a52f-4176-9957-8083c878c381-image.png

                                    I connected my phone - double checked the IP it received : 192.168.2.6

                                    pfSsh.php playback pfanchordrill
                                    .......
                                    cpzoneid_2_allowedhosts/192.168.2.6_32 rules/nat contents:
                                    ether pass in quick proto 0x0800 l3 from any to 192.168.2.6 tag cpzoneid_2_auth dnpipe 2008
                                    ether pass in quick proto 0x0800 l3 from 192.168.2.6 to any tag cpzoneid_2_auth dnpipe 2009
                                    

                                    so pipes are 2008/2009 :

                                    Limiters:

                                    ....
                                    02008:   1.500 Mbit/s    0 ms burst 0 
                                    q133080 100 sl. 0 flows (1 buckets) sched 67544 weight 0 lmax 0 pri 0 droptail
                                     sched 67544 type FIFO flags 0x0 16 buckets 0 active
                                    02009:   1.500 Mbit/s    0 ms burst 0 
                                    q133081 100 sl. 0 flows (1 buckets) sched 67545 weight 0 lmax 0 pri 0 droptail
                                     sched 67545 type FIFO flags 0x0 16 buckets 0 active
                                    ....
                                    

                                    Speedtest on the phone : 30 Mbits sec up and down ......
                                    Yeah, something isn't good.

                                    MAC based speed limiting works ...

                                    (I removed the Allowed IP entry / 192.168.2.6)

                                    Added the Phone MAC entry to MACs list :
                                    Still using the same IP 192.168.2.6

                                    cpzoneid_2_passthrumac rules/nat contents:

                                    pfSsh.php playback pfanchordrill
                                    ......
                                    cpzoneid_2_passthrumac/e0925cd96cfe rules/nat contents:
                                    ether pass in quick from e0:92:5c:d9:6c:fe l3 all tag cpzoneid_2_auth dnpipe 2014
                                    ether pass out quick to e0:92:5c:d9:6c:fe l3 all tag cpzoneid_2_auth dnpipe 2015
                                    

                                    And I can see that these pipes 'do something' == are being used :

                                    a3e22e72-bfd0-4c8a-a0c4-2cb078f29e34-image.png

                                    edit :
                                    IP : "tag"
                                    MAC : "all tag"


                                    • N
                                      nomanharoon @Gertjan

                                      @Gertjan Dear Gertjan, I am not delusional :). Did you see the videos I uploaded? I am not making this up. It didn't
                                      control.

                                      • GertjanG
                                        Gertjan @nomanharoon

                                        @nomanharoon

                                        Me seeing you experiencing isn't that important ;)
                                        I believe you.

                                        IMHO, me - or someone else - being able to reproduce, is also important.

                                        From what I saw, Allowed MACs placed in the "cpzoneid_2_passthrumac" anchor use the attached pipes, pipes that limit the flow speed.

                                        Allowed IPs, placed in the cpzoneid_2_allowedhosts anchor do not seem to use the attached pipes, pipes that should limit the flow speed.


                                        N 1 Reply Last reply Reply Quote 0
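Added example (not written by any poster and not pfSense code): a small Python check that parses the anchor dumps quoted in Gertjan's two posts above and flags anchors whose dnpipe rules lack the in/out shape seen in the anchors that were observed to limit traffic. The comparison rule is an assumption drawn from the quoted output, not a confirmed root cause; the function names are hypothetical.

```python
import re

# Anchor dumps copied from the "pfSsh.php playback pfanchordrill" output quoted above.
SAMPLE = """\
cpzoneid_2_auth/192.168.2.6_32 rules/nat contents:
ether pass in quick proto 0x0800 from e0:92:5c:d9:6c:fe l3 from 192.168.2.6 to any tag cpzoneid_2_auth dnpipe 2008
ether pass out quick proto 0x0800 to e0:92:5c:d9:6c:fe l3 from any to 192.168.2.6 tag cpzoneid_2_auth dnpipe 2009
cpzoneid_2_allowedhosts/192.168.2.6_32 rules/nat contents:
ether pass in quick proto 0x0800 l3 from any to 192.168.2.6 tag cpzoneid_2_auth dnpipe 2008
ether pass in quick proto 0x0800 l3 from 192.168.2.6 to any tag cpzoneid_2_auth dnpipe 2009
cpzoneid_2_passthrumac/e0925cd96cfe rules/nat contents:
ether pass in quick from e0:92:5c:d9:6c:fe l3 all tag cpzoneid_2_auth dnpipe 2014
ether pass out quick to e0:92:5c:d9:6c:fe l3 all tag cpzoneid_2_auth dnpipe 2015
"""

HEADER = re.compile(r"^(\S+) rules/nat contents:$")
RULE = re.compile(
    r"^ether pass (?P<dir>in|out) quick .*?"
    r"l3 (?:all|from (?P<src>\S+) to (?P<dst>\S+)) "
    r"tag \S+ dnpipe (?P<pipe>\d+)$"
)


def parse(text):
    """Return {anchor name: [rule fields, ...]} from pfanchordrill-style output."""
    anchors, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        header = HEADER.match(line)
        if header:
            current = anchors.setdefault(header.group(1), [])
            continue
        rule = RULE.match(line)
        if rule and current is not None:
            current.append(rule.groupdict())
    return anchors


def audit(text):
    """Flag anchors whose limiter rules differ from the in/out pair shape."""
    findings = {}
    for anchor, rules in parse(text).items():
        notes = []
        dirs = {r["dir"] for r in rules}
        if rules and dirs != {"in", "out"}:
            notes.append("limiter rules only cover: " + ",".join(sorted(dirs)))
        for r in rules:
            # Traffic addressed to a specific host but matched as inbound.
            if r["dir"] == "in" and r["dst"] not in (None, "any"):
                notes.append(f"pipe {r['pipe']}: traffic to {r['dst']} is 'pass in'")
        findings[anchor] = notes
    return findings


if __name__ == "__main__":
    for name, notes in audit(SAMPLE).items():
        print(name, "->", notes or "in/out pair present")
```

Run against a saved copy of the pfanchordrill output from the firewall under test; only the cpzoneid_2_allowedhosts anchor is flagged for the sample above.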
                                        • N
                                          nomanharoon @Gertjan

                                          @Gertjan By seeing this, "Allowed IPs, placed in the cpzoneid_2_allowedhosts anchor do not seem to use the attached pipes, pipes that should limit the flow speed.", I now know that you know it doesn't work. Which needs to be fixed :) And I am waiting for when the stable version will be released which has these problems corrected. Thanks

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.