
    PROBLEM with captive portal and limite

    2.0-RC Snapshot Feedback and Problems - RETIRED

      stompro

      Hello,
        I set up the limiter with the captive portal using the settings found on the captive portal page, and that does seem to work fine.  My upload and download are working, and the login page comes up.  I attached an image of what I have it set at.  I'm not quite understanding how that limiter is set up, though.  Is that limiter truly per-user, so if one user had 3 laptops, and logged in with the same credentials on each one, then the total bandwidth for those 3 laptops would be throttled as a whole?  Or is per-user = per node/host?  I'm not planning on using authentication, just a splash page with an EULA.  Will this method of limiting work for me?

      When I look at the pipes that were created for the captive portal limiter they look a little different.  They do not show up under the traffic shaper, limiter menu.

      $ ipfw pipe show
      00001: 250.000 Kbit/s    0 ms   50 sl. 1 queues (64 buckets) droptail
          mask: 0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
      BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
       18 ip   192.168.206.253/0             0.0.0.0/0     8098  2969711  0    0   0
      00002: 400.000 Kbit/s    0 ms   50 sl. 1 queues (64 buckets) droptail
          mask: 0x00 0x00000000/0x0000 -> 0xffffffff/0x0000
      BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
       44 ip           0.0.0.0/0     192.168.206.253/0     9137 10626184  0    0   0
      00003: 512.000 Kbit/s    0 ms   50 sl. 0 queues (64 buckets) droptail
      50501: 250.000 Kbit/s    0 ms  100 sl. 1 queues (1 buckets) droptail
          mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
      BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
        0 tcp    192.168.1.198/4627    206.183.1.139/80    14403  1539968  0    0   0
      55501: 350.000 Kbit/s    0 ms  100 sl. 1 queues (1 buckets) droptail
          mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
      BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
        0 tcp    206.183.1.139/80      192.168.1.198/4627  19802 28268162  1 1500   0
      
      

      Pipes 1 & 2 are for a LAN limit, 3 is for another test, and 50501 and 55501 look like they are for the captive portal.  They are not masked for source or destination, so I am assuming that each user (or node/host) gets a dynamically created pipe just for them. If that is the case, it is pretty sweet.

      I will keep playing around with it, and try manually adding a limiter to see if I see the same problem as rojocesar.
      Josh

      Captive-Portal-Traffic-limiter.jpg

      Hardware used: Alix 2D13 X 10, APU2D4 X 10, SG-2200 X 10, SG-2440 X 4
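
As an added example (not part of the thread or of pfSense), the following Python parser reads the mask lines of the `ipfw pipe show` output posted above and names how dummynet splits each pipe into dynamic queues. `SAMPLE` is that output with the flow rows omitted; `parse_pipes` and `scope` are names made up here, and port masks are ignored.

```python
import re

# `ipfw pipe show` output from the post above, flow rows omitted.
SAMPLE = """\
00001: 250.000 Kbit/s    0 ms   50 sl. 1 queues (64 buckets) droptail
    mask: 0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
00002: 400.000 Kbit/s    0 ms   50 sl. 1 queues (64 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0xffffffff/0x0000
00003: 512.000 Kbit/s    0 ms   50 sl. 0 queues (64 buckets) droptail
50501: 250.000 Kbit/s    0 ms  100 sl. 1 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
55501: 350.000 Kbit/s    0 ms  100 sl. 1 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
"""

# Pipe header: number, rate, unit, active queues, hash buckets.
PIPE_RE = re.compile(
    r"^(\d+):\s+([\d.]+)\s+(\S*bit/s)\s.*?(\d+) queues \((\d+) buckets\)")
# Mask line: proto, src-ip/src-port -> dst-ip/dst-port (all hex).
MASK_RE = re.compile(
    r"mask:\s+0x[0-9a-fA-F]+\s+0x([0-9a-fA-F]+)/0x([0-9a-fA-F]+)"
    r"\s+->\s+0x([0-9a-fA-F]+)/0x([0-9a-fA-F]+)")


def scope(src, dst):
    """Name the key dummynet uses to split a pipe into dynamic queues."""
    if src is None:
        return "unknown"  # idle pipe: no mask line is printed for it
    parts = []
    for name, mask in (("source", src), ("destination", dst)):
        if mask == 0xFFFFFFFF:
            parts.append(f"per-{name}-host")    # one queue per IP address
        elif mask:
            parts.append(f"per-{name}-prefix")  # one queue per masked prefix
    return "+".join(parts) or "shared"          # all-zero mask: one queue


def parse_pipes(text):
    """Return one dict per pipe: number, rate, bucket count and scope."""
    pipes = []
    for line in text.splitlines():
        m = PIPE_RE.match(line)
        if m:
            pipes.append({"pipe": int(m.group(1)),
                          "rate": f"{m.group(2)} {m.group(3)}",
                          "buckets": int(m.group(5)),
                          "scope": scope(None, None)})
            continue
        m = MASK_RE.search(line)
        if m and pipes:  # a mask line belongs to the pipe header before it
            pipes[-1]["scope"] = scope(int(m.group(1), 16), int(m.group(3), 16))
    return pipes


if __name__ == "__main__":
    for p in parse_pipes(SAMPLE):
        print(f"{p['pipe']:>5}  {p['rate']:<16} {p['scope']}")
```

An unmasked pipe such as 50501 is a single queue at the stated rate, so limiting each client separately with such pipes takes a separate pipe per client, which matches the assumption made in the post.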

        stompro

        Hello,
          I am seeing the same problems as rojocesar.  I can have the captive portal working fine.  IPs given out.  Splash page shown.  If I add the pair of limiters to the default wireless interface rule, then all traffic stops because the client cannot get to the splash page, and no connections can be made.

        If I first click through the splash page, and an entry for that client is made in the captive portal db first, and then I add the pipes to the default rule, everything works just fine.  So the pipes must be interfering with the redirection to the splash page.  Maybe that is why someone designed the built-in limiter for the captive portal in the first place.  I'm inclined to just use the built-in one for now, since that works.

        Josh

          eri--

          Can you try a snapshot later than this post message and see if it fixes things?

            eri--

            BTW, CP has its own shaper because you can use it with RADIUS settings etc., and you may want to do some very advanced shaping on boxes with multiple interfaces with limiter, ALTQ and CP ones.

              rojocesar

              I use the last snapshots from pfSense and it doesn't work... still the problem...

                eri--

                You have to wait; the snapshots are not that fast.
                Try a snapshot after at least 5+ hours :)

                  stompro

                  @ermal:

                  BTW, CP has its own shaper because you can use it with RADIUS settings etc., and you may want to do some very advanced shaping on boxes with multiple interfaces with limiter, ALTQ and CP ones.

                  Ermal, do you know if the CP shaper is providing per user limits or per host?  If the CP is documented somewhere could you provide a link or a hint to that documentation?
                  Thanks
                  Josh

                    eri--

                    It's per user IP, so basically it's per IP.

                      rojocesar

                      I cannot download the last version of pfSense 2.0 alpha   :'( How long do I have to wait?  I want to use and prove captive portal with limiter  :'( :'( :'( :'( :'( :'( :'( :'(

                        rojocesar

                        @ermal:

                        You have to wait; the snapshots are not that fast.
                        Try a snapshot after at least 5+ hours :)

                        Dear Ermal, I wonder if the last snapshot is from July 26? Or maybe I have to wait a couple of days  :-[

                          eri--

                          Can I have any feedback on this?

                            rojocesar

                            I am so sorry, I was travelling in a place where there is no internet, and I arrived yesterday and prove the last version of pfSense 2.0 and see that there is a problem with the limiter; it doesn't work, I don't know why. Can anybody help me or fix this problem???

                              eri--

                              Provide output of commands:
                              ipfw show
                              ipfw table 3 list
                              ipfw table 4 list
                              ipfw table 1 list
                              ipfw table 2 list
                              ipfw pipe show
                              ifconfig
                              sysctl -a | grep pfil
                              kldstat

                              Related logs

                                stompro

                                I'm using 2.0-ALPHA-ALPHA built on Sat Aug 22 01:39:53 UTC 2009 FreeBSD 7.2-RELEASE-p3 nanobsd.  The built-in limiter setup with captive portal works just fine.  Set it up on the captive portal page and each client is limited to that amount of bandwidth.

                                When I set up a set of limiters for LAN and assign LAN clients to it, it also works just fine.

                                I guess I don't see the point of assigning a set of limiters to the captive portal port since the built in one does the same thing, and works.  Unless you only want certain traffic to go through the limiter.  rojocesar, is that what you are trying to do?
                                Josh

                                  rojocesar

                                  Well, I know that captive portal has a limiter per user, but I want to use the limiter from Traffic Shaper. Why? Because I want to use rules in the firewall; in the firewall I want to give rules for each port, for example limiter 600kbps only port 80 and port 443 (internet) and give rules limiter 200kbps all of them.
                                  Hi Ermal, here I send your information.
                                  Now when I set up limiter and captive portal there is ping to my DNS (here I send a picture), but when I connect to any webpage, nothing (here I send another picture).
                                  I hope that all is OK. I send you a hug from Peru, and thanks for your words, stompro.
                                  ….
                                  More information: I only set up the limiter and it doesn't work.

                                  ![reply from my dns.JPG](/public/imported_attachments/1/reply from my dns.JPG)
                                  ![captive and limiter.JPG](/public/imported_attachments/1/captive and limiter.JPG)
                                  [$ ifconfig.txt](/public/imported_attachments/1/$ ifconfig.txt)
                                  [$ ipfw pipe show.txt](/public/imported_attachments/1/$ ipfw pipe show.txt)
                                  [$ ipfw show.txt](/public/imported_attachments/1/$ ipfw show.txt)
                                  [$ ipfw table list.txt](/public/imported_attachments/1/$ ipfw table list.txt)
                                  [$ kldstat.txt](/public/imported_attachments/1/$ kldstat.txt)
                                  [$ sysctl -a l grep pfil.txt](/public/imported_attachments/1/$ sysctl -a l grep pfil.txt)

                                    stompro

                                    rojocesar,

                                    I just want to be sure I know what you are trying to do.  Are you talking about per client limits or per pipe limits?

                                    For port 80 and 443 you want 600kbps per client.
                                    For the default allow you want 200kbps per client.

                                    Let me know if you really mean to limit all clients to 600kbps.

                                    I wonder if your port 80 rule is interfering with the captive portal redirection of port 80 traffic.  If you take out the rule for port 80, leave in the rule for port 443 and the default, do you have any luck?  Does https traffic get limited like you want?

                                    Ermal, what order do ipfw and pf rules get evaluated?  Does it go through the ipfw rules first, and then the pf rules?
                                    Josh

                                      rojocesar

                                      This is an example:
                                      For port 80 and 443 I want 400Kbps per client
                                      For other ports I want 100Kbps per client
                                      But in the firewall I can give more rules.

                                      Captive portal doesn't use port 80, it uses port 8000.
                                      The other versions of pfSense 2.0 work fine (excellent)  8) , but I want to use captive portal; when I set captive portal up, nothing works  >:( .
                                      pfSense is excellent but I need to use captive portal and limiter. I hope that Ermal can fix this problem  :'(

                                        stompro

                                        The captive portal rules automatically redirect port 80 connections to port 8000 or 8001 for clients that are not authenticated.  That is how the splash page works.

                                        Run "ipfw list" and look for this line.

                                        01990 fwd 127.0.0.1,8000 tcp from any to any dst-port 80 in
                                        
                                        

                                        That forwards all connections with a destination port of 80 coming in the CP interface to localhost port 8000.  So it does use port 80  :P
                                        Josh

                                          stompro

                                          I just set up a config just like you described.

                                          Port 80 traffic limited to 100kbit per user.

                                          All other traffic limited to 500kbit per user.

                                          When I connect a client, the splash page comes up, I'm able to log in, and I can confirm that my port 80 traffic is being limited to 100kbit.

                                          I'm using
                                          2.0-ALPHA-ALPHA
                                          built on Sat Aug 22 01:39:53 UTC 2009
                                          FreeBSD 7.2-RELEASE-p3 Nanobsd.

                                          Can you get it to work if you just limit all traffic to a certain speed?  I'm wondering if you can simplify your config until you get something that works, and then add in more complexity to try and figure out what element is causing the problem.

                                          Josh

                                            rojocesar

                                            All can be simplified if captive portal and limiter work, but at the moment I can only use the limiter of captive portal…  :'( I hope that Ermal fixes it all.
