Netgate Discussion Forum

    Captive Portal-Xeon Server-Issue

      sankarklm

      Hi

      I have a strange issue to report and wish to have your valid suggestions. I have installed RC1 on a Xeon server; installation went smoothly. In the normal case, with NAT enabled, things work fine. Once the captive portal has been enabled with local DB or RADIUS, authentication works fine but users are not able to browse. When I checked the ipfw tables, no new entry regarding captive portal masq had been added. The same CD works fine with low-config systems like i3/Core 2 Duo. In fact, I tested with the latest CD and two different Xeon servers. Any suggestions?

        Nachtfalke

        Hi,

        I am using a Xeon server, too.

        I haven't tried it with captive portal on this machine yet, and my next chance will be on Tuesday.
        If you have two LAN interfaces and you enable Captive Portal on only one interface, can no one browse the web, or only users on the captive portal interface?

          sankarklm

          No one can browse…..

            Nachtfalke

            Hi,

            I tried it with this snapshot:
            2.0-RC2 (amd64) built on Tue Jun 7 06:12:50 EDT 2011

            this CPU:
            Intel(R) Xeon(R) CPU E5506 @ 2.13GHz

            intel NIC Port.

            I am running no NAT, just routing only.
            SQUID 2.7
            freeRADIUS
            nmap
            iperf

            One WAN connection (igb0)
            One LAN connection (without VLANs) on igb1
            One LAN connection (only 6 VLANs) on igb2

            I enabled captive portal (User auth) on one VLAN6:
            could browse the web on igb1
            could browse the web on igb2/VLAN6 after entering the username/password.
            could browse the web on igb2/VLANx

            Hope this will help you in any way.

              sankarklm

              The issue persists only with ver. 2.0. Even using local DB it's not working. In both cases authentication happens successfully but browsing does not work.

                sankarklm

                Can anyone throw some light on it?

                  wallabybob

                  @sankarklm:

                  Even using local DB it's not working. In both cases authentication happens successfully but browsing does not work.

                  What happens after you enter the authentication details? What do you expect to see?

                    sankarklm

                    I can see the user has been authenticated successfully [in both cases, RADIUS or local DB], but browsing doesn't happen. On the same hardware 1.2.3 works like a charm. Ver 2.0 seems to be more hardware-centric, as even CP doesn't work on a few Core 2 Duo based machines...

                      cmb

                      CP has 0 relevance to the hardware you're running on, and has been widely deployed on 2.0 for years. There isn't enough info here to tell you why it's not working in your case. If you can post your sanitized config that may be helpful.

                        sankarklm

                        The only point that comes to my mind is that NAT rules are not being created properly, as the logged-in user couldn't even reach the WAN side of the server.

                        Server config will be posted soon. Currently using the latest version of pfSense.

                            sankarklm

                            ipfw list
                            65291 allow pfsync from any to any
                            65292 allow carp from any to any
                            65301 allow ip from any to any layer2 mac-type 0x0806
                            65302 allow ip from any to any layer2 mac-type 0x888e
                            65303 allow ip from any to any layer2 mac-type 0x88c7
                            65304 allow ip from any to any layer2 mac-type 0x8863
                            65305 allow ip from any to any layer2 mac-type 0x8864
                            65306 allow ip from any to any layer2 mac-type 0x888e
                            65307 deny ip from any to any layer2 not mac-type 0x0800
                            65310 allow ip from any to { 255.255.255.255 or 192.168.1.1 } in
                            65311 allow ip from { 255.255.255.255 or 192.168.1.1 } to any out
                            65312 allow icmp from { 255.255.255.255 or 192.168.1.1 } to any out icmptypes 0
                            65313 allow icmp from any to { 255.255.255.255 or 192.168.1.1 } in icmptypes 8
                            65314 allow ip from table(3) to any in
                            65315 allow ip from any to table(4) out
                            65316 pipe tablearg ip from table(5) to any in
                            65317 pipe tablearg ip from any to table(6) out

                            I am experiencing this issue with a few more systems. Comparing with ver 1.2.3, I have noticed that in 2.0 no new rules are created when a user logs in, for example:

                            10001 pipe 55501 ip from any to 10.108.120.115 out
                            10002 pipe 50502 ip from 10.108.120.150 to any in

                            Please advise what else I have to check.

                              cmb

                              Users get added to one of the tables, they no longer get their own ipfw rules. List the tables to see what's permitted.
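
The check cmb describes, as an added example that is not part of the original thread: it pulls the table-based rules out of an `ipfw list` dump and reports, per table, whether a given client address is present. The four rules are copied from the post above; the table contents and the helper names (`table_dump`, `table_rules`, `host_in_dump`, `check_client`) are constructed for illustration, and only exact /32 host entries are matched.

```shell
#!/bin/sh
# Added example: verify captive portal table membership instead of
# looking for per-user ipfw rules.

# The four table-based rules from the "ipfw list" output posted above.
RULES='65314 allow ip from table(3) to any in
65315 allow ip from any to table(4) out
65316 pipe tablearg ip from table(5) to any in
65317 pipe tablearg ip from any to table(6) out'

# Constructed stand-in for "ipfw table N list" (format: address/masklen value).
# On a live firewall, replace the body with: ipfw table "$1" list
table_dump() {
    case "$1" in
        3|4) printf '%s\n' '10.108.120.115/32 0' ;;
        *)   : ;;   # tables 5 and 6 are empty in this sample
    esac
}

# Print "table action direction" for every rule that references a table.
table_rules() {
    printf '%s\n' "$1" | awk '
        match($0, /table\([0-9]+\)/) {
            # skip the 6 characters of "table(" and drop the closing ")"
            t = substr($0, RSTART + 6, RLENGTH - 7)
            print t, $2, $NF
        }'
}

# Succeed if host $1 appears as a /32 entry in the table dump on stdin.
host_in_dump() {
    awk -v ip="$1" '$1 == ip "/32" { found = 1 } END { exit !found }'
}

# Report, for each table rule, whether the client address is in that table.
check_client() {
    client=$1
    table_rules "$RULES" | while read -r tbl action dir; do
        if table_dump "$tbl" | host_in_dump "$client"; then
            echo "table $tbl ($action $dir): present"
        else
            echo "table $tbl ($action $dir): absent"
        fi
    done
}

# An authenticated client in the sample, then one that never logged in.
check_client 10.108.120.115
check_client 10.108.120.150
```

A client that authenticated but is absent from every table points at the portal's login handling rather than at NAT or the static rules.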
