Anyone else running a WiSP and using pfSense?
-
You could check Radius Manager (http://www.dmasoftlab.com/) but keep in mind that certain key features are NAS-specific. E.g. Radius Manager has a feature called "instant access service" that allows a user to create a Hotspot-account on the fly, after paying first. But for this feature to work, one would obviously need to add certain sites to captive portal's walled-garden, incl. wildcard domain matches for *.akamaiedge.net servers.
Check the filter by hostname/fqdn threads to understand the issues involved. Latest pfsense2 has a daemon that resolves hostnames into IPs periodically, but I'd have to check to see if CP can be configured to allow traffic to the entire akamai IP range (if you plan to use a payment gateway that uses it).
Thanks for this. I have actually contacted them to do a demo. They are telling me that their software works best with Mikrotik, and not so great with pfsense… not sure what to do now.. Can I somehow use both Mikrotik and pfSense?
-
Don't be too quick to try pfSense 2.0-RELEASE.. my captive portal worked perfectly before the upgrade to 2.0-RELEASE.. now I am having people bypass the CP and go straight onto the net.. big bug in my opinion.
I've noticed you posting about having problems, but IIRC you were just using the MAC-passthrough feature and manually adding/removing MACs.
You'll need to provide more info about your config and ipfw settings (/tmp/ipfw.cp.rules, ipfw show, ipfw table all list), for anyone to attempt a diagnosis.
-
dhatz I am not sure what you are saying.. don't know what those ipfw commands you mention are. I have posted about this in another thread I mentioned.. but no one assisted, just someone else saying they have also got the same problem.
If I run: /tmp/ipfw.cp.rules it tells me I don't have permission (logged in as root)
ipfw table all list I get nothing.. it just goes to a new prompt..
ipfw show and I get:
00002 4332989 5006773709 pipe 20003 ip from any to any MAC 00:05:9e:84:e6:20 any
00003 3075455 310604103 pipe 20002 ip from any to any MAC any 00:05:9e:84:e6:20
00004 9842576 7583812500 allow ip from any to any MAC 00:0c:29:13:78:e0 any
00005 9631009 1639719585 allow ip from any to any MAC any 00:0c:29:13:78:e0
00006 0 0 allow ip from any to any MAC 00:0c:29:41:51:16 any
00007 0 0 allow ip from any to any MAC any 00:0c:29:41:51:16
00008 2667 210140 allow ip from any to any MAC 00:0c:29:a3:32:e0 any
00009 222347 10321860 allow ip from any to any MAC any 00:0c:29:a3:32:e0
00010 0 0 pipe 20011 ip from any to any MAC 00:0c:29:a4:2c:51 any
00011 0 0 pipe 20010 ip from any to any MAC any 00:0c:29:a4:2c:51
00012 16154 1302958 pipe 20013 ip from any to any MAC 00:15:6d:4e:4e:1a any
00013 25416 2561760 pipe 20012 ip from any to any MAC any 00:15:6d:4e:4e:1a
00014 0 0 allow ip from any to any MAC 00:18:8b:4b:ed:f8 any
00015 0 0 allow ip from any to any MAC any 00:18:8b:4b:ed:f8
00016 5937 820358 allow ip from any to any MAC 00:18:8b:4b:ed:fa any
00017 21567 5593215 allow ip from any to any MAC any 00:18:8b:4b:ed:fa
00018 0 0 allow ip from any to any MAC 00:1b:b9:6f:25:06 any
00019 0 0 allow ip from any to any MAC any 00:1b:b9:6f:25:06
00020 2271099 2114454968 pipe 20021 ip from any to any MAC 00:1c:26:a9:fc:f4 any
00021 1975314 471339914 pipe 20020 ip from any to any MAC any 00:1c:26:a9:fc:f4
00022 126 12583 pipe 20023 ip from any to any MAC 00:26:66:03:23:af any
00023 206 14510 pipe 20022 ip from any to any MAC any 00:26:66:03:23:af
00024 622301 524288168 pipe 20025 ip from any to any MAC 00:26:ce:0f:57:35 any
00025 459052 66340065 pipe 20024 ip from any to any MAC any 00:26:ce:0f:57:35
00026 330032 26467120 allow ip from any to any MAC 04:4f:aa:33:53:f0 any
00027 469297 274555701 allow ip from any to any MAC any 04:4f:aa:33:53:f0
00028 325160 26040717 allow ip from any to any MAC 04:4f:aa:33:5c:b0 any
00029 457004 267463375 allow ip from any to any MAC any 04:4f:aa:33:5c:b0
00030 7568554 5860475360 pipe 20031 ip from any to any MAC 08:10:74:75:7d:44 any
00031 7516046 4757064328 pipe 20030 ip from any to any MAC any 08:10:74:75:7d:44
00032 3518218 3854560400 pipe 20033 ip from any to any MAC 08:10:74:75:7f:06 any
00033 2568860 365464108 pipe 20032 ip from any to any MAC any 08:10:74:75:7f:06
00034 115475 131312084 pipe 20035 ip from any to any MAC 08:10:74:75:84:be any
00035 72804 7707477 pipe 20034 ip from any to any MAC any 08:10:74:75:84:be
00036 0 0 pipe 20037 ip from any to any MAC 08:10:74:c8:46:86 any
00037 0 0 pipe 20036 ip from any to any MAC any 08:10:74:c8:46:86
00038 1474309 1939345218 pipe 20039 ip from any to any MAC 08:10:74:75:8b:e6 any
00039 894634 72499724 pipe 20038 ip from any to any MAC any 08:10:74:75:8b:e6
00040 565946 417136068 pipe 20041 ip from any to any MAC 08:10:74:75:8f:3c any
00041 429217 75869270 pipe 20040 ip from any to any MAC any 08:10:74:75:8f:3c
00042 2985854 3239996369 pipe 20043 ip from any to any MAC 08:10:74:75:90:32 any
00043 1921277 217632925 pipe 20042 ip from any to any MAC any 08:10:74:75:90:32
00044 1288158 1706708950 pipe 20045 ip from any to any MAC 08:10:74:75:9a:9c any
00045 723971 74211447 pipe 20044 ip from any to any MAC any 08:10:74:75:9a:9c
00046 2002579 1943272834 pipe 20047 ip from any to any MAC 08:10:74:75:a5:06 any
00047 1013172 98836047 pipe 20046 ip from any to any MAC any 08:10:74:75:a5:06
00048 28290720 39669941815 pipe 20049 ip from any to any MAC 08:10:74:75:a8:80 any
00049 16095239 2111785148 pipe 20048 ip from any to any MAC any 08:10:74:75:a8:80
00050 166331 188546282 pipe 20051 ip from any to any MAC 08:10:74:75:ab:68 any
00051 103300 12669065 pipe 20050 ip from any to any MAC any 08:10:74:75:ab:68
00052 2300984 3172667786 pipe 20053 ip from any to any MAC 08:10:74:75:b1:4e any
00053 1418983 109118422 pipe 20052 ip from any to any MAC any 08:10:74:75:b1:4e
00054 5163631 6991035861 pipe 20055 ip from any to any MAC 08:10:74:75:b9:88 any
00055 3273357 266203334 pipe 20054 ip from any to any MAC any 08:10:74:75:b9:88
00056 3025463 1976128448 pipe 20057 ip from any to any MAC 08:10:74:75:bb:52 any
00057 2171779 280907648 pipe 20056 ip from any to any MAC any 08:10:74:75:bb:52
00058 459865 537204506 pipe 20059 ip from any to any MAC 08:10:74:75:a6:8c any
00059 277890 40061967 pipe 20058 ip from any to any MAC any 08:10:74:75:a6:8c
00060 0 0 pipe 20061 ip from any to any MAC 08:10:74:75:c5:d8 any
00061 0 0 pipe 20060 ip from any to any MAC any 08:10:74:75:c5:d8
00062 1873946 1953949464 pipe 20063 ip from any to any MAC 08:10:74:77:fe:7e any
00063 1636396 347991776 pipe 20062 ip from any to any MAC any 08:10:74:77:fe:7e
00064 2759491 3410703235 pipe 20065 ip from any to any MAC 08:10:74:78:08:8e any
00065 1595431 156613288 pipe 20064 ip from any to any MAC any 08:10:74:78:08:8e
00066 764212 807967272 pipe 20067 ip from any to any MAC 08:10:74:85:fd:48 any
00067 474708 64712594 pipe 20066 ip from any to any MAC any 08:10:74:85:fd:48
00068 4833764 6321102547 pipe 20069 ip from any to any MAC 08:10:74:86:02:6a any
00069 2655256 171925890 pipe 20068 ip from any to any MAC any 08:10:74:86:02:6a
00070 184133 178950476 pipe 20071 ip from any to any MAC 08:10:74:86:03:70 any
00071 128563 18067939 pipe 20070 ip from any to any MAC any 08:10:74:86:03:70
00072 2174920 348846173 pipe 20073 ip from any to any MAC 08:10:74:86:07:0e any
00073 3356930 3814734310 pipe 20072 ip from any to any MAC any 08:10:74:86:07:0e
00074 3578092 4460492829 pipe 20075 ip from any to any MAC 08:10:74:86:14:a6 any
00075 2585431 274397409 pipe 20074 ip from any to any MAC any 08:10:74:86:14:a6
00076 7462527 10502227054 pipe 20077 ip from any to any MAC 08:10:74:86:1a:22 any
00077 3952707 255584104 pipe 20076 ip from any to any MAC any 08:10:74:86:1a:22
00078 4286126 4185272568 pipe 20079 ip from any to any MAC 08:10:74:86:25:b6 any
00079 3421293 490149811 pipe 20078 ip from any to any MAC any 08:10:74:86:25:b6
00080 955203 732193600 pipe 20081 ip from any to any MAC 08:10:74:86:26:d6 any
00081 688034 139381334 pipe 20080 ip from any to any MAC any 08:10:74:86:26:d6
00082 1041003 1269900124 pipe 20083 ip from any to any MAC 08:10:74:86:29:82 any
00083 719576 70296111 pipe 20082 ip from any to any MAC any 08:10:74:86:29:82
00084 2241588 2871263310 pipe 20085 ip from any to any MAC 08:10:74:c8:c5:42 any
00085 1354726 214935886 pipe 20084 ip from any to any MAC any 08:10:74:c8:c5:42
00086 4736888 6161902089 pipe 20087 ip from any to any MAC 08:10:74:86:2e:36 any
00087 2664496 235005501 pipe 20086 ip from any to any MAC any 08:10:74:86:2e:36
00088 131322 115975933 pipe 20089 ip from any to any MAC 08:10:74:86:2f:42 any
00089 88701 16339203 pipe 20088 ip from any to any MAC any 08:10:74:86:2f:42
00090 1002356 987145289 pipe 20091 ip from any to any MAC 08:10:74:86:2f:d6 any
00091 727255 97393671 pipe 20090 ip from any to any MAC any 08:10:74:86:2f:d6
00092 1533181 1934887741 pipe 20093 ip from any to any MAC 08:10:74:86:30:5c any
00093 864980 82982534 pipe 20092 ip from any to any MAC any 08:10:74:86:30:5c
00094 0 0 pipe 20095 ip from any to any MAC 08:10:74:c8:00:00 any
00095 0 0 pipe 20094 ip from any to any MAC any 08:10:74:c8:00:00
00096 130061 168854494 pipe 20097 ip from any to any MAC 08:10:74:c8:bc:6c any
00097 73496 6046004 pipe 20096 ip from any to any MAC any 08:10:74:c8:bc:6c
00098 5137037 6155347004 pipe 20099 ip from any to any MAC 08:10:74:c8:c0:70 any
00099 2885155 558971080 pipe 20098 ip from any to any MAC any 08:10:74:c8:c0:70
00100 195441 185029323 pipe 20101 ip from any to any MAC 08:10:74:c8:c5:42 any
00101 155105 24313030 pipe 20100 ip from any to any MAC any 08:10:74:c8:c5:42
00102 13138 830143 pipe 20103 ip from any to any MAC 08:10:74:c8:c5:f4 any
00103 10808 1148591 pipe 20102 ip from any to any MAC any 08:10:74:c8:c5:f4
00104 15813 2527914 pipe 20105 ip from any to any MAC 08:10:74:c8:c9:fa any
00105 14031 1566746 pipe 20104 ip from any to any MAC any 08:10:74:c8:c9:fa
00106 1453843 1680267944 pipe 20107 ip from any to any MAC 08:10:74:c8:ce:58 any
00107 1039868 124427774 pipe 20106 ip from any to any MAC any 08:10:74:c8:ce:58
00108 478918 689777112 pipe 20109 ip from any to any MAC 08:10:74:c8:ce:68 any
00109 247947 12775142 pipe 20108 ip from any to any MAC any 08:10:74:c8:ce:68
00110 657883 555438755 pipe 20111 ip from any to any MAC 08:10:74:c8:da:b2 any
00111 452525 99963657 pipe 20110 ip from any to any MAC any 08:10:74:c8:da:b2
00112 722741 553149713 pipe 20113 ip from any to any MAC 08:10:74:c8:dc:74 any
00113 785433 203374557 pipe 20112 ip from any to any MAC any 08:10:74:c8:dc:74
00114 14722725 11822029016 pipe 20115 ip from any to any MAC 08:10:74:c8:de:94 any
00115 14176511 9000714251 pipe 20114 ip from any to any MAC any 08:10:74:c8:de:94
00116 458948 420041242 pipe 20117 ip from any to any MAC 08:10:74:c8:e0:b0 any
00117 343544 77904548 pipe 20116 ip from any to any MAC any 08:10:74:c8:e0:b0
00118 1311 411509 pipe 20119 ip from any to any MAC 08:10:74:c8:e0:e6 any
00119 886 70264 pipe 20118 ip from any to any MAC any 08:10:74:c8:e0:e6
00120 1010311 1218800362 pipe 20121 ip from any to any MAC 08:10:74:c8:e5:d0 any
00121 624559 76458597 pipe 20120 ip from any to any MAC any 08:10:74:c8:e5:d0
00122 1988198 2351126255 pipe 20123 ip from any to any MAC 08:10:74:c8:ed:f4 any
00123 1187285 118790792 pipe 20122 ip from any to any MAC any 08:10:74:c8:ed:f4
00124 14350111 20900275604 pipe 20125 ip from any to any MAC 08:10:74:c8:f0:6a any
00125 7247990 347228464 pipe 20124 ip from any to any MAC any 08:10:74:c8:f0:6a
00126 103746 109188989 pipe 20127 ip from any to any MAC 08:10:74:c8:f0:a6 any
00127 64535 6460202 pipe 20126 ip from any to any MAC any 08:10:74:c8:f0:a6
00128 1103923 1198607577 pipe 20129 ip from any to any MAC 08:10:74:c8:f3:aa any
00129 786784 106228806 pipe 20128 ip from any to any MAC any 08:10:74:c8:f3:aa
00130 910998 1175609674 pipe 20131 ip from any to any MAC 08:10:74:c8:f6:8e any
00131 520111 79062272 pipe 20130 ip from any to any MAC any 08:10:74:c8:f6:8e
00132 1026676 1001090013 pipe 20133 ip from any to any MAC 08:10:74:c8:f7:e2 any
00133 809725 176497032 pipe 20132 ip from any to any MAC any 08:10:74:c8:f7:e2
00134 4602213 5479895709 pipe 20135 ip from any to any MAC 08:10:74:c8:f8:9c any
00135 3085460 525300497 pipe 20134 ip from any to any MAC any 08:10:74:c8:f8:9c
00136 923329 1144883035 pipe 20137 ip from any to any MAC 08:10:74:c8:f8:aa any
00137 615328 46524778 pipe 20136 ip from any to any MAC any 08:10:74:c8:f8:aa
00138 568334 296974594 pipe 20139 ip from any to any MAC 08:10:74:c8:fa:14 any
00139 490189 91737144 pipe 20138 ip from any to any MAC any 08:10:74:c8:fa:14
00140 8981296 9393993251 pipe 20141 ip from any to any MAC 08:10:74:c8:fa:40 any
00141 6054045 590900973 pipe 20140 ip from any to any MAC any 08:10:74:c8:fa:40
00142 1644037 1904953778 pipe 20143 ip from any to any MAC 08:10:74:c8:fa:4c any
00143 1032831 145128109 pipe 20142 ip from any to any MAC any 08:10:74:c8:fa:4c
00144 853769 868850701 pipe 20145 ip from any to any MAC 08:10:74:c8:fa:5c any
00145 645901 93591692 pipe 20144 ip from any to any MAC any 08:10:74:c8:fa:5c
00146 4320838 4499445123 pipe 20147 ip from any to any MAC 08:10:74:c8:fd:b2 any
00147 2905435 749661585 pipe 20146 ip from any to any MAC any 08:10:74:c8:fd:b2
00148 474845 516573968 pipe 20149 ip from any to any MAC 08:10:74:c8:dd:b8 any
00149 296075 36403578 pipe 20148 ip from any to any MAC any 08:10:74:c8:dd:b8
00150 1439 393932 pipe 20151 ip from any to any MAC 08:10:74:c8:f6:ac any
00151 748 74389 pipe 20150 ip from any to any MAC any 08:10:74:c8:f6:ac
00152 7476571 6214598572 pipe 20153 ip from any to any MAC 08:10:74:c9:00:cc any
00153 5954648 2546952560 pipe 20152 ip from any to any MAC any 08:10:74:c9:00:cc
00154 3181630 4062422740 pipe 20155 ip from any to any MAC 08:10:74:c9:01:f0 any
00155 1883407 165582295 pipe 20154 ip from any to any MAC any 08:10:74:c9:01:f0
00156 49210 32270556 pipe 20157 ip from any to any MAC 08:10:74:c9:02:6c any
00157 34342 6889467 pipe 20156 ip from any to any MAC any 08:10:74:c9:02:6c
00158 13877616 17589938436 pipe 20159 ip from any to any MAC 08:10:74:c9:02:9e any
00159 8831606 1230984896 pipe 20158 ip from any to any MAC any 08:10:74:c9:02:9e
00160 4065141 5326504356 pipe 20161 ip from any to any MAC 08:10:74:c9:04:72 any
00161 2352751 225342377 pipe 20160 ip from any to any MAC any 08:10:74:c9:04:72
00162 0 0 pipe 20163 ip from any to any MAC 08:10:74:c8:59:16 any
00163 0 0 pipe 20162 ip from any to any MAC any 08:10:74:c8:59:16
00164 276006 216198548 pipe 20165 ip from any to any MAC 08:10:74:c8:e0:92 any
00165 222463 35028691 pipe 20164 ip from any to any MAC any 08:10:74:c8:e0:92
00166 877308 540245232 pipe 20167 ip from any to any MAC 90:00:4e:5a:5a:7f any
00167 692340 86802756 pipe 20166 ip from any to any MAC any 90:00:4e:5a:5a:7f
00168 0 0 allow ip from any to any MAC a4:ba:db:3d:24:5a any
00169 0 0 allow ip from any to any MAC any a4:ba:db:3d:24:5a
00170 48128 4248350 allow ip from any to any MAC ac:67:06:37:90:60 any
00171 48765 5809853 allow ip from any to any MAC any ac:67:06:37:90:60
00172 48273 4255706 allow ip from any to any MAC ac:67:06:37:91:90 any
00173 48831 5775983 allow ip from any to any MAC any ac:67:06:37:91:90
00174 207 45439 pipe 20175 ip from any to any MAC b8:70:f4:92:0f:2e any
00175 437 44620 pipe 20174 ip from any to any MAC any b8:70:f4:92:0f:2e
00176 199 55265 pipe 20177 ip from any to any MAC f8:7b:7a:3a:ce:7f any
00177 218 50668 pipe 20176 ip from any to any MAC any f8:7b:7a:3a:ce:7f
00178 9250394 1277797068 pipe 20179 ip from any to any MAC c8:3a:35:d2:53:cf any
00179 14148558 14986388983 pipe 20178 ip from any to any MAC any c8:3a:35:d2:53:cf
00180 0 0 pipe 20181 ip from any to any MAC 08:10:74:86:26:fe any
00181 246 14496 pipe 20180 ip from any to any MAC any 08:10:74:86:26:fe
00182 0 0 pipe 20183 ip from any to any MAC 08:10:74:c8:06:ac any
00183 0 0 pipe 20182 ip from any to any MAC any 08:10:74:c8:06:ac
00184 954445 682284918 allow ip from any to any MAC 00:1e:64:52:a0:16 any
00185 1186802 1104938693 allow ip from any to any MAC any 00:1e:64:52:a0:16
00186 0 0 pipe 20187 ip from any to any MAC 08:10:74:75:98:9e any
00187 458 24248 pipe 20186 ip from any to any MAC any 08:10:74:75:98:9e
00188 0 0 pipe 20189 ip from any to any MAC 08:10:74:c8:e9:6c any
00189 62 15572 pipe 20188 ip from any to any MAC any 08:10:74:c8:e9:6c
00190 15236 17844494 pipe 20191 ip from any to any MAC 1c:65:9d:b3:75:42 any
00191 11055 1464218 pipe 20190 ip from any to any MAC any 1c:65:9d:b3:75:42
00192 0 0 pipe 20193 ip from any to any MAC 00:27:22:2e:11:65 any
00193 2051 160090 pipe 20192 ip from any to any MAC any 00:27:22:2e:11:65
00194 87117 128987267 allow ip from any to any MAC 00:0c:29:44:04:2d any
00195 51242 2831873 allow ip from any to any MAC any 00:0c:29:44:04:2d
00196 0 0 pipe 20197 ip from any to any MAC 08:10:74:c8:bd:14 any
00197 10 2580 pipe 20196 ip from any to any MAC any 08:10:74:c8:bd:14
00198 0 0 pipe 20199 ip from any to any MAC 08:10:74:75:98:9e any
00199 0 0 pipe 20198 ip from any to any MAC any 08:10:74:75:98:9e
00200 0 0 pipe 20201 ip from any to any MAC 08:10:74:86:2f:42 any
00201 0 0 pipe 20200 ip from any to any MAC any 08:10:74:86:2f:42
00202 0 0 pipe 20203 ip from any to any MAC 08:10:74:c8:1d:b8 any
00203 0 0 pipe 20202 ip from any to any MAC any 08:10:74:c8:1d:b8
65291 0 0 allow pfsync from any to any
65292 0 0 allow carp from any to any
65301 20191 738580 allow ip from any to any layer2 mac-type 0x0806
65302 0 0 allow ip from any to any layer2 mac-type 0x888e
65303 0 0 allow ip from any to any layer2 mac-type 0x88c7
65304 0 0 allow ip from any to any layer2 mac-type 0x8863
65305 0 0 allow ip from any to any layer2 mac-type 0x8864
65306 0 0 allow ip from any to any layer2 mac-type 0x888e
65307 18936 1012360 deny ip from any to any layer2 not mac-type 0x0800
65310 49077 9426797 allow ip from any to { 255.255.255.255 or 192.168.10.1 or 192.168.5.1 } in
65311 927 569345 allow ip from { 255.255.255.255 or 192.168.10.1 or 192.168.5.1 } to any out
65312 0 0 allow icmp from { 255.255.255.255 or 192.168.10.1 or 192.168.5.1 } to any out icmptypes 0
65313 0 0 allow icmp from any to { 255.255.255.255 or 192.168.10.1 or 192.168.5.1 } in icmptypes 8
65314 0 0 allow ip from table(3) to any in
65315 0 0 allow ip from any to table(4) out
65316 0 0 pipe tablearg ip from table(5) to any in
65317 0 0 pipe tablearg ip from any to table(6) out
65318 0 0 allow ip from any to table(7) in
65319 0 0 allow ip from table(8) to any out
65320 0 0 pipe tablearg ip from any to table(9) in
65321 0 0 pipe tablearg ip from table(10) to any out
65322 0 0 pipe tablearg ip from table(1) to any in
65323 0 0 pipe tablearg ip from any to table(2) out
65531 746 71739 fwd 127.0.0.1,8000 tcp from any to any in
65532 643 154006 allow tcp from any to any out
65533 92768 19184302 deny ip from any to any
65534 0 0 allow ip from any to any layer2
65535 86 79613 allow ip from any to any
-
Well, the idea was to check whether the MAC-addresses you wanted blocked are actually still in the 'ipfw show' list you just posted, even though you've removed them from the MAC-pass-through page of pfsense's webGUI.
-
Thanks for this. I have actually contacted them to do a demo. They are telling me that their software works best with Mikrotik, and not so great with pfsense… not sure what to do now.. Can I somehow use both Mikrotik and pfSense?
I'm using pfSense (failover & SIP proxy) + MikroTik (PPPoE) and Ubiquiti Rocket M5 as AP; for CPE: NanoStation, NanoStation Loco & NanoBridge (all 5M series), and Linksys SPA2102 for clients with VoIP service. I do the PPPoE & traffic shaping at the CPE.
-
Well, the idea was to check whether the MAC-addresses you wanted blocked are actually still in the 'ipfw show' list you just posted, even though you've removed them from the MAC-pass-through page of pfsense's webGUI.
Ah ok, I see.. I will check that. Thank you.
Is it strange that the other ipfw commands that you mentioned before didn't do anything when I ran them?
-
Is it strange that the other ipfw commands that you mentioned before didn't do anything when I ran them?
Well, perhaps I wasn't clear enough
/tmp/ipfw.cp.rules is a text-file that contains the ipfw configuration, so you just check its contents (using vi, more etc)
ipfw table all list was to check if you had any entries in ipfw tables. Since it came back empty, it means you don't (which is to be expected, since you only use MAC passthrough). So, as I wrote above, you need to check whether any MAC-addresses you want blocked are still in the 'ipfw show' list. And you need to check that you haven't disabled MAC filtering.
-
What about MAC addr 08:10:74:75:98:9e which seems to appear in two rule pairs?
00186 0 0 pipe 20187 ip from any to any MAC 08:10:74:75:98:9e any
00187 458 24248 pipe 20186 ip from any to any MAC any 08:10:74:75:98:9e
[…]
00198 0 0 pipe 20199 ip from any to any MAC 08:10:74:75:98:9e any
00199 0 0 pipe 20198 ip from any to any MAC any 08:10:74:75:98:9e
What is the result of
fgrep 08:10:74:75:98:9e /cf/conf/config.xml
-
luke (or anyone else who is regularly adding/removing MACs from CP's MAC-passthrough page), could you please check your router's ipfw show output for:
- MACs that appear in more than one rule pair (as shown in the excerpt above)
- multiple lines with the same rule number (as shown in issue #1958)
TIA
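As an added example (my own, not code from the thread or from pfSense), here is the check dhatz asks for above written as a script: it parses `ipfw show` output and reports MACs present in more than one rule pair, entries with only one direction left, and duplicated rule numbers. The sample input is constructed in the format quoted earlier in the thread; `audit_cp_rules.py` is an assumed file name.

```python
import re
import sys
from collections import defaultdict

# Matches the per-MAC rules the pfSense 2.0 captive portal installs for
# MAC passthrough entries, as printed by `ipfw show`:
#   <ruleno> <pkts> <bytes> <allow | pipe N> ip from any to any MAC <dst> <src>
MAC_RULE = re.compile(
    r"^(?P<ruleno>\d+)\s+\d+\s+\d+\s+(?P<action>allow|pipe\s+\d+)\s+"
    r"ip from any to any MAC (?P<dst>\S+) (?P<src>\S+)$"
)

# Constructed sample in `ipfw show` format. The 98:9e rules copy the excerpt
# quoted in the thread (one MAC in two rule pairs); the duplicated rule number
# 00200 and the lone rule 00210 are made up to exercise the other two checks.
SAMPLE_IPFW_SHOW = """\
00002 4332989 5006773709 pipe 20003 ip from any to any MAC 00:05:9e:84:e6:20 any
00003 3075455 310604103 pipe 20002 ip from any to any MAC any 00:05:9e:84:e6:20
00186 0 0 pipe 20187 ip from any to any MAC 08:10:74:75:98:9e any
00187 458 24248 pipe 20186 ip from any to any MAC any 08:10:74:75:98:9e
00198 0 0 pipe 20199 ip from any to any MAC 08:10:74:75:98:9e any
00199 0 0 pipe 20198 ip from any to any MAC any 08:10:74:75:98:9e
00200 0 0 pipe 20201 ip from any to any MAC 08:10:74:86:2f:42 any
00200 0 0 pipe 20200 ip from any to any MAC any 08:10:74:86:2f:42
00210 0 0 allow ip from any to any MAC 00:11:22:33:44:55 any
65307 18936 1012360 deny ip from any to any layer2 not mac-type 0x0800
65535 86 79613 allow ip from any to any
"""


def parse_mac_rules(text):
    """Return a list of (ruleno, action, mac) for each MAC passthrough rule.

    Non-MAC rules (layer2, table(), fwd, the final allow/deny) are skipped.
    """
    rules = []
    for line in text.splitlines():
        m = MAC_RULE.match(line.strip())
        if not m:
            continue
        # ipfw prints "MAC dst src"; the passthrough MAC is whichever side is not "any"
        mac = m.group("src") if m.group("dst") == "any" else m.group("dst")
        rules.append((int(m.group("ruleno")), m.group("action"), mac.lower()))
    return rules


def audit_ipfw_show(text):
    """Flag the inconsistencies a passthrough edit can leave behind.

    A healthy entry is exactly two rules (one per direction) with unique numbers.
    """
    by_mac = defaultdict(list)
    ruleno_count = defaultdict(int)
    for ruleno, _action, mac in parse_mac_rules(text):
        by_mac[mac].append(ruleno)
        ruleno_count[ruleno] += 1
    return {
        # same MAC installed more than once: stale rules survived a delete
        "multi_pair": {mac: sorted(n) for mac, n in by_mac.items() if len(n) > 2},
        # only one direction left: the other half was removed with a neighbour
        "unpaired": {mac: n for mac, n in by_mac.items() if len(n) == 1},
        # two rules share a number: `ipfw delete <n>` removes both of them
        "duplicate_rulenos": {n: c for n, c in ruleno_count.items() if c > 1},
    }


if __name__ == "__main__":
    # Feed real output with:  ipfw show | python3 audit_cp_rules.py
    source = SAMPLE_IPFW_SHOW if sys.stdin.isatty() else sys.stdin.read()
    for kind, found in audit_ipfw_show(source).items():
        print(f"{kind}: {found if found else 'none'}")
```

An empty result for all three keys means every passthrough MAC has exactly its two rules and no rule number is reused.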
-
Just a quick reply to let you know I am traveling at the moment and will check this out and post back as soon as I am back home
-
If you're using MAC passthrough and deleting entries, it will delete the one you specify but it also deletes part of others, which will break their access. Ticket here: http://redmine.pfsense.org/issues/1976
Workaround: hit Save under Status > Captive Portal to correctly reload.
-
dhatz, could you tell me how I do this? There is a lot more data than I can see on screen when I run ipfw show.. can you pipe it through more to see a screen at a time?
I hope we can sort this out, I am getting to a point where this is causing problems. My network is open, relying on the Captive Portal catching people who connect. Currently, every new connection is getting online without being authenticated via CP.. they are somehow just passing by. This is only happening on the outdoor clients connecting through my outdoor AP (which is on the LAN interface) but people connecting through my office AP (connected on the OPT1 interface) are getting stopped by the CP login page.
We are currently adding more and more clients, but I am having to hide my SSID currently to try and stop unwanted people using the network.. what I really need is that SSID broadcasting cause it is a good way for us to get more clients when people see it and phone us up.
-
Any more ideas here?
-
I suspect CP on LAN might be a fairly uncommon configuration and consequently not well tested.
You do have CP enabled on BOTH LAN and OPT1? If so, can you move the offending AP to (say) OPT2.
-
It was all working until I did the upgrade to 2.0-RELEASE.
I don't have an Opt2 interface. Only WAN, LAN and OPT1. I will try swapping the AP from LAN to OPT1 and see if it works, just to see if the issue is the AP or the Captive Portal.. cause as I said before, on OPT1 currently I have just a small indoor WAP, and the Captive portal works.. but for my outdoor Ruckus AP it isn't anymore.
-
It was all working until I did the upgrade to 2.0-RELEASE.
Upgrades can sometimes change the configuration file. Do you have CP enabled on LAN?
-
Yes, it is as it was before the upgrade. I have CP enabled on both LAN and OPT1
-
CP works fine on LAN and is extensively used and tested there. Probably want to gitsync to RELENG_2_0, or wait for 2.0.1 that will be coming this week, if you're using a lot of MAC passthroughs and editing them frequently since we fixed an issue there.
-
And I am guessing not go the upgrade route? Do a clean install? I don't mind if I have to do that, just a lot more work and I have the problem that I want to keep all cache and lightsquid logs..
-
luke, if you're in a hurry, you could also manually apply the bugfix, it's this one:
https://github.com/bsdperimeter/pfsense/commit/e3db5627224a0293f74e0d032a9b230f98f85952
I haven't noticed any issues with MAC passthrough since.
-
dhatz thanks for that.. a hurry I definitely am in. I'll give this a try and see what happens and report back. Thanks
Just to be clear, am I just to add this line:
+ $ruleno = captiveportal_get_next_ipfw_ruleno(2000, 49899, true);
(do I add the "+" at the start also?)
Or am I supposed to delete these lines also:
- if ($enBwup && $enBwdown)
- $ruleno = captiveportal_get_next_ipfw_ruleno(2000, 49899, true);
- else
- $ruleno = captiveportal_get_next_ipfw_ruleno(2000, 49899, false);
-
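Review bot: the `+` line passes `true` as the third argument of captiveportal_get_next_ipfw_ruleno unconditionally, where the removed `if ($enBwup && $enBwdown)` branch passed `false` whenever both bandwidth limits were not enabled; so after this change every passthrough entry has its rule number allocated the same way regardless of its bandwidth settings. When applying it by hand, all four `-` lines (the `if`, the `true` assignment, the `else` and the `false` assignment) have to go together with the single `+` line taking their place, otherwise a dangling `else` is left behind.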
You must delete the lines marked with "-" and add the line marked with "+"
Or you can do as indicated by cmb
Probably want to gitsync to RELENG_2_0
edit:
you have attached the "captiveportal.inc.png" from a pfsense 2.0.1 amd64
remove the .png and upload to /etc/inc/
-
Ok, so here is my problem that I have absolutely no idea how to fix. I just applied that patch thanks to dhatz, I don't know what that will fix but we will see. I have rebooted since applying.
So I have 1 client. His MAC is not even in the Captive Portal MAC passthrough list, he is on the DHCP Leases list and also on the ARP Table. Lightsquid logs show his usage. I currently see him online and see the Lightsquid logs for this user changing so I assume he is browsing, however.. I just did an ipfw show and his MAC is not in there at all…
What is going on here??
-
Your clients need to have an IP address before they can talk with the captive portal. Hence they could well have ARP entries and DHCP leases and still not be able to communicate with the web.
I don't know about Lightsquid - perhaps it captures a web access BEFORE it gets to Captive Portal.
-
Your clients need to have an IP address before they can talk with the captive portal. Hence they could well have ARP entries and DHCP leases and still not be able to communicate with the web.
I don't know about Lightsquid - perhaps it captures a web access BEFORE it gets to Captive Portal.
Wallabybob I think you are missing the point I have been making here.. this is the issue, clients ARE getting on the web, and past the Captive Portal but I have no idea why? They should be getting stopped at the Captive Portal logon screen but no longer are. This particular MAC isn't showing in the ipfw show but I know for certain that the client is browsing the web no problems..
-
This particular MAC isn't showing in the ipfw show but I know for certain that the client is browsing the web no problems..
Please run a packet capture on that particular client's IP address and interface. The capture may give some clues as to how they are bypassing CP.
Wallabybob I think you are missing the point I have been making here.. this is the issue, clients ARE getting on the web, and past the Captive Portal but I have no idea why?
Sorry, when you said @luke240778:
So I have 1 client. His MAC is not even in the Captive Portal MAC passthrough list, he is on the DHCP Leases list and also on the ARP Table. Lightsquid logs show his usage. I currently see him online and see the Lightsquid logs for this user changing so I assume he is browsing, however.. I just did an ipfw show and his MAC is not in there at all…
I thought you were offering "having a DHCP lease and an ARP entry" as part of the evidence of being able to bypass CP.
Now that I have thought about things a bit more, I wonder if the issue is that the client is getting into SQUID rather than CP and the squid accesses on behalf of that client are able to bypass CP because they are sourced "locally". I don't know enough about squid, CP and their interactions to be able to suggest how you might explore that theory.
-
This particular MAC isn't showing in the ipfw show but I know for certain that the client is browsing the web no problems..
Please run a packet capture on that particular client's IP address and interface. The capture may give some clues as to how they are bypassing CP.
Wallabybob I think you are missing the point I have been making here.. this is the issue, clients ARE getting on the web, and past the Captive Portal but I have no idea why?
Sorry, when you said @luke240778:
So I have 1 client. His MAC is not even in the Captive Portal MAC passthrough list, he is on the DHCP Leases list and also on the ARP Table. Lightsquid logs show his usage. I currently see him online and see the Lightsquid logs for this user changing so I assume he is browsing, however.. I just did an ipfw show and his MAC is not in there at all…
I thought you were offering "having a DHCP lease and an ARP entry" as part of the evidence of being able to bypass CP.
Now that I have thought about things a bit more, I wonder if the issue is that the client is getting into SQUID rather than CP and the squid accesses on behalf of that client are able to bypass CP because they are sourced "locally". I don't know enough about squid, CP and their interactions to be able to suggest how you might explore that theory.
IP address of the MAC I know is bypassing the CP is 192.168.10.241, here is a packet capture I just ran:
00:59:28.164510 IP 192.168.10.241.1534 > 204.236.234.74.80: tcp 588
00:59:28.164549 IP 204.236.234.74.80 > 192.168.10.241.1534: tcp 0
00:59:28.465596 IP 204.236.234.74.80 > 192.168.10.241.1534: tcp 313
00:59:28.465816 IP 204.236.234.74.80 > 192.168.10.241.1534: tcp 43
00:59:28.531317 IP 192.168.10.241.1534 > 204.236.234.74.80: tcp 0
00:59:36.671760 IP 192.168.10.241.2717 > 65.54.49.80.1863: tcp 5
00:59:36.814082 IP 65.54.49.80.1863 > 192.168.10.241.2717: tcp 8
00:59:36.987721 IP 192.168.10.241.2717 > 65.54.49.80.1863: tcp 0
01:00:18.851057 IP 192.168.10.241.2717 > 65.54.49.80.1863: tcp 5
01:00:19.000373 IP 65.54.49.80.1863 > 192.168.10.241.2717: tcp 8
01:00:19.137851 IP 192.168.10.241.2717 > 65.54.49.80.1863: tcp 0
01:00:50.510226 IP 192.168.10.241.1534 > 204.236.234.74.80: tcp 612
01:00:50.510265 IP 204.236.234.74.80 > 192.168.10.241.1534: tcp 0
01:00:50.972113 IP 204.236.234.74.80 > 192.168.10.241.1534: tcp 313
01:00:50.972267 IP 204.236.234.74.80 > 192.168.10.241.1534: tcp 43
01:00:51.028514 IP 192.168.10.241.1534 > 204.236.234.74.80: tcp 0
01:00:59.014654 IP 192.168.10.241.2717 > 65.54.49.80.1863: tcp 5
01:00:59.157985 IP 65.54.49.80.1863 > 192.168.10.241.2717: tcp 8
01:00:59.289235 IP 192.168.10.241.2717 > 65.54.49.80.1863: tcp 0
01:01:15.188511 IP 74.125.234.91.80 > 192.168.10.241.1739: tcp 0
01:01:15.208393 IP 192.168.10.241.1739 > 74.125.234.91.80: tcp 0
01:01:16.187616 IP 195.28.181.138.80 > 192.168.10.241.1740: tcp 0
01:01:16.199754 IP 192.168.10.241.1740 > 195.28.181.138.80: tcp 0
01:01:17.186638 IP 184.173.254.59.80 > 192.168.10.241.1746: tcp 0
01:01:17.195715 IP 192.168.10.241.1746 > 184.173.254.59.80: tcp 0
01:01:18.185736 IP 213.8.137.51.80 > 192.168.10.241.1748: tcp 0
01:01:18.196753 IP 192.168.10.241.1748 > 213.8.137.51.80: tcp 0
01:01:46.015915 IP 192.168.5.28 > 192.168.10.241: ICMP echo request, id 1024, seq 37241, length 24
01:01:46.017889 IP 192.168.5.28 > 192.168.10.241: ICMP echo request, id 1024, seq 42361, length 24
01:01:46.018875 IP 192.168.5.28 > 192.168.10.241: ICMP echo request, id 1024, seq 47481, length 24
01:01:46.101480 IP 192.168.10.241 > 192.168.5.28: ICMP echo reply, id 1024, seq 37241, length 24
01:01:46.142832 IP 192.168.10.241 > 192.168.5.28: ICMP echo reply, id 1024, seq 42361, length 24
01:01:46.144745 IP 192.168.10.241 > 192.168.5.28: ICMP echo reply, id 1024, seq 47481, length 24
01:01:47.158082 IP 192.168.10.241.2717 > 65.54.49.80.1863: tcp 5
01:01:47.302091 IP 65.54.49.80.1863 > 192.168.10.241.2717: tcp 8
01:01:47.465471 IP 192.168.10.241.2717 > 65.54.49.80.1863: tcp 0
01:01:59.586950 IP 192.168.10.241.1534 > 204.236.234.74.80: tcp 572
01:01:59.586991 IP 204.236.234.74.80 > 192.168.10.241.1534: tcp 0
01:01:59.967533 IP 204.236.234.74.80 > 192.168.10.241.1534: tcp 313
01:01:59.967812 IP 204.236.234.74.80 > 192.168.10.241.1534: tcp 43
01:01:59.978150 IP 192.168.10.241.1534 > 204.236.234.74.80: tcp 0
01:02:31.315672 IP 192.168.10.241.2717 > 65.54.49.80.1863: tcp 5
01:02:31.462128 IP 65.54.49.80.1863 > 192.168.10.241.2717: tcp 8
01:02:31.614572 IP 192.168.10.241.2717 > 65.54.49.80.1863: tcp 0
01:02:56.311476 IP 192.168.5.28.4193 > 192.168.10.241.137: UDP, length 50
01:03:11.479934 IP 192.168.10.241.2717 > 65.54.49.80.1863: tcp 5
01:03:11.624158 IP 65.54.49.80.1863 > 192.168.10.241.2717: tcp 8
01:03:11.761804 IP 192.168.10.241.2717 > 65.54.49.80.1863: tcp 0
01:03:16.497933 IP 192.168.5.28 > 192.168.10.241: ICMP echo request, id 1024, seq 46464, length 24
01:03:16.501866 IP 192.168.5.28 > 192.168.10.241: ICMP echo request, id 1024, seq 50048, length 24
01:03:16.501872 IP 192.168.5.28 > 192.168.10.241: ICMP echo request, id 1024, seq 53632, length 24
01:03:16.565799 IP 192.168.10.241 > 192.168.5.28: ICMP echo reply, id 1024, seq 46464, length 24
01:03:16.583443 IP 192.168.10.241 > 192.168.5.28: ICMP echo reply, id 1024, seq 50048, length 24
01:03:16.585429 IP 192.168.10.241 > 192.168.5.28: ICMP echo reply, id 1024, seq 53632, length 24
Sorry I wasn't meaning that the DHCP entry and the ARP entry were evidence of being able to bypass CP.. just that I can see that the MAC and IP of that client is online and not in the MAC passthrough list, and is definitely online and surfing, so it is somehow bypassing the CP.
That thought about Squid is an interesting one.. I am just running Squid as a transparent proxy.. can someone with more knowledge of Squid possibly give your two cents worth here?
-
Transparent proxying bypasses captive portal.
-
@cmb:
Transparent proxying bypasses captive portal.
Ok, but that's obviously not my problem here right? Seeing that this exact same setup worked perfectly fine for over 8 months..
I always had transparent proxy and CP running and all my clients used to get the CP login screen.. now all of a sudden they are getting past it. If I stop the Squid service and try and log in a client that is currently bypassing the CP this should prove this?
-
Ok all, I am seriously needing help here.
I was thinking my captive portal issue may have been my Ruckus AP letting connected clients bypass the CP, but I have just tested with another AP made by Ubiquiti and it also lets people connected bypass the CP.. However, with that same Ubiquiti AP connected to my other NIC (OPT1 and not LAN) the CP kicks in and works like it should. What can possibly be making 1 interface work and not the other? I have Captive Portal enabled on both LAN and OPT1.
All help is appreciated here, this is starting to be a big issue now as we are expanding a little.
-
Ok all, I am seriously needing help here.
Have you considered the Commercial Support ?
https://portal.pfsense.org/
-
@ptt:
Ok all, I am seriously needing help here.
Have you considered the Commercial Support ?
https://portal.pfsense.org/
Have considered it yes. Was hoping that someone on the forum would have been able to assist first, but if I can't get anywhere I guess that's what I'll have to do.