2.24\. Captive Portal - voucher expired, time expired, user still connected
-
Hello,
PFsense 2.2.4, I set up Captive Portal at home for Guests; Vouchers valid for 480 min = 8h.
I tested this configuration few times and all was ok first… I am still testing as I print one page with 100 vouchers, so I connect a tablet daily sometime with user name ( if I don't have the glasses near me 8) ) sometime with vouchers; after few days/vouchers ( now at 8 voucher ) I found that tablet connected with voucher it is still connected after voucher expired.
see the pictures.anybody is facing the same problem as me ?
any ideas ?thank you.
-
Hi,
Looks like the pruning process isn't doing its job.
The "SQLLite3" contains still the IP+MAC
Your Captive Portal firewall still contains the "pass through" rules for that Ip/MAC (check it out yourself : "ipfw -x A table all list" where A is your Captive Portal ID).
But : other files exists for captive Portal accounting and one of them 'fools' the pruning process.Can you 'kill' the connection in the GUI and check that that device an't connect anymore, neither reusing the voucher you showed above ?
My advise: stop the Captive Portal - and reboot. The re-enable to have the files being regenerated.
-
Gertjan many thanks for your assistance.
here it is what I did:
1)- killed that connection and voucher manually from captive portal status.
- disabled & stopped captive portal.
- reboot pfsense.
- enabled captive portal.
- connected the tablet with another voucher, old voucher was expired I can't connect with him and now … waiting for the voucher to expire ( tablet is not connected to wifi all the time, when I don't use it - most of the time - I turn off the wifi because it is a bad tablet and has a bad battery ).
I made a copy of rc.prunecaptiveportal and captiveportal.inc file from pfsense before and after reboot.
I also found in /root this files:
2.1.5-RELEASE.captiveportal.inc.backup
2.2.4-RELEASE.captiveportal.inc.backupbefore reboot files captiveportal.inc was not the same as 2.2.4-RELEASE.captiveportal.inc.backup
captiveportal.inc had this code at lines 554-555.$cprules .= "add {$rulenum} skipto 65314 ip from any to {$ips} 3128 in\n"; $cprules .= "add {$rulenum} skipto 65314 ip from {$ips} 3128 to any out\n";
It looks like it is a patch from Squid when I had enabled setting Patch captive portal… it is not active any more.
If anybody can compare my files with what he have to see if are the same or somehow are changed/tampered here there are:
/etc/inc/captiveportal.inc and /etc/rc.prunecaptiveportal
-
If anybody can compare my files with what he have to see if are the same or somehow are changed/tampered here there are:
ROFL… No, not in this "format".
-
yes sorry Dok,
somehow the code tags was not properly formatted maybe to long so I zip the files.
if other files are required to check please let me know.
-
The source file "/etc/inc/captiveportal.inc" is the same for you and me.
It should be the same !
I can't help with files that were manually (or by the install of a package) modified.Install a new, fresh one from source (GIT : version 2.2.4)
That files I was talking about are:
/var/db/captiveportalcpzone1.db : the SQLLite3 data base file. /var/db/captiveportaldn.rules /var/db/captiveportal_cpzone1.rules
The "cpzone1" part could be different for you.
Btw : its very know problem "…... captive portal not working ...." and afterwards : "Oh, yes, I installed squid ......"
:o -
I attached the files just in case somebody can compare and will find ( or not ) that my files are not the same so this mean my pfsense is compromised… by somebody or some package.
I don't understand can you please detail/link what do you mean with
Install a new, fresh one from source (GIT : version 2.2.4)
?
GIT ? To copy over actual pfsense files; files that are newer/not the same from here ? https://github.com/pfsense/pfsense
or full reinstall pfsense 2.2.4 image with USB/CD ?I am thinking if possible to reinstall pfsense 2.2.4 over the actual running pfsense 2.2.4 but I don't see or I miss the option at GUI ( it will be nice to have such option in case of file corruption so no more USB/CD involved and full reinstall ).
Yes I use Squid to filter http and also direct IP access and I have an except list with firewall/interfaces/switch IP and some LAN clients & WAN destinations, but do you think is it to blame Squid for captiveportal not disconnecting the clients and delete/deactivate old vouchers at time ?
-
I just checked Status: System logs: Portal Auth and I see in log that until 24 -August all worked ok, clients was disconnected at timeout 8h, after that date no more timeouts and clients are still connected.
I had Squid installed from the beginning so I do not think to blame him for this, I need to dig more maybe i will find the problem.
-
I deleted the portal on that interface and rebuild it from 0, the problem remain… any idea ?
-
There is a way to check what happens.
If you can read/write some PHP ;)Make some test-vouchers that last 10 a 15 minutes.
Locate this https://github.com/pfsense/pfsense/blob/master/src/etc/inc/captiveportal.inc#L633 unction in your /etc/inc/captiveportal.inc - the function captiveportal_prune_old()
In this functions people are kicked out. This function is being called every 5 minutes by a cron task.Just drop some of these captiveportal_logportalauth(…) with variables to check.
See how it is used here : https://github.com/pfsense/pfsense/blob/master/src/etc/inc/captiveportal.inc#L734Vouchers time outs are handled here : https://github.com/pfsense/pfsense/blob/master/src/etc/inc/captiveportal.inc#L715 - put some logging in there.
(be carefull, I linked to the a version of etc/inc/captiveportal.inc that isn't yours for 100 %)
-
thank you for reply.
I come from past ( … ASM ) so I have no experience with PHP ( at a first quick look over the code it make sense, but I need some time to dig/found and insert logger ).
any way
I made some experiments yesterday just to be sure Squid is out of equation as many people try to blame this package for almost everything not working in pfSense:
- I uninstalled Squid and Squidguard, stop captive portal, reboot.
- I copy 2 new files from Github over old files but captive portal did not worked properly, client was not hit by captive portal so I restore old files... new voucher...
This morning no joy, problem remained without Squid being installed.
I reinstall 2.2.4 upgrade from GUI to be sure I have all files as it come from developers.
edit:
At this moment made some 15 min vouchers and test to see if problem remain after re installation of 2.2.4.![2015-09-02 09.25.18.jpg](/public/imported_attachments/1/2015-09-02 09.25.18.jpg)
![2015-09-02 09.25.18.jpg_thumb](/public/imported_attachments/1/2015-09-02 09.25.18.jpg_thumb) -
After 2.2.4 reinstall ( also Squid & Squidguard reinstall), I changed Hard timeout from 480 min to 490 min, just in case:
- first test with 15 min vouchers looks OK, captive portal work ok.
- I am testing 480 min voucher now.
-
ASM ?? ;D First days with the '8088' or a 'simple' 8-bitter ?
I saw your boatload of packages, some of them are real resource eaters. Be careful with that !
When you detect troubles, always run without any addons (packages). If the problem persists, then you are facing a native pfSEnse bug. Using packages always complicates error searching.
'squid', when installing, and also used on the Captive Portal NIC, patches pfSense core files. This was creating very nasty problems, and the 'newbie expert' concluded : pfSense isn't working well.
Btw : squid, ok, but not for the Captive portal.
Also important : always run the captive portal on its own NIC (OPTx) - never share it on the LAN.I told you yesterday that connections were 'pruned' every 5 minutes => that's wrong.
Connect yourself to your pfSense (SSH) - option 8.
Type this:ps ax | grep 'prunecaptiveportal'
You will see this:
85178 - Is 0:00.00 /usr/local/bin/minicron 60 /var/run/cp_prunedb_cpzone1.pid /etc/rc.prunecaptiveportal cpzone1 85293 - S 0:00.16 minicron: helper /etc/rc.prunecaptiveportal cpzone1 (minicron)
As you can see (look well), pruning is done every 60 seconds !!
Pruning takes time - if you have many (hundreds or more) users connected, the process will block the next running prune task.
Things start to 'error' …. -
from Sinclair Spectrum Z80…
Understand.
This Guest captive portal it is on his own NIC interface.
I have another 2 NIC interfaces for LAN ( wifi, wired ) which share one LAN captive portal for extra security but no vouchers enabled, MAC defined allowed, no problems.This is a home setup, made as secure as I can, so only few devices, low traffic and normally 1 test device for Guests, I will see after time expire how it is with 8h voucher.
thank you.
-
I have no idea if pfsense 2.2.4 reinstall solved the problem or changing hard time expiration to be different from voucher time, 8h voucher also work ok.
It looks like the Captive Portal it is working OK now.
thank you.
-
I have a pretty good idea that Squid breaks CP files.
-
I had this working with Squid installed for some time… until something happened no idea...
I had Squid uninstalled and did not worked, and now I have Squid running and is working so I don't blame Squid.
Maybe a bug if hard time expiration = voucher time ( I can test it but not now, I had enough ).
will see in time.