Netgate Discussion Forum

    2.24. Captive Portal - voucher expired, time expired, user still connected

    • N
      n3by
      last edited by

      I attached the files just in case somebody can compare and will find ( or not ) that my files are not the same, so this means my pfSense is compromised… by somebody or some package.

      I don't understand, can you please detail/link what you mean by

      Install a new, fresh one from source (GIT : version 2.2.4)

      ?
      GIT ? To copy over actual pfsense files; files that are newer/not the same from here ? https://github.com/pfsense/pfsense
      or full reinstall pfsense 2.2.4 image with USB/CD ?

      I am thinking if possible to reinstall pfsense 2.2.4 over the actual running pfsense 2.2.4 but I don't see or I miss the option at GUI ( it will be nice to have such option in case of file corruption so no more USB/CD involved and full reinstall ).

      Yes I use Squid to filter http and also direct IP access and I have an except list with firewall/interfaces/switch IP and some LAN clients & WAN destinations, but do you think is it to blame Squid for captiveportal not disconnecting the clients and delete/deactivate old vouchers at time ?

      • N
        n3by
        last edited by

        I just checked Status: System logs: Portal Auth and I see in the log that until 24 August all worked OK, clients were disconnected at timeout 8h, after that date no more timeouts and clients are still connected.

        I had Squid installed from the beginning so I do not think to blame him for this, I need to dig more, maybe I will find the problem.

        • N
          n3by
          last edited by

          I deleted the portal on that interface and rebuilt it from 0, the problem remains… any idea ?

          • GertjanG
            Gertjan
            last edited by

            There is a way to check what happens.
            If you can read/write some PHP ;)

            Make some test-vouchers that last 10 to 15 minutes.

            Locate this https://github.com/pfsense/pfsense/blob/master/src/etc/inc/captiveportal.inc#L633 function in your /etc/inc/captiveportal.inc - the function captiveportal_prune_old()
            In this function people are kicked out. This function is being called every 5 minutes by a cron task.

            Just drop in some of these captiveportal_logportalauth(…) with variables to check.
            See how it is used here : https://github.com/pfsense/pfsense/blob/master/src/etc/inc/captiveportal.inc#L734

            Vouchers time outs are handled here : https://github.com/pfsense/pfsense/blob/master/src/etc/inc/captiveportal.inc#L715 - put some logging in there.

            (be careful, I linked to a version of etc/inc/captiveportal.inc that isn't yours for 100 %)

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??

            • N
              n3by
              last edited by

              thank you for reply.

              I come from past ( … ASM ) so I have no experience with PHP ( at a first quick look over the code it make sense, but I need some time to dig/found and insert logger ).

              any way

              I made some experiments yesterday just to be sure Squid is out of equation as many people try to blame this package for almost everything not working in pfSense:

              • I uninstalled Squid and Squidguard, stopped captive portal, rebooted.
              • I copied 2 new files from Github over old files but captive portal did not work properly, client was not hit by captive portal so I restored old files... new voucher...

              This morning no joy, problem remained without Squid being installed.

              I reinstall 2.2.4 upgrade from GUI to be sure I have all files as it come from developers.

              edit:
              At this moment made some 15 min vouchers and test to see if problem remain after re installation of 2.2.4.

              ![2015-09-02 09.25.18.jpg](/public/imported_attachments/1/2015-09-02 09.25.18.jpg)
              • N
                n3by
                last edited by

                After 2.2.4 reinstall ( also Squid & Squidguard reinstall), I changed Hard timeout from 480 min to 490 min, just in case:

                • first test with 15 min vouchers looks OK, captive portal work ok.
                • I am testing 480 min voucher now.
                • GertjanG
                  Gertjan
                  last edited by

                  ASM ??  ;D First days with the '8088' or a 'simple' 8-bitter ?

                  I saw your boatload of packages, some of them are real resource eaters. Be careful with that !

                  When you detect troubles, always run without any addons (packages). If the problem persists, then you are facing a native pfSense bug. Using packages always complicates error searching.
                  'squid', when installing, and also used on the Captive Portal NIC, patches pfSense core files. This was creating very nasty problems, and the 'newbie expert' concluded : pfSense isn't working well.
                  Btw : squid, ok, but not for the Captive portal.
                  Also important : always run the captive portal on its own NIC (OPTx) - never share it on the LAN.

                  I told you yesterday that connections were 'pruned' every 5 minutes => that's wrong.
                  Connect yourself to your pfSense (SSH) - option 8.
                  Type this:

                  ps ax | grep 'prunecaptiveportal'
                  

                  You will see this:

                  85178  -  Is      0:00.00 /usr/local/bin/minicron 60 /var/run/cp_prunedb_cpzone1.pid /etc/rc.prunecaptiveportal cpzone1
                  85293  -  S       0:00.16 minicron: helper /etc/rc.prunecaptiveportal cpzone1 (minicron)
                  
                  

                  As you can see (look well), pruning is done every 60 seconds !!
                  Pruning takes time - if you have many (hundreds or more) users connected, the process will block the next running prune task.
                  Things start to 'error' ….

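The `ps ax` check from the post above, as an added example that is not part of the original thread: it extracts each captive portal zone's prune interval from the minicron command line and lists zones that have no prune job running. The sample input is the two lines quoted in the post; `cpzone2` is a hypothetical second zone, and treating a missing prune job as a reason expired sessions stay connected is an assumption drawn from the post's description.

```shell
#!/bin/sh
# Added example: read `ps ax` text and report the captive portal prune jobs.

# Constructed sample: the two process lines quoted in the post above.
SAMPLE_PS='85178  -  Is      0:00.00 /usr/local/bin/minicron 60 /var/run/cp_prunedb_cpzone1.pid /etc/rc.prunecaptiveportal cpzone1
85293  -  S       0:00.16 minicron: helper /etc/rc.prunecaptiveportal cpzone1 (minicron)'

# prune_intervals: stdin = `ps ax` output.
# Prints "zone interval_seconds pid" for every minicron parent process that
# runs /etc/rc.prunecaptiveportal. The "minicron: helper" child and the grep
# process itself are skipped because they do not match the parent's layout:
#   .../minicron <interval> <pidfile> /etc/rc.prunecaptiveportal <zone>
prune_intervals() {
    awk '
    {
        for (i = 5; i <= NF; i++) {
            if ($i ~ /\/minicron$/ && $(i + 3) == "/etc/rc.prunecaptiveportal") {
                print $(i + 4), $(i + 1), $1
            }
        }
    }'
}

# zones_without_pruner: args = zone names you expect; stdin = `ps ax` output.
# Prints every expected zone that has no prune job (assumption: such a zone
# never has its expired sessions removed).
zones_without_pruner() {
    running=$(prune_intervals | awk '{print $1}')
    for zone in "$@"; do
        printf '%s\n' "$running" | grep -qxF "$zone" || echo "$zone"
    done
}

# Demo on the constructed sample; on the firewall use: ps ax | prune_intervals
printf '%s\n' "$SAMPLE_PS" | prune_intervals
# cpzone2 is a hypothetical zone name used to show a missing job.
printf '%s\n' "$SAMPLE_PS" | zones_without_pruner cpzone1 cpzone2
```
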
                  • N
                    n3by
                    last edited by

                    from Sinclair Spectrum Z80…

                    Understand.

                    This Guest captive portal is on its own NIC interface.
                    I have another 2 NIC interfaces for LAN ( wifi, wired ) which share one LAN captive portal for extra security but no vouchers enabled, MAC defined allowed, no problems.

                    This is a home setup, made as secure as I can, so only few devices, low traffic and normally 1 test device for Guests, I will see after time expire how it is with 8h voucher.

                    thank you.

                    • N
                      n3by
                      last edited by

                      I have no idea if pfsense 2.2.4 reinstall solved the problem or changing hard time expiration to be different from voucher time, 8h voucher also works OK.

                      It looks like the Captive Portal is working OK now.

                      thank you.

                      • D
                        doktornotor Banned
                        last edited by

                        I have a pretty good idea that Squid breaks CP files.

                        • N
                          n3by
                          last edited by

                          I had this working with Squid installed for some time… until something happened no idea...

                          I had Squid uninstalled and it did not work, and now I have Squid running and it is working so I don't blame Squid.

                          Maybe a bug if hard time expiration = voucher time ( I can test it but not now, I had enough ).

                          will see in time.
