Netgate Discussion Forum

    CP misbehavior after 2.3 Upgrade

    • hardy_rafael17

      ---Gertjan--- If you're reading this... "A LOT OF THANKS" you've been of great help before...

      There are two things not working properly after I (the day before yesterday) upgraded my pfSense box... (I waited until now just to make sure that 2.3 was stable  :) and maybe avoid this type of trouble)...

      1- The main issue is that after a client has been successfully logged in with a voucher (I use voucher plus Pass-through MAC Auto Entry), soon afterwards the client will lose connectivity (I don't know how soon it happens (for one client it was less than 15 minutes)). If I try to use the same voucher on the client, the portal page will tell me that such voucher is already logged in with a different MAC address... and indeed if I take a look at the MACs tab... I will find that client's MAC address on the list with that same voucher that was used...

      ---when I say "the client loses connectivity" I mean that the client is treated as if it's not logged in.. it is redirected to the CP portal page---

      I test the voucher... and it is still good (not expired)

      I look at the logs... nothing there concerning the client's disconnection...

      If I go to the Services/Captive/Portal/test/Configuration page... and click on "save button" then those clients who have lost connectivity get back online just like that... (not sure if they lose it again, hope not)...

      one more thing

      2- my system has a crash report which I think is related to the problem... there it goes as an attachment... and that crash is persistent... I delete it.. and it happens again...

      ---Gertjan--- If you're reading this... "A LOT OF THANKS" you've been of great help before...

      and excuse my english....
      ![Crash Report.PNG](/public/imported_attachments/1/Crash Report.PNG)

      • Gertjan

        :) Me ?

        A couple of questions first:
        The vouchers you are using : were they generated BEFORE you upgraded to 2.3.0 ?
        I don't know if voucher stats are really saved now (using 2.3.0) - I know they were NOT so before.

        More info : https://forum.pfsense.org/index.php?action=search and type the magic word rc.savevoucher.

        I guess this is not related with you https://forum.pfsense.org/index.php?topic=111132.msg618826#msg618826

        You should use this page : https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting

        It shows you how to check on a "firewall level" who is authorized to get out.

        
        ......
        65291     0        0 allow pfsync from any to any
        65292     0        0 allow carp from any to any
        65301   377    14858 allow ip from any to any layer2 mac-type 0x0806,0x8035
        65302     0        0 allow ip from any to any layer2 mac-type 0x888e,0x88c7
        65303     0        0 allow ip from any to any layer2 mac-type 0x8863,0x8864
        65307    14      644 deny ip from any to any layer2 not mac-type 0x0800,0x86dd
        65310  1815   166508 allow ip from any to table(100) in
        65311  6559  1319786 allow ip from table(100) to any out
        65312    36     8790 allow ip from any to 255.255.255.255 in
        65313     0        0 allow ip from 255.255.255.255 to any out
        65314     0        0 pipe tablearg ip from table(3) to any in
        65315     0        0 pipe tablearg ip from any to table(4) in
        65316     0        0 pipe tablearg ip from table(3) to any out
        65317     0        0 pipe tablearg ip from any to table(4) out
        65318 78786 16651440 pipe tablearg ip from table(1) to any in
        65319 82570 87958140 pipe tablearg ip from any to table(2) out
        65531  3494   304165 fwd 127.0.0.1,8003 tcp from any to any dst-port 443 in
        65532   929   110438 fwd 127.0.0.1,8002 tcp from any to any dst-port 80 in
        65533  3936  1803687 allow tcp from any to any out
        65534   931   246594 deny ip from any to any
        65535   136    58995 allow ip from any to any
        

        Inspecting "table 1" like this:

        192.168.2.27/32 mac 30:10:e4:c3:94:8e 6644
        192.168.2.46/32 mac 2c:f0:ee:dd:d0:ee 6646
        192.168.2.90/32 mac 18:4f:32:b1:27:9f 6640
        192.168.2.104/32 mac 8c:29:37:41:00:fb 6638
        192.168.2.162/32 mac 58:2a:f7:85:1e:30 6642

        Shows me the 4 people logged in (their IP and MAC).

        Btw : I'm not using vouchers on my pfSense system.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??
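
Added example, not part of Gertjan's post: a small Python parser for saved `ipfw` rule and `table 1 list` output in the format quoted above, which reports whether a client's IP/MAC pair is listed in table 1 and how many packets hit the `fwd` rules. It assumes, as the post describes, that table 1 holds the logged-in clients; the function names and state names are made up for this illustration.

```python
import re

# Sample input copied (trimmed) from the two listings quoted in the post.
RULES = """\
65310  1815   166508 allow ip from any to table(100) in
65318 78786 16651440 pipe tablearg ip from table(1) to any in
65319 82570 87958140 pipe tablearg ip from any to table(2) out
65531  3494   304165 fwd 127.0.0.1,8003 tcp from any to any dst-port 443 in
65532   929   110438 fwd 127.0.0.1,8002 tcp from any to any dst-port 80 in
65534   931   246594 deny ip from any to any
"""
TABLE1 = """\
192.168.2.27/32 mac 30:10:e4:c3:94:8e 6644
192.168.2.46/32 mac 2c:f0:ee:dd:d0:ee 6646
"""

ENTRY = re.compile(
    r"^\s*(\d+(?:\.\d+){3})/32\s+mac\s+((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(\d+)\s*$",
    re.I)
FWD = re.compile(r"^\s*\d+\s+(\d+)\s+\d+\s+fwd\s+\S+\s+tcp\b.*\bdst-port\s+(\d+)")

def parse_table(text):
    """Return {ip: (mac, tablearg)} for every 'ip/32 mac xx:.. N' line."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            table[m.group(1)] = (m.group(2).lower(), int(m.group(3)))
    return table

def redirect_hits(text):
    """Return {dst_port: packet_count} for the fwd rules that redirect to the portal."""
    return {int(m.group(2)): int(m.group(1))
            for m in map(FWD.match, text.splitlines()) if m}

def client_state(ip, mac, table):
    """Classify one client against the parsed table (state names are illustrative)."""
    mac = mac.lower()
    if ip in table:
        return "authorized" if table[ip][0] == mac else "ip-held-by-other-mac"
    if any(listed_mac == mac for listed_mac, _ in table.values()):
        return "mac-listed-under-other-ip"
    return "not-listed"  # traffic falls through to the fwd rules

if __name__ == "__main__":
    table = parse_table(TABLE1)
    print(client_state("192.168.2.27", "30:10:E4:C3:94:8E", table))
    print(redirect_hits(RULES))
```

A client that reports "not-listed" while the portal says its voucher is already in use is the mismatch described in the first post, seen from the firewall side.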

        • hardy_rafael17

          I'm running the system on a Netgate apu4, but I have no SD card on it.. I have a Sata Hard Disk.
          at first when I finished upgrading, the crash dump looked exactly the same as the one you pointed me to… but I'm not running NanoBSD... I'm on a full install on a Hard Disk.
          ////////////////////////////////////////////////////
          [2.3-RELEASE][admin@Hardy.NET]/root: ipfw zone list
          Currently defined contexts and their members:
          2: re2_vlan5,
          4: re2_vlan6,

          [2.3-RELEASE][admin@Hardy.NET]/root: ipfw -x 2 table 1 list (doesn't show any results) maybe 'cuz I'm just using (voucher plus Pass-through MAC Auto Entry) nothing more…
          [2.3-RELEASE][admin@Hardy.NET]/root:
          /////////////////////////////////////////////////////
          You asked if vouchers were created prior to upgrading the system…. yes they were...

          a little note... I have two captive portals running... zone 2 and zone 4.... the issue seems to be only on zone 2, (I mean... I have no reports or complaints of zone 4 misbehaving)
          that said (I have to say that the configuration on both zones is the same... but the authentication page is not... zone 2 has a custom page while zone 4 has the default page)...
          this line was missing on zone 2 portal page

          I added it... and reloaded cp configuration... (I don't think that's the problem... but see no other difference) I'm waiting to see the results...

          [ipfw -x 2 show.txt](/public/imported_attachments/1/ipfw -x 2 show.txt)

          • Gertjan

            If you have any more troubles, I advise you to ditch the old vouchers.
            Deactivate the voucher system. I guess a bug doesn't allow you to do so (I can't), so do it the hard way :

            Backup a complete config.xml
            Look for this pair: <voucher> and, a couple of lines further on, </voucher>
            Mine (minimal) looks like this:

            	<voucher>
            		<cpzone1>
            			<charset>2345678abcdefhijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ</charset>
            			<rollbits>16</rollbits>
            			<ticketbits>10</ticketbits>
            			<checksumbits>5</checksumbits>
            			<magic>1782799022</magic>
            			<exponent>59171</exponent>
            			<publickey>LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0NCUXdEUVlKS29aSWh2Y05BUUVCQlFBREV3QXdFQUlKQU1jK243UGtHTkkxQWdNQTV5TT0NCi0tLS0tRU5EIFBVQkxJQyBLRVktLS0tLQ0K</publickey>
            			<privatekey>LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQ0KTUQ4Q0FRQUNDUURIUHArejVCalNOUUlEQU9jakFnaHRIT3JIWGNsbWl3SUZBT1pXbENFQ0JRRGRjVHVWQWdVQQ0Ka1JGQlN3SUZBTHZMVmZzQ0JCKzFHWTA9DQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQ0K</privatekey>
            			<descrmsgnoaccess></descrmsgnoaccess>
            
            			<enable></enable>
            		</cpzone1>
            	</voucher>
            

            Remove all that … including the <voucher>.....</voucher>
            Save
            Import config.
            => I advise you also to remove all voucher related files like /var/db/voucher_ZONEX_active_0.db
            Re-setup vouchers.
            You'll be fine.

            Btw : when updating, hand made settings like a "portal login page" should be checked with eventually new parameters etc ;)

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??
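
Added example, not part of Gertjan's post: the manual edit described above, done with Python's ElementTree on a downloaded backup instead of by hand. The sample config is a constructed stand-in with placeholder keys, the function names are made up here, and the `*` in the database file pattern generalizes the `_0` in the path from the post, which is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed, minimal stand-in for a config.xml backup (key values are placeholders).
SAMPLE = """<pfsense>
  <captiveportal><cpzone1><zone>cpzone1</zone></cpzone1></captiveportal>
  <voucher>
    <cpzone1>
      <rollbits>16</rollbits>
      <publickey>PLACEHOLDER_PUBLIC</publickey>
      <privatekey>PLACEHOLDER_PRIVATE</privatekey>
      <enable></enable>
    </cpzone1>
  </voucher>
</pfsense>"""

def strip_voucher(xml_text):
    """Remove every <voucher> element; return (new_xml, zone_names_removed)."""
    root = ET.fromstring(xml_text)
    zones = []
    # Snapshot the tree first so removing children does not disturb iteration.
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag == "voucher":
                zones.extend(zone.tag for zone in child)
                parent.remove(child)
    return ET.tostring(root, encoding="unicode"), zones

def stale_db_patterns(zones):
    """Voucher state files to clean up per zone (pattern assumed from the post's path)."""
    return ["/var/db/voucher_%s_active_*.db" % zone for zone in zones]

if __name__ == "__main__":
    # Work on a copy: write the result to a new file and keep the backup untouched.
    # ElementTree drops XML comments and CDATA wrappers, so diff before importing.
    new_xml, zones = strip_voucher(SAMPLE)
    print(new_xml)
    print(stale_db_patterns(zones))
```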

            • hardy_rafael17

              Hi!!!

              Well, ditch old vouchers… yes I can do that... actually I did... I created new rolls... the system keeps reporting the same crash every now and then (but I haven't had the problem in which clients get disconnected )

              But deactivate the vouchers, and remove all that's within .... uhmmmm I don't like the idea... I have 200+ vouchers logged in...

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.