Netgate Discussion Forum

    Clients can't reconnect after pfsense reboot

      Gertjan @prophet

      @prophet said in Clients can't reconnect after pfsense reboot:

      @kengo I confirm that the issue is related to captive portal

      2.3.5 == 2.4.4 main difference is the code-base. The first is 32 bits - the latter 64 bits.
      So, totally normal that you found the same issue.

      The issue has a name and a number : https://redmine.pfsense.org/issues/8783

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

        prophet @Gertjan

        @gertjan sorry but this isn't the same issue.
        When pfSense is up i can save/edit anything without problems.

        I only have problems after reboot, with clients stuck at "You are connected" message in their browser.

          Gertjan @prophet

          @prophet said in Clients can't reconnect after pfsense reboot:

          @gertjan sorry but this isn't the same issue.
          When pfSense is up i can save/edit anything without problems.

          Can't tell what happens with 2.4.1 - that's old code and ditched because of "security issues".
          There is no such thing as a bug list "2.4.1". You're free to use it as long as you accept that product is unsupportable.
          So, again, ok to me ☺

          I only have problems after reboot, with clients stuck at "You are connected" message in their browser.
          And that's the situation right now with 2.4.4 and 2.3.5 (can't test that - have no 32 bits devices).

          And "Save" on the captive portal's setting will "redo" the ipfw firewall rules and tables. The captive portal's "connected client database" will not get emptied. This is what this issue is all about.

            prophet @Gertjan

            @gertjan never tried 2.4.1 and not planning to use it, i just asked @kengo if that version was ok.

            by the way bug #8783 is marked as "resolved", so it can't be the same issue. if it was i wouldn't be here :)

              Gertjan @prophet

              @prophet said in Clients can't reconnect after pfsense reboot:

              by the way bug #8783 is marked as "resolved", so it can't be the same issue. if it was i wouldn't be here :)

              You're right.
              When 8783 repaired something, this arrived: https://redmine.pfsense.org/issues/8616 (others might exist).

                kengo

                Will be testing older versions of pfsense 2.2 and 2.3 tonight. i will post an update again.

                  kengo

                  @prophet I'm using 2.3.2 and it's working like a charm so far. I will post again after 24 hours as I continue to monitor this.

                    prophet @kengo

                    @kengo excellent!

                    does it also "remember" clients/users across reboot or do they have to sign in again?

                      Gertjan

                      I'm curious too.
                      I've been using 2.3.2 for a while, and I don't remember if users are all logged out. Normally, yes, they would have been.

                      Most of the captive portal settings don't have anything to do with created entries in the related ipfw tables. Better yet : back then, there were no "tables" to hold the authorized devices, there were just rules.
                      Only this one : "Per-user bandwidth restriction" ( Default download (Kbit/s) and Default upload (Kbit/s)) are used when creating rules.

                      I can imagine that, when FreeRadius is used to restrict "bandwidth restriction" or "Amount of Download and Upload Traffic" is counted, and the rule (and related limiter/pipe) vanishes a moment for a device, things really start to break.
                      So, saving the config == everybody has to start over. This is far safer.

                      Btw : Why should one want the captive portal setting regularly ? I didn't touch mine for weeks, if not months. Once set up as needed, no need to change something.

                        kengo

                        hi everyone, sorry for the delayed response.

                        I can confirm that 2.3.2 has resolved the captive portal issue on one box. but what i am curious is why on another box, 2.4.4 still works fine.

                        @prophet upon reboot of the 2.3.2 machine, users need to login again. I think this is the intended behavior. captive portal works flawlessly now and doesn't kick machines off the internet after a period of time.

                        as for my setup, I added all the mac address of my routers/access points to the Mac filter in captive portal, not sure if that helped.

                          Gertjan @kengo

                          @kengo said in Clients can't reconnect after pfsense reboot:

                          as for my setup, I added all the mac address of my routers/access points to the Mac filter in captive portal, not sure if that helped.

                          I did the same thing.
                          Even basic access points could have NTP services (time keeping) or could need updates, so these should be able to communicate with the net.

                          @kengo said in Clients can't reconnect after pfsense reboot:

                          upon reboot of the 2.3.2 machine, users need to login again. I think this is the intended behavior

                          Exactly.

                          @kengo said in Clients can't reconnect after pfsense reboot:

                          captive portal works flawlessly now and doesn't kick machines off the internet after a period of time.

                          By default, a captive portal should kick off users after a certain time (hard or soft time out).
                          Except the ones listed on the MACs / Allowed IP / Allowed host names tabs

                            ontzuevanhussen @prophet

                            @prophet I have same problem :(

                              darkblack

                              I have the exact same problem as OP @kengo, which he mentioned in the 1st message. I cannot downgrade now. Is there a fix or workaround? Does setting a hard and idle time out fix the issue? Is there a way we can automatically log all users out of the captive portal every time the firewall reboots? Please advise. Thanks.

                                prophet @darkblack

                                @darkblack to solve problems after reboot i just customized pfSense-rc script to automatically truncate captive portal sqlite3 database.

                                Still looking for a way to automatically login devices after reboot, but i'm working with Fauxapi and i could be discovering something useful soon.

                                  darkblack @prophet

                                  @prophet Thanks a lot for your response. Can you please tell me what piece of code you added and at what position (between which lines), it will be helpful and others who stumble on this rather frustrating issue

                                    prophet @darkblack

                                    @darkblack

                                    in /etc/pfSense-rc, at the very end just before "exit 0".

                                    sqlite3 /var/db/captiveportalyourname.db <<EOF
                                    DELETE FROM captiveportal;
                                    EOF
                                    

                                    Where "yourname" is obviously the name of your captive portal.

                                    1 Reply Last reply Reply Quote 0
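Added example, not part of any post in this thread and not pfSense code: a read-only check for the mismatch discussed above, where the captive portal database still lists clients that the firewall no longer allows. Only the table name `captiveportal` comes from the thread; the column names (`allow_time`, `ip`, `mac`, `username`) and the set of firewall-allowed IPs passed in are assumptions, and the sample rows are constructed.

```python
import sqlite3


def reconcile(conn, firewall_ips):
    """Compare portal sessions with the IPs the firewall currently allows.

    Returns (stale, orphaned): sessions the database still lists although the
    firewall does not allow them, and allowed IPs that have no session record.
    """
    has_table = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name='captiveportal'"
    ).fetchone()
    if not has_table:  # database file exists but nobody ever logged in
        return [], sorted(firewall_ips)
    sessions = conn.execute(
        "SELECT ip, mac, username FROM captiveportal ORDER BY allow_time"
    ).fetchall()
    session_ips = {ip for ip, _mac, _user in sessions}
    stale = [s for s in sessions if s[0] not in firewall_ips]
    orphaned = sorted(set(firewall_ips) - session_ips)
    return stale, orphaned


def build_sample_db():
    """Constructed stand-in for /var/db/captiveportal<zone>.db (assumed columns)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE captiveportal "
        "(allow_time INTEGER, ip TEXT, mac TEXT, username TEXT)"
    )
    conn.executemany(
        "INSERT INTO captiveportal VALUES (?, ?, ?, ?)",
        [(1542290000, "192.168.2.10", "00:11:22:33:44:55", "alice"),
         (1542290100, "192.168.2.11", "00:11:22:33:44:66", "bob")],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    # Constructed post-reboot state: the firewall's allowed set is empty.
    stale, orphaned = reconcile(db, set())
    for ip, mac, user in stale:
        print(f"stale session: {user} {ip} {mac}")
    print("allowed without a session:", orphaned)
```

Any non-empty `stale` list after boot is the state in which a client is told "You are connected" while its traffic is still blocked.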
                                      Gertjan

                                      Instead of deleting files - and editing pfSense core files, I prefer to use the API.

                                      Consider this :
                                      Install the Shellcmd package which permits us to execute 'commands' at startup.

                                      Place a file called "captiveportal_disconnect_all.php" in the directory /root

                                      #!/usr/local/bin/php -q
                                      <?php
                                          /* Disconnect all clients on all captive portal instances */

                                          require_once("/etc/inc/util.inc");
                                          require_once("/etc/inc/functions.inc");
                                          require_once("/etc/inc/captiveportal.inc");

                                          global $g, $config, $cpzone, $cpzoneid;

                                          /* Are there any portals ? */
                                          if (is_array($config['captiveportal'])) {
                                              /* For every portal (cpzone), do */
                                              foreach ($config['captiveportal'] as $cpkey => $cp) {
                                                  /* Sanity check */
                                                  if (is_array($config['captiveportal'][$cpkey])) {
                                                      /* Is zone enabled ? */
                                                      if (array_key_exists('enable', $config['captiveportal'][$cpkey])) {
                                                          /* captiveportal_disconnect_all() works on the zone selected by these globals */
                                                          $cpzone = $cpkey;
                                                          $cpzoneid = $cp['zoneid'];
                                                          captiveportal_disconnect_all();
                                                      }
                                                  }
                                              }
                                              /* Logged once, after all zones have been processed */
                                              log_error("All users disconnected after system start-up");
                                          }
                                      ?>
                                      

                                      Add a command in the Shellcmd package :

                                      [Screenshot of the Shellcmd entry]
                                      Done.

                                        prophet @Gertjan

                                        @gertjan much better, thanks.
                                        do you have something similar to programmatically login users? given that we already have mac address, last ip, username.

                                          Gertjan @prophet

                                          @prophet said in Clients can't reconnect after pfsense reboot:

                                          do you have something similar to programmatically login users? given that we already have mac address, last ip, username.

                                          You were reading my mind ☺

                                          What you're asking for is the other way around : if a database exists with logged in user(s), why not rebuilding the ipfw rules for them ?!
                                          Right ?

                                          I guess it's possible.
                                          But : it's time out for me right now. I wrote the lines in the post above on a live system, throwing out users and restarting pfSense while testing : people are yelling all around me.
                                          I'll have a shot at it tomorrow.

                                          Basically, it should be a loop that iterates the database, and for every user

                                          function portal_allow($clientip, $clientmac, $username, $password = null, $attributes = null, $pipeno = null, $authmethod = null, $context = 'first') {
                                          

                                          should be called (see /etc/inc/captiveportal.inc, around line 2212)

                                          Except that this function does all the work (a lot of work !), and adds the user to the database ☹

                                          Keep in mind : firewall states and stuff like that will be gone.
                                          It should be something that is "voucher compatible", "Radius compatible", etc.

                                            darkblack

                                            Thanks @prophet @Gertjan, will try the shellcmd fix today. Wondering why this bug isn't fixed yet (officially) if it affects a wide scale of users.
