Any Change And Save Update Captive Portal Bug
-
What the webconfig shows, is nothing more as the content of a local database with connected users :
They are :
172.16.2.14
172.16.2.15
172.16.2.16
172.16.2.18
172.16.2.19
172.16.2.23Both tables company_guest_auth_up and table company_guest_auth_down should also contain these same IP's. And they do.
There is another firewall, pf, which is fed with the GUI firewall rules for your portal interface.
Check out
ipfw list :01000 skipto tablearg ip from any to any via table(cp_ifaces) 01100 allow ip from any to any 02100 pipe tablearg ip from any to any MAC table(cpzone1_pipe_mac) 02101 allow pfsync from any to any 02102 allow carp from any to any 02103 allow ip from any to any layer2 mac-type 0x0806,0x8035 02104 allow ip from any to any layer2 mac-type 0x888e,0x88c7 02105 allow ip from any to any layer2 mac-type 0x8863,0x8864 02106 deny ip from any to any layer2 not mac-type 0x0800,0x86dd 02107 allow ip from any to table(cpzone1_host_ips) in 02108 allow ip from table(cpzone1_host_ips) to any out 02109 allow ip from any to 255.255.255.255 in 02110 allow ip from 255.255.255.255 to any out 02111 pipe tablearg ip from table(cpzone1_allowed_up) to any in 02112 pipe tablearg ip from any to table(cpzone1_allowed_down) in 02113 pipe tablearg ip from table(cpzone1_allowed_up) to any out 02114 pipe tablearg ip from any to table(cpzone1_allowed_down) out 02115 pipe tablearg ip from table(cpzone1_auth_up) to any layer2 in 02116 pipe tablearg ip from any to table(cpzone1_auth_down) layer2 out 02117 fwd 127.0.0.1,8003 tcp from any to any 443 in 02118 fwd 127.0.0.1,8002 tcp from any to any 80 in 02119 allow tcp from any to any out 02120 skipto 65534 ip from any to any 65534 deny ip from any to any 65535 allow ip from any to anyAll these lines are actually easy to read :
Line 02118 (and 02117) will get hit if the the network connected user has no IP/MAC into one (or two) of the tables 02111 -> 02116.The login code places the IP/MAC into the tables company_guest_auth_down and company_guest_auth_up.
As long as these IP/MAC's are there, clients are not redirected to the captive portal by these firewall rules 02117/02118, except if they use the URL of the portal, something like
https://your.portal.net:800x?zone=company_guestCheck your logged in database and ipfw ones more, do an edit on the captive portal config page, and check both again.
You see what happens : tables company_guest_auth_down and company_guest_auth_up will be empty : people get redirected to the login portal (and can't login, because the database (== GUI Status => Captive Portal) considers them as logged in again.So, the get back to your issue : if both ipfw tables tables company_guest_auth_down and company_guest_auth_up contain teh IP/MAC of visitors, these visitors are not redirected to the login page. At least, not on behalf of pfSense.
Your issue is not related to the "config save => connected visitors logged out and can't re login" bug.
Show you "html login page" please.
-
There should not be another firewall in the network.
This is the current html login page:
<!DOCTYPE html> <html> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta http-equiv="content-type" content="text/html; charset=UTF-8" /> <title>Company Guest WLAN</title> <style> #content,.login,.login-card a,.login-card h1,.login-help{text-align:center}body,html{margin:0;padding:0;width:100%;height:100%;display:table}#content{font-family:'Source Sans Pro',sans-serif;background-color:#1C1275;background:linear-gradient(135deg, #1475CF, #2B40B5, #1C1275);-webkit-background-size:cover;-moz-background-size:cover;-o-background-size:cover;background-size:cover;display:table-cell;vertical-align:middle}.login-card{padding:40px;width:280px;background-color:#F7F7F7;margin:100px auto 10px;border-radius:2px;box-shadow:0 2px 2px rgba(0,0,0,.3);overflow:hidden}.login-card h1{font-weight:400;font-size:2.3em;color:#1383c6}.login-card h1 span{color:#f26721}.login-card img{width:70%;height:70%}.login-card input[type=submit]{width:100%;display:block;margin-bottom:10px;position:relative}.login-card input[type=text],input[type=password]{height:44px;font-size:16px;width:100%;margin-bottom:10px;-webkit-appearance:none;background:#fff;border:1px solid #d9d9d9;border-top:1px solid silver;padding:0 8px;box-sizing:border-box;-moz-box-sizing:border-box}.login-card input[type=text]:hover,input[type=password]:hover{border:1px solid #b9b9b9;border-top:1px solid #a0a0a0;-moz-box-shadow:inset 0 1px 2px rgba(0,0,0,.1);-webkit-box-shadow:inset 0 1px 2px rgba(0,0,0,.1);box-shadow:inset 0 1px 2px rgba(0,0,0,.1)}.login{font-size:14px;font-family:Arial,sans-serif;font-weight:700;height:36px;padding:0 8px}.login-submit{-webkit-appearance:none;-moz-appearance:none;appearance:none;border:0;color:#fff;text-shadow:0 1px rgba(0,0,0,.1);background-color:#4d90fe}.login-submit:disabled{opacity:.6}.login-submit:hover{border:0;text-shadow:0 1px rgba(0,0,0,.3);background-color:#357ae8}.login-card a{text-decoration:none;color:#222;font-weight:400;display:inline-block;opacity:.6;transition:opacity ease .5s}.login-card a:hover{opacity:1}.login-help{width:100%;font-size:12px}.list{list-style-type:none;padding:0}.list__item{margin:0 0 .7rem;padding:0}label{display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-box-align:center;-webkit-align-items:center;-ms-flex-align:center;align-items:center;text-align:left;font-size:14px;}input[type=checkbox]{-webkit-box-flex:0;-webkit-flex:none;-ms-flex:none;flex:none;margin-right:10px;float:left}@media screen and (max-width:450px){.login-card{width:70%!important}.login-card img{width:30%;height:30%}}textarea{width:66%;margin:auto;height:120px;max-height:120px;background-color:#f7f7f7;padding:20px}#terms{display:none;padding-top:100px;padding-bottom:300px;}.auth_source{border: 1px solid lightgray; padding:20px 8px 0px 8px; margin-top: -2em; border-radius: 2px; }.auth_head{background-color:#f7f7f7;display:inline-block;}.auth_head_div{text-align:left;}#error-message{text-align:left;color:#ff3e3e;font-style:italic;} </style> </head> <body> <div id="content"> <div class="login-card"> <img src="captiveportal-logo.png"/><br> <h1></h1> <div id="error-message"> #PORTAL_MESSAGE# </div> <form name="login_form" method="post" action="#PORTAL_ACTION#"> <input name="auth_voucher" type="text" placeholder="Voucher Code"> <div class="login-help"> <ul class="list"> <li class="list__item"> <label class="label--checkbox"> <input type="checkbox" class="checkbox" onchange="document.getElementById('login').disabled = !this.checked;"> <span>I agree with the <a rel="noopener" href="#terms" onclick="document.getElementById('terms').style.display = 'block';">terms & conditions</a></span> </label> </li> </ul> </div> <input name="redirurl" type="hidden" value="#PORTAL_REDIRURL#"> <input type="submit" name="accept" class="login login-submit" value="Login" id="login" disabled> </form> </div> <div id="terms"> <textarea readonly>TERMS</textarea> </div> </div> </body> </html>These are the current captive portal settings:
-
According to your settings you use the default, build in login page.
Check : "Use custom captive portal page" and compare the code html shown with your html .
The extremely important line :<input name="zone" type="hidden" value="$PORTAL_ZONE$" />is missing in your html ....
-
Ah i got it!
I changed the settings like you write to me now:
The new login page has the missing line now:
<body> <div id="content"> <div class="login-card"> <img src="captiveportal-logo.png"/><br> <h1></h1> <div id="error-message"> #PORTAL_MESSAGE# </div> <form name="login_form" method="post" action="#PORTAL_ACTION#"> <input name="auth_voucher" type="text" placeholder="Voucher Code"> <div class="login-help"> <ul class="list"> <li class="list__item"> <label class="label--checkbox"> <input type="checkbox" class="checkbox" onchange="document.getElementById('login').disabled = !this.checked;"> <span>I agree with the <a rel="noopener" href="#terms" onclick="document.getElementById('terms').style.display = 'block';">terms & conditions</a></span> </label> </li> </ul> </div> <input name="redirurl" type="hidden" value="#PORTAL_REDIRURL#"> <input type="submit" name="accept" class="login login-submit" value="Login" id="login" disabled> **<input name="zone" type="hidden" value="#PORTAL_ZONE#" />** </form> </div> <div id="terms">I have disconnected all users and will test the new configuration!
Thank you very much! I will give you all a feedback if it works now. -
Wish you all a happy new year!
I would like to give you a short feedback:After adding the code:
<input name="zone" type="hidden" value="$PORTAL_ZONE$" />in the custom login page it seems to work!
Thank you very much for your help.I have another question!
All of the employees use the vouchers for connecting to the guest wifi with private devices, but they have to type in the voucher every single day. This is very annoying for them. Is there any possibility to "save" the vouchers entries in the captive portal so that they do not need to type it in every single day? -
@streetsfinest said in Any Change And Save Update Captive Portal Bug:
but they have to type in the voucher every single day
Check your idle and hard time out values.
Visitors are thrown of the portal after "idle" time - and "hard" time.
They can reconnect, of course, if the credentials are valid. -
@streetsfinest said in Any Change And Save Update Captive Portal Bug:
Wish you all a happy new year!
I would like to give you a short feedback:After adding the code:
<input name="zone" type="hidden" value="$PORTAL_ZONE$" />in the custom login page it seems to work!
Thank you very much for your help.That's actually super strange
I checked everywhere in the code, there is no references to
$_POST['zone'].
This hidden input should have absolutely no effect on pfSense's Captive Portal in 2.4.XThis hidden input was used long time ago, but it's now an outdated string. Or at least it's supposed to be....
Maybe you spotted a new bug? -
@free4 said in Any Change And Save Update Captive Portal Bug:
This hidden input was used long time ago,
@free4 : He, ho -> time out ^^ : check out the very first line of the index.php file.
If the "zone" isn't defined, everything stops right away.
It's the mandatory parameter that makes it possible to support multiple captive portals on pfSense. -
@gertjan said in Any Change And Save Update Captive Portal Bug:
@free4 said in Any Change And Save Update Captive Portal Bug:
This hidden input was used long time ago,
@free4 : He, ho -> time out ^^ : check out the very first line of the index.php file.
If the "zone" isn't defined, everything stops right away.
It's the mandatory parameter that makes it ppfSenseossible to support multiple captive portals on .I know, but it's a
$_REQUEST(so it can contain both GET and POST data)The problem is, that the first browser request to display the captive portal login form is a GET one, so if
cpzone=....was missing in the URL, the login form woudn't even display. So i am sure that a GET parametercpzoneexists all the time during login process (if it didn't a blank page would be displayed instead, and an error message would appear clearly in the logs)anyway, doesn't really matter. Case closed, i guess.
-
@gertjan thanks for your answer!
In my opinion, if there is no value in the hard and idle timeout, it means that the users will not be disconnected. Is that right? I mean, what is the default time for those two options, if i leave it blank? I have not set those two options for now:
Should i set those options?
-
@streetsfinest check the validity time of your vouchers. You probably set up 1 day, so after 1 day all your users are disconnected. You can create vouchers with a much, much bigger validity time
If you need multiple validity times (1 day for guests and 30 for employees for instance), well you could create multiple rolls
-
-
Not setting an idle time and hard time out is "not recommended".
And remember the subject of this thread : if you re save the portal settings, your users will have troubles re connecting (firewall rule are flushed ...).
When using user/password or vouchers or then it is normal hat user have to retype their access credentials.
That's what happens what you give access to "untrusted users" on an trusted network (the portal).
If you trust your employees, consider using this :
on a seperate portal instance. -
@magokbas said in Any Change And Save Update Captive Portal Bug:
Hi,
Yep, probably true. I see the same thing.
This time the ipfw firewall rules are (still) destroyed, but the session stays present in captive portal SQLITE database : the user seems to be logged in but without ipfw rules they're hitting into the wall.Temporarily solution : Finish up you config, and don't change settings when users are connected ;)
yeah I am doing it right now. I can not even touch it. a very annoying situation
There is now a fix avaliable for this issue: https://forum.netgate.com/topic/137824/pfsense-no-internet-when-it-is-said-you-are-connected/13
-
Thank you for creating this patch!
Could you please explain how to install the patch?
I have tried to install via the patch installer:
-
@streetsfinest said in Any Change And Save Update Captive Portal Bug:
Thank you for creating this patch!
Could you please explain how to install the patch?
I have tried to install via the patch installer:You need to add ".diff" at the end of the patch URL.
https://github.com/pfsense/pfsense/pull/4031.diff
Otherwise your settings seems good -
@free4
Ah okay!
Now i get the following information after testing:
/usr/bin/patch --directory=/ -t -p2 -i /var/patches/5c32f2a9d342c.patch --check --forward --ignore-whitespace Hmm... Looks like a unified diff to me... The text leading up to this was: -------------------------- |diff --git a/src/etc/inc/captiveportal.inc b/src/etc/inc/captiveportal.inc |index 9b4856f774..b08bd350e0 100644 |--- a/src/etc/inc/captiveportal.inc |+++ b/src/etc/inc/captiveportal.inc -------------------------- Patching file etc/inc/captiveportal.inc using Plan A... Hunk #1 succeeded at 225. Hunk #2 succeeded at 233. Hunk #3 succeeded at 371. Hunk #4 succeeded at 391. Hunk #5 succeeded at 415. Hunk #6 succeeded at 563. Hunk #7 succeeded at 605. Hunk #8 succeeded at 698. Hunk #9 succeeded at 911. Hunk #10 succeeded at 967. Hunk #11 succeeded at 1101. Hunk #12 succeeded at 1219. Hunk #13 succeeded at 1234. Hunk #14 succeeded at 1683. Hunk #15 succeeded at 1706. Hunk #16 succeeded at 2208. Hunk #17 succeeded at 2431. Hmm... The next patch looks like a unified diff to me... The text leading up to this was: -------------------------- |diff --git a/src/etc/inc/globals.inc b/src/etc/inc/globals.inc |index 6d082a01d7..f1cc340192 100644 |--- a/src/etc/inc/globals.inc |+++ b/src/etc/inc/globals.inc -------------------------- Patching file etc/inc/globals.inc using Plan A... Hunk #1 failed at 69. 1 out of 1 hunks failed while patching etc/inc/globals.inc Hmm... The next patch looks like a unified diff to me... The text leading up to this was: -------------------------- |diff --git a/src/etc/inc/upgrade_config.inc b/src/etc/inc/upgrade_config.inc |index 97fb3d6a3e..51398ca6cb 100644 |--- a/src/etc/inc/upgrade_config.inc |+++ b/src/etc/inc/upgrade_config.inc -------------------------- Patching file etc/inc/upgrade_config.inc using Plan A... Hunk #1 succeeded at 5921 (offset -13 lines). Hmm... The next patch looks like a unified diff to me... The text leading up to this was: -------------------------- |diff --git a/src/usr/local/www/status_captiveportal.php b/src/usr/local/www/status_captiveportal.php |index bdfd441f5a..3963fd2ed5 100644 |--- a/src/usr/local/www/status_captiveportal.php |+++ b/src/usr/local/www/status_captiveportal.php -------------------------- Patching file usr/local/www/status_captiveportal.php using Plan A... Hunk #1 succeeded at 268. done ```java /usr/bin/patch --directory=/ -f -p2 -i /var/patches/5c32f2a9d342c.patch --check --reverse --ignore-whitespace Hmm... Looks like a unified diff to me... The text leading up to this was: -------------------------- |diff --git a/src/etc/inc/captiveportal.inc b/src/etc/inc/captiveportal.inc |index 9b4856f774..b08bd350e0 100644 |--- a/src/etc/inc/captiveportal.inc |+++ b/src/etc/inc/captiveportal.inc -------------------------- Patching file etc/inc/captiveportal.inc using Plan A... Hunk #1 succeeded at 227 with fuzz 2 (offset 2 lines). Hunk #2 failed at 237. Hunk #3 succeeded at 376 with fuzz 2 (offset 3 lines). Hunk #4 failed at 399. Hunk #5 succeeded at 1513 (offset 1091 lines). Hunk #6 failed at 1663. Hunk #7 failed at 1709. Hunk #8 failed at 1806. Hunk #9 failed at 1991. Hunk #10 failed at 2047. Hunk #11 failed at 2181. Hunk #12 failed at 2299. Hunk #13 failed at 2321. No such line 2773 in input file, ignoring Hunk #14 failed at 2770. Hunk #15 failed at 2793. Hunk #16 failed at 3295. Hunk #17 failed at 3505. 14 out of 17 hunks failed while patching etc/inc/captiveportal.inc Hmm... The next patch looks like a unified diff to me... The text leading up to this was: -------------------------- |diff --git a/src/etc/inc/globals.inc b/src/etc/inc/globals.inc |index 6d082a01d7..f1cc340192 100644 |--- a/src/etc/inc/globals.inc |+++ b/src/etc/inc/globals.inc -------------------------- Patching file etc/inc/globals.inc using Plan A... Hunk #1 failed at 69. 1 out of 1 hunks failed while patching etc/inc/globals.inc Hmm... The next patch looks like a unified diff to me... The text leading up to this was: -------------------------- |diff --git a/src/etc/inc/upgrade_config.inc b/src/etc/inc/upgrade_config.inc |index 97fb3d6a3e..51398ca6cb 100644 |--- a/src/etc/inc/upgrade_config.inc |+++ b/src/etc/inc/upgrade_config.inc -------------------------- Patching file etc/inc/upgrade_config.inc using Plan A... Hunk #1 failed at 5934. 1 out of 1 hunks failed while patching etc/inc/upgrade_config.inc Hmm... The next patch looks like a unified diff to me... The text leading up to this was: -------------------------- |diff --git a/src/usr/local/www/status_captiveportal.php b/src/usr/local/www/status_captiveportal.php |index bdfd441f5a..3963fd2ed5 100644 |--- a/src/usr/local/www/status_captiveportal.php |+++ b/src/usr/local/www/status_captiveportal.php -------------------------- Patching file usr/local/www/status_captiveportal.php using Plan A... Hunk #1 failed at 268. 1 out of 1 hunks failed while patching usr/local/www/status_captiveportal.php done -
@streetsfinest remove what's inside "patch content"
Then re-fetch your patch (i don't know wtf happened with your patch x) )
-
@free4
Done!
After that i got the same issue as i had before.
Could it be an issue with custom portal page? -
I'm seeing the same thing here.
I guess because @free4 is patching against pfsense:master (a futur "dev" version) and we are using 2.4.4-P1 ?
Thus files like
/etc/inc//etc/captiveportal.inc
/etc/inc/globals.inc
/etc/inc/upgrade_config.inc
/usr/local/www/status_captiveportal.php
are different.
