Captive portal always bypassing
-
Hi, I administrate a pfSense setup at my dorm. There we have a captive portal to ensure certain users only have a certain quota for their internet. The captive portal has a login site, and identifies the logged-in users by their MAC address. The authentication is done through a freeradius server with mysql. The pf captive portal is using interim mode to check against freeradius.
For a few days now, however, all traffic has been bypassed; that means no user has to log in in order to get to the internet. I don't see what could have changed.
pfSense is at: 2.4.4-RELEASE-p3
freeradius: Version 2.2.8
-
do you have routers (such as wifi router) between your pfsense and your devices ?
-
Yes and no. We offer both wifi and ethernet. The wifi routers only work as APs. That means they don't do NAT and no DHCP. Captive portal does not work from wifi as well as ethernet.
-
ok, sorry wrong clue
I was asking because many users have this issue because they are using a router with NAT between devices and pfsense
what's displayed inside the status->captive portal page? how many users are connected?
could you go to diagnosis -> command prompt, execute the command
ipfw table all list
and post here anonymized results?
-
what's displayed inside the status->captive portal page?
ipfw table all list:
--- table(cp_ifaces), set(0) ---
vmx0 2100 295497766 292079367206 1559073824
--- table(lan_auth_up), set(0) ---
10.10.0.81/32 xx:xx:xx:xx:xx:xx 2082 0 0 0
10.10.0.82/32 xx:xx:xx:xx:xx:xx 2072 0 0 0
10.10.0.181/32 xx:xx:xx:xx:xx:xx 2106 0 0 0
10.10.0.187/32 xx:xx:xx:xx:xx:xx 2064 0 0 0
10.10.0.249/32 xx:xx:xx:xx:xx:xx 2094 0 0 0
10.10.1.16/32 xx:xx:xx:xx:xx:xx 2074 0 0 0
10.10.1.24/32 xx:xx:xx:xx:xx:xx 2110 0 0 0
10.10.1.27/32 xx:xx:xx:xx:xx:xx 2098 0 0 0
10.10.1.48/32 xx:xx:xx:xx:xx:xx 2090 0 0 0
10.10.1.71/32 xx:xx:xx:xx:xx:xx 2096 0 0 0
10.10.1.188/32 xx:xx:xx:xx:xx:xx 2080 0 0 0
10.10.1.216/32 xx:xx:xx:xx:xx:xx 2066 0 0 0
10.10.2.8/32 xx:xx:xx:xx:xx:xx 2112 0 0 0
10.10.2.35/32 xx:xx:xx:xx:xx:xx 2092 0 0 0
10.10.2.40/32 xx:xx:xx:xx:xx:xx 2084 0 0 0
10.10.2.114/32 xx:xx:xx:xx:xx:xx 2114 0 0 0
10.10.2.126/32 xx:xx:xx:xx:xx:xx 2104 0 0 0
10.10.2.130/32 xx:xx:xx:xx:xx:xx 2102 0 0 0
10.10.2.147/32 xx:xx:xx:xx:xx:xx 2116 0 0 0
10.10.2.234/32 xx:xx:xx:xx:xx:xx 2068 0 0 0
10.10.3.6/32 xx:xx:xx:xx:xx:xx 2070 0 0 0
10.10.3.28/32 xx:xx:xx:xx:xx:xx 2120 0 0 0
10.10.3.98/32 xx:xx:xx:xx:xx:xx 2118 0 0 0
10.10.3.120/32 xx:xx:xx:xx:xx:xx 2108 0 0 0
10.10.3.141/32 xx:xx:xx:xx:xx:xx 2078 0 0 0
10.10.3.159/32 xx:xx:xx:xx:xx:xx 2076 0 0 0
10.10.3.238/32 xx:xx:xx:xx:xx:xx 2100 0 0 0
--- table(lan_host_ips), set(0) ---
10.10.7.201/32 0 18460 3416339 1559073821
10.10.7.254/32 0 956754 162666520 1559073823
--- table(lan_pipe_mac), set(0) ---
xx:xx:xx:xx:xx:xx any 2013 0 0 0
any xx:xx:xx:xx:xx:xx 2012 0 0 0
xx:xx:xx:xx:xx:xx any 2033 40337 13662578 1559073744
any xx:xx:xx:xx:xx:xx 2032 62146 75082844 1559073725
xx:xx:xx:xx:xx:xx any 2005 0 0 0
any xx:xx:xx:xx:xx:xx 2004 0 0 0
xx:xx:xx:xx:xx:xx any 2041 0 0 0
any xx:xx:xx:xx:xx:xx 2040 0 0 0
xx:xx:xx:xx:xx:xx any 2003 0 0 0
any xx:xx:xx:xx:xx:xx 2002 0 0 0
xx:xx:xx:xx:xx:xx any 2027 113775 136528994 1559066142
any xx:xx:xx:xx:xx:xx 2026 60099 13043501 1559065621
xx:xx:xx:xx:xx:xx any 2043 0 0 0
any xx:xx:xx:xx:xx:xx 2042 0 0 0
xx:xx:xx:xx:xx:xx any 2049 0 0 0
any xx:xx:xx:xx:xx:xx 2048 0 0 0
xx:xx:xx:xx:xx:xx any 2001 40942 9473306 1559073786
any xx:xx:xx:xx:xx:xx 2000 40948 5337083 1559073786
xx:xx:xx:xx:xx:xx any 2025 16262 19875180 1559073820
any xx:xx:xx:xx:xx:xx 2024 6945 593038 1559073820
xx:xx:xx:xx:xx:xx any 2009 0 0 0
any xx:xx:xx:xx:xx:xx 2008 0 0 0
xx:xx:xx:xx:xx:xx any 2023 0 0 0
any xx:xx:xx:xx:xx:xx 2022 0 0 0
xx:xx:xx:xx:xx:xx any 2035 0 0 0
any xx:xx:xx:xx:xx:xx 2034 0 0 0
xx:xx:xx:xx:xx:xx any 2031 5736 1951675 1559073728
any xx:xx:xx:xx:xx:xx 2030 7036 932558 1559073728
xx:xx:xx:xx:xx:xx any 2053 0 0 0
any xx:xx:xx:xx:xx:xx 2052 0 0 0
xx:xx:xx:xx:xx:xx any 2021 661433 883394044 1559073771
any xx:xx:xx:xx:xx:xx 2020 90765 10294113 1559073653
xx:xx:xx:xx:xx:xx any 2007 42854 45520096 1559073777
any xx:xx:xx:xx:xx:xx 2006 30950 3358468 1559073777
xx:xx:xx:xx:xx:xx any 2047 0 0 0
any xx:xx:xx:xx:xx:xx 2046 0 0 0
xx:xx:xx:xx:xx:xx any 2045 40800 50765159 1559073824
any xx:xx:xx:xx:xx:xx 2044 14798 2001444 1559073824
xx:xx:xx:xx:xx:xx any 2017 332135 324588686 1559073822
any xx:xx:xx:xx:xx:xx 2016 255655 191986930 1559073822
xx:xx:xx:xx:xx:xx any 2061 219419 300051570 1559073767
any xx:xx:xx:xx:xx:xx 2060 110327 8765703 1559073767
xx:xx:xx:xx:xx:xx any 2039 0 0 0
any xx:xx:xx:xx:xx:xx 2038 0 0 0
xx:xx:xx:xx:xx:xx any 2037 379560 470206774 1559073823
any xx:xx:xx:xx:xx:xx 2036 239337 29587450 1559073823
xx:xx:xx:xx:xx:xx any 2057 0 0 0
any xx:xx:xx:xx:xx:xx 2056 0 0 0
xx:xx:xx:xx:xx:xx any 2015 15645 10564113 1559073823
any xx:xx:xx:xx:xx:xx 2014 14474 1363211 1559073823
xx:xx:xx:xx:xx:xx any 2029 0 0 0
any xx:xx:xx:xx:xx:xx 2028 0 0 0
xx:xx:xx:xx:xx:xx any 2011 424988 515776136 1559073818
any xx:xx:xx:xx:xx:xx 2010 266988 28753324 1559073818
xx:xx:xx:xx:xx:xx any 2051 0 0 0
any xx:xx:xx:xx:xx:xx 2050 0 0 0
xx:xx:xx:xx:xx:xx any 2019 349689 497773419 1559064286
any xx:xx:xx:xx:xx:xx 2018 77000 4801787 1559063778
xx:xx:xx:xx:xx:xx any 2059 1156141 1703206065 1559073570
any xx:xx:xx:xx:xx:xx 2058 430631 22792756 1559073571
xx:xx:xx:xx:xx:xx any 2055 478831 451309939 1559049933
any xx:xx:xx:xx:xx:xx 2054 400380 28902792 1559049635
--- table(lan_auth_down), set(0) ---
10.10.0.81/32 2083 0 0 0
10.10.0.82/32 2073 0 0 0
10.10.0.181/32 2107 0 0 0
10.10.0.187/32 2065 0 0 0
10.10.0.249/32 2095 0 0 0
10.10.1.16/32 2075 0 0 0
10.10.1.24/32 2111 0 0 0
10.10.1.27/32 2099 0 0 0
10.10.1.48/32 2091 0 0 0
10.10.1.71/32 2097 0 0 0
10.10.1.188/32 2081 0 0 0
10.10.1.216/32 2067 0 0 0
10.10.2.8/32 2113 0 0 0
10.10.2.35/32 2093 0 0 0
10.10.2.40/32 2085 0 0 0
10.10.2.114/32 2115 0 0 0
10.10.2.126/32 2105 0 0 0
10.10.2.130/32 2103 0 0 0
10.10.2.147/32 2117 0 0 0
10.10.2.234/32 2069 0 0 0
10.10.3.6/32 2071 0 0 0
10.10.3.28/32 2121 0 0 0
10.10.3.98/32 2119 0 0 0
10.10.3.120/32 2109 0 0 0
10.10.3.141/32 2079 0 0 0
10.10.3.159/32 2077 0 0 0
10.10.3.238/32 2101 0 0 0
--- table(lan_allowed_up), set(0) ---
10.10.0.0/21 2062 89390755 24792069760 1559073824
--- table(lan_allowed_down), set(0) ---
10.10.0.0/21 2063 198092339 261271319196 1559073824
The reason why there are still people logged in, I guess, is because they are used to logging in when they enter the dorm. But I am sure they didn't log in because the network was not working for them. As normally we have ~200 people listed here.
-
This looks very strange to me:
@schabi said in Captive portal always bypassing:
...
--- table(lan_allowed_up), set(0) ---
10.10.0.0/21 2062 89390755 24792069760 1559073824
--- table(lan_allowed_down), set(0) ---
10.10.0.0/21 2063 198092339 261271319196 1559073824
This means:
10.10.0.1 to 10.10.7.254 goes right through ... is that what you want?
Nota: Mask /21 = 111 1111 1111 = $7ff
What did you put in "Allowed IP Addresses"?
-
@Gertjan is right
please check your "Allowed IP address" settings. I don't think you wanted to allow 10.10.0.0/21
-
Update:
I just tried it out myself:
192.168.2.0/24 is my captive portal network.
Adding a network like does offer everybody a free ride !! Works great actually.
Although, it could be done more easily: just shut down the captive portal ...
edit: I guess I know who's slamming his head right now ^^
-
Ah wtf, I didn't see that. How did this setting even get there?
Thank you very much. I'll remove it on Monday as I am currently on vacation.
-
@schabi said in Captive portal always bypassing:
Ah wtf, I didn't see that. How did this setting even get there?
Config changes are logged - so bring along the baseball bat, and consult the log ;)
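
An added example, not part of the original thread: a Python audit of `ipfw table all list` output for the misconfiguration diagnosed above, an "Allowed IP Addresses" entry wide enough to cover the portal's own clients. It assumes tables are named `<zone>_auth_up` and `<zone>_allowed_up`/`<zone>_allowed_down` as in the posted output; the function names and sample data are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in the format of `ipfw table all list` (all values made up).
SAMPLE = """\
--- table(lan_auth_up), set(0) ---
10.10.0.81/32 00:00:5e:00:53:01 2082 0 0 0
10.10.3.238/32 00:00:5e:00:53:02 2100 0 0 0
--- table(lan_allowed_up), set(0) ---
10.10.0.0/21 2062 89 2479 1559073824
10.10.7.201/32 2064 5 600 1559073820
--- table(lan_allowed_down), set(0) ---
10.10.0.0/21 2063 198 2612 1559073824
"""

HEADER = re.compile(r"^--- table\((\w+)\), set\(\d+\) ---$")

def parse_tables(text):
    """Return {table_name: [key (first field) of each entry]}."""
    tables, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            current = tables.setdefault(m.group(1), [])
        elif line and current is not None:
            current.append(line.split()[0])
    return tables

def find_bypass_entries(text, max_hosts=1):
    """Flag allowed-IP entries wider than max_hosts addresses."""
    tables = parse_tables(text)
    findings = []
    for name, keys in tables.items():
        if "_allowed_" not in name:
            continue
        # Logged-in clients of the same zone, used to show the overlap.
        zone = name.split("_allowed_")[0]
        clients = [ipaddress.ip_network(k) for k in tables.get(zone + "_auth_up", [])]
        for key in keys:
            net = ipaddress.ip_network(key, strict=False)
            if net.num_addresses > max_hosts:
                covered = sum(c.version == net.version and c.subnet_of(net) for c in clients)
                findings.append((name, str(net), net.num_addresses, covered))
    return findings

if __name__ == "__main__":
    for table, net, size, covered in find_bypass_entries(SAMPLE):
        print(f"{table}: {net} spans {size} addresses, {covered} logged-in client(s) inside")
```

Raise `max_hosts` if small allowed ranges are intentional; any finding whose range contains logged-in clients means those clients never needed to authenticate.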