Netgate Discussion Forum

    Captive portal ignoring MACs in latest version and allowing all machines access

    42 Posts 5 Posters 4.8k Views
    • h2professor @Gertjan

      The captive portal is used by thousands, and it should have been known that adding some MACs to the MAC "Pass or Block" page adds a free ride for everybody. I have some blocked MACs and passes on that MAC page: it has just worked for years now.

      Like I said before, I've used it for years, and this client has used it for years.

      We have had problems with Captive Portal. Two bugs were acknowledged and fixed recently.

      I'm going to reset the settings on that router and enter everything again from scratch over the weekend.

      There is this "You are connected" 2.4.4-p3 bug which resets / flushes all tables in ipfw when a pfSense admin saves the portal settings. Authenticated users are still shown as "logged in" in the GUI, but the related IPs/MACs are flushed from the tables:

      This also happens here when people try to login, but we don't use the login feature anymore so it doesn't matter.

      • Gertjan @h2professor

        @h2professor said in Captive portal ignoring MACs in latest version and allowing all machines access:

        Like I said before, I've used it for years, and this client has used it for years.

        I understand - I'm just repeating myself a lot (close to rambling perhaps).
        You and I use the same code. I really want to see this bug. Seeing is resolving it.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        • h2professor @Gertjan

          I understand - I'm just repeating myself a lot (close to rambling perhaps).
          You and I use the same code. I really want to see this bug. Seeing is resolving it.

          If I install the latest pfSense on a separate machine and import this configuration, the problem exists also on the new machine. Perhaps I could sanitize the configuration file and post it here. Perhaps you can see something I can't. But I know it can be reproduced. It's not a complicated router: one WAN, one LAN. No hot backup.

          • Gertjan @h2professor

            @h2professor said in Captive portal ignoring MACs in latest version and allowing all machines access:

            Perhaps I could sanitize the configuration file and post it here

            Start with the entire <captiveportal> </captiveportal> XML dump.
            Don't post it here: drop it on pastebin.org and send me the link.

            What packages are installed on this setup?

            • h2professor @Gertjan

              @Gertjan said in Captive portal ignoring MACs in latest version and allowing all machines access:

              @h2professor said in Captive portal ignoring MACs in latest version and allowing all machines access:

              Perhaps I could sanitize the configuration file and post it here

              Start with the entire <captiveportal> </captiveportal> xml dump.

              I'll do this a bit later this morning. I think I already sent you everything except for the MAC entries.
              Can you send me your email address? I can send you these files directly. Send me an email h2professor@gmail.com

              What packages are installed on this setup ?

              arping*
              bandwidthd
              cron*
              darkstat*
              FTP_Client_Proxy
              notes*

              * can be uninstalled because we never use it; installed at the client's request years ago.
              • Gertjan

                Notes and cron are totally inoffensive.

                Same thing for arping, I just tested that one.

                FTP_Client_Proxy : I thought that FTP was abandoned .... but I'll install it anyway.

                bandwidthd and darkstat : never used them, but I'm pretty sure they do "mess" with the IP stack ....

                • h2professor @Gertjan

                  FTP_Client_Proxy : I thought that FTP was abandoned .... but I'll install it anyway.

                  We have no choice on this one. There are legacy devices in the organization that have to communicate with legacy FTP servers externally. I'm sure there's a workaround, but I can't believe this would suddenly be a problem after using it for years.

                  bandwidthd and darkstat : never used them, but I'm pretty sure they do "mess" with the IP stack ....

                  These could be uninstalled temporarily (darkstat permanently), but again, we have been using them for years with no problem.
                  edit: I just removed darkstat and it had no effect on the problem.

                  • Gertjan @h2professor

                    @h2professor said in Captive portal ignoring MACs in latest version and allowing all machines access:

                    been using them for years with no problem.

                    A recent update?
                    Packages are not static.
                    For example, it happened that FreeRADIUS was upgraded and broke my portal access because "there was a small glitch" in the newer version.

                    I don't use darkstat or bandwidthd so I don't know if they were upgraded, which could be a potential reason.
                    I'll install them anyway.

                    Btw: if this setup isn't patched or changed manually, you could take a backup (config file) of the system and remove these packages for testing purposes. Re-installing them afterwards, importing the backup file and rebooting would take care of things.

                    I'll report back Monday, have to leave now. Weekend ;)

                    • theworkingcentre

                      Did you resolve this? We are running into a problem that seems similar:

                      • We have incrementally upgraded from pfSense 1.x to 2.4.4-p3
                      • We have MAC addresses (but also allowed IP addresses)
                      • Setting bandwidth limits on the MAC addresses works, but the captive portal does not block blocked MAC addresses
                      • All users are able to use the network without the captive portal
                      • DNS works and is being done by pfSense
                      • The firewall allows http/https access

                      However, one thing is different: removing all MAC address listings does NOT fix the problem. The captive portal continues not to work.

                      I can generate the results of the ipfw commands above but do not know what I am looking for.

                      • h2professor @theworkingcentre

                        @theworkingcentre said in Captive portal ignoring MACs in latest version and allowing all machines access:

                        Did you resolve this? We are running into a problem that seems similar

                        Yes, that does seem similar. We did not get this solved with the latest version. We ended up rolling back to a mirror-drive backup dated October 7, 2017 and it's working. (The configuration is 100% identical other than the software version.) We're not going to apply any updates until we figure out how to get it working on the latest version. Nobody in this forum believes there's a real problem, so it's somewhat comforting that someone else is working the same problem, although I do apologize that it had to be you.

                        Coincidentally my client is shutting down for a company-wide getaway this coming week so I'll be able to focus my attention on getting the most recent version working, if it's possible. I might experiment with 2.5.x experimental releases if all else fails.

                        I will post my findings in this forum.

                        Thank you

                        • h2professor @theworkingcentre

                          @theworkingcentre said in Captive portal ignoring MACs in latest version and allowing all machines access:

                          removing all MAC address listings does NOT fix the problem

                          Question: are you using a custom Captive Portal login page? Or the stock firewall login page?
                          Thank you

                          • theworkingcentre @h2professor

                            @h2professor It is a custom login page.

                            Unlike your situation we do ask for a username and password, using the local database.

                            • h2professor @theworkingcentre

                              @theworkingcentre said in Captive portal ignoring MACs in latest version and allowing all machines access:

                              It is a custom login page

                              If it's no trouble, may I suggest that you delete your custom page and see if the problem resolves without it?
                              In a non-production setup last July (with the same configuration) we ended up in a situation where everything was working until we added the custom page. If this happens with yours as well, then we might narrow down the problem a bit.
                              Thanks

                              • theworkingcentre

                                No, when I delete the custom login page and use the default I get the same behavior.

                                • h2professor @theworkingcentre

                                  @theworkingcentre said in Captive portal ignoring MACs in latest version and allowing all machines access:

                                  I get the same behavior

                                  Okay, thank you for trying. We'll proceed with our testing here and will share anything that might be useful.
                                  Cheers

                                  • JeGr LAYER 8 Moderator

                                    @h2professor said in Captive portal ignoring MACs in latest version and allowing all machines access:

                                    Nobody in this forum believes there's a real problem,

                                    You had side-long talks in this topic about your problem and say nobody believes you? I find that hard to believe.

                                    As the last of this was talked about in June/July, did you @h2professor ever try to re-create the steps manually to "create" the problem you have?

                                    After reading through, I was always stuck with "and then I re-imported my whole/part of my config and the problem was back". Is it possible to re-trace the steps for the problem to appear? As @Gertjan said: seeing is (no, not believing) half way to fix a potential bug. But as this always re-appeared after updating/re-importing the config I'm wondering if it's a problem with the configuration as it is.

                                    Also, did anyone try to open a bug report at the pfSense Redmine and link this thread? It might be helpful for hunting down a potential bug!
                                    https://redmine.pfsense.org/projects/pfsense/issues

                                    Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

                                    If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

                                    • h2professor @JeGr

                                      @JeGr said in Captive portal ignoring MACs in latest version and allowing all machines access:

                                      I find that hard to believe

                                      How ironic.

                                      We tried everything that was suggested, but the client ran out of patience for the problem, so we were forced to use the last working cold mirror to get it back online.

                                      Here's a summary:

                                      It worked prior to 2.4.4-p3. It has worked for years.
                                      We upgraded to p3: it no longer works.
                                      We did a clean installation of p3: confirmed captive portal works as advertised in a basic installation on the hardware.
                                      We imported the original configuration: no longer works.
                                      We did a clean installation of the older 2.4.4-p1 and imported configuration: worked just fine.
                                      We tried dozens of suggestions, including removing packages, reinstalling, cutting sections out of the configuration, etc.

                                      We had to conclude that the problem is in version 2.4.4-p3 despite people insisting that "no changes were made to the captive portal section" bla bla bla. Hence, it's not a believable problem.

                                      I have a week with the client out of their building so I have time to figure this out, if it is possible.

                                      • theworkingcentre

                                        Well, I solved the problem in my installation, but I expect it won't help @h2professor . We have some allowed IPs in "Allowed IP addresses." One of our local IPs was listed there. However, that dialog allows you to set a subnet mask, and the IP in that subnet had been set to /24, not /32. So it was allowing the entire subnet through!

                                        In the process of finding this, I rebuilt my captive portal:

                                        • I created a dummy interface and assigned the old captive portal there.
                                        • I made the configurations the same for the new portal.
                                        • I added all of the IP addresses and hostnames (but idiot that I was, I inadvertently used a /32 for the offending IP in my new build, and not a /24 like in the old one)
                                        • I added the allowed MAC addresses one by one
                                        • I re-added my custom login page

                                        and sure enough the new portal worked, but the old one didn't. (I tested the new captive portal after adding each component, hoping to find the one that broke the build.)

                                        I also exported the captive portal config for these two captive portals and compared them, but I was not able to see any significant differences.

                                        The only thing that occurred to me was whether there might be a duplicate MAC address in the list? Due to a copy and paste error when transcribing entries I thought I had one. The current pfSense interface will not let me add a duplicate MAC address, but maybe some old one did?

                                        • theworkingcentre

                                          It is not quite true to say that the XML for the two captive portal backups was identical. There were some extra lines in the old one that were not present in the new one:

                                          <radius_protocol></radius_protocol>
                                          <redirurl></redirurl>
                                          <radiusip></radiusip>
                                          <radiusip2></radiusip2>
                                          <radiusip3></radiusip3>
                                          <radiusip4></radiusip4>
                                          <radiusport></radiusport>
                                          <radiusport2></radiusport2>
                                          <radiusport3></radiusport3>
                                          <radiusport4></radiusport4>
                                          <radiusacctport></radiusacctport>
                                          <radiuskey></radiuskey>
                                          <radiuskey2></radiuskey2>
                                          <radiuskey3></radiuskey3>
                                          <radiuskey4></radiuskey4>
                                          <radiusvendor>default</radiusvendor>
                                          <radiussrcip_attribute>wan</radiussrcip_attribute>

                                          (redirurl is actually in both).

                                          I notice that radiussrcip_attribute is set to wan in my listing and set to lan in yours. I tried changing mine to opt1 (my captive portal interface) in my backup file and restoring, but it made no difference.

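The two posts above point at checks that can be done mechanically rather than by eye: an allowed IP entered with a /24 instead of a /32 lets the whole subnet bypass the portal, a duplicate pass-through MAC is worth flagging, and a hand comparison of two zone dumps is easily confused by empty tags such as the blank RADIUS elements. The script below is an added example for this thread and is not pfSense code nor anything posted by the participants. It parses a <captiveportal> dump, reports allowed-IP entries that cover more than one host and duplicate MAC entries, and diffs two dumps while ignoring empty elements. The element names (allowedip/ip/sn, passthrumac/mac/action) are assumed from the pfSense 2.4.x config.xml layout, and the two sample dumps are constructed for the example.

```python
import ipaddress
from collections import Counter
import xml.etree.ElementTree as ET

# Constructed sample dumps, shaped after pfSense 2.4.x config.xml. The element
# names (<allowedip>/<ip>/<sn>, <passthrumac>/<mac>/<action>) are an assumption
# about that format; the addresses and MACs are made up for this example.
# OLD_ZONE carries the /24 mistake and a duplicated MAC; NEW_ZONE is the rebuilt zone.
OLD_ZONE = """<captiveportal>
  <cpzone>
    <zone>cpzone</zone>
    <enable></enable>
    <interface>opt1</interface>
    <radiussrcip_attribute>wan</radiussrcip_attribute>
    <radiusip></radiusip>
    <allowedip><ip>192.0.2.10</ip><sn>24</sn><dir>both</dir><descr>nas</descr></allowedip>
    <allowedip><ip>192.0.2.11</ip><sn>32</sn><dir>both</dir><descr>printer</descr></allowedip>
    <passthrumac><action>pass</action><mac>00:11:22:33:44:55</mac></passthrumac>
    <passthrumac><action>block</action><mac>00:11:22:33:44:55</mac></passthrumac>
    <passthrumac><action>pass</action><mac>66:77:88:99:aa:bb</mac></passthrumac>
  </cpzone>
</captiveportal>
"""
NEW_ZONE = """<captiveportal>
  <cpzone>
    <zone>cpzone</zone>
    <enable></enable>
    <interface>opt1</interface>
    <allowedip><ip>192.0.2.10</ip><sn>32</sn><dir>both</dir><descr>nas</descr></allowedip>
    <allowedip><ip>192.0.2.11</ip><sn>32</sn><dir>both</dir><descr>printer</descr></allowedip>
    <passthrumac><action>pass</action><mac>00:11:22:33:44:55</mac></passthrumac>
    <passthrumac><action>pass</action><mac>66:77:88:99:aa:bb</mac></passthrumac>
  </cpzone>
</captiveportal>
"""


def zones(xml_text):
    """Yield (zone name, element) for every zone directly under <captiveportal>."""
    root = ET.fromstring(xml_text)
    for zone in root:
        yield zone.findtext("zone", zone.tag), zone


def audit(xml_text):
    """Flag allowed-IP entries wider than a single host and MACs listed more than once."""
    broad, dup_macs = [], []
    for name, zone in zones(xml_text):
        for entry in zone.findall("allowedip"):
            ip = (entry.findtext("ip") or "").strip()
            sn = (entry.findtext("sn") or "").strip() or "32"  # empty <sn> means one host
            try:
                net = ipaddress.ip_network(f"{ip}/{sn}", strict=False)
            except ValueError:
                continue  # not an address; hostnames live elsewhere in the dump
            if net.num_addresses > 1:
                broad.append({"zone": name, "ip": ip, "network": str(net),
                              "hosts": net.num_addresses})
        counts = Counter((e.findtext("mac") or "").strip().lower()
                         for e in zone.findall("passthrumac"))
        dup_macs.extend({"zone": name, "mac": m, "count": c}
                        for m, c in counts.items() if m and c > 1)
    return {"broad_allowed_ips": broad, "duplicate_macs": dup_macs}


def leaf_settings(zone):
    """Set of (path, text) pairs for non-empty leaf elements; empty tags are ignored."""
    out = set()

    def walk(el, path):
        children = list(el)
        if not children:
            text = (el.text or "").strip()
            if text:
                out.add((path, text))
        for child in children:
            walk(child, f"{path}/{child.tag}")

    walk(zone, zone.tag)
    return out


def diff_zones(old_xml, new_xml):
    """Settings present in only one of the two dumps, per zone, ignoring empty elements."""
    old = {n: leaf_settings(z) for n, z in zones(old_xml)}
    new = {n: leaf_settings(z) for n, z in zones(new_xml)}
    result = {}
    for name in sorted(set(old) | set(new)):
        o, n = old.get(name, set()), new.get(name, set())
        result[name] = {"only_old": sorted(o - n), "only_new": sorted(n - o)}
    return result


if __name__ == "__main__":
    import json
    print(json.dumps(audit(OLD_ZONE), indent=2))
    print(json.dumps(diff_zones(OLD_ZONE, NEW_ZONE), indent=2))
```

Run against the constructed OLD_ZONE, the audit reports 192.0.2.10/24 as covering 256 hosts and 00:11:22:33:44:55 as listed twice, and the diff shows that apart from those two entries the only old-only setting is radiussrcip_attribute, which is what the manual comparison in the thread also turned up. To run it on a real system, paste the <captiveportal> section of a config backup into the string in place of the sample.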
                                          • h2professor @theworkingcentre

                                            @theworkingcentre said in Captive portal ignoring MACs in latest version and allowing all machines access:

                                            I solved the problem in my installation

                                            That's excellent work, thank you very much. We're going to try that. It's something we haven't considered. I'll report back in a couple of days.
                                            Cheers

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.