Pfsense, No internet when it is said "You are connected".

Gertjan

@dhmyess said in Pfsense, No internet when it is said "You are connected".:

Still unsolved, I have to disconnect user manually after rebooting

Hummm.
You posted here, in this thread. So you must have read this thread.
What you mean with "unsolved" is that, after finding the problem, finding this thread, concluding that you have the same problem, applying the solution, you still have a problem which is : users show connected in Status > Captive Portal > [ZONE] after a reboot ?

edit : well, in that case : you are correct.

I logged in to my portal.
Saw that I showed up in Status > Captive Portal > [ZONE]
Also, I checked that I was listed into the two ipgw tables :

ipfw table cpzone1_auth_down list
ipfw table cpzone1_auth_up list

( my zone is called cpzone1 )

I reboot pfSense.

After the Status > Captive Portal > [ZONE] still showed I was logged in.
The ipfw table where empty ....
So, I saw the "You are connected." ...... again.

The solution :
Look (search) this part in the file /etc/inc/system.inc :

function system_reboot_cleanup() {
	global $config, $cpzone, $cpzoneid;

Right after 'global', add " $g, "

function system_reboot_cleanup() {
	global $g, $config, $cpzone, $cpzoneid;

Btw :
@free4 : you confirm ?
This issue is fixed upstream. I guess was created when it was backported ?

In this function system_reboot_cleanup(), the global "{$g['vardb_path']}" is used.
The result (before adding the $g) is that deleting the captive portal logged in database is NOT deleted with
unlink_if_exists("{$g['vardb_path']}/captiveportal{$cpzone}.db");
because "{$g['vardb_path']}" is empty (non defined). So the command tries to delete something inexistant, the captive portal user database survives the reboot ...

dhmyess

I was add $g like you said and reboot, but user still logged in captive portal, my captive portal zone name is 'cp', and strangely everytime i save change or when i click disconnect all users interface that i selected on captive portal will be freeze and i must reboot the router to make it work again.

Gertjan

When you add the "$g, ", the logged-in user data base is destroyed - when pfSense reboots, it won't show show any logged in users - because the 'list' is deleted.

Did you 'really' edited the file /etc/inc/system.inc ?
(and before, apply the patch stated above ? )

@dhmyess said in Pfsense, No internet when it is said "You are connected".:

when i click disconnect all users interface that i selected on captive portal will be freeze and i must reboot the router to make it work again.

Freeze ?
Logs ?
Other user ?
ipfw table list ? (see https://docs.netgate.com/pfsense/en/latest/captiveportal/captive-portal-troubleshooting.html )
Can you detail ?

dhmyess

@Gertjan Yes, I've ready apply this patch and then edited the file /etc/inc/system.inc but no changes.

Am I use wrong patch??

sorry for slow respon, I have to wait for users not using the network to work, I do not want to get complaints from them because of my trial.

For freezing issues it's probably due to motherboard problems or bios bugs, because other machines aren't affected.

Gertjan

First solve "motherboard problems or bios bugs" - then post back concerning portal problems.

I'm using the patch sited above :

and also edited /etc/inc/system.inc - for the sole reason that when I restart pfSense the "connected user database" should be deleted.
Note that I rarely reboot pfSense ... so that "^$g" patch is not very important.

I even don't need the " https://github.com/pfsense/pfsense/compare/RELENG_2_4_4...Augustin-FL:fix-reconfig-for-2-4-4.diff " because I never edit portal settings ... why should I ? It up and running for years now.

I do have an entire hotel - about 20 people are connected daily - and all works well.
https://www.test-domaine.fr/munin/brit-hotel-fumel.net/pfsense.brit-hotel-fumel.net/portalusers.html

dhmyess

@Gertjan apparently I used the wrong patch, after i use patch
https://github.com/pfsense/pfsense/compare/RELENG_2_4_4...Augustin-FL:fix-reconfig-for-2-4-4.diff
it works!!!
problem solved, I am very very grateful for your help

MacUsers

Hi there,
First time Captive Portal user: following this video tutorial and the login page came up right away the moment I logged into GUEST network/WiFi and then straight way presented with "You are connected" but no Internet access, just like every one else reported here (hence, reading this page). Also updated this patch, as suggested but still no joy yet. I'm on the latest v2.4.4-RELEASE-p3 and using only the Voucher based access. Could any one help me out with any suggestions and stuff pls?

-San

MacUsers

I figured out a different thing for me: It started working after I added this rule in Firewall/NAT/Outbound:

(192.168.60.x is my GUEST network)
It's working okay for me now. Probably the patch upgraded also contributed to the success??

-S

johnpoz

Well if you had dicked with outbound nat and turned if off automatic, then yeah you going to have all kinds of problems!! With no outbound nat..

MacUsers

@johnpoz said in Pfsense, No internet when it is said "You are connected".:

Well if you had dicked with outbound nat and turned if off automatic, then yeah you going to have all kinds of problems!! With no outbound nat..

Yeah, I had to switch to Manual Outbound NAT couple of yrs. ego, which I completely forgotten about it. Wanted to mentioned here just in case anyone else did the same mistake as me.

-S

johnpoz

@MacUsers said in Pfsense, No internet when it is said "You are connected".:

Yeah, I had to switch to Manual Outbound NAT couple of yrs. ego

Highly unlikely to be honest... Why did you have to switch to manual exactly? Because some vpn service guide said to? You were routing some network behind pfsense that didn't need nat at all?

Hybrid is normally better choice when you need to do something out of norm with outbound nat for some vpn client connection your routing traffic through.

MacUsers

@johnpoz, I'm actually now trying to think why did I do that. I don't use any external VPN service but that time I was new to pfSense and probably was following some of the guides.
Actually trying to clean up the collected junks from my config. So you saying just simply switch to Hybrid and remove all of the manually added rules?

-S

johnpoz

You should be able to switch to just full auto.. If your not using a vpn connection to some vpn service - I to be honest off the top of my head can not think of why you would not just be full auto for outbound nat..

Do you have more than 1 wan connection, where you would want to determine which clients get natted to which wan?

Really if you are just plain jane out of the box type of setup, wan and lan(s) on your pfsense then yeah auto is all that would be needed, and is default out of the box.

Even if you were doing downstream router with transit to pfsense, etc. auto works there too, etc. It really should be rare that you need to switch from auto to hybrid, or even rarer manual.. There would have to be something unique to your network.

stephenw10

Yeah if you need to add custom rules switching to hybrid is generally better as you still auto rules to avoid exactly this sort of thing.
If it was a long while back there may not have been the hybrid mode option. At one time there was just auto or manual.

Steve

johnpoz

@stephenw10 said in Pfsense, No internet when it is said "You are connected".:

At one time there was just auto or manual.

And what version was that, 1, 2.0 ?? I do not recall that at all.

stephenw10

It was added in 2.2 so it would have to be pretty old install. But possible!

johnpoz

Yeah would of been over 5 years ago to be pre 2.2..

That there are still copies out there running such old versions is on one a good testimony to pfsense... On the other hand - WTF people!!! And we wonder why people have issues when they don't update their security software in over 5 years ;)

MacUsers

I think I started using pfSence on WatchGuard around 2014 and I do recall there was no hybrid option during that time; probably that config is hanging around since then. The thing I can remember, all of my devices (TV, AV receivers etc.) in a separate VLAN and I didn't want outbound connections for those devices - I think that was main reason
-S

MacUsers

anyway, going back to captive-portal thing again, is there a way to allow fonts.googleapis.com from the portal, before logging in? I'm working on a custom login page and wish to use some fonts from there in the CSS (i.e. @import url(//fonts.googleapis.com/css?family=Open+Sans);). So I allowed fonts.googleapis.com in the Allowed Hostnames but it's not being imported. Anything else I need to do to make it working? Or is it possible at all?
-S

free4

@MacUsers font.googleapis.com itself is calling other domains