Captive portal dont show logged users after marked mac pass-through
-
After marked Mac Pass-through:
Users logged dont show in status->captive portal:
why?
-
Feature request exist https://redmine.pfsense.org/issues/9627
-
@edicastro said in Captive portal dont show logged users after marked mac pass-through:
why?
True, the user has to log in ones to have it's MAC added to the list with MAC(s) that are allowed to go though without pfSense 'seeing' any further traffic of this device = they will show up on the Services > Captive Portal > [portal name] > MACs.
An early ipfw firewall has a table with all the MAC's that are allowed without further interaction.
This means that this device doesn't use a something that can is considered by pfSense as a session.But : checking out the xxxxx_pipe_macipfw table shows :
--- table(xxxxx_pipe_mac), set(0) --- ..... b0:cc:2d:45:aa:da any 2049 533 555054 1602673668 any cc:70:2d:45:aa:da 2048 477 39677 1602673668 ....This " b0:cc:2d:45:aa:da" has been auto MAC added upon the first login.
Because auto added MAC's have pipes, the traffic they generate is counted.
pfSense could parse this traffic info - the 555054 (bytes down) and 39677 (bytes up) numbers in my example - to see if the device is actually generating traffic, and if so, showing it in the "Captive Portal Status" list like the other, logged in , users . And remove it from the list after, for example, when "Idle timeout (Minutes)" arrives without seeing any traffic change during this "Idle timeout (Minutes)".So, it can be done. The feature could be implemented.
edit :
Services > Captive Portal > ZONE > MACsOr do you want this page to be shown as a widget on the dashboard ?
When
is selected, this :
has no meaning any more - it will stay empty because the auto mac add is valid for every portal user.
.... and - feature - could be populated with 'active auto MAC users'.Btw : I left the option auto mac add activated for the night.
This morning, I found this :
I know they logged in, and I could even find out when, and I could throw them off, which I did.No "help me" PM's please. Use the forum, the community will thank you.
Edit : and where are the logs ?? -
@viktor_g This feature has accepted for pfsense team?
-
@Gertjan your images post dont show. try imgur.com to send images
-
@edicastro said in Captive portal dont show logged users after marked mac pass-through:
try imgur.com to send images
I added them.
I prefer not to use add-black-holes .... and keeping pfSense info at the pfSense forum. -
Great! This post is very use full.
-
@Gertjan said in Captive portal dont show logged users after marked mac pass-through:
True, the user has to log in ones to have it's MAC added to the list with MAC(s) that are allowed to go though without pfSense 'seeing' any further traffic of this device = they will show up on the Services > Captive Portal > [portal name] > MACs.
An early ipfw firewall has a table with all the MAC's that are allowed without further interaction.Correct, see https://github.com/pfsense/pfsense/blob/2e1cfbf9957a559a49af37c00f07db8854950ae3/src/etc/inc/captiveportal.inc#L746
in other words this is just static firewall rulesBecause auto added MAC's have pipes, the traffic they generate is counted.
pfSense could parse this traffic info - the 555054 (bytes down) and 39677 (bytes up) numbers in my example - to see if the device is actually generating traffic, and if so, showing it in the "Captive Portal Status" list like the other, logged in , users . And remove it from the list after, for example, when "Idle timeout (Minutes)" arrives without seeing any traffic change during this "Idle timeout (Minutes)"."Idle Timeout (Minutes)" can confuse pfSense administrators in a different way. When you see MAC on the configuration page, but not on Active users page due to incorrect timeout settings or host inactivity (printers, phones, servers etc)
feel free to leave your comments/ideas on https://redmine.pfsense.org/issues/9627
-
@viktor_g said in Captive portal dont show logged users after marked mac pass-through:
"Idle Timeout (Minutes)" can confuse pfSense administrators in a different way.
Like a smart wall outlet that calls home, opens a channel, and waits for incoming instructions, that might come in after hours or days.
Yeah, when I think about the possible pitfalls : they are there.I did not mean that "Idle Timeout (Minutes)" should be used to disconnect a device. The disconnecting thing is only meant to be used for logged in users that will get removed after after a certain time of non connectivity.
As soon as "Pass-through MAC Auto Entry" is set, something like "Idle Timeout (Minutes)" has no meaning any more, as ALL logged in devices will get auto-MAC-add.
The captive portal status widget becomes .... useless / not needed as it will be empty : the connected user database would be empty.
So, why not showing something useful like "these are the "auto MAC" devices that generated traffic the last xx time" ?
Or list all the auto mac added devices ? (with traffic usage statistics ?)
Because "Pass-through MAC Auto Entry" is set, one could change the title of the widget, and change the behaviour off the disconnect function, so it will remove the MAC from the list / firewall table rule ?Any way, nothing that can be pulled of by @viktor_g in an hour or two ;)
-
how to identify the activities of the users of the "mac past-through" in the logs?
-
@edicastro said in Captive portal dont show logged users after marked mac pass-through:
how to identify the activities of the users of the "mac past-through" in the logs?
Re read my post above where I say :
But : checking out the xxxxx_pipe_macipfw table shows :
Yo can do so with your fingers and keyboard : type the command mentionned, do some number subtractions and you'll find the traffic.
Or bring @viktor_g to the bounty room. -
@Gertjan said in Captive portal dont show logged users after marked mac pass-through:
But : checking out the xxxxx_pipe_macipfw table shows :
@Gertjan I dont understand... where i find "xxxxx_pipe_macipfw" in pfsense? this is a command line? or gui functionality?
-
@edicastro type the command line
ipfw table all listThe result should indicate you the status of the two ipfw tables named
xxxxx_pipe_macThese tables indicate who is connected
