Session expiration, and users being blocked on layer 2

  • Hello everybody….

    Honestly I havent been able to sleep quietly... after the upgrade..... before that, both my captive portal zones.. worked like a charm... it was paradise... after upgrade chaos came upon... jajaja "Just having little fun"

    After the upgrade I have a couple of issues... one of them  was solved with te help of Gertjan "some logged in voucher users lost internet connectivity shortly after succesful login nothing on the logs"  <----- that issue is no more thanks to Gertjan...

    Later on I found out that I was experiencing more issues... but I didn't want to open a topic about it right away... I wanted to see if I could understand what was happening so I could ask clearer questions about it...

    two issues, both seem to be captive portal related issues..
    1rst... not all.. but some sessions are expiring before their due date... it does not happen on both zones... the other day I was having this issue on zone 4, which I changed to zone 6.... and now it's happening on zone 2... I have two cp zonez 2 and 6
    I use Pass-through MAC Auto Entry...
    below there are atachments regarding this issue (issue number one)

    2nd... after a power failure, I noticed that some clients couldn't get an ip address from pfsense... on the logs I could see the dhpc request, and the dhcp offer made by the server, so the client should be getting the ip... for some clients dhcp worked as normal but for some others they were not getting an ip addres...
    I noticed that even if I'd put a static addres to that client... that especific client wouldn't even be able to acces the pfsense box... like an arp block...
    testing and testing I found out that if I disabled CP... things get back to normal... clients get the ip.. and are able to navigate again... when I reenable captive portal, things are normal...
    Also if I reboot the firewall by command things are fixed...

    please, dont mention a ups or "power backup" a have one... but where I live Dominican Republic/Barahona avoiding power failure is kind of impossible to acomplish...
    thanks in advance...

    If I can't solve this... I'm gonna have to roll back to 2.2.6.... In fact I havent done that... because my box's serial port is damaged and it doesn't have a VGA port... and I have to get a pc which has a realtek network card, so I can install there and then move the hard disk to my pfsense box.. and I don't have one around...!!!

    ![system info.JPG](/public/imported_attachments/1/system info.JPG)
    ![system info.JPG_thumb](/public/imported_attachments/1/system info.JPG_thumb)
    ![pass-through Mac Auto Entry.JPG](/public/imported_attachments/1/pass-through Mac Auto Entry.JPG)
    ![pass-through Mac Auto Entry.JPG_thumb](/public/imported_attachments/1/pass-through Mac Auto Entry.JPG_thumb)
    ![voucher 5 dias 7200 mins.JPG](/public/imported_attachments/1/voucher 5 dias 7200 mins.JPG)
    ![voucher 5 dias 7200 mins.JPG_thumb](/public/imported_attachments/1/voucher 5 dias 7200 mins.JPG_thumb)
    ![voucher 5 dias 7200 mins2.JPG](/public/imported_attachments/1/voucher 5 dias 7200 mins2.JPG)
    ![voucher 5 dias 7200 mins2.JPG_thumb](/public/imported_attachments/1/voucher 5 dias 7200 mins2.JPG_thumb)
    ![reusing the voucher.JPG](/public/imported_attachments/1/reusing the voucher.JPG)
    ![reusing the voucher.JPG_thumb](/public/imported_attachments/1/reusing the voucher.JPG_thumb)

  • Vouchers are set up per captive portale instance (zones).

    So (this is what I make of it, I didn't tested neither checked) vouchers from zone1 can't work on zone2.

    It's strange to see that the same :
    Voucher "y4kMaa" is valid for 2451 minutes on 18:42 (Juin 12)
    and also
    Voucher "y4kMaa" is expired the same day, a little bit earlier at 07:25 (Juin 12)

    This voucher was used the first time at 11:33, Juin 9, so it should expire in Juin 14, same hours - NOT before, at Juin 12, what actually happens)

    Your voucher time-household-keeping (these are just files that change all the time) seems messy to me. pfSense restarting isn't something that has a positive influence neither.

    Btw : Why using vouchers valid for 5 days (7200 minutes) if you activate the auto MAC ADD ?
    Ones the MAC gets added, the device - in this case : 2c:54:cf:a9:a6:89 - was added to the MAC list right after login, so it has access afterwards, whatever happens. The vouchers being expired will not disconnect the user, because access is granted upfront (see your ipfw rules).

    Is "2c:54:cf:a9:a6:89" on the list ?
    Is it listed in the firewall rules (NOT the GUI rules, but THESE rules)

  • LAYER 8 Netgate

    If you enable vouchers with:

    Enable Pass-through MAC automatic additions


    Enable Pass-through MAC automatic addition with username

    The captive portal pruner will catch the voucher expiration and, since the username in the MAC passthrough entry is the voucher code, it will automatically delete all passthrough entries for that voucher, effectively terminating the CP sessions for that voucher.

    The text in the CP config screens does not indicate this is the case.

    It really works quite well.

    The only significant problem I ever say was if a user entered the same voucher code there could be multiple entries for the same MAC address.  Pretty harmless and they are all deleted when the voucher expires anyway.

    This is really the only way to issue long-term CP logins that automatically expire without running into a lot of messy things like DHCP pool cycles.

  • Do I understand well that the MAC-list is also purged (the MAC that was entered when the voucher was being used the first time) ?

    ( I guess I could look it in the manual => the code ;) )

  • @Derelict:

    Enable Pass-through MAC automatic additions


    Enable Pass-through MAC automatic addition with username

    I'm using that because I need logins to be persistent after reboot… (and yes... when the voucher is exired... the mac passthrough and username are removed... from the config file... and from the firewall rules... (user not able to go through) at least it was working before...


    Vouchers are set up per captive portale instance (zones).

    Is not the voucher which is expired… is just the session... I can reuse the same voucher... and is gonna work with the remaining time the voucher has left...    what I mean is that the session shouldnt expire... not even after reboot... It was not doing it before... and even now that it's doing it... it is not happening for all voucher users.. just for some of them...
    #voucher "y4kMaa" logs in on Jun 9th at 11:33
    #Session Expires on Jun 12th at 7:28
    #then I reuse the voucher... *and that is all in the same zone... zone 2, walford...

    *** once again... yes the mac addres that is used with a vouchaer is olso purged... when the voucher expires...***

    What about issue number two... captive portal blocking some "macs" after a hard reboot (power failure), and I say macs... because the client doesnt even get an IP address, and if I put a static addres... tha client is not able to navigate at all... nor can it go to the captive portal at all... I can see the client's dchp request, and the dhcp offer made by pfsense.. once I disable or reload cp portal... things get back to normal... also a clean reboot will do the same...

  • Looking at theese two log entries…. "attached below"

    one of them says the voucher is alredy used and expired... and the other only says... invalid!!!, that followed by a session termination..

    that made me think about the public and private keys...
    I went there on the gui...

    "-----BEGIN RSA PRIVATE KEY-----
    -----END RSA PRIVATE KEY-----"

    "-----BEGIN PUBLIC KEY-----
    -----END PUBLIC KEY-----"

    "as you can see...  I have a shorter key.... that was no problem before"...

    I found that there were spaces at the end of each key... I deleted them (spaces)
    I also found that on the private key it was like this :

    "-----BEGIN RSA PRIVATE KEY-----
    -----END RSA PRIVATE KEY-----"

    there is a  "RETURN" difference with this private key... and the one above.... It was like this... and I deleted the "return" and saved voucher settings... vouchers are still working after the changes, I rebooted the firewall... it seems no session was expired other that the ones that were supposed to...

    I have a good feeling about this being the problem.... what do you think?

    I also want to mention Issue number two.... which I'll have to wait for another hard reboot to see if it's still happening (I don't want to cause a hard reboot manually) Id rather wait...
    thanks again

    ![voucher 5 dias 7200 mins2.JPG](/public/imported_attachments/1/voucher 5 dias 7200 mins2.JPG)
    ![voucher 5 dias 7200 mins2.JPG_thumb](/public/imported_attachments/1/voucher 5 dias 7200 mins2.JPG_thumb)
    ![legitimate expiration.JPG](/public/imported_attachments/1/legitimate expiration.JPG)
    ![legitimate expiration.JPG_thumb](/public/imported_attachments/1/legitimate expiration.JPG_thumb)