Captive Portal + FreeRadius + Maximum Bandwidth Param Issue



  • Hello, I recently updated pfSense from 2.3.5->2.4.0->2.4.1 and now I have an issue with all users that use the “Maximum Bandwidth Down” and “Maximum Bandwidth Up” parameters in FreeRadius.
    I run 2 types of captive portals on the network. I have one normal, MAC Filtered portal for a limited section of devices that does NOT use FreeRadius and works fine.

    I have a second captive portal that uses FreeRadius users as voucher-like authentication.
    Now if I create users that have NO max bandwidth set then the voucher will work just fine; however, if I then create users WITH a max bandwidth up or down, the user cannot receive internet. As most of my vouchers have a limited bandwidth, most have ceased to work.

    The logs show the logins are successful and all redirects, re-auth every minute etc. work fine, but they cannot get internet in any capacity, not DNS resolves, pings etc. I will note that local traffic works OK.

    I have 7 installations of pfSense that use the FreeRadius voucher system, and the 2 systems that are updated to 2.4.1 have the same issue and the others remain ok.

    Does anyone have a similar problem, or know where I can look to solve this?

    The below log shows the auth on my test voucher working ok, but as you can see there is no traffic passing.

    Oct 31 10:45:27 radiusd 12655 (35) Login OK: [789/002424] (from client firewall port 2008 cli dc:a9:04:2a:bb:df)
    Oct 31 10:47:42 root FreeRADIUS: User 23456 has used 0 MB of 2000 MB forever allotted traffic. The login request was accepted.
    Oct 31 10:47:42 radiusd 12655 (37) Login OK: [23456/002424] (from client firewall port 2008 cli dc:a9:04:2a:bb:df)
    Oct 31 10:48:29 root FreeRADIUS: User 23456 has used 0 MB of 2000 MB forever allotted traffic. The login request was accepted.
    Oct 31 10:48:29 radiusd 12655 (41) Login OK: [23456/002424] (from client firewall port 2008 cli dc:a9:04:2a:bb:df)

    Logins and logouts seem to be normal as well.

    Oct 31 10:49:43 logportalauth 90799 Zone: vouchertestnetwork - DISCONNECT: 23456, dc:a9:04:2a:bb:df, 192.168.18.22
    Oct 31 10:50:43 logportalauth 90799 Zone: vouchertestnetwork - USER LOGIN: 789, dc:a9:04:2a:bb:df, 192.168.18.22
    Oct 31 10:53:45 logportalauth 65640 Zone: vouchertestnetwork - DISCONNECT: 789, dc:a9:04:2a:bb:df, 192.168.18.22
    Oct 31 10:53:54 logportalauth 76791 Zone: vouchertestnetwork - USER LOGIN: 23456, dc:a9:04:2a:bb:df, 192.168.18.22
    Oct 31 11:00:50 logportalauth 72347 Zone: vouchertestnetwork - TIMEOUT: 23456, dc:a9:04:2a:bb:df, 192.168.18.22



  • I am having the same issue.



  • We are facing the same issue: when bandwidth is allocated to FreeRADIUS users, the user is able to log in but does not get internet; if we remove the bandwidth in FreeRADIUS, the user is able to access the internet.



  • But the normal captive portal data rate limiters are still working; it is just the RADIUS ones that are not.



  • I am having the same issue.


  • Rebel Alliance Developer Netgate

    What exact values are you passing back for user bandwidth?

    What values do you see for the user in “ipfw pipe show”? Does it match what you sent through RADIUS?

    Some people had issues with fractional bandwidth values which do not function properly, the values must be integers.



  • I have several voucher speeds provided, but mostly they are:
    Maximum Bandwidth Down: 150 OR 250
    Maximum Bandwidth UP: 75 OR 150

    All speeds are always set as integers

    But regardless of the value placed there the issue is the same. All config options I set are:
    Username
    Password <-- Always numbers
    Amount of Download and Upload Traffic <-- 10 OR 20 OR 60 OR 200 etc etc
    Time Period <-- Always Forever
    and Bandwidth as above

    Example Voucher:
    Username: alex
    Password: 1234
    Amount of Download and Upload Traffic: 50
    Time Period: Forever
    max Bandwidth down: 512
    Max Bandwidth up: 256

    Users.conf shows this:

    "alex" Cleartext-Password := "1234"

    WISPr-Bandwidth-Max-Up := 262144,
    WISPr-Bandwidth-Max-Down := 524288,
    Exec-Program-Wait = "/bin/sh /usr/local/etc/raddb/scripts/datacounter_auth.sh alex forever"

    I ran the command you sent and I will post the output below:

    00001: 250.000 Kbit/s    0 ms burst 0
    q131073  50 sl. 0 flows (1 buckets) sched 65537 weight 0 lmax 0 pri 0 droptail
    sched 65537 type FIFO flags 0x0 0 buckets 0 active
    00002: 150.000 Kbit/s    0 ms burst 0
    q131074  50 sl. 0 flows (1 buckets) sched 65538 weight 0 lmax 0 pri 0 droptail
    sched 65538 type FIFO flags 0x0 0 buckets 0 active
    02002: unlimited        0 ms burst 0
    q133074 100 sl. 0 flows (1 buckets) sched 67538 weight 0 lmax 0 pri 0 droptail
    sched 67538 type FIFO flags 0x0 16 buckets 0 active
    02003: unlimited        0 ms burst 0
    q133075 100 sl. 0 flows (1 buckets) sched 67539 weight 0 lmax 0 pri 0 droptail
    sched 67539 type FIFO flags 0x0 16 buckets 0 active
    02000: unlimited        0 ms burst 0
    q133072 100 sl. 0 flows (1 buckets) sched 67536 weight 0 lmax 0 pri 0 droptail
    sched 67536 type FIFO flags 0x0 16 buckets 0 active
    02001: unlimited        0 ms burst 0
    q133073 100 sl. 0 flows (1 buckets) sched 67537 weight 0 lmax 0 pri 0 droptail
    sched 67537 type FIFO flags 0x0 16 buckets 0 active
    02006: unlimited        0 ms burst 0
    q133078 100 sl. 0 flows (1 buckets) sched 67542 weight 0 lmax 0 pri 0 droptail
    sched 67542 type FIFO flags 0x0 16 buckets 0 active
    02007: unlimited        0 ms burst 0
    q133079 100 sl. 0 flows (1 buckets) sched 67543 weight 0 lmax 0 pri 0 droptail
    sched 67543 type FIFO flags 0x0 16 buckets 0 active
    02004: unlimited        0 ms burst 0
    q133076 100 sl. 0 flows (1 buckets) sched 67540 weight 0 lmax 0 pri 0 droptail
    sched 67540 type FIFO flags 0x0 16 buckets 0 active
    02005: unlimited        0 ms burst 0
    q133077 100 sl. 0 flows (1 buckets) sched 67541 weight 0 lmax 0 pri 0 droptail
    sched 67541 type FIFO flags 0x0 16 buckets 0 active
    [2.4.1-RELEASE][admin@Firewall.company]/root: ipfw pipe show
    00001: 250.000 Kbit/s    0 ms burst 0
    q131073  50 sl. 0 flows (1 buckets) sched 65537 weight 0 lmax 0 pri 0 droptail
    sched 65537 type FIFO flags 0x0 0 buckets 0 active
    00002: 150.000 Kbit/s    0 ms burst 0
    q131074  50 sl. 0 flows (1 buckets) sched 65538 weight 0 lmax 0 pri 0 droptail
    sched 65538 type FIFO flags 0x0 0 buckets 0 active
    02002: unlimited        0 ms burst 0
    q133074 100 sl. 0 flows (1 buckets) sched 67538 weight 0 lmax 0 pri 0 droptail
    sched 67538 type FIFO flags 0x0 16 buckets 0 active
    02003: unlimited        0 ms burst 0
    q133075 100 sl. 0 flows (1 buckets) sched 67539 weight 0 lmax 0 pri 0 droptail
    sched 67539 type FIFO flags 0x0 16 buckets 0 active
    02000: unlimited        0 ms burst 0
    q133072 100 sl. 0 flows (1 buckets) sched 67536 weight 0 lmax 0 pri 0 droptail
    sched 67536 type FIFO flags 0x0 16 buckets 0 active
    02001: unlimited        0 ms burst 0
    q133073 100 sl. 0 flows (1 buckets) sched 67537 weight 0 lmax 0 pri 0 droptail
    sched 67537 type FIFO flags 0x0 16 buckets 0 active
    02006: unlimited        0 ms burst 0
    q133078 100 sl. 0 flows (1 buckets) sched 67542 weight 0 lmax 0 pri 0 droptail
    sched 67542 type FIFO flags 0x0 16 buckets 0 active
    02007: unlimited        0 ms burst 0
    q133079 100 sl. 0 flows (1 buckets) sched 67543 weight 0 lmax 0 pri 0 droptail
    sched 67543 type FIFO flags 0x0 16 buckets 0 active
    02004: unlimited        0 ms burst 0
    q133076 100 sl. 0 flows (1 buckets) sched 67540 weight 0 lmax 0 pri 0 droptail
    sched 67540 type FIFO flags 0x0 16 buckets 0 active
    02005: unlimited        0 ms burst 0
    q133077 100 sl. 0 flows (1 buckets) sched 67541 weight 0 lmax 0 pri 0 droptail
    sched 67541 type FIFO flags 0x0 16 buckets 0 active
    [2.4.1-RELEASE][admin@Firewall.company]/root:
    [2.4.1-RELEASE][admin@Firewall.company]/root: ipfw pipe show
    00001: 250.000 Kbit/s    0 ms burst 0
    q131073  50 sl. 0 flows (1 buckets) sched 65537 weight 0 lmax 0 pri 0 droptail
    sched 65537 type FIFO flags 0x0 0 buckets 0 active
    00002: 150.000 Kbit/s    0 ms burst 0
    q131074  50 sl. 0 flows (1 buckets) sched 65538 weight 0 lmax 0 pri 0 droptail
    sched 65538 type FIFO flags 0x0 0 buckets 0 active
    02008: 262.000 bit/s    0 ms burst 0
    q133080 100 sl. 0 flows (1 buckets) sched 67544 weight 0 lmax 0 pri 0 droptail
    sched 67544 type FIFO flags 0x0 16 buckets 1 active
    BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
      0 ip          0.0.0.0/0            0.0.0.0/0      699    54291 100 7688 564
    02009: 524.000 bit/s    0 ms burst 0
    q133081 100 sl. 0 flows (1 buckets) sched 67545 weight 0 lmax 0 pri 0 droptail
    sched 67545 type FIFO flags 0x0 16 buckets 1 active
      0 ip          0.0.0.0/0            0.0.0.0/0      26    1924  3  222  0
    02002: unlimited        0 ms burst 0
    q133074 100 sl. 0 flows (1 buckets) sched 67538 weight 0 lmax 0 pri 0 droptail
    sched 67538 type FIFO flags 0x0 16 buckets 0 active
    02003: unlimited        0 ms burst 0
    q133075 100 sl. 0 flows (1 buckets) sched 67539 weight 0 lmax 0 pri 0 droptail
    sched 67539 type FIFO flags 0x0 16 buckets 0 active
    02000: unlimited        0 ms burst 0
    q133072 100 sl. 0 flows (1 buckets) sched 67536 weight 0 lmax 0 pri 0 droptail
    sched 67536 type FIFO flags 0x0 16 buckets 0 active
    02001: unlimited        0 ms burst 0
    q133073 100 sl. 0 flows (1 buckets) sched 67537 weight 0 lmax 0 pri 0 droptail
    sched 67537 type FIFO flags 0x0 16 buckets 0 active
    02006: unlimited        0 ms burst 0
    q133078 100 sl. 0 flows (1 buckets) sched 67542 weight 0 lmax 0 pri 0 droptail
    sched 67542 type FIFO flags 0x0 16 buckets 0 active
    02007: unlimited        0 ms burst 0
    q133079 100 sl. 0 flows (1 buckets) sched 67543 weight 0 lmax 0 pri 0 droptail
    sched 67543 type FIFO flags 0x0 16 buckets 0 active
    02004: unlimited        0 ms burst 0
    q133076 100 sl. 0 flows (1 buckets) sched 67540 weight 0 lmax 0 pri 0 droptail
    sched 67540 type FIFO flags 0x0 16 buckets 1 active
      0 ip          0.0.0.0/0            0.0.0.0/0      250  378091  0    0  0
    02005: unlimited        0 ms burst 0
    q133077 100 sl. 0 flows (1 buckets) sched 67541 weight 0 lmax 0 pri 0 droptail
    sched 67541 type FIFO flags 0x0 16 buckets 1 active
      0 ip          0.0.0.0/0            0.0.0.0/0      207    14754  0    0  0


  • Rebel Alliance Developer Netgate

    02008: 262.000 bit/s     0 ms burst 0
    q133080 100 sl. 0 flows (1 buckets) sched 67544 weight 0 lmax 0 pri 0 droptail
     sched 67544 type FIFO flags 0x0 16 buckets 1 active
    BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
      0 ip           0.0.0.0/0             0.0.0.0/0      699    54291 100 7688 564
    02009: 524.000 bit/s     0 ms burst 0
    q133081 100 sl. 0 flows (1 buckets) sched 67545 weight 0 lmax 0 pri 0 droptail
     sched 67545 type FIFO flags 0x0 16 buckets 1 active
      0 ip           0.0.0.0/0             0.0.0.0/0       26     1924  3  222   0
    

    The bandwidth values in RADIUS need to be an integer when divided by 1000, or else ipfw won’t parse them properly. Yours end up as 262.144 and 524.288, which ipfw doesn’t parse properly and it drops the scale, so you can see here it made a 262 bit/s and 524 bit/s. Looks like maybe that’s because captive portal divides by 1000 and FreeRADIUS multiplies by 1024.

    I made a ticket for the Captive Portal part here: https://redmine.pfsense.org/issues/8097

    I’ll see about changing FreeRADIUS to use 1000 as well so it matches Captive Portal.


  • Rebel Alliance Developer Netgate

    If you update the pfSense FreeRADIUS 3.x package now (to 0.15.3) it will calculate the bandwidth values the same as Captive Portal, so it will not trigger the issue.
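
Added example, not part of the thread and not pfSense or FreeRADIUS package code: a shell audit that lists every `WISPr-Bandwidth-Max-*` value in a FreeRADIUS users file and flags those that are not whole multiples of 1000, which is the condition the developer's reply identifies as the trigger. It assumes the entry layout shown in the post above; the function names and the `guest150` user are constructed for illustration.

```shell
#!/bin/sh
# Added example. Per the developer's reply in this thread, Captive Portal divides
# the RADIUS value by 1000, and a fractional result (262.144) is mis-parsed by
# ipfw, which drops the scale and leaves a pipe of a few hundred bit/s.

# audit_wispr [FILE...]  (reads stdin when no file is given)
# Prints: <user> <attribute> <bit/s> <value/1000> <OK|BAD>
# Exit status 1 if any value is BAD, 0 otherwise.
audit_wispr() {
    awk '
        # A user entry starts in column 1 with the quoted user name.
        /^"/ { user = $1; gsub(/"/, "", user) }
        /WISPr-Bandwidth-Max-(Up|Down)/ {
            attr = $1
            val = $3; sub(/,$/, "", val)      # strip the trailing comma
            if (val % 1000 == 0) { status = "OK" }
            else                 { status = "BAD"; bad = 1 }
            printf "%s %s %d %.3f %s\n", user, attr, val, val / 1000, status
        }
        END { exit (bad ? 1 : 0) }
    ' "$@"
}

# Constructed sample: "alex" uses the values from the post (256 * 1024 and
# 512 * 1024); "guest150" is a made-up user with values scaled by 1000.
sample_users() {
    cat <<'EOF'
"alex" Cleartext-Password := "1234"

	WISPr-Bandwidth-Max-Up := 262144,
	WISPr-Bandwidth-Max-Down := 524288,
	Exec-Program-Wait = "/bin/sh /usr/local/etc/raddb/scripts/datacounter_auth.sh alex forever"

"guest150" Cleartext-Password := "5678"

	WISPr-Bandwidth-Max-Up := 75000,
	WISPr-Bandwidth-Max-Down := 150000
EOF
}

sample_users | audit_wispr || echo "BAD values need rescaling to a multiple of 1000"
```

On a live system, pass the path of the users file as the argument instead of piping the sample in.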


 
