Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Captive Portal + FreeRadius + Maximum Bandwidith Param Issue

    Scheduled Pinned Locked Moved Captive Portal
    9 Posts 5 Posters 1.6k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • R
      Race122
      last edited by

      Hello, I recently updated pfSense from 2.3.5->2.4.0->2.4.1 and now i have an issue with all users that use the "Maximum Bandwidth Down" and "Maximum Bandwidth Up" parameters in FreeRadius.
      I run 2 types of captive portals on the network. I have one normal, MAC Filtered portal for a limited section of devices that does NOT use FreeRadius and works fine.

      I have a second captive portal that uses FreeRadius users as voucher like authentication.
      Now if i create uses that have NO max bandwidth set then the voucher will work just fine, however, i then create users WITH a max bandwidth up or down the user cannot receive internet. As most my vouchers have a limited bandwidth most have ceased to work.

      The logs show the logins are successful and all redirects, re-auth every minute etc work fine, but they cannot get internet in any capacity not DNS resolves, pings etc. I will note that local traffic works ok.

      I have 7 installations of pfSense that use the FreeRadius voucher system, and the 2 systems that are updated to 2.4.1 have the same issue and the others remain ok.

      Does anyone have a similar problem? or know where i can look to solve this?

      The below log shows the auth on my test voucher working ok, but as you can see there is no traffic passing.

      Oct 31 10:45:27 radiusd 12655 (35) Login OK: [789/002424] (from client firewall port 2008 cli dc:a9:04:2a:bb:df)
      Oct 31 10:47:42 root FreeRADIUS: User 23456 has used 0 MB of 2000 MB forever allotted traffic. The login request was accepted.
      Oct 31 10:47:42 radiusd 12655 (37) Login OK: [23456/002424] (from client firewall port 2008 cli dc:a9:04:2a:bb:df)
      Oct 31 10:48:29 root FreeRADIUS: User 23456 has used 0 MB of 2000 MB forever allotted traffic. The login request was accepted.
      Oct 31 10:48:29 radiusd 12655 (41) Login OK: [23456/002424] (from client firewall port 2008 cli dc:a9:04:2a:bb:df)

      Logins and logouts seem to be normal as well.

      Oct 31 10:49:43 logportalauth 90799 Zone: vouchertestnetwork - DISCONNECT: 23456, dc:a9:04:2a:bb:df, 192.168.18.22
      Oct 31 10:50:43 logportalauth 90799 Zone: vouchertestnetwork - USER LOGIN: 789, dc:a9:04:2a:bb:df, 192.168.18.22
      Oct 31 10:53:45 logportalauth 65640 Zone: vouchertestnetwork - DISCONNECT: 789, dc:a9:04:2a:bb:df, 192.168.18.22
      Oct 31 10:53:54 logportalauth 76791 Zone: vouchertestnetwork - USER LOGIN: 23456, dc:a9:04:2a:bb:df, 192.168.18.22
      Oct 31 11:00:50 logportalauth 72347 Zone: vouchertestnetwork - TIMEOUT: 23456, dc:a9:04:2a:bb:df, 192.168.18.22

      1 Reply Last reply Reply Quote 0
      • A
        asbonet
        last edited by

        I am having the same issue.

        1 Reply Last reply Reply Quote 0
        • R
          Rakshith
          last edited by

          we are facing same issues when in freeRadius users Bandwidth allocated means user able to login but not getting internet,if we removed the bandwidth in freeradius user can able to access internet

          1 Reply Last reply Reply Quote 0
          • A
            asbonet
            last edited by

            But normal captive portal data rate limiters are still working just the radius ones that are not.

            1 Reply Last reply Reply Quote 0
            • A
              alfrenetico
              last edited by

              I am having the same issue.

              1 Reply Last reply Reply Quote 0
              • jimpJ
                jimp Rebel Alliance Developer Netgate
                last edited by

                What exact values are you passing back for user bandwidth?

                What values do you see for the user in "ipfw pipe show"? Does it match what you sent through RADIUS?

                Some people had issues with fractional bandwidth values which do not function properly, the values must be integers.

                Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                Need help fast? Netgate Global Support!

                Do not Chat/PM for help!

                1 Reply Last reply Reply Quote 0
                • R
                  Race122
                  last edited by

                  I have several voucher speeds provided, but mostly they are:
                  Maximum Bandwidth Down: 150 OR 250
                  Maximum Bandwidth UP: 75 OR 150

                  All speeds are always set as integers

                  But regardless of the value placed there the issue is the same, all config options i set are:
                  Username
                  Password <– Always numbers
                  Amount of Download and Upload Traffic <-- 10 OR 20 OR 60 OR 200 etc etc
                  Time Period <-- Always Forever
                  and Bandwidth as above

                  Example Voucher:
                  Username: alex
                  Password: 1234
                  Amount of Download and Upload Traffic: 50
                  Time Period: Forever
                  max Bandwidth down: 512
                  Max Bandwidth up: 256

                  Users.conf shows this:

                  "alex" Cleartext-Password := "1234"

                  WISPr-Bandwidth-Max-Up := 262144,
                  WISPr-Bandwidth-Max-Down := 524288,
                  Exec-Program-Wait = "/bin/sh /usr/local/etc/raddb/scripts/datacounter_auth.sh alex forever"

                  I did the command you sent and i will post the output below:

                  00001: 250.000 Kbit/s    0 ms burst 0
                  q131073  50 sl. 0 flows (1 buckets) sched 65537 weight 0 lmax 0 pri 0 droptail
                  sched 65537 type FIFO flags 0x0 0 buckets 0 active
                  00002: 150.000 Kbit/s    0 ms burst 0
                  q131074  50 sl. 0 flows (1 buckets) sched 65538 weight 0 lmax 0 pri 0 droptail
                  sched 65538 type FIFO flags 0x0 0 buckets 0 active
                  02002: unlimited        0 ms burst 0
                  q133074 100 sl. 0 flows (1 buckets) sched 67538 weight 0 lmax 0 pri 0 droptail
                  sched 67538 type FIFO flags 0x0 16 buckets 0 active
                  02003: unlimited        0 ms burst 0
                  q133075 100 sl. 0 flows (1 buckets) sched 67539 weight 0 lmax 0 pri 0 droptail
                  sched 67539 type FIFO flags 0x0 16 buckets 0 active
                  02000: unlimited        0 ms burst 0
                  q133072 100 sl. 0 flows (1 buckets) sched 67536 weight 0 lmax 0 pri 0 droptail
                  sched 67536 type FIFO flags 0x0 16 buckets 0 active
                  02001: unlimited        0 ms burst 0
                  q133073 100 sl. 0 flows (1 buckets) sched 67537 weight 0 lmax 0 pri 0 droptail
                  sched 67537 type FIFO flags 0x0 16 buckets 0 active
                  02006: unlimited        0 ms burst 0
                  q133078 100 sl. 0 flows (1 buckets) sched 67542 weight 0 lmax 0 pri 0 droptail
                  sched 67542 type FIFO flags 0x0 16 buckets 0 active
                  02007: unlimited        0 ms burst 0
                  q133079 100 sl. 0 flows (1 buckets) sched 67543 weight 0 lmax 0 pri 0 droptail
                  sched 67543 type FIFO flags 0x0 16 buckets 0 active
                  02004: unlimited        0 ms burst 0
                  q133076 100 sl. 0 flows (1 buckets) sched 67540 weight 0 lmax 0 pri 0 droptail
                  sched 67540 type FIFO flags 0x0 16 buckets 0 active
                  02005: unlimited        0 ms burst 0
                  q133077 100 sl. 0 flows (1 buckets) sched 67541 weight 0 lmax 0 pri 0 droptail
                  sched 67541 type FIFO flags 0x0 16 buckets 0 active
                  [2.4.1-RELEASE][admin@Firewall.company]/root: ipfw pipe show
                  00001: 250.000 Kbit/s    0 ms burst 0
                  q131073  50 sl. 0 flows (1 buckets) sched 65537 weight 0 lmax 0 pri 0 droptail
                  sched 65537 type FIFO flags 0x0 0 buckets 0 active
                  00002: 150.000 Kbit/s    0 ms burst 0
                  q131074  50 sl. 0 flows (1 buckets) sched 65538 weight 0 lmax 0 pri 0 droptail
                  sched 65538 type FIFO flags 0x0 0 buckets 0 active
                  02002: unlimited        0 ms burst 0
                  q133074 100 sl. 0 flows (1 buckets) sched 67538 weight 0 lmax 0 pri 0 droptail
                  sched 67538 type FIFO flags 0x0 16 buckets 0 active
                  02003: unlimited        0 ms burst 0
                  q133075 100 sl. 0 flows (1 buckets) sched 67539 weight 0 lmax 0 pri 0 droptail
                  sched 67539 type FIFO flags 0x0 16 buckets 0 active
                  02000: unlimited        0 ms burst 0
                  q133072 100 sl. 0 flows (1 buckets) sched 67536 weight 0 lmax 0 pri 0 droptail
                  sched 67536 type FIFO flags 0x0 16 buckets 0 active
                  02001: unlimited        0 ms burst 0
                  q133073 100 sl. 0 flows (1 buckets) sched 67537 weight 0 lmax 0 pri 0 droptail
                  sched 67537 type FIFO flags 0x0 16 buckets 0 active
                  02006: unlimited        0 ms burst 0
                  q133078 100 sl. 0 flows (1 buckets) sched 67542 weight 0 lmax 0 pri 0 droptail
                  sched 67542 type FIFO flags 0x0 16 buckets 0 active
                  02007: unlimited        0 ms burst 0
                  q133079 100 sl. 0 flows (1 buckets) sched 67543 weight 0 lmax 0 pri 0 droptail
                  sched 67543 type FIFO flags 0x0 16 buckets 0 active
                  02004: unlimited        0 ms burst 0
                  q133076 100 sl. 0 flows (1 buckets) sched 67540 weight 0 lmax 0 pri 0 droptail
                  sched 67540 type FIFO flags 0x0 16 buckets 0 active
                  02005: unlimited        0 ms burst 0
                  q133077 100 sl. 0 flows (1 buckets) sched 67541 weight 0 lmax 0 pri 0 droptail
                  sched 67541 type FIFO flags 0x0 16 buckets 0 active
                  [2.4.1-RELEASE][admin@Firewall.company]/root:
                  [2.4.1-RELEASE][admin@Firewall.company]/root: ipfw pipe show
                  00001: 250.000 Kbit/s    0 ms burst 0
                  q131073  50 sl. 0 flows (1 buckets) sched 65537 weight 0 lmax 0 pri 0 droptail
                  sched 65537 type FIFO flags 0x0 0 buckets 0 active
                  00002: 150.000 Kbit/s    0 ms burst 0
                  q131074  50 sl. 0 flows (1 buckets) sched 65538 weight 0 lmax 0 pri 0 droptail
                  sched 65538 type FIFO flags 0x0 0 buckets 0 active
                  02008: 262.000 bit/s    0 ms burst 0
                  q133080 100 sl. 0 flows (1 buckets) sched 67544 weight 0 lmax 0 pri 0 droptail
                  sched 67544 type FIFO flags 0x0 16 buckets 1 active
                  BKT Prot Source IP/port_ Dest. IP/port Tot_pkt/bytes Pkt/Byte Drp
                    0 ip          0.0.0.0/0            0.0.0.0/0      699    54291 100 7688 564
                  02009: 524.000 bit/s    0 ms burst 0
                  q133081 100 sl. 0 flows (1 buckets) sched 67545 weight 0 lmax 0 pri 0 droptail
                  sched 67545 type FIFO flags 0x0 16 buckets 1 active
                    0 ip          0.0.0.0/0            0.0.0.0/0      26    1924  3  222  0
                  02002: unlimited        0 ms burst 0
                  q133074 100 sl. 0 flows (1 buckets) sched 67538 weight 0 lmax 0 pri 0 droptail
                  sched 67538 type FIFO flags 0x0 16 buckets 0 active
                  02003: unlimited        0 ms burst 0
                  q133075 100 sl. 0 flows (1 buckets) sched 67539 weight 0 lmax 0 pri 0 droptail
                  sched 67539 type FIFO flags 0x0 16 buckets 0 active
                  02000: unlimited        0 ms burst 0
                  q133072 100 sl. 0 flows (1 buckets) sched 67536 weight 0 lmax 0 pri 0 droptail
                  sched 67536 type FIFO flags 0x0 16 buckets 0 active
                  02001: unlimited        0 ms burst 0
                  q133073 100 sl. 0 flows (1 buckets) sched 67537 weight 0 lmax 0 pri 0 droptail
                  sched 67537 type FIFO flags 0x0 16 buckets 0 active
                  02006: unlimited        0 ms burst 0
                  q133078 100 sl. 0 flows (1 buckets) sched 67542 weight 0 lmax 0 pri 0 droptail
                  sched 67542 type FIFO flags 0x0 16 buckets 0 active
                  02007: unlimited        0 ms burst 0
                  q133079 100 sl. 0 flows (1 buckets) sched 67543 weight 0 lmax 0 pri 0 droptail
                  sched 67543 type FIFO flags 0x0 16 buckets 0 active
                  02004: unlimited        0 ms burst 0
                  q133076 100 sl. 0 flows (1 buckets) sched 67540 weight 0 lmax 0 pri 0 droptail
                  sched 67540 type FIFO flags 0x0 16 buckets 1 active
                    0 ip          0.0.0.0/0            0.0.0.0/0      250  378091  0    0  0
                  02005: unlimited        0 ms burst 0
                  q133077 100 sl. 0 flows (1 buckets) sched 67541 weight 0 lmax 0 pri 0 droptail
                  sched 67541 type FIFO flags 0x0 16 buckets 1 active
                    0 ip          0.0.0.0/0            0.0.0.0/0      207    14754  0    0  0

                  1 Reply Last reply Reply Quote 0
                  • jimpJ
                    jimp Rebel Alliance Developer Netgate
                    last edited by

                    02008: 262.000 bit/s     0 ms burst 0
                    q133080 100 sl. 0 flows (1 buckets) sched 67544 weight 0 lmax 0 pri 0 droptail
                     sched 67544 type FIFO flags 0x0 16 buckets 1 active
                    BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
                      0 ip           0.0.0.0/0             0.0.0.0/0      699    54291 100 7688 564
                    02009: 524.000 bit/s     0 ms burst 0
                    q133081 100 sl. 0 flows (1 buckets) sched 67545 weight 0 lmax 0 pri 0 droptail
                     sched 67545 type FIFO flags 0x0 16 buckets 1 active
                      0 ip           0.0.0.0/0             0.0.0.0/0       26     1924  3  222   0
                    

                    The bandwidth values in RADIUS need to be an integer when divided by 1000, or else ipfw won't parse them properly. Yours end up as 262.144 and 524.288, which ipfw doesn't parse properly and it drops the scale, so you can see here it made a 262 bit/s and 524 bit/s. Looks like maybe that's because captive portal divides by 1000 and FreeRADIUS multiplies by 1024.

                    I made a ticket for the Captive Portal part here: https://redmine.pfsense.org/issues/8097

                    I'll see about changing FreeRADIUS to use 1000 as well so it matches Captive Portal.

                    Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                    Need help fast? Netgate Global Support!

                    Do not Chat/PM for help!

                    1 Reply Last reply Reply Quote 0
                    • jimpJ
                      jimp Rebel Alliance Developer Netgate
                      last edited by

                      If you update the pfSense FreeRADIUS 3.x package now (To 0.15.3) it will calculate the bandwidth values the same as Captive Portal so it will not trigger the issue

                      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                      Need help fast? Netgate Global Support!

                      Do not Chat/PM for help!

                      1 Reply Last reply Reply Quote 0
                      • First post
                        Last post
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.