Captive Portal accepts clients without Voucher



  • I have a pfSense setup with 2 pfSense 2.3.2p2 in a master slave configuration.
    I have 2 Internet connections that are chosen policy based (with fallback).
    On a separate Interface (opt5) I initiated a Captive Portal with Vouchers.
    Everything worked fine but after a spontaneous reboot of the pfSense all traffic is passed from OPT5 to the Internet with a Voucher being asked for.
    CP shows no active users.
    All traffic is passed until the Captive Portal is disabled and re-enabled again.
    Once re-enabled the portal works fine again - until the next pfCrash when everything is passed again.
    Any ideas what happened or how to further analyse?
    The config seems to be correct as everything works after disabling and enabling

    Peer



  • @Greyhat:

    I have a pfSense setup with 2 pfSense 2.3.2p2 in a master slave configuration.

    … and what about the bug in an old version, corrected in the latest stable version  ;)

    @Greyhat:

    On a separate Interface (opt5) I initiated a Captive Portal with Vouchers.
    Everything worked fine but after a spontaneous reboot of the pfSense all traffic is passed from OPT5 to the Internet with a Voucher being asked for.

    "with" (as you said)  or "without" ?

    @Greyhat:

    All traffic is passed until the Captive Portal is disabled and re-enabled again.
    Once re-enabled the portal works fine again - until the next pfCrash when everything is passed again.
    Any ideas what happened or how to further analyse?

    No.
    pfSense doesn't crash - mine stays on for months or years if needed.
    As soon as it restarted, go console or SSH access and run dmesg - dump it to pastebin.com (NOT in the forum) - and paste link here.
    Like to see if FreeBSD complains about your hardware - some driver not ok (Realtek problem or whatever). We'll see.

    Detecting why it crashes (reports, logs, details) is also very important. Never say it crashes, show what it says when it crashed. We can't see anything from here.

    @Greyhat:

    The config seems to be correct as everything works after disabling and enabling

    Often the setup is not good, or hardware not good.
    As said, pfSense works - I do not think a double WAN is a problem (I don't have one).



  • Unfortunately this is a nanoBSD platform that does not support the current 2.4.2 software.
    It has been stable for years but nowadays keeps crashing once or twice a week.
    I tried to avoid hardware problems by exchanging primary and secondary (identical) firewall. Same crashes.
    I collected crash dumps (or at least logs) using the serial line output
    A crashdump is under
    https://pastebin.com/SBcsDe2g
    https://pastebin.com/WKuPMk2Q

    More dumps on request



  • @Greyhat:

    Unfortunately this is a nanoBSD platform that does not support the current 2.4.2 software.

    2.3.5 includes a boatload of fixes. That's why one upgrades ;)

    @Greyhat:

    It has been stable for years but nowadays keeps crashing once or twice a week.
    I tried to avoid hardware problems by exchanging primary and secondary (identical) firewall. Same crashes.
    I collected crash dumps (or at least logs) using the serial line output
    A crashdump is under
    https://pastebin.com/SBcsDe2g
    https://pastebin.com/WKuPMk2Q

    More dumps on request

    I'm not an expert in reading crash dumps, but I found something: 252 occurrences of the process "filterdns".
    This is what I have :

    [2.4.2-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: ps ax | grep 'filterdns'
    19927  -  Is       0:04.57 /usr/local/sbin/filterdns -p /var/run/filterdns-cpzone1-cpah.pid -i 300 -c /var/etc/filterdns-cpzone1-captiveportal.conf -d 1
    20510  -  Ss       0:24.97 /usr/local/sbin/filterlog -i pflog0 -p /var/run/filterlog.pid
    92118  -  Is       0:02.35 /usr/local/sbin/filterdns -p /var/run/filterdns.pid -i 300 -c /var/etc/filterdns.conf -d 1
    34116  1  S+       0:00.00 grep filter
    

    thus : 3.

    Run :

    ps ax | grep 'filterdns'
    

    to see what you have.



  • You are right, the filterdns is really strange. It is usually present only 2 or 3 times in my setting. In crashes (also in VMs with "real" installations) it is very frequent. So this might be the reason for one problem. A possible reason is quite a number of aliases using FQDNs.
    I tried to update but it seems that the last version is 2.3.4p1. 2.3.5 is not in the release path? I am afk for the weekend. Thanks for the help so far.



  • As there was a problem with filterdns I logged DNS traffic to my workstation using ssh and tcpdump. Just before the next crash I saw a load of unanswered DNS requests from the pfSense. These originated from an alias list having over 50 DNS-based entries.
    After removing the alias list I did not experience other crashes.
    So the problem of reboots might be solved.



  • Actually I had another spontaneous reboot and again a large number of filterdns instances. I tuned the logging so I have the filterdns logs and found unusual messages directly before the reboot and only before the reboot. All are related to the same alias and state problems inserting an IP.

    
    Dec 27 08:33:48 pfslave filterdns: 	adding entry 10.49.212.50 to table Proxies on host 10.49.212.50
    Dec 27 08:33:48 pfslave filterdns: IP address 10.49.28.2 already present on table Proxies as address of hostname 10.49.28.2
    Dec 27 08:33:48 pfslave filterdns: 	adding entry 10.49.28.3 to table Proxies on host 10.49.28.3
    Dec 27 08:33:48 pfslave filterdns: 	adding entry 10.49.12.13 to table Proxies on host usera1.wibu.local
    Dec 27 08:33:48 pfslave filterdns: IP address 10.49.28.3 already present on table Proxies as address of hostname 10.49.28.3
    Dec 27 08:33:48 pfslave filterdns: IP address 10.49.28.4 already present on table Proxies as address of hostname 10.49.28.4
    Dec 27 08:33:48 pfslave filterdns: IP address 10.49.212.50 already present on table Proxies as address of hostname 10.49.212.50
    Dec 27 08:33:48 pfslave filterdns: 	adding entry 10.49.132.195 to table Proxies on host lap-usera3.wibu.local
    Dec 27 08:33:48 pfslave filterdns: IP address 10.49.28.2 already present on table Proxies as address of hostname 10.49.28.2
    Dec 27 08:33:48 pfslave filterdns: IP address 10.49.28.3 already present on table Proxies as address of hostname 10.49.28.3
    Dec 27 08:33:48 pfslave filterdns: IP address 10.49.28.2 already present on table Proxies as address of hostname 10.49.28.2
    Dec 27 08:33:48 pfslave filterdns: IP address 10.49.28.3 already present on table Proxies as address of hostname 10.49.28.3
    Dec 27 08:33:48 pfslave filterdns: IP address 192.168.0.4 already present on table Proxies as address of hostname 192.168.0.4
    Dec 27 08:33:48 pfslave filterdns: 	adding entry 192.168.0.36 to table Proxies on host userc-mac-pro.wibu.local
    Dec 27 08:33:48 pfslave filterdns: IP address 10.49.28.4 already present on table Proxies as address of hostname 10.49.28.4
    Dec 27 08:33:48 pfslave filterdns: IP address 10.49.28.2 already present on table Proxies as address of hostname 10.49.28.2
    Dec 27 08:33:48 pfslave filterdns: IP address 10.49.28.3 already present on table Proxies as address of hostname 10.49.28.3
    Dec 27 08:33:48 pfslave filterdns: IP address 10.49.28.4 already present on table Proxies as address of hostname 10.49.28.4
    Dec 27 08:33:48 pfslave filterdns: IP address 10.49.212.50 already present on table Proxies as address of hostname 10.49.212.50
    Dec 27 08:33:48 pfslave filterdns: IP address 192.168.0.4 already present on table Proxies as address of hostname 192.168.0.4
    Dec 27 08:33:48 pfslave filterdns: 	adding entry 192.168.0.121 to table Proxies on host 192.168.0.121
    Dec 27 08:33:48 pfslave filterdns: IP address 10.49.212.50 already present on table Proxies as address of hostname 10.49.212.50
    Dec 27 08:33:48 pfslave filterdns: IP address 192.168.0.4 already present on table Proxies as address of hostname 192.168.0.4
    Dec 27 08:33:48 pfslave filterdns: IP address 192.168.0.121 already present on table Proxies as address of hostname 192.168.0.121
    Dec 27 08:33:48 pfslave filterdns: 	adding entry 192.168.103.10 to table Proxies on host 192.168.103.10
    Dec 27 08:33:48 pfslave filterdns: IP address 10.49.28.4 already present on table Proxies as address of hostname 10.49.28.4
    Dec 27 08:33:48 pfslave filterdns: IP address 10.49.212.50 already present on table Proxies as address of hostname 10.49.212.50
    Dec 27 08:33:48 pfslave filterdns: IP address 192.168.0.4 already present on table Proxies as address of hostname 192.168.0.4
    Dec 27 08:33:48 pfslave filterdns: IP address 192.168.0.121 already present on table Proxies as address of hostname 192.168.0.121
    Dec 27 08:33:48 pfslave filterdns: IP address 192.168.103.10 already present on table Proxies as address of hostname 192.168.103.10
    Dec 27 08:33:48 pfslave filterdns: 	adding entry 10.49.132.160 to table Proxies on host usera-home.wibu.local
    Dec 27 08:33:48 pfslave filterdns: 	adding entry 192.168.0.137 to table Proxies on host lap-userb-mbp.wibu.local
    
    

    The alias list is configured as a list containing other lists. Definition as follows:

    
    <alias>
        <name>Proxies</name>
        <type>host</type>
        <address>proxy_ha proxy1604 pfIntern lap-userb-mbp.wibu.local proxy1604a UserA userc-mac-pro.wibu.local 192.168.103.10</address>
        <detail></detail>
    </alias>
    <alias>
        <name>proxy1604</name>
        <type>host</type>
        <address>192.168.0.121</address>
        <descr><detail></detail></descr>
    </alias>
    <alias>
        <name>proxy1604a</name>
        <type>host</type>
        <address>10.49.212.50</address>
        <descr><detail></detail></descr>
    </alias>
    <alias>
        <name>proxy_ha</name>
        <type>host</type>
        <address>192.168.0.4</address>
        <descr><detail></detail></descr>
    </alias>
    <alias>
        <name>pfIntern</name>
        <type>host</type>
        <address>10.49.28.2 10.49.28.3 10.49.28.4</address>
        <descr><detail></detail></descr>
    </alias>
    <alias>
        <name>UserA</name>
        <type>host</type>
        <address>usera1.wibu.local lap-usera3.wibu.local usera-home.wibu.local</address>
        <descr><detail></detail></descr>
    </alias>
    
    

    I have no clue if this is a reason or consequence of the problem and am considering switching from DNS forwarder to DNS resolver.
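
An added illustration, not part of the original thread and not pfSense code: this Python sketch expands the nested `Proxies` alias from the post above and tallies the filterdns `adding entry` / `already present` messages per IP, so a log burst collected before a reboot can be compared against what the alias actually defines. The function names are hypothetical, the XML is reduced to the `<name>` and `<address>` elements, and the log is a five-line excerpt of the lines posted above.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Alias definitions from the post, reduced to <name>/<address> (other elements dropped).
ALIASES_XML = """<aliases>
<alias><name>Proxies</name><address>proxy_ha proxy1604 pfIntern lap-userb-mbp.wibu.local proxy1604a UserA userc-mac-pro.wibu.local 192.168.103.10</address></alias>
<alias><name>proxy1604</name><address>192.168.0.121</address></alias>
<alias><name>proxy1604a</name><address>10.49.212.50</address></alias>
<alias><name>proxy_ha</name><address>192.168.0.4</address></alias>
<alias><name>pfIntern</name><address>10.49.28.2 10.49.28.3 10.49.28.4</address></alias>
<alias><name>UserA</name><address>usera1.wibu.local lap-usera3.wibu.local usera-home.wibu.local</address></alias>
</aliases>"""

# Five lines excerpted from the log in the post (leading tab replaced by a space).
LOG = """\
Dec 27 08:33:48 pfslave filterdns: adding entry 10.49.212.50 to table Proxies on host 10.49.212.50
Dec 27 08:33:48 pfslave filterdns: IP address 10.49.28.2 already present on table Proxies as address of hostname 10.49.28.2
Dec 27 08:33:48 pfslave filterdns: adding entry 10.49.12.13 to table Proxies on host usera1.wibu.local
Dec 27 08:33:48 pfslave filterdns: IP address 10.49.212.50 already present on table Proxies as address of hostname 10.49.212.50
Dec 27 08:33:48 pfslave filterdns: IP address 10.49.28.2 already present on table Proxies as address of hostname 10.49.28.2
"""

ADD = re.compile(r"filterdns:\s+adding entry (\S+) to table (\S+) on host")
DUP = re.compile(r"filterdns:\s+IP address (\S+) already present on table (\S+)")

def load_aliases(xml_text):
    """Map each alias name to the list of entries in its <address> element."""
    root = ET.fromstring(xml_text)
    return {a.findtext("name"): a.findtext("address").split() for a in root.iter("alias")}

def flatten(name, aliases, seen=None):
    """Expand a nested alias to its leaf entries; `seen` stops reference loops."""
    seen = set() if seen is None else seen
    if name in seen:
        return []
    seen.add(name)
    leaves = []
    for entry in aliases[name]:
        leaves += flatten(entry, aliases, seen) if entry in aliases else [entry]
    return leaves

def summarise(log_text, table):
    """Count 'adding entry' and 'already present' messages per IP for one table."""
    added, dups = Counter(), Counter()
    for line in log_text.splitlines():
        for pattern, counter in ((ADD, added), (DUP, dups)):
            m = pattern.search(line)
            if m and m.group(2) == table:
                counter[m.group(1)] += 1
    return added, dups
```

Fed a complete pre-reboot log, the `already present` counter can be read against the flattened leaf list, where each address appears once.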



  • There is another thread going on about filterdns.

