[Captive Portal] Blocking a Previously White-listed MAC Doesn't Work Right



  • I'm using the Captive Portal in pfSense 2.4.2-p1 for MAC access control. Blocking a MAC address ahead of time works normally; however, when I try blocking a MAC address that had previously been white-listed, the device is still able to pass through the firewall. The obvious things didn't fix it—restarting the Captive Portal, resetting the state table… To fix it I had to go to Status > Captive Portal and click 'Disconnect all Users' despite the fact that no users were logged into the portal. Seems a little counter-intuitive... A device I thought I blocked could have had access through the portal and I would have never known had I not tested it.



  • Hi,

    Tried what you did, and found the same thing.
    Adding a MAC went fine :

    [2.4.2-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: ipfw table all list
    --- table(cp_ifaces), set(0) ---
    sis0 2100 81332 26542518 1514277511
    .....
    --- table(cpzone1_pipe_mac), set(0) ---
    ....
     90:b9:31:77:5e:26 any 2089 735 146170 1514277508
     any 90:b9:31:77:5e:26 2088 1226 160686 1514277508
    ....
    

    and it was there : "90:b9:31:77:5e:26".

    But deleting it …. didn't work.
    The rule was still there -> oops.

    When I saw the error in the log:

    /services_captiveportal_mac.php: The command '/sbin/ipfw -q /tmp/cpzone1_mac5a420a8e8cffc_tmp' returned exit code '65', the output was 'Line 1: Table _pipe_mac does not exist' 
    
    

    I understood that "$cpzone" wasn't defined so this is what I did to make it work:
    Open /etc/inc/captiveportal.inc - locate this line (around 1194) :

    function captiveportal_passthrumac_delete_entry($macent) {
    

    and add this line just below it:

    	global $cpzone;
    

    The result is :

    function captiveportal_passthrumac_delete_entry($macent) {
    	global $cpzone;
    	$rules = "";
    

    Can you edit the same file and add that one line, and confirm the results?



  • I modified the file as directed. Blocking MAC addresses now works as expected; however, now the captive portal is prompting my test vm for the portal login even after white-listing it.

    ==EDIT 8:10 PM EST==
    This might have been due to Chrome's cache interfering. Will test more.

    ==EDIT 8:18 PM EST==
    It was my browser cache playing tricks on me. Your edit seems to have done it.  :)



  • Good !

    This is probably a small bug then - consider it squashed.

    edit : notified : https://redmine.pfsense.org/issues/8238
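
Because the failed delete in this thread was silent in the GUI, a quick way to confirm a removal is to check the `ipfw table all list` output for the MAC. The script below is an added example, not part of the original posts or of pfSense; it assumes the table is named `<zone>_pipe_mac` as in the listing above, and the function names and sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: check whether a MAC is still in a Captive Portal zone's
# pass-through table, using the listing format shown in the thread.
# Assumption: the table is named "<zone>_pipe_mac", as in the thread's output.

# mac_in_zone_table ZONE MAC  (reads an `ipfw table all list` listing on stdin)
# Returns 0 if MAC appears as source or destination in ZONE's table, else 1.
mac_in_zone_table() {
    zone_table="table(${1}_pipe_mac),"
    mac=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    awk -v want="$zone_table" -v mac="$mac" '
        # Header lines look like: --- table(NAME), set(0) ---
        $1 == "---" { in_table = ($2 == want); next }
        # Entry lines look like: MAC any ...  or  any MAC ...
        in_table && (tolower($1) == mac || tolower($2) == mac) { found = 1 }
        END { exit !found }
    '
}

# Constructed sample: state after a delete that silently failed.
sample_after_failed_delete() {
    cat <<'EOF'
--- table(cp_ifaces), set(0) ---
sis0 2100 81332 26542518 1514277511
--- table(cpzone1_pipe_mac), set(0) ---
 90:b9:31:77:5e:26 any 2089 735 146170 1514277508
 any 90:b9:31:77:5e:26 2088 1226 160686 1514277508
EOF
}

# Constructed sample: state after a delete that worked.
sample_after_good_delete() {
    cat <<'EOF'
--- table(cp_ifaces), set(0) ---
sis0 2100 81332 26542518 1514277511
--- table(cpzone1_pipe_mac), set(0) ---
EOF
}

# verify_removed ZONE MAC  (listing on stdin); 0 = gone, 1 = still passing through
verify_removed() {
    if mac_in_zone_table "$1" "$2"; then
        echo "STILL PRESENT: $2 in ${1}_pipe_mac" >&2
        return 1
    fi
    echo "removed: $2 not in ${1}_pipe_mac"
}
```

On the firewall, pipe the live listing in after deleting an entry: `ipfw table all list | verify_removed cpzone1 90:b9:31:77:5e:26`.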

