problem with some old android device



  • Hi there,
    I have pfSense installed on a network node and it works as a captive portal for my clients; there are about 450 active clients on this node. I have a problem: some old Android devices connect for the first time and get an internet connection for some time, but after that they don't get any access to the internet, while other new devices work fine. When I open a VPN connection on these old devices they get internet, but when I disconnect the VPN connection they don't get any access.
    NOTE: I USE PFSENSE AS THE HOTSPOT GATEWAY FOR AN OPENWRT AP
    NOTE: WHEN I PING GOOGLE DNS 8.8.8.8 THERE IS A REPLY, BUT WHEN I OPEN THE GOOGLE WEBSITE I GET "BAD DNS CONFIG" AND THE YOUTUBE APP DOESN'T WORK ANY MORE
    Any help?

    Thanks


  • Netgate Administrator

    I assume if you bypass the captive portal for those devices using their MAC address they work OK?

    Do you see those devices listed in Status > Captive Portal when they're failing?

    Do these devices request a different DHCP lease time? Is it less than any timeout values you have set in the captive portal?
    That will cause odd behaviour.

    Steve



  • Thank you Steve

    Yes, I use bypass by MAC for these devices.
    I see them in the captive portal vouchers, but I didn't see the IPs of these devices in the DHCP leases.
    I didn't set any timeout values in the captive portal.



  • @mustafa-0 said in problem with some old android device:

    i didnt set any timeout values in captive portal

    That's a typical 99,99 % chance of "bad" ....



  • @gertjan said in problem with some old android device:

    That's a typical 99,99 % chance of "bad" ....

    If I set a timeout in the captive portal, should I add the same values in DHCP?



  • The problem is that apps like Facebook, Instagram, WhatsApp, Telegram and Viber work fine on these devices, but Google apps like YouTube, Gmail and Google Search don't work any more, and no HTTPS web site works!!


  • Netgate Administrator

    Well, the first thing to try is to set a timeout value in the captive portal that is less than the DHCP lease length. And check if those particular devices are requesting a different lease length than others.
    When they fail are they being redirected to the login page or just timing out trying to reach http(s) sites?

    Steve



  • @mustafa-0 said in problem with some old android device:

    .... these devices work fine but Google apps don't work any more, like YouTube, Gmail, Google Search, and no HTTPS web site works!!

    As soon as a device/user is authenticated, its IP and MAC are loaded into a table in ipfw; these tables are instructed to "pass" if both are matching.
    There's no distinction of "destination address" or port.

    Do not just read and "accept" my words, go check now yourself (you are the pfSense admin, right? Right! This is thus a job for you):

    Never ever use the captive portal without reading this first : https://www.netgate.com/docs/pfsense/captiveportal/captive-portal-troubleshooting.html

    Example :

    ...
    --- table(cpzone1_auth_down), set(0) ---
    192.168.2.9/32 2093 5635 2509550 1538397950
    192.168.2.174/32 2095 116931 137182691 1538400859
    192.168.2.227/32 2091 10535 9600861 1538392193
    ...
    
    ...
    --- table(cpzone1_auth_up), set(0) ---
    192.168.2.9/32 90:b9:31:77:5e:26 2092 6661 4863261 1538397733
    192.168.2.174/32 00:1c:bf:8c:87:ec 2094 70701 7802528 1538400860
    192.168.2.227/32 fc:d8:48:75:e2:68 2090 10447 2638637 1538392097
    ...
    

    These are the "up" and "down" tables for my captive portal zone called "cpzone1".
    You can see the 3 devices, their IP and MAC (and some other maintenance stuff).

    There is no such thing as "do nag Youtube and Google apps... but do accept Facebook".
    No difference is made about ports, any source or destination port can be used.
    http ? = port 80 : just fine
    https ? = port 443 : just fine
    SSH ? = port 22 : Ok.
    smtps = port 465 => why not.
    imaps ... pops 993/995 => be my guest.
    Sincky FTP on port 21 ? If you insist.
    DNS : 53 ... Let's have it.

    The captive portal can't "see" what's in the packets (SSL? plain text? a ping?) so it doesn't care.

    Clear ?

    Btw : Ok, YOU can put rules on the interface of the captive portal in the GUI that can make a mess of things.
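The cross-check described above, as an added example that is not part of the original post or of pfSense's own code: a small Python parser for the `cpzone1_auth_up` / `cpzone1_auth_down` dumps quoted in this post (reused here as the embedded input) that joins the two directions per client IP and models the "pass only when the IP and MAC both match" condition Gertjan describes. The meaning of the numeric columns after the address (pipe number, packet count, byte count, timestamp) is an assumption of this example.

```python
"""Cross-check pfSense captive portal ipfw auth tables.

Added example written for this thread, not pfSense's own code. The two dumps
are the cpzone1_auth_up / cpzone1_auth_down excerpts quoted in the post above;
the meaning of the numeric columns after the address (and MAC) is an
assumption: pipe number, packet count, byte count, timestamp.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Optional

AUTH_DOWN_DUMP = """\
--- table(cpzone1_auth_down), set(0) ---
192.168.2.9/32 2093 5635 2509550 1538397950
192.168.2.174/32 2095 116931 137182691 1538400859
192.168.2.227/32 2091 10535 9600861 1538392193
"""

AUTH_UP_DUMP = """\
--- table(cpzone1_auth_up), set(0) ---
192.168.2.9/32 90:b9:31:77:5e:26 2092 6661 4863261 1538397733
192.168.2.174/32 00:1c:bf:8c:87:ec 2094 70701 7802528 1538400860
192.168.2.227/32 fc:d8:48:75:e2:68 2090 10447 2638637 1538392097
"""

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)


@dataclass
class Entry:
    ip: str
    mac: Optional[str]   # only the *_auth_up table carries the MAC
    pipe: int
    packets: int
    nbytes: int
    timestamp: int


def parse_table(dump: str) -> Dict[str, Entry]:
    """Map client IP -> Entry for one `ipfw table ... list` style dump."""
    entries: Dict[str, Entry] = {}
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("---") or line.startswith("..."):
            continue  # header / elision lines
        fields = line.split()
        ip = fields[0].split("/")[0]        # drop the /32 prefix length
        mac = None
        if MAC_RE.match(fields[1]):
            mac = fields[1].lower()
            fields = [fields[0]] + fields[2:]
        pipe, packets, nbytes, ts = (int(x) for x in fields[1:5])
        entries[ip] = Entry(ip, mac, pipe, packets, nbytes, ts)
    return entries


def session_report(up_dump: str, down_dump: str) -> Dict[str, dict]:
    """Join both directions per client; a session is complete only if both exist."""
    up, down = parse_table(up_dump), parse_table(down_dump)
    report: Dict[str, dict] = {}
    for ip in sorted(set(up) | set(down), key=ipaddress.ip_address):
        u, d = up.get(ip), down.get(ip)
        report[ip] = {
            "mac": u.mac if u else None,
            "complete": u is not None and d is not None,
            "up_bytes": u.nbytes if u else 0,
            "down_bytes": d.nbytes if d else 0,
        }
    return report


def is_passed(ip: str, mac: str, up_dump: str, down_dump: str) -> bool:
    """Model of the pass condition described in the post: the client's IP must
    be present in both tables and the MAC must match the one recorded in auth_up."""
    up, down = parse_table(up_dump), parse_table(down_dump)
    u = up.get(ip)
    return u is not None and ip in down and u.mac == mac.lower()


if __name__ == "__main__":
    for client_ip, info in session_report(AUTH_UP_DUMP, AUTH_DOWN_DUMP).items():
        print(client_ip, info)
```

On a live box the dumps would come from the `ipfw` table listing described in the troubleshooting document linked above; a client that shows up in only one of the two tables, or whose current MAC differs from the one in `auth_up`, is the first thing to look at before suspecting the portal itself.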



  • @stephenw10

    My dear Steve,
    I added an idle timeout of 60 min and a hard timeout of 60 min in the captive portal,
    and in the DHCP server I added a default lease time of 7200 and a maximum lease time of 86400.

    Same problem.



  • Also: MACs on Services => Captive Portal => YourCPZone => MACs are also listed.
    I have 4:

    --- table(cpzone1_pipe_mac), set(0) ---
    88:1f:a1:54:98:c9 any 2081 0 0 0
    any 88:1f:a1:54:98:c9 2080 0 0 0
    48:88:ca:41:0d:55 any 2075 0 0 0
    any 48:88:ca:41:0d:55 2074 0 0 0
    4c:8d:79:91:ec:52 any 2077 0 0 0
    any 4c:8d:79:91:ec:52 2076 0 0 0
    64:80:99:9a:01:a0 any 2079 0 0 0
    any 64:80:99:9a:01:a0 2078 0 0 0

    These guys can connect to the portal interface as if the captive portal wasn't there.

    Works fine for me for years now.


  • Netgate Administrator

    Ok, then start digging deeper. As Gertjan said the ipfw firewall that the captive portal uses does not differentiate between services so it's almost certainly something else blocking that traffic.

    Look at the firewall states to/from those devices.

    Look at the firewall logs for blocked traffic.

    Run packet captures to determine where that traffic is going.

    Steve



  • @gertjan

    Thank you for your reply. I'm new to pfSense; I worked with the MikroTik hotspot but I have changed my network to pfSense, so I get this problem. I did everything to make it work, it's the same problem. I added firewall rules for HTTPS, HTTP, DNS, and I added an any rule; it's the same.



  • @mustafa-0 said in problem with some old android device:

    @gertjan

    ... it's the same problem. I added firewall rules for HTTPS, HTTP, DNS, and I added an any rule; it's the same.

    What rules ? Show them please.

    Start with one global pass rule on the Captive Portal interface.
    Check that everything works.
    Then add one rule .... and test severely.
    Add another one, etc.


  • Netgate Administrator

    Yes, we need more information than 'I've tried everything and it's still the same'. There is no way we can help you with just that. 😉

    What did you actually try?
    How did you test that?
    What was the result?

    Steve



  • @stephenw10

    More information:

    I added rules with:
    main rule (first one)
    protocol : any
    Source : any
    Destination : any
    Destination Port Range : any

    Result: some devices get the same problem; they get ping replies from 8.8.8.8, but when I try to open google.com there's no connection, bad DNS config.

    Added a new rule:

    protocol : tcp/udp
    Source : any
    Destination : any
    Destination Port Range : https (433)

    Result: some devices get the same problem; they get ping replies from 8.8.8.8, but when I try to open google.com there's no connection, bad DNS config.

    Added a new rule:

    protocol : tcp/udp
    Source : any
    Destination : any
    Destination Port Range : dns (53)

    Result: some devices get the same problem; they get ping replies from 8.8.8.8, but when I try to open google.com there's no connection, bad DNS config.

    These are all the rules I added.

    Added an idle timeout and a hard timeout in the captive portal.
    Added a default lease time and a maximum lease time in the DHCP server.

    NOTE: the pfSense server gets its internet connection with DHCP from a MikroTik CCR 1036.


  • Netgate Administrator

    Ok so it looks like those clients cannot resolve URLs. To confirm that try to ping google.com rather than an IP address. Does it resolve?

    If it doesn't then find out why. What are they using for DNS? I would expect that to be handed to them via DHCP and your any/any/any rule should allow traffic to any DNS server.
    Check the state table traffic from those clients to port 53.

    Steve
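The "check the state table traffic from those clients to port 53" step, as an added example that is not part of the original post or of pfSense's own code: a Python script that reads state lines in the style of `pfctl -ss` output and flags portal clients whose DNS states never show a reply, while other traffic from the same client (ping, HTTPS) looks normal. The sample lines, the portal subnet 192.168.2.0/24, the interface names and all addresses are constructed for the example; only IPv4 endpoints are handled.

```python
"""Find captive-portal clients whose DNS queries get no reply, from pf states.

Added example for the "check the state table traffic to port 53" step in the
post above; it is not pfSense's own code. STATE_LINES is constructed sample
input in the style of `pfctl -ss` output (interface, protocol, endpoints,
arrow, state pair). The portal subnet and all addresses are assumptions.
Only IPv4 endpoints are handled.
"""
import ipaddress
import re
from typing import Dict, List, Optional

CLIENT_NET = ipaddress.ip_network("192.168.2.0/24")  # assumed portal subnet
DNS_PORT = 53

# Constructed sample: .9 resolves and reaches HTTPS; .174 pings fine but every
# DNS query shows NO_TRAFFIC on the responder side, i.e. no answer came back.
# A query crossing both the portal interface and WAN appears as two states.
STATE_LINES = """\
em1 udp 8.8.8.8:53 <- 192.168.2.9:51234       MULTIPLE:MULTIPLE
em1 tcp 172.217.16.14:443 <- 192.168.2.9:44120       ESTABLISHED:ESTABLISHED
em1 udp 8.8.8.8:53 <- 192.168.2.174:60010       SINGLE:NO_TRAFFIC
em0 udp 203.0.113.2:60010 (192.168.2.174:60010) -> 8.8.8.8:53       SINGLE:NO_TRAFFIC
em1 udp 8.8.8.8:53 <- 192.168.2.174:60011       SINGLE:NO_TRAFFIC
em1 icmp 8.8.8.8:8 <- 192.168.2.174:8       0:0
"""

# One IPv4 endpoint "addr:port"; a NATed endpoint is followed by "(addr:port)".
_EP = r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)"
LINE_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+" + _EP + r"(?:\s+\(" + _EP + r"\))?"
    + r"\s+(<-|->)\s+" + _EP + r"(?:\s+\(" + _EP + r"\))?"
    + r"\s+(\S+)\s*$"
)


def parse_state(line: str) -> Optional[dict]:
    """Parse one state line into initiator/responder endpoints and states."""
    m = LINE_RE.match(line)
    if not m:
        return None
    (iface, proto, a_ip, a_port, ao_ip, ao_port, arrow,
     b_ip, b_port, bo_ip, bo_port, state) = m.groups()
    # The address in parentheses is the pre-NAT one; treat it as the real endpoint.
    a = (ao_ip or a_ip, int(ao_port or a_port))
    b = (bo_ip or b_ip, int(bo_port or b_port))
    # pfctl prints "initiator -> responder" for outbound states and
    # "responder <- initiator" for inbound ones; the pair is initiator:responder.
    initiator, responder = (a, b) if arrow == "->" else (b, a)
    init_state, _, resp_state = state.partition(":")
    return {
        "iface": iface, "proto": proto,
        "client_ip": initiator[0], "client_port": initiator[1],
        "server_ip": responder[0], "server_port": responder[1],
        "initiator_state": init_state, "responder_state": resp_state,
    }


def dns_report(lines: str) -> Dict[str, dict]:
    """Per portal client: DNS states with/without a reply, and other states."""
    report: Dict[str, dict] = {}
    for line in lines.splitlines():
        st = parse_state(line)
        if st is None or ipaddress.ip_address(st["client_ip"]) not in CLIENT_NET:
            continue
        r = report.setdefault(st["client_ip"],
                              {"dns_answered": 0, "dns_unanswered": 0, "other_states": 0})
        if st["proto"] in ("udp", "tcp") and st["server_port"] == DNS_PORT:
            # NO_TRAFFIC on the responder side: pf never saw a packet back.
            if st["responder_state"] == "NO_TRAFFIC":
                r["dns_unanswered"] += 1
            else:
                r["dns_answered"] += 1
        else:
            r["other_states"] += 1
    return report


def clients_without_dns_replies(lines: str) -> List[str]:
    """Clients that sent DNS queries but never got a single answer."""
    rep = dns_report(lines)
    return sorted((ip for ip, r in rep.items()
                   if r["dns_unanswered"] and not r["dns_answered"]),
                  key=ipaddress.ip_address)


if __name__ == "__main__":
    for client_ip, info in dns_report(STATE_LINES).items():
        print(client_ip, info)
    print("no DNS replies:", clients_without_dns_replies(STATE_LINES))
```

The point of splitting the state pair is that a client stuck at `SINGLE:NO_TRAFFIC` toward port 53 has had its query pass the firewall (a state exists) without anything coming back, which points upstream of pfSense or at the resolver the client was handed, rather than at the portal rules; a client with no port-53 states at all is instead being blocked or is not sending queries through this box.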



  • @stephenw10

    Hi Steve,
    I think I know what the problem is. I'll give you my network diagram and explain the problem.

    1- I installed pfSense on an HP workstation PC with 8 GB RAM.
    pfSense has 1 LAN; this LAN is the WAN connection for pfSense from my CCR 1036, and I added VLAN 10 for the captive portal and inserted it on a MikroTik switch. The problem in my network: I have 2 main wireless links; these links are for my access points, and each wireless link works with WDS. The problem is, if I disable any one of them my problem is solved, but when I use these 2 links at the same time I get the problem. Is there any help with this?

    NOTE: there's no problem in the links; I tested them on another router and they work fine, but the problem appears when I put them on pfSense.

    Thanks


  • Netgate Administrator

    So are those wireless links your WAN connections?

    Or do you mean just that you have two wifi access points?

    And disabling one of them removes the issue?

    A diagram may help here.

    Steve



  • @stephenw10

    Hi Steve, I think it's solved. I changed the WAN connection from DHCP to PPPoE and the problem was solved on some devices.

    Thank you