Captive portal always bypassing



  • Hi, I administrate a pfSense setup at my dorm. There we have a captive portal to ensure certain users only have a certain quota for their internet. The captive portal has a login site, and identifies the logged-in users by their MAC address. The authentication is done through a freeradius server with mysql. The pf captive portal is using interim mode to check against freeradius.

    For a few days now, however, all traffic has been bypassed; that means no user has to log in in order to get to the internet. I don't see what could have changed.
    Pfsense is at: 2.4.4-RELEASE-p3
    freeradius: Version 2.2.8


  • Rebel Alliance

    do you have routers (such as a wifi router) between your pfsense and your devices?



  • Yes and no. We offer both, wifi and ethernet. The wifi routers only work as APs. That means they don't do NAT and no DHCP. Captive portal does not work from wifi as well as ethernet.


  • Rebel Alliance

    ok, sorry wrong clue

    I was asking because many users have this issue because they are using a router with NAT between devices and pfsense

    what's displayed inside the status->captive portal page? how many users are connected?

    could you go to diagnosis -> command prompt, execute the command ipfw table all list and post here anonymized results?



  • what's displayed inside the status->captive portal page?

    Anmerkung 2019-05-28 220238.png

    ipfw table all list:

    --- table(cp_ifaces), set(0) ---
    vmx0 2100 295497766 292079367206 1559073824
    --- table(lan_auth_up), set(0) ---
    10.10.0.81/32 xx:xx:xx:xx:xx:xx 2082 0 0 0
    10.10.0.82/32 xx:xx:xx:xx:xx:xx 2072 0 0 0
    10.10.0.181/32 xx:xx:xx:xx:xx:xx 2106 0 0 0
    10.10.0.187/32 xx:xx:xx:xx:xx:xx 2064 0 0 0
    10.10.0.249/32 xx:xx:xx:xx:xx:xx 2094 0 0 0
    10.10.1.16/32 xx:xx:xx:xx:xx:xx 2074 0 0 0
    10.10.1.24/32 xx:xx:xx:xx:xx:xx 2110 0 0 0
    10.10.1.27/32 xx:xx:xx:xx:xx:xx 2098 0 0 0
    10.10.1.48/32 xx:xx:xx:xx:xx:xx 2090 0 0 0
    10.10.1.71/32 xx:xx:xx:xx:xx:xx 2096 0 0 0
    10.10.1.188/32 xx:xx:xx:xx:xx:xx 2080 0 0 0
    10.10.1.216/32 xx:xx:xx:xx:xx:xx 2066 0 0 0
    10.10.2.8/32 xx:xx:xx:xx:xx:xx 2112 0 0 0
    10.10.2.35/32 xx:xx:xx:xx:xx:xx 2092 0 0 0
    10.10.2.40/32 xx:xx:xx:xx:xx:xx 2084 0 0 0
    10.10.2.114/32 xx:xx:xx:xx:xx:xx 2114 0 0 0
    10.10.2.126/32 xx:xx:xx:xx:xx:xx 2104 0 0 0
    10.10.2.130/32 xx:xx:xx:xx:xx:xx 2102 0 0 0
    10.10.2.147/32 xx:xx:xx:xx:xx:xx 2116 0 0 0
    10.10.2.234/32 xx:xx:xx:xx:xx:xx 2068 0 0 0
    10.10.3.6/32 xx:xx:xx:xx:xx:xx 2070 0 0 0
    10.10.3.28/32 xx:xx:xx:xx:xx:xx 2120 0 0 0
    10.10.3.98/32 xx:xx:xx:xx:xx:xx 2118 0 0 0
    10.10.3.120/32 xx:xx:xx:xx:xx:xx 2108 0 0 0
    10.10.3.141/32 xx:xx:xx:xx:xx:xx 2078 0 0 0
    10.10.3.159/32 xx:xx:xx:xx:xx:xx 2076 0 0 0
    10.10.3.238/32 xx:xx:xx:xx:xx:xx 2100 0 0 0
    --- table(lan_host_ips), set(0) ---
    10.10.7.201/32 0 18460 3416339 1559073821
    10.10.7.254/32 0 956754 162666520 1559073823
    --- table(lan_pipe_mac), set(0) ---
     xx:xx:xx:xx:xx:xx any 2013 0 0 0
     any xx:xx:xx:xx:xx:xx 2012 0 0 0
     xx:xx:xx:xx:xx:xx any 2033 40337 13662578 1559073744
     any xx:xx:xx:xx:xx:xx 2032 62146 75082844 1559073725
     xx:xx:xx:xx:xx:xx any 2005 0 0 0
     any xx:xx:xx:xx:xx:xx 2004 0 0 0
     xx:xx:xx:xx:xx:xx any 2041 0 0 0
     any xx:xx:xx:xx:xx:xx 2040 0 0 0
     xx:xx:xx:xx:xx:xx any 2003 0 0 0
     any xx:xx:xx:xx:xx:xx 2002 0 0 0
     xx:xx:xx:xx:xx:xx any 2027 113775 136528994 1559066142
     any xx:xx:xx:xx:xx:xx 2026 60099 13043501 1559065621
     xx:xx:xx:xx:xx:xx any 2043 0 0 0
     any xx:xx:xx:xx:xx:xx 2042 0 0 0
     xx:xx:xx:xx:xx:xx any 2049 0 0 0
     any xx:xx:xx:xx:xx:xx 2048 0 0 0
     xx:xx:xx:xx:xx:xx any 2001 40942 9473306 1559073786
     any xx:xx:xx:xx:xx:xx 2000 40948 5337083 1559073786
     xx:xx:xx:xx:xx:xx any 2025 16262 19875180 1559073820
     any xx:xx:xx:xx:xx:xx 2024 6945 593038 1559073820
     xx:xx:xx:xx:xx:xx any 2009 0 0 0
     any xx:xx:xx:xx:xx:xx 2008 0 0 0
     xx:xx:xx:xx:xx:xx any 2023 0 0 0
     any xx:xx:xx:xx:xx:xx 2022 0 0 0
     xx:xx:xx:xx:xx:xx any 2035 0 0 0
     any xx:xx:xx:xx:xx:xx 2034 0 0 0
     xx:xx:xx:xx:xx:xx any 2031 5736 1951675 1559073728
     any xx:xx:xx:xx:xx:xx 2030 7036 932558 1559073728
     xx:xx:xx:xx:xx:xx any 2053 0 0 0
     any xx:xx:xx:xx:xx:xx 2052 0 0 0
     xx:xx:xx:xx:xx:xx any 2021 661433 883394044 1559073771
     any xx:xx:xx:xx:xx:xx 2020 90765 10294113 1559073653
     xx:xx:xx:xx:xx:xx any 2007 42854 45520096 1559073777
     any xx:xx:xx:xx:xx:xx 2006 30950 3358468 1559073777
     xx:xx:xx:xx:xx:xx any 2047 0 0 0
     any xx:xx:xx:xx:xx:xx 2046 0 0 0
     xx:xx:xx:xx:xx:xx any 2045 40800 50765159 1559073824
     any xx:xx:xx:xx:xx:xx 2044 14798 2001444 1559073824
     xx:xx:xx:xx:xx:xx any 2017 332135 324588686 1559073822
     any xx:xx:xx:xx:xx:xx 2016 255655 191986930 1559073822
     xx:xx:xx:xx:xx:xx any 2061 219419 300051570 1559073767
     any xx:xx:xx:xx:xx:xx 2060 110327 8765703 1559073767
     xx:xx:xx:xx:xx:xx any 2039 0 0 0
     any xx:xx:xx:xx:xx:xx 2038 0 0 0
     xx:xx:xx:xx:xx:xx any 2037 379560 470206774 1559073823
     any xx:xx:xx:xx:xx:xx 2036 239337 29587450 1559073823
     xx:xx:xx:xx:xx:xx any 2057 0 0 0
     any xx:xx:xx:xx:xx:xx 2056 0 0 0
     xx:xx:xx:xx:xx:xx any 2015 15645 10564113 1559073823
     any xx:xx:xx:xx:xx:xx 2014 14474 1363211 1559073823
     xx:xx:xx:xx:xx:xx any 2029 0 0 0
     any xx:xx:xx:xx:xx:xx 2028 0 0 0
     xx:xx:xx:xx:xx:xx any 2011 424988 515776136 1559073818
     any xx:xx:xx:xx:xx:xx 2010 266988 28753324 1559073818
     xx:xx:xx:xx:xx:xx any 2051 0 0 0
     any xx:xx:xx:xx:xx:xx 2050 0 0 0
     xx:xx:xx:xx:xx:xx any 2019 349689 497773419 1559064286
     any xx:xx:xx:xx:xx:xx 2018 77000 4801787 1559063778
     xx:xx:xx:xx:xx:xx any 2059 1156141 1703206065 1559073570
     any xx:xx:xx:xx:xx:xx 2058 430631 22792756 1559073571
     xx:xx:xx:xx:xx:xx any 2055 478831 451309939 1559049933
     any xx:xx:xx:xx:xx:xx 2054 400380 28902792 1559049635
    --- table(lan_auth_down), set(0) ---
    10.10.0.81/32 2083 0 0 0
    10.10.0.82/32 2073 0 0 0
    10.10.0.181/32 2107 0 0 0
    10.10.0.187/32 2065 0 0 0
    10.10.0.249/32 2095 0 0 0
    10.10.1.16/32 2075 0 0 0
    10.10.1.24/32 2111 0 0 0
    10.10.1.27/32 2099 0 0 0
    10.10.1.48/32 2091 0 0 0
    10.10.1.71/32 2097 0 0 0
    10.10.1.188/32 2081 0 0 0
    10.10.1.216/32 2067 0 0 0
    10.10.2.8/32 2113 0 0 0
    10.10.2.35/32 2093 0 0 0
    10.10.2.40/32 2085 0 0 0
    10.10.2.114/32 2115 0 0 0
    10.10.2.126/32 2105 0 0 0
    10.10.2.130/32 2103 0 0 0
    10.10.2.147/32 2117 0 0 0
    10.10.2.234/32 2069 0 0 0
    10.10.3.6/32 2071 0 0 0
    10.10.3.28/32 2121 0 0 0
    10.10.3.98/32 2119 0 0 0
    10.10.3.120/32 2109 0 0 0
    10.10.3.141/32 2079 0 0 0
    10.10.3.159/32 2077 0 0 0
    10.10.3.238/32 2101 0 0 0
    --- table(lan_allowed_up), set(0) ---
    10.10.0.0/21 2062 89390755 24792069760 1559073824
    --- table(lan_allowed_down), set(0) ---
    10.10.0.0/21 2063 198092339 261271319196 1559073824
    

    The reason why there are still people logged in, I guess, is because they are used to logging in when they enter the dorm. But I am sure they didn't log in because the network was not working for them. As normally we have ~200 people listed here.



  • This looks very strange to me :
    @schabi said in Captive portal always bypassing:

    ...
    --- table(lan_allowed_up), set(0) ---
    10.10.0.0/21 2062 89390755 24792069760 1559073824
    --- table(lan_allowed_down), set(0) ---
    10.10.0.0/21 2063 198092339 261271319196 1559073824

    This means :
    10.10.0.1 to 10.10.7.254 goes right through ... is that what you want ?
    Nota : Mask /21 = 111 1111 1111 = $7ff

    What did you put in "Allowed IP Addresses" ?


  • Rebel Alliance

    @Gertjan is right

    please check your "Allowed IP address" settings. I don't think you wanted to allow 10.10.0.0/21



  • Update :
    I just tried it out myself :

    5fc53e09-a974-4f2a-a653-d202066c5b18-image.png

    192.168.2.0/24 is my captive portal network.

    Adding a network like does offer everybody a free ride !! Works great actually.
    Although, it could be done more easily: just shut down the captive portal ...

    edit : I guess I know who's slamming his head right now ^^



  • Ah wtf, I didn't see that. How did this setting even get there?
    Thank you very much. I'll remove it on Monday as I am currently on vacation.



  • @schabi said in Captive portal always bypassing:

    Ah wtf, I didn't see that. How did this setting even get there?

    Config changes are logged - so bring along the baseball bat, and consult the log ;)
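
An added example, not part of the original thread and not pfSense code: a Python check that parses `ipfw table all list` output and flags "Allowed IP Addresses" entries wider than a single host that overlap the captive portal network, which is the misconfiguration found above. The sample text is constructed from the kind of output posted in the thread; the column order (key, pipe, packets, bytes, timestamp), the `_allowed_up`/`_allowed_down` table suffixes and the portal network `10.10.0.0/21` are assumptions taken from that output.

```python
import ipaddress
import re

# Constructed sample, modelled on the output posted in this thread.
SAMPLE = """\
--- table(cp_ifaces), set(0) ---
vmx0 2100 295497766 292079367206 1559073824
--- table(lan_auth_up), set(0) ---
10.10.0.81/32 xx:xx:xx:xx:xx:xx 2082 0 0 0
--- table(lan_allowed_up), set(0) ---
10.10.0.0/21 2062 89390755 24792069760 1559073824
10.10.7.201/32 2064 10 1200 1559073821
--- table(lan_allowed_down), set(0) ---
10.10.0.0/21 2063 198092339 261271319196 1559073824
"""

TABLE_RE = re.compile(r"^--- table\((\w+)\), set\(\d+\) ---$")

def parse_tables(text):
    """Return {table_name: [whitespace-split rows]} from ipfw table output."""
    tables, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = TABLE_RE.match(line)
        if m:
            current = tables.setdefault(m.group(1), [])
        elif line and current is not None:
            current.append(line.split())
    return tables

def find_bypass_entries(text, portal_net, max_hosts=1):
    """List allowed-IP entries wider than max_hosts that overlap the portal net."""
    portal = ipaddress.ip_network(portal_net)
    findings = []
    for name, rows in parse_tables(text).items():
        if not name.endswith(("_allowed_up", "_allowed_down")):
            continue
        for row in rows:
            try:
                net = ipaddress.ip_network(row[0], strict=False)
            except ValueError:
                continue  # key is not an IP prefix
            pkts = int(row[2]) if len(row) > 2 and row[2].isdigit() else 0
            if net.num_addresses > max_hosts and net.overlaps(portal):
                # (table, prefix, covers whole portal network?, packets passed)
                findings.append((name, str(net), portal.subnet_of(net), pkts))
    return findings

if __name__ == "__main__":
    for finding in find_bypass_entries(SAMPLE, "10.10.0.0/21"):
        print(finding)
```

A `True` in the third field means every client on the portal network is passed without authentication; a non-zero packet counter shows the entry is actively matching traffic.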

