Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    No internet access when user restarts device after connected to CP

    Scheduled Pinned Locked Moved Captive Portal
    10 Posts 3 Posters 820 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      ssattannae
      last edited by

      Hi,
      I couldn't find any related topics on this issue so I apologize if this has been discussed before.

      I'm current facing a problem where if users connect to my pfsense router, then they have no problem accessing the internet. If they restart their devices then there will be no internet access, but on the router it still shows they are logged in. I'm thinking the issue might be they need to be disconnected so the current sessions can be but I'm not sure. Any help will be appreciated, thanks!

      1 Reply Last reply Reply Quote 0
      • GertjanG
        Gertjan
        last edited by

        Hi,

        You should know what happened when users are 'logged in'.

        By default, a "portal" is nothing more or less then a firewall that blocks any traffic from any devices.
        The "portal" trick is that incoming connections to "any IP - port 80" and or "any IP port 443" are redirected to the internal web server. This web server shows a "login page". Posting this page back (+ entering credentials) will open up the firewall for the connected device : the MAC address and IP address are placed in a table in the firewall. Any traffic afterwards, from this device, will pas through the firewall.

        When you restart a device, it's MAC address shouldn't change.
        The device will ask again, during startup, an IP address. The DHCP server, running on pfSense, remembers the device very well - it recognizes the MAC in its tables, and give the same IP.
        Your device should pass through - no need to reconnect - the device is still connected from a point of view of pfSense.

        So, the question is : what happens on your network ?
        Does the device gets the same IP after restart ? Normally, it should, DHCP works like that. This is easy to check.

        So, tell us what is so special on your portal network.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        1 Reply Last reply Reply Quote 1
        • S
          ssattannae
          last edited by

          Thanks for the response!

          I used ifconfig to check the test device IP after after it restarts and it's the same as before restarting.

          I don't think it's there's anything special about the portal network, thought I'm new to pfsense so here's more information about the portal in case I missed any:

          1. the portal uses RADMAC authentication method
          2. portal will re-auth users every minute
          3. popup window disabled
          4. there are some custom code in the portal index.php to fit business logic. The code only handles cases when radius returns no and does not affect anywhere else.
          5. disabling the portal will allow user to get online which is expected, but this should mean the problem lies with my portal.

          I am going to change authentication method and see if anything improves, though I don't think radius server is the issue.

          1 Reply Last reply Reply Quote 0
          • GertjanG
            Gertjan
            last edited by

            See https://docs.netgate.com/pfsense/en/latest/captiveportal/captive-portal-troubleshooting.html

            The console firewall commands will list you the IP's and MAC's of your devices.

            You stated that the device, when restarted, obtained the same IP.
            The MAC is of course the same.

            The portal (pfSense) can't really see or know if your devices restarted, it might as well go out of sight, a Wifi connection became bad or the cable was ripped of.
            All it (pfSense) knows is that device asked again for an IP after it restarted - and because his lease hasn't expired yet, it will hand over the same IP as before.
            So all conditions are met.

            I don't know how RADMAC auth works : is Radius pinging or arping the device to check if its reachable ? If so, if it wasn't there anymore, will RADMAC 'logout' the device. In that case, the portal status page of pfSEnse should reflect that = the device was removed - and thus the related firewall table were removed.
            Is that the case ?

            Also : it's a know fact : it starts with the main index.php file and the underlying /etc/inc/captiveportal.inc file : it's a beautiful mess .... but it works after lighting years of testing hours.
            Ok to change the scripts (the 'code') , but be ready to see unknown side effects.

            On my portal, using FreeRadius - and every 5 minutes it re-authenticate, I can shut down my iPhone, start it up again, and it is still connected (no authentication needed) and my 'login" is still listed in the captive portal status page.

            Btw :

            @ssattannae said in No internet access when user restarts device after connected to CP:

            I'm current facing a problem

            and

            @ssattannae said in No internet access when user restarts device after connected to CP:

            there are some custom code in the portal index.php to fit business logic.

            means you're working on a system with only one expert : you.

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??

            1 Reply Last reply Reply Quote 0
            • S
              ssattannae
              last edited by ssattannae

              Thanks for the input @Gertjan ! After checking out the link you gave me I was able to find out that the user will disappear from the _auth_down and _auth_up IPFW tables, I'm certain this is the cause for the connection loss. I will post an update if I manage to solve this and hopefully help others in similar situation.

              GertjanG 1 Reply Last reply Reply Quote 0
              • GertjanG
                Gertjan @ssattannae
                last edited by

                @ssattannae said in No internet access when user restarts device after connected to CP:

                will disappear from the _auth_down and _auth_up IPFW

                If they are removed from the xxxxx_auth_down and xxxxx_auth_down tables, then "pfSense" is instructed by the exterior "auth" method to do so.
                FreeRadius that is.

                No "help me" PM's please. Use the forum, the community will thank you.
                Edit : and where are the logs ??

                1 Reply Last reply Reply Quote 0
                • S
                  ssattannae
                  last edited by ssattannae

                  Sorry for the late update. So basically my problem is really similar to this post https://forum.netgate.com/topic/137824/pfsense-no-internet-when-it-is-said-you-are-connected/13 and this post https://forum.netgate.com/topic/136262/clients-can-t-reconnect-after-pfsense-reboot. From What I've seen there's no perfect solution yet, so I set the idle timeout to 10 minutes and added a check before radius accounting packet is sent. Basically I am checking if octet input and output is 0 when some amount of time has passed (less than the idle timeout) then chances are the user is no longer in the ipfw table and safe to disconnect. I probably violated some networking convention but there doesn't seem to be a perfect solution yet. Hopefully this will help someone in a similar situation.

                  F 1 Reply Last reply Reply Quote 0
                  • F
                    free4 Rebel Alliance @ssattannae
                    last edited by free4

                    @ssattannae one question : did you try to apply the patch?

                    if you are facing the issue mentioned above...it may help

                    1 Reply Last reply Reply Quote 0
                    • S
                      ssattannae
                      last edited by ssattannae

                      @free4 oh my god thanks for reminding me. I went to check my patch url again and I realized I missed the .diff part at the end, initial testing indicates the patch seems to work. Will update after doing some more testing.

                      Okay everything seems to be in order, thanks again @free4 @Gertjan for your inputs. Though it turned out to be a dummy mistake on my end haha

                      F 1 Reply Last reply Reply Quote 1
                      • F
                        free4 Rebel Alliance @ssattannae
                        last edited by free4

                        @ssattannae you are welcome

                        if after further testing you still think that the patch is really fixing your problem...then don't hesitate to make a thumbs up on https://github.com/pfsense/pfsense/pull/4042 and/or make a small comment "friendly bump, this pull request resolve a very impactful problem..."

                        The patch and pull request are ready since a while (2.4.4-p2)...the current stable release is 2.4.4-p3 and the pull request is not merged yet...

                        1 Reply Last reply Reply Quote 1
                        • First post
                          Last post
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.