(SOLVED)A possible idea/solution to pfSense Bug #9977

tman904 · Jan 13, 2020, 3:55 PM

Hi.

I apologize if this is the wrong place to post this.

From looking over the notes in redmine that pertain to the connectivity dropping when captive portal is enabled. Specifically IPFW being the culprit. I'm wondering if the issue isn't simply

IPFW dropping packets that aren't part of existing connections?
or
pf.ko and ipfw.ko can't interoperate when looking at packets from the tcp/ip stack.

2 would most likely be harder to fix.
But as far as 1 goes couldn't pf be used for the captive portal as well? Especially since it already has all the active states in RAM.

I may have to take a look around on FreeBSD's forums. But I'm not sure pf.ko and ipfw.ko can interoperate, when looking at packets from the tcp/ip stack at the same time. Also because two processes are reading potentially the same mbufs it seems like that could result in some type of lock in the network stack. Or the socket that captive portal is listening on.

I'm no expert just thought I could provide some help in the matter.

Gertjan · Jan 13, 2020, 10:56 AM

@tman904 said in A possible idea/solution to pfSense Bug #9977:

But as far as 1 goes couldn't pf be used for the captive portal as well? Especially since it already has all the active states in RAM

Hi,

The captive portal uses ipfw and pf.
ipfw : is used for the implementation of the captive portal login page redirection, and hadling the devices authorized by MAC and/or IP. You can see them using this.
pf : is being used for the firewall rules entered in the GUI - the interface on which the captive portal is running.

I don't know if pfSense (Netgate) modifies (the source of) these core FreeBSD programmes / libraries (ko files).
I guess your question belongs upstream (FreeBSD itself).

tman904 · Jan 13, 2020, 12:13 PM

I wasn't aware that it used both but thank you for explaining it. Anyway I suppose the captive portal is working in 2.4.4? That must mean this problem isn't related to the OS at all.

All things considered it seems my idea is counter productive.

Gertjan · Jan 13, 2020, 12:16 PM

@tman904 said in A possible idea/solution to pfSense Bug #9977:

captive portal is working in 2.4.4?

It rocks on 2.4.4-p3.

tman904 · Jan 13, 2020, 12:16 PM

Good to hear. I'll have to find a way to utilize it. I just haven't found a need to at the moment.

stephenw10 · Jan 13, 2020, 3:35 PM

We have to use ipfw in the captive portal to filter at layer 2 initially (by MAC). pf is a layer 3 (and higher) filter only.

Steve

tman904 · Jan 13, 2020, 3:42 PM

I forgot that IPFW can filter at layer 2. Thanks Steve that helps clear up my confusion about the issue. I couldn't understand why both were being used at once but now I do.

Sorry for taking up everyone's time with a silly post.

Tyler.

jimp · Jan 13, 2020, 3:42 PM

#9977 is a regression which only affects pfSense 2.4.5 snapshots. It's not a fundamental incompatibility problem, but something that changed in the FreeBSD source which we need to adjust our code to work with.

tman904 · Jan 13, 2020, 3:47 PM

When I read the notes I wasn't sure what was wrong. I had thought it was just a ruleset issue or something similar. Not a code base change... My bad.

Thank you guys for all the work you put into pfSense and FreeBSD.

Tyler.