Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Captive portal dont show logged users after marked mac pass-through

    Scheduled Pinned Locked Moved Captive Portal
    13 Posts 5 Posters 971 Views 5 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • GertjanG Offline
      Gertjan @edicastro
      last edited by Gertjan

      @edicastro said in Captive portal dont show logged users after marked mac pass-through:

      why?

      True, the user has to log in ones to have it's MAC added to the list with MAC(s) that are allowed to go though without pfSense 'seeing' any further traffic of this device = they will show up on the Services > Captive Portal > [portal name] > MACs.
      An early ipfw firewall has a table with all the MAC's that are allowed without further interaction.
      This means that this device doesn't use a something that can is considered by pfSense as a session.

      But : checking out the xxxxx_pipe_macipfw table shows :

      --- table(xxxxx_pipe_mac), set(0) ---
      .....
       b0:cc:2d:45:aa:da any 2049 533 555054 1602673668
       any cc:70:2d:45:aa:da 2048 477 39677 1602673668
      ....
      

      This " b0:cc:2d:45:aa:da" has been auto MAC added upon the first login.
      Because auto added MAC's have pipes, the traffic they generate is counted.
      pfSense could parse this traffic info - the 555054 (bytes down) and 39677 (bytes up) numbers in my example - to see if the device is actually generating traffic, and if so, showing it in the "Captive Portal Status" list like the other, logged in , users . And remove it from the list after, for example, when "Idle timeout (Minutes)" arrives without seeing any traffic change during this "Idle timeout (Minutes)".

      So, it can be done. The feature could be implemented.

      edit :

      Services > Captive Portal > ZONE > MACs
      

      Or do you want this page to be shown as a widget on the dashboard ?
      When

      83142f33-39b1-44bf-8ae2-5cc76ad89287-image.png

      is selected, this :

      f5e22fa0-2aab-4a9c-a76c-9f2e584d9449-image.png

      has no meaning any more - it will stay empty because the auto mac add is valid for every portal user.
      .... and - feature - could be populated with 'active auto MAC users'.

      Btw : I left the option auto mac add activated for the night.
      This morning, I found this :

      b1e889df-06ea-4c23-bc3f-5ad04aa4957b-image.png
      I know they logged in, and I could even find out when, and I could throw them off, which I did.

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

      E viktor_gV 2 Replies Last reply Reply Quote 0
      • E Offline
        edicastro @viktor_g
        last edited by

        @viktor_g This feature has accepted for pfsense team?

        1 Reply Last reply Reply Quote 0
        • E Offline
          edicastro @Gertjan
          last edited by edicastro

          @Gertjan your images post dont show. try imgur.com to send images

          GertjanG 1 Reply Last reply Reply Quote 0
          • GertjanG Offline
            Gertjan @edicastro
            last edited by

            @edicastro said in Captive portal dont show logged users after marked mac pass-through:

            try imgur.com to send images

            I added them.
            I prefer not to use add-black-holes .... and keeping pfSense info at the pfSense forum.

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??

            1 Reply Last reply Reply Quote 0
            • V Offline
              victoriaSwalker
              last edited by

              Great! This post is very use full.

              1 Reply Last reply Reply Quote 0
              • viktor_gV Offline
                viktor_g Netgate @Gertjan
                last edited by

                @Gertjan said in Captive portal dont show logged users after marked mac pass-through:

                True, the user has to log in ones to have it's MAC added to the list with MAC(s) that are allowed to go though without pfSense 'seeing' any further traffic of this device = they will show up on the Services > Captive Portal > [portal name] > MACs.
                An early ipfw firewall has a table with all the MAC's that are allowed without further interaction.

                Correct, see https://github.com/pfsense/pfsense/blob/2e1cfbf9957a559a49af37c00f07db8854950ae3/src/etc/inc/captiveportal.inc#L746
                in other words this is just static firewall rules

                Because auto added MAC's have pipes, the traffic they generate is counted.
                pfSense could parse this traffic info - the 555054 (bytes down) and 39677 (bytes up) numbers in my example - to see if the device is actually generating traffic, and if so, showing it in the "Captive Portal Status" list like the other, logged in , users . And remove it from the list after, for example, when "Idle timeout (Minutes)" arrives without seeing any traffic change during this "Idle timeout (Minutes)".

                "Idle Timeout (Minutes)" can confuse pfSense administrators in a different way. When you see MAC on the configuration page, but not on Active users page due to incorrect timeout settings or host inactivity (printers, phones, servers etc)

                feel free to leave your comments/ideas on https://redmine.pfsense.org/issues/9627

                GertjanG 1 Reply Last reply Reply Quote 0
                • GertjanG Offline
                  Gertjan @viktor_g
                  last edited by

                  @viktor_g said in Captive portal dont show logged users after marked mac pass-through:

                  "Idle Timeout (Minutes)" can confuse pfSense administrators in a different way.

                  Like a smart wall outlet that calls home, opens a channel, and waits for incoming instructions, that might come in after hours or days.
                  Yeah, when I think about the possible pitfalls : they are there.

                  I did not mean that "Idle Timeout (Minutes)" should be used to disconnect a device. The disconnecting thing is only meant to be used for logged in users that will get removed after after a certain time of non connectivity.

                  As soon as "Pass-through MAC Auto Entry" is set, something like "Idle Timeout (Minutes)" has no meaning any more, as ALL logged in devices will get auto-MAC-add.

                  The captive portal status widget becomes .... useless / not needed as it will be empty : the connected user database would be empty.
                  So, why not showing something useful like "these are the "auto MAC" devices that generated traffic the last xx time" ?
                  Or list all the auto mac added devices ? (with traffic usage statistics ?)
                  Because "Pass-through MAC Auto Entry" is set, one could change the title of the widget, and change the behaviour off the disconnect function, so it will remove the MAC from the list / firewall table rule ?

                  Any way, nothing that can be pulled of by @viktor_g in an hour or two ;)

                  No "help me" PM's please. Use the forum, the community will thank you.
                  Edit : and where are the logs ??

                  1 Reply Last reply Reply Quote 0
                  • E Offline
                    edicastro
                    last edited by edicastro

                    how to identify the activities of the users of the "mac past-through" in the logs?

                    GertjanG 1 Reply Last reply Reply Quote 0
                    • GertjanG Offline
                      Gertjan @edicastro
                      last edited by

                      @edicastro said in Captive portal dont show logged users after marked mac pass-through:

                      how to identify the activities of the users of the "mac past-through" in the logs?

                      Re read my post above where I say :

                      But : checking out the xxxxx_pipe_macipfw table shows :

                      Yo can do so with your fingers and keyboard : type the command mentionned, do some number subtractions and you'll find the traffic.
                      Or bring @viktor_g to the bounty room.

                      No "help me" PM's please. Use the forum, the community will thank you.
                      Edit : and where are the logs ??

                      E 1 Reply Last reply Reply Quote 0
                      • E Offline
                        edicastro @Gertjan
                        last edited by edicastro

                        @Gertjan said in Captive portal dont show logged users after marked mac pass-through:

                        But : checking out the xxxxx_pipe_macipfw table shows :

                        @Gertjan I dont understand... where i find "xxxxx_pipe_macipfw" in pfsense? this is a command line? or gui functionality?

                        F 1 Reply Last reply Reply Quote 0
                        • F Offline
                          free4 Rebel Alliance @edicastro
                          last edited by free4

                          @edicastro type the command line

                          ipfw table all list

                          The result should indicate you the status of the two ipfw tables named xxxxx_pipe_mac

                          These tables indicate who is connected

                          1 Reply Last reply Reply Quote 0
                          • First post
                            Last post
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.