Captive Portal blocking white listed MAC addresses in 2.5.0
-
@free4 said in Captive Portal blocking white listed MAC addresses in 2.5.0:
I believe forum would be flooded from complaints if the issue was global.
Not only here.
The ipfw firewall, MACs listed in a table for black or white listing, it's just a FreeBSD command. If ipfw, the pipe handling, was misbehaving, the FreeBSD support would know about it.
pfSense hides, but executes commands for you, and you could have entered them yourself on the command line.
If you can't tear down your network - smart switches, VLANs, bridges - I understand. But try to bring a device that troubles nearby, have it work 'locally' with just a switch, and see if you can replicate the issue.
Like: packet capturing shows the device, its MAC, coming in, and the pipe doing nothing (blocking).
If so, the issue becomes 'FreeBSD'.
-
Well, it's been nearly a month and we have not seen the issue re-appear. At this point I feel like somehow even though the MAC addresses were listed in the table there was something not right and blocking traffic somewhere in BSD/pfsense. When we click to save each entry it seemed to fix them. I suspect that we missed clicking save on a few entries the first time around because I have no explanation why the issue would come back once but not again (I SWEAR we clicked through the list and re-saved all entries, but we all know end users lie :) )
If I see anything further I'll post those details up here, but as of now there's nothing further to troubleshoot.
Thanks again to everyone that took time to review and offer suggestions.
--Andrew
-
@andrewduey, for what it's worth...I experienced what appears to be this same problem on two sets of CARP firewalls in two different networks with similar configurations to each other shortly after upgrading all four of them from 2.4.4 to 2.5.x. I have several more very similarly-configured firewalls to upgrade at my various clients, but have stopped doing any additional upgrades for now because it appears upgrading will invariably break an important part of most of my clients' networks.
My temporary work-around has been to disable Captive Portal for now in these two networks, since not having CP running is preferable to having it running but breaking the devices that need to pass the CP. I haven't done as much diagnosing as it appears you've done but am curious to carefully read back through this thread and see if I can discover/add anything useful.
I'm only chiming in to say that you're not alone, since that appears to be in question! I noticed the problem right away too, but only just now had a spare few minutes to hit the forums to see if there was a known solution to the problem.
FWIW.
-
@cneep said in Captive Portal blocking white listed MAC addresses in 2.5.0:
@andrewduey, for what it's worth...
Glad someone else saw it too.
I'm not sure it's enough to go on, but our firewalls are also set up with CARP. I wouldn't think that would have much to do with it since we're not failing over (that I am aware of and I'm pretty sure we're not as we have notifications enabled).
Between this in 2.5.0 and Multi-WAN NAT broken by 2.5.1 we've had a rough go recently with pfsense firmware upgrades :(
-
Still having the same issues nearly a year later. By this time we've confirmed that every time the firewall acts up then we just re-save the MAC address in the captive portal zone. No changes, just clicking the save button again changes it to allow that MAC address even though it's already on the list. We have about 30 devices and we'll need to click edit on each one and save it.
According to the helpdesk staff, they have to do each entry. Doing one does not cause any others to work, only the one you just saved.
The firewall is now running 21.05.2 and still seeing the issue. I was hoping it would be cleared up in a minor release but hasn't yet.
Any other ideas would be appreciated.
-
@andrewduey did you open a redmine tracker for this?
-
@michmoor Nope, I hadn't yet as previous posters seemed to think it wasn't a bug, but an issue with our setup. But I was thinking it's about time since I think we've ruled everything else out.
-
@andrewduey so before I post a redmine issue I do the following
- post to netgate forums - usually not the most reliable place to seek help.
- post to pfsense reddit forums - usually a more responsive crowd but quality of support varies
- open redmine
Hate to say it but option 2 usually works more for me than the official channel here but who knows you may get lucky. I haven't had that issue show up in my portal deployments.
-
@michmoor I'll check in on the r/pfsense reddit and see what I hear. I was hesitant to put it in redmine until after it was confirmed to be a bug that other people were seeing and not some sort of a configuration issue (since redmine isn't there for support).
But after hanging it out and having a few others review what I'm seeing, I'm pretty comfortable saying it's a bug - even if there's not a lot of others seeing it.
-
@andrewduey said in Captive Portal blocking white listed MAC addresses in 2.5.0:
The firewall is now running 21.05.2 and still seeing the issue. I was hoping it would be cleared up in a minor release but hasn't yet.
There was a major update ( !! keep on reading, do not upgrade yet !!)
A reason you stay on an older version? 22.01 exists these days.
There were some 'captive portal' fixes.
I'm using 2.6.0 CE myself, and presume that 22.01 is identical: my added MACs work: I can add the MAC of my phone, connect to the portal wifi, and I have access right away.
It keeps working if I change some general portal settings, or MAC settings. Or reboot.
What Netgate appliance are you using?
If it's an ARM-based device, and you have some time, get an old PC, slide in a 4 port NIC, and install 2.6.0 CE and clone your pfSense. I know, this is far fetched, but hey, I'm using one portal - have an amd64 type device, and 'it works'.
I didn't test what happens when I activate a second captive portal on a dedicated NIC (I tend to stay away from VLAN stuff as I have no real experience with that).
This is scary :
@free4 said in Captive Portal blocking white listed MAC addresses in 2.5.0:
Since I don't have a clue on what could be issues...
If @free4 can't find it ....
There is a major 2.6.0 - and thus with 22.01 ( ??! ) :
Upon installing all seems fine. But then ... you probably saw the forum about it: the portal doesn't pass ICMP and UDP any more. Only TCP.
To make a long story short: something good came out of this: the pfSense Patch package was updated and comes now with "built in "Netgate" patches", added upfront with upstream patches, and the portal UDP/ICMP issue can be repaired with a click of the Apply button.
One issue is still there :
If you use the captive portal, and you do, then 'limiters' won't work any more / at the moment.
There is still an unresolved issue that is based upon the captive portal using ipfw, and pfSense uses itself for the GUI rules (and aliases, and other 'hidden' rules) the pf firewall.
The two together break limiters. So, you have to remove them for the moment.
As I said earlier: the pipes that ipfw uses for the captive portal, are these the same as limiters? I know that I probably don't know what I'm talking about.
For me, not using limiters isn't really a show stopper. My portal works fine now.
-
@gertjan As always, thanks for the response and thoughts.
Since we were still having issues we did move to 22.01 (aka 2.6.0) last night (a few hours before you responded) since I saw substantial changes to captive portal. I did see the UDP/ICMP issue and applied the system patch too.
The issue only comes up every couple weeks so we'll have to give it time to see if it keeps happening.
I appreciate the warning on the limiters. We do use them, but can live without them for a while.
--Andrew
-