Captive Portal blocking white listed MAC addresses in 2.5.0

AndrewDuey

@michmoor I'll check in on the r/pfsense reddit and see what I hear. I was hesitant to put it in redmine until after it was confirmed was a bug that other people were seeing and not some sort of a configuration issue (since redmine isn't there for support).

But after hanging it out and having a few others review what I'm seeing, I'm pretty comfortable saying it's a bug - even if there's not a lot of others seeing it.

Gertjan

@andrewduey said in Captive Portal blocking white listed MAC addresses in 2.5.0:

The firewall is now running 21.05.2 and still seeing the issue. I was hoping it would be cleared up in a minor release but hasn't yet.

There was a major update ( !! keep on reading, do not upgrade yet !!)
A reason you stay on an older version ? 22.01 exists these day.
There were some 'captive portal' fixes.

I'm using 2.6.0 CE my self, and presume that 22.01 is identical : my add macs work : I can add the MAC of my phone, connect to the portal wifi, and I have access right away.
It keeps working if I change some general portal settings, or MAC settings. Or reboot.

What Netgate appliance are you using ?
If it's a arm based device, and you have some time, get an old PC, slide in an 4 port NIC, and install 2.6.0 CE and clone your pfSense. I know, this is far fetched, but hey, I'm using one portal - have a amd64 type device, and 'it works'.

I didn't test what happens when I activate a second captive portal on a dedicated NIC (I tend to stay away from VLAN stuff as I have no real experience wit that ).

This is scary :

@free4 said in Captive Portal blocking white listed MAC addresses in 2.5.0:

Since I don't have a clue on what could be issues...

If @free4 can't find it ....

There is a major 2.6.0 - and thus with 22.01 ( ??! ) :
Upon installing all seems fine. But then ... you probably saw the forum about it : the portal doesn't pass ICMP and UDP any more. Only TCP.

To make a long story short : something good came out of this : the pfSense Patch package was updated and comes now with "build in "Netgate" patches", added upfront with upstream patches, and the portal UDP/ICMP issue can be repaired with a click of the Apply button.

One issue is still there :
If you use the captive portal and you do, then 'limiters' won't work any more / at the moment.
There is a still an unresolved issue that is based upon the captive portal using ipfw, and pfSense uses itself for the GUI rules (and aliases, and other 'hidden' rules) the pf firewall.
The two together break limiters. So, you have to remove them for the moment.

As I said earlier : the pipes that ipfw uses for the captive portal, are these the same as limiters ? I know that I probably don't know what I'm talking about.
For me, not using limiters isn't really a show stopper. My portal works fine now.

AndrewDuey

@gertjan As always, thanks for the response and thoughts.

Since we were still having issues we did move to 22.01 (aka 2.6.0) last night since (a few hours before you responded) since I saw substantial changes to captive portal. I did see the UDP/ICMP issue and applied the system patch too.

The issue only comes up every couple weeks so we'll have to give it time to see if it keeps happening.

I appreciate the warning on the limiters. We do use them, but can live without them for a while.

--Andrew