Netgate Discussion Forum
    Captive portal allowed hostnames / allowed IP not working as expected, how to debug?

    Captive Portal
    13 Posts 3 Posters 2.0k Views
      nemesisdev

      I have 2 zones.

      The 1st is working fine.
      The 2nd I added does not allow any sort of traffic to the allowed hostnames / allowed IPs.
      The firewall logs do not show anything is being blocked.

      How can I debug what is going on from the shell?

      Thanks in advance.

        Gertjan @nemesisdev

        @nemesisdev said in Captive portal allowed hostnames / allowed IP not working as expected, how to debug?:

        How can I debug what is going on from the shell?

        Troubleshooting Captive Portal

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

          nemesisdev @Gertjan

          @gertjan thanks for the info.

          How can I debug the allowed hostnames / allowed ip feature?
          I don't seem to find this info in the troubleshooting page.

          It's really weird because I added allowed IPs and hostnames to the captive portal zone, but it seems to have no effect and I don't know how to troubleshoot this.

            Gertjan @nemesisdev

            @nemesisdev said in Captive portal allowed hostnames / allowed IP not working as expected, how to debug?:

            I don't seem to find this info in the troubleshooting page.

            This command

            ipfw table all list
            

            Shows the cp[zone]_allowed_down cp[zone]_allowed_up tables.
            They contain the IPv4 of the allowed IPs and host names.
            The listed host names are regularly converted from host names to IPv4, as firewalls don't work with host names.

              nemesisdev @Gertjan

              @gertjan ah ok thank you for expanding, this was not clear to me.

                nemesisdev

                By the way, is it just me or changes done to "Allowed Hostnames" do not become effective until after a reboot? I am on version 2.5.2-RELEASE, I tried restarting the captive portal service and the DNS forwarder to no avail, only reboot works for me.

                  Gertjan @nemesisdev

                  @nemesisdev said in Captive portal allowed hostnames / allowed IP not working as expected, how to debug?:

                  By the way, is it just me or changes done to "Allowed Hostnames"

                  Firewalls, like 'pf' used by FreeBSD (pfSense), don't work with host names. They work with IP addresses.

                  Read this part of the manual, and you'll get the picture ;)
                  There is a warning : not every host name can be used to be resolved.

                    nemesisdev @nemesisdev

                    @nemesisdev said in Captive portal allowed hostnames / allowed IP not working as expected, how to debug?:

                    By the way, is it just me or changes done to "Allowed Hostnames" do not become effective until after a reboot? I am on version 2.5.2-RELEASE, I tried restarting the captive portal service and the DNS forwarder to no avail, only reboot works for me.

                    Update: I tried the following steps and I was able to make changes to allowed hostnames in the captive portal configuration effective without rebooting:

                    • log in via SSH
                    • service ipfw onerestart
                    • restart the captive portal from the UI
                      Gertjan @nemesisdev

                      @nemesisdev

                      Another test :
                      Connect to the SSID of your captive portal - but do not identify.
                      Test that you can't access test-domaine.fr

                      Now add this domain to the allowed host names :

                      [screenshot: the domain entered in the "Allowed Hostnames" settings of the captive portal zone]

                      On your device :
                      Select another SSID - or deactivate your Wifi, activate it, and connect to the captive portal SSID.
                      This step is needed to accelerate the flushing of DNS entries (in your device), and, important: firewall states.
                      Do not identify.
                      But you can access "test-domaine.fr" (http probably and surely https).

                      Btw : host names are not used in firewall rules.
                      Instead of test-domaine.fr, the IPs

                      test-domaine.fr has address 5.196.43.182
                      test-domaine.fr has IPv6 address 2001:41d0:2:927b::15
                      

                      are entered into the "allowed IP tables". (only IPv4 is used as the portal doesn't handle IPv6)

                      Also : I restarted nothing myself.

                        nemesisdev @Gertjan

                        @gertjan Allowed IPs work without restart, Allowed Hostnames do not, but I prefer working with hostnames.

                          Gertjan @nemesisdev

                          @nemesisdev

                          Hummmm.
                          Looked for IP host names :

                          ipfw table all list

                          --- table(xxxxxx_allowed_up), set(0) ---
                          188.165.53.87/32 2008 0 0 0
                          192.168.2.2/32 2004 4021 449133 1628860182
                          192.168.2.3/32 2006 3463 359548 1628860780
                          192.168.2.4/32 2008 2129 247869 1628860389
                          2001:41d0:2:927b::3/128 2008 0 0 0
                          --- table(xxxxxx_allowed_down), set(0) ---
                          188.165.53.87/32 2009 0 0 0
                          192.168.2.2/32 2005 114 8664 1628860182
                          192.168.2.3/32 2007 116 8816 1628860780
                          192.168.2.4/32 2009 113 8588 1628860389
                          2001:41d0:2:927b::3/128 2009 0 0 0
                          

                          The table(xxxxx_allowed_up) and table(xxxxx_allowed_down) are the two tables with the allowed IP and allowed (resolved !) host names.

                          I added a host name.

                          I checked again using the "ipfw table all list" command : nothing was added.
                          I waited for 5 minutes or so (maybe not enough ?).
                          ok, no big deal, I restarted the captive portal.
                          Now the new host showed up (that is, the IPv4 and IPv6 ( ?!?) of that host):

                          --- table(xxxxxx_allowed_up), set(0) ---
                          5.196.43.182/32 2418 0 0 0
                          188.165.53.87/32 2180 0 0 0
                          192.168.2.2/32 2004 0 0 0
                          192.168.2.3/32 2006 0 0 0
                          192.168.2.4/32 2008 0 0 0
                          2001:41d0:2:927b::15/128 2418 0 0 0
                          --- table(xxxxxx_allowed_down), set(0) ---
                          5.196.43.182/32 2419 0 0 0
                          188.165.53.87/32 2181 0 0 0
                          192.168.2.2/32 2005 0 0 0
                          192.168.2.3/32 2007 0 0 0
                          192.168.2.4/32 2009 0 0 0
                          2001:41d0:2:927b::15/128 2419 0 0 0
                          

                            viktor_g Netgate @Gertjan
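                          The check described in this post (resolve the host name, then look for its addresses in the zone's up and down tables) can be scripted. The script below is an added example, not from the thread or from pfSense: it parses a captured `ipfw table all list` listing and prints each address from a `host` lookup that is not yet present in both cp<zone>_allowed_up and cp<zone>_allowed_down; the zone prefix cpzone1 and the embedded sample data are constructed from the output quoted above.

```shell
#!/bin/sh
# Check whether the addresses an allowed hostname resolves to have made it
# into both captive-portal ipfw tables. Constructed example; "cpzone1" is
# a stand-in for the real cp<zone> prefix shown as xxxxxx in the thread.

# Constructed listing, modelled on the thread's first 'ipfw table all list'
# output (captured before the new hostname had been picked up).
SAMPLE_TABLES='--- table(cpzone1_allowed_up), set(0) ---
188.165.53.87/32 2008 0 0 0
192.168.2.2/32 2004 4021 449133 1628860182
2001:41d0:2:927b::3/128 2008 0 0 0
--- table(cpzone1_allowed_down), set(0) ---
188.165.53.87/32 2009 0 0 0
192.168.2.2/32 2005 114 8664 1628860182
2001:41d0:2:927b::3/128 2009 0 0 0'

# Constructed 'host test-domaine.fr' output, as quoted in the thread.
SAMPLE_HOST='test-domaine.fr has address 5.196.43.182
test-domaine.fr has IPv6 address 2001:41d0:2:927b::15'

# table_has LISTING TABLE PREFIX: succeed if PREFIX is an entry of TABLE.
# Only the section between TABLE's header and the next header is scanned.
table_has() {
    printf '%s\n' "$1" | awk -v want="$2" -v pfx="$3" '
        /^--- table\(/ { in_tbl = (index($0, "table(" want ")") > 0); next }
        in_tbl && $1 == pfx { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# address_allowed LISTING ZONE ADDR: succeed only if ADDR is in both the
# _allowed_up and _allowed_down tables (traffic must pass in both directions).
address_allowed() {
    case $3 in *:*) pfx="$3/128" ;; *) pfx="$3/32" ;; esac
    table_has "$1" "${2}_allowed_up" "$pfx" &&
        table_has "$1" "${2}_allowed_down" "$pfx"
}

# missing_addresses LISTING ZONE HOST_OUTPUT: print each address from the
# 'host' output that is not yet in both tables (no output = all present).
missing_addresses() {
    printf '%s\n' "$3" | awk '/ has (IPv6 )?address / { print $NF }' |
    while read -r a; do
        address_allowed "$1" "$2" "$a" || printf '%s\n' "$a"
    done
}

# On a live box: missing_addresses "$(ipfw table all list)" cpzone1 "$(host NAME)"
missing_addresses "$SAMPLE_TABLES" cpzone1 "$SAMPLE_HOST"
```

With the sample data both addresses of test-domaine.fr are reported as missing, which is the state the post describes before the portal restart; an empty result means the hostname has been resolved into both tables.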

                            @gertjan This is pfSense 2.5.2 ?
                            Could you create a bugreport?

                              Gertjan @viktor_g

                              @viktor_g said in Captive portal allowed hostnames / allowed IP not working as expected, how to debug?:

                              This is pfSense 2.5.2 ?

                              Yes.
                              I'll file one as soon as I find it ;)

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.