Captive portal allowed hostnames / allowed IP not working as expected, how to debug?
-
@nemesisdev said in Captive portal allowed hostnames / allowed IP not working as expected, how to debug?:
I don't seem to find this info in the troubleshooting page.
This command
ipfw table all list
Shows the cp[zone]_allowed_down and cp[zone]_allowed_up tables.
They contain the IPv4 addresses of the allowed IPs and host names.
The listed host names are regularly converted from host names to IPv4, as firewalls don't work with host names. -
@gertjan ah ok thank you for expanding, this was not clear to me.
-
By the way, is it just me or do changes done to "Allowed Hostnames" not become effective until after a reboot? I am on version 2.5.2-RELEASE, I tried restarting the captive portal service and the DNS forwarder to no avail, only reboot works for me.
-
@nemesisdev said in Captive portal allowed hostnames / allowed IP not working as expected, how to debug?:
By the way, is it just me or do changes done to "Allowed Hostnames"
Firewalls, like 'pf' used by FreeBSD (pfSense), don't work with host names. They work with IP addresses.
Read this part of the manual, and you'll get the picture ;)
There is a warning : not every host name can be used to be resolved. -
@nemesisdev said in Captive portal allowed hostnames / allowed IP not working as expected, how to debug?:
By the way, is it just me or do changes done to "Allowed Hostnames" not become effective until after a reboot? I am on version 2.5.2-RELEASE, I tried restarting the captive portal service and the DNS forwarder to no avail, only reboot works for me.
Update: I tried the following steps and I was able to make changes to allowed hostnames in the captive portal configuration effective without rebooting:
- log in via SSH
service ipfw onerestart
- restart the captive portal from the UI
-
Another test :
Connect to the SSID of your captive portal - but do not identify.
Test that you can't access test-domaine.fr
Now add this domain to the allowed host names :
On your device :
Select another SSID - or deactivate your Wifi, activate it, and connect to the captive portal SSID.
This step is needed to accelerate the flush of DNS entries (in your device), and, importantly, of firewall states.
Do not identify.
But you can access "test-domaine.fr" (http probably and surely https).
Btw : host names are not used in firewall rules.
Instead of test-domaine.fr, the IPs
test-domaine.fr has address 5.196.43.182
test-domaine.fr has IPv6 address 2001:41d0:2:927b::15
are entered into the "allowed IP tables". (only IPv4 is used as the portal doesn't handle IPv6)
Also : I restarted nothing myself.
-
@gertjan Allowed IPs work without restart, Allowed Hostnames do not, but I prefer working with hostnames.
-
Hummmm.
Looked for IP host names :......
ipfw table all list
--- table(xxxxxx_allowed_up), set(0) ---
188.165.53.87/32 2008 0 0 0
192.168.2.2/32 2004 4021 449133 1628860182
192.168.2.3/32 2006 3463 359548 1628860780
192.168.2.4/32 2008 2129 247869 1628860389
2001:41d0:2:927b::3/128 2008 0 0 0
--- table(xxxxxx_allowed_down), set(0) ---
188.165.53.87/32 2009 0 0 0
192.168.2.2/32 2005 114 8664 1628860182
192.168.2.3/32 2007 116 8816 1628860780
192.168.2.4/32 2009 113 8588 1628860389
2001:41d0:2:927b::3/128 2009 0 0 0
The table(xxxxx_allowed_up) and table(xxxxx_allowed_up) are the two tables with the allowed IPs and allowed (resolved !) host names.
I added a host name.
I checked again using the "ipfw table all list" command : nothing was added.
I waited for 5 minutes or so (maybe not enough ?).
ok, no big deal, I restarted the captive portal.
Now the new host showed up (that is, the IPv4 and IPv6 ( ?!?) of that host):
--- table(xxxxxx_allowed_up), set(0) ---
5.196.43.182/32 2418 0 0 0
188.165.53.87/32 2180 0 0 0
192.168.2.2/32 2004 0 0 0
192.168.2.3/32 2006 0 0 0
192.168.2.4/32 2008 0 0 0
2001:41d0:2:927b::15/128 2418 0 0 0
--- table(xxxxxx_allowed_down), set(0) ---
5.196.43.182/32 2419 0 0 0
188.165.53.87/32 2181 0 0 0
192.168.2.2/32 2005 0 0 0
192.168.2.3/32 2007 0 0 0
192.168.2.4/32 2009 0 0 0
2001:41d0:2:927b::15/128 2419 0 0 0
-
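Added example, not part of any post in this thread and not pfSense code: a small Python parser for saved `ipfw table all list` output that reports whether a hostname's resolved address is present in the allowed_up and allowed_down tables, and what changed between two snapshots. The function names are hypothetical; the sample listings are abridged from the two listings posted above, and the address for test-domaine.fr is the one given in the thread.

```python
import ipaddress
import re

# A table header, or one entry's network. Works on normal line-per-entry output
# and on output flattened onto one line, as it appears pasted in the thread.
TOKEN = re.compile(r"--- table\((?P<table>[^)]+)\), set\(\d+\) ---"
                   r"|(?<![\w:.])(?P<net>[0-9A-Fa-f:.]+/\d{1,3})(?!\d)")

def parse_tables(listing):
    """Return {table_name: set of ip_network} from `ipfw table all list` output."""
    tables, current = {}, None
    for m in TOKEN.finditer(listing):
        if m.group("table"):
            current = tables.setdefault(m.group("table"), set())
        elif current is not None:
            current.add(ipaddress.ip_network(m.group("net"), strict=False))
    return tables

def added_entries(before, after):
    """Per table, the networks present in `after` but not in `before`."""
    return {name: sorted(str(n) for n in nets - before.get(name, set()))
            for name, nets in after.items() if nets - before.get(name, set())}

def missing_from_allowed(tables, addresses):
    """Per *_allowed_up / *_allowed_down table, the addresses it does not cover."""
    missing = {}
    for name, nets in tables.items():
        if name.endswith(("_allowed_up", "_allowed_down")):
            gaps = [a for a in addresses
                    if not any(ipaddress.ip_address(a) in n for n in nets)]
            if gaps:
                missing[name] = gaps
    return missing

# Abridged from the two listings in the thread (before / after the portal restart).
BEFORE = ("--- table(xxxxxx_allowed_up), set(0) --- 188.165.53.87/32 2008 0 0 0 "
          "192.168.2.2/32 2004 4021 449133 1628860182 "
          "--- table(xxxxxx_allowed_down), set(0) --- 188.165.53.87/32 2009 0 0 0 "
          "192.168.2.2/32 2005 114 8664 1628860182")
AFTER = ("--- table(xxxxxx_allowed_up), set(0) --- 5.196.43.182/32 2418 0 0 0 "
         "188.165.53.87/32 2180 0 0 0 192.168.2.2/32 2004 0 0 0 "
         "--- table(xxxxxx_allowed_down), set(0) --- 5.196.43.182/32 2419 0 0 0 "
         "188.165.53.87/32 2181 0 0 0 192.168.2.2/32 2005 0 0 0")
HOST_ADDRS = ["5.196.43.182"]  # test-domaine.fr, IPv4 as given in the thread

if __name__ == "__main__":
    print("missing before:", missing_from_allowed(parse_tables(BEFORE), HOST_ADDRS))
    print("missing after: ", missing_from_allowed(parse_tables(AFTER), HOST_ADDRS))
    print("added:", added_entries(parse_tables(BEFORE), parse_tables(AFTER)))
```

Save the command output before and after changing "Allowed Hostnames" and feed both files to `parse_tables`; an empty result from `missing_from_allowed` means the resolved address reached both tables.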
@gertjan This is pfSense 2.5.2 ?
Could you create a bug report? -
@viktor_g said in Captive portal allowed hostnames / allowed IP not working as expected, how to debug?:
This is pfSense 2.5.2 ?
Yes.
I'll file one as soon as I find it ;)