PROBLEM with captive portal and limiter



  • I have one problem with the traffic shaper limiter and captive portal: when I set the captive portal option there is no problem, but when I give a traffic limiter I cannot open the internet; if set together (captive portal and limiter per IP) it is not working.
    If I configure the limiter all is OK, each IP or host has internet; then I want to use the captive portal, I set the captive portal and all is wrong: all hosts cannot connect to the internet.



  • Can you please give me
    ipfw show
    ipfw pipe show
    /conf/config.xml
    /tmp/rules.debug
    ifconfig -a
    netstat -rn
    sysctl -a | grep pfil



  • Thanks for your reply. Here I send the attachment files you requested. I use the latest version; I hope that you can resolve this problem. The limiter rules of the firewall are OK, but when I activate the captive portal I cannot open the captive portal's web page; here I send one picture. A hug from Peru.



    [ipfw show.txt](/public/imported_attachments/1/ipfw show.txt)
    [ipfw pipe show.txt](/public/imported_attachments/1/ipfw pipe show.txt)
    config_xml.txt
    tmp_rules.debug.txt
    [ifconfig -a.txt](/public/imported_attachments/1/ifconfig -a.txt)
    [netstat -rn.txt](/public/imported_attachments/1/netstat -rn.txt)
    [$ sysctl -a grep pfil.txt](/public/imported_attachments/1/$ sysctl -a grep pfil.txt)



  • Hello,
      I am also seeing similar behavior.  I haven't tested the limiter without captive portal though.  When I add any combination of in/out limiter to my default allow rule for the interface I want to limit, all new connections are blocked.  Existing connections seem to stay up.

    I will send my info also, just in case it will help.  I'm going to send it just to Ermal, I don't really feel comfortable posting all that info for the world to see.



  • I have been trying to get the limiter to work without the captive portal, and I am having no luck.  Every time I assign the limiter to a rule, I lose the ability to make new connections.

    I'm running 2.0-Alpha-alpha (Fri Jul 10 09:02:11 EDT 2009 FreeBSD 7.2-Release-p2) on a pentium III box with 2 XLx's and a DCx.

    I have searched the forum for examples of how to set up the limiter and found a few posts from Ermal that give examples.

    @ermal:

    Try the Traffic shaper->limiter; it might be better than squid for that.
    If I understand it correctly you are just sharing the bandwidth equally between hosts.
    Just create a limiter and after that create a child of that with mask src address and use it in the In/Out part of the rules as the IN; that would do the same for incoming traffic.
    For outgoing create another limiter with another child and use it as the OUT.

    With the current version of alpha, I couldn't see how it would be possible to create a child of a pipe.

    @ermal:

    Anybody interested in this, please test.

    To limit users to a fixed bandwidth on a network just create two limiters with the bandwidth each user will get and select source-address as mask for one limiter and destination for the other.
    Open the default LAN rule and select for in the limiter with the source address mask and for out the one with the destination address mask.
    This is the simplest of setups but will give each user on the LAN the configured bandwidth.

    Report back if it works as advertised.

    I used this as a guide to setup 2 pipes and assign them to the default lan rule.

    Here is a link to another discussion about this same problem, there was no resolution posted though.
    http://forum.pfsense.org/index.php/topic,15570.msg81482.html#msg81482

    Everything seems to be setup fine.

    
    $ ipfw pipe list
    00001: 250.000 Kbit/s    0 ms   50 sl. 2 queues (64 buckets) droptail
        mask: 0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
    BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
      0 ip    192.168.206.20/0             0.0.0.0/0     20995245 1987547496 50 4740 2188
      0 ip   192.168.206.244/0             0.0.0.0/0     6093835 1767212150 21 6090   0
    00002: 250.000 Kbit/s    0 ms   50 sl. 0 queues (64 buckets) droptail

    Pipe 1 is seeing the pings I am sending out, the Total packets for 192.168.206.20 is incrementing.

    From my rules.debug, here are the relevant sections.

    
    dnpipe 1 bandwidth 250Kb mask src-ip 0xffffffff
    dnpipe 2 bandwidth 250Kb mask dst-ip 0xffffffff

    pass  in  quick  on $LAN  from 192.168.206.0/24 to any keep state  dnpipe ( 1, 2)  label "USER_RULE: Default allow LAN to any rule"

    I am using the packet shaper also, which is working great for my single wan, multi lan setup.  Is it possible to use both the limiter and the packet shaper at the same time?

    Any help would be appreciated.
    Thanks
    Josh



  • Please show ipfw pipe show and your rules and ipfw show.

    Yeah it is possible to use both at same time.



  • Hello,

    ipfw pipe show looks like it gives the same as ipfw pipe list, but here you go again.  Let me know if you need anything else, or if you want to ssh into the box, I can set that up if you would like.  I'm just experimenting with this install.

    
    $ ipfw pipe show
    00001: 250.000 Kbit/s    0 ms   50 sl. 2 queues (64 buckets) droptail
        mask: 0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
    BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
      0 ip    192.168.206.20/0             0.0.0.0/0     21922940 2074915884  0    0 3050
      0 ip   192.168.206.244/0             0.0.0.0/0     6392742 1853895180  0    0   0
    00002: 250.000 Kbit/s    0 ms   50 sl. 0 queues (64 buckets) droptail
    00003: 512.000 Kbit/s    0 ms   50 sl. 0 queues (64 buckets) droptail

    jrs-ipfw.show.txt
    jrs-rules-debug.txt



  • Dear Ermal, I wonder: is it possible to use both the LIMITER and CAPTIVE PORTAL at the same time?
    I hope for your answer.



  • I am still investigating why it may give issues and will get back to you when I have the correct answer.



  • Check the latest snapshots, they should be OK.
    Seems the correct patches were not backported from the 8.0 FreeBSD builds.



  • Dear Ermal, the problem is resolved in part; here I send you more information.
    1. I set the captive portal
    2. I log in by the captive portal with my computer and I get internet
    3. then I go to traffic shaper -> limiter and I set the limiter on my network
    4. I see that there is no problem, I have internet; limiter and captive portal work at the same time.

    But when I work it in this order all changes: LIMITER AND CAPTIVE PORTAL DON'T WORK AT THE SAME time (below)

    1. First I set the limiter in the traffic shaper
    2. I have the limiter on my network, I have got internet and there isn't a problem
    3. then I want to use the captive portal, I set the captive portal
    4. and when I want to use the internet I cannot connect to the internet, I cannot see any page

    PLEASE can you tell me what happened?
    I appreciate your help.
    Best regards
    I use pfSense-Developers-2.0-ALPHA-ALPHA-20090726-0123.iso.gz



  • Give me the same info as before.
    Just add to it the kldstat output and sysctl net.inet output.

    One in the case that works and one with the other case.



  • Dear Ermal, here I send the information you requested; this configuration is about this case:
    1. I set the captive portal
    2. I log in by the captive portal with my computer and I get internet
    3. then I go to traffic shaper -> limiter and I set the limiter on my network
    4. I see that there is no problem, I have internet; limiter and captive portal work at the same time.

    [$ ifconfig -a_ RIGHT.txt](/public/imported_attachments/1/$ ifconfig -a_ RIGHT.txt)
    [$ ipfw pipe show_ RIGHT.txt](/public/imported_attachments/1/$ ipfw pipe show_ RIGHT.txt)
    [$ ipfw show_RIGHT.txt](/public/imported_attachments/1/$ ipfw show_RIGHT.txt)
    [$ kldstat_ RIGHT.txt](/public/imported_attachments/1/$ kldstat_ RIGHT.txt)
    [$ netstat -rn_ RIGHT.txt](/public/imported_attachments/1/$ netstat -rn_ RIGHT.txt)
    [config_ RIGHT.txt](/public/imported_attachments/1/config_ RIGHT.txt)
    [rules.debug_ RIGHT.txt](/public/imported_attachments/1/rules.debug_ RIGHT.txt)
    [sysctl -a l grep pfil_ RIGHT.txt](/public/imported_attachments/1/sysctl -a l grep pfil_ RIGHT.txt)
    [sysctl net.inet_ RIGHT.txt](/public/imported_attachments/1/sysctl net.inet_ RIGHT.txt)



  • Dear Ermal, here I send the other configuration, when all works wrong; you can see the first configuration above.
    I appreciate your help, and send you a hug from Peru.
    Cesar
    LIMITER AND CAPTIVE PORTAL DON'T WORK AT THE SAME time (below)

    1. First I set the limiter in the traffic shaper
    2. I have the limiter on my network, I have got internet and there isn't a problem
    3. then I want to use the captive portal, I set the captive portal
    4. and when I want to use the internet I cannot connect to the internet, I cannot see any page

    [$ ifconfig -a_ WRONG.txt](/public/imported_attachments/1/$ ifconfig -a_ WRONG.txt)
    [$ ipfw pipe show_ WRONG.txt](/public/imported_attachments/1/$ ipfw pipe show_ WRONG.txt)
    [$ ipfw show_ WRONG.txt](/public/imported_attachments/1/$ ipfw show_ WRONG.txt)
    [$ kldstat_ WRONG.txt](/public/imported_attachments/1/$ kldstat_ WRONG.txt)
    [$ netstat -rn_ WRONG.txt](/public/imported_attachments/1/$ netstat -rn_ WRONG.txt)
    [$ sysctl -a l grep pfil_ WRONG.txt](/public/imported_attachments/1/$ sysctl -a l grep pfil_ WRONG.txt)
    [$ sysctl net.inet_ WRONG.txt](/public/imported_attachments/1/$ sysctl net.inet_ WRONG.txt)
    [config_ WRONG.txt](/public/imported_attachments/1/config_ WRONG.txt)
    [rules.debug_ WRONG.txt](/public/imported_attachments/1/rules.debug_ WRONG.txt)



  • Ermal,
      I just tested things out with the latest snapshot (7.2-RELEASE-p2 2.0-Alpha-Alpha built on Sat Jul 25 23:59:13 EDT 2009) and my first test of just limiting LAN hosts worked wonderfully.  The ability to limit each host individually is really exciting, and then to have the whole connection shaped with altq also seems like it will really help smooth out some traffic problems a few of my sites have been having.  Thank you for taking the time to look into this.

    Now I'm going to test out the situation that rojocesar is having, and see if I can have the limiter and captive portal work at the same time.
    Josh



  • Hello,
      I set up the limiter with the captive portal using the settings found on the captive portal page, and that does seem to work fine.  My upload and download are working, the login page comes up.  I attached an image of what I have it set at.  I'm not quite understanding how that limiter is set up though.  Is that limiter truly per-user, so if one user had 3 laptops, and logged in with the same credentials on each one, then the total bandwidth for those 3 laptops would be throttled as a whole?  Or is per-user = per node/host?  I'm not planning on using authentication, just a splash page with an EULA.  Will this method of limiting work for me?

    When I look at the pipes that were created for the captive portal limiter they look a little different.  They do not show up under the traffic shaper, limiter menu.

    $ ipfw pipe show
    00001: 250.000 Kbit/s    0 ms   50 sl. 1 queues (64 buckets) droptail
        mask: 0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
    BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
     18 ip   192.168.206.253/0             0.0.0.0/0     8098  2969711  0    0   0
    00002: 400.000 Kbit/s    0 ms   50 sl. 1 queues (64 buckets) droptail
        mask: 0x00 0x00000000/0x0000 -> 0xffffffff/0x0000
    BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
     44 ip           0.0.0.0/0     192.168.206.253/0     9137 10626184  0    0   0
    00003: 512.000 Kbit/s    0 ms   50 sl. 0 queues (64 buckets) droptail
    50501: 250.000 Kbit/s    0 ms  100 sl. 1 queues (1 buckets) droptail
        mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
    BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
      0 tcp    192.168.1.198/4627    206.183.1.139/80    14403  1539968  0    0   0
    55501: 350.000 Kbit/s    0 ms  100 sl. 1 queues (1 buckets) droptail
        mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
    BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
      0 tcp    206.183.1.139/80      192.168.1.198/4627  19802 28268162  1 1500   0

    Pipes 1 & 2 are for a LAN limit, 3 is for another test, and 50501 and 55501 look like they are for the captive portal.  They are not masked for source or destination, so I am assuming that each user (or node/host) gets a dynamically created pipe just for them.  If that is the case it is pretty sweet.

    I will keep playing around with it, and try manually adding a limiter to see if I see the same problem as rojocesar.
    Josh
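The two `ipfw pipe show` listings Josh posted (the pair of hand-made LAN limiters earlier in the thread, and the listing above with the pipes the captive portal created on its own) differ in their `mask:` line, and that line is what decides whether a pipe hands each client its own bandwidth allotment or makes every flow share one. The parser below is an added example, not code from pfSense or from anyone in this thread; it reads the listing above (embedded as constructed sample input) and checks Ermal's recipe: the pipe on the rule's "in" side must be masked on source address and the one on the "out" side on destination address. The unit scaling (Kbit/s = 1000 bit/s) is an assumption.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample input (constructed from the listing posted in the thread): pipes 1 and 2
# are the hand-made LAN limiters, 3 is a spare pipe, 50501/55501 were created by
# the captive portal for one logged-in client.
SAMPLE = """\
00001: 250.000 Kbit/s    0 ms   50 sl. 1 queues (64 buckets) droptail
    mask: 0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
 18 ip   192.168.206.253/0             0.0.0.0/0     8098  2969711  0    0   0
00002: 400.000 Kbit/s    0 ms   50 sl. 1 queues (64 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0xffffffff/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
 44 ip           0.0.0.0/0     192.168.206.253/0     9137 10626184  0    0   0
00003: 512.000 Kbit/s    0 ms   50 sl. 0 queues (64 buckets) droptail
50501: 250.000 Kbit/s    0 ms  100 sl. 1 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 tcp    192.168.1.198/4627    206.183.1.139/80    14403  1539968  0    0   0
55501: 350.000 Kbit/s    0 ms  100 sl. 1 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 tcp    206.183.1.139/80      192.168.1.198/4627  19802 28268162  1 1500   0
"""

PIPE_RE = re.compile(
    r"^(?P<num>\d+):\s+(?P<bw>[\d.]+)\s+(?P<unit>\w+)/s\s+(?P<delay>\d+)\s+ms\s+"
    r"(?P<slots>\d+)\s+sl\.\s+(?P<queues>\d+)\s+queues\s+\((?P<buckets>\d+)\s+buckets\)\s+(?P<sched>\w+)"
)
MASK_RE = re.compile(
    r"^\s*mask:\s+0x[0-9a-f]+\s+0x(?P<src>[0-9a-f]+)/0x[0-9a-f]+\s+->\s+0x(?P<dst>[0-9a-f]+)/0x[0-9a-f]+",
    re.IGNORECASE,
)
FLOW_RE = re.compile(
    r"^\s*(?P<bkt>\d+)\s+(?P<prot>\w+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<tot_pkt>\d+)\s+"
    r"(?P<tot_bytes>\d+)\s+(?P<q_pkt>\d+)\s+(?P<q_bytes>\d+)\s+(?P<drp>\d+)\s*$"
)
# Assumption: decimal scaling, as dummynet reports it (Kbit/s = 1000 bit/s).
UNIT_KBPS = {"bit": 0.001, "Kbit": 1.0, "Mbit": 1000.0, "Gbit": 1_000_000.0}


@dataclass
class Flow:
    proto: str
    src: str
    dst: str
    total_pkts: int
    total_bytes: int
    queued_pkts: int
    queued_bytes: int
    drops: int


@dataclass
class Pipe:
    number: int
    bandwidth_kbps: float
    delay_ms: int
    slots: int
    queues: int
    buckets: int
    scheduler: str
    src_mask: Optional[int] = None   # None when no queue exists yet (no mask line printed)
    dst_mask: Optional[int] = None
    flows: List[Flow] = field(default_factory=list)


def parse_pipe_show(text: str) -> List[Pipe]:
    """Turn `ipfw pipe show` output into Pipe objects with their mask and live queues."""
    pipes: List[Pipe] = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("BKT"):
            continue  # blank line or per-queue column header
        m = PIPE_RE.match(line)
        if m:
            kbps = float(m.group("bw")) * UNIT_KBPS[m.group("unit")]
            pipes.append(Pipe(int(m.group("num")), kbps, int(m.group("delay")), int(m.group("slots")),
                              int(m.group("queues")), int(m.group("buckets")), m.group("sched")))
            continue
        m = MASK_RE.match(line)
        if m and pipes:
            pipes[-1].src_mask = int(m.group("src"), 16)
            pipes[-1].dst_mask = int(m.group("dst"), 16)
            continue
        m = FLOW_RE.match(line)
        if m and pipes:
            pipes[-1].flows.append(Flow(m.group("prot"), m.group("src"), m.group("dst"),
                                        int(m.group("tot_pkt")), int(m.group("tot_bytes")),
                                        int(m.group("q_pkt")), int(m.group("q_bytes")), int(m.group("drp"))))
            continue
        raise ValueError(f"unrecognised ipfw pipe show line: {line!r}")
    return pipes


def classify(pipe: Pipe) -> str:
    """What one queue of this pipe covers, i.e. who shares one bandwidth allotment."""
    if pipe.src_mask is None or pipe.dst_mask is None:
        return "unknown (no active flows)"
    if pipe.src_mask == 0xFFFFFFFF and pipe.dst_mask == 0:
        return "per-source-host"
    if pipe.dst_mask == 0xFFFFFFFF and pipe.src_mask == 0:
        return "per-destination-host"
    if pipe.src_mask == 0 and pipe.dst_mask == 0:
        return "shared by every flow"
    return "custom mask"


def summarize(pipes: List[Pipe]) -> Dict[int, str]:
    return {p.number: classify(p) for p in pipes}


def verify_limiter_pair(pipes: List[Pipe], upload: int, download: int) -> List[str]:
    """Check the two-limiter recipe from the thread: the 'in' pipe masked on source
    address, the 'out' pipe on destination address. Returns a list of problems."""
    by_num = {p.number: p for p in pipes}
    issues: List[str] = []
    for num, want in ((upload, "per-source-host"), (download, "per-destination-host")):
        p = by_num.get(num)
        if p is None:
            issues.append(f"pipe {num} not found")
        elif classify(p) != want:
            issues.append(f"pipe {num} is {classify(p)}, expected {want}")
    return issues


def total_drops(pipes: List[Pipe]) -> Dict[int, int]:
    """Dropped packets per pipe, summed over its live queues (a full queue shows up here)."""
    return {p.number: sum(f.drops for f in p.flows) for p in pipes}


if __name__ == "__main__":
    parsed = parse_pipe_show(SAMPLE)
    for num, kind in summarize(parsed).items():
        print(f"pipe {num:5d}: {kind}")
    print("limiter pair 1/2:", verify_limiter_pair(parsed, 1, 2) or "OK")
```

Run against a live box with `ipfw pipe show | python3 this_script.py` after swapping `SAMPLE` for `sys.stdin.read()`; a pipe that a rule uses as a per-user limiter but that classifies as "shared by every flow" is the case to look at first, and a non-zero entry in `total_drops` on a 250 Kbit/s pipe with only a few slots explains stalled connections better than the rule set does.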




  • Hello,
      I am seeing the same problems as rojocesar.  I can have the captive portal working fine.  IPs given out.  Splash page shown.  If I add the pair of limiters to the default wireless interface rule, then all traffic stops because the client cannot get to the splash page, and no connections can be made.

    If I first click through the splash page, so that an entry for that client is made in the captive portal db first, and then I add the pipes to the default rule, everything works just fine.  So the pipes must be interfering with the redirection to the splash page.  Maybe that is why someone designed the built-in limiter for the captive portal in the first place.  I'm inclined to just use the built-in one for now, since that works.

    Josh



  • Can you try a snapshot later than this post message and see if it fixes things?



  • BTW CP has its own shaper because you can use it with RADIUS settings etc., and you may want to do some very advanced shaping on boxes with multiple interfaces with limiter, altq and CP ones.



  • I use the latest snapshots from pfSense and it doesn't work.. still the problem..



  • You have to wait, the snapshots are not that fast.
    Try a snapshot after at least 5+ hours :)



  • @ermal:

    BTW CP has its own shaper because you can use it with RADIUS settings etc., and you may want to do some very advanced shaping on boxes with multiple interfaces with limiter, altq and CP ones.

    Ermal, do you know if the CP shaper is providing per user limits or per host?  If the CP is documented somewhere could you provide a link or a hint to that documentation?
    Thanks
    Josh



  • It's per user IP, so basically it's per IP.



  • I cannot download the latest version of pfSense 2.0 alpha   :'( how long do I have to wait?  I want to use and try captive portal with the limiter  :'( :'( :'( :'( :'( :'( :'( :'(



  • @ermal:

    You have to wait, the snapshots are not that fast.
    Try a snapshot after at least 5+ hours :)

    Dear Ermal, I wonder if the latest snapshot is from July 26? Or maybe I have to wait a couple of days  :-[



  • Can i have any feedback on this?



  • I am so sorry, I was travelling in a place where there is no internet. I arrived yesterday and tried the latest version of pfSense 2.0 and see that there is a problem with the limiter; it doesn't work, I don't know why. Can anybody help me or fix this problem???



  • Provide output of commands:
    ipfw show
    ipfw table 3 list
    ipfw table 4 list
    ipfw table 1 list
    ipfw table 2 list
    ipfw pipe show
    ifconfig
    sysctl -a | grep pfil
    kldstat

    Related logs



  • I'm using 2.0-ALPHA-ALPHA built on Sat Aug 22 01:39:53 UTC 2009 FreeBSD 7.2-RELEASE-p3 nanobsd.  The built in limiter setup with captive portal works just fine.  Set it up on the captive portal page and each client is limited to that amount of bandwidth.

    When I set up a set of limiters for LAN and assign LAN clients to it, it also works just fine.

    I guess I don't see the point of assigning a set of limiters to the captive portal port since the built in one does the same thing, and works.  Unless you only want certain traffic to go through the limiter.  rojocesar, is that what you are trying to do?
    Josh



  • Well, I know that the captive portal has a limiter per user, but I want to use the limiter from the Traffic Shaper. Why? Because I want to use rules in the firewall; in the firewall I want to give rules for each port, for example a limiter of 600kbps only for port 80 and port 443 (internet) and a limiter rule of 200kbps for all of them.
    Hi Ermal.. here I send your information.
    Now when I set up the limiter and captive portal there is a ping to my DNS (here I send a picture) but when I connect to any webpage, nothing (here I send another picture).
    I hope that all is OK.  I send you a hug from Peru and thanks for your words, stompro.
    ….
    More information: I only set up the limiter and it doesn't work..

    ![reply from my dns.JPG](/public/imported_attachments/1/reply from my dns.JPG)
    ![captive and limiter.JPG](/public/imported_attachments/1/captive and limiter.JPG)
    [$ ifconfig.txt](/public/imported_attachments/1/$ ifconfig.txt)
    [$ ipfw pipe show.txt](/public/imported_attachments/1/$ ipfw pipe show.txt)
    [$ ipfw show.txt](/public/imported_attachments/1/$ ipfw show.txt)
    [$ ipfw table list.txt](/public/imported_attachments/1/$ ipfw table list.txt)
    [$ kldstat.txt](/public/imported_attachments/1/$ kldstat.txt)
    [$ sysctl -a l grep pfil.txt](/public/imported_attachments/1/$ sysctl -a l grep pfil.txt)



  • rojocesar,

    I just want to be sure I know what you are trying to do.  Are you talking about per client limits or per pipe limits?

    For port 80 and 443 you want 600kbps per client.
    For the default allow you want 200kbps per client.

    Let me know if you really mean to limit all clients to 600kbps.

    I wonder if your port 80 rule is interfering with the captive portal redirection of port 80 traffic.  If you take out the rule for port 80, leave in the rule for port 443 and the default, do you have any luck?  Does https traffic get limited like you want?

    Ermal, what order do ipfw and pf rules get evaluated?  Does it go through the ipfw rules first, and then the pf rules?
    Josh

    @rojocesar:

    Well, I know that the captive portal has a limiter per user, but I want to use the limiter from the Traffic Shaper. Why? Because I want to use rules in the firewall; in the firewall I want to give rules for each port, for example a limiter of 600kbps only for port 80 and port 443 (internet) and a limiter rule of 200kbps for all of them.
    Hi Ermal.. here I send your information.
    Now when I set up the limiter and captive portal there is a ping to my DNS (here I send a picture) but when I connect to any webpage, nothing (here I send another picture).
    I hope that all is OK.  I send you a hug from Peru and thanks for your words, stompro.
    ….
    More information: I only set up the limiter and it doesn't work..



  • This is an example:
    For port 80 and 443 I want 400Kbps per client
    For other ports I want 100Kbps per client
    But in the firewall I can give more rules..

    The captive portal doesn't use port 80, it uses port 8000.
    The other versions of PFSENSE 2.0 work fine (excellent)  8) , but I want to use the captive portal; when I set the captive portal up, all doesn't work  >:( .
    pfSense is excellent but I need to use captive portal and limiter; I hope that Ermal can fix all this problem  :'(



  • The captive portal rules automatically redirect port 80 connections to port 8000 or 8001 for clients that are not authenticated.  That is how the splash page works.

    Run "ipfw list" and look for this line.

    01990 fwd 127.0.0.1,8000 tcp from any to any dst-port 80 in

    That forwards all connections with a destination port of 80 coming in the CP interface to localhost port 8000.  So it does use port 80  :P
    Josh

    @rojocesar:

    This is an example:
    For port 80 and 443 I want 400Kbps per client
    For other ports I want 100Kbps per client
    But in the firewall I can give more rules..

    The captive portal doesn't use port 80, it uses port 8000.
    The other versions of PFSENSE 2.0 work fine (excellent)  8) , but I want to use the captive portal; when I set the captive portal up, all doesn't work  >:( .
    pfSense is excellent but I need to use captive portal and limiter; I hope that Ermal can fix all this problem  :'(
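Josh's point above is that the splash page only appears because an ipfw `fwd` rule catches an unauthenticated client's port-80 traffic inbound on the portal interface; ipfw acts on the first rule that matches, so anything numbered ahead of that `fwd` and matching the same traffic takes the client past the portal. The checker below is an added example, not pfSense's code or anyone's from this thread: it parses `ipfw list`-style lines into a tiny first-match evaluator and reports whether a fresh HTTP connection from a client still lands on the redirect. Rule 01990 is the line quoted above; the default rule 65535 and the out-of-order port-80 allow in the second sample are constructed, and only `any` or exact addresses are modelled (no tables, no CIDR). It says nothing about how ipfw and pf rules interleave, which the thread leaves open.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: the fwd rule quoted in the thread plus ipfw's default rule
# (the allow on 65535 is constructed for this example).
RULES_OK = """\
01990 fwd 127.0.0.1,8000 tcp from any to any dst-port 80 in
65535 allow ip from any to any
"""

# Constructed misconfiguration: a port-80 allow numbered ahead of the redirect.
RULES_BYPASSED = """\
01000 allow tcp from any to any dst-port 80 in
01990 fwd 127.0.0.1,8000 tcp from any to any dst-port 80 in
65535 allow ip from any to any
"""

RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<action>allow|accept|pass|deny|drop|fwd|forward|pipe|queue|skipto|count)"
    r"(?:\s+(?P<arg>[\w.,:]+))?\s+(?P<proto>\w+)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)(?P<rest>.*)$"
)
PORT_RE = re.compile(r"\bdst-port\s+(\d+)")
DIR_RE = re.compile(r"\b(in|out)\b")
ARG_ACTIONS = {"fwd", "forward", "pipe", "queue", "skipto"}
PORTAL_TARGETS = {"127.0.0.1,8000", "127.0.0.1,8001"}  # the two redirect ports named in the thread


@dataclass
class Rule:
    number: int
    action: str
    arg: Optional[str]       # fwd target, pipe number, skipto target, ...
    proto: str
    src: str
    dst: str
    dst_port: Optional[int]  # None means "any port"
    direction: Optional[str] # "in", "out" or None for both


def parse_rules(text: str) -> List[Rule]:
    """Parse `ipfw list` lines; unknown shapes raise rather than silently vanish."""
    rules: List[Rule] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ipfw rule: {line!r}")
        if m.group("action") in ARG_ACTIONS and m.group("arg") is None:
            raise ValueError(f"{m.group('action')} rule without argument: {line!r}")
        port = PORT_RE.search(m.group("rest"))
        direction = DIR_RE.search(m.group("rest"))
        rules.append(Rule(int(m.group("num")), m.group("action"), m.group("arg"), m.group("proto"),
                          m.group("src"), m.group("dst"),
                          int(port.group(1)) if port else None,
                          direction.group(1) if direction else None))
    return sorted(rules, key=lambda r: r.number)  # ipfw walks rules in number order


def _addr_matches(pattern: str, addr: str) -> bool:
    return pattern == "any" or pattern == addr


def first_match(rules: List[Rule], proto: str, src: str, dst: str,
                dst_port: int, direction: str) -> Optional[Rule]:
    """The rule ipfw would act on: first one whose fields all match the packet."""
    for r in rules:
        if r.proto not in ("ip", "all", proto):
            continue
        if not (_addr_matches(r.src, src) and _addr_matches(r.dst, dst)):
            continue
        if r.dst_port is not None and r.dst_port != dst_port:
            continue
        if r.direction is not None and r.direction != direction:
            continue
        return r
    return None


def portal_redirect_intact(rules: List[Rule], client: str = "192.168.1.198",
                           target: str = "206.183.1.139") -> bool:
    """True when a not-yet-authenticated client's inbound HTTP SYN is forwarded to
    the portal daemon instead of being allowed (or dropped) by an earlier rule."""
    r = first_match(rules, "tcp", client, target, 80, "in")
    return r is not None and r.action in ("fwd", "forward") and r.arg in PORTAL_TARGETS


if __name__ == "__main__":
    for name, text in (("ok", RULES_OK), ("bypassed", RULES_BYPASSED)):
        hit = first_match(parse_rules(text), "tcp", "192.168.1.198", "206.183.1.139", 80, "in")
        print(f"{name}: port 80 hits rule {hit.number} ({hit.action}), "
              f"redirect intact = {portal_redirect_intact(parse_rules(text))}")
```

The evaluator deliberately stops at the first match, which is why the `allow` on 01000 in the second sample wins over the redirect on 01990 even though both match the same packet; feed it `ipfw list` from the box and the `first_match` result for port 80 inbound tells you which rule the portal interface is really applying before any pf rule with a `dnpipe` is consulted.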



  • I just set up a config just like you described.

    Port 80 traffic limited to 100kbit per user.

    All other traffic limited to 500kbit per user.

    When I connect a client, the splash page comes up, I'm able to log in, and I can confirm that my port 80 traffic is being limited to 100kbit.

    I'm using
    2.0-ALPHA-ALPHA
    built on Sat Aug 22 01:39:53 UTC 2009
    FreeBSD 7.2-RELEASE-p3 Nanobsd.

    Can you get it to work if you just limit all traffic to a certain speed?  I'm wondering if you can simplify your config until you get something that works, and then add in more complexity to try and figure out what element is causing the problem.

    Josh



  • All can be simplified if the captive portal and limiter work, but at the moment I can only use the limiter of the captive portal…  :'( I hope that Ermal fixes all..



  • And what happened with the limiter and captive portal problems??? Is it fixed???  :'(



  • Not yet, since I have had no time for it.



  • Well, I will wait for it..    :) thanks for your answer…



  • This works as expected on the latest snapshot I tested.
    Not sure what you have done; just be aware that on the firewall->rules of the interface where you have CP active you have to allow the traffic to pass too!

    Otherwise, as I already told you, it works quite well.



  • THANKSSSSSSSSSSSSS SO MUCH.. all is right now..

