PROBLEM with captive portal and limite
-
I have one problem with traffic sharper limiter and captive portal, when i set the option portal cautive there is not problem but when give a limiter traffic i cannot open internet, if set together (portal captive and limiter per ip) not working.
If configure the limiter all is ok, each ip or host have internet, then.. i want to use captive portal, i set captive portal and all is wrong.. all hosts cannot connect to internet. -
Can you please give me a
ipfw show
ipfw pipe show
/conf/config.xml
/tmp/rules.debug
ifconfig -a
netstat -rn
sysctl -a | grep pfil -
Thanks for your reply, here i send attachment files about your request, i use the last version, i hope that you can resolved this problem. Limiter rules of Firewall is OK, but when i actived the captive portal i cannot open web page of captive portal here send one picture. i hug from Peru.
[ipfw show.txt](/public/imported_attachments/1/ipfw show.txt)
[ipfw pipe show.txt](/public/imported_attachments/1/ipfw pipe show.txt)
config_xml.txt
tmp_rules.debug.txt
[ifconfig -a.txt](/public/imported_attachments/1/ifconfig -a.txt)
[netstat -rn.txt](/public/imported_attachments/1/netstat -rn.txt)
[$ sysctl -a grep pfil.txt](/public/imported_attachments/1/$ sysctl -a grep pfil.txt) -
Hello,
I am also seeing similar behavior. I haven't tested the limiter without captive portal though. When I add any combination of in/out limiter to my default allow rule for the interface I want to limit, all new connections are blocked. Existing connections seem to stay up.I will send my info also, just in case it will help. I'm going to send it just to Ermal, I don't really feel comfortable posting all that info for the world to see.
-
I have been trying to get the limiter to work without the captive portal, and I am having no luck. Every time I assign the limiter to a rule, I loose the ability to make new connections.
I'm running 2.0-Alpha-alpha (Fri Jul 10 09:02:11 EDT 2009 FreeBSD 7.2-Release-p2) on a pentium III box with 2 XLx's and a DCx.
I have searched the form for examples of how to setup the limiter and found a few posts from Ermal that give examples.
@ermal:
Try the Traffic shaper->limiter it might be better than squid for that.
If i understand it correctly you are just sharing the bandwidth equally between hosts
Just create a limiter and after that create a child of that with mask src address and use it in In/Out part of the rules as the IN that would do the same for incoming traffic.
For outgoing create the another limiter with another child and use it as the OUT.With the current version of alpha, I couldn't see how it would be possible to create a child of a pipe.
@ermal:
Anybody inerested in this, please test.
To limit users to fix bandwidth on a network just create to limiters with the bandwidth each user will get and select source-address as mask for one limiter and destination for the other.
Open the default lan rule and select for in the limiter with the source address mask and out the one with destination address.
This is the simplest of setups but will give each user on the lan the configured bandwidth.Report back if it works as advertised.
I used this as a guide to setup 2 pipes and assign them to the default lan rule.
Here is a link to another discussion about this same problem, there was no resolution posted though.
http://forum.pfsense.org/index.php/topic,15570.msg81482.html#msg81482Everything seems to be setup fine.
$ ipfw pipe list 00001: 250.000 Kbit/s 0 ms 50 sl. 2 queues (64 buckets) droptail mask: 0x00 0xffffffff/0x0000 -> 0x00000000/0x0000 BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp 0 ip 192.168.206.20/0 0.0.0.0/0 20995245 1987547496 50 4740 2188 0 ip 192.168.206.244/0 0.0.0.0/0 6093835 1767212150 21 6090 0 00002: 250.000 Kbit/s 0 ms 50 sl. 0 queues (64 buckets) droptailPipe 1 is seeing the pings I am sending out, the Total packets for 192.168.206.20 is incrementing.
From my rules.debug, here are the relevant sections.
dnpipe 1 bandwidth 250Kb mask src-ip 0xffffffff dnpipe 2 bandwidth 250Kb mask dst-ip 0xffffffff pass in quick on $LAN from 192.168.206.0/24 to any keep state dnpipe ( 1, 2) label "USER_RULE: Default allow LAN to any rule"I am using the packet shaper also, which is working great for my single wan, multi lan setup. Is it possible to use both the limiter and the packet shaper at the same time?
Any help would be appreciated.
Thanks
Josh -
plase show ipfw pipe show and your rulese and ipfw show.
Yeah it is possible to use both at same time.
-
Hello,
ipfw pipe show looks like it gives the same as ipfw pipe list, but here you go again. Let me know if you need anything else, or if you want to ssh into the box, I can set that up if you would like. I'm just experimenting with this install.
$ ipfw pipe show 00001: 250.000 Kbit/s 0 ms 50 sl. 2 queues (64 buckets) droptail mask: 0x00 0xffffffff/0x0000 -> 0x00000000/0x0000 BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp 0 ip 192.168.206.20/0 0.0.0.0/0 21922940 2074915884 0 0 3050 0 ip 192.168.206.244/0 0.0.0.0/0 6392742 1853895180 0 0 0 00002: 250.000 Kbit/s 0 ms 50 sl. 0 queues (64 buckets) droptail 00003: 512.000 Kbit/s 0 ms 50 sl. 0 queues (64 buckets) droptail -
Dear Ermal i wonder if ??? is it possible to use both the LIMITER and CAPTIVE PORTAL at the same time?
I hope your answer -
I am still investigating about why it may give issues and will get back to you when i have the correct answer.
-
check latest snapshots they should be ok.
Seems the correct patches where not backported from 8.0 FreeBSD builds. -
Dear Ermal, the problem is resolved in part, here i send you more information
1. I set captive portal
2. I login by captive portal with my computer and i get internet
3. then i am going to traffic shaper –>limiter and I set limiter to my network
4. i see that there is not problem, i have internet, limiter and captive portal works at the same time.but when I work it in this order all changes LIMITER AND CAPTIVE PORTAL DOESN'T WORK AT THE SAME time(below)
1. First I set limiter in traffic shaper
2. i have limiter in my network, i have got internet and there isn't problem
3. then i want to use captive portal, i set captive portal
4. and when i want to use the internet i cannot connect to internet, i cannot see any pagePLEASE can you send me what's happend?
I appreciate your help.
Best regards
I use pfSense-Developers-2.0-ALPHA-ALPHA-20090726-0123.iso.gz -
give me the same info as before.
Just add to it kldstat output and sysctl net.inet outputOne in the case that works and one with the other case.
-
Dear Ermal here send your request information, this configuration is about this case:
1. I set captive portal
2. I login by captive portal with my computer and i get internet
3. then i am going to traffic shaper –>limiter and I set limiter to my network
4. i see that there is not problem, i have internet, limiter and captive portal works at the same time.[$ ifconfig -a_ RIGHT.txt](/public/imported_attachments/1/$ ifconfig -a_ RIGHT.txt)
[$ ipfw pipe show_ RIGHT.txt](/public/imported_attachments/1/$ ipfw pipe show_ RIGHT.txt)
[$ ipfw show_RIGHT.txt](/public/imported_attachments/1/$ ipfw show_RIGHT.txt)
[$ kldstat_ RIGHT.txt](/public/imported_attachments/1/$ kldstat_ RIGHT.txt)
[$ netstat -rn_ RIGHT.txt](/public/imported_attachments/1/$ netstat -rn_ RIGHT.txt)
[config_ RIGHT.txt](/public/imported_attachments/1/config_ RIGHT.txt)
[rules.debug_ RIGHT.txt](/public/imported_attachments/1/rules.debug_ RIGHT.txt)
[sysctl -a l grep pfil_ RIGHT.txt](/public/imported_attachments/1/sysctl -a l grep pfil_ RIGHT.txt)
[sysctl net.inet_ RIGHT.txt](/public/imported_attachments/1/sysctl net.inet_ RIGHT.txt) -
Dear Ermal here send the other configuration when all works wrong, you can see above the first configuration.
I appreciate your help, and send you a hug from Peru.
Cesar
LIMITER AND CAPTIVE PORTAL DOESN'T WORK AT THE SAME time(below)1. First I set limiter in traffic shaper
2. i have limiter in my network, i have got internet and there isn't problem
3. then i want to use captive portal, i set captive portal
4. and when i want to use the internet i cannot connect to internet, i cannot see any page[$ ifconfig -a_ WRONG.txt](/public/imported_attachments/1/$ ifconfig -a_ WRONG.txt)
[$ ipfw pipe show_ WRONG.txt](/public/imported_attachments/1/$ ipfw pipe show_ WRONG.txt)
[$ ipfw show_ WRONG.txt](/public/imported_attachments/1/$ ipfw show_ WRONG.txt)
[$ kldstat_ WRONG.txt](/public/imported_attachments/1/$ kldstat_ WRONG.txt)
[$ netstat -rn_ WRONG.txt](/public/imported_attachments/1/$ netstat -rn_ WRONG.txt)
[$ sysctl -a l grep pfil_ WRONG.txt](/public/imported_attachments/1/$ sysctl -a l grep pfil_ WRONG.txt)
[$ sysctl net.inet_ WRONG.txt](/public/imported_attachments/1/$ sysctl net.inet_ WRONG.txt)
[config_ WRONG.txt](/public/imported_attachments/1/config_ WRONG.txt)
[rules.debug_ WRONG.txt](/public/imported_attachments/1/rules.debug_ WRONG.txt) -
Ermal,
I just tested things out with the latest snapshot (7.2-RELEASE-p2 2.0-Alpha-Alpha built on Sat Jul 25 23:59:13 EDT 2009) and my first test of just limiting lan hosts worked wonderfully. The ability to limit each host individually is really exciting, and then to have the whole connection shaped with altq also seem like it will really help smooth out some traffic problems a few of my sites have been having. Thank you for taking the time to look into this.Now I'm going to test out the situation that rojocesar is having, and see if I can have the limiter and captive portal work at the same time.
Josh -
Hello,
I setup the limiter with the captive portal using the settings found on the captive portal page, and that does seem to work fine. My upload and download is working, the login page comes up. I attached an image of what I have it set at. I'm not quite understanding how that limiter is setup though. Is that limiter truly per-user, so if one user had 3 laptops, and logged in with the same credentials on each one, then the total bandwidth for those 3 laptops would be throttled as a whole? Or is per-user = per node/host? I'm not planning on using authentication, just a splash page with an EULA. Will this method of limiting work for me?When I look at the pipes that were created for the captive portal limiter they look a little different. They do not show up under the traffic shaper, limiter menu.
$ ipfw pipe show 00001: 250.000 Kbit/s 0 ms 50 sl. 1 queues (64 buckets) droptail mask: 0x00 0xffffffff/0x0000 -> 0x00000000/0x0000 BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp 18 ip 192.168.206.253/0 0.0.0.0/0 8098 2969711 0 0 0 00002: 400.000 Kbit/s 0 ms 50 sl. 1 queues (64 buckets) droptail mask: 0x00 0x00000000/0x0000 -> 0xffffffff/0x0000 BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp 44 ip 0.0.0.0/0 192.168.206.253/0 9137 10626184 0 0 0 00003: 512.000 Kbit/s 0 ms 50 sl. 0 queues (64 buckets) droptail 50501: 250.000 Kbit/s 0 ms 100 sl. 1 queues (1 buckets) droptail mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000 BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp 0 tcp 192.168.1.198/4627 206.183.1.139/80 14403 1539968 0 0 0 55501: 350.000 Kbit/s 0 ms 100 sl. 1 queues (1 buckets) droptail mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000 BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp 0 tcp 206.183.1.139/80 192.168.1.198/4627 19802 28268162 1 1500 0Pipe 1&2 are for a lan limit, 3 is for another test, and 50501 and 55501 look like they are for the captive portal. They are not masked for source or destination, so I am assuming that each user (or node/host) gets a dynamically created pipe just for them. If that is the case it is pretty sweet.
I will keep playing around with it, and try manually adding a limiter to see if I see the same problem as rojocesar.
Josh
-
Hello,
I am seeing the same problems as rojocesar. I can have the captive portal working fine. IP's given out. Splash page shown. If I add the pair of limiters to the default wireless interface rule, then all traffic stops because the client cannot get to the splash page, and no connections can be made.If I first click through the splash page, and an entry for that client is made in the captive portal db first, and then I add the pipes to the default rule. Everything works just fine. So the pipes must be interfering with the redirection to the splash page. Maybe that is why someone designed the built in limiter for the captive portal in the first place. I'm inclined to just use the built in one for now, since that works.
Josh
-
Can you try a snapshot later than this post message and see if it fixes things.
-
BTW CP has its own shaper cause you can use it with radius settings etc and you may want to do some very advanced shaping on boxes with multiple interfaces with limiter altq and CP ones.
-
I use the last snapshots from pfsense and doesn't work.. still the problem..