pfSense+ Captive portal blocking ping
-
I just upgraded from 2.5.2 to pfSense+. I use captive portal and allow MAC. I have an internet connection but cannot ping on the internet. If I add my IP to allowed IPs then it can ping. Crazy. Maybe it's a bug; upgrading from 2.6.0 was recommended and I upgraded from 2.5.2. A lot of apps are also unable to connect. I have removed some apps like pfBlocker, ntop, HAProxy; still the same.
-
@d3messiah I think we have a similar issue: https://forum.netgate.com/topic/169968/mac-passthrough it appears that when using MAC pass-through the firewall rules for that network are not honored.
-
@worlddrknss did you upgrade from 2.6.0 fresh install?
I am trying to make another pf box from an old HP t610 using VLAN as WAN, since it has 1 NIC, but I keep getting some problems too.
It can't get an IP, but it gets a gateway from the DHCP server. It functions for a few hours, then the problems start :(. I'd like to reinstall the pf+ and will use 2.6.0 instead.
-
@d3messiah I believe this is a CP issue in 2.6.0. MAC-passthrough devices are technically unauthenticated systems and ipfw is blocking certain access to the network. E.g. why internet access works but ping won't work (for me I can ping only on the VLAN interface set in the CP).
-
@worlddrknss OK, I will try 2.5.2.
-
You're posting in the sub-section "Captive portal".
But :
which means: WAN is not connected. That's what I call a major issue. Not only does the portal not work any more: "nothing" will work.
That is, there is a link, but the DHCP client running on WAN didn't get an IP from the upstream DHCP server, so there will be no traffic.
That should be resolved first. Start by looking in the DHCP log, the "dhclient" lines. I bet it tries to DHCPDISCOVER something, but no answers ....
Btw: life will be simpler as soon as you slide into your VM host a dedicated Ethernet card reserved exclusively for the VM running the pfSense WAN. You can share the LAN interface for internal and external LAN networking.
You won't be needing VLAN any more, thus simplifying your setup. If there was a VLAN issue with 2.6.0, then where are the thousands of users impacted by a VLAN bug in 2.6.0??
-
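A small parser for the "dhclient" log lines the previous post suggests checking, added here as an example and not part of the thread or of pfSense itself. It takes constructed syslog lines in ISC dhclient's message format (the interface names, PIDs and addresses are made up), correlates each DHCPOFFER/DHCPACK with its interface through the dhclient PID (those messages do not name the interface themselves), and reports per WAN interface whether DHCPDISCOVERs went unanswered or a lease was actually bound.

```python
"""Classify dhclient log lines per interface: unanswered discover vs. bound lease.

Added example; not pfSense code. Message shapes follow ISC dhclient's syslog
output ("DHCPDISCOVER on <if> ...", "DHCPOFFER from <ip>", "bound to <ip> ...").
"""
import re
import sys
from collections import defaultdict

# Constructed sample log (not from the thread). re0.10 never gets an answer,
# re0.20 completes the DORA exchange and binds an address.
SAMPLE_LOG = """\
Mar  3 10:00:01 pfSense dhclient[1234]: DHCPDISCOVER on re0.10 to 255.255.255.255 port 67 interval 3
Mar  3 10:00:02 pfSense dhclient[1250]: DHCPDISCOVER on re0.20 to 255.255.255.255 port 67 interval 5
Mar  3 10:00:02 pfSense dhclient[1250]: DHCPOFFER from 203.0.113.1
Mar  3 10:00:02 pfSense dhclient[1250]: DHCPREQUEST on re0.20 to 255.255.255.255 port 67
Mar  3 10:00:02 pfSense dhclient[1250]: DHCPACK from 203.0.113.1
Mar  3 10:00:02 pfSense dhclient[1250]: bound to 203.0.113.57 -- renewal in 1800 seconds.
Mar  3 10:00:04 pfSense dhclient[1234]: DHCPDISCOVER on re0.10 to 255.255.255.255 port 67 interval 7
Mar  3 10:00:11 pfSense dhclient[1234]: DHCPDISCOVER on re0.10 to 255.255.255.255 port 67 interval 12
"""

DHCLIENT_RE = re.compile(r"dhclient\[(?P<pid>\d+)\]: (?P<msg>.*)$")
ON_IFACE_RE = re.compile(r"^(DHCPDISCOVER|DHCPREQUEST) on (\S+)")
FROM_RE = re.compile(r"^(DHCPOFFER|DHCPACK|DHCPNAK) from (\S+)")
BOUND_RE = re.compile(r"^bound to (\S+)")


def _new_state():
    return {"discover": 0, "offer": 0, "ack": 0, "nak": 0, "servers": set(), "bound": None}


def parse_dhclient_log(text):
    """Return {iface: counters} from raw syslog text containing dhclient lines."""
    pid_iface = {}                      # dhclient PID -> interface it serves
    state = defaultdict(_new_state)
    for line in text.splitlines():
        m = DHCLIENT_RE.search(line)
        if not m:
            continue                    # not a dhclient line
        pid, msg = m.group("pid"), m.group("msg")
        mi = ON_IFACE_RE.match(msg)
        if mi:
            iface = mi.group(2)
            pid_iface[pid] = iface      # learn which interface this PID handles
            if mi.group(1) == "DHCPDISCOVER":
                state[iface]["discover"] += 1
            continue
        iface = pid_iface.get(pid)
        if iface is None:
            continue                    # reply seen before any DISCOVER/REQUEST for this PID
        mf = FROM_RE.match(msg)
        if mf:
            kind, server = mf.groups()
            state[iface]["servers"].add(server)
            state[iface][kind[4:].lower()] += 1   # "offer", "ack" or "nak"
            continue
        mb = BOUND_RE.match(msg)
        if mb:
            state[iface]["bound"] = mb.group(1)
    return dict(state)


def diagnose(state):
    """Map each interface to a verdict: bound, offer_without_ack, nak, no_offer or unknown."""
    verdicts = {}
    for iface, s in state.items():
        if s["bound"] or s["ack"]:
            verdicts[iface] = "bound"                # lease obtained, WAN DHCP is fine
        elif s["offer"]:
            verdicts[iface] = "offer_without_ack"    # server answered but never confirmed
        elif s["nak"]:
            verdicts[iface] = "nak"                  # server refused the request
        elif s["discover"]:
            verdicts[iface] = "no_offer"             # discovers sent, nobody answered
        else:
            verdicts[iface] = "unknown"
    return verdicts


if __name__ == "__main__":
    # Usage: python3 dhclient_check.py < /var/log/dhcpd.log   (or no stdin: runs on the sample)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for iface, verdict in sorted(diagnose(parse_dhclient_log(text)).items()):
        print(f"{iface}: {verdict}")
```

Feeding it the real DHCP log from a box with two VLAN WANs makes the difference visible at a glance: an interface stuck at `no_offer` with a growing `discover` count is the "link up, but no lease" situation described above, and no captive portal setting will change that.
-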
@gertjan First, I am not using a VM. As I said, it is an HP t610 which has only 1 Ethernet port; I use the physical port as LAN while two VLANs are WANs.
I also checked the modem's DHCP log; pfSense was indeed issued an IP address. I have tried this with 2.6.0 twice, same result. One time it worked for about two hours, then suddenly the connection was cut and it could not get an IP again from the ISP modem. With pfSense 2.5.x VLANs work without any problem.
Anyway, I reverted to 2.5.2 and it is smooth. Will try 2.6.x again as soon as they release a new upgrade.
Edit. I use an RB260GS as my smart switch. Maybe it's the config in my MikroTik, but it's working fine with 2.5.2.
Below is my VLAN and VLANs setting.
VLANs: port 2 is the pfSense trunk; ports 3 and 4 are WAN1 and WAN2, port 4 is the hybrid to my LAN, while port 1 is for the access point since port 1 has PoE supply.
This works fine with 2.5.2.
-
I can also confirm this issue. I recently upgraded to 22.01 on my Netgate 1100 appliance.
Users authenticate via a freeradius server with Pass-through MAC automatic additions enabled. Before, once a user authenticated and got past captive portal, nothing was blocked as the only firewall rule on that interface was to allow any IPv4 traffic, anywhere.
After the upgrade, those with authenticated MAC addresses are only allowed basic web traffic. I can no longer connect to a VPN, ping DNS servers outside the network, or even ping the WAN address or gateway address. The only fix is to disable Captive Portal which I obviously don't want to do.
The network diagram is:
Modem >> Netgate 1100 >> UniFi Switch >> UniFi Access Points
The UniFi switch is connected to the OPT1 (192.168.10.1/24) interface on the router that captive portal is active on. I've got a dumb switch connected to the LAN (192.168.1.1/24) interface that connects all the wired PCs in our office.
-
@bobcat05 I reverted back to 2.5.2. If you do, don't install 2.5.2 fresh; install 2.5.0 first, then upgrade to 2.5.2. If you install 2.5.2 directly you won't be able to run WireGuard.
2.5.0 is no longer in the Netgate official downloads; try to Google it.
-
@d3messiah that is what I ended up doing. I opened up a support ticket and requested access to firmware... which in my case was 21.05-RELEASE.
Connected to the console port of the Netgate 1100, installed the image, and restored my old config - now everything works just fine again.
-
@bobcat05
I can confirm I had similar problems after upgrading to 2.6.0.
Setup: pfSense 2.6.0 with UniFi APs and captive portal.
My first indication was that 3 different Mibox devices, running Android TV, came up with "internet connection problems". On the settings page I could see "connection, but no internet".
Most applications on the Mibox did not work: no Amazon Prime, no YouTube, no VRT NU, ... BUT Netflix worked.
iPad and Android phones did work, however.
Linux / Windows laptops also seem to work.
On the UniFi Network Management Station I got "STUN" errors on the access points after the upgrade.
Disabling the captive portal and re-connecting the clients fixed the problems.
The STUN errors on UniFi also disappeared.
-
Read https://forum.netgate.com/topic/170300/new-system-patches-v2-0?_=1646343673426 - Apply patch (Redmine #12834) and case closed.