Problem with multiple Interfaces since Version 22.05
-
When you select multiple Interfaces in a Captive Portal Zone, its just creating Rules for one Interface and that cause that just one Interface will work with Captive Portal...
You can see this by viewing the /tmp/rules.debug File (# Captive Portal)
There should be multiple "cpzoneid_" and "pass on" and "anchor" rule entries for each interface. But it just create them for one Interface and not for all selected!If you create multiple Zones, its creating that rules just fine and everything works as it should...
-
I though straight away : multiple interfaces ?
To have multiple IPv4 networks ? To save a switch ?But you are right:
It says :Select the interface(s) to enable for captive portal.The doc :
so it looks like you're good for a bug report.
Multiple interfaces means : a web GUI for http and https that can listen to more then one interface - but not ANY interface, like the pfSEnse Web GUI does.
The scripts to build the nginx captive portal web GUI config file hardcodes one (1) IP address : the one of an interface used. No trace of scripts that it can have multiple IP's ( = interfaces).edit : I'm wrong. See below : the portal web server IS multiple interface aware.
And of course, what you saw : no 'pf' firewall rule support.
Btw : multiple interfaces in a portal zone means : multiple firewall rules sets, one set per interface, to maintain ...
Strange.
I would add a switch ;)Can you tell why multiple interfaces for one zone is better for you ?
-
Selecting multiple interfaces is easier for me, because i have multiple VLAN's where i need Captive Portal with the same settings. So it does not make sense to setup extra Zones for each interface.
-
I hope this is not an urgent thing for you - and I hope to be wrong here.
IMHO, you didn't find a bug, but a functionality that doesn't exist, except for the documentation. Implementing will be far more complex as putting out a simple simple patch.edit : just maybe : the doc is ready for the upcoming version that does contain multiple interfaces support.
edit2 : I had to edit my post above :
I created some more LZAN interfaces, assigned it and IPv4 like 192.168.100.1/24 and 192.168.200.1/24 and added these interfaces to my captive portal zone.I found this in the nginx config file :
if ($http_host ~* 192.168.100.1) { set $cp_redirect no; } if ($http_host ~* 192.168.2.1) { set $cp_redirect no; } if ($http_host ~* 192.168.200.1) { set $cp_redirect no; }so that part looks good.
-
@gertjan
i think its a Bug, when you look at the /tmp/rules.debug File. It will create 4 Entries with # Captive Portal. As you can see, its adding my selected interface BUT not on every setting. In version 22.01 all was working fine.You can see that just 1 Interface ist listed, but it should be 2, as can can see below.
Captive Portal
table <cpzoneid_2_cpips> { 10.5.50.1 }
Captive Portal
ether pass on { igc0 igc0.50 } tag "cpzoneid_2_rdr"
ether anchor "cpzoneid_2_auth/" on { igc0 igc0.50 }
ether anchor "cpzoneid_2_passthrumac/" on { igc0 igc0.50 }
ether anchor "cpzoneid_2_allowedhosts/*" on { igc0 igc0.50 }Captive Portal
rdr on igc0 inet proto tcp from any to ! <cpzoneid_2_cpips> port 80 tagged cpzoneid_2_rdr -> 192.168.10.254 port 8002
rdr on igc0.50 inet proto tcp from any to ! <cpzoneid_2_cpips> port 80 tagged cpzoneid_2_rdr -> 10.5.50.1 port 8002Captive Portal
pass in quick on igc0 proto tcp from any to <cpzoneid_2_cpips> port 8002 ridentifier 13001 keep state(sloppy)
pass out quick on igc0 proto tcp from 192.168.10.254 port 8002 to any flags any ridentifier 13002 keep state(sloppy)
pass in quick from any to any tagged cpzoneid_2_passthru ridentifier 13003 keep state
block in quick on igc0 from any to ! <cpzoneid_2_cpips> ! tagged cpzoneid_2_auth ridentifier 13004
pass in quick on igc0.50 proto tcp from any to <cpzoneid_2_cpips> port 8002 ridentifier 13005 keep state(sloppy)
pass out quick on igc0.50 proto tcp from 10.5.50.1 port 8002 to any flags any ridentifier 13006 keep state(sloppy)
pass in quick from any to any tagged cpzoneid_2_passthru ridentifier 13007 keep state
block in quick on igc0.50 from any to ! <cpzoneid_2_cpips> ! tagged cpzoneid_2_auth ridentifier 13008 -
I created a Bug Report
-
Recently, the 'ipfw' firewall, used for captive portal instances, was ditched and replaced by the 'pf' firewall.
'pf' is the one we use when we create our GUI firewall rules.
The conversion was a big task, and maybe ( ? ) the 'multiple interfaces' options was just omitted, or forgotten ( coders are still human ;) ).
-
@gertjan
yeah it looks like the just have forgotten some things there but i also think that this should not be a big Problem to correct this.... :=) -
If you can edit a file :
Open /etc/inc/captiveportal.inc
Goto line 2576 ( ? )You'll find
$cpiplist = $cpip . ' ';Change it to ( add a single point . ) :
$cpiplist .= $cpip . ' ';Now you will see in the firewall rules file :
.... # Captive Portal table <cpzoneid_2_cpips> { 192.168.100.1 192.168.2.1 } ....and these are the IP addresses of my two interfaces added to a captive portal zone.
I can't test drive this myself.
Can you test ? -
-
I also found maybe another Problem. When you upload a Logo or a Background Logo, its created with 2 .. (Points) in the extension. So you have "captiveportal-logo..png or "captiveportal-background..png"
The Logos are displayed normally, so its just seams to be a cosmetic "Bug"
-
Hummm.
The point you just added should be remove somewhere else ;) -
Not i add the Dot, the Netgate add it. I Upload a "logo.png" and the Netgate generates "captiveportal-logo..png"
-
You didn't understood the suggestion.
Open /usr/local/www/services_captiveportal.php
Look for every function :
image_type_to_extensionAnd look closely to the example of the image_type_to_extension PHP function definition.
<?php // Create image instance $im = imagecreatetruecolor(100, 100); // Save image imagepng($im, './test' . image_type_to_extension(IMAGETYPE_PNG)); imagedestroy($im); ?>The example :
Right after '/test there is no point included - so the point comes back with with the image_type_to_extension(IMAGETYPE_PNG) function call - so this function resturns
".png".Now, back to our /usr/local/www/services_captiveportal.php, locate every line with image_type_to_extension and then look closely the line.
Example :$logo_name = "captiveportal-logo." . image_type_to_extension(is_supported_image($_FILES['logo-img']['tmp_name']));Do you see the point that you have to remove ?
It's right after captiveportal-logoRedo the same thing for where the "captiveportal-background." is handled, and you'll be fine.
My suggestion was :you should remove some points '.' ^^
-
ahhhh, now i know what you mean "The point you just added should be remove somewhere else" .... heheh :=)
THX!
Should all of this here be Mailed to Netgate directly, so that they can fix this stuff in the next Version or with a Patch? Our das Netgate read all the Forum Posts here?!
-
O OpIT GmbH referenced this topic on Aug 4, 2022, 7:23 AM
-
@opit-gmbh said in Problem with multiple Interfaces since Version 22.05:
Should all of this here be Mailed to Netgate directly
You opened a bug report, a regression actually, that points to this thread.
Some author will read the report, read the thread, and deal with it in no time.
Jimp already saw your report.
As I see it, 2.7.0 and 22.11 will contain the solution. -
i also added a comment about the "Dot" Problem in the Bug Report. So i think all should be fine for now.
THX Gertjan for your help!
-
G Gertjan referenced this topic on Sep 1, 2022, 9:52 AM
-
G Gertjan referenced this topic on Sep 2, 2022, 7:16 AM