Captive Portal bypass issue

michmoor · Dec 20, 2022, 3:38 PM

@marcosm I will say i am getting these messages in my syslog in abundance now.

🔒 Log in to view

Checking the last 30 days it hasnt been as present but a huge uptick since last night testing.

🔒 Log in to view

@Gertjan I am on 22.05

stephenw10 · Dec 20, 2022, 3:50 PM

That is IPv6 traffic hitting the IPv4 Limiters

It's fixed in 23.01: https://redmine.pfsense.org/issues/13290

michmoor · Dec 20, 2022, 4:34 PM

@stephenw10 Confirmed. Kicked off a iPhone client on the captive portal and those messages are gone.

the other · Dec 20, 2022, 4:50 PM

sorry for being kinda offtopic:
just wanted to say thanks for you guys/girls(?)...
...a) pointing out this "problem"
...b) having a discussion about it
...c) trying to reproduce the issue
...d) helping me getting my peace of mind back

:)
Seriously: thanx for your ongoing support and (my personal opinion) the good work with pfsense so far...hope Santa has you on his list.

stephenw10 · Dec 20, 2022, 7:24 PM

The MAC address block entries now work as expected with the newly added patch.
https://redmine.pfsense.org/issues/13747#note-11
Please test and let us know.

Steve

michmoor · Dec 20, 2022, 8:38 PM

@stephenw10 How do i apply the patch?

https://github.com/pfsense/pfsense/blob/483512b3a3226132b7b249f7ea3e2146d3829c23/src/usr/local/captiveportal/index.php#L181

marcosm · Dec 20, 2022, 9:00 PM

You may use the commit ID 7e5dbbfca68179fd29a685363625c810d4da6417 in the System Patches package - see here: https://docs.netgate.com/pfsense/en/latest/development/system-patches.html

stephenw10 · Dec 20, 2022, 9:12 PM

Just add the commit ID in the patches package:

🔒 Log in to view

7e5dbbfca68179fd29a685363625c810d4da6417

michmoor · Dec 20, 2022, 9:40 PM

@stephenw10 @marcosm
Thanks gents. I couldnt find the commitID.
I can confirm that this is fixed. The mac addresses not only cannot get on the network but there is a message indicating to the client that they are blocked.

Also syslogs confirms block

🔒 Log in to view

I really dont know what to say but this has been a journey in troubleshooting and talking to the netgate team. Truly appreciate it.

Time to whip out the old wallet for that TAC sub

Gertjan · Dec 21, 2022, 9:04 AM

@michmoor said in Captive Portal bypass issue:

talking to the netgate team

Euh .... the solution was already on the forum.
13747 went from Not a bug, to Duplicate, to Bug again to get solved. I guess it's a question of finding the right words when writing feedback.

The official patch, as always, is much nicer : why adding a line if removing something does the job

And be careful : https://redmine.pfsense.org/issues/13784 was added on the fly : A MAC can (23.01) be blocked the soft way, the user will see the message that his MAC is blocked. You can chose bewteen an error message, or a MAC block portal page to be uploaded. See here for info and example how to implement that.
Or : new, see 13784 : totally rejected : the MAC becomes part of the pf rules that block any interaction with the captive portal interface. I guess the user would be able to get a DHCP lease sorted out, and that's it, nothing more.