Allowed IP Address does not work in captive portal
-
@rcoleman-netgate I can send video if they need.
-
@rcoleman-netgate You know this is one of the main features of captive portal which is not working. A lot of the community are using this captive portal speed limitation feature; when they upgrade to 2.7 they will be disappointed. So this needs to be fixed urgently.
-
@nomanharoon Include as much detail in the redmine as you can today as that will save the engineers time and help get any bug addressed more quickly.
-
@rcoleman-netgate I have shared a video link, kindly check it. Also I am sharing with the pfSense engineering team.
https://drive.google.com/drive/folders/1kVCGz0lYrItvGxy6muFJ05PSN0l2O5B4?usp=sharing
-
I'm not using 2.7.0, I have 23.05.1, so I'm not sure if my observations are comparable.
I do know I use the same 'pf' version (the firewall), and the captive portal pfSense script files are identical.
I'm using FreeRadius, where I only assigned a user name and password.
The advantage is : I can choose one user (one user account) to have, for example, a speed limit only for this user.
I've set up my test user, and added :
Btw : these settings, on the captive portal settings page, aren't used :
I've checked on the command line :
    pfSsh.php playback pfanchordrill
    ...
    cpzoneid_2_auth/192.168.2.6_32 rules/nat contents:
    ether pass in quick proto 0x0800 from e0:92:5c:d9:6c:fe l3 from 192.168.2.6 to any tag cpzoneid_2_auth dnpipe 2008
    ether pass out quick proto 0x0800 to e0:92:5c:d9:6c:fe l3 from any to 192.168.2.6 tag cpzoneid_2_auth dnpipe 2009
    ....
192.168.2.6 is my 'Phone' device.
192.168.2.6 is using the pipes 2008/2009 :
I've tested on my Phone test up download speed :
It was close to 1 Mbits Up and Down :
instead of the usual +100 Mbit up / down :
edit : well ... raw speed depends a lot on the number of active portal users, and right now, there are a lot (tourists).
My advice : if bandwidth limiting is important : use 23.05.1 (and FreeRadius for fine control) : it works.
-
@nomanharoon The BUG is in 2.7.0 CE for real. You are using 23 Plus, which probably does not have this issue.
Our concern is to solve the captive portal allow IP problem. Thanks.
Did you see my videos !!!
-
@Gertjan kindly watch these two videos. One identifies the issue of 2.7.0 CE.
The second tells that the old pfSense edition 2.3 works perfectly fine.
https://drive.google.com/drive/folders/1kVCGz0lYrItvGxy6muFJ05PSN0l2O5B4?usp=sharing
-
I reread the entire thread.
I'm still using
@nomanharoon said in Allowed IP Address does not work in captive portal:
captive portal not restricting incoming speed when i
try to restrict it through Allow IP interface
but ...
I've added my iPhone IP 192.168.2.6 to the Allowed IP list :
with a 1,5 Mbits sec bandwidth limiter, up and down.
I connected my phone - double checked the IP it received : 192.168.2.6
    pfSsh.php playback pfanchordrill
    .......
    cpzoneid_2_allowedhosts/192.168.2.6_32 rules/nat contents:
    ether pass in quick proto 0x0800 l3 from any to 192.168.2.6 tag cpzoneid_2_auth dnpipe 2008
    ether pass in quick proto 0x0800 l3 from 192.168.2.6 to any tag cpzoneid_2_auth dnpipe 2009
so pipes are 2008/2009 :
Limiters:
    ....
    02008:   1.500 Mbit/s    0 ms burst 0
    q133080 100 sl. 0 flows (1 buckets) sched 67544 weight 0 lmax 0 pri 0 droptail
     sched 67544 type FIFO flags 0x0 16 buckets 0 active
    02009:   1.500 Mbit/s    0 ms burst 0
    q133081 100 sl. 0 flows (1 buckets) sched 67545 weight 0 lmax 0 pri 0 droptail
     sched 67545 type FIFO flags 0x0 16 buckets 0 active
    ....
Speedtest on the phone : 30 Mbits sec up and down ......
Yeah, something isn't good.
MAC based speed limiting works ...
(I removed the Allowed IP entry / 192.168.2.6)
Added the Phone MAC entry to MACs list :
Still using the same IP 192.168.2.6
    cpzoneid_2_passthrumac rules/nat contents:
    pfSsh.php playback pfanchordrill
    ......
    cpzoneid_2_passthrumac/e0925cd96cfe rules/nat contents:
    ether pass in quick from e0:92:5c:d9:6c:fe l3 all tag cpzoneid_2_auth dnpipe 2014
    ether pass out quick to e0:92:5c:d9:6c:fe l3 all tag cpzoneid_2_auth dnpipe 2015
And I can see that these pipes 'do something' == are being used :
edit :
IP : "tag"
MAC : "all tag"
-
@Gertjan Dear Gertjan, I am not delusional :). Did you see the videos I uploaded? I am not making this up. It didn't control.
-
Me seeing you experiencing isn't that important ;)
I believe you.
IMHO, me - or someone else - being able to reproduce, is also important.
From what I saw, Allowed MACs placed in the "cpzoneid_2_passthrumac" anchor use the attached pipes, pipes that limit the flow speed.
Allowed IPs, placed in the cpzoneid_2_allowedhosts anchor do not seem to use the attached pipes, pipes that should limit the flow speed.
-
@Gertjan By seeing this "Allowed IPs, placed in the cpzoneid_2_allowedhosts anchor do not seem to use the attached pipes, pipes that should limit the flow speed." I now know that you know it doesn't work. Which needs to be fixed :) And I am waiting for when the stable version will be released which has these problems corrected. Thanks
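
To make the anchor comparison from this thread repeatable, for instance when attaching details to a Redmine report, the following is an added example (not part of any post and not pfSense code) that parses `pfSsh.php playback pfanchordrill` output together with the Limiters listing and tabulates, per captive portal anchor, each rule's direction and the pipe it names. The regular expressions assume the line layout quoted in the posts above; the sample text is taken from those posts and combined into one input.

```python
import re

# Constructed sample: rule lines quoted in the thread (taken at different
# moments for the same client), re-broken one rule per line (assumed layout).
ANCHORS = """\
cpzoneid_2_auth/192.168.2.6_32 rules/nat contents:
ether pass in quick proto 0x0800 from e0:92:5c:d9:6c:fe l3 from 192.168.2.6 to any tag cpzoneid_2_auth dnpipe 2008
ether pass out quick proto 0x0800 to e0:92:5c:d9:6c:fe l3 from any to 192.168.2.6 tag cpzoneid_2_auth dnpipe 2009
cpzoneid_2_allowedhosts/192.168.2.6_32 rules/nat contents:
ether pass in quick proto 0x0800 l3 from any to 192.168.2.6 tag cpzoneid_2_auth dnpipe 2008
ether pass in quick proto 0x0800 l3 from 192.168.2.6 to any tag cpzoneid_2_auth dnpipe 2009
cpzoneid_2_passthrumac/e0925cd96cfe rules/nat contents:
ether pass in quick from e0:92:5c:d9:6c:fe l3 all tag cpzoneid_2_auth dnpipe 2014
ether pass out quick to e0:92:5c:d9:6c:fe l3 all tag cpzoneid_2_auth dnpipe 2015
"""
LIMITERS = """\
02008:   1.500 Mbit/s    0 ms burst 0
02009:   1.500 Mbit/s    0 ms burst 0
"""
HEADER = re.compile(r"^(\S+) rules/nat contents:$")
RULE = re.compile(r"^ether pass (in|out) quick .*\bdnpipe (\d+)$")
PIPE = re.compile(r"^0*(\d+):\s+([\d.]+ \S*bit/s)")

def parse_anchors(text):
    """Map (anchor kind, client) -> [(direction, pipe number), ...]."""
    anchors, rules = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := HEADER.match(line):
            anchor, _, client = m.group(1).partition("/")
            rules = anchors.setdefault((anchor.rsplit("_", 1)[-1], client), [])
        elif (m := RULE.match(line)) and rules is not None:
            rules.append((m.group(1), int(m.group(2))))
    return anchors

def parse_limiters(text):
    """Map pipe number -> configured bandwidth string."""
    found = (PIPE.match(line.strip()) for line in text.splitlines())
    return {int(m.group(1)): m.group(2) for m in found if m}

def report(anchor_text, limiter_text):
    """One row per rule: which pipe it names and that pipe's bandwidth."""
    limiters = parse_limiters(limiter_text)
    return [(kind, client, direction, pipe, limiters.get(pipe, "not in dump"))
            for (kind, client), rules in parse_anchors(anchor_text).items()
            for direction, pipe in rules]

if __name__ == "__main__":
    for row in report(ANCHORS, LIMITERS):
        print(*row, sep="\t")
```

The rows only show which pipe each rule names and what bandwidth that pipe is configured for; whether traffic is actually held to that rate still has to be confirmed with a speed test, as was done in the thread.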