Captive portal issue pass-through MAC [Solved]



  • I'm having trouble with captive portal. I'm using an Alix board, 2.0-RC1 (i386) built on Tue Mar 15 09:27:54 EDT 2011.

    If I add somebody in pass-through MAC, it blocks a random client in the MAC list.

    For example:
    ADD MAC A
    ADD MAC B
    (Now MAC A blocked without reason)
    ADD MAC C
    (MAC A allowed without reason again)

    I don't know if there has been an update for this problem since Mar 15, because it's an Alix I upgrade every two weeks or more.



  • Can you do ipfw show from diagnostic->exec command
    for before and after you do an operation that causes the mac to be blocked?



  • Hi, ermal.

    This is before change:

    [2.0-RC1][root@quinimari.compuven.local]/root(2): ipfw show
    00002     0        0 pipe 20003 ip from any to any MAC 00:02:2d:b3:21:26 any
    00003     0        0 pipe 20002 ip from any to any MAC any 00:02:2d:b3:21:26
    00004     0        0 allow ip from any to any MAC 00:02:6f:6f:57:7f any
    00005     0        0 allow ip from any to any MAC any 00:02:6f:6f:57:7f
    00005   721   120439 allow ip from any to any MAC 00:02:a5:7c:4f:96 any
    00009     0        0 allow ip from any to any MAC any 00:1d:92:f5:8b:37
    00009     0        0 allow ip from any to any MAC 00:1e:ec:2d:2e:04 any
    00010     0        0 allow ip from any to any MAC any 00:1e:ec:2d:2e:04
    00010     0        0 allow ip from any to any MAC 00:1f:3c:4b:50:97 any
    00011     0        0 allow ip from any to any MAC any 00:1f:3c:4b:50:97
    00011     4      466 allow ip from any to any MAC 00:22:6b:8c:95:56 any
    00012     8     1244 allow ip from any to any MAC any 00:22:6b:8c:95:56
    00012     0        0 allow ip from any to any MAC 00:22:fb:6d:bd:be any
    00013     0        0 allow ip from any to any MAC any 00:22:fb:6d:bd:be
    00013     0        0 allow ip from any to any MAC 00:23:cd:f8:95:a6 any
    00014     0        0 allow ip from any to any MAC any 00:23:cd:f8:95:a6
    00014    15     6393 allow ip from any to any MAC 00:23:cd:f8:97:cd any
    00015    21     2346 allow ip from any to any MAC any 00:23:cd:f8:97:cd
    00015     0        0 allow ip from any to any MAC 00:23:cd:f8:9a:7a any
    00016     0        0 allow ip from any to any MAC any 00:23:cd:f8:9a:7a
    00016  2893  2734843 allow ip from any to any MAC 00:25:86:cf:05:aa any
    00017  2853   582619 allow ip from any to any MAC any 00:25:86:cf:05:aa
    00017    19     4978 allow ip from any to any MAC 00:27:11:00:1c:6b any
    00018    35     6466 allow ip from any to any MAC any 00:27:11:00:1c:6b
    00018     0        0 allow ip from any to any MAC 00:27:11:00:1b:55 any
    00019     0        0 allow ip from any to any MAC any 00:27:11:00:1b:55
    00019  6055  7586193 allow ip from any to any MAC 00:27:11:00:1c:69 any
    00020  6889   641678 allow ip from any to any MAC any 00:27:11:00:1c:69
    00020    16     4491 allow ip from any to any MAC 00:27:11:00:1c:6a any
    00021  2245   112296 allow ip from any to any MAC any 00:27:11:00:1c:6a
    00021    94     3884 allow ip from any to any MAC 00:27:11:00:1c:a4 any
    00022  2195   111142 allow ip from any to any MAC any 00:27:11:00:1c:a4
    00022     0        0 allow ip from any to any MAC 00:27:11:00:1c:a5 any
    00023     0        0 allow ip from any to any MAC any 00:27:11:00:1c:a5
    00023 31192 41939244 allow ip from any to any MAC 00:27:11:00:1d:6a any
    00024 23327  2496817 allow ip from any to any MAC any 00:27:11:00:1d:6a
    00024     0        0 allow ip from any to any MAC 00:27:11:00:21:2b any
    00025     0        0 allow ip from any to any MAC any 00:27:11:00:21:2b
    00025    52    16160 allow ip from any to any MAC 00:27:11:00:22:8a any
    00026    74    14634 allow ip from any to any MAC any 00:27:11:00:22:8a
    00026     0        0 allow ip from any to any MAC 00:27:11:00:22:8e any
    00027     0        0 allow ip from any to any MAC any 00:27:11:00:22:8e
    00027 19155  6043827 allow ip from any to any MAC 00:27:11:00:22:ff any
    00028 20059  2334768 allow ip from any to any MAC any 00:27:11:00:22:ff
    00028     0        0 allow ip from any to any MAC 00:e0:4d:8f:6a:d7 any
    00029     0        0 allow ip from any to any MAC any 00:e0:4d:8f:6a:d7
    00030  3312  2174315 allow ip from any to any MAC 00:1b:b9:a2:f7:9f any
    00031  3985   704163 allow ip from any to any MAC any 00:1b:b9:a2:f7:9f
    00031 24308 15279159 allow ip from any to any MAC 00:1a:70:75:e7:e5 any
    00032 21267  2064256 allow ip from any to any MAC any 00:1a:70:75:e7:e5
    65291     0        0 allow pfsync from any to any
    65292     0        0 allow carp from any to any
    65301   214     8998 allow ip from any to any layer2 mac-type 0x0806
    65302     0        0 allow ip from any to any layer2 mac-type 0x888e
    65303     0        0 allow ip from any to any layer2 mac-type 0x88c7
    65304     0        0 allow ip from any to any layer2 mac-type 0x8863
    65305     0        0 allow ip from any to any layer2 mac-type 0x8864
    65306     0        0 allow ip from any to any layer2 mac-type 0x888e
    65307  1218    59924 deny ip from any to any layer2 not mac-type 0x0800
    65310  2093   209686 allow ip from any to { 255.255.255.255 or 172.16.0.1 } in
    65311  1182   546578 allow ip from { 255.255.255.255 or 172.16.0.1 } to any out
    65312     0        0 allow icmp from { 255.255.255.255 or 172.16.0.1 } to any out icmptypes 0
    65313     0        0 allow icmp from any to { 255.255.255.255 or 172.16.0.1 } in icmptypes 8
    65314     0        0 allow ip from table(3) to any in
    65315     0        0 allow ip from any to table(4) out
    65316     0        0 pipe tablearg ip from table(5) to any in
    65317     0        0 pipe tablearg ip from any to table(6) out
    65318    22     1341 allow ip from any to table(7) in
    65319    29    37722 allow ip from table(8) to any out
    65320     0        0 pipe tablearg ip from any to table(9) in
    65321     0        0 pipe tablearg ip from table(10) to any out
    65322     0        0 allow ip from table(1) to any in
    65323     0        0 allow ip from any to table(2) out
    65531  4915   467735 fwd 127.0.0.1,8000 tcp from any to any in
    65532  4198   489776 allow tcp from any to any out
    65533  1254   147478 deny ip from any to any
    65534     0        0 allow ip from any to any layer2
    65535   537   342462 allow ip from any to any
    
    

    After change

    [2.0-RC1][root@quinimari.compuven.local]/root(2): ipfw show
    00002     0        0 pipe 20003 ip from any to any MAC 00:02:2d:b3:21:26 any
    00003     0        0 pipe 20002 ip from any to any MAC any 00:02:2d:b3:21:26
    00004     0        0 allow ip from any to any MAC 00:02:6f:6f:57:7f any
    00009     0        0 allow ip from any to any MAC any 00:1d:92:f5:8b:37
    00009     0        0 allow ip from any to any MAC 00:1e:ec:2d:2e:04 any
    00010     0        0 allow ip from any to any MAC any 00:1e:ec:2d:2e:04
    00010     0        0 allow ip from any to any MAC 00:1f:3c:4b:50:97 any
    00011     0        0 allow ip from any to any MAC any 00:1f:3c:4b:50:97
    00011     4      466 allow ip from any to any MAC 00:22:6b:8c:95:56 any
    00012     8     1244 allow ip from any to any MAC any 00:22:6b:8c:95:56
    00012     0        0 allow ip from any to any MAC 00:22:fb:6d:bd:be any
    00013     0        0 allow ip from any to any MAC any 00:22:fb:6d:bd:be
    00013     0        0 allow ip from any to any MAC 00:23:cd:f8:95:a6 any
    00014     0        0 allow ip from any to any MAC any 00:23:cd:f8:95:a6
    00014    15     6393 allow ip from any to any MAC 00:23:cd:f8:97:cd any
    00015    21     2346 allow ip from any to any MAC any 00:23:cd:f8:97:cd
    00015     0        0 allow ip from any to any MAC 00:23:cd:f8:9a:7a any
    00016     0        0 allow ip from any to any MAC any 00:23:cd:f8:9a:7a
    00016  3001  2814715 allow ip from any to any MAC 00:25:86:cf:05:aa any
    00017  2965   597573 allow ip from any to any MAC any 00:25:86:cf:05:aa
    00017    29     9372 allow ip from any to any MAC 00:27:11:00:1c:6b any
    00018    45     8185 allow ip from any to any MAC any 00:27:11:00:1c:6b
    00018     0        0 allow ip from any to any MAC 00:27:11:00:1b:55 any
    00019     0        0 allow ip from any to any MAC any 00:27:11:00:1b:55
    00019 10036 13523831 allow ip from any to any MAC 00:27:11:00:1c:69 any
    00020  9660   788823 allow ip from any to any MAC any 00:27:11:00:1c:69
    00020    16     4491 allow ip from any to any MAC 00:27:11:00:1c:6a any
    00021  2485   124240 allow ip from any to any MAC any 00:27:11:00:1c:6a
    00021   102     4584 allow ip from any to any MAC 00:27:11:00:1c:a4 any
    00022  2326   118169 allow ip from any to any MAC any 00:27:11:00:1c:a4
    00022     0        0 allow ip from any to any MAC 00:27:11:00:1c:a5 any
    00023     0        0 allow ip from any to any MAC any 00:27:11:00:1c:a5
    00023 33189 43617762 allow ip from any to any MAC 00:27:11:00:1d:6a any
    00024 25209  3100102 allow ip from any to any MAC any 00:27:11:00:1d:6a
    00024     0        0 allow ip from any to any MAC 00:27:11:00:21:2b any
    00025     0        0 allow ip from any to any MAC any 00:27:11:00:21:2b
    00025    57    16348 allow ip from any to any MAC 00:27:11:00:22:8a any
    00026    81    15336 allow ip from any to any MAC any 00:27:11:00:22:8a
    00026     0        0 allow ip from any to any MAC 00:27:11:00:22:8e any
    00027     0        0 allow ip from any to any MAC any 00:27:11:00:22:8e
    00027 22090  7727354 allow ip from any to any MAC 00:27:11:00:22:ff any
    00028 22985  2807386 allow ip from any to any MAC any 00:27:11:00:22:ff
    00028     0        0 allow ip from any to any MAC 00:e0:4d:8f:6a:d7 any
    00029     0        0 allow ip from any to any MAC any 00:e0:4d:8f:6a:d7
    00030   336   288817 allow ip from any to any MAC 00:1b:b9:a2:f7:9f any
    00031   164    18952 allow ip from any to any MAC any 00:1b:b9:a2:f7:9f
    00032 22938  2206787 allow ip from any to any MAC any 00:1a:70:75:e7:e5
    00032   244    30920 allow ip from any to any MAC 00:02:a5:7c:4f:96 any
    00033   241    18104 allow ip from any to any MAC any 00:02:a5:7c:4f:96
    65291     0        0 allow pfsync from any to any
    65292     0        0 allow carp from any to any
    65301   222     9294 allow ip from any to any layer2 mac-type 0x0806
    65302     0        0 allow ip from any to any layer2 mac-type 0x888e
    65303     0        0 allow ip from any to any layer2 mac-type 0x88c7
    65304     0        0 allow ip from any to any layer2 mac-type 0x8863
    65305     0        0 allow ip from any to any layer2 mac-type 0x8864
    65306     0        0 allow ip from any to any layer2 mac-type 0x888e
    65307  1361    69286 deny ip from any to any layer2 not mac-type 0x0800
    65310  2750   273520 allow ip from any to { 255.255.255.255 or 172.16.0.1 } in
    65311  1933   834726 allow ip from { 255.255.255.255 or 172.16.0.1 } to any out
    65312     0        0 allow icmp from { 255.255.255.255 or 172.16.0.1 } to any out icmptypes 0
    65313     0        0 allow icmp from any to { 255.255.255.255 or 172.16.0.1 } in icmptypes 8
    65314     0        0 allow ip from table(3) to any in
    65315     0        0 allow ip from any to table(4) out
    65316     0        0 pipe tablearg ip from table(5) to any in
    65317     0        0 pipe tablearg ip from any to table(6) out
    65318   155    39459 allow ip from any to table(7) in
    65319   142    96309 allow ip from table(8) to any out
    65320     0        0 pipe tablearg ip from any to table(9) in
    65321     0        0 pipe tablearg ip from table(10) to any out
    65322     0        0 allow ip from table(1) to any in
    65323     0        0 allow ip from any to table(2) out
    65531  7967   751120 fwd 127.0.0.1,8000 tcp from any to any in
    65532  7913   961347 allow tcp from any to any out
    65533  1485   171639 deny ip from any to any
    65534     0        0 allow ip from any to any layer2
    65535   537   342462 allow ip from any to any
    
    

    Note: the MAC 00:02:a5:7c:4f:96
    has the problem that, even in the pass-through list, the captive portal does not allow browsing.

    When I remove it and add it again it works, but another one is blocked.

    In the first I only see the MAC with this rule:
    00005   721   120439 allow ip from any to any MAC 00:02:a5:7c:4f:96 any
    
    In the second ipfw show there are two:
    00032   244    30920 allow ip from any to any MAC 00:02:a5:7c:4f:96 any
    00033   241    18104 allow ip from any to any MAC any 00:02:a5:7c:4f:96
    

    Looks to be a problem with the IN OUT rules? Really, I don't have much idea about it.

    In the captive portal config I don't have anything special, only local database (without users added), enabled on LAN and without timeouts.

    Edit
    More info:
    Deleted and added again the MAC with the problem, but now the MAC 00:02:2d:b3:21:26 is not in the list, but in the captive portal tab it is there, added.

    Errors in the syslog:

    Mar 22 17:40:55 	check_reload_status: syncing firewall
    Mar 22 17:40:54 	php: /services_captiveportal_mac.php: The command '/sbin/ipfw delete 4; /sbin/ipfw delete 5' returned exit code '69', the output was 'ipfw: rule 5: setsockopt(IP_FW_DEL): Invalid argument'
    Mar 22 17:08:31 	check_reload_status: syncing firewall
    Mar 22 17:07:36 	php: /services_captiveportal_mac_edit.php: The command '/sbin/ipfw -q /tmp/tmpmacedit2' returned exit code '69', the output was 'Line 2: rule 6: setsockopt(IP_FW_DEL): Invalid argument'
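
A way to check a pasted `ipfw show` listing for the two symptoms visible in the post above: a MAC with only one of its two directional rules, and a rule number carried by two different MACs (`ipfw delete N` removes every rule numbered N). This is an added example, not code from the thread or from pfSense; the function names are hypothetical and the sample rows are copied from the first listing above.

```python
import re
from collections import defaultdict

# Rows copied from the first `ipfw show` listing in the post above.
SAMPLE = """\
00004     0        0 allow ip from any to any MAC 00:02:6f:6f:57:7f any
00005     0        0 allow ip from any to any MAC any 00:02:6f:6f:57:7f
00005   721   120439 allow ip from any to any MAC 00:02:a5:7c:4f:96 any
00009     0        0 allow ip from any to any MAC any 00:1d:92:f5:8b:37
00009     0        0 allow ip from any to any MAC 00:1e:ec:2d:2e:04 any
00010     0        0 allow ip from any to any MAC any 00:1e:ec:2d:2e:04
65533  1254   147478 deny ip from any to any
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
# ipfw syntax is "MAC <dst-mac> <src-mac>": first field is destination.
RULE = re.compile(
    rf"^\s*(\d+)\s+\d+\s+\d+\s+(?:allow|pipe \d+) ip from any to any "
    rf"MAC\s+(any|{MAC})\s+(any|{MAC})\s*$", re.I)


def parse(listing):
    """Return {mac: {"dst": [rule_no], "src": [rule_no]}} for MAC rules."""
    macs = defaultdict(lambda: {"dst": [], "src": []})
    for line in listing.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # table, fwd, deny and layer2 rules are ignored
        num, dst, src = int(m.group(1)), m.group(2).lower(), m.group(3).lower()
        if dst != "any":
            macs[dst]["dst"].append(num)
        if src != "any":
            macs[src]["src"].append(num)
    return dict(macs)


def half_installed(macs):
    """Map each MAC that has only one direction to the direction it lacks."""
    return {mac: ("src" if not d["src"] else "dst")
            for mac, d in macs.items() if bool(d["dst"]) != bool(d["src"])}


def shared_numbers(macs):
    """Rule numbers used by more than one MAC, with the MACs that share them."""
    owners = defaultdict(set)
    for mac, d in macs.items():
        for num in d["dst"] + d["src"]:
            owners[num].add(mac)
    return {num: sorted(o) for num, o in owners.items() if len(o) > 1}


if __name__ == "__main__":
    rules = parse(SAMPLE)
    for mac, missing in half_installed(rules).items():
        print(f"{mac}: no rule matching it as {missing}")
    for num, shared in shared_numbers(rules).items():
        print(f"rule {num} is shared by {', '.join(shared)}")
```
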
    


  • Update to:
    Version 2.0-RC1 (i386)
    built on Wed Mar 23 01:24:24 EDT 2011

    Same problem  :-[





  • Done, I changed the line and rebooted to give it a try.
    What does this mean? "Try to not stomp rule to each other."

    Don't add so many rules?



  • It means that rules should not override each other like 'foot stepping each other'.

    Waiting for the results.



  • @ermal:

    It means that rules should not override each other like 'foot stepping each other'.

    Waiting for the results.

    Until now, with some added, deleted, edited and limited MACs, without problems :D
    Thanks

    [2.0-RC1][root@quinimari.compuven.local]/root(1): ipfw show
    00002      0         0 pipe 20003 ip from any to any MAC 00:02:2d:b3:21:26 any
    00003      0         0 pipe 20002 ip from any to any MAC any 00:02:2d:b3:21:26
    00004      0         0 allow ip from any to any MAC any 00:02:6f:6f:57:7f
    00004  51977   7161831 allow ip from any to any MAC 00:02:a5:7c:4f:96 any
    00005  59786   8611488 allow ip from any to any MAC any 00:02:a5:7c:4f:96
    00005 517842 292105249 allow ip from any to any MAC 00:1a:70:75:e7:e5 any
    00006 490410  38676017 allow ip from any to any MAC any 00:1a:70:75:e7:e5
    00006      0         0 allow ip from any to any MAC 00:1a:80:f2:02:ab any
    00007      0         0 allow ip from any to any MAC any 00:1a:80:f2:02:ab
    00007 120743 123749246 allow ip from any to any MAC 00:1b:b9:a2:f7:9f any
    00008  89283  13542185 allow ip from any to any MAC any 00:1b:b9:a2:f7:9f
    00008  10960  13609926 allow ip from any to any MAC 00:1d:92:f5:8b:37 any
    00009   7208    938701 allow ip from any to any MAC any 00:1d:92:f5:8b:37
    00009      0         0 allow ip from any to any MAC 00:1e:ec:2d:2e:04 any
    00010      0         0 allow ip from any to any MAC any 00:1e:ec:2d:2e:04
    00010      0         0 allow ip from any to any MAC 00:1f:3c:4b:50:97 any
    00011      0         0 allow ip from any to any MAC any 00:1f:3c:4b:50:97
    00011  20454  19476067 allow ip from any to any MAC 00:21:27:f1:33:26 any
    00012  17522   3396144 allow ip from any to any MAC any 00:21:27:f1:33:26
    00012  94997 113900837 allow ip from any to any MAC 00:22:6b:8c:95:56 any
    00013  70925   8551948 allow ip from any to any MAC any 00:22:6b:8c:95:56
    00013      0         0 allow ip from any to any MAC 00:22:fb:6d:bd:be any
    00014      0         0 allow ip from any to any MAC any 00:22:fb:6d:bd:be
    00014  49533  59557085 allow ip from any to any MAC 00:23:cd:f8:95:a6 any
    00015  47353   4936692 allow ip from any to any MAC any 00:23:cd:f8:95:a6
    00015  41755  51038612 allow ip from any to any MAC 00:23:cd:f8:97:cd any
    00016  31249   3955573 allow ip from any to any MAC any 00:23:cd:f8:97:cd
    00016   1988   2194783 allow ip from any to any MAC 00:23:cd:f8:9a:1d any
    00017   1737    294107 allow ip from any to any MAC any 00:23:cd:f8:9a:1d
    00017    279    123185 allow ip from any to any MAC 00:23:cd:f8:9a:7a any
    00018    524    325603 allow ip from any to any MAC any 00:23:cd:f8:9a:7a
    00018      0         0 allow ip from any to any MAC 00:25:86:cf:01:d1 any
    00019      0         0 allow ip from any to any MAC any 00:25:86:cf:01:d1
    00019      0         0 allow ip from any to any MAC 00:25:86:ce:fb:e3 any
    00020      0         0 allow ip from any to any MAC any 00:25:86:ce:fb:e3
    00020      0         0 allow ip from any to any MAC 00:25:86:cf:00:7b any
    00021      0         0 allow ip from any to any MAC any 00:25:86:cf:00:7b
    00021 114940 159257826 allow ip from any to any MAC 00:25:86:cf:05:aa any
    00022  77760   6035113 allow ip from any to any MAC any 00:25:86:cf:05:aa
    00022 157628 178130744 allow ip from any to any MAC 00:25:9c:14:05:e4 any
    00023 155219  18717579 allow ip from any to any MAC any 00:25:9c:14:05:e4
    00023  34616  36185409 allow ip from any to any MAC 00:27:11:00:1b:d7 any
    00024  43762   5240806 allow ip from any to any MAC any 00:27:11:00:1b:d7
    00024   9785   8688988 allow ip from any to any MAC 00:27:11:00:1c:6b any
    00025   8723   1267447 allow ip from any to any MAC any 00:27:11:00:1c:6b
    00025  71031  70493621 allow ip from any to any MAC 00:27:11:00:1b:55 any
    00026  85295  18539086 allow ip from any to any MAC any 00:27:11:00:1b:55
    00026  88291  99202415 allow ip from any to any MAC 00:27:11:00:1c:69 any
    00027 106236  12353854 allow ip from any to any MAC any 00:27:11:00:1c:69
    00027  46878  53463407 allow ip from any to any MAC 00:27:11:00:1c:6a any
    00028  49956   6038922 allow ip from any to any MAC any 00:27:11:00:1c:6a
    00028   1045    922766 allow ip from any to any MAC 00:27:11:00:1c:a4 any
    00029   4205    367017 allow ip from any to any MAC any 00:27:11:00:1c:a4
    00029      0         0 allow ip from any to any MAC 00:27:11:00:1c:a5 any
    00030 162944 139005462 pipe 20031 ip from any to any MAC 00:27:11:00:1d:6a any
    00031 143211  37302976 pipe 20030 ip from any to any MAC any 00:27:11:00:1d:6a
    00032  15467   1338181 allow ip from any to any MAC any 00:27:11:00:21:2b
    00032  28725  26521616 allow ip from any to any MAC 00:27:11:00:22:8a any
    00033  27162   5421497 allow ip from any to any MAC any 00:27:11:00:22:8a
    00033  19348  15383230 allow ip from any to any MAC 00:27:11:00:22:8e any
    00034  28742   3775913 allow ip from any to any MAC any 00:27:11:00:22:8e
    00034 103500 123350415 allow ip from any to any MAC 00:27:11:00:22:ff any
    00035  86284  10659014 allow ip from any to any MAC any 00:27:11:00:22:ff
    00035 141923 193217703 allow ip from any to any MAC 00:27:11:00:23:ac any
    00036  95859   9334524 allow ip from any to any MAC any 00:27:11:00:23:ac
    00036  26605  29348500 allow ip from any to any MAC 00:27:11:00:57:30 any
    00037  21061   2722403 allow ip from any to any MAC any 00:27:11:00:57:30
    00037      0         0 allow ip from any to any MAC 00:e0:4d:8f:6a:d7 any
    00038      0         0 allow ip from any to any MAC any 00:e0:4d:8f:6a:d7
    00039      0         0 allow ip from any to any MAC 00:23:cd:f8:96:fc any
    00040      0         0 allow ip from any to any MAC any 00:23:cd:f8:96:fc
    00040 231487 324449546 allow ip from any to any MAC 00:23:cd:f8:9a:7b any
    00041 164734  11210857 allow ip from any to any MAC any 00:23:cd:f8:9a:7b
    
    

    Does not look to be a missed "any"

