Anyone else running a WiSP and using pfSense?



  • Hey guys, I am hoping to get some info or just a chat with some other people in a similar situation to me.  I am from Australia, and I live in Brazil.  Myself and a partner have started a WISP here, which we are hoping very shortly will cover our whole city (smallish, around 5 square kilometers).

    We are using some fantastic wireless equipment from Ruckus Wireless, and I am using pfSense 2.0-RELEASE as my gateway/firewall etc.

    What I would like to know is what you guys use as far as software to manage clients, payments and all that, and also network administration.  I would love to know what tools or software I can use to troubleshoot any networking problems that my customers have.  I already have a few (all connected to us via 2.4GHz directional antennas) who are having slowness problems with general web browsing, while others are not. The traffic graph shows that I have plenty of available bandwidth at the times people are complaining, so could pfSense not be giving out all the available bandwidth? Or is it an antenna problem?  They all have very good signal and connection to my towers.

    So basically I am after assistance in knowing how to properly troubleshoot these types of issues, and hopefully find out what other WISPs are using as far as client management software and go from there.

    Thanks in advance.



  • How many users are connected at one time to the APs that are giving poor performance?



  • What is the transport method between your router and your tower radios?

    Keep in mind that 2.4GHz is a very busy band. Everything from microwave ovens, some cordless phones and Bluetooth, besides wireless networking, resides in and around these frequencies.



  • @ericab:

    How many users are connected at one time to the APs that are giving poor performance?

    Currently I have 2 towers, each with an AP and a PTP.  These APs can handle 100 concurrent connections.  My first one currently has 58 connected, the second has 18 connected.  Bear in mind that of those 58 connected, I have maybe 10 who are complaining that the internet is bottlenecking and oscillating a lot, and then others that are connected are telling me how good it is.  We give our clients a 2Mb down/1Mb up connection.



  • @chpalmer:

    What is the transport method between your router and your tower radios?

    Keep in mind that 2.4GHz is a very busy band. Everything from microwave ovens, some cordless phones and Bluetooth, besides wireless networking, resides in and around these frequencies.

    Basically, the first tower is connected directly into my network via CAT5 cable (it's on the roof of my office) and the second tower, which is around 1500 meters away, is connected via PTPs (the main one being connected to my network via CAT5, the other at the second tower).

    As far as I can see from using inSSIDer, there are other networks around, but our APs auto-select the best channel, which from looking at it seems to be uncongested.

    Just for the record, our APs are: Ruckus ZoneFlex 2741
    And our PTPs are: Ruckus ZoneFlex 7731



  • @luke240778:

    Just for the record, our APs are: Ruckus ZoneFlex 2741
    And our PTPs are: Ruckus ZoneFlex 7731

    Hi, did you have specific reasons for choosing Ruckus gear for your WISP "last-mile" setup? FWIW I think Ruckus products are great; however, it seems that most small-/mid-sized WISPs around the world typically deploy MikroTik and Ubiquiti gear.



  • @dhatz:

    @luke240778:

    Just for the record, our APs are: Ruckus ZoneFlex 2741
    And our PTPs are: Ruckus ZoneFlex 7731

    Hi, did you have specific reasons for choosing Ruckus gear for your WISP "last-mile" setup? FWIW I think Ruckus products are great; however, it seems that most small-/mid-sized WISPs around the world typically deploy MikroTik and Ubiquiti gear.

    We did a lot of research and testing of all of these, and none of the others perform anywhere near as well as the Ruckus.  The main benefits being the larger backhaul capabilities, more users per radio, simple to install and set up, beamforming, etc.  The Ruckus equipment just works fantastically and is very simple to set up.  From talking with someone at Ubiquiti, I was told that we could only really get around 30 simultaneous connections per radio, and it's 100 with Ruckus currently, and will be 250 with the next firmware upgrade in a couple more weeks.



  • As I wrote in my previous post, I certainly agree that Ruckus performs great, but the other two seem to be primarily geared towards the small-/medium-size WISP niche, and a lot of the necessary functionality you asked for (e.g. managing clients, payments etc) is either built-in or readily available from 3rd party software.

    I'm a bit surprised that Ubiquiti told you that their gear can only get 30 users per AP, because they're marketing their proprietary "AirMax" technology, which reportedly supports ~100 clients per AP, as long as both the AP and all clients support it.



  • @dhatz:

    As I wrote in my previous post, I certainly agree that Ruckus performs great, but the other two seem to be primarily geared towards the small-/medium-size WISP niche, and a lot of the necessary functionality you asked for (e.g. managing clients, payments etc) is either built-in or readily available from 3rd party software.

    Do you know of any of these 3rd party software packages that are good?  I am currently using a FreeRADIUS server for authentication, with daloRADIUS as the web GUI, but it doesn't seem to be that good.  Freeside is another I have heard of, but I can't even get it installed and working after about a month of trying.

    @dhatz:

    I'm a bit surprised that Ubiquiti told you that their gear can only get 30 users per AP, because they're marketing their proprietary "AirMax" technology, which reportedly supports ~100 clients per AP, as long as both the AP and all clients support it.

    The main issue with Ubiquiti was on the backhaul; it just couldn't support where we are needing to go. We needed to go with carrier-class gear to support the number of clients and the bandwidth we are aiming at.  Going with Ubiquiti gear for us just meant we would need to swap it out for Ruckus later on anyway, so we went with Ruckus from the get-go.

    Are you also a WISP, dhatz?  If so, what kind of setup are you using?



  • No, I don't run a WISP, but I was involved in related work a few years ago.



  • Ok great, I would love to hear any ideas for user management software that you might know of that work well.



  • You could check Radius Manager (http://www.dmasoftlab.com/), but keep in mind that certain key features are NAS-specific. E.g. Radius Manager has a feature called "instant access service" that allows a user to create a Hotspot account on the fly, after paying first. But for this feature to work, one would obviously need to add certain sites to the captive portal's walled garden, incl. wildcard domain matches for *.akamaiedge.net servers.

    Check the filter-by-hostname/FQDN threads to understand the issues involved. The latest pfSense 2 has a daemon that resolves hostnames into IPs periodically, but I'd have to check to see if CP can be configured to allow traffic to Akamai's entire IP range (if you plan to use a payment gateway that uses it).



  • I run a WISP and we're about to try pfSense 2.0-RELEASE. There was a bug in pfSense 1.2.3 where it didn't like our MikroTik quad-NICs, but 2.0 doesn't appear to have that problem.



  • @dhatz:

    You could check Radius Manager (http://www.dmasoftlab.com/), but keep in mind that certain key features are NAS-specific. E.g. Radius Manager has a feature called "instant access service" that allows a user to create a Hotspot account on the fly, after paying first. But for this feature to work, one would obviously need to add certain sites to the captive portal's walled garden, incl. wildcard domain matches for *.akamaiedge.net servers.

    Check the filter-by-hostname/FQDN threads to understand the issues involved. The latest pfSense 2 has a daemon that resolves hostnames into IPs periodically, but I'd have to check to see if CP can be configured to allow traffic to Akamai's entire IP range (if you plan to use a payment gateway that uses it).

    Thanks for this.  I have actually contacted them to do a demo.  They are telling me that their software works best with MikroTik, and not so great with pfSense... not sure what to do now.  Can I somehow use both MikroTik and pfSense?



  • @luke240778:

    Don't be too quick to try pfSense 2.0-RELEASE. My captive portal worked perfectly before the upgrade to 2.0-RELEASE; now I am having people bypass the CP and go straight onto the net. Big bug in my opinion.

    I've noticed you posting about having problems, but IIRC you were just using the MAC passthrough feature and manually adding/removing MACs.

    You'll need to provide more info about your config and ipfw settings (/tmp/ipfw.cp.rules, ipfw show, ipfw table all list) for anyone to attempt a diagnosis.



  • dhatz, I am not sure what you are saying. I don't know what those ipfw commands you mention are.  I have posted about this in another thread I mentioned, but no one assisted, just someone else saying they have also got the same problem.

    If I run /tmp/ipfw.cp.rules it tells me I don't have permission (logged in as root).

    ipfw table all list: I get nothing, it just goes to a new prompt.

    ipfw show, and I get:

    00002  4332989  5006773709 pipe 20003 ip from any to any MAC 00:05:9e:84:e6:20 any
    00003  3075455  310604103 pipe 20002 ip from any to any MAC any 00:05:9e:84:e6:20
    00004  9842576  7583812500 allow ip from any to any MAC 00:0c:29:13:78:e0 any
    00005  9631009  1639719585 allow ip from any to any MAC any 00:0c:29:13:78:e0
    00006        0          0 allow ip from any to any MAC 00:0c:29:41:51:16 any
    00007        0          0 allow ip from any to any MAC any 00:0c:29:41:51:16
    00008    2667      210140 allow ip from any to any MAC 00:0c:29:a3:32:e0 any
    00009  222347    10321860 allow ip from any to any MAC any 00:0c:29:a3:32:e0
    00010        0          0 pipe 20011 ip from any to any MAC 00:0c:29:a4:2c:51 any
    00011        0          0 pipe 20010 ip from any to any MAC any 00:0c:29:a4:2c:51
    00012    16154    1302958 pipe 20013 ip from any to any MAC 00:15:6d:4e:4e:1a any
    00013    25416    2561760 pipe 20012 ip from any to any MAC any 00:15:6d:4e:4e:1a
    00014        0          0 allow ip from any to any MAC 00:18:8b:4b:ed:f8 any
    00015        0          0 allow ip from any to any MAC any 00:18:8b:4b:ed:f8
    00016    5937      820358 allow ip from any to any MAC 00:18:8b:4b:ed:fa any
    00017    21567    5593215 allow ip from any to any MAC any 00:18:8b:4b:ed:fa
    00018        0          0 allow ip from any to any MAC 00:1b:b9:6f:25:06 any
    00019        0          0 allow ip from any to any MAC any 00:1b:b9:6f:25:06
    00020  2271099  2114454968 pipe 20021 ip from any to any MAC 00:1c:26:a9:fc:f4 any
    00021  1975314  471339914 pipe 20020 ip from any to any MAC any 00:1c:26:a9:fc:f4
    00022      126      12583 pipe 20023 ip from any to any MAC 00:26:66:03:23:af any
    00023      206      14510 pipe 20022 ip from any to any MAC any 00:26:66:03:23:af
    00024  622301  524288168 pipe 20025 ip from any to any MAC 00:26:ce:0f:57:35 any
    00025  459052    66340065 pipe 20024 ip from any to any MAC any 00:26:ce:0f:57:35
    00026  330032    26467120 allow ip from any to any MAC 04:4f:aa:33:53:f0 any
    00027  469297  274555701 allow ip from any to any MAC any 04:4f:aa:33:53:f0
    00028  325160    26040717 allow ip from any to any MAC 04:4f:aa:33:5c:b0 any
    00029  457004  267463375 allow ip from any to any MAC any 04:4f:aa:33:5c:b0
    00030  7568554  5860475360 pipe 20031 ip from any to any MAC 08:10:74:75:7d:44 any
    00031  7516046  4757064328 pipe 20030 ip from any to any MAC any 08:10:74:75:7d:44
    00032  3518218  3854560400 pipe 20033 ip from any to any MAC 08:10:74:75:7f:06 any
    00033  2568860  365464108 pipe 20032 ip from any to any MAC any 08:10:74:75:7f:06
    00034  115475  131312084 pipe 20035 ip from any to any MAC 08:10:74:75:84:be any
    00035    72804    7707477 pipe 20034 ip from any to any MAC any 08:10:74:75:84:be
    00036        0          0 pipe 20037 ip from any to any MAC 08:10:74:c8:46:86 any
    00037        0          0 pipe 20036 ip from any to any MAC any 08:10:74:c8:46:86
    00038  1474309  1939345218 pipe 20039 ip from any to any MAC 08:10:74:75:8b:e6 any
    00039  894634    72499724 pipe 20038 ip from any to any MAC any 08:10:74:75:8b:e6
    00040  565946  417136068 pipe 20041 ip from any to any MAC 08:10:74:75:8f:3c any
    00041  429217    75869270 pipe 20040 ip from any to any MAC any 08:10:74:75:8f:3c
    00042  2985854  3239996369 pipe 20043 ip from any to any MAC 08:10:74:75:90:32 any
    00043  1921277  217632925 pipe 20042 ip from any to any MAC any 08:10:74:75:90:32
    00044  1288158  1706708950 pipe 20045 ip from any to any MAC 08:10:74:75:9a:9c any
    00045  723971    74211447 pipe 20044 ip from any to any MAC any 08:10:74:75:9a:9c
    00046  2002579  1943272834 pipe 20047 ip from any to any MAC 08:10:74:75:a5:06 any
    00047  1013172    98836047 pipe 20046 ip from any to any MAC any 08:10:74:75:a5:06
    00048 28290720 39669941815 pipe 20049 ip from any to any MAC 08:10:74:75:a8:80 any
    00049 16095239  2111785148 pipe 20048 ip from any to any MAC any 08:10:74:75:a8:80
    00050  166331  188546282 pipe 20051 ip from any to any MAC 08:10:74:75:ab:68 any
    00051  103300    12669065 pipe 20050 ip from any to any MAC any 08:10:74:75:ab:68
    00052  2300984  3172667786 pipe 20053 ip from any to any MAC 08:10:74:75:b1:4e any
    00053  1418983  109118422 pipe 20052 ip from any to any MAC any 08:10:74:75:b1:4e
    00054  5163631  6991035861 pipe 20055 ip from any to any MAC 08:10:74:75:b9:88 any
    00055  3273357  266203334 pipe 20054 ip from any to any MAC any 08:10:74:75:b9:88
    00056  3025463  1976128448 pipe 20057 ip from any to any MAC 08:10:74:75:bb:52 any
    00057  2171779  280907648 pipe 20056 ip from any to any MAC any 08:10:74:75:bb:52
    00058  459865  537204506 pipe 20059 ip from any to any MAC 08:10:74:75:a6:8c any
    00059  277890    40061967 pipe 20058 ip from any to any MAC any 08:10:74:75:a6:8c
    00060        0          0 pipe 20061 ip from any to any MAC 08:10:74:75:c5:d8 any
    00061        0          0 pipe 20060 ip from any to any MAC any 08:10:74:75:c5:d8
    00062  1873946  1953949464 pipe 20063 ip from any to any MAC 08:10:74:77:fe:7e any
    00063  1636396  347991776 pipe 20062 ip from any to any MAC any 08:10:74:77:fe:7e
    00064  2759491  3410703235 pipe 20065 ip from any to any MAC 08:10:74:78:08:8e any
    00065  1595431  156613288 pipe 20064 ip from any to any MAC any 08:10:74:78:08:8e
    00066  764212  807967272 pipe 20067 ip from any to any MAC 08:10:74:85:fd:48 any
    00067  474708    64712594 pipe 20066 ip from any to any MAC any 08:10:74:85:fd:48
    00068  4833764  6321102547 pipe 20069 ip from any to any MAC 08:10:74:86:02:6a any
    00069  2655256  171925890 pipe 20068 ip from any to any MAC any 08:10:74:86:02:6a
    00070  184133  178950476 pipe 20071 ip from any to any MAC 08:10:74:86:03:70 any
    00071  128563    18067939 pipe 20070 ip from any to any MAC any 08:10:74:86:03:70
    00072  2174920  348846173 pipe 20073 ip from any to any MAC 08:10:74:86:07:0e any
    00073  3356930  3814734310 pipe 20072 ip from any to any MAC any 08:10:74:86:07:0e
    00074  3578092  4460492829 pipe 20075 ip from any to any MAC 08:10:74:86:14:a6 any
    00075  2585431  274397409 pipe 20074 ip from any to any MAC any 08:10:74:86:14:a6
    00076  7462527 10502227054 pipe 20077 ip from any to any MAC 08:10:74:86:1a:22 any
    00077  3952707  255584104 pipe 20076 ip from any to any MAC any 08:10:74:86:1a:22
    00078  4286126  4185272568 pipe 20079 ip from any to any MAC 08:10:74:86:25:b6 any
    00079  3421293  490149811 pipe 20078 ip from any to any MAC any 08:10:74:86:25:b6
    00080  955203  732193600 pipe 20081 ip from any to any MAC 08:10:74:86:26:d6 any
    00081  688034  139381334 pipe 20080 ip from any to any MAC any 08:10:74:86:26:d6
    00082  1041003  1269900124 pipe 20083 ip from any to any MAC 08:10:74:86:29:82 any
    00083  719576    70296111 pipe 20082 ip from any to any MAC any 08:10:74:86:29:82
    00084  2241588  2871263310 pipe 20085 ip from any to any MAC 08:10:74:c8:c5:42 any
    00085  1354726  214935886 pipe 20084 ip from any to any MAC any 08:10:74:c8:c5:42
    00086  4736888  6161902089 pipe 20087 ip from any to any MAC 08:10:74:86:2e:36 any
    00087  2664496  235005501 pipe 20086 ip from any to any MAC any 08:10:74:86:2e:36
    00088  131322  115975933 pipe 20089 ip from any to any MAC 08:10:74:86:2f:42 any
    00089    88701    16339203 pipe 20088 ip from any to any MAC any 08:10:74:86:2f:42
    00090  1002356  987145289 pipe 20091 ip from any to any MAC 08:10:74:86:2f:d6 any
    00091  727255    97393671 pipe 20090 ip from any to any MAC any 08:10:74:86:2f:d6
    00092  1533181  1934887741 pipe 20093 ip from any to any MAC 08:10:74:86:30:5c any
    00093  864980    82982534 pipe 20092 ip from any to any MAC any 08:10:74:86:30:5c
    00094        0          0 pipe 20095 ip from any to any MAC 08:10:74:c8:00:00 any
    00095        0          0 pipe 20094 ip from any to any MAC any 08:10:74:c8:00:00
    00096  130061  168854494 pipe 20097 ip from any to any MAC 08:10:74:c8:bc:6c any
    00097    73496    6046004 pipe 20096 ip from any to any MAC any 08:10:74:c8:bc:6c
    00098  5137037  6155347004 pipe 20099 ip from any to any MAC 08:10:74:c8:c0:70 any
    00099  2885155  558971080 pipe 20098 ip from any to any MAC any 08:10:74:c8:c0:70
    00100  195441  185029323 pipe 20101 ip from any to any MAC 08:10:74:c8:c5:42 any
    00101  155105    24313030 pipe 20100 ip from any to any MAC any 08:10:74:c8:c5:42
    00102    13138      830143 pipe 20103 ip from any to any MAC 08:10:74:c8:c5:f4 any
    00103    10808    1148591 pipe 20102 ip from any to any MAC any 08:10:74:c8:c5:f4
    00104    15813    2527914 pipe 20105 ip from any to any MAC 08:10:74:c8:c9:fa any
    00105    14031    1566746 pipe 20104 ip from any to any MAC any 08:10:74:c8:c9:fa
    00106  1453843  1680267944 pipe 20107 ip from any to any MAC 08:10:74:c8:ce:58 any
    00107  1039868  124427774 pipe 20106 ip from any to any MAC any 08:10:74:c8:ce:58
    00108  478918  689777112 pipe 20109 ip from any to any MAC 08:10:74:c8:ce:68 any
    00109  247947    12775142 pipe 20108 ip from any to any MAC any 08:10:74:c8:ce:68
    00110  657883  555438755 pipe 20111 ip from any to any MAC 08:10:74:c8:da:b2 any
    00111  452525    99963657 pipe 20110 ip from any to any MAC any 08:10:74:c8:da:b2
    00112  722741  553149713 pipe 20113 ip from any to any MAC 08:10:74:c8:dc:74 any
    00113  785433  203374557 pipe 20112 ip from any to any MAC any 08:10:74:c8:dc:74
    00114 14722725 11822029016 pipe 20115 ip from any to any MAC 08:10:74:c8:de:94 any
    00115 14176511  9000714251 pipe 20114 ip from any to any MAC any 08:10:74:c8:de:94
    00116  458948  420041242 pipe 20117 ip from any to any MAC 08:10:74:c8:e0:b0 any
    00117  343544    77904548 pipe 20116 ip from any to any MAC any 08:10:74:c8:e0:b0
    00118    1311      411509 pipe 20119 ip from any to any MAC 08:10:74:c8:e0:e6 any
    00119      886      70264 pipe 20118 ip from any to any MAC any 08:10:74:c8:e0:e6
    00120  1010311  1218800362 pipe 20121 ip from any to any MAC 08:10:74:c8:e5:d0 any
    00121  624559    76458597 pipe 20120 ip from any to any MAC any 08:10:74:c8:e5:d0
    00122  1988198  2351126255 pipe 20123 ip from any to any MAC 08:10:74:c8:ed:f4 any
    00123  1187285  118790792 pipe 20122 ip from any to any MAC any 08:10:74:c8:ed:f4
    00124 14350111 20900275604 pipe 20125 ip from any to any MAC 08:10:74:c8:f0:6a any
    00125  7247990  347228464 pipe 20124 ip from any to any MAC any 08:10:74:c8:f0:6a
    00126  103746  109188989 pipe 20127 ip from any to any MAC 08:10:74:c8:f0:a6 any
    00127    64535    6460202 pipe 20126 ip from any to any MAC any 08:10:74:c8:f0:a6
    00128  1103923  1198607577 pipe 20129 ip from any to any MAC 08:10:74:c8:f3:aa any
    00129  786784  106228806 pipe 20128 ip from any to any MAC any 08:10:74:c8:f3:aa
    00130  910998  1175609674 pipe 20131 ip from any to any MAC 08:10:74:c8:f6:8e any
    00131  520111    79062272 pipe 20130 ip from any to any MAC any 08:10:74:c8:f6:8e
    00132  1026676  1001090013 pipe 20133 ip from any to any MAC 08:10:74:c8:f7:e2 any
    00133  809725  176497032 pipe 20132 ip from any to any MAC any 08:10:74:c8:f7:e2
    00134  4602213  5479895709 pipe 20135 ip from any to any MAC 08:10:74:c8:f8:9c any
    00135  3085460  525300497 pipe 20134 ip from any to any MAC any 08:10:74:c8:f8:9c
    00136  923329  1144883035 pipe 20137 ip from any to any MAC 08:10:74:c8:f8:aa any
    00137  615328    46524778 pipe 20136 ip from any to any MAC any 08:10:74:c8:f8:aa
    00138  568334  296974594 pipe 20139 ip from any to any MAC 08:10:74:c8:fa:14 any
    00139  490189    91737144 pipe 20138 ip from any to any MAC any 08:10:74:c8:fa:14
    00140  8981296  9393993251 pipe 20141 ip from any to any MAC 08:10:74:c8:fa:40 any
    00141  6054045  590900973 pipe 20140 ip from any to any MAC any 08:10:74:c8:fa:40
    00142  1644037  1904953778 pipe 20143 ip from any to any MAC 08:10:74:c8:fa:4c any
    00143  1032831  145128109 pipe 20142 ip from any to any MAC any 08:10:74:c8:fa:4c
    00144  853769  868850701 pipe 20145 ip from any to any MAC 08:10:74:c8:fa:5c any
    00145  645901    93591692 pipe 20144 ip from any to any MAC any 08:10:74:c8:fa:5c
    00146  4320838  4499445123 pipe 20147 ip from any to any MAC 08:10:74:c8:fd:b2 any
    00147  2905435  749661585 pipe 20146 ip from any to any MAC any 08:10:74:c8:fd:b2
    00148  474845  516573968 pipe 20149 ip from any to any MAC 08:10:74:c8:dd:b8 any
    00149  296075    36403578 pipe 20148 ip from any to any MAC any 08:10:74:c8:dd:b8
    00150    1439      393932 pipe 20151 ip from any to any MAC 08:10:74:c8:f6:ac any
    00151      748      74389 pipe 20150 ip from any to any MAC any 08:10:74:c8:f6:ac
    00152  7476571  6214598572 pipe 20153 ip from any to any MAC 08:10:74:c9:00:cc any
    00153  5954648  2546952560 pipe 20152 ip from any to any MAC any 08:10:74:c9:00:cc
    00154  3181630  4062422740 pipe 20155 ip from any to any MAC 08:10:74:c9:01:f0 any
    00155  1883407  165582295 pipe 20154 ip from any to any MAC any 08:10:74:c9:01:f0
    00156    49210    32270556 pipe 20157 ip from any to any MAC 08:10:74:c9:02:6c any
    00157    34342    6889467 pipe 20156 ip from any to any MAC any 08:10:74:c9:02:6c
    00158 13877616 17589938436 pipe 20159 ip from any to any MAC 08:10:74:c9:02:9e any
    00159  8831606  1230984896 pipe 20158 ip from any to any MAC any 08:10:74:c9:02:9e
    00160  4065141  5326504356 pipe 20161 ip from any to any MAC 08:10:74:c9:04:72 any
    00161  2352751  225342377 pipe 20160 ip from any to any MAC any 08:10:74:c9:04:72
    00162        0          0 pipe 20163 ip from any to any MAC 08:10:74:c8:59:16 any
    00163        0          0 pipe 20162 ip from any to any MAC any 08:10:74:c8:59:16
    00164  276006  216198548 pipe 20165 ip from any to any MAC 08:10:74:c8:e0:92 any
    00165  222463    35028691 pipe 20164 ip from any to any MAC any 08:10:74:c8:e0:92
    00166  877308  540245232 pipe 20167 ip from any to any MAC 90:00:4e:5a:5a:7f any
    00167  692340    86802756 pipe 20166 ip from any to any MAC any 90:00:4e:5a:5a:7f
    00168        0          0 allow ip from any to any MAC a4:ba:db:3d:24:5a any
    00169        0          0 allow ip from any to any MAC any a4:ba:db:3d:24:5a
    00170    48128    4248350 allow ip from any to any MAC ac:67:06:37:90:60 any
    00171    48765    5809853 allow ip from any to any MAC any ac:67:06:37:90:60
    00172    48273    4255706 allow ip from any to any MAC ac:67:06:37:91:90 any
    00173    48831    5775983 allow ip from any to any MAC any ac:67:06:37:91:90
    00174      207      45439 pipe 20175 ip from any to any MAC b8:70:f4:92:0f:2e any
    00175      437      44620 pipe 20174 ip from any to any MAC any b8:70:f4:92:0f:2e
    00176      199      55265 pipe 20177 ip from any to any MAC f8:7b:7a:3a:ce:7f any
    00177      218      50668 pipe 20176 ip from any to any MAC any f8:7b:7a:3a:ce:7f
    00178  9250394  1277797068 pipe 20179 ip from any to any MAC c8:3a:35:d2:53:cf any
    00179 14148558 14986388983 pipe 20178 ip from any to any MAC any c8:3a:35:d2:53:cf
    00180        0          0 pipe 20181 ip from any to any MAC 08:10:74:86:26:fe any
    00181      246      14496 pipe 20180 ip from any to any MAC any 08:10:74:86:26:fe
    00182        0          0 pipe 20183 ip from any to any MAC 08:10:74:c8:06:ac any
    00183        0          0 pipe 20182 ip from any to any MAC any 08:10:74:c8:06:ac
    00184  954445  682284918 allow ip from any to any MAC 00:1e:64:52:a0:16 any
    00185  1186802  1104938693 allow ip from any to any MAC any 00:1e:64:52:a0:16
    00186        0          0 pipe 20187 ip from any to any MAC 08:10:74:75:98:9e any
    00187      458      24248 pipe 20186 ip from any to any MAC any 08:10:74:75:98:9e
    00188        0          0 pipe 20189 ip from any to any MAC 08:10:74:c8:e9:6c any
    00189      62      15572 pipe 20188 ip from any to any MAC any 08:10:74:c8:e9:6c
    00190    15236    17844494 pipe 20191 ip from any to any MAC 1c:65:9d:b3:75:42 any
    00191    11055    1464218 pipe 20190 ip from any to any MAC any 1c:65:9d:b3:75:42
    00192        0          0 pipe 20193 ip from any to any MAC 00:27:22:2e:11:65 any
    00193    2051      160090 pipe 20192 ip from any to any MAC any 00:27:22:2e:11:65
    00194    87117  128987267 allow ip from any to any MAC 00:0c:29:44:04:2d any
    00195    51242    2831873 allow ip from any to any MAC any 00:0c:29:44:04:2d
    00196        0          0 pipe 20197 ip from any to any MAC 08:10:74:c8:bd:14 any
    00197      10        2580 pipe 20196 ip from any to any MAC any 08:10:74:c8:bd:14
    00198        0          0 pipe 20199 ip from any to any MAC 08:10:74:75:98:9e any
    00199        0          0 pipe 20198 ip from any to any MAC any 08:10:74:75:98:9e
    00200        0          0 pipe 20201 ip from any to any MAC 08:10:74:86:2f:42 any
    00201        0          0 pipe 20200 ip from any to any MAC any 08:10:74:86:2f:42
    00202        0          0 pipe 20203 ip from any to any MAC 08:10:74:c8:1d:b8 any
    00203        0          0 pipe 20202 ip from any to any MAC any 08:10:74:c8:1d:b8
    65291        0          0 allow pfsync from any to any
    65292        0          0 allow carp from any to any
    65301    20191      738580 allow ip from any to any layer2 mac-type 0x0806
    65302        0          0 allow ip from any to any layer2 mac-type 0x888e
    65303        0          0 allow ip from any to any layer2 mac-type 0x88c7
    65304        0          0 allow ip from any to any layer2 mac-type 0x8863
    65305        0          0 allow ip from any to any layer2 mac-type 0x8864
    65306        0          0 allow ip from any to any layer2 mac-type 0x888e
    65307    18936    1012360 deny ip from any to any layer2 not mac-type 0x0800
    65310    49077    9426797 allow ip from any to { 255.255.255.255 or 192.168.10.1 or 192.168.5.1 } in
    65311      927      569345 allow ip from { 255.255.255.255 or 192.168.10.1 or 192.168.5.1 } to any out
    65312        0          0 allow icmp from { 255.255.255.255 or 192.168.10.1 or 192.168.5.1 } to any out icmptypes 0
    65313        0          0 allow icmp from any to { 255.255.255.255 or 192.168.10.1 or 192.168.5.1 } in icmptypes 8
    65314        0          0 allow ip from table(3) to any in
    65315        0          0 allow ip from any to table(4) out
    65316        0          0 pipe tablearg ip from table(5) to any in
    65317        0          0 pipe tablearg ip from any to table(6) out
    65318        0          0 allow ip from any to table(7) in
    65319        0          0 allow ip from table(8) to any out
    65320        0          0 pipe tablearg ip from any to table(9) in
    65321        0          0 pipe tablearg ip from table(10) to any out
    65322        0          0 pipe tablearg ip from table(1) to any in
    65323        0          0 pipe tablearg ip from any to table(2) out
    65531      746      71739 fwd 127.0.0.1,8000 tcp from any to any in
    65532      643      154006 allow tcp from any to any out
    65533    92768    19184302 deny ip from any to any
    65534        0          0 allow ip from any to any layer2
    65535      86      79613 allow ip from any to any



  • Well, the idea was to check whether the MAC addresses you wanted blocked are actually still in the 'ipfw show' list you just posted, even though you've removed them from the MAC pass-through page of pfSense's webGUI.



  • @luke240778:

    Thanks for this.  I have actually contacted them to do a demo.  They are telling me that their software works best with MikroTik, and not so great with pfSense... not sure what to do now.  Can I somehow use both MikroTik and pfSense?

    I'm using pfSense (failover & SIP proxy) + MikroTik (PPPoE) and Ubiquiti Rocket M5 as AP; for CPE: NanoStation, NanoStation Loco & NanoBridge (all 5M series), and Linksys SPA2102 for clients with VoIP service. I do the PPPoE & traffic shaping at the CPE.



  • @dhatz:

    Well, the idea was to check whether the MAC addresses you wanted blocked are actually still in the 'ipfw show' list you just posted, even though you've removed them from the MAC pass-through page of pfSense's webGUI.

    Ah ok, I see.  I will check that.  Thank you.

    Is it strange that the other ipfw commands you mentioned before didn't do anything when I ran them?



  • @luke240778:

    Is it strange that the other ipfw commands you mentioned before didn't do anything when I ran them?

    Well, perhaps I wasn't clear enough.

    /tmp/ipfw.cp.rules is a text file that contains the ipfw configuration, so you just check its contents (using vi, more, etc.).
    ipfw table all list was to check if you had any entries in ipfw tables. Since it came back empty, it means you don't (which is to be expected, since you only use MAC passthrough).

    So, as I wrote above, you need to check whether any MAC addresses you want blocked are still in the 'ipfw show' list. And you need to check that you haven't disabled MAC filtering.



  • What about MAC addr 08:10:74:75:98:9e which seems to appear in two rule pairs?

    00186        0           0 pipe 20187 ip from any to any MAC 08:10:74:75:98:9e any
    00187      458       24248 pipe 20186 ip from any to any MAC any 08:10:74:75:98:9e
    […]
    00198        0           0 pipe 20199 ip from any to any MAC 08:10:74:75:98:9e any
    00199        0           0 pipe 20198 ip from any to any MAC any 08:10:74:75:98:9e

    What is the result of
    fgrep 08:10:74:75:98:9e /cf/conf/config.xml



  • luke (or anyone else who is regularly adding/removing MACs from CP's MAC passthrough page), could you please check your router's ipfw show output for:

    • MACs that appear in more than one rule pair (as shown in the excerpt above)

    • multiple lines with the same rule number (as shown in issue #1958)

    TIA
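
    The two checks dhatz asks for above (a MAC present in more than one rule pair, and a rule number present on more than one line) can be run against a saved copy of the ipfw show output. The script below is an added example written for this thread, not code from the thread or from pfSense; it assumes the output was saved with `ipfw show > /tmp/ipfw.txt`, and its built-in sample is made of the rule pairs quoted above plus a constructed duplicate rule number.

```shell
#!/bin/sh
# Added example (not from the thread): scan saved `ipfw show` output for the
# two captive-portal MAC passthrough symptoms discussed in the thread.
# Assumed usage:  ipfw show > /tmp/ipfw.txt; sh check_ipfw.sh /tmp/ipfw.txt

# Report every MAC that occurs in more than one rule pair. A healthy
# passthrough entry is exactly two rules (one "MAC <mac> any", one
# "MAC any <mac>"), so a MAC counted more than twice is a leftover.
dup_macs() {
    awk '
        {
            # locate the "MAC" keyword; the next two fields are src and dst,
            # and whichever of them is not "any" is the address of interest
            for (i = 1; i < NF; i++) {
                if ($i == "MAC") {
                    for (j = i + 1; j <= i + 2 && j <= NF; j++) {
                        if ($j != "any") {
                            count[$j]++
                            rules[$j] = rules[$j] " " $1
                        }
                    }
                }
            }
        }
        END {
            for (m in count)
                if (count[m] > 2)
                    printf "%s appears in %d rules:%s\n", m, count[m], rules[m]
        }
    ' "$1" | sort
}

# Report rule numbers (first column) that occur on more than one line.
dup_rules() {
    awk '{ seen[$1]++ } END { for (r in seen) if (seen[r] > 1) print r, seen[r] }' "$1" | sort
}

# Constructed sample: rules 00184-00199 are taken from the output posted in
# the thread (08:10:74:75:98:9e shows up in two pairs); the two "00200" lines
# are constructed to show a duplicated rule number.
sample_rules() {
    cat <<'EOF'
00184   954445   682284918 allow ip from any to any MAC 00:1e:64:52:a0:16 any
00185  1186802  1104938693 allow ip from any to any MAC any 00:1e:64:52:a0:16
00186        0           0 pipe 20187 ip from any to any MAC 08:10:74:75:98:9e any
00187      458       24248 pipe 20186 ip from any to any MAC any 08:10:74:75:98:9e
00198        0           0 pipe 20199 ip from any to any MAC 08:10:74:75:98:9e any
00199        0           0 pipe 20198 ip from any to any MAC any 08:10:74:75:98:9e
00200        0           0 pipe 20201 ip from any to any MAC 08:10:74:86:2f:42 any
00200        0           0 pipe 20200 ip from any to any MAC any 08:10:74:86:2f:42
65533    92768    19184302 deny ip from any to any
EOF
}

# With a file argument, scan that file; with none, scan the constructed sample.
if [ -n "${1:-}" ]; then
    src="$1"
else
    src=$(mktemp)
    sample_rules > "$src"
fi
echo "MACs in more than one rule pair:"
dup_macs "$src"
echo "Rule numbers used more than once:"
dup_rules "$src"
```

Any MAC reported by dup_macs is one to compare against the MAC passthrough page and /cf/conf/config.xml, as dhatz suggests.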



  • Just a quick reply to let you know I am traveling at the moment and will check this out and post back as soon as I am back home.



  • If you're using MAC passthrough and deleting entries, it will delete the one you specify, but it also deletes part of others, which will break their access. Ticket here: http://redmine.pfsense.org/issues/1976

    Workaround: hit Save under Status > Captive Portal to correctly reload.



  • dhatz, could you tell me how I do this?  There is a lot more data than I can see on screen when I run ipfw show. Can you pipe it through more to see a screen at a time?

    I hope we can sort this out; I am getting to a point where this is causing problems.  My network is open, relying on the Captive Portal catching people who connect. Currently, every new connection is getting online without being authenticated via CP; they are somehow just passing by.  This is only happening on the outdoor clients connecting through my outdoor AP (which is on the LAN interface), but people connecting through my office AP (connected on the OPT1 interface) are getting stopped by the CP login page.

    We are currently adding more and more clients, but I am having to hide my SSID at the moment to try and stop unwanted people using the network. What I really need is that SSID broadcasting, because it is a good way for us to get more clients when people see it and phone us up.



  • Any more ideas here?



  • I suspect CP on LAN might be a fairly uncommon configuration and consequently not well tested.

    You do have CP enabled on BOTH LAN and OPT1? If so, can you move the offending AP to (say) OPT2.



  • It was all working until i did the upgrade to 2.0-RELEASE.

    I dont have an Opt2 interface. Only WAN, LAN and OPT1.  I will try swapping the AP from LAN to OPT1 and see if it works, just to see if the issue is the AP or the Captive Portal.. cause as i said before, on OPT1 currently i have just a small indoor WAP, and the Captive portal works.. but for my outdoor Ruckus AP it isn't anymore.



  • @luke240778:

    It was all working until i did the upgrade to 2.0-RELEASE.

    Upgrades can sometimes change the configuration file. Do you have CP enabled on LAN?



  • Yes, it is as it was before the upgrade. I have CP enabled on both LAN and OPT1



  • CP works fine on LAN and is extensively used and tested there. Probably want to gitsync to RELENG_2_0, or wait for 2.0.1 that will be coming this week, if you're using a lot of MAC passthroughs and editing them frequently since we fixed an issue there.



  • And i am guessing not to go the upgrade route?  do a clean install?  I dont mind if i have to do that, just a lot more work and i have the problem that i want to keep all cache and lightsquid logs..



  • luke, if you're in a hurry, you could also manually apply the bugfix, it's this one:

    https://github.com/bsdperimeter/pfsense/commit/e3db5627224a0293f74e0d032a9b230f98f85952

    I haven't noticed any issues with MAC passthrough since.



  • dhatz thanks for that.. a hurry i definitely am in.  Ill give this a try and see what happens and report back.  Thanks

    just to be clear, i am just to add this line:
    +  $ruleno = captiveportal_get_next_ipfw_ruleno(2000, 49899, true);

    (do i add the "+" at the start also?)

    Or am i supposed to delete these lines also:
    -  if ($enBwup && $enBwdown)
    -    $ruleno = captiveportal_get_next_ipfw_ruleno(2000, 49899, true);
    -  else
    -    $ruleno = captiveportal_get_next_ipfw_ruleno(2000, 49899, false);


  • Rebel Alliance

    You must delete the lines marked with "-" and add the line marked with "+"

    Or you can do as indicated by cmb

    Probably want to gitsync to RELENG_2_0

    edit:

    you have attached the "captiveportal.inc.png" from a pfsense 2.0.1 amd 64

    remove the .png and upload to  /etc/inc/

    captiveportal.inc.png



  • Ok, so here is my problem that i have absolutely no idea how to fix.  I just applied that patch thanks to dhatz, i dont know what that will fix but we will see.  I have rebooted since applying.

    So i have 1 client. His MAC is not even in the Captive Portal MAC passthrough list, he is on the DHCP Leases list and also on the ARP Table. Lightsquid logs shows his usage.  I currently see him online and see the Lightsquid logs for this user changing so i assume he is browsing, however.. i just did a ipfw show and his MAC is not in there at all…

    What is going on here??



  • Your clients need to have an IP address before they can talk with the captive portal. Hence they could well have ARP entries and DHCP leases and still not be able to communicate with the web.

    I don't know about Lightsquid - perhaps it captures a web access BEFORE it gets to Captive Portal.



  • @wallabybob:

    Your clients need to have an IP address before they can talk with the captive portal. Hence they could well have ARP entries and DHCP leases and still not be able to communicate with the web.

    I don't know about Lightsquid - perhaps it captures a web access BEFORE it gets to Captive Portal.

    Wallabybob i think you are missing the point i have been making here.. this is the issue, clients ARE getting on the web, and past the Captive Portal but i have no idea why? They should be getting stopped at the Captive Portal logon screen but no longer are.  This particular MAC isnt showing in the ipfw show but i know for certain that the client is browsing the web no problems..



  • @luke240778:

    This particular MAC isnt showing in the ipfw show but i know for certain that the client is browsing the web no problems..

    Please run a packet capture on that particular client's IP address and interface. The capture may give some clues as to how they are bypassing CP.

    @luke240778:

    Wallabybob i think you are missing the point i have been making here.. this is the issue, clients ARE getting on the web, and past the Captive Portal but i have no idea why?

    Sorry, when you said @luke240778:

    So i have 1 client. His MAC is not even in the Captive Portal MAC passthrough list, he is on the DHCP Leases list and also on the ARP Table. Lightsquid logs shows his usage.  I currently see him online and see the Lightsquid logs for this user changing so i assume he is browsing, however.. i just did a ipfw show and his MAC is not in there at all…

    I thought you were offering "having a DHCP lease and an ARP entry" as part of the evidence of being able to bypass CP.

    Now that I have thought about things a bit more, I wonder if the issue is that the client is getting into SQUID rather than CP and the squid accesses on behalf of that client are able to bypass CP because they are sourced "locally". I don't know enough about squid, CP and their interactions to be able to suggest how you might explore that theory.



  • @wallabybob:

    @luke240778:

    This particular MAC isnt showing in the ipfw show but i know for certain that the client is browsing the web no problems..

    Please run a packet capture on that particular client's IP address and interface. The capture may give some clues as to how they are bypassing CP.

    @luke240778:

    Wallabybob i think you are missing the point i have been making here.. this is the issue, clients ARE getting on the web, and past the Captive Portal but i have no idea why?

    Sorry, when you said @luke240778:

    So i have 1 client. His MAC is not even in the Captive Portal MAC passthrough list, he is on the DHCP Leases list and also on the ARP Table. Lightsquid logs shows his usage.  I currently see him online and see the Lightsquid logs for this user changing so i assume he is browsing, however.. i just did a ipfw show and his MAC is not in there at all…

    I thought you were offering "having a DHCP lease and an ARP entry" as part of the evidence of being able to bypass CP.

    Now that I have thought about things a bit more, I wonder if the issue is that the client is getting into SQUID rather than CP and the squid accesses on behalf of that client are able to bypass CP because they are sourced "locally". I don't know enough about squid, CP and their interactions to be able to suggest how you might explore that theory.

    IP address of the MAC i know is bypassing the CP is 192.168.10.241, here is a packet capture i just ran:

    00:59:28.164510 IP 192.168.10.241.1534 > 204.236.234.74.80: tcp 588
    00:59:28.164549 IP 204.236.234.74.80 > 192.168.10.241.1534: tcp 0
    00:59:28.465596 IP 204.236.234.74.80 > 192.168.10.241.1534: tcp 313
    00:59:28.465816 IP 204.236.234.74.80 > 192.168.10.241.1534: tcp 43
    00:59:28.531317 IP 192.168.10.241.1534 > 204.236.234.74.80: tcp 0
    00:59:36.671760 IP 192.168.10.241.2717 > 65.54.49.80.1863: tcp 5
    00:59:36.814082 IP 65.54.49.80.1863 > 192.168.10.241.2717: tcp 8
    00:59:36.987721 IP 192.168.10.241.2717 > 65.54.49.80.1863: tcp 0
    01:00:18.851057 IP 192.168.10.241.2717 > 65.54.49.80.1863: tcp 5
    01:00:19.000373 IP 65.54.49.80.1863 > 192.168.10.241.2717: tcp 8
    01:00:19.137851 IP 192.168.10.241.2717 > 65.54.49.80.1863: tcp 0
    01:00:50.510226 IP 192.168.10.241.1534 > 204.236.234.74.80: tcp 612
    01:00:50.510265 IP 204.236.234.74.80 > 192.168.10.241.1534: tcp 0
    01:00:50.972113 IP 204.236.234.74.80 > 192.168.10.241.1534: tcp 313
    01:00:50.972267 IP 204.236.234.74.80 > 192.168.10.241.1534: tcp 43
    01:00:51.028514 IP 192.168.10.241.1534 > 204.236.234.74.80: tcp 0
    01:00:59.014654 IP 192.168.10.241.2717 > 65.54.49.80.1863: tcp 5
    01:00:59.157985 IP 65.54.49.80.1863 > 192.168.10.241.2717: tcp 8
    01:00:59.289235 IP 192.168.10.241.2717 > 65.54.49.80.1863: tcp 0
    01:01:15.188511 IP 74.125.234.91.80 > 192.168.10.241.1739: tcp 0
    01:01:15.208393 IP 192.168.10.241.1739 > 74.125.234.91.80: tcp 0
    01:01:16.187616 IP 195.28.181.138.80 > 192.168.10.241.1740: tcp 0
    01:01:16.199754 IP 192.168.10.241.1740 > 195.28.181.138.80: tcp 0
    01:01:17.186638 IP 184.173.254.59.80 > 192.168.10.241.1746: tcp 0
    01:01:17.195715 IP 192.168.10.241.1746 > 184.173.254.59.80: tcp 0
    01:01:18.185736 IP 213.8.137.51.80 > 192.168.10.241.1748: tcp 0
    01:01:18.196753 IP 192.168.10.241.1748 > 213.8.137.51.80: tcp 0
    01:01:46.015915 IP 192.168.5.28 > 192.168.10.241: ICMP echo request, id 1024, seq 37241, length 24
    01:01:46.017889 IP 192.168.5.28 > 192.168.10.241: ICMP echo request, id 1024, seq 42361, length 24
    01:01:46.018875 IP 192.168.5.28 > 192.168.10.241: ICMP echo request, id 1024, seq 47481, length 24
    01:01:46.101480 IP 192.168.10.241 > 192.168.5.28: ICMP echo reply, id 1024, seq 37241, length 24
    01:01:46.142832 IP 192.168.10.241 > 192.168.5.28: ICMP echo reply, id 1024, seq 42361, length 24
    01:01:46.144745 IP 192.168.10.241 > 192.168.5.28: ICMP echo reply, id 1024, seq 47481, length 24
    01:01:47.158082 IP 192.168.10.241.2717 > 65.54.49.80.1863: tcp 5
    01:01:47.302091 IP 65.54.49.80.1863 > 192.168.10.241.2717: tcp 8
    01:01:47.465471 IP 192.168.10.241.2717 > 65.54.49.80.1863: tcp 0
    01:01:59.586950 IP 192.168.10.241.1534 > 204.236.234.74.80: tcp 572
    01:01:59.586991 IP 204.236.234.74.80 > 192.168.10.241.1534: tcp 0
    01:01:59.967533 IP 204.236.234.74.80 > 192.168.10.241.1534: tcp 313
    01:01:59.967812 IP 204.236.234.74.80 > 192.168.10.241.1534: tcp 43
    01:01:59.978150 IP 192.168.10.241.1534 > 204.236.234.74.80: tcp 0
    01:02:31.315672 IP 192.168.10.241.2717 > 65.54.49.80.1863: tcp 5
    01:02:31.462128 IP 65.54.49.80.1863 > 192.168.10.241.2717: tcp 8
    01:02:31.614572 IP 192.168.10.241.2717 > 65.54.49.80.1863: tcp 0
    01:02:56.311476 IP 192.168.5.28.4193 > 192.168.10.241.137: UDP, length 50
    01:03:11.479934 IP 192.168.10.241.2717 > 65.54.49.80.1863: tcp 5
    01:03:11.624158 IP 65.54.49.80.1863 > 192.168.10.241.2717: tcp 8
    01:03:11.761804 IP 192.168.10.241.2717 > 65.54.49.80.1863: tcp 0
    01:03:16.497933 IP 192.168.5.28 > 192.168.10.241: ICMP echo request, id 1024, seq 46464, length 24
    01:03:16.501866 IP 192.168.5.28 > 192.168.10.241: ICMP echo request, id 1024, seq 50048, length 24
    01:03:16.501872 IP 192.168.5.28 > 192.168.10.241: ICMP echo request, id 1024, seq 53632, length 24
    01:03:16.565799 IP 192.168.10.241 > 192.168.5.28: ICMP echo reply, id 1024, seq 46464, length 24
    01:03:16.583443 IP 192.168.10.241 > 192.168.5.28: ICMP echo reply, id 1024, seq 50048, length 24
    01:03:16.585429 IP 192.168.10.241 > 192.168.5.28: ICMP echo reply, id 1024, seq 53632, length 24

    Sorry i wasnt meaning that the DHCP entry and the ARP entry were evidence of being able to bypass CP.. just that i can see that the MAC and IP of that client is online and not in the MAC passthrough list, and is definitely online and surfing, so it is somehow bypassing the CP.

    That thought about Squid is an interesting one.. i am just running Squid as a transparent proxy.. can someone with more knowledge of Squid possibly give your two cents worth here?
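    One way to test the squid theory against the capture above is to tally where the client's outbound packets actually go, per destination host and port. The snippet below is an added example, not something posted in this thread: it assumes the plain tcpdump line format shown above and that the transparent proxy redirect covers TCP port 80 only (the usual squid setup, taken here as an assumption about luke's configuration); the sample input is a constructed excerpt of the capture lines already shown.

```shell
#!/bin/sh
# Added example (not part of the thread): summarise a tcpdump-style capture for
# one client so the traffic a port-80 transparent proxy could explain can be
# separated from traffic it could not.

# Print one line per destination "host port count" for packets whose source is
# the given client IP. ICMP lines carry no port, so they are reported as "icmp".
# Usage: outbound_summary <client_ip> < capture.txt
outbound_summary() {
    awk -v c="$1" '
        # tcpdump fields: $1 time, $2 "IP", $3 src[.port], $4 ">", $5 dst[.port]:
        $2 == "IP" && ($3 == c || substr($3, 1, length(c) + 1) == c ".") {
            d = $5; sub(/:$/, "", d)
            n = split(d, p, ".")                  # 5 parts with a port, 4 without
            host = p[1] "." p[2] "." p[3] "." p[4]
            port = (n == 5) ? p[5] : "icmp"
            count[host " " port]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort
}

# Keep only destinations that are not port 80: a transparent proxy redirect for
# port 80 never sees these, so they reached the outside by some other path.
non_http() {
    awk '$2 != "80"'
}

# Constructed excerpt of the capture posted above (client 192.168.10.241).
CAPTURE='00:59:28.164510 IP 192.168.10.241.1534 > 204.236.234.74.80: tcp 588
00:59:28.164549 IP 204.236.234.74.80 > 192.168.10.241.1534: tcp 0
00:59:28.531317 IP 192.168.10.241.1534 > 204.236.234.74.80: tcp 0
00:59:36.671760 IP 192.168.10.241.2717 > 65.54.49.80.1863: tcp 5
00:59:36.814082 IP 65.54.49.80.1863 > 192.168.10.241.2717: tcp 8
00:59:36.987721 IP 192.168.10.241.2717 > 65.54.49.80.1863: tcp 0
01:01:15.208393 IP 192.168.10.241.1739 > 74.125.234.91.80: tcp 0
01:01:46.101480 IP 192.168.10.241 > 192.168.5.28: ICMP echo reply, id 1024, seq 37241, length 24
01:02:56.311476 IP 192.168.5.28.4193 > 192.168.10.241.137: UDP, length 50'

# On the router you would pipe a real capture in instead, e.g.
#   tcpdump -n -i <lan_if> host 192.168.10.241 | outbound_summary 192.168.10.241
echo "outbound packets from 192.168.10.241 by destination:"
printf '%s\n' "$CAPTURE" | outbound_summary 192.168.10.241
echo "destinations a port-80 transparent proxy cannot account for:"
printf '%s\n' "$CAPTURE" | outbound_summary 192.168.10.241 | non_http
```

    In the full capture above the client completes exchanges with 65.54.49.80 on TCP 1863 as well as with web servers on port 80, so whatever is letting it out is not limited to HTTP; that is the part the squid theory on its own does not cover, and it points back at the ipfw rule set on the LAN interface (the earlier `ipfw show` and `/tmp/ipfw.cp.rules` checks) rather than at the proxy.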

