PfSense 2.0.2 Captive Portal - NAT and DNS Forwarder problems
-
Hi Guys,
After a bunch of failed attempts at running 2.1 I've reverted to 2.0.2 and I'm noticing the following problem:
- When the captive portal is turned on, clients start experiencing really slow address resolution and website responses.
I've looked at the firewall log and it seems like when the captive portal is on, states are lost and the firewall drops packets due to them being out-of-state.
Also, the DNS forwarder is unable to deliver dns responses to the clients behind the captive portal failing with "Host is Down".
Here's the output of my ipfw table all list:
And here's the output of my ipfw show:
[2.0.3-PRERELEASE][root@auth.hsia.torontoprimrosehotel.com]/root(103): ipfw show
65291 0 0 allow pfsync from any to any
65292 0 0 allow carp from any to any
65301 6294 266934 allow ip from any to any layer2 mac-type 0x0806
65302 0 0 allow ip from any to any layer2 mac-type 0x888e
65303 0 0 allow ip from any to any layer2 mac-type 0x88c7
65304 0 0 allow ip from any to any layer2 mac-type 0x8863
65305 0 0 allow ip from any to any layer2 mac-type 0x8864
65307 5 360 deny ip from any to any layer2 not mac-type 0x0800
65310 24712 2343923 allow ip from any to { 255.255.255.255 or 10.10.0.1 or 10.12.0.1 } in
65311 34977 15879932 allow ip from { 255.255.255.255 or 10.10.0.1 or 10.12.0.1 } to any out
65312 0 0 allow icmp from { 255.255.255.255 or 10.10.0.1 or 10.12.0.1 } to any out icmptypes 0
65313 0 0 allow icmp from any to { 255.255.255.255 or 10.10.0.1 or 10.12.0.1 } in icmptypes 8
65314 0 0 allow ip from table(3) to any in
65315 0 0 allow ip from any to table(4) out
65316 0 0 pipe tablearg ip from table(5) to any in
65317 0 0 pipe tablearg ip from any to table(6) out
65318 0 0 allow ip from any to table(7) in
65319 0 0 allow ip from table(8) to any out
65320 0 0 pipe tablearg ip from any to table(9) in
65321 0 0 pipe tablearg ip from table(10) to any out
65322 422743 38521619 allow ip from table(1) to any in
65323 677801 910376653 allow ip from any to table(2) out
65531 44852 10509661 fwd 127.0.0.1,8000 tcp from any to any in
65532 32693 2615216 allow tcp from any to any out
65533 13781 1848137 deny ip from any to any
65534 0 0 allow ip from any to any layer2
65535 0 0 allow ip from any to any
Can anyone give me a hand with this please? I have 300+ angry college teens with pitchforks right outside my office… lol
Thanks,
Carlos
-
Some additional information:
From the syslog:
Jan 25 19:41:35 dnsmasq[59277]: failed to send packet: Host is down
Jan 25 19:41:35 dnsmasq[59277]: failed to send packet: Host is down
Jan 25 19:41:31 dnsmasq[59277]: failed to send packet: Host is down
Jan 25 19:41:31 dnsmasq[59277]: failed to send packet: Host is down
Jan 25 19:41:29 dnsmasq[59277]: failed to send packet: Host is down
Jan 25 19:41:29 dnsmasq[59277]: failed to send packet: Host is down
Jan 25 19:41:28 dnsmasq[59277]: failed to send packet: Host is down
Jan 25 19:41:28 dnsmasq[59277]: failed to send packet: Host is down
Jan 25 19:41:27 dnsmasq[59277]: failed to send packet: Host is down
Jan 25 19:41:27 dnsmasq[59277]: failed to send packet: Host is down
Also, I've noticed that when I turn on the captive portal, I start seeing a lot of firewall drops (probably out-of-state) that are triggered by rules on interfaces where they shouldn't be.
Basically I have two internal networks protected by the captive portal, one infrastructure network and four WAN connections.
-
I'm also experiencing the same problem. However, I have 3 boxes with the same config and it's only happening on one of them. I noticed that if I switch the interface it starts working again. Anyone got any help?
Jan 31 22:23:19 dnsmasq[11129]: failed to send packet: Host is down
Jan 31 22:23:24 dnsmasq[11129]: failed to send packet: Host is down
Jan 31 22:23:24 dnsmasq[11129]: failed to send packet: Host is down
Jan 31 22:23:27 dnsmasq[11129]: failed to send packet: Host is down
Jan 31 22:23:27 dnsmasq[11129]: failed to send packet: Host is down
Jan 31 22:23:30 dnsmasq[11129]: failed to send packet: Host is down
Jan 31 22:23:30 dnsmasq[11129]: failed to send packet: Host is down
And I also see something weird on this, where it's the only site I'm getting rebind attacks on, and I think it's filling the logs or doing something to bring down the dnsmasq service.
Jan 31 22:26:15 dnsmasq[38233]: possible DNS-rebind attack detected: ap.fire4.com
Jan 31 22:26:15 dnsmasq[38233]: possible DNS-rebind attack detected: ap.fire4.com
Jan 31 22:26:15 dnsmasq[38233]: possible DNS-rebind attack detected: ap.fire4.com
Jan 31 22:26:15 dnsmasq[38233]: possible DNS-rebind attack detected: ap.fire4.com
Is there a way to see where the attacks are coming from?
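The rebind warning only names the queried domain, so the client behind it can only be recovered by correlating the warning with dnsmasq's own query log. The script below is an added example, not code from this thread or from pfSense; it parses constructed log lines in the same format as those quoted above and assumes dnsmasq is running with the log-queries option, which is what produces the "query[A] <name> from <client>" lines it relies on.

```python
import re
from collections import defaultdict

# Constructed sample in dnsmasq syslog format, modelled on the lines quoted in
# this thread. The "query[A] <name> from <client>" lines only exist when dnsmasq
# runs with log-queries enabled (assumed here); the rebind warning itself never
# names the client, so the query log is what lets us attribute it.
SAMPLE_LOG = """\
Jan 31 22:26:14 dnsmasq[38233]: query[A] ap.fire4.com from 10.10.2.224
Jan 31 22:26:15 dnsmasq[38233]: possible DNS-rebind attack detected: ap.fire4.com
Jan 31 22:26:15 dnsmasq[38233]: query[A] ap.fire4.com from 10.10.3.6
Jan 31 22:26:15 dnsmasq[38233]: possible DNS-rebind attack detected: ap.fire4.com
Jan 31 22:23:19 dnsmasq[11129]: failed to send packet: Host is down
Jan 31 22:23:24 dnsmasq[11129]: failed to send packet: Host is down
"""

LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ dnsmasq\[\d+\]: (?P<msg>.*)$")
QUERY_RE = re.compile(r"^query\[\w+\] (?P<name>\S+) from (?P<client>\S+)$")
REBIND_RE = re.compile(r"^possible DNS-rebind attack detected: (?P<name>\S+)$")
SENDFAIL_RE = re.compile(r"^failed to send packet: (?P<err>.+)$")

def summarize(log_text):
    """Return ({name: {client: rebind_count}}, {errno_text: count}).

    A rebind warning is attributed to the client whose query for that name
    was logged most recently before it; "unknown" if no query preceded it.
    """
    last_client = {}                        # name -> client of latest query
    rebinds = defaultdict(lambda: defaultdict(int))
    send_failures = defaultdict(int)        # e.g. "Host is down" (EHOSTDOWN)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                        # not a dnsmasq line
        msg = m.group("msg")
        if (q := QUERY_RE.match(msg)):
            last_client[q.group("name")] = q.group("client")
        elif (r := REBIND_RE.match(msg)):
            rebinds[r.group("name")][last_client.get(r.group("name"), "unknown")] += 1
        elif (s := SENDFAIL_RE.match(msg)):
            # EHOSTDOWN: the kernel could not deliver the reply to the client,
            # on FreeBSD typically because the client's ARP entry is unresolved.
            send_failures[s.group("err")] += 1
    return ({n: dict(c) for n, c in rebinds.items()}, dict(send_failures))

if __name__ == "__main__":
    by_client, failures = summarize(SAMPLE_LOG)
    print("rebind detections by client:", by_client)
    print("reply delivery failures:", failures)
```

Without log-queries every rebind detection lands under "unknown", which is exactly the situation in the log quoted above; the send-failure counter is the same pattern applied to the "Host is down" lines, so both symptoms can be tracked from one pass over the log.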
-
Hi fsantana,
What do you mean with switching the interface?
Also, the DNS rebinding messages are usually due to clients that accessed other hotspots before - no need to worry there.
Cheers,
Carlos
-
The box I'm running pfSense on has 8 Ethernet connections, so it has WAN/LAN and 6 OPT interfaces. When I speak about switching, I mean I have replicated the config on each interface, and when I physically switch it comes back.
I corrected this and it's OK. Also, I found where the units were asking for the rebind attack and corrected that as well. However, I still have the "Host is down" dnsmasq error.
Have you found anything new on your side on this?