Netgate Discussion Forum
    PfSense 2.0.2 Captive Portal - NAT and DNS Forwarder problems

    cpereira

      Hi Guys,

      After a bunch of failed attempts at running 2.1 I've reverted to 2.0.2 and I'm noticing the following problem:

      • When the captive portal is turned on, clients start experiencing really slow address resolution and website responses.
        I've looked at the firewall log and it seems like when the captive portal is on, states are lost and the firewall drops packets due to them being out-of-state.
        Also, the DNS forwarder is unable to deliver dns responses to the clients behind the captive portal failing with "Host is Down".

      Here's the output of my ipfw table all list:

      [2.0.3-PRERELEASE][root@auth.hsia.torontoprimrosehotel.com]/root(1): ipfw table all list

      And here's the output of my ipfw show

      [2.0.3-PRERELEASE][root@auth.hsia.torontoprimrosehotel.com]/root(103): ipfw show
      65291      0         0 allow pfsync from any to any
      65292      0         0 allow carp from any to any
      65301   6294    266934 allow ip from any to any layer2 mac-type 0x0806
      65302      0         0 allow ip from any to any layer2 mac-type 0x888e
      65303      0         0 allow ip from any to any layer2 mac-type 0x88c7
      65304      0         0 allow ip from any to any layer2 mac-type 0x8863
      65305      0         0 allow ip from any to any layer2 mac-type 0x8864
      65307      5       360 deny ip from any to any layer2 not mac-type 0x0800
      65310  24712   2343923 allow ip from any to { 255.255.255.255 or 10.10.0.1 or 10.12.0.1 } in
      65311  34977  15879932 allow ip from { 255.255.255.255 or 10.10.0.1 or 10.12.0.1 } to any out
      65312      0         0 allow icmp from { 255.255.255.255 or 10.10.0.1 or 10.12.0.1 } to any out icmptypes 0
      65313      0         0 allow icmp from any to { 255.255.255.255 or 10.10.0.1 or 10.12.0.1 } in icmptypes 8
      65314      0         0 allow ip from table(3) to any in
      65315      0         0 allow ip from any to table(4) out
      65316      0         0 pipe tablearg ip from table(5) to any in
      65317      0         0 pipe tablearg ip from any to table(6) out
      65318      0         0 allow ip from any to table(7) in
      65319      0         0 allow ip from table(8) to any out
      65320      0         0 pipe tablearg ip from any to table(9) in
      65321      0         0 pipe tablearg ip from table(10) to any out
      65322 422743  38521619 allow ip from table(1) to any in
      65323 677801 910376653 allow ip from any to table(2) out
      65531  44852  10509661 fwd 127.0.0.1,8000 tcp from any to any in
      65532  32693   2615216 allow tcp from any to any out
      65533  13781   1848137 deny ip from any to any
      65534      0         0 allow ip from any to any layer2
      65535      0         0 allow ip from any to any
      
      

      Can anyone give me a hand with this please? I have 300+ angry college teens with pitchforks right outside my office… lol

      Thanks,

      Carlos

      cpereira
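To see which of the ipfw rules in a listing like the one above are actually matching traffic (which deny rules count drops, where the portal `fwd` redirect sits, and how many packets the table-keyed allow rules pass), here is an added triage helper; it is not code from the thread or from pfSense, and its sample input is a constructed subset of the `ipfw show` output quoted above.

```python
"""Triage an `ipfw show` listing: which rules are actually matching traffic."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the `ipfw show` listing quoted in the post.
IPFW_SHOW = """\
65307      5       360 deny ip from any to any layer2 not mac-type 0x0800
65322 422743  38521619 allow ip from table(1) to any in
65323 677801 910376653 allow ip from any to table(2) out
65531  44852  10509661 fwd 127.0.0.1,8000 tcp from any to any in
65532  32693   2615216 allow tcp from any to any out
65533  13781   1848137 deny ip from any to any
65535      0         0 allow ip from any to any
"""

@dataclass
class Rule:
    number: int
    packets: int
    bytes: int
    action: str
    body: str
    tables: tuple  # ipfw table numbers referenced in the rule body

# `ipfw show` columns: rule number, packet counter, byte counter, then the rule text.
_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.*)$")

def parse_ipfw_show(text):
    rules = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # prompt lines, blanks and other noise are skipped
        num, pkts, byts, action, body = m.groups()
        tables = tuple(int(t) for t in re.findall(r"table\((\d+)\)", body))
        rules.append(Rule(int(num), int(pkts), int(byts), action, body, tables))
    return rules

def active_denies(rules):
    """Deny rules with a non-zero packet counter: where traffic is being dropped."""
    return [r for r in rules if r.action == "deny" and r.packets > 0]

def portal_redirects(rules):
    """fwd rules: TCP not matched earlier is redirected to the portal listener."""
    return [r for r in rules if r.action == "fwd"]

def table_hits(rules):
    """Packets counted per referenced table (the allow rules key on table(1)/table(2))."""
    hits = {}
    for r in rules:
        for t in r.tables:
            hits[t] = hits.get(t, 0) + r.packets
    return hits
```

Feed it the full listing and compare `active_denies` against the firewall log drops; a large counter on the final catch-all deny, as in the post, confirms that traffic is reaching the end of the ruleset unmatched.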

        Some additional information:
        From the syslog:

        Jan 25 19:41:35	dnsmasq[59277]: failed to send packet: Host is down
        Jan 25 19:41:35	dnsmasq[59277]: failed to send packet: Host is down
        Jan 25 19:41:31	dnsmasq[59277]: failed to send packet: Host is down
        Jan 25 19:41:31	dnsmasq[59277]: failed to send packet: Host is down
        Jan 25 19:41:29	dnsmasq[59277]: failed to send packet: Host is down
        Jan 25 19:41:29	dnsmasq[59277]: failed to send packet: Host is down
        Jan 25 19:41:28	dnsmasq[59277]: failed to send packet: Host is down
        Jan 25 19:41:28	dnsmasq[59277]: failed to send packet: Host is down
        Jan 25 19:41:27	dnsmasq[59277]: failed to send packet: Host is down
        Jan 25 19:41:27	dnsmasq[59277]: failed to send packet: Host is down
        

        Also, I've noticed that when I turn on the captive portal, I start seeing a lot of firewall drops (probably out-of-state) that are triggered by rules on interfaces where they shouldn't be.
        Basically I have two internal networks protected by the captive portal, one infrastructure network and four wan connections.

          fsantaana

          I'm also experiencing the same problem. However, I have 3 boxes with the same config and it's only happening on one of them. I noticed that if I switch the interface it starts working again. Anyone got any help?

          Jan 31 22:23:19	dnsmasq[11129]: failed to send packet: Host is down
          Jan 31 22:23:24	dnsmasq[11129]: failed to send packet: Host is down
          Jan 31 22:23:24	dnsmasq[11129]: failed to send packet: Host is down
          Jan 31 22:23:27	dnsmasq[11129]: failed to send packet: Host is down
          Jan 31 22:23:27	dnsmasq[11129]: failed to send packet: Host is down
          Jan 31 22:23:30	dnsmasq[11129]: failed to send packet: Host is down
          Jan 31 22:23:30	dnsmasq[11129]: failed to send packet: Host is down
          

          And I also see something weird on this, where it's the only site I'm getting rebind attacks, and I think it's filling the logs or doing something to bring down the dnsmasq service.

          Jan 31 22:26:15	dnsmasq[38233]: possible DNS-rebind attack detected: ap.fire4.com
          Jan 31 22:26:15	dnsmasq[38233]: possible DNS-rebind attack detected: ap.fire4.com
          Jan 31 22:26:15	dnsmasq[38233]: possible DNS-rebind attack detected: ap.fire4.com
          Jan 31 22:26:15	dnsmasq[38233]: possible DNS-rebind attack detected: ap.fire4.com
          

          Is there a way to see where the attacks are coming from?

            cpereira

            Hi fsantaana,

            What do you mean with switching the interface?
            Also, the DNS rebinding messages are usually due to clients that accessed other hotspots before - no need to worry there.

            Cheers,

            Carlos

              fsantaana

              The box I'm running pfSense on has 8 Ethernet connections, so it has WAN/LAN and 6 OPT interfaces. When I speak about switching, I mean I have replicated the config on each interface, and when I physically switch it comes back.

              I corrected this and it's OK. Also, I found where the units were asking for the rebind attack and corrected that as well. However, I still have the "host is down" dnsmasq error.

              Have you found anything new on your side on this?
