Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    PfSense 2.0.2 Captive Portal - NAT and DNS Forwarder problems

    Scheduled Pinned Locked Moved Captive Portal
    5 Posts 2 Posters 4.8k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • C
      cpereira
      last edited by

      Hi Guys,

      After a bunch of failed attempts at running 2.1 I've reverted to 2.0.2 and I'm noticing the following problem:

      • When the captive portal is turned on, clients start experiencing really slow address resolution and website responses.
        I've looked at the firewall log and it seems like when the captive portal is on, states are lost and the firewall drops packets due to them being out-of-state.
        Also, the DNS forwarder is unable to deliver dns responses to the clients behind the captive portal failing with "Host is Down".

      Here's the output of my ipfw table all list:

      [2.0.3-PRERELEASE][root@auth.hsia.torontoprimrosehotel.com]/root(1): ipfw table all list
---table(1)---
10.10.0.24/32 0 2348 433047
10.10.0.45/32 0 662 119508
10.10.0.69/32 0 6347 759363
10.10.0.87/32 0 17752 2294652
10.10.0.109/32 0 53 9798
10.10.0.146/32 0 8729 772241
10.10.0.150/32 0 2180 481073
10.10.0.192/32 0 3802 353322
10.10.0.225/32 0 979 127292
10.10.1.8/32 0 2462 361732
10.10.1.12/32 0 1196 259208
10.10.1.149/32 0 1031 105232
10.10.2.30/32 0 16267 1373434
10.10.2.47/32 0 5030 692970
10.10.2.56/32 0 1820 204946
10.10.2.59/32 0 1231 148054
10.10.2.60/32 0 1272 212983
10.10.2.73/32 0 7562 725435
10.10.2.90/32 0 3883 564616
10.10.2.101/32 0 1480 221249
10.10.2.102/32 0 823 154637
10.10.2.109/32 0 3649 578132
10.10.2.110/32 0 426 86768
10.10.2.116/32 0 1488 287811
10.10.2.141/32 0 557 38548
10.10.2.147/32 0 1963 312442
10.10.2.149/32 0 792 107790
10.10.2.151/32 0 39 6805
10.10.2.157/32 0 421 36379
10.10.2.159/32 0 2746 313984
10.10.2.167/32 0 1504 239382
10.10.2.172/32 0 3028 628128
10.10.2.173/32 0 1210 174446
10.10.2.175/32 0 3448 286939
10.10.2.193/32 0 1912 315841
10.10.2.198/32 0 1071 171054
10.10.2.207/32 0 7959 682335
10.10.2.208/32 0 896 169682
10.10.2.218/32 0 4009 432745
10.10.2.219/32 0 11 1941
10.10.2.224/32 0 26322 1518281
10.10.2.229/32 0 1917 181703
10.10.2.251/32 0 19338 1248760
10.10.2.252/32 0 138 15210
10.10.3.6/32 0 25153 1590038
10.10.3.7/32 0 12029 1059149
10.10.3.19/32 0 1617 233734
10.10.3.40/32 0 962 171463
10.12.3.67/32 0 1643 180081
---table(2)---
10.10.0.24/32 0 1888 1136302
10.10.0.45/32 0 574 419932
10.10.0.69/32 0 10798 14147372
10.10.0.87/32 0 21395 26050690
10.10.0.109/32 0 40 8465
10.10.0.146/32 0 14439 20566597
10.10.0.150/32 0 2255 2030159
10.10.0.192/32 0 5605 7795850
10.10.0.225/32 0 934 702689
10.10.1.8/32 0 2534 2517145
10.10.1.12/32 0 1226 1127362
10.10.1.149/32 0 1456 1569867
10.10.2.30/32 0 25551 34323543
10.10.2.47/32 0 5732 5897442
10.10.2.56/32 0 1645 1284604
10.10.2.59/32 0 1739 1894924
10.10.2.60/32 0 699 374047
10.10.2.73/32 0 12298 16909715
10.10.2.90/32 0 4642 5202988
10.10.2.101/32 0 1473 1226624
10.10.2.102/32 0 881 686711
10.10.2.109/32 0 4030 4203547
10.10.2.110/32 0 366 226982
10.10.2.116/32 0 1464 1023867
10.10.2.141/32 0 794 994494
10.10.2.147/32 0 1422 1139792
10.10.2.149/32 0 444 78428
10.10.2.151/32 0 5 447
10.10.2.157/32 0 1180 1600159
10.10.2.159/32 0 2336 1361466
10.10.2.167/32 0 1736 1721010
10.10.2.172/32 0 3303 2016170
10.10.2.173/32 0 840 498236
10.10.2.175/32 0 5750 7933600
10.10.2.193/32 0 2349 2365749
10.10.2.198/32 0 1630 1869290
10.10.2.207/32 0 12872 17508964
10.10.2.208/32 0 681 401505
10.10.2.218/32 0 5321 5965526
10.10.2.219/32 0 10 2765
10.10.2.224/32 0 51482 75857817
10.10.2.229/32 0 2904 3736192
10.10.2.251/32 0 34740 50798601
10.10.2.252/32 0 147 158926
10.10.3.6/32 0 56352 83037548
10.10.3.7/32 0 16241 20561344
10.10.3.19/32 0 1301 574753
10.10.3.40/32 0 678 100504
10.12.3.67/32 0 1492 1705404

      And here's the output of my ipfw show

      [2.0.3-PRERELEASE][root@auth.hsia.torontoprimrosehotel.com]/root(103): ipfw show
65291      0         0 allow pfsync from any to any
65292      0         0 allow carp from any to any
65301   6294    266934 allow ip from any to any layer2 mac-type 0x0806
65302      0         0 allow ip from any to any layer2 mac-type 0x888e
65303      0         0 allow ip from any to any layer2 mac-type 0x88c7
65304      0         0 allow ip from any to any layer2 mac-type 0x8863
65305      0         0 allow ip from any to any layer2 mac-type 0x8864
65307      5       360 deny ip from any to any layer2 not mac-type 0x0800
65310  24712   2343923 allow ip from any to { 255.255.255.255 or 10.10.0.1 or 10.12.0.1 } in
65311  34977  15879932 allow ip from { 255.255.255.255 or 10.10.0.1 or 10.12.0.1 } to any out
65312      0         0 allow icmp from { 255.255.255.255 or 10.10.0.1 or 10.12.0.1 } to any out icmptypes 0
65313      0         0 allow icmp from any to { 255.255.255.255 or 10.10.0.1 or 10.12.0.1 } in icmptypes 8
65314      0         0 allow ip from table(3) to any in
65315      0         0 allow ip from any to table(4) out
65316      0         0 pipe tablearg ip from table(5) to any in
65317      0         0 pipe tablearg ip from any to table(6) out
65318      0         0 allow ip from any to table(7) in
65319      0         0 allow ip from table(8) to any out
65320      0         0 pipe tablearg ip from any to table(9) in
65321      0         0 pipe tablearg ip from table(10) to any out
65322 422743  38521619 allow ip from table(1) to any in
65323 677801 910376653 allow ip from any to table(2) out
65531  44852  10509661 fwd 127.0.0.1,8000 tcp from any to any in
65532  32693   2615216 allow tcp from any to any out
65533  13781   1848137 deny ip from any to any
65534      0         0 allow ip from any to any layer2
65535      0         0 allow ip from any to any

      Can anyone give me a hand with this please? I have 300+ angry college teens with pitchforks right outside my office… lol

      Thanks,

      Carlos

      1 Reply Last reply Reply Quote 0
      • C
        cpereira
        last edited by

        Some additional information:
        From the syslog:

        Jan 25 19:41:35	dnsmasq[59277]: failed to send packet: Host is down
Jan 25 19:41:35	dnsmasq[59277]: failed to send packet: Host is down
Jan 25 19:41:31	dnsmasq[59277]: failed to send packet: Host is down
Jan 25 19:41:31	dnsmasq[59277]: failed to send packet: Host is down
Jan 25 19:41:29	dnsmasq[59277]: failed to send packet: Host is down
Jan 25 19:41:29	dnsmasq[59277]: failed to send packet: Host is down
Jan 25 19:41:28	dnsmasq[59277]: failed to send packet: Host is down
Jan 25 19:41:28	dnsmasq[59277]: failed to send packet: Host is down
Jan 25 19:41:27	dnsmasq[59277]: failed to send packet: Host is down
Jan 25 19:41:27	dnsmasq[59277]: failed to send packet: Host is down

        Also, I've noticed that when I turn on the captive portal, I start seeing a lot of firewall drops (probably out-of-state) that are triggered by rules on interfaces where they shouldn't be.
        Basically I have two internal networks protected by the captive portal, one infrastructure network and four wan connections.

        1 Reply Last reply Reply Quote 0
        • F
          fsantaana
          last edited by

          I'm also experiencing the same problem. However i have 3 boxes with the same config and it's only happening on one of them. I noticed that if i switch the interface it starts working again. Anyone got any help?

          Jan 31 22:23:19	dnsmasq[11129]: failed to send packet: Host is down
Jan 31 22:23:24	dnsmasq[11129]: failed to send packet: Host is down
Jan 31 22:23:24	dnsmasq[11129]: failed to send packet: Host is down
Jan 31 22:23:27	dnsmasq[11129]: failed to send packet: Host is down
Jan 31 22:23:27	dnsmasq[11129]: failed to send packet: Host is down
Jan 31 22:23:30	dnsmasq[11129]: failed to send packet: Host is down
Jan 31 22:23:30	dnsmasq[11129]: failed to send packet: Host is down

          and i also see something weird on this where it's the only site i'm getting rebind attacks and i think it's filling the logs or doing something to bring down the dnsmasq service.

          Jan 31 22:26:15	dnsmasq[38233]: possible DNS-rebind attack detected: ap.fire4.com
Jan 31 22:26:15	dnsmasq[38233]: possible DNS-rebind attack detected: ap.fire4.com
Jan 31 22:26:15	dnsmasq[38233]: possible DNS-rebind attack detected: ap.fire4.com
Jan 31 22:26:15	dnsmasq[38233]: possible DNS-rebind attack detected: ap.fire4.com

          is there a way to see where the attacks are coming from?

          1 Reply Last reply Reply Quote 0
          • C
            cpereira
            last edited by

            Hi fsantana,

            What do you mean with switching the interface?
            Also, the DNS rebinding messages are usually due to clients that accessed other hotspots before - no need to worry there.

            Cheers,

            Carlos

            1 Reply Last reply Reply Quote 0
            • F
              fsantaana
              last edited by

              The box i'm running pfsense on has 8 Ethernet connections so it has wan/lan and 6 opt interfaces. When i speak about switching is i have replicated the config on each interface and when i physically switch it comes back.

              I corrected this and it's ok also i found where the units where asking for the rebind attack and correct that as well. However i still have the host is down dnsmasq error.

              Have you found anything new on your side on this?

              1 Reply Last reply Reply Quote 0
              • First post
                Last post
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.