Captive Portal Allowed IP Addresses/Hostnames not working

mdmogren · Feb 4, 2013, 11:48 PM

Subject pretty much says it all. Adding an IP or hostname to the allowed list for the captive portal seems to have no effect.

Using latest snapshot: 2.1-BETA1 (amd64) built on Mon Feb 4 03:47:53 EST 2013

Just 1 zone defined. Have seen this issue in snapshots for at least the last week.

bardelot · Feb 5, 2013, 9:52 AM

Did some test and noticed that that behavior is also seen on recent i386 builds. The "Allowed IP addresses" rules are never matched except for when I use an IP address such as 128.0.0.0/1 which seems to match all.

mdmogren · Feb 6, 2013, 4:12 AM

This is a very important feature for me as I use an external captive portal login page.

I am currently stuck using a build from November at several locations. As far as I can tell this is the only remaining captive portal issue that is stopping me from updating.

Can anyone offer any insight? Any help is much appreciated.

eri-- · Feb 10, 2013, 12:50 PM

Can you show me a sysctl -a | grep pfil

bardelot · Feb 10, 2013, 7:31 PM

$ sysctl -a | grep pfil
net.inet.ip.pfil.inbound: pf, ipfw*
net.inet.ip.pfil.outbound: pf, ipfw*
net.link.bridge.pfil_local_phys: 0
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 0
net.link.bridge.pfil_onlyip: 0
net.inet6.ip6.pfil.inbound: pf, ipfw*
net.inet6.ip6.pfil.outbound: pf, ipfw*

$ ipfw -x guest table all list
---table(3)---
66.219.34.171/32 2002 0 0
---table(4)---
66.219.34.171/32 2003 0 0

$ ipfw pipe show
02002: unlimited         0 ms burst 0
q133074 100 sl. 0 flows (1 buckets) sched 67538 weight 0 lmax 0 pri 0 droptail
 sched 67538 type FIFO flags 0x0 16 buckets 0 active
02003: unlimited         0 ms burst 0
q133075 100 sl. 0 flows (1 buckets) sched 67539 weight 0 lmax 0 pri 0 droptail
 sched 67539 type FIFO flags 0x0 16 buckets 0 active

$ ipfw -x guest show
65291   0     0 allow pfsync from any to any
65292   0     0 allow carp from any to any
65301  26  1034 allow ip from any to any layer2 mac-type 0x0806,0x8035
65302   0     0 allow ip from any to any layer2 mac-type 0x888e,0x88c7
65303   0     0 allow ip from any to any layer2 mac-type 0x8863,0x8864
65307   0     0 deny ip from any to any layer2 not mac-type 0x0800,0x86dd
65310  97 10724 allow ip from any to { 255.255.255.255 or 192.168.10.1 } in
65311 100 40071 allow ip from { 255.255.255.255 or 192.168.10.1 } to any out
65312   0     0 allow icmp from { 255.255.255.255 or 192.168.10.1 } to any out icmptypes 0
65313   0     0 allow icmp from any to { 255.255.255.255 or 192.168.10.1 } in icmptypes 8
65314   0     0 pipe tablearg ip from table(3) to any in
65315   0     0 pipe tablearg ip from any to table(4) out
65316   0     0 pipe tablearg ip from table(1) to any in
65317   0     0 pipe tablearg ip from any to table(2) out
65532  55  5271 fwd 127.0.0.1,8000 tcp from any to any dst-port 80 in
65533  55  7285 allow tcp from any to any out
65534 110  9050 deny ip from any to any
65535   0     0 allow ip from any to any


$ kldstat
Id Refs Address    Size     Name
 1   13 0xc0400000 103b9b4  kernel
 2    1 0xc4ca0000 5000     glxsb.ko
 3    1 0xc5e2a000 12000    ipfw.ko
 4    1 0xc5e45000 e000     dummynet.ko

mdmogren · Feb 12, 2013, 7:40 PM

sysctl -a | grep pfil

net.inet.ip.pfil.inbound: pf, ipfw*
net.inet.ip.pfil.outbound: pf, ipfw*
net.link.bridge.pfil_local_phys: 0
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 0
net.link.bridge.pfil_onlyip: 0
net.inet6.ip6.pfil.inbound: pf, ipfw*
net.inet6.ip6.pfil.outbound: pf, ipfw*

eri-- · Feb 13, 2013, 9:44 PM

Can you try with a newer snapshot and see if that works better?
Need to do a full-upgrade due to binary changes.

bardelot · Feb 14, 2013, 8:36 PM

@ermal:

Can you try with a newer snapshot and see if that works better?
Need to do a full-upgrade due to binary changes.

Unfortunately there is no change with the new snapshot, same behavior and output. Neither "Allowed IP addresses" nor "Allowed Hostnames" are working.

mdmogren · Feb 14, 2013, 8:43 PM

@ermal:

Can you try with a newer snapshot and see if that works better?
Need to do a full-upgrade due to binary changes.

What do you mean by full upgrade? How is that different than upgrading from the GUI?

cmb · Feb 14, 2013, 8:44 PM

Full upgrade just means don't gitsync

mdmogren · Feb 14, 2013, 11:40 PM

Just upgraded to the 2/14 AMD64 snapshot, allowed hostnames still not working.

m4st3rc1p0 · Feb 15, 2013, 10:22 AM

same here, im downloading the latest update hope the issue resolve with the latest snapshot

mdmogren · Feb 19, 2013, 5:20 PM

Still not working in 2.1-BETA1 (amd64) built on Mon Feb 18 22:59:54 EST 2013

mdmogren · Feb 24, 2013, 7:01 PM

Still broken in 2.1-BETA1 (amd64) built on Sat Feb 23 22:58:00 EST 2013.
Is anyone working on this? Would a bounty help?

m4st3rc1p0 · Mar 2, 2013, 12:59 AM

any updates on this issues ?

bardelot · Mar 2, 2013, 10:39 AM

Should be fixed.
http://redmine.pfsense.org/issues/2780

mdmogren · Mar 5, 2013, 1:10 AM

Confirmed fixed :)

Big thanks to everyone who worked on it.