CP misbehavor after 2.3 Upgrade
–-Gertjan--- If you´re reading this... "A LOT OF THANKS" you´ve been of great help before...
There are two things not working properly after I (the day before yesterday) upgraded my Pfsense box... (I waited until now just to make sure that 2.3 was stable :) and maybe avoid this type of trouble)...
1- The main issue is that after a client it´s been successfully logged in with voucher (I use voucher plus Pass-through MAC Auto Entry) soon afterwards the client will lose conectivity (I don´t know how soon it happens (for one client it was less than 15 minutes)) If I try to use the same voucher on the client, the portal page will tell me that such voucher it´s already logged in with a different mac address... and indeed if I take a look at the MACs tab... I will find that client´s mac addres on the list with that same voucher that was used...
---when I say "the client lose conectivity" I mean that the client is treated as if it´s not logged in.. it is redirected to the cp portal page---
I test the voucher... and it is still good (not expired)
I look at the logs... nothing there concerning the client´s disconnection...
If I go the the Services/Captive/Portal/test/Configuration page... and click on "save button" then those clients who have lost conectivity get back online just like that... (not sure if they lose it again, hope not)...
one more thing
2- my system has a crash report wich I think is related to the problem... there it goes as an attachment..." and that crash is persistent... I delete it.. and it happens again...
---Gertjan--- If you´re reading this... "A LOT OF THANKS" you´ve been of great help before...
and excuse my english....
![Crash Report.PNG](/public/imported_attachments/1/Crash Report.PNG)
![Crash Report.PNG_thumb](/public/imported_attachments/1/Crash Report.PNG_thumb)
Gertjan last edited by
:) Me ?
A couple of question first :
The vouchers you are using : were they generated BEFORE you upgraded to 2.3.0 ?
I don't know if voucher stats are really saved now (using 2.3.0) - I know they were NOT so before.
More info : https://forum.pfsense.org/index.php?action=search and type the magic word rc.savevoucher.
I guess this is not related with you https://forum.pfsense.org/index.php?topic=111132.msg618826#msg618826
You should use this page : https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting
It shows you how to check on a "firewall level" who is authorized to get out.
...... 65291 0 0 allow pfsync from any to any 65292 0 0 allow carp from any to any 65301 377 14858 allow ip from any to any layer2 mac-type 0x0806,0x8035 65302 0 0 allow ip from any to any layer2 mac-type 0x888e,0x88c7 65303 0 0 allow ip from any to any layer2 mac-type 0x8863,0x8864 65307 14 644 deny ip from any to any layer2 not mac-type 0x0800,0x86dd 65310 1815 166508 allow ip from any to table(100) in 65311 6559 1319786 allow ip from table(100) to any out 65312 36 8790 allow ip from any to 255.255.255.255 in 65313 0 0 allow ip from 255.255.255.255 to any out 65314 0 0 pipe tablearg ip from table(3) to any in 65315 0 0 pipe tablearg ip from any to table(4) in 65316 0 0 pipe tablearg ip from table(3) to any out 65317 0 0 pipe tablearg ip from any to table(4) out 65318 78786 16651440 pipe tablearg ip from table(1) to any in 65319 82570 87958140 pipe tablearg ip from any to table(2) out 65531 3494 304165 fwd 127.0.0.1,8003 tcp from any to any dst-port 443 in 65532 929 110438 fwd 127.0.0.1,8002 tcp from any to any dst-port 80 in 65533 3936 1803687 allow tcp from any to any out 65534 931 246594 deny ip from any to any 65535 136 58995 allow ip from any to any
Inspecting "table 1" like this:
192.168.2.27/32 mac 30:10:e4:c3:94:8e 6644
192.168.2.46/32 mac 2c:f0:ee:dd:d0:ee 6646
192.168.2.90/32 mac 18:4f:32:b1:27:9f 6640
192.168.2.104/32 mac 8c:29:37:41:00:fb 6638
192.168.2.162/32 mac 58:2a:f7:85:1e:30 6642
Shows me the 4 people logged in (their IP and MAC).
Btw : I'm not using vouchers on my pfSense system.
Im running the system on a Netgate apu4, but I have no SD card on it.. I have a Sata Hard Disk.
at first when I finished upgrading,the chrash dump looked exactly the same as the one you pointed me to… but I´m not running NanoBSD... I¨m on a full install on a Hard Disk.
[2.3-RELEASE][admin@Hardy.NET]/root: ipfw zone list
Currently defined contexts and their members:
[2.3-RELEASE][admin@Hardy.NET]/root: ipfw -x 2 table 1 list (doesn´t show any results) maybe ´cuz I´m just using (voucher plus Pass-through MAC Auto Entry) nothing more…
You asked if vouchers were created prior to upgrading the system…. yes they were...
a little note... I have two captive portals running... zone 2 and zone 4.... the the issue seems to be only on zone 2, (I mean... I have no reports or complaints of zone 4 misbehaving)
that said (I have to say that the configuration on both zones is the same... but the authentication page is not... zone 2 has a custom page while zone 4 has the default page)...
this line was missing on zone 2 portal page
I added it... and reloaded cp configuration... (I don´t think that´s the problem... but see no other difference) Im waiting to see the results...
[ipfw -x 2 show.txt](/public/imported_attachments/1/ipfw -x 2 show.txt)
Gertjan last edited by
If you have any more troubles, I advise you to ditch the old vouchers.
Deactivate the voucher system. I guess a bug doesn't allow you to do so (I can't), so do it the hard way :
Backup a complete config.xml
Look for this pair <voucher>and a couple of line further on</voucher>
Mine (minimal) looks like this:
<voucher><cpzone1><charset>2345678abcdefhijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ</charset> <rollbits>16</rollbits> <ticketbits>10</ticketbits> <checksumbits>5</checksumbits> <magic>1782799022</magic> <exponent>59171</exponent> <publickey>LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0NCUXdEUVlKS29aSWh2Y05BUUVCQlFBREV3QXdFQUlKQU1jK243UGtHTkkxQWdNQTV5TT0NCi0tLS0tRU5EIFBVQkxJQyBLRVktLS0tLQ0K</publickey> <privatekey>LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQ0KTUQ4Q0FRQUNDUURIUHArejVCalNOUUlEQU9jakFnaHRIT3JIWGNsbWl3SUZBT1pXbENFQ0JRRGRjVHVWQWdVQQ0Ka1JGQlN3SUZBTHZMVmZzQ0JCKzFHWTA9DQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQ0K</privatekey> <descrmsgnoaccess></descrmsgnoaccess> <enable></enable></cpzone1></voucher>
Remove all that … including the <voucher>.....</voucher>
=> I advise you also to remove all voucher related files like /var/db/voucher_ZONEX_active_0.db
You'll be fine.
Btw : when updating, hand made settings like a "portal login page" should be checked with eventually new parameters etc ;)
Well, ditch old vouchers… yes I can do that... actually I did... I created new rolls... the system keeps reporting the same crash every now and then (but I haven't had the problem in which clients get disconnected )
But deactivate the vouches, and remove all that's within .... uhmmmm I don't like the idea... I have 200+ voucher logged in...