CP misbehavor after 2.3 Upgrade

  • –-Gertjan--- If you´re reading this... "A LOT OF THANKS" you´ve been of great help before...

    There are two things not working properly after I (the day before yesterday) upgraded my Pfsense box... (I waited until now just to make sure that 2.3 was stable  :) and maybe avoid this type of trouble)...

    1- The main issue is that after a client it´s been successfully logged in with voucher (I use voucher plus Pass-through MAC Auto Entry) soon afterwards the client will lose conectivity (I don´t know how soon it happens (for one client it was less than 15 minutes)) If I try to use the same voucher on the client, the portal page will tell me that such voucher it´s already logged in with a different mac address... and indeed if I take a look at the MACs tab... I will find that client´s mac addres on the list with that same voucher that was used...

    ---when I say "the client lose conectivity" I mean that the client is treated as if it´s not logged in.. it is redirected to the cp portal page---

    I test the voucher... and it is still good (not expired)

    I look at the logs... nothing there concerning the client´s disconnection...

    If I go the the    Services/Captive/Portal/test/Configuration page... and click on "save button" then those clients who have lost conectivity get back online just like that... (not sure if they lose it again, hope not)...

    one more thing

    2- my system has a crash report wich I think is related to the problem... there it goes as an attachment..." and that crash is persistent... I delete it.. and it happens again...

    ---Gertjan--- If you´re reading this... "A LOT OF THANKS" you´ve been of great help before...

    and excuse my english....
    ![Crash Report.PNG](/public/imported_attachments/1/Crash Report.PNG)
    ![Crash Report.PNG_thumb](/public/imported_attachments/1/Crash Report.PNG_thumb)

  • :) Me ?

    A couple of question first :
    The vouchers you are using : were they generated BEFORE you upgraded to 2.3.0 ?
    I don't know if voucher stats are really saved now (using 2.3.0) - I know they were NOT so before.

    More info : https://forum.pfsense.org/index.php?action=search and type the magic word rc.savevoucher.

    I guess this is not related with you https://forum.pfsense.org/index.php?topic=111132.msg618826#msg618826

    You should use this page : https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting

    It shows you how to check on a "firewall level" who is authorized to get out.

    65291     0        0 allow pfsync from any to any
    65292     0        0 allow carp from any to any
    65301   377    14858 allow ip from any to any layer2 mac-type 0x0806,0x8035
    65302     0        0 allow ip from any to any layer2 mac-type 0x888e,0x88c7
    65303     0        0 allow ip from any to any layer2 mac-type 0x8863,0x8864
    65307    14      644 deny ip from any to any layer2 not mac-type 0x0800,0x86dd
    65310  1815   166508 allow ip from any to table(100) in
    65311  6559  1319786 allow ip from table(100) to any out
    65312    36     8790 allow ip from any to in
    65313     0        0 allow ip from to any out
    65314     0        0 pipe tablearg ip from table(3) to any in
    65315     0        0 pipe tablearg ip from any to table(4) in
    65316     0        0 pipe tablearg ip from table(3) to any out
    65317     0        0 pipe tablearg ip from any to table(4) out
    65318 78786 16651440 pipe tablearg ip from table(1) to any in
    65319 82570 87958140 pipe tablearg ip from any to table(2) out
    65531  3494   304165 fwd,8003 tcp from any to any dst-port 443 in
    65532   929   110438 fwd,8002 tcp from any to any dst-port 80 in
    65533  3936  1803687 allow tcp from any to any out
    65534   931   246594 deny ip from any to any
    65535   136    58995 allow ip from any to any

    Inspecting "table 1" like this: mac 30:10:e4:c3:94:8e 6644 mac 2c:f0:ee:dd:d0:ee 6646 mac 18:4f:32:b1:27:9f 6640 mac 8c:29:37:41:00:fb 6638 mac 58:2a:f7:85:1e:30 6642

    Shows me the 4 people logged in (their IP and MAC).

    Btw : I'm not using vouchers on my pfSense system.

  • Im running the system on a Netgate apu4, but I have no SD card on it.. I have a Sata Hard Disk.
    at first when I finished upgrading,the chrash dump looked exactly the same as the one you pointed me to… but I´m not running NanoBSD... I¨m on a full install on a Hard Disk.
    [2.3-RELEASE][admin@Hardy.NET]/root: ipfw zone list
    Currently defined contexts and their members:
    2: re2_vlan5,
    4: re2_vlan6,

    [2.3-RELEASE][admin@Hardy.NET]/root: ipfw -x 2 table 1 list (doesn´t show any results) maybe ´cuz I´m just using (voucher plus Pass-through MAC Auto Entry) nothing more…
    You asked if vouchers were created prior to upgrading the system…. yes they were...

    a little note... I have two captive portals running... zone 2 and zone 4.... the the issue seems to be only on zone 2, (I mean... I have no reports or complaints of zone 4 misbehaving)
    that said (I have to say that the configuration on both zones is the same... but the authentication page is not... zone 2 has a custom page while zone 4 has the default page)...
    this line was missing on zone 2 portal page

    I added it... and reloaded cp configuration... (I don´t think that´s the problem... but see no other difference) Im waiting to see the results...

    [ipfw -x 2 show.txt](/public/imported_attachments/1/ipfw -x 2 show.txt)

  • If you have any more troubles, I advise you to ditch the old vouchers.
    Deactivate the voucher system. I guess a bug doesn't allow you to do so (I can't), so do it the hard way :

    Backup a complete config.xml
    Look for this pair <voucher>and a couple of line further on</voucher>
    Mine (minimal) looks like this:


    Remove all that … including the <voucher>.....</voucher>
    Import config.
    => I advise you also to remove all voucher related files like /var/db/voucher_ZONEX_active_0.db
    Re-setup vouchers.
    You'll be fine.

    Btw : when updating, hand made settings like a "portal login page" should be checked with eventually new parameters etc ;)

  • Hi!!!

    Well, ditch old vouchers… yes I can do that... actually I did... I created new rolls... the system keeps reporting the same crash every now and then (but I haven't had the problem in which clients get disconnected )

    But deactivate the vouches, and remove all that's within .... uhmmmm I don't like the idea... I have 200+ voucher logged in...

Log in to reply