
Bug #11937

open

HAproxy "Use Client-IP" option breaks Captive Portal

Added by David Quinn almost 3 years ago. Updated over 2 years ago.

Status: Feedback
Priority: Normal
Assignee: Viktor Gurov
Category: haproxy
Target version: -
Start date: 05/19/2021
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version:
Affected Architecture: amd64

Description

Devices can access HTTPS sites without authenticating via Captive Portal.
Enabling 'Use Client-IP to connect to backend servers.' in HAproxy appears to add rules in ipfw and prevents 3 of the rules from /etc/inc/captiveportal.inc from being created.

Rules from captive portal which failed to get created in ipfw were:

01000 0 0 skipto tablearg ip from any to any via table(cp_ifaces)
01100 315443004 123076915775 allow ip from any to any
65534 0 0 deny ip from any to any

Without the deny rule, all traffic was allowed through except access to port 80, which would still be redirected to the captive portal login page.
The problem was not fixed after a reboot.
To get it working, I had to remove the option 'Use Client-IP to connect to backend servers.', then delete the rules which haproxy created and add back in the rules from the captiveportal.inc file.
Everything works if I do not re-enable the mentioned haproxy option.
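
A check for the condition reported above, as an added example (not from the ticket or the pfSense code): it reads an ipfw rule listing on stdin (for example from `ipfw show`), with or without packet/byte counters, and prints which of the three captive portal rules quoted in the description are missing. The function names and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which captive portal ipfw rules from the ticket are absent.

# Constructed listing with the three rules present (format as quoted in the ticket).
sample_healthy() {
cat <<'EOF'
01000 0 0 skipto tablearg ip from any to any via table(cp_ifaces)
01100 315443004 123076915775 allow ip from any to any
65534 0 0 deny ip from any to any
EOF
}

# Constructed listing with the three rules absent. Rule 00500 is a stand-in,
# not the rule HAProxy actually writes (the ticket does not show those).
sample_broken() {
cat <<'EOF'
00500 12 3456 count ip from any to any
EOF
}

# Print the number of each expected rule that is absent or has a different body.
cp_missing_rules() {
    awk '
    BEGIN {
        want["01000"] = "skipto tablearg ip from any to any via table(cp_ifaces)"
        want["01100"] = "allow ip from any to any"
        want["65534"] = "deny ip from any to any"
    }
    ($1 in want) {
        body = $0
        sub(/^[0-9]+[ \t]+/, "", body)                # strip the rule number
        sub(/^[0-9]+[ \t]+[0-9]+[ \t]+/, "", body)    # strip counters if present
        gsub(/[ \t]+$/, "", body)
        if (body == want[$1]) seen[$1] = 1
    }
    END {
        n = split("01000 01100 65534", order, " ")
        for (i = 1; i <= n; i++) if (!(order[i] in seen)) print order[i]
    }'
}

# Exit status 0 when all three rules are present, 1 otherwise.
cp_check() {
    missing=$(cp_missing_rules)
    if [ -z "$missing" ]; then return 0; fi
    echo "captive portal rules missing:" $missing >&2
    return 1
}

sample_broken | cp_check || true   # demo on the constructed broken listing
```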



Actions #1

Updated by Jim Pingle almost 3 years ago

  • Project changed from pfSense to pfSense Packages
  • Subject changed from HAproxy and Captive port to HAproxy "Use Client-IP" option breaks Captive Portal
  • Category changed from Captive Portal to haproxy
  • Release Notes deleted (Default)
  • Affected Version deleted (2.5.1)

That option is almost certainly incompatible with Captive Portal, but if there is a way to make it work, it would have to be fixed in the way HAProxy writes its ipfw rules, not in Captive Portal.

Actions #3

Updated by Jim Pingle almost 3 years ago

  • Status changed from New to Pull Request Review

Actions #4

Updated by Renato Botelho over 2 years ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Viktor Gurov

PR has been merged. Thanks!
