Bug #12941 (closed)
Captive Portal on specific VLAN prevents routing to other networks (since 22.01)

Added by Lorenzo Marroccoli about 2 years ago. Updated about 2 years ago.

Status: Duplicate
Priority: Normal
Assignee: -
Category: Captive Portal
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes: Default
Affected Version:
Affected Architecture:

Description

Hello there,

this weekend I updated my 1537 to 22.01-RELEASE from the previous latest stable version.
The update process went fine and everything seemed to work fine.

We use ix0 as our 10G LAN interface with several VLANs (ix0.xxxx). VLAN ix0.80 also has Captive Portal enabled, which worked like a charm for a couple of months now.

Today, I am having trouble with all computers on ix0.80, as they somehow cannot access any resource on our company network anymore.
After a successful login within the captive portal, clients can access the Internet, but all packets to other networks are somehow dropped.

This is not a firewall related issue. My PC (192.168.1.209) is on LAN and all traffic from it is allowed to everywhere. For the address of one PC on ix0.80 (10.10.81.101), I also set up a temporary "allow everything to everywhere" rule to ensure it is not the firewall causing the issues. The Windows firewall has also been completely disabled on the test machines.

As soon as I disable Captive Portal, everything starts to work as expected again.

Overview of our net:

Description             Interface ID   Network
LAN                     ix0            192.168.0.0/16
VLAN w/ Captive Portal  ix0.80         10.10.80.0/24
Another VLAN            ix0.96         10.10.96.0/24

Things which should work but don't:
  • from 10.10.80.101 ping 192.168.220.31 (DNS-Server)
  • from 10.10.80.101 nslookup to 192.168.220.31 (DNS-Server) always fails with "DNS request timed out." This prevents almost anything from working.
  • from 192.168.1.209 ping 10.10.80.101
  • from 10.10.80.101 ping 192.168.1.209
  • from 10.10.80.101 ping 192.168.200.25 (an apache webserver)
  • from 10.10.80.101 ping 10.10.96.12 (windows client on ix0.96)
  • from 10.10.80.101 ping 192.168.220.101 (windows rdp server)
  • from 10.10.80.101 ping 192.168.1.16 (pfsense ix0-IP)
Things which do work:
  • 10.10.80.101 can surf the internet (even though our DNS is not working! I can't figure out how.)
  • from 10.10.80.101 http to 192.168.200.25 via browser (even though ping the same host is not possible)
  • from 192.168.1.209 vnc into 10.10.80.101 (ping does not work, but vnc does?)
  • from 10.10.80.101 rdp into 192.168.220.101 (even though ping does not work to the very same host)
  • from 192.168.1.209 ping 192.168.1.16 (pfsense ix0-IP)
  • from 192.168.1.209 ping 10.10.80.1 (pfsense ix0.80-IP)
  • from 10.10.80.101 ping 10.10.80.1 (pfsense ix0.80-IP)

It is a very strange situation; it seems everything is working but ping and DNS. As a result of those two, most services / things do not work either.
As soon as I disable Captive Portal, all problems are gone. No firewall rule changed. Furthermore, inspecting System Logs / Firewall confirms that the firewall is not causing the issues.

I hope I provided all the information needed in order to recreate the issue.
For the moment, I have no choices but to disable captive portal.
Please feel free to ask any additional information.

Lorenzo

Actions #1

Updated by Jim Pingle about 2 years ago

  • Status changed from New to Duplicate
  • Priority changed from Very High to Normal
  • Target version deleted (22.01)
  • Plus Target Version deleted (22.01)

This is almost certainly a duplicate of #12834 or at least the same root cause. First thing to try is the patch in the system patches package recommended patches list for #12834. Reboot after applying that. If you can, try a recent snapshot of 22.05 and see if it's working again for you as it has a more comprehensive fix present.

Actions #2

Updated by Lorenzo Marroccoli about 2 years ago

Jim Pingle thank you for your quick reply.

That would explain why I can RDP into devices on another VLAN and load a page over HTTP, but can't ping or use DNS, as those work over ICMP and UDP respectively, not TCP.

Sadly, I am not able to test out the DEVEL version 22.05, as we are experiencing the issue on a production pfSense environment. But I will pull the patch in, reboot and let you know whether the issue is solved or not.

Thank you.
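The protocol split worked out in the comment above (TCP sessions cross the VLAN boundary, ICMP and UDP do not) is what separates this captive-portal bug from a plain firewall-rule block. The script below is an added example, not part of the ticket or of pfSense: run from a client on the captive-portal VLAN, it probes each destination over ICMP, TCP and UDP/53 and labels the pattern. It assumes `ping`, `nc` and `dig` are installed on the client; the hosts and ports are the ones the report names.

```shell
#!/bin/sh
# Added example (not from the ticket): per-protocol reachability matrix for a
# client on the captive-portal VLAN. Save as cp_matrix.sh and run it there.
# Assumes ping, nc (netcat) and dig are available on the client.

# Each probe prints "ok" or "fail" so recorded results can be fed in by hand.
probe_icmp()    { ping -c 1 -W 1 "$1" >/dev/null 2>&1 && echo ok || echo fail; }
probe_tcp()     { nc -z -w 1 "$1" "$2" >/dev/null 2>&1 && echo ok || echo fail; }
probe_udp_dns() { dig +time=1 +tries=1 @"$1" example.com A >/dev/null 2>&1 && echo ok || echo fail; }

# classify ICMP TCP UDP -> verdict. "skip" marks a UDP probe that was not run
# (the host is not a DNS server). "tcp-only" is the ticket's signature: HTTP,
# RDP and VNC work while ping and DNS never get through, which points at the
# captive-portal ICMP/UDP drop (#12834) rather than at a firewall rule.
classify() {
  case "$1/$2/$3" in
    fail/ok/fail|fail/ok/skip) echo "tcp-only" ;;
    ok/ok/ok|ok/ok/skip)       echo "pass" ;;
    fail/fail/*)               echo "all-fail" ;;   # routing or rule problem
    *)                         echo "mixed" ;;      # inspect per-protocol rules
  esac
}

# matrix_row HOST TCPPORT [dns]: probe one destination and print a row.
matrix_row() {
  icmp=$(probe_icmp "$1"); tcp=$(probe_tcp "$1" "$2")
  if [ "$3" = dns ]; then udp=$(probe_udp_dns "$1"); else udp=skip; fi
  printf '%-16s icmp=%-4s tcp/%-4s=%-4s udp/53=%-4s %s\n' \
    "$1" "$icmp" "$2" "$tcp" "$udp" "$(classify "$icmp" "$tcp" "$udp")"
}

# Only when executed directly (not when sourced): the hosts from the report.
case "$0" in
  *cp_matrix.sh)
    matrix_row 192.168.220.31  53   dns   # DNS server
    matrix_row 192.168.200.25  80         # Apache web server
    matrix_row 192.168.220.101 3389       # Windows RDP server
    matrix_row 10.10.80.1      80         # pfSense ix0.80 address (same VLAN)
    ;;
esac
```

A row of `icmp=fail tcp=ok udp/53=fail tcp-only` for the DNS server next to `pass` for the gateway on the same VLAN reproduces exactly the picture in the description.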

Actions #3

Updated by Lorenzo Marroccoli about 2 years ago

Jim Pingle The suggested system patch successfully fixed the issue! Thank you.
