Regression #13146

closed

Captive Portal: Hosts remain connected after removing them from the table

Added by Steve Wheeler almost 2 years ago. Updated almost 2 years ago.

Status: Resolved
Priority: High
Assignee: Viktor Gurov
Category: Captive Portal
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 22.05
Release Notes: Force Exclusion
Affected Version: 2.7.0
Affected Architecture: All

Description

When you remove a connected client using the 'Disconnect this user' button in Status > Captive Portal the user is removed from the table but is still able to pass traffic.

The logs indicate the host was de-authed:

May 10 13:01:55     logportalauth     386     Zone: test_zone - DISCONNECT: unauthenticated, 3a:d2:8d:84:6e:56, 192.168.20.10 

But it's still able to open outbound connections:

LAN     icmp     192.168.20.10:16 -> 8.8.8.8:16     0:0     4 / 4     336 B / 336 B     
WAN     icmp     172.21.16.179:11535 (192.168.20.10:16) -> 8.8.8.8:11535     0:0     4 / 4     336 B / 336 B

Tested: 22.05.a.20220509.2034


Related issues

Related to Todo #13100: Transition Captive Portal from IPFW to PF (Resolved, Viktor Gurov)

Actions #1

Updated by Viktor Gurov almost 2 years ago

  • Related to Todo #13100: Transition Captive Portal from IPFW to PF added
Actions #2

Updated by Viktor Gurov almost 2 years ago

  • Release Notes changed from Default to Force Exclusion
  • Affected Version set to 2.7.0
Actions #4

Updated by Jim Pingle almost 2 years ago

  • Status changed from New to Pull Request Review
Actions #5

Updated by Steve Wheeler almost 2 years ago

That patch looks good. After removing the host the anchor is removed from the ruleset:

[22.05-DEVELOPMENT][admin@plusdev.stevew.lan]/root: pfctl -vsA
  ipsec
  miniupnpd
  natearly
  natrules
  openvpn
  tftp-proxy
  userrules
  cpzoneid_2_allowedhosts
  cpzoneid_2_auth
  cpzoneid_2_auth/192.168.20.10_32
  cpzoneid_2_authmac
  cpzoneid_2_passthrumac
[22.05-DEVELOPMENT][admin@plusdev.stevew.lan]/root: pfctl -vsA
  ipsec
  miniupnpd
  natearly
  natrules
  openvpn
  tftp-proxy
  userrules
  cpzoneid_2_allowedhosts
  cpzoneid_2_auth
  cpzoneid_2_authmac
  cpzoneid_2_passthrumac

Works as expected.
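The manual comparison in the comment above can be scripted. The following is an added example, not part of the ticket or of pfSense: it cross-checks DISCONNECT log entries against a saved `pfctl -vsA` listing and reports hosts whose per-host anchor is still present. The function names and file names are hypothetical; the log line and anchor names are copied from this ticket, and the 192.168.20.11 anchor is constructed. It checks anchors only, not the state table.

```shell
#!/bin/sh
# stale_cp_anchors LOGFILE ANCHORFILE  (added example, not pfSense code)
# Prints "ip anchor" for each host with a DISCONNECT log entry that still
# has a per-host anchor below a cpzoneid_<id>_auth anchor.
# Exit status: 0 = none left behind, 1 = at least one stale anchor.
stale_cp_anchors() {
    awk '
        # First file: portal auth log. The client IP is the last
        # comma-separated field of a DISCONNECT entry.
        FILENAME == ARGV[1] {
            if ($0 ~ /DISCONNECT:/) {
                n = split($0, f, ",")
                ip = f[n]
                gsub(/[ \t\r]/, "", ip)
                if (ip != "") gone[ip] = 1
            }
            next
        }
        # Second file: "pfctl -vsA" output. Per-host anchors look like
        # cpzoneid_2_auth/192.168.20.10_32 (address, "_", prefix length).
        $1 ~ "^cpzoneid_[0-9]+_auth/" {
            host = substr($1, index($1, "/") + 1)
            sub(/_[0-9]+$/, "", host)
            if (host in gone) { print host, $1; stale = 1 }
        }
        END { exit (stale ? 1 : 0) }
    ' "$1" "$2"
}

# cp_sample DIR: write sample inputs into DIR (hypothetical file names).
# before.txt models the listing while the bug is present, after.txt the
# listing once the anchor for 192.168.20.10 has been removed.
cp_sample() {
    cat > "$1/portal.log" <<'EOF'
May 10 13:01:55 logportalauth 386 Zone: test_zone - DISCONNECT: unauthenticated, 3a:d2:8d:84:6e:56, 192.168.20.10
EOF
    cat > "$1/before.txt" <<'EOF'
  cpzoneid_2_allowedhosts
  cpzoneid_2_auth
  cpzoneid_2_auth/192.168.20.10_32
  cpzoneid_2_auth/192.168.20.11_32
  cpzoneid_2_authmac
EOF
    grep -v '192.168.20.10_32' "$1/before.txt" > "$1/after.txt"
}
```

Run the check right after a disconnect: it does not track later logins, so a host that has authenticated again since its DISCONNECT entry will be reported even though its anchor is legitimate.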

Actions #6

Updated by Jim Pingle almost 2 years ago

  • Status changed from Pull Request Review to Feedback

PR was merged several days ago.

Actions #7

Updated by Danilo Zrenjanin almost 2 years ago

  • Status changed from Feedback to Resolved

Tested:

22.05-BETA (amd64)
built on Fri May 20 06:20:45 UTC 2022
FreeBSD 12.3-STABLE

It works as expected. Disconnected users can't pass traffic.

I am marking this ticket resolved.

Actions #8

Updated by Jim Pingle almost 2 years ago

  • % Done changed from 0 to 100