Bug #13148
closed
Traffic passed by Captive Portal cannot use limiter queues on other rules
0%
Description
Traffic that has been passed by the captive portal on an interface will fail if it passed into a dummynet queue by other rules.
So for example if you have OUT rules on WAN that are using Limiters with queues defined.
pass out quick on em0 route-to (em0 172.21.16.1) inet proto tcp all flags S/SA keep state label "id:1652095021" label "gw:WAN_DHCP" label "USER_RULE: Allow all Limited OUT" dnqueue(1, 4) ridentifier 1652095021
It does not fail if the rules put traffic into pipes directly:
pass out quick on em0 route-to (em0 172.21.16.1) inet proto tcp all flags S/SA keep state label "id:1652095021" label "gw:WAN_DHCP" label "USER_RULE: Allow all Limited OUT" dnpipe(1, 2) ridentifier 1652095021
Traffic that has not passed the captive portal, such as from the firewall itself, passes as expected with pipes or queues.
Tested: 22.05.b.20220510.1811
Updated by Kristof Provost over 2 years ago
Do you have anything special configured for captive portal? Bandwidth restrictions or something?
I've tried to replicate this here, and can pass traffic just fine with this rule:
@95 pass out quick on vtnet0 route-to (vtnet0 1.0.2.1) inet proto tcp all flags S/SA keep state label "id:1652268183" label "gw:WAN_DHCP" label "USER_RULE" dnqueue(1, 2) ridentifier 1652268183
Updated by Kristof Provost over 2 years ago
It looks like you need to have multiple queues defined on the pipe for this to manifest.
Updated by Kristof Provost over 2 years ago
https://gitlab.netgate.com/pfSense/FreeBSD-src/-/merge_requests/83 should fix the problem.
Updated by Viktor Gurov over 2 years ago
- Status changed from New to Feedback
- Assignee set to Kristof Provost
- Release Notes changed from Default to Force Exclusion
- Affected Version set to 2.7.0
Updated by Reid Linnemann over 2 years ago
- Status changed from Feedback to Assigned
This appears to still be broken.
Updated by Reid Linnemann over 2 years ago
- Target version changed from 2.7.0 to CE-Next
- Plus Target Version changed from 22.05 to Plus-Next
Updated by Jim Pingle over 2 years ago
- Target version changed from CE-Next to 2.7.0
- Plus Target Version changed from Plus-Next to 22.09
Updated by Jim Pingle over 2 years ago
- Plus Target Version changed from 22.09 to 22.11
Updated by Jim Pingle about 2 years ago
- Plus Target Version changed from 22.11 to 23.01
Updated by Kristof Provost almost 2 years ago
- Status changed from Assigned to Ready To Test
My understanding is that this is fixed, but that Reid had an unrelated issue. @Reid, can you confirm?
Updated by Marcos M almost 2 years ago
- Status changed from Ready To Test to Resolved
- Private changed from Yes to No
- Release Notes changed from Force Exclusion to Default
Tested on latest snap - this is indeed fixed.
Updated by Jim Pingle almost 2 years ago
- Subject changed from Traffic passed by the captive portal cannot use additional dummynet queues to Traffic passed by Captive Portal cannot use limiter queues on other rules
Updating subject for release notes.