Bug #13226: Disconnecting a user from Captive Portal may allow previously established connections to continue - pfSense - pfSense bugtracker

Custom queries

2.4.5-p1 - Resolved/Closed
2.5.0 - Resolved/Closed
2.5.1 - Resolved/Closed
2.5.2 - Resolved/Closed
2.6.0 - Resolved/Closed
2.7.0 - Resolved/Closed
2.7.1 - All Open Issues
2.7.1 - Resolved/Closed
2.7.2 - Resolved/Closed
2.8.0 - All Open Bugs
2.8.0 - All Open Features
2.8.0 - All Open Issues
2.8.0 - All Open Regressions
2.8.0 - Feedback
2.8.0 - Needs Attention
2.8.0 - New/Confirmed
2.8.0 - Pull Requests
2.8.0 - Regressions affecting 2.7.0
2.8.0 - Resolved/Closed
21.02.2/2.5.1 - Resolved/Closed
21.05 Plus - All Closed Issues
21.05.1 Plus Target - All Closed Issues
21.05.1 Target - All Closed Issues
22.01 Plus - All Closed Issues
22.01 Target - All Closed Issues
22.05 Plus - All Closed Issues
22.05 Target - All Closed Issues
23.01 Plus - All Closed Issues
23.01 Target - All Closed Issues
23.05 Plus - All Closed Issues
23.05 Target - All Closed Issues
23.05.1 Plus - All Closed Issues
23.05.1 Target - All Closed Issues
23.09 Plus - All Closed Issues
23.09 Target - All Closed Issues
23.09.1 Plus - All Closed Issues
23.09.1 Target - All Closed Issues
24.03 Plus - All Closed Issues
24.03 Target - All Closed Issues
24.11 Plus - All Closed Issues
24.11 Plus - All Open Issues
24.11 Plus - Feedback Issues
24.11 Plus - Needs Attention/Work
24.11 Plus - New/Confirmed/In Progress Issues
24.11 Target - All Closed Issues
24.11 Target - All Open Issues
25.01 Plus - All Closed Issues
25.01 Plus - All Open Issues
25.01 Plus - Feedback Issues
25.01 Plus - Needs Attention/Work
25.01 Plus - New/Confirmed/In Progress Issues
25.01 Plus - Pull Request Review
25.01 Plus - Waiting on Merge
25.01 Target - All Closed Issues
25.01 Target - All Open Issues
All Open Issues assigned to Me
All Open Pull Requests
Any Target - All Open Regressions
Any Target - Feedback Issues
CE-Next - All Closed Issues (Move to specific target)
CE-Next - All Open Issues
CE-Next - Feedback (Likely needs target changed)
New Issues by Category - Future Target
New Issues by Category - No Target
New Issues by Category - No Target+Future
No Target - All Open Issues (Base Only)
No Target - New Issues (Base Only)
No Target - New Issues (Base and Packages)
Release Notes - Plus Target Version (DO NOT EDIT)
Release Notes - Target Version (DO NOT EDIT)

Actions

Copy link

Bug #13226

closed

Disconnecting a user from Captive Portal may allow previously established connections to continue

Added by Danilo Zrenjanin over 2 years ago. Updated 9 months ago.

Status:

Resolved

Priority:

Normal

Assignee:

Marcos M

Category:

Captive Portal

Target version:

2.8.0

Start date:

Due date:

% Done:

Estimated time:

Plus Target Version:

24.03

Release Notes:

Default

Affected Version:

2.4.5-p1

Affected Architecture:

Description

Steps to reproduce:

1. Connect to the network through the CP portal.
2. Establish OpenVPN forcing all traffic through it.
3. Under Status/Captive Portal disconnect your client.
4. Test the connectivity. Your Internet access still works.

Tested on the:

2.7.0-DEVELOPMENT (amd64)
built on Fri May 27 06:19:08 UTC 2022
FreeBSD 12.3-STABLE

Related issues

Related to Feature #11556: Kill states using the pre-NAT address

Resolved

Marcos M

02/26/2021

Actions

Issue # Delay: days Cancel

History
Notes
Property changes

Actions

Copy link

Updated by Viktor Gurov over 2 years ago

It looks like pfSense_kill_states() and pfSense_kill_srcstates() does not work properly:
https://github.com/pfsense/pfsense/blob/master/src/etc/inc/captiveportal.inc#L886-L888

Needs more testing.

Actions

Copy link

Updated by Viktor Gurov over 2 years ago

Status changed from New to Confirmed

Able to reproduce.

It looks like pfSense_kill_status() and pfSense_kill_src states() are successfully kill TCP and ICMP sessions, but not UDP.

This may also be an issue prior to pfSense 22.05/2.7 (ipfw captive portal).

Actions

Copy link

Updated by Viktor Gurov over 2 years ago

Assignee set to Reid Linnemann

Actions

Copy link

Updated by Marcos M almost 2 years ago

Subject changed from Captive Portal doesn't disconnect established OpenVPN link to Disconnecting a user from Captive Portal may allow previously established connections to continue.
Affected Version changed from 2.7.x to 2.4.5-p1

The root issue here is actually #11556. When pfSense_kill_states() is called, the state on WAN using NAT will remain due to the referenced issue, hence allowing reply traffic. That reply traffic will then reach the host behind the Captive Portal due the default rule which allows all traffic from the firewall itself. See the following states:

Before calling pfSense_kill_states()

all udp 198.51.100.7:1196 <- 10.0.1.100:62722       MULTIPLE:MULTIPLE
   age 00:01:05, expires in 00:01:00, 254:238 pkts, 42969:117085 bytes, rule 539
   id: db5e9a6300000000 creatorid: 4da82510 gateway: 0.0.0.0
   origif: vmx0
all udp 192.0.2.5:39681 (10.0.1.100:62722) -> 198.51.100.7:1196       MULTIPLE:MULTIPLE
   age 00:01:05, expires in 00:01:00, 254:238 pkts, 42969:117085 bytes, rule 145
   id: dc5e9a6300000000 creatorid: 4da82510 gateway: 177.231.47.1
   origif: vmx0.99

After calling pfSense_kill_states() and before reply from remote:

all udp 192.0.2.5:39681 (10.0.1.100:62722) -> 198.51.100.7:1196       MULTIPLE:MULTIPLE
   age 00:01:21, expires in 00:00:49, 264:248 pkts, 44119:118305 bytes, rule 145
   id: dc5e9a6300000000 creatorid: 4da82510 gateway: 177.231.47.1
   origif: vmx0.99

After calling pfSense_kill_states() and after reply from remote:

all udp 192.0.2.5:39681 (10.0.1.100:62722) -> 198.51.100.7:1196       MULTIPLE:MULTIPLE
   age 00:01:29, expires in 00:00:59, 268:253 pkts, 44569:118869 bytes, rule 145
   id: dc5e9a6300000000 creatorid: 4da82510 gateway: 177.231.47.1
   origif: vmx0.99
all udp 198.51.100.7:1196 -> 10.0.1.100:62722       MULTIPLE:MULTIPLE
   age 00:00:08, expires in 00:00:59, 5:4 pkts, 564:450 bytes, rule 143
   id: 65659a6300000000 creatorid: 4da82510 gateway: 0.0.0.0
   origif: vmx0

Actions

Copy link

Updated by Marcos M almost 2 years ago

Related to Feature #11556: Kill states using the pre-NAT address added

Actions

Copy link

Updated by Marcos M 12 months ago

Subject changed from Disconnecting a user from Captive Portal may allow previously established connections to continue. to Disconnecting a user from Captive Portal may allow previously established connections to continue
Status changed from Confirmed to Feedback
Assignee changed from Reid Linnemann to Marcos M
Target version changed from CE-Next to 2.8.0
Plus Target Version changed from Plus-Next to 24.03

Actions

Copy link

Updated by Marcos M 9 months ago

Status changed from Feedback to Resolved

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

pfSense

Custom queries

Bug #13226

Disconnecting a user from Captive Portal may allow previously established connections to continue

Updated by Viktor Gurov over 2 years ago

Updated by Viktor Gurov over 2 years ago

Updated by Viktor Gurov over 2 years ago

Updated by Marcos M almost 2 years ago

Updated by Marcos M almost 2 years ago

Updated by Marcos M 12 months ago

Updated by Marcos M 9 months ago