Regression #13290
closedError ``dummynet: bad switch 21!`` when using Captive Portal with Limiters
0%
Description
After upgrading from 2.6.0 to 2.7.0, my Captives Portal users are dropped randomly, having to re-authenticate... There is a new version available (released today), but it's developer, so I don't have the security that everything can work out...
Updated by Marcos M over 2 years ago
- Tracker changed from Bug to Regression
- Status changed from New to Feedback
- Priority changed from High to Normal
There's not enough info here to troubleshoot this. Discussion of the issue may be continued on the forums: https://forum.netgate.com/topic/172665/dummynet-bad-switch-21
Updated by Axel Taferner over 2 years ago
I've updated to pfSense+ 22.05 today and I'm seeing the same thing on the console when activating a captive portal.
Updated by Axel Taferner over 2 years ago
I've posted some additional info on the forums here: https://forum.netgate.com/topic/173061/captive-portal-broken-after-upgrade-to-22-05
In addition to the repeating "dummynet bad switch 21" message in the console enabling the captive portal also breaks policy-based routing, but only for devices that are allowed to bypass the captive portal with their mac address. devices that authenticate through the captive portal are correctly routed.
Updated by Kristof Provost over 2 years ago
The 'bad switch' message originates in dummynet_send(), and the '21' is decimal, so 0x15. Representing PROTO_IPV6 | PROTO_LAYER2 | DIR_IN.
Presumably there's IPv6 traffic on the captive portal that's now also being directed into dummynet, but we don't have a case for that in the switch statement, so we fall into this warning (and drop the v6 traffic). The fix is trivial: https://gitlab.netgate.com/pfSense/FreeBSD-src/-/merge_requests/100
I don't think that error message is related to policy routing not working for devices with a whitelisted MAC address. That sounds a lot more like incorrect rules, and will need a separate fix.
Updated by Jim Pingle over 2 years ago
- Subject changed from My PfSense version 2.7 is returning the error "dummynet bad switch 21" every time I activate my Captive Portals (7). to Error ``dummynet: bad switch 21!`` with Captive Portals and Limiters active
Updated by Kristof Provost over 2 years ago
I believe the failure to apply policy routing on whitelisted mac addresses is due to rules like `pass in quick all flags S/SA keep state ridentifier 13003 tagged cpzoneid_2_passthru`. That is, we tag them in the ethernet rules (based on the MAC address) and then use that rule to allow that. As it's 'pass quick' we no longer apply 'route-to' rules that might come later.
I think we need to create the same rule for passthru tagged packets as for auth tagged packets:
diff --git a/src/etc/inc/captiveportal.inc b/src/etc/inc/captiveportal.inc index c9ea3c9ce1..2914eaf6fa 100644 --- a/src/etc/inc/captiveportal.inc +++ b/src/etc/inc/captiveportal.inc @@ -2690,7 +2690,7 @@ function filter_captiveportal_pass() { $rules .= "pass out quick on {$realif} proto tcp from {$cpip} port {$portalias} to any flags any ridentifier {$captiveportal_increment()} keep state(sloppy)\n"; } /* Allowed IP/MAC passthrough */ - $rules .= "pass in quick from any to any tagged {$passthrutag} ridentifier {$captiveportal_increment()} keep state\n"; + $rules .= "block in quick on {$realif} from any to ! <{$cpips}> ! tagged {$passthrutag} ridentifier {$captiveportal_increment()}\n"; /* block non-authenticated clients access to internet */ $rules .= "block in quick on {$realif} from any to ! <{$cpips}> ! tagged {$authtag} ridentifier {$captiveportal_increment()}\n"; }
Updated by Marcos M over 2 years ago
For reference:
There's a redmine report for the policy routing issue here https://redmine.pfsense.org/issues/13323
The error message issue fix is available in the pfSense DEV version.
Updated by Marcos M almost 2 years ago
- Status changed from Feedback to Resolved
- Assignee set to Kristof Provost
- Plus Target Version set to 23.01
- Affected Architecture All added
- Affected Architecture deleted (
amd64)
Updated by Jim Pingle almost 2 years ago
- Subject changed from Error ``dummynet: bad switch 21!`` with Captive Portals and Limiters active to Error ``dummynet: bad switch 21!`` when using Captive Portal with Limiters
Updating subject for release notes.