Regression #13290

closed

Error ``dummynet: bad switch 21!`` when using Captive Portal with Limiters

Added by Rafael Ferreira over 1 year ago. Updated over 1 year ago.

Status: Resolved
Priority: Normal
Category: Captive Portal
Target version:
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version: 23.01
Release Notes: Default
Affected Version: 2.7.0
Affected Architecture: All

Description

After upgrading from 2.6.0 to 2.7.0, my Captive Portal users are dropped randomly, having to re-authenticate... There is a new version available (released today), but it's developer, so I don't have the security that everything can work out...

Actions #1

Updated by Marcos M over 1 year ago

  • Tracker changed from Bug to Regression
  • Status changed from New to Feedback
  • Priority changed from High to Normal

There's not enough info here to troubleshoot this. Discussion of the issue may be continued on the forums: https://forum.netgate.com/topic/172665/dummynet-bad-switch-21

Actions #2

Updated by Axel Taferner over 1 year ago

I've updated to pfSense+ 22.05 today and I'm seeing the same thing on the console when activating a captive portal.

Actions #3

Updated by Axel Taferner over 1 year ago

I've posted some additional info on the forums here: https://forum.netgate.com/topic/173061/captive-portal-broken-after-upgrade-to-22-05
In addition to the repeating "dummynet bad switch 21" message in the console, enabling the captive portal also breaks policy-based routing, but only for devices that are allowed to bypass the captive portal with their MAC address. Devices that authenticate through the captive portal are correctly routed.

Actions #4

Updated by Kristof Provost over 1 year ago

The 'bad switch' message originates in dummynet_send(), and the '21' is decimal, so 0x15, representing PROTO_IPV6 | PROTO_LAYER2 | DIR_IN.

Presumably there's IPv6 traffic on the captive portal that's now also being directed into dummynet, but we don't have a case for that in the switch statement, so we fall into this warning (and drop the v6 traffic). The fix is trivial: https://gitlab.netgate.com/pfSense/FreeBSD-src/-/merge_requests/100

I don't think that error message is related to policy routing not working for devices with a whitelisted MAC address. That sounds a lot more like incorrect rules, and will need a separate fix.
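The decoding described in the comment above, as an added example that is not part of the original issue or of the FreeBSD/pfSense source: it pulls the number out of a `dummynet: bad switch N!` console line and names the bits that are set. The function names are hypothetical, and the flag values are assumed to match FreeBSD's `ip_dn_private.h`.

```c
#include <stdio.h>
#include <string.h>

/* Flag values as defined in FreeBSD's sys/netpfil/ipfw/ip_dn_private.h
 * (assumption: check them against the source tree of the kernel you run).
 * That header also has PROTO_IFB (0x0c); it is reported here as its bits. */
enum {
    DIR_OUT = 0, DIR_IN = 1, DIR_FWD = 2, DIR_DROP = 3, DIR_MASK = 0x3,
    PROTO_LAYER2 = 0x04, PROTO_IPV4 = 0x08, PROTO_IPV6 = 0x10
};

/* Extract N from a console line containing "dummynet: bad switch N!".
 * Returns -1 when the line does not carry that message. */
int parse_bad_switch(const char *line)
{
    int value;
    const char *p = strstr(line, "dummynet: bad switch ");

    if (p == NULL || sscanf(p, "dummynet: bad switch %d!", &value) != 1)
        return -1;
    return value;
}

/* Render the protocol and direction bits of `dir` as "A | B | C" into buf.
 * Returns buf, or NULL if unknown bits are set or buf is too small. */
const char *decode_dn_dir(int dir, char *buf, size_t len)
{
    static const char *const dirs[] = { "DIR_OUT", "DIR_IN", "DIR_FWD", "DIR_DROP" };
    const int known = DIR_MASK | PROTO_LAYER2 | PROTO_IPV4 | PROTO_IPV6;
    int n;

    if (dir < 0 || (dir & ~known) != 0)
        return NULL;
    n = snprintf(buf, len, "%s%s%s%s",
        (dir & PROTO_IPV6) ? "PROTO_IPV6 | " : "",
        (dir & PROTO_IPV4) ? "PROTO_IPV4 | " : "",
        (dir & PROTO_LAYER2) ? "PROTO_LAYER2 | " : "",
        dirs[dir & DIR_MASK]);
    return (n < 0 || (size_t)n >= len) ? NULL : buf;
}

int main(void)
{
    /* Constructed sample console line, modelled on the message in this report. */
    const char *line = "kernel: dummynet: bad switch 21!";
    char buf[64];
    int v = parse_bad_switch(line);
    const char *s = (v >= 0) ? decode_dn_dir(v, buf, sizeof(buf)) : NULL;

    printf("%d -> %s\n", v, s ? s : "(not decodable)");
    return 0;
}
```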

Actions #5

Updated by Jim Pingle over 1 year ago

  • Subject changed from My PfSense version 2.7 is returning the error "dummynet bad switch 21" every time I activate my Captive Portals (7). to Error ``dummynet: bad switch 21!`` with Captive Portals and Limiters active

Actions #6

Updated by Kristof Provost over 1 year ago

I believe the failure to apply policy routing on whitelisted MAC addresses is due to rules like `pass in quick all flags S/SA keep state ridentifier 13003 tagged cpzoneid_2_passthru`. That is, we tag them in the Ethernet rules (based on the MAC address) and then use that rule to allow that. As it's 'pass quick' we no longer apply 'route-to' rules that might come later.

I think we need to create the same rule for passthru tagged packets as for auth tagged packets:

diff --git a/src/etc/inc/captiveportal.inc b/src/etc/inc/captiveportal.inc
index c9ea3c9ce1..2914eaf6fa 100644
--- a/src/etc/inc/captiveportal.inc
+++ b/src/etc/inc/captiveportal.inc
@@ -2690,7 +2690,7 @@ function filter_captiveportal_pass() {
                                                $rules .= "pass out quick on {$realif} proto tcp from {$cpip} port {$portalias} to any flags any ridentifier {$captiveportal_increment()} keep state(sloppy)\n";
                                        }
                                        /* Allowed IP/MAC passthrough */
-                                       $rules .= "pass in quick from any to any tagged {$passthrutag} ridentifier {$captiveportal_increment()} keep state\n";
+                                       $rules .= "block in quick on {$realif} from any to ! <{$cpips}> ! tagged {$passthrutag} ridentifier {$captiveportal_increment()}\n";
                                        /* block non-authenticated clients access to internet */
                                        $rules .= "block in quick on {$realif} from any to ! <{$cpips}> ! tagged {$authtag} ridentifier {$captiveportal_increment()}\n";
                                }
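Review bot: The added `block in quick ... ! tagged {$passthrutag}` rule sits directly above the existing `block in quick ... ! tagged {$authtag}` rule, so a packet has to carry both tags to get past the pair. pf keeps a single tag per packet, which means authenticated clients (tagged `{$authtag}` only) would be dropped by the new rule and passthrough clients (tagged `{$passthrutag}` only) by the existing one. The block should fire only for packets that carry neither tag, for example by having the Ethernet rules apply one common tag that a single `! tagged` block tests, without reintroducing a `pass quick` that would skip later `route-to` rules. The `/* Allowed IP/MAC passthrough */` comment above the changed line also no longer describes what the line does, since it now blocks, and should be updated.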

Actions #7

Updated by Marcos M over 1 year ago

For reference:

There's a redmine report for the policy routing issue here https://redmine.pfsense.org/issues/13323

The error message issue fix is available in the pfSense DEV version.

Actions #8

Updated by Marcos M over 1 year ago

  • Status changed from Feedback to Resolved
  • Assignee set to Kristof Provost
  • Plus Target Version set to 23.01
  • Affected Architecture All added
  • Affected Architecture deleted (amd64)

Actions #9

Updated by Jim Pingle over 1 year ago

  • Subject changed from Error ``dummynet: bad switch 21!`` with Captive Portals and Limiters active to Error ``dummynet: bad switch 21!`` when using Captive Portal with Limiters

Updating subject for release notes.
