Regression #13323

closed

Captive Portal breaks policy based routing for MAC address bypass clients

Added by Axel Taferner over 2 years ago. Updated about 2 years ago.

Status: Resolved
Priority: Normal
Category: Captive Portal
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 23.01
Release Notes: Default
Affected Version:
Affected Architecture:

Description

Relevant information about my network

  • LAN segment
  • VLAN for IoT and wifi devices
  • WAN1 is used as the default gateway
  • WAN2 is used as the gateway for devices on the IoT and wifi VLAN
  • Captive portal is configured on the IoT and wifi VLAN

Here is the issue:
When the captive portal is disabled everything is routed as described above.

But when I enable the captive portal, devices that are allowed to bypass the captive portal via MAC address are suddenly routed through the default gateway instead of WAN2.
Only devices that authenticate through the captive portal are still correctly routed over WAN2.


Files

13323.patch (2.36 KB) Marcos M, 07/04/2022 02:05 PM
Actions #1

Updated by Jim Pingle over 2 years ago

  • Assignee set to Kristof Provost
  • Priority changed from High to Normal
  • Target version changed from 23.01 to 2.7.0
Actions #3

Updated by Kristof Provost over 2 years ago

The draft patch wouldn't work, but a similar fix does:

https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/831

Actions #4

Updated by Axel Taferner over 2 years ago

Kristof, the link you posted doesn't work. DNS_PROBE_FINISHED_NXDOMAIN
You probably linked to something internal that's not accessible to the public.

Actions #5

Updated by Kristof Provost over 2 years ago

Yes, that's internal. It'll turn up in the public tree once I find a victim to review it. That's going to take a day or two, because most of the team is celebrating Independence Day right now.

Actions #6

Updated by Marcos M over 2 years ago

If you'd like to test it and provide feedback, here's the patch - apply it with the System Patches package.

Actions #7

Updated by Axel Taferner over 2 years ago

I've applied the patch and it fixed the problem for me. Thanks a bunch!

Actions #8

Updated by Kristof Provost over 2 years ago

  • Status changed from New to Feedback
Actions #9

Updated by Chris Linstruth over 2 years ago

Duplicated similar environment in 22.05. Confirmed policy routing was ignored for passthrumac entry hosts.

Upgraded to 22.09 (Jul 27) and confirmed captiveportal.inc was the patched version.

Confirmed policy routing was honored for passthrumac hosts.

Unsure if further testing is requested/required so leaving in Feedback.

Actions #10

Updated by Jim Pingle over 2 years ago

  • Status changed from Feedback to Resolved
  • % Done changed from 0 to 100

If it works as expected on a snapshot with the fix that's sufficient.

Actions #11

Updated by Flole Systems over 2 years ago

The comment

/* block non-authenticated clients access to internet */

should not be removed, instead the comment
/* Allowed IP/MAC passthrough */

should be removed as that is what the rule that was removed does.....

Actions #12

Updated by Jim Pingle about 2 years ago

  • Plus Target Version changed from 22.11 to 23.01
Actions #13

Updated by Jim Pingle about 2 years ago

  • Tracker changed from Bug to Regression
  • Subject changed from Captive Portal breaks policy based routing for mac address bypassed clients after upgrade to 22.05 to Captive Portal breaks policy based routing for MAC address bypass clients

Updating subject for release notes.
