Regression #13323
Status: closed
Captive Portal breaks policy based routing for MAC address bypass clients
100% done
Description
Relevant information about my network:
- LAN segment
- VLAN for IoT and wifi devices
- WAN1 is used as the default gateway
- WAN2 is used as the gateway for devices on the IoT and wifi VLAN
- Captive portal is configured on the IoT and wifi VLAN
Here is the issue:
When the captive portal is disabled everything is routed as described above.
But when I enable the captive portal, devices that are allowed to bypass the captive portal via mac address are suddenly routed through the default gateway instead of WAN2.
Only devices that authenticate through the captive portal are still correctly routed over WAN2.
Updated by Jim Pingle over 2 years ago
- Assignee set to Kristof Provost
- Priority changed from High to Normal
- Target version changed from 23.01 to 2.7.0
Updated by Marcos M over 2 years ago
Potential fix here: https://redmine.pfsense.org/issues/13290#note-6
Updated by Kristof Provost over 2 years ago
The draft patch wouldn't work, but a similar fix does:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/831
Updated by Axel Taferner over 2 years ago
Kristof, the link you posted doesn't work. DNS_PROBE_FINISHED_NXDOMAIN
You probably linked to something internal that's not accessible to the public.
Updated by Kristof Provost over 2 years ago
Yes, that's internal. It'll turn up in the public tree once I find a victim to review it. That's going to take a day or two, because most of the team is celebrating Independence day right now.
Updated by Marcos M over 2 years ago
- File 13323.patch added
If you'd like to test it and provide feedback, here's the patch - apply it with the System Patches package.
Updated by Axel Taferner over 2 years ago
I've applied the patch and it fixed the problem for me. Thanks a bunch!
Updated by Kristof Provost over 2 years ago
- Status changed from New to Feedback
And that fix has landed: https://github.com/pfsense/pfsense/commit/add6447b9dc801144141bb24f8c264e03a0e7cae
Updated by Chris Linstruth over 2 years ago
Duplicated similar environment in 22.05. Confirmed policy routing was ignored for passthrumac entry hosts.
Upgraded to 22.09 (Jul 27) and confirmed captiveportal.inc was the patched version.
Confirmed policy routing was honored for passthrumac hosts.
Unsure if further testing is requested/required so leaving in Feedback.
Updated by Jim Pingle over 2 years ago
- Status changed from Feedback to Resolved
- % Done changed from 0 to 100
If it works as expected on a snapshot with the fix that's sufficient.
Updated by Flole Systems over 2 years ago
The comment
/* block non-authenticated clients access to internet */
should not be removed, instead the comment
/* Allowed IP/MAC passthrough */
should be removed, as that is what the rule that was removed does.
Updated by Jim Pingle about 2 years ago
- Plus Target Version changed from 22.11 to 23.01
Updated by Jim Pingle about 2 years ago
- Tracker changed from Bug to Regression
- Subject changed from Captive Portal breaks policy based routing for mac address bypassed clients after upgrade to 22.05 to Captive Portal breaks policy based routing for MAC address bypass clients
Updating subject for release notes.