Regression #13323
closed
Captive Portal breaks policy based routing for MAC address bypass clients
Added by Axel Taferner over 2 years ago.
Updated almost 2 years ago.
Plus Target Version:
23.01
Description
Relevant information about my network:
- LAN segment
- VLAN for IoT and wifi devices
- WAN1 is used as the default gateway
- WAN2 is used as the gateway for devices on the IoT and wifi VLAN
- Captive portal is configured on the IoT and wifi VLAN
Here is the issue:
When the captive portal is disabled everything is routed as described above.
But when I enable the captive portal, devices that are allowed to bypass the captive portal via MAC address are suddenly routed through the default gateway instead of WAN2.
Only devices that authenticate through the captive portal are still correctly routed over WAN2.
- Assignee set to Kristof Provost
- Priority changed from High to Normal
- Target version changed from 23.01 to 2.7.0
Kristof, the link you posted doesn't work. DNS_PROBE_FINISHED_NXDOMAIN
You probably linked to something internal that's not accessible to the public.
Yes, that's internal. It'll turn up in the public tree once I find a victim to review it. That's going to take a day or two, because most of the team is celebrating Independence Day right now.
If you'd like to test it and provide feedback, here's the patch - apply it with the System Patches package.
I've applied the patch and it fixed the problem for me. Thanks a bunch!
- Status changed from New to Feedback
Duplicated similar environment in 22.05. Confirmed policy routing was ignored for passthrumac entry hosts.
Upgraded to 22.09 (Jul 27) and confirmed captiveportal.inc was the patched version.
Confirmed policy routing was honored for passthrumac hosts.
Unsure if further testing is requested/required so leaving in Feedback.
- Status changed from Feedback to Resolved
- % Done changed from 0 to 100
If it works as expected on a snapshot with the fix that's sufficient.
The comment
/* block non-authenticated clients access to internet */
should not be removed; instead, the comment
/* Allowed IP/MAC passthrough */
should be removed, as that is what the rule that was removed does.
- Plus Target Version changed from 22.11 to 23.01
- Tracker changed from Bug to Regression
- Subject changed from Captive Portal breaks policy based routing for mac address bypassed clients after upgrade to 22.05 to Captive Portal breaks policy based routing for MAC address bypass clients
Updating subject for release notes.