Bug #14020 (open)
Captive Portal breaks policy routing for allowed IP addresses with specified bandwidth after upgrade to 2.6.0
Description
The topic on forum.netgate.com is here: https://forum.netgate.com/topic/178194/captive-portal-blocking-allowed-ip-addresses-with-bandwidth-in-2-6-0
This bug has appeared since we upgraded from version 2.5.2.
Problem description:
We have devices with static IP addresses that are on the allowlist in the captive portal settings. These devices can't connect to the internet, but they can reach the firewall (ping to it works).
The problem occurs when I set the up/down bandwidth for an allowed IP address that bypasses the captive portal without authentication. Also, the connection is not cut off immediately after the modification; it is cut off after consuming the amount of data (bytes) set by the two bandwidth fields in the captive portal zone edit window. I think the limiter (up/down) works here as a data quota for this IP instead of a speed limit.
Note: When we increase the bandwidth value, the connection lasts longer, and more packets or a larger amount of bytes pass before pfSense interrupts it.
Note 2: To fix this error temporarily, we can just open the entry in the allowed IPs list, hit the Save button, and then the stuck devices can communicate with the captive portal again.
Here is the issue:
When the captive portal is disabled, everything is routed correctly.
But when I enable the captive portal, devices that are allowed to bypass the captive portal via IP address are suddenly stopped.
Only devices that authenticated through the captive portal are still correctly routed over WAN and connected to the internet.
There is a similar issue, "Blocking allowed MAC addresses that need bypass Captive Portal", at this link: https://redmine.pfsense.org/issues/13323
and the forum topic is: https://forum.netgate.com/topic/161952/captive-portal-blocking-white-listed-mac-addresses-in-2-5-0