Project

General

Profile

Actions
Copy link

Bug #16264

open

In some circumstances, ethernet rules generated by the Captive portal block the ARP

Added by Lev Prokofev 4 months ago. Updated 3 months ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Captive Portal
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Release Notes:
Default
Affected Plus Version:
24.11
Affected Architecture:

Description

The setup is on an HA pair, Captive portal configured on LAN interface (ix0)

            <if>ix0</if>
            <spoofmac></spoofmac>
            <enable></enable>
            <ipaddr>192.168.7.4</ipaddr>
            <subnet>29</subnet>

Ethernet ruleset:

# pfctl -s ether
ether pass on ix0 l3 all tag cpzoneid_2_rdr
ether anchor "cpzoneid_2_auth/*" on ix0 l3 all
ether anchor "cpzoneid_2_passthrumac/*" on ix0 l3 all
ether anchor "cpzoneid_2_allowedhosts/*" on ix0 l3 all
After the random time, the primary node stops passing the ARPs on IX0 for all hosts

It starts to work if the subnet is tagged by "cpzoneid_2_auth"

 echo 'ether pass in quick proto 0x0806 l3 from 192.168.7.0/29 tag cpzoneid_2_auth' | pfctl -a 'cpzoneid_2_auth/192.168.7.0_29' -f -

The issue never occurs on the secondary node.

Ticket for reference #23118866478 (additionally probably related tkt #24032478035)

Files

Download all files
clipboard-202507031604-v3sfd.png (928 KB) clipboard-202507031604-v3sfd.png Lev Prokofev, 07/03/2025 01:04 PM
clipboard-202507031604-svctj.png (479 KB) clipboard-202507031604-svctj.png Lev Prokofev, 07/03/2025 01:04 PM
clipboard-202507031605-zvwil.png (517 KB) clipboard-202507031605-zvwil.png Lev Prokofev, 07/03/2025 01:05 PM
clipboard-202507031606-apesg.png (382 KB) clipboard-202507031606-apesg.png Lev Prokofev, 07/03/2025 01:06 PM
Actions
Copy link

Also available in: Atom PDF