Bug #16540

open

Reserved dummynet pipes for Captive Portal can overlap

Added by Christopher Causer 6 days ago. Updated about 22 hours ago.

Status: Feedback
Priority: Normal
Assignee:
Category: Captive Portal
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 25.11
Release Notes: Default
Affected Version:
Affected Architecture: All

Description

Periodically, and outside of work hours (don't know if that's relevant as it may be luck), the allowed hostnames (accessible via services_captiveportal_hostname.php) in our Captive Portal fail to be reachable. Investigation of the issue on the box in question has led to the discovery that while the pf ether pass rules remain up throughout and are being matched and relevant counters are incremented, the associated dnpipe with the rule is missing and is the reason for the outages.

Here is an example rule:

ether pass in quick l3 from any to <cpzoneid_2_hostname_26> tag cpzoneid_2_auth dnpipe 2186

Changing the dnpipe number to one used by another working rule reliably makes traffic flow again:

# echo 'ether pass in quick l3 from any to <cpzoneid_2_hostname_26> tag cpzoneid_2_auth dnpipe 2282' | pfctl -a 'cpzoneid_2_allowedhosts/hostname_26' -f -

Whenever the box is dropping traffic, there is no pipe:

# dnctl pipe show 2186
[NOTHING]

And when traffic does start flowing again (through no intervention on our part) there is a pipe:

# dnctl pipe show 2186
02186: unlimited         0 ms burst 0 
q133258 100 sl. 0 flows (1 buckets) sched 67722 weight 0 lmax 0 pri 0 droptail
 sched 67722 type FIFO flags 0x0 16 buckets 0 active

The dnpipe numbers in the pf ether rules remain constant throughout: it is just the absence and presence of the dnpipe which is causing our issue. Hopefully this is enough information for you, but this situation is 100% repeatable: the hosts become unreachable for 10-12 hours each night, in a staggered fashion, presumably as the dnpipes are reaped and replaced at different times.

We do not use any traffic shaping.

Details that may be relevant:
Netgate pfSense Plus
25.07.1-RELEASE (amd64)
built on Fri Oct 24 15:27:00 BST 2025
FreeBSD 15.0-CURRENT

Thank you for your time.
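
A check for the condition described in this report, as an added example that is not part of the original report or of pfSense: it lists dnpipe numbers that ether rules reference but that have no matching pipe in `dnctl pipe show` output. The function names and the sample inputs are constructed for illustration; on a live system the two inputs would be the loaded ether rules and the output of `dnctl pipe show`.

```shell
#!/bin/sh
# Added example: find dangling dnpipe references in pf ether rules.

# Print each pipe number that follows a "dnpipe" keyword in rules on stdin.
rule_pipes() {
    awk '{ for (i = 1; i < NF; i++)
               if ($i == "dnpipe" && $(i + 1) ~ /^[0-9]+$/) print $(i + 1) + 0 }' |
        sort -n -u
}

# Print the pipe numbers defined in "dnctl pipe show" output on stdin.
# Pipe header lines look like "02186: unlimited ..."; the queue ("q...")
# and "sched" lines do not start with digits followed by a colon.
defined_pipes() {
    awk '$1 ~ /^[0-9]+:$/ { sub(/:$/, "", $1); print $1 + 0 }' | sort -n -u
}

# missing_pipes RULES PIPES
# Print pipes referenced in the RULES text that are absent from the PIPES text.
missing_pipes() {
    for p in $(printf '%s\n' "$1" | rule_pipes); do
        printf '%s\n' "$2" | defined_pipes | grep -qx "$p" || echo "$p"
    done
}

# Constructed sample input, modelled on the rule format shown in the report.
SAMPLE_RULES='ether pass in quick l3 from any to <cpzoneid_2_hostname_26> tag cpzoneid_2_auth dnpipe 2186
ether pass in quick l3 from any to <cpzoneid_2_hostname_27> tag cpzoneid_2_auth dnpipe 2282'

# Constructed sample of pipe listing output in which only pipe 2282 exists.
SAMPLE_PIPES='02282: unlimited         0 ms burst 0
q133354 100 sl. 0 flows (1 buckets) sched 67818 weight 0 lmax 0 pri 0 droptail
 sched 67818 type FIFO flags 0x0 16 buckets 0 active'

# Prints the pipe that a rule still points at but dummynet no longer has.
missing_pipes "$SAMPLE_RULES" "$SAMPLE_PIPES"
```

Run periodically with live input, a non-empty result marks the window in which a rule still matches traffic while its pipe is gone.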


Files

cppatch_25.07.1.txt (5.33 KB) Marcos M, 11/19/2025 08:23 PM