https://redmine.pfsense.org/ | https://redmine.pfsense.org/favicon.ico?1678052116 | 2013-01-26T20:18:56Z | pfSense bugtracker
pfSense - Bug #2780: CP: passthough has no effect | https://redmine.pfsense.org/issues/2780?journal_id=10411 | 2013-01-26T20:18:56Z | Chris Buechler | cbuechler@gmail.com
<ul><li><strong>Target version</strong> set to <i>2.1</i></li><li><strong>Affected Version</strong> set to <i>2.1</i></li></ul>
pfSense - Bug #2780: CP: passthough has no effect | https://redmine.pfsense.org/issues/2780?journal_id=10412 | 2013-01-27T06:41:21Z | Ermal Luçi | eri@pfsense.org
<ul></ul><p>Can you show <br /><pre>
ipfw -x $cpzone show
ipfw -x $cpzone table all list
</pre></p>
pfSense - Bug #2780: CP: passthough has no effect | https://redmine.pfsense.org/issues/2780?journal_id=10413 | 2013-01-27T07:44:11Z | Daniel Berteaud | dani-pfs@lapiole.org
<ul></ul><p>Here's the result (wifi is the name of my CP zone)</p>
<p>[2.1-BETA1][<a class="email" href="mailto:root@pfsense.domain.local">root@pfsense.domain.local</a>]/root(1): ipfw -x wifi show<br />65291 0 0 allow pfsync from any to any<br />65292 0 0 allow carp from any to any<br />65301 14 626 allow ip from any to any layer2 mac-type 0x0806,0x8035<br />65302 0 0 allow ip from any to any layer2 mac-type 0x888e,0x88c7<br />65303 0 0 allow ip from any to any layer2 mac-type 0x8863,0x8864<br />65307 0 0 deny ip from any to any layer2 not mac-type 0x0800,0x86dd<br />65310 3 237 allow ip from any to { 255.255.255.255 or 192.168.17.1 } in<br />65311 3 346 allow ip from { 255.255.255.255 or 192.168.17.1 } to any out<br />65312 0 0 allow icmp from { 255.255.255.255 or 192.168.17.1 } to any out icmptypes 0<br />65313 0 0 allow icmp from any to { 255.255.255.255 or 192.168.17.1 } in icmptypes 8<br />65314 0 0 pipe tablearg ip from table(3) to any in<br />65315 0 0 pipe tablearg ip from any to table(4) out<br />65316 0 0 pipe tablearg ip from table(1) to any in<br />65317 0 0 pipe tablearg ip from any to table(2) out<br />65532 0 0 fwd 127.0.0.1,8000 tcp from any to any dst-port 80 in<br />65533 0 0 allow tcp from any to any out<br />65534 21 2357 deny ip from any to any<br />65535 5 364 allow ip from any to any<br />[2.1-BETA1][<a class="email" href="mailto:root@pfsense.domain.local">root@pfsense.domain.local</a>]/root(2): ipfw -x wifi table all list<br />[2.1-BETA1][<a class="email" href="mailto:root@pfsense.domain.local">root@pfsense.domain.local</a>]/root(3):</p>
<p>In the CP settings, I've added b8:c6:8e:f3:a1:43 in Mac-Passthrough and 192.168.19.253 in Allowed IP Addresses.</p>
<p>If I log into the CP with the device which has MAC address b8:c6:8e:f3:a1:43 (because I'm redirected to the login page), here's the result of ipfw -x wifi table list all:</p>
<p>[2.1-BETA1][<a class="email" href="mailto:root@pfsense.domain.local">root@pfsense.domain.local</a>]/root(5): ipfw -x wifi table all list<br />---table(1)---<br />192.168.17.11/32 mac b8:c6:8e:f3:a1:43 2046 126 16228<br />---table(2)---<br />192.168.17.11/32 mac b8:c6:8e:f3:a1:43 2047 172 200094<br />[2.1-BETA1][<a class="email" href="mailto:root@pfsense.domain.local">root@pfsense.domain.local</a>]/root(6):</p>
<p>Allowed IP Addresses are essential for me (it allows my own computers to bypass the CP with a VPN connection). For now, I had to revert to Nov 25 snapshot (which is the last I've tried where everything in the Captive Portal works on amd64). Just as a side note (maybe this should go in another bug), in the Allowed IP addresses settings, the Direction drop-down list (both, from or to) doesn't appear anymore.</p>
<p>Regards, Daniel</p>
pfSense - Bug #2780: CP: passthough has no effect | https://redmine.pfsense.org/issues/2780?journal_id=10415 | 2013-01-27T09:06:37Z | Cyrill B
<ul></ul><p><a class="user active" href="https://redmine.pfsense.org/users/4071">Ermal LUÇI</a>:<br />It seems that when configuring pipes the context argument is not correctly handled.</p>
<pre><code>ipfw -x guest pipe 2006 config bw 0Kbit/s queue 100 buckets 16<br />ipfw: setsockopt(IP_DUMMYNET_CONFIGURE): Invalid argument</code></pre>
pfSense - Bug #2780: CP: passthough has no effect | https://redmine.pfsense.org/issues/2780?journal_id=10416 | 2013-01-27T09:10:21Z | Cyrill B
<ul></ul><p>The direction support has been removed in commit [1] but the "Allowed Hostnames" configuration still shows the form fields.</p>
<p>[1] <a class="external" href="https://github.com/bsdperimeter/pfsense/commit/aea564088a335bef9c9d6fb55409dd0ad65b3049">https://github.com/bsdperimeter/pfsense/commit/aea564088a335bef9c9d6fb55409dd0ad65b3049</a></p>
pfSense - Bug #2780: CP: passthough has no effect | https://redmine.pfsense.org/issues/2780?journal_id=10419 | 2013-01-27T10:51:48Z | Ermal Luçi | eri@pfsense.org
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Feedback</i></li></ul><p>Fix has been included and should behave better in the later coming snapshots.</p>
pfSense - Bug #2780: CP: passthough has no effect | https://redmine.pfsense.org/issues/2780?journal_id=10427 | 2013-01-28T08:20:46Z | Daniel Berteaud | dani-pfs@lapiole.org
<ul></ul><p>I've just tested snapshot Jan 27. MAC passthrough seems to be working fine, but Allowed IP addresses are not. Here's the output of the two ipfw commands:</p>
<p>[2.1-BETA1][<a class="email" href="mailto:root@pfsense.domain.local">root@pfsense.domain.local</a>]/root(1): ipfw -x wifi show<br />00032 0 0 pipe 2080 ip from any to any MAC b8:c6:8e:f3:a1:43 any<br />00033 0 0 pipe 2081 ip from any to any MAC any b8:c6:8e:f3:a1:43<br />65291 0 0 allow pfsync from any to any<br />65292 0 0 allow carp from any to any<br />65301 5 212 allow ip from any to any layer2 mac-type 0x0806,0x8035<br />65302 0 0 allow ip from any to any layer2 mac-type 0x888e,0x88c7<br />65303 0 0 allow ip from any to any layer2 mac-type 0x8863,0x8864<br />65307 0 0 deny ip from any to any layer2 not mac-type 0x0800,0x86dd<br />65310 5 372 allow ip from any to { 255.255.255.255 or 192.168.17.1 } in<br />65311 5 494 allow ip from { 255.255.255.255 or 192.168.17.1 } to any out<br />65312 0 0 allow icmp from { 255.255.255.255 or 192.168.17.1 } to any out icmptypes 0<br />65313 0 0 allow icmp from any to { 255.255.255.255 or 192.168.17.1 } in icmptypes 8<br />65314 0 0 pipe tablearg ip from table(3) to any in<br />65315 0 0 pipe tablearg ip from any to table(4) out<br />65316 0 0 pipe tablearg ip from table(1) to any in<br />65317 0 0 pipe tablearg ip from any to table(2) out<br />65532 0 0 fwd 127.0.0.1,8000 tcp from any to any dst-port 80 in<br />65533 37 15216 allow tcp from any to any out<br />65534 124 20138 deny ip from any to any<br />65535 20 18424 allow ip from any to any<br />[2.1-BETA1][<a class="email" href="mailto:root@pfsense.domain.local">root@pfsense.domain.local</a>]/root(2): ipfw -x wifi table all list<br />---table(3)---<br />192.168.19.253/32 2082 0 0<br />---table(4)---<br />192.168.19.253/32 2083 0 0<br />[2.1-BETA1][<a class="email" href="mailto:root@pfsense.domain.local">root@pfsense.domain.local</a>]/root(3):</p>
<p>I don't quite understand what's wrong, looks like the tables have the correct entries (I've allowed IP 192.168.19.253), but I still cannot connect to it until I log into the CP (which is what I want to avoid)</p>
pfSense - Bug #2780: CP: passthough has no effect | https://redmine.pfsense.org/issues/2780?journal_id=10432 | 2013-01-28T09:57:40Z | Ermal Luçi | eri@pfsense.org
<ul></ul><p>Can you check the following sysctl values<br />net.link.ether.ipfw net.inet.ip.fw.one_pass</p>
<p>they should be 1 on both.</p>
<p>Also the output of<br />sysctl -a | grep pfil</p>
pfSense - Bug #2780: CP: passthough has no effect | https://redmine.pfsense.org/issues/2780?journal_id=10434 | 2013-01-28T13:24:49Z | Fredrik Reuterswärd | fr@frd.net
<ul></ul><p>I have the same problem using build Jan 28 08:16:34 EST 2013</p>
<p>Both net.link.ether.ipfw and net.inet.ip.fw.one_pass are set to 1</p>
<p>sysctl -a | grep pfil<br />net.inet.ip.pfil.inbound: pf, ipfw*<br />net.inet.ip.pfil.outbound: pf, ipfw*<br />net.link.bridge.pfil_local_phys: 0<br />net.link.bridge.pfil_member: 1<br />net.link.bridge.pfil_bridge: 0<br />net.link.bridge.pfil_onlyip: 0<br />net.inet6.ip6.pfil.inbound: pf, ipfw*<br />net.inet6.ip6.pfil.outbound: pf, ipfw*</p>
pfSense - Bug #2780: CP: passthough has no effect | https://redmine.pfsense.org/issues/2780?journal_id=10467 | 2013-01-31T02:12:10Z | Daniel Berteaud | dani-pfs@lapiole.org
<ul></ul><p>Sorry for the delay, here's the result:</p>
<p>[2.1-BETA1][<a class="email" href="mailto:root@pfsense.domain.local">root@pfsense.domain.local</a>]/root(1): sysctl -a | grep net.link.ether.ipfw<br />net.link.ether.ipfw: 1<br />[2.1-BETA1][<a class="email" href="mailto:root@pfsense.domain.local">root@pfsense.domain.local</a>]/root(3): sysctl -a | grep net.inet.ip.fw.one_pass<br />net.inet.ip.fw.one_pass: 1<br />[2.1-BETA1][<a class="email" href="mailto:root@pfsense.domain.local">root@pfsense.domain.local</a>]/root(4): sysctl -a | grep pfil<br />net.inet.ip.pfil.inbound: pf, ipfw*<br />net.inet.ip.pfil.outbound: pf, ipfw*<br />net.link.bridge.pfil_local_phys: 0<br />net.link.bridge.pfil_member: 1<br />net.link.bridge.pfil_bridge: 0<br />net.link.bridge.pfil_onlyip: 0<br />net.inet6.ip6.pfil.inbound: pf, ipfw*<br />net.inet6.ip6.pfil.outbound: pf, ipfw*<br />[2.1-BETA1][<a class="email" href="mailto:root@pfsense.domain.local">root@pfsense.domain.local</a>]/root(5):</p>
pfSense - Bug #2780: CP: passthough has no effect | https://redmine.pfsense.org/issues/2780?journal_id=10815 | 2013-02-17T07:52:32Z | Renato Botelho | renato@netgate.com
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>New</i></li></ul>
pfSense - Bug #2780: CP: passthough has no effect | https://redmine.pfsense.org/issues/2780?journal_id=10918 | 2013-02-25T10:20:43Z | Phil Lavin | phil@lavin.me.uk
<ul></ul><p>Also replicated here. Happy to provide debug info if it's required.</p>
<p>Phil</p>
pfSense - Bug #2780: CP: passthough has no effect | https://redmine.pfsense.org/issues/2780?journal_id=10945 | 2013-02-27T08:29:15Z | Renato Botelho | renato@netgate.com
<ul></ul><p>Since the to/from/both direction options were removed in <a class="changeset" title="Separate ipfw rule no db from limiter ones. Since ipfw has per instance feature while dummynet/li..." href="https://redmine.pfsense.org/projects/pfsense/repository/2/revisions/aea564088a335bef9c9d6fb55409dd0ad65b3049">aea564088a</a>, it started to consider Allowed IPs just as From. We still need to discuss whether this function should be restored or not. I'll keep the ticket as New for now.</p>
<p>I've committed <a class="changeset" title="Consider CP allowed IPs for both directions. It will help ticket #2780" href="https://redmine.pfsense.org/projects/pfsense/repository/2/revisions/5b0e0182c7fa2eb756a574fc7cca4dd0ea1de06a">5b0e0182c7</a>, a bandaid to fix it for now.</p>
pfSense - Bug #2780: CP: passthough has no effect | https://redmine.pfsense.org/issues/2780?journal_id=10965 | 2013-03-01T05:41:41Z | Daniel Berteaud | dani-pfs@lapiole.org
<ul></ul><p>Just updated to snapshot Wed Feb 27 and I confirm that the problem is fixed now, both MAC passthrough and Allowed IP are working.</p>
pfSense - Bug #2780: CP: passthough has no effect | https://redmine.pfsense.org/issues/2780?journal_id=11006 | 2013-03-05T13:06:34Z | Ermal Luçi | eri@pfsense.org
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Feedback</i></li></ul>
pfSense - Bug #2780: CP: passthough has no effect | https://redmine.pfsense.org/issues/2780?journal_id=11147 | 2013-03-20T06:05:59Z | Renato Botelho | renato@netgate.com
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>Resolved</i></li></ul>