Netgate SG-1000 microFirewall

Author Topic: Captive Portal + FreeRadius + Maximum Bandwidith Param Issue  (Read 314 times)

0 Members and 1 Guest are viewing this topic.

Offline Race122

  • Newbie
  • *
  • Posts: 2
  • Karma: +0/-0
    • View Profile
Captive Portal + FreeRadius + Maximum Bandwidith Param Issue
« on: October 31, 2017, 06:17:06 am »
Hello, I recently updated pfSense from 2.3.5->2.4.0->2.4.1 and now i have an issue with all users that use the "Maximum Bandwidth Down" and "Maximum Bandwidth Up" parameters in FreeRadius.
I run 2 types of captive portals on the network. I have one normal, MAC Filtered portal for a limited section of devices that does NOT use FreeRadius and works fine.

I have a second captive portal that uses FreeRadius users as voucher like authentication.
Now if i create uses that have NO max bandwidth set then the voucher will work just fine, however, i then create users WITH a max bandwidth up or down the user cannot receive internet. As most my vouchers have a limited bandwidth most have ceased to work.

The logs show the logins are successful and all redirects, re-auth every minute etc work fine, but they cannot get internet in any capacity not DNS resolves, pings etc. I will note that local traffic works ok.

I have 7 installations of pfSense that use the FreeRadius voucher system, and the 2 systems that are updated to 2.4.1 have the same issue and the others remain ok.

Does anyone have a similar problem? or know where i can look to solve this?



The below log shows the auth on my test voucher working ok, but as you can see there is no traffic passing.

Oct 31 10:45:27   radiusd   12655   (35) Login OK: [789/002424] (from client firewall port 2008 cli dc:a9:04:2a:bb:df)
Oct 31 10:47:42   root      FreeRADIUS: User 23456 has used 0 MB of 2000 MB forever allotted traffic. The login request was accepted.
Oct 31 10:47:42   radiusd   12655   (37) Login OK: [23456/002424] (from client firewall port 2008 cli dc:a9:04:2a:bb:df)
Oct 31 10:48:29   root      FreeRADIUS: User 23456 has used 0 MB of 2000 MB forever allotted traffic. The login request was accepted.
Oct 31 10:48:29   radiusd   12655   (41) Login OK: [23456/002424] (from client firewall port 2008 cli dc:a9:04:2a:bb:df)


Logins and logouts seem to be normal as well.

Oct 31 10:49:43   logportalauth   90799   Zone: vouchertestnetwork - DISCONNECT: 23456, dc:a9:04:2a:bb:df, 192.168.18.22
Oct 31 10:50:43   logportalauth   90799   Zone: vouchertestnetwork - USER LOGIN: 789, dc:a9:04:2a:bb:df, 192.168.18.22
Oct 31 10:53:45   logportalauth   65640   Zone: vouchertestnetwork - DISCONNECT: 789, dc:a9:04:2a:bb:df, 192.168.18.22
Oct 31 10:53:54   logportalauth   76791   Zone: vouchertestnetwork - USER LOGIN: 23456, dc:a9:04:2a:bb:df, 192.168.18.22
Oct 31 11:00:50   logportalauth   72347   Zone: vouchertestnetwork - TIMEOUT: 23456, dc:a9:04:2a:bb:df, 192.168.18.22

Offline asbonet

  • Newbie
  • *
  • Posts: 7
  • Karma: +0/-0
    • View Profile
Re: Captive Portal + FreeRadius + Maximum Bandwidith Param Issue
« Reply #1 on: October 31, 2017, 06:18:42 am »
I am having the same issue.

Offline Rakshith

  • Newbie
  • *
  • Posts: 1
  • Karma: +0/-0
    • View Profile
Re: Captive Portal + FreeRadius + Maximum Bandwidith Param Issue
« Reply #2 on: November 02, 2017, 01:18:52 am »
we are facing same issues when in freeRadius users Bandwidth allocated means user able to login but not getting internet,if we removed the bandwidth in freeradius user can able to access internet 

Offline asbonet

  • Newbie
  • *
  • Posts: 7
  • Karma: +0/-0
    • View Profile
Re: Captive Portal + FreeRadius + Maximum Bandwidith Param Issue
« Reply #3 on: November 06, 2017, 03:50:08 am »
But normal captive portal data rate limiters are still working just the radius ones that are not.

Offline alfrenetico

  • Newbie
  • *
  • Posts: 3
  • Karma: +0/-0
    • View Profile
Re: Captive Portal + FreeRadius + Maximum Bandwidith Param Issue
« Reply #4 on: November 14, 2017, 09:26:02 am »
I am having the same issue.

Offline jimp

  • Administrator
  • Hero Member
  • *****
  • Posts: 21404
  • Karma: +1437/-26
    • View Profile
Re: Captive Portal + FreeRadius + Maximum Bandwidith Param Issue
« Reply #5 on: November 14, 2017, 10:00:36 am »
What exact values are you passing back for user bandwidth?

What values do you see for the user in "ipfw pipe show"? Does it match what you sent through RADIUS?

Some people had issues with fractional bandwidth values which do not function properly, the values must be integers.
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!

Offline Race122

  • Newbie
  • *
  • Posts: 2
  • Karma: +0/-0
    • View Profile
Re: Captive Portal + FreeRadius + Maximum Bandwidith Param Issue
« Reply #6 on: November 15, 2017, 04:36:35 am »
I have several voucher speeds provided, but mostly they are:
Maximum Bandwidth Down: 150 OR 250
Maximum Bandwidth UP: 75 OR 150

All speeds are always set as integers

But regardless of the value placed there the issue is the same, all config options i set are:
Username
Password <-- Always numbers
Amount of Download and Upload Traffic <-- 10 OR 20 OR 60 OR 200 etc etc
Time Period <-- Always Forever
and Bandwidth as above


Example Voucher:
Username: alex
Password: 1234
Amount of Download and Upload Traffic: 50
Time Period: Forever
max Bandwidth down: 512
Max Bandwidth up: 256

Users.conf shows this:

"alex" Cleartext-Password := "1234"

   WISPr-Bandwidth-Max-Up := 262144,
   WISPr-Bandwidth-Max-Down := 524288,
   Exec-Program-Wait = "/bin/sh /usr/local/etc/raddb/scripts/datacounter_auth.sh alex forever"


I did the command you sent and i will post the output below:

00001: 250.000 Kbit/s    0 ms burst 0
q131073  50 sl. 0 flows (1 buckets) sched 65537 weight 0 lmax 0 pri 0 droptail
 sched 65537 type FIFO flags 0x0 0 buckets 0 active
00002: 150.000 Kbit/s    0 ms burst 0
q131074  50 sl. 0 flows (1 buckets) sched 65538 weight 0 lmax 0 pri 0 droptail
 sched 65538 type FIFO flags 0x0 0 buckets 0 active
02002: unlimited         0 ms burst 0
q133074 100 sl. 0 flows (1 buckets) sched 67538 weight 0 lmax 0 pri 0 droptail
 sched 67538 type FIFO flags 0x0 16 buckets 0 active
02003: unlimited         0 ms burst 0
q133075 100 sl. 0 flows (1 buckets) sched 67539 weight 0 lmax 0 pri 0 droptail
 sched 67539 type FIFO flags 0x0 16 buckets 0 active
02000: unlimited         0 ms burst 0
q133072 100 sl. 0 flows (1 buckets) sched 67536 weight 0 lmax 0 pri 0 droptail
 sched 67536 type FIFO flags 0x0 16 buckets 0 active
02001: unlimited         0 ms burst 0
q133073 100 sl. 0 flows (1 buckets) sched 67537 weight 0 lmax 0 pri 0 droptail
 sched 67537 type FIFO flags 0x0 16 buckets 0 active
02006: unlimited         0 ms burst 0
q133078 100 sl. 0 flows (1 buckets) sched 67542 weight 0 lmax 0 pri 0 droptail
 sched 67542 type FIFO flags 0x0 16 buckets 0 active
02007: unlimited         0 ms burst 0
q133079 100 sl. 0 flows (1 buckets) sched 67543 weight 0 lmax 0 pri 0 droptail
 sched 67543 type FIFO flags 0x0 16 buckets 0 active
02004: unlimited         0 ms burst 0
q133076 100 sl. 0 flows (1 buckets) sched 67540 weight 0 lmax 0 pri 0 droptail
 sched 67540 type FIFO flags 0x0 16 buckets 0 active
02005: unlimited         0 ms burst 0
q133077 100 sl. 0 flows (1 buckets) sched 67541 weight 0 lmax 0 pri 0 droptail
 sched 67541 type FIFO flags 0x0 16 buckets 0 active
[2.4.1-RELEASE][admin@Firewall.company]/root: ipfw pipe show
00001: 250.000 Kbit/s    0 ms burst 0
q131073  50 sl. 0 flows (1 buckets) sched 65537 weight 0 lmax 0 pri 0 droptail
 sched 65537 type FIFO flags 0x0 0 buckets 0 active
00002: 150.000 Kbit/s    0 ms burst 0
q131074  50 sl. 0 flows (1 buckets) sched 65538 weight 0 lmax 0 pri 0 droptail
 sched 65538 type FIFO flags 0x0 0 buckets 0 active
02002: unlimited         0 ms burst 0
q133074 100 sl. 0 flows (1 buckets) sched 67538 weight 0 lmax 0 pri 0 droptail
 sched 67538 type FIFO flags 0x0 16 buckets 0 active
02003: unlimited         0 ms burst 0
q133075 100 sl. 0 flows (1 buckets) sched 67539 weight 0 lmax 0 pri 0 droptail
 sched 67539 type FIFO flags 0x0 16 buckets 0 active
02000: unlimited         0 ms burst 0
q133072 100 sl. 0 flows (1 buckets) sched 67536 weight 0 lmax 0 pri 0 droptail
 sched 67536 type FIFO flags 0x0 16 buckets 0 active
02001: unlimited         0 ms burst 0
q133073 100 sl. 0 flows (1 buckets) sched 67537 weight 0 lmax 0 pri 0 droptail
 sched 67537 type FIFO flags 0x0 16 buckets 0 active
02006: unlimited         0 ms burst 0
q133078 100 sl. 0 flows (1 buckets) sched 67542 weight 0 lmax 0 pri 0 droptail
 sched 67542 type FIFO flags 0x0 16 buckets 0 active
02007: unlimited         0 ms burst 0
q133079 100 sl. 0 flows (1 buckets) sched 67543 weight 0 lmax 0 pri 0 droptail
 sched 67543 type FIFO flags 0x0 16 buckets 0 active
02004: unlimited         0 ms burst 0
q133076 100 sl. 0 flows (1 buckets) sched 67540 weight 0 lmax 0 pri 0 droptail
 sched 67540 type FIFO flags 0x0 16 buckets 0 active
02005: unlimited         0 ms burst 0
q133077 100 sl. 0 flows (1 buckets) sched 67541 weight 0 lmax 0 pri 0 droptail
 sched 67541 type FIFO flags 0x0 16 buckets 0 active
[2.4.1-RELEASE][admin@Firewall.company]/root:
[2.4.1-RELEASE][admin@Firewall.company]/root: ipfw pipe show
00001: 250.000 Kbit/s    0 ms burst 0
q131073  50 sl. 0 flows (1 buckets) sched 65537 weight 0 lmax 0 pri 0 droptail
 sched 65537 type FIFO flags 0x0 0 buckets 0 active
00002: 150.000 Kbit/s    0 ms burst 0
q131074  50 sl. 0 flows (1 buckets) sched 65538 weight 0 lmax 0 pri 0 droptail
 sched 65538 type FIFO flags 0x0 0 buckets 0 active
02008: 262.000 bit/s     0 ms burst 0
q133080 100 sl. 0 flows (1 buckets) sched 67544 weight 0 lmax 0 pri 0 droptail
 sched 67544 type FIFO flags 0x0 16 buckets 1 active
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 ip           0.0.0.0/0             0.0.0.0/0      699    54291 100 7688 564
02009: 524.000 bit/s     0 ms burst 0
q133081 100 sl. 0 flows (1 buckets) sched 67545 weight 0 lmax 0 pri 0 droptail
 sched 67545 type FIFO flags 0x0 16 buckets 1 active
  0 ip           0.0.0.0/0             0.0.0.0/0       26     1924  3  222   0
02002: unlimited         0 ms burst 0
q133074 100 sl. 0 flows (1 buckets) sched 67538 weight 0 lmax 0 pri 0 droptail
 sched 67538 type FIFO flags 0x0 16 buckets 0 active
02003: unlimited         0 ms burst 0
q133075 100 sl. 0 flows (1 buckets) sched 67539 weight 0 lmax 0 pri 0 droptail
 sched 67539 type FIFO flags 0x0 16 buckets 0 active
02000: unlimited         0 ms burst 0
q133072 100 sl. 0 flows (1 buckets) sched 67536 weight 0 lmax 0 pri 0 droptail
 sched 67536 type FIFO flags 0x0 16 buckets 0 active
02001: unlimited         0 ms burst 0
q133073 100 sl. 0 flows (1 buckets) sched 67537 weight 0 lmax 0 pri 0 droptail
 sched 67537 type FIFO flags 0x0 16 buckets 0 active
02006: unlimited         0 ms burst 0
q133078 100 sl. 0 flows (1 buckets) sched 67542 weight 0 lmax 0 pri 0 droptail
 sched 67542 type FIFO flags 0x0 16 buckets 0 active
02007: unlimited         0 ms burst 0
q133079 100 sl. 0 flows (1 buckets) sched 67543 weight 0 lmax 0 pri 0 droptail
 sched 67543 type FIFO flags 0x0 16 buckets 0 active
02004: unlimited         0 ms burst 0
q133076 100 sl. 0 flows (1 buckets) sched 67540 weight 0 lmax 0 pri 0 droptail
 sched 67540 type FIFO flags 0x0 16 buckets 1 active
  0 ip           0.0.0.0/0             0.0.0.0/0      250   378091  0    0   0
02005: unlimited         0 ms burst 0
q133077 100 sl. 0 flows (1 buckets) sched 67541 weight 0 lmax 0 pri 0 droptail
 sched 67541 type FIFO flags 0x0 16 buckets 1 active
  0 ip           0.0.0.0/0             0.0.0.0/0      207    14754  0    0   0


« Last Edit: November 15, 2017, 05:08:54 am by Race122 »

Offline jimp

  • Administrator
  • Hero Member
  • *****
  • Posts: 21404
  • Karma: +1437/-26
    • View Profile
Re: Captive Portal + FreeRadius + Maximum Bandwidith Param Issue
« Reply #7 on: November 15, 2017, 07:57:10 am »
Quote
Code: [Select]
02008: 262.000 bit/s     0 ms burst 0
q133080 100 sl. 0 flows (1 buckets) sched 67544 weight 0 lmax 0 pri 0 droptail
 sched 67544 type FIFO flags 0x0 16 buckets 1 active
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 ip           0.0.0.0/0             0.0.0.0/0      699    54291 100 7688 564
02009: 524.000 bit/s     0 ms burst 0
q133081 100 sl. 0 flows (1 buckets) sched 67545 weight 0 lmax 0 pri 0 droptail
 sched 67545 type FIFO flags 0x0 16 buckets 1 active
  0 ip           0.0.0.0/0             0.0.0.0/0       26     1924  3  222   0

The bandwidth values in RADIUS need to be an integer when divided by 1000, or else ipfw won't parse them properly. Yours end up as 262.144 and 524.288, which ipfw doesn't parse properly and it drops the scale, so you can see here it made a 262 bit/s and 524 bit/s. Looks like maybe that's because captive portal divides by 1000 and FreeRADIUS multiplies by 1024.

I made a ticket for the Captive Portal part here: https://redmine.pfsense.org/issues/8097

I'll see about changing FreeRADIUS to use 1000 as well so it matches Captive Portal.
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!

Offline jimp

  • Administrator
  • Hero Member
  • *****
  • Posts: 21404
  • Karma: +1437/-26
    • View Profile
Re: Captive Portal + FreeRadius + Maximum Bandwidith Param Issue
« Reply #8 on: November 15, 2017, 08:45:21 am »
If you update the pfSense FreeRADIUS 3.x package now (To 0.15.3) it will calculate the bandwidth values the same as Captive Portal so it will not trigger the issue
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!