OPNsense Forum

English Forums => General Discussion => Topic started by: tomj@northwestusa.com on June 16, 2015, 02:36:57 am

Title: Captive Portal - Migrating from PfSense - questions
Post by: tomj@northwestusa.com on June 16, 2015, 02:36:57 am
Hello everybody.  I am brand spanking new to this OpnSense forum.  I have high hopes for OpnSense :)

I have used PfSense Captive Portal for many years now and because of issues I have been experiencing with the other CP, I am trying to build on OpnSense and get a Captive Portal running.

Here is some background info:
#1 - WAN & LAN * Opt_FreeRadius  (three networks - the "Opt_FreeRadius" is a 3rd network just for talking to my FreeRadius servers).
#2 - Captive Portal users to authenticate using Radius is about 120 to 500 simultaneous Ethernet connected users.
#3 - I use bandwidth control for up & down from FreeRadius so that Captive Portal can rate-limit client speeds.
#4 - No NAT - all Live IPs
#5 - I currently run about 6 different Captive Portal systems.

I am having some problems with CP and I have checked and rechecked my CP settings.

Question #1 - Is CP operational at this time using external FreeRadius servers?
Question #2 - Does CP support the three networks the way I described my network?
Question #3 - How stable is the CP with Radius at this time?

---  The reason I am changing from PfSense Captive Portal to OpnSense Captive Portal is for the following reason:
PfSense appears to be having problems not authenticating all users to the FreeRadius servers.  I have verified and rebuilt and re-verified my FreeRadius servers are correct.  It just appears that PfSense Captive Portal has problems authenticating a large user network and some MAC addresses will not get checked - thus I have been having to put some users in the PfSense MAC pass-through.  (Again - I have verified everything I can think of many many times).  I suspect my problems are a potential bug with PfSense CP.  Thus the reason I am asking my above questions about stability and load handling ability of OpnSense Captive Portal.

Note - I hope and wish the programming staff for OpnSense and all users using OpnSense great success with this new platform.

I look forward to your responses - thank you

North Idaho Tom Jones
Title: Re: Captive Portal - Migrating from PfSense - questions
Post by: franco on June 16, 2015, 10:13:51 am
Hi Tom,

welcome and thanks for considering OPNsense. :) Let's get straight to the answers...

(1) As far as I know the current Radius backend for the captive portal is either dysfunctional or unplugged for not having a working test setup. We've rewritten large portions of the captive portal to better adapt to FreeBSD and to move code over to the new MVC framework. Maybe it still works, but I honestly don't know. We've fixed issues with vouchers and manual user accounts up until now.

(2) What do you mean by "support"? Which of the interfaces do use the captive portal? LAN only or really *all* of them?

(3) As stated in (1) we do not know, out of lack of test deployments and feedback.

It looks as though you have tough luck with OPNsense right now regarding your requirements. However, we do want to fix and advance the captive portal to make it viable for more use cases, especially when the functionality is already there and only needs maintenance and the occasional code rewrite/refactor.

If we can find a base to start testing and working on bringing this particular feature back on track count me in. :)


Cheers,
Franco
Title: Re: Captive Portal - Migrating from PfSense - questions
Post by: tomj@northwestusa.com on June 16, 2015, 03:03:49 pm
Franco,

Thank you for your reply.

I would like to sign up as a tester for routing, CP, firewall, NAT, bandwidth control functions to assist in testing OpnSense.  I've got multi-gigabits of Internet connectivity, thousands of networks consisting of LANs (some are super nets), about 1000 WiFi WISP customers, FTTH customers, businesses & home users.  Plenty of horse power on some VMware ESXi servers.

How may I help?  Need a dedicated download server (rsynced I would assume).

I just love it when a good clean project pulls together to better everybody.

North Idaho Tom Jones
Title: Re: Captive Portal - Migrating from PfSense - questions
Post by: tomj@northwestusa.com on June 16, 2015, 04:45:54 pm

(2) What do you mean by "support"? Which of the interfaces do use the captive portal? LAN only or really *all* of them?

Cheers,
Franco

By "support", I am wanting to build & test a 3-Ethernet CP system.
1st Ethernet:  WAN - Live IPs
2nd Ethernet: LAN - Live IPs (No NAT).  Captive Portal with MAC authentication and Bandwidth up/down limits (getting info from my FreeRadius servers).
3rd Ethernet:  OPT1_Radius:  A private network dedicated for CP to use to talk to my FreeRadius servers.  This network has no user traffic.  It is dedicated for CP communications to my FreeRadius servers.  This way, if the WAN or LAN for some reason becomes saturated, I still have good clean access from CP to my FreeRadius servers for Auth & Accounting.  Below is a sample of one of the thousands of user accounts in my FreeRadius servers:
#
22-22-22-e3-f8-23 Cleartext-Password:= "pfsenseietf"
        WISPr-Bandwidth-Max-Up = 180000,
        WISPr-Bandwidth-Max-Down = 256000
#
Typically, I would use many CP systems in different places for different customer networks.  Some accounts are 1/4 th a meg up/down and some accounts are 100 meg up/down.  Some are natted, some are routed.  All are virtual.
Title: Re: Captive Portal - Migrating from PfSense - questions
Post by: franco on June 16, 2015, 08:19:32 pm
Hi Tom,

thank you for your help. We have features pretty well covered in general. A single deployment running the latest release would help us catch regressions for your specific use case(s) -- there is no need to actively test something you are not going to use in production. We try to address bugs and push minor updates out depending on severity and scope, averaging to almost weekly updates. :)

The clarification makes sense. I am a bit concerned with sqlite database handling of so many clients and the push into IPFW, but nothing that can't be refactored or sped up mid-term. We've specifically written the MAC handling and IP mapping to flatten the interface into FreeBSD's IPFW away from what was previously the case with a patched version of IPFW.

If you can, it would be good to know if OPNsense is still capable of connecting to a Radius backend for authentication and for us to mop up any errors that you encounter. How does that sound?


Cheers,
Franco
Title: Captive Portal - test to FreeRadius
Post by: tomj@northwestusa.com on June 22, 2015, 11:08:03 pm
Franco,

I have not been able to get OPNsense to talk to FreeRadius in Captive Portal.

Last week and today, I tried several times to get CaptivePortal MAC Authentication working/talking to an external FreeRadius server.  I am on the latest OPNsense software I downloaded today:
     Versions OPNsense 15.1.12-amd64
     FreeBSD 10.1-RELEASE-p12
     OpenSSL 1.0.2c 12 Jun 2015


I do not even see the query on the FreeRadius server logs.

My test network consisted of existing in-use in-production FreeRadius servers and PfSense servers.

The Captive Portal settings used in working PfSense servers were copied into the OPNsense Captive Portal settings.  I also re-checked and re-verified all of my settings several times.  At this time, it appears the OPNsense Captive Portal is not checking or talking to my FreeRadius servers.

Are there some CLI command lines I can use to manually perform some testing which will enable me to see the status of communication to an external FreeRadius server for MAC authentication checks?

North Idaho Tom Jones
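
A way to exercise the MAC-authentication path by hand, independent of the captive portal, added here as an example (it is not part of the thread and not OPNsense code): it builds the Access-Request for an account like the sample users entry earlier in the thread, verifies the server's Response Authenticator against the shared secret, and reads the WISPr bandwidth limits out of the reply. The function names are this example's own.

```python
import hashlib, hmac, os, socket, struct

WISPR_VENDOR = struct.pack("!I", 14122)  # WISPr vendor id (standard RADIUS dictionary)
WISPR_ATTRS = {7: "WISPr-Bandwidth-Max-Up", 8: "WISPr-Bandwidth-Max-Down"}

def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous block)."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_access_request(mac, password, secret, ident=1, req_auth=None):
    """Access-Request (code 1): MAC as User-Name, hidden User-Password."""
    req_auth = req_auth or os.urandom(16)
    attrs = bytes([1, len(mac) + 2]) + mac.encode()
    hidden = hide_password(password.encode(), secret, req_auth)
    attrs += bytes([2, len(hidden) + 2]) + hidden
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs

def parse_reply(reply, request, secret):
    """Verify the Response Authenticator, then extract the WISPr limits."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply) or reply[1] != request[1]:
        raise ValueError("bad length or identifier mismatch")
    good = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if not hmac.compare_digest(good, reply[4:20]):
        raise ValueError("bad Response Authenticator (shared secret mismatch?)")
    result, pos = {"code": reply[0]}, 20  # code 2 = Access-Accept, 3 = Access-Reject
    while pos + 2 <= len(reply):
        atype, alen = reply[pos], reply[pos + 1]
        if alen < 2 or pos + alen > len(reply):
            raise ValueError("malformed attribute")
        val = reply[pos + 2:pos + alen]
        # Vendor-Specific (26): 4-byte vendor id, vendor type, vendor length, value
        if atype == 26 and len(val) == 10 and val[:4] == WISPR_VENDOR and val[4] in WISPR_ATTRS:
            result[WISPR_ATTRS[val[4]]] = struct.unpack("!I", val[6:])[0]
        pos += alen
    return result

def query(server, request, secret, port=1812, timeout=3.0):
    """RADIUS authentication is UDP; a timeout means no reply reached us."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(request, (server, port))
        return parse_reply(s.recv(4096), request, secret)
```

Passing the output of `build_access_request()` to `query()` with the server address and shared secret gives one of three outcomes: a timeout (nothing came back over UDP 1812), a Response Authenticator error (the reply does not match the shared secret), or a dict with the reply code and any bandwidth limits.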
Title: Re: Captive Portal - Migrating from PfSense - questions
Post by: jstrebel on June 23, 2015, 01:04:43 pm
Tom,
I did a packet capture to a Radius Server. I don't see any packet going out. Neither a log entry.
Jakob
Title: Re: Captive Portal - Migrating from PfSense - questions
Post by: franco on June 23, 2015, 01:24:55 pm
Thank you Tom and Jakob. I'll take a closer look. Did not think it was this broken. :(
Title: Re: Captive Portal - Migrating from PfSense - questions
Post by: AdSchellevis on June 23, 2015, 02:06:42 pm
Hi All,

Yes, it's broken.. https://github.com/opnsense/core/issues/162

The captive portal code really needs a rewrite at some point, I rewrote the ipfw firewall parts recently to integrate with the new traffic shaper. But the rest is still on the list unfortunately.

Cheers,

Ad
Title: Re: Captive Portal - Migrating from PfSense - questions
Post by: franco on June 23, 2015, 03:00:01 pm
The accounting part maybe, but I just set up a freeradius3 server, uncommented the test credentials for bob ("hello") and ran a query against localhost:1812, which succeeded.

The test server 75.146.8.57 mentioned does not seem to respond, I have been unable to contact it even using the radtest utility.

Tom, could you provide a test server connection for me to try to connect remotely? You can message me to keep the config details private.
Title: Re: Captive Portal - Migrating from PfSense - questions
Post by: jstrebel on June 23, 2015, 03:32:50 pm
Franco, strange that you were unable to reach it.

telnet 75.146.8.57 1812
Trying 75.146.8.57...
Connected to amaranthinetech.com.
Escape character is '^]'.

Jakob
Title: Re: Captive Portal - Migrating from PfSense - questions
Post by: franco on June 23, 2015, 03:44:46 pm
I thought the link was here too, but that was a parallel email from Jakob, sorry:

http://amaranthinetech.com/index.php?option=com_content&view=article&id=5&Itemid=9

I can't connect to the IP for one reason or another. Instead, I have set up a remote test server that works with:

# radtest bob hello 108.61.175.156 1812 testing123

I can also authenticate against that using my local OPNsense. Please let me know if that works or doesn't work. :)
Title: Re: Captive Portal - Migrating from PfSense - questions
Post by: jstrebel on June 23, 2015, 07:40:55 pm
Franco, my OPNsense does not send any packet to this radius server. I checked this with the packet capture. I did also a test with my "own" radius server which is based on Zeroshell. I do not get any radius request on the zeroshell. Jakob


Title: Re: Captive Portal - Migrating from PfSense - questions
Post by: jstrebel on June 24, 2015, 09:17:10 am
Hi,
I tested with two Radius Servers (the server franco provided and ironwifi.com) it works. My issue was a firewall rule misconfiguration (with all the previous testing of other functions I messed this up).
Thanks franco for your help.
Jakob
Title: Re: Captive Portal - Migrating from PfSense - questions
Post by: franco on June 24, 2015, 09:47:01 am
Good news! What rule was missing exactly? I am worried that the Radius Client needs explicit firewall rules to connect to a server, even though it is running on the firewall, maybe because it tries to bind to a certain address or so...
Title: Re: Captive Portal - Migrating from PfSense - questions
Post by: jstrebel on June 24, 2015, 10:27:08 am
Franco, will be back in the office end of the day. Will report tomorrow. Jakob

