Wired Users Cannot Browse -- Bandwidth Queue disable_auto_ip_queues
April 08, 2026
Overview
When disable_auto_ip_queues is enabled on bandwidth queues, wired captive portal users lose internet access because PF never generates per-IP pass rules. Wireless users are unaffected because their internet access comes from a VLAN transition, not firewall rule changes.
Problem
- All wired users receive valid DHCP leases and DNS resolution but cannot browse the internet
- Issue is global across all wired users
- Wireless (Post-Auth) users are unaffected
- Wired users have active LoginSessions (online=true) but zero internet PF states
- Wired was previously working; stopped after bandwidth queue changes
Root Cause
Setting disable_auto_ip_queues=true on bandwidth queues prevents PF from creating per-IP pass rules for authenticated wired users.
Why only wired breaks:
- Wired (same-VLAN, firewall unlock): Device connects, authenticates via captive portal/MAC auto-login, stays on the same VLAN. The firewall (PF) creates per-IP pass rules to unlock internet traffic. With disable_auto_ip_queues=true, those rules are never created -- the device stays firewalled even after authentication.
- Wireless (VLAN transition): Device connects to Pre-Auth VLAN, authenticates via RADIUS, rXg creates a VTA (VLAN Tag Assignment) that moves the device to a Post-Auth VLAN with no captive portal and no firewall restrictions. Internet access comes from the VLAN move itself, not from firewall rule changes.
The setting change is visible in AdminLog records with timestamps correlating to when wired access stopped working.
Solution
Step 1: Identify the Setting Change
/usr/local/bin/bundle exec rails runner '
  BandwidthQueue.all.each { |bq|
    puts "#{bq.name}: disable_auto_ip=#{bq.disable_auto_ip_queues} sharing=#{bq.sharing}"
  }'
If any bandwidth queue has disable_auto_ip_queues=true and wired users are affected, this is the cause.
Step 2: Disable the Setting
- Navigate to: Admin UI > Policies > Bandwidth Queues
- Edit each affected bandwidth queue
- Uncheck Disable Auto IP Queues
- Save
Alternatively via Rails runner:
/usr/local/bin/bundle exec rails runner '
  BandwidthQueue.where(disable_auto_ip_queues: true).each { |bq|
    bq.update!(disable_auto_ip_queues: false)
    puts "Fixed: #{bq.name}"
  }'
Step 3: Verify PF States Restored
PF states should appear for wired users within one rxgd cycle (~60 seconds):
/usr/local/bin/bundle exec rails runner '
  LoginSession.where(online: true).joins(:ip_group).where(ip_groups: { name: "Wired Users" }).each { |ls|
    internet = PfState.where(source_ip: ls.ip).where.not(destination_port: [53,67,68]).count
    dns = PfState.where(source_ip: ls.ip, destination_port: 53).count
    puts "#{ls.ip} (#{ls.mac}) internet=#{internet} dns=#{dns}"
  }'
Expected: each wired user should show non-zero internet PF states.
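An added example, not part of the original article or rXg code: a standalone Ruby triage of the Step 3 counts that separates clients resolving DNS but passing nothing else (the symptom listed under Problem) from clients that are simply idle. The session and state rows are constructed sample data, the hash keys mirror the column names used in the queries above, and the function names are hypothetical.

```ruby
require "set"

# Ports the article's queries exclude when counting "internet" states (DNS, DHCP).
SERVICE_PORTS = Set[53, 67, 68].freeze

# Constructed sample rows (not real data), shaped like LoginSession / PfState records.
SAMPLE_SESSIONS = [
  { ip: "10.0.10.21", mac: "00:00:5e:00:53:01", online: true },
  { ip: "10.0.10.22", mac: "00:00:5e:00:53:02", online: true },
  { ip: "10.0.10.23", mac: "00:00:5e:00:53:03", online: true },
  { ip: "10.0.10.24", mac: "00:00:5e:00:53:04", online: false }
].freeze

SAMPLE_STATES = [
  { source_ip: "10.0.10.21", destination_port: 53 },
  { source_ip: "10.0.10.21", destination_port: 53 },
  { source_ip: "10.0.10.21", destination_port: 67 },
  { source_ip: "10.0.10.22", destination_port: 53 },
  { source_ip: "10.0.10.22", destination_port: 443 }
].freeze

# Classify every online session by its PF states:
#   :ok      - at least one state to a non-DNS/DHCP port
#   :blocked - DNS states only: names resolve but no other traffic passes
#   :idle    - no DNS or internet states, so nothing can be concluded yet
def classify_sessions(sessions, states)
  by_ip = states.group_by { |s| s[:source_ip] }
  sessions.select { |ls| ls[:online] }.to_h do |ls|
    mine = by_ip.fetch(ls[:ip], [])
    internet = mine.count { |s| !SERVICE_PORTS.include?(s[:destination_port]) }
    dns = mine.count { |s| s[:destination_port] == 53 }
    verdict =
      if internet.positive? then :ok
      elsif dns.positive? then :blocked
      else :idle
      end
    [ls[:ip], verdict]
  end
end

# IPs that match the symptom this article describes.
def blocked_ips(verdicts)
  verdicts.select { |_ip, verdict| verdict == :blocked }.keys
end

verdicts = classify_sessions(SAMPLE_SESSIONS, SAMPLE_STATES)
verdicts.each { |ip, verdict| puts "#{ip} #{verdict}" }
```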
Step 4: Check RADIUS Configuration (Secondary)
If investigating a site with wired authentication issues, also verify:
- Wired switches are registered as infrastructure devices on the RADIUS realm
- always_perform_account_lookup=true on the Wired RADIUS realm
- guess_count is set (e.g., 23) on the Wired RADIUS realm
/usr/local/bin/bundle exec rails runner '
  rs = RadiusServer.find_by(name: "Wired RADIUS Realm")
  if rs
    puts "guess_count=#{rs.guess_count} always_perform_account_lookup=#{rs.always_perform_account_lookup}"
    puts "Infrastructure devices: #{rs.infrastructure_devices.count}"
  end
'
CLI Verification
# Check bandwidth queue settings
/usr/local/bin/bundle exec rails runner '
  BandwidthQueue.all.each { |bq|
    puts "#{bq.name}: disable_auto_ip=#{bq.disable_auto_ip_queues} sharing=#{bq.sharing}"
  }'

# Check wired PF states
/usr/local/bin/bundle exec rails runner '
  LoginSession.where(online: true).each { |ls|
    internet = PfState.where(source_ip: ls.ip).where.not(destination_port: [53,67,68]).count
    dns = PfState.where(source_ip: ls.ip, destination_port: 53).count
    puts "#{ls.ip} (#{ls.mac}) internet=#{internet} dns=#{dns}" if internet == 0
  }'

# Check RADIUS Server Options
/usr/local/bin/bundle exec rails runner '
  RadiusServerOption.all.each { |o| puts "#{o.name}: enable_eap=#{o.enable_eap}" }
'

# Check admin log for recent bandwidth queue changes
/usr/local/bin/bundle exec rails runner '
  AdminLog.where("message LIKE ?", "%BandwidthQueue%").order(created_at: :desc).limit(10).each { |l|
    puts "#{l.created_at} | #{l.admin&.name} | #{l.message}"
  }'