Integrate patch sent to m0n0wall-dev by Peter Allgeyer:

we have configured the captive portal to authenticate users against a
Radius server with reauthentication every minute. When using the MAC
Pass-Through feature, we have problems reaching hosts on the WAN side on
other ports then port 80. The log says, that the connections passes the
filter, but tcpdump tells me that the packet never reaches the next hop
router.

I've found some messages in the captive portal log, which make me
believe, that it has something to do with radius reauthentication:

Apr 22 18:18:20 RADIUS_DISCONNECT: unauthenticated, 00:02:a5:fa:b9:35,
192.168.1.198

1 files changed, 25 insertions, 0 deletions

diff --git a/etc/inc/captiveportal.inc b/etc/inc/captiveportal.inc
index 674c646..0d4cbfe 100644
--- a/etc/inc/captiveportal.inc
+++ b/etc/inc/captiveportal.inc
@@ -461,6 +461,10 @@ function captiveportal_prune_old() {
         $timedout = false;
         $term_cause = 1;
 
+		/* no pruning for fixed mac address entry */
+		if (portal_mac_fixed($cpdb[$i][3])) {
+			continue; // check next value
+		}
         /* hard timeout? */
         if ($timeout) {
             if ((time() - $cpdb[$i][0]) >= $timeout) {
@@ -1095,4 +1099,25 @@ function getNasIP()
     return $nasIp;
 }
 
+function portal_mac_fixed($clientmac) {
+	global $g ;
+
+	/* open captive portal mac db */
+	if (file_exists("{$g['vardb_path']}/captiveportal_mac.db")) {
+		$fd = @fopen("{$g['vardb_path']}/captiveportal_mac.db","r") ;
+		if (!$fd) {
+			return FALSE;
+		}
+		while (!feof($fd)) {
+			$mac = trim(fgets($fd)) ;
+			if(strcasecmp($clientmac, $mac) == 0) {
+				fclose($fd) ;
+				return TRUE ;
+			}
+		}
+		fclose($fd) ;
+	}
+	return FALSE ;
+}
+
 ?>
\ No newline at end of file