Hardware or config problem?
-
Hi all
I'm using pfSense as a captive portal, with authentication based on a Win 2003 AD, to authenticate my wifi users.
I've got 2 network adapters: one for LAN, which is on the same subnet as the wifi access points (172.16.1.x/21), and the other for WAN, which is on the subnet for my students (192.168.102.x/24).
All is on the same physical network. At one time, I can have up to 160 users connected.
I've tried pfSense on 3 different hardware platforms:
1 P4 1.6 GHz, 512 MB RAM, with 2 D-Link DFE530TX.
1 Athlon 64 2 GHz, 512 MB RAM, with 2 Broadcom Gb cards.
1 P3 933 MHz, 1 GB RAM, with 2 D-Link DFE530TX.
On all three platforms, I've seen that CPU load is very often VERY high (between 80% and 100%). When CPU is that high, with a top command I've seen that there were many PHP processes consuming the CPU.
When it's at 100%, users cannot access the authentication page, or it's EXTREMELY SLOW.
So I'm wondering if it's a config problem or a hardware problem.
Could you advise me on hardware that could meet the requirements described above (number of connected people)?
If you think it's a config problem instead, please let me know; I can send the config file.
Thanks in advance for your help.
Vincent
-
The problem is by "design" of the CP. It doesn't use threads and can't authenticate more than one user simultaneously. So if you have more than 60 users, for example, and one authentication against a RADIUS server takes about 1 second, and you have "Reauthenticate connected users every minute" enabled, it will be busy all the time authenticating users. Jonathan DeGreave, the creator of the CP in m0n0, is already working on a more powerful CP version that won't have this limitation and which will run threaded.
At the moment you simply reach the limit of what the current CP implementation is capable of handling.
-
Thanks Hoba for your response.
Well, while waiting for the new version of the CP, do you have any workaround for this limit?
Am I the only user to have reached this limit?
Thanks in advance for your invaluable help and for your great product.
Vincent
-
I don't think there is a workaround for this. The situation can even become worse if a user makes a typo during login, as some RADIUS servers then usually delay the answer to prevent brute-force attacks. You should try to discuss this on the m0n0 list, as the CP we use is nearly a 100% port of the m0n0 feature, and as it is still under development there, we don't plan to touch it, so as to stay syncable with their code regarding this.
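The capacity limit Hoba describes in the two replies above (one authentication at a time, about 1 s per RADIUS exchange, re-authentication every minute, and RADIUS servers stalling bad passwords) is a single-server queue, so it can be modelled. The script below is an added example written for this thread; it is not pfSense or m0n0 captive-portal code. It assumes users join at evenly staggered times, requests are served first-in first-out, and a failed login costs a constructed extra delay; the `workers` parameter stands in for the threaded rewrite mentioned above and is likewise an assumption about that design, not a description of it.

```python
"""Queue model of the captive portal's single-threaded authenticator.

Added example, not pfSense/m0n0 code. Constructed assumptions: users
re-authenticate once per REAUTH_INTERVAL at evenly staggered offsets,
requests are served FIFO, and a 'typo' login stalls for fail_delay
seconds (stand-in for a RADIUS server's brute-force slowdown).
"""
import heapq
from dataclasses import dataclass

REAUTH_INTERVAL = 60.0   # "Reauthenticate connected users every minute"
AUTH_TIME = 1.0          # about one second per RADIUS exchange, as in the thread


@dataclass
class SimResult:
    users: int
    workers: int
    utilization: float    # offered load / capacity; above 1.0 the queue only grows
    mean_wait: float      # mean seconds a request waited before being served
    max_wait: float       # worst wait seen before the clock stopped
    backlog_at_end: int   # requests still waiting when the clock stopped


def simulate(users, workers=1, duration=600.0, fail_every=0, fail_delay=0.0):
    """Run `duration` seconds of re-authentication traffic through `workers`
    concurrent authenticators. Every `fail_every`-th request (0 = none) is
    a failed login that costs AUTH_TIME + fail_delay instead of AUTH_TIME."""
    spacing = REAUTH_INTERVAL / users      # assumed even stagger of join times
    arrivals = sorted(
        i * spacing + REAUTH_INTERVAL * period
        for i in range(users)
        for period in range(int(duration // REAUTH_INTERVAL) + 1)
        if i * spacing + REAUTH_INTERVAL * period < duration
    )
    free_at = [0.0] * workers              # min-heap: when each worker goes idle
    heapq.heapify(free_at)
    waits = []
    backlog = 0
    for k, arrived in enumerate(arrivals):
        service = AUTH_TIME
        if fail_every and k % fail_every == fail_every - 1:
            service += fail_delay          # RADIUS stalls the bad password
        start = max(arrived, heapq.heappop(free_at))
        heapq.heappush(free_at, start + service)
        if start >= duration:              # never got served in the window
            backlog += 1
            continue
        waits.append(start - arrived)
    mean_service = AUTH_TIME + (fail_delay / fail_every if fail_every else 0.0)
    utilization = users * mean_service / (REAUTH_INTERVAL * workers)
    mean_wait = sum(waits) / len(waits) if waits else 0.0
    max_wait = max(waits) if waits else 0.0
    return SimResult(users, workers, utilization, mean_wait, max_wait, backlog)


if __name__ == "__main__":
    scenarios = [
        dict(users=40),                                 # comfortably under the limit
        dict(users=80),                                 # the 60-user limit exceeded
        dict(users=40, fail_every=4, fail_delay=3.0),   # typos plus RADIUS slowdown
        dict(users=160, workers=4),                     # what a threaded CP buys
    ]
    for kw in scenarios:
        r = simulate(**kw)
        print(f"users={r.users:3d} workers={r.workers} util={r.utilization:5.2f} "
              f"mean_wait={r.mean_wait:7.2f}s max_wait={r.max_wait:7.2f}s "
              f"backlog={r.backlog_at_end}")
```

The point the simulation makes is that the failure is not gradual: at 40 users the single worker finishes each request before the next arrives and nobody waits, while at 80 users utilization passes 1.0 and the login wait climbs by a fixed amount every minute, which is the "extremely slow or unreachable" page Vincent sees. The typo scenario shows why a RADIUS brute-force delay turns an otherwise adequate 40-user load into a saturated one.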