Netgate Discussion Forum

    [FIXED] Captive + SSL + CARP VIP: VIP doesn't respond

    Category: Captive Portal

    ChrisProls wrote:

      Hello everybody,

      I use pfSense 1.2.2 as a captive portal.

      I have 2 servers with pfSense where the captive portal is enabled on my LAN. My 2 servers have these LAN IP addresses: 10.119.225.83 & 84. The CARP VIP address is 10.119.225.85. (CARP is working on the 2 servers, one is master .83 and the other is backup .84 in Status/CARP.)

      My client address pool is in the range 10.254.0.0/18 so I tick the "Disable MAC filtering" option in the captive portal. The translation between the private network and the public network is done by another device connected on the WAN port of my 2 pfSense servers (so I disable "Disable all packet filtering" in the System/Advanced menu and pfSense is now a router).

      I generated an SSL certificate and installed it successfully on my 2 servers. For this certificate I use the URL wifi.myrealdomain.com and I put the IP address 10.119.225.85.

      In my DNS server I put:
      wifi.myrealdomain.com  A 10.119.225.85

      I can ping 10.119.225.85

      All seems to be good, but when I use the captive portal it redirects me to https://wifi.myrealdomain.com:8081 (for me it's normal) but I get a time out.
      If I try to connect to https://10.119.225.85:8081, it's the same problem: time out.
      If I try to connect to https://10.119.225.83:8081, I get a security alert on the SSL certificate (it's normal), and I can access the captive portal and log in, and I can surf on the internet.

      The question is: How can I use the captive portal with the CARP failover? Is it normal that the captive portal doesn't work on the VIP address? How can I bypass this problem?

      Thanks.

      ChrisProls wrote:

        Now I can't ping the VIP address...

        My server with the .83 is the CARP master when I look in Status/CARP, and when I try to ping it from my .84 (backup in the CARP status) server, it doesn't respond...

        When I look in the ARP table on my .84 server (the backup) I have this:

        ? (10.119.225.85) at 00:00:5e:00:01:0b on em0 [ethernet]
        ? (10.119.225.83) at 00:15:17:a8:ac:c1 on em0 [ethernet]

        When I ping .83 it's OK, but .85 doesn't respond...
        Hmm, I think it's a CARP problem and not a captive portal problem...

        ChrisProls wrote:

          OK I found the problem.

          When you activate the captive portal it's impossible to reach the CARP IP address of the interface where the captive portal is activated.
          Just go to the menu Services / Captive Portal / Allowed IP addresses
          and add a rule with "direction" => To and put the CARP IP address, in my case .85. And that's all good (very useful for DNS resolution: you can now put .85 for the DNS in the DHCP configuration, and the SSL for the captive portal works on the virtual IP address).
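
A small diagnostic added here (not part of the thread or of pfSense): it parses FreeBSD `arp -an` output like the lines in the second post, recognises the CARP virtual MAC prefix 00:00:5e:00:01:<VHID> so a CARP/L2 failure can be told apart from the captive portal's own filtering, and checks whether the VIP is on a constructed "Allowed IP addresses" (direction To) list of the kind the third post adds. The ARP lines and the allowed list are constructed sample input.

```python
import re
from ipaddress import ip_address

# Constructed sample input: FreeBSD `arp -an` lines as seen from the .84 backup node.
ARP_OUTPUT = """\
? (10.119.225.85) at 00:00:5e:00:01:0b on em0 [ethernet]
? (10.119.225.83) at 00:15:17:a8:ac:c1 on em0 [ethernet]
"""

ARP_RE = re.compile(
    r"\?\s+\((?P<ip>[\d.]+)\)\s+at\s+(?P<mac>[0-9a-f:]{17})\s+on\s+(?P<iface>\S+)"
)
# CARP (like VRRP) answers for a VIP with a virtual MAC whose last octet is the VHID.
CARP_MAC_PREFIX = "00:00:5e:00:01:"


def parse_arp(text):
    """Return a list of {ip, mac, iface} dicts for every parseable ARP line."""
    entries = []
    for line in text.splitlines():
        m = ARP_RE.search(line)
        if m:
            entries.append({"ip": m["ip"], "mac": m["mac"].lower(), "iface": m["iface"]})
    return entries


def carp_vhid(mac):
    """Return the VHID encoded in a CARP virtual MAC, or None for a physical MAC."""
    mac = mac.lower()
    if not mac.startswith(CARP_MAC_PREFIX):
        return None
    return int(mac[-2:], 16)


def diagnose(arp_text, vip, allowed_to):
    """Classify why a CARP VIP may be unreachable from behind the captive portal.

    allowed_to: addresses entered under Services / Captive Portal / Allowed IP
    addresses with direction 'To' (hypothetical list mirroring the thread's fix).
    """
    entry = next((e for e in parse_arp(arp_text) if e["ip"] == vip), None)
    if entry is None:
        return "no-arp-entry"            # nobody answers for the VIP: CARP / L2 problem
    vhid = carp_vhid(entry["mac"])
    if vhid is None:
        return "arp-not-carp-mac"        # a real NIC owns that IP: address conflict, not CARP
    if ip_address(vip) not in {ip_address(a) for a in allowed_to}:
        # L2 is fine; the portal's filtering drops traffic to the VIP until it is allowed.
        return f"carp-ok-vhid-{vhid}-blocked-by-portal"
    return f"carp-ok-vhid-{vhid}-allowed"
```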
