Captiveportal max users

jimp

As far as I know there isn't a limit.

Is there something that happens when you get to the 55th user?

Usually when the numbers get that high people tend to offload the user accounts to a RADIUS server (or the FreeRADIUS package at least)

ianrhen

seems like when it reaches on the 55th, client is no longer allowed by the firewall so he can not connect to the internet anymore.

knight313

Hi,
Same problem with me.

jimp

We need a lot more detail here. After that last person authenticates, do they get sent back to the portal login? Or are they stuck somewhere else? Anything showing up in the firewall logs? What do your firewall rules on that interface look like? What exactly does your captive portal configuration look like?

ianrhen

i will look try to take note of the logs when it happen again. but to add some details, it seems like it got stucked somewhere else. the authentication takes so much time when the concurrent users went to 45 and up then on the 55th and up users got stucked. they can not login any more. i tried issuing the command "ipfw table 1 list" and i dont see the 55th clients IP and MAC on the table anymore. when you try login using the web configurator, the response is also slow.

ianrhen

by the way im using the local database option in the captiveportal. because of our system requirements, i  embedded a code to the captiveprotal.inc that would record the transaction of each user (userid, logintime, logouttime, totalhoursused, ipaddress, macaddress) to my database backend using POSTGRESQL for recording purposes to monitor their access and total hours consumed.

ianrhen

hello guys im back.

everything is working with my setup now. :) the 54 user limitation on login problem was solved.
the last time i monitored my setup was having 149 users connected concurrently. i tried login as the 150th captiveportal user and
the authentication time is just almost the same with the 1st captiveportal user.

my setup was: instead of using the file captiveportal.db to store the captiveportal users information, i off loaded it from the pfsense box, then just execute an sql query instead to my PostgreSQL Database Server to add, retrieve and delete a user.

I am so thankful to Sir Scott Ullrich for compiling the modules i needed for my setup :)

eri--

Would you mind sharing the changes you made for login/logout to possibly be integrated into pfSense itself?

This would relieve you from the job to always modify pfSense, and CP code will change in 2.1 and allow other user to test your changes and find any flaws in it!

ianrhen

sure. just give me some time to organize it first. i will also explain things about my setup so those others out there who might also looking for this kind of setup would benefit from it :)

ianrhen

i mean i wouldn't mind :)

dhatz

Perhaps the Pfsense project could also consider SQLite (http://en.wikipedia.org/wiki/SQLite http://www.freebsd.org/cgi/cvsweb.cgi/ports/databases/sqlite3/) instead of PostgresSQL

ianrhen

this is my customized monitoring module for captiveportal logged-in users in one of our network segment. :) using pfsense 2.0, apache2, php5, postgresql9 DBserver.

valshare

is the bug existent in 2.0 Final?

If not, are there any workaround?

dhatz

I wonder, what are the practical limitations of pfsense's Captive Portal?
Has anyone used pfsense for large hotspots, e.g. 2000 or even 5000 active users?
What are the bottlenecks of the built-in voucher system?

I've been experimenting with /var/etc/lighty-CaptivePortal.conf in an attempt to improve performance.

I've also checked the suggestions in http://mum.mikrotik.com/presentations/US10/FelixWindt.pdf some are obviously platform-specific, others however are general, e.g.:

Lots of applications use HTTP but are not prepared to handle Hotspots

We see an average of 14 redirects to the login page before the user interacts with it

Malware can spawn HTTP requests at a very high rate
Offload services: DHCP, DNS, User Authentication
etc

eri--

From what i know in pfSense 2.0 there is not much overhead on lighty and the speed should be quite managable.
Usually it depends on the hardware but i can say it can scale up-to 5000 if you have more than 2GB of RAM and a decent CPU.

dhatz

Thx for feedback Ermal.

I'm asking because a diff /var/etc/lighty-*conf shows very few differences between the config used for pfsense webGUI and CP, basically only the server.max-request-size

I did some testing with ab (apachebench)

$ ab -n 300 -c 4 http://pfsense-ip:8000/

but the benchmark results weren't very high (however this was on a lowly 256MB VM)

So I'm experimenting with increasing RAM and tuning lighttpd, e.g. server.max-keep-alive-requests and increasing php-fcgi children.

eri--

I am not sure you will gain much.
What will help with tweaking is pretty much an option on the GUI.

Though i wonder how you test the CP performance?

valshare

Hi,

is there a fix for the limit of the max. users?

regards, valle

dhatz

@ermal:

I am not sure you will gain much.
What will help with tweaking is pretty much an option on the GUI.

Though i wonder how you test the CP performance?

Right, I can't think of an easy way to simulate many (1000+) users actually logging-in via the CP. It seems one would have to obtain multiple MAC addresses and hold all of the received IPs in use with virtual interfaces and submit a form post of the username+pass via the CP login form. Which is why I asked for any real-life hotspots using pfsense.

However, I did try some performance testing of just /usr/local/captiveportal/index.php using apachebench (stats I've seen suggest that it takes ~20 redirects to a CP splash-page for every actual login, apparently due to the various widgets that people run on their devices, e.g. to retrieve weather info, stockmarket data, update antivirus db etc)

valshare

@ianrhen:

sure. just give me some time to organize it first. i will also explain things about my setup so those others out there who might also looking for this kind of setup would benefit from it :)

why you didn´t share your setup with us?