CARP and captive portal?
-
Hi everyone :),
I'm trying to set up a redundancy system with two pfSense boxes on my LAN and captive portals activated on both (I followed http://pfsense.bol2riz.com/tutorials/carp/carp-cluster-new.htm and the CARP wiki). I have got on my LAN:
192.168.135.1 (master)
192.168.135.2 (slave)
192.168.135.5 (VIP)
CARP is working on master and slave.
When I set my master and slave to hand out 192.168.135.5 as default DNS and gateway in the DHCP server, I can no longer access the captive portal, there is no more DNS resolution, etc.
Any ideas?
Thank you
-
Can you show me the output of 'ipfw show' and the rules on the interface of CP?
-
Here it is
$ ipfw show
65291 36209 11686848 allow pfsync from any to any
65292 22576 1264256 allow carp from any to any
65301 169 6352 allow ip from any to any layer2 mac-type 0x0806
65302 0 0 allow ip from any to any layer2 mac-type 0x888e
65303 0 0 allow ip from any to any layer2 mac-type 0x88c7
65304 0 0 allow ip from any to any layer2 mac-type 0x8863
65305 0 0 allow ip from any to any layer2 mac-type 0x8864
65306 0 0 allow ip from any to any layer2 mac-type 0x888e
65307 11341 567050 deny ip from any to any layer2 not mac-type 0x0800
65310 36 11808 allow udp from any 68 to { 255.255.255.255 or 192.168.135.1 } dst-port 67 in
65311 0 0 allow udp from any 68 to { 255.255.255.255 or 192.168.135.1 } dst-port 67 in
65312 18 5904 allow udp from { 255.255.255.255 or 192.168.135.1 } 67 to any dst-port 68 out
65313 0 0 allow icmp from { 255.255.255.255 or 192.168.135.1 } to any out icmptypes 0
65314 0 0 allow icmp from any to { 255.255.255.255 or 192.168.135.1 } in icmptypes 8
65315 111 7000 allow udp from any to { 255.255.255.255 or 192.168.135.1 } dst-port 53 in
65316 111 24982 allow udp from { 255.255.255.255 or 192.168.135.1 } 53 to any out
65317 6 705 allow tcp from any to { 255.255.255.255 or 192.168.135.1 } dst-port 8000 in
65318 5 679 allow tcp from { 255.255.255.255 or 192.168.135.1 } 8000 to any out
65319 259 37428 allow tcp from any to { 255.255.255.255 or 192.168.135.1 } dst-port 8001 in
65320 267 110240 allow tcp from { 255.255.255.255 or 192.168.135.1 } 8001 to any out
65321 0 0 allow tcp from any to { 255.255.255.255 or 192.168.135.1 } dst-port 80 in
65322 0 0 allow tcp from { 255.255.255.255 or 192.168.135.1 } 80 to any out
65323 0 0 allow ip from table(3) to any in
65324 0 0 allow ip from any to table(4) out
65325 0 0 pipe tablearg ip from table(5) to any in
65326 0 0 pipe tablearg ip from any to table(6) out
65327 59 8644 allow ip from any to table(7) in
65328 53 46391 allow ip from table(8) to any out
65329 0 0 pipe tablearg ip from any to table(9) in
65330 0 0 pipe tablearg ip from table(10) to any out
65331 2776 304464 allow ip from table(1) to any in
65332 4447 5823719 allow ip from any to table(2) out
65531 210 18063 fwd 127.0.0.1,8000 tcp from any to any in
65532 68 8217 allow tcp from any to any out
65533 306 59292 deny ip from any to any
65534 0 0 allow ip from any to any layer2
65535 0 0 allow ip from any to any
The rule on my LAN is the "Default allow LAN to any" rule.
-
Try new snapshot or this fix https://rcs.pfsense.org/projects/pfsense/repos/mainline/commits/906f11b572b75f62b5f5e2aedde2dd5909b435f8
-
I tried with the build of "Sun May 9 04:13:00 EDT 2010" but still no success.
Looks like the VIP doesn't respond at all.
With Wireshark I see that my client is asking for DNS from 192.168.135.5 (so /etc/resolv.conf is correct on my client) but gets no response.
And the VIP doesn't create any packets or anything, it looks dead to me.
I checked and my VIP is on the same subnet:
192.168.135.5/24 : lan-carp
192.168.135.1/24 : first pfSense with captive portal activated
192.168.135.2/24 : second pfSense with captive portal activated
Again my ipfw:
ipfw show
65291 6463 1821368 allow pfsync from any to any
65292 3209 179704 allow carp from any to any
65301 60 2238 allow ip from any to any layer2 mac-type 0x0806
65302 0 0 allow ip from any to any layer2 mac-type 0x888e
65303 0 0 allow ip from any to any layer2 mac-type 0x88c7
65304 0 0 allow ip from any to any layer2 mac-type 0x8863
65305 0 0 allow ip from any to any layer2 mac-type 0x8864
65306 0 0 allow ip from any to any layer2 mac-type 0x888e
65307 1745 86748 deny ip from any to any layer2 not mac-type 0x0800
65310 6 1968 allow udp from any 68 to { 255.255.255.255 or 192.168.135.5 or 192.168.135.1 } dst-port 67 in
65311 0 0 allow udp from any 68 to { 255.255.255.255 or 192.168.135.5 or 192.168.135.1 } dst-port 67 in
65312 6 1968 allow udp from { 255.255.255.255 or 192.168.135.5 or 192.168.135.1 } 67 to any dst-port 68 out
65313 0 0 allow icmp from { 255.255.255.255 or 192.168.135.5 or 192.168.135.1 } to any out icmptypes 0
65314 0 0 allow icmp from any to { 255.255.255.255 or 192.168.135.5 or 192.168.135.1 } in icmptypes 8
65315 0 0 allow udp from any to { 255.255.255.255 or 192.168.135.5 or 192.168.135.1 } dst-port 53 in
65316 0 0 allow udp from { 255.255.255.255 or 192.168.135.5 or 192.168.135.1 } 53 to any out
65317 0 0 allow tcp from any to { 255.255.255.255 or 192.168.135.5 or 192.168.135.1 } dst-port 8000 in
65318 0 0 allow tcp from { 255.255.255.255 or 192.168.135.5 or 192.168.135.1 } 8000 to any out
65319 16 2443 allow tcp from any to { 255.255.255.255 or 192.168.135.5 or 192.168.135.1 } dst-port 8001 in
65320 15 4284 allow tcp from { 255.255.255.255 or 192.168.135.5 or 192.168.135.1 } 8001 to any out
65321 153 18053 allow tcp from any to { 255.255.255.255 or 192.168.135.5 or 192.168.135.1 } dst-port 443 in
65322 181 164591 allow tcp from { 255.255.255.255 or 192.168.135.5 or 192.168.135.1 } 443 to any out
65323 0 0 allow ip from table(3) to any in
65324 0 0 allow ip from any to table(4) out
65325 0 0 pipe tablearg ip from table(5) to any in
65326 0 0 pipe tablearg ip from any to table(6) out
65327 0 0 allow ip from any to table(7) in
65328 0 0 allow ip from table(8) to any out
65329 0 0 pipe tablearg ip from any to table(9) in
65330 0 0 pipe tablearg ip from table(10) to any out
65331 0 0 allow ip from table(1) to any in
65332 0 0 allow ip from any to table(2) out
65531 0 0 fwd 127.0.0.1,8000 tcp from any to any in
65532 0 0 allow tcp from any to any out
65533 73 13238 deny ip from any to any
65534 0 0 allow ip from any to any layer2
65535 0 0 allow ip from any to any
Am I doing something wrong???
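As an added diagnostic example (not from the thread or from pfSense itself), the Python below parses excerpts of the two 'ipfw show' dumps posted above and reports, for DHCP (udp/67), DNS (udp/53) and the portal listener (tcp/8000), whether the CARP VIP 192.168.135.5 appears in the inbound allow set, and which rules have non-zero packet counters. The excerpts are constructed subsets of the posted dumps: in the first only 192.168.135.1 is allowed, in the second the VIP is present but the DNS and portal rules show zero hits while the final deny rule is counting packets.

```python
import re
# Constructed excerpts of the two 'ipfw show' dumps posted above (counters as posted).
FIRST_DUMP = """\
65310 36 11808 allow udp from any 68 to { 255.255.255.255 or 192.168.135.1 } dst-port 67 in
65315 111 7000 allow udp from any to { 255.255.255.255 or 192.168.135.1 } dst-port 53 in
65317 6 705 allow tcp from any to { 255.255.255.255 or 192.168.135.1 } dst-port 8000 in
65533 306 59292 deny ip from any to any
"""
SECOND_DUMP = """\
65310 6 1968 allow udp from any 68 to { 255.255.255.255 or 192.168.135.5 or 192.168.135.1 } dst-port 67 in
65315 0 0 allow udp from any to { 255.255.255.255 or 192.168.135.5 or 192.168.135.1 } dst-port 53 in
65317 0 0 allow tcp from any to { 255.255.255.255 or 192.168.135.5 or 192.168.135.1 } dst-port 8000 in
65533 73 13238 deny ip from any to any
"""

# 'ipfw show' line format: <rule number> <packets> <bytes> <action> <body>
RULE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(allow|deny|fwd|pipe)\s+(.*)$")
ADDR_SET_RE = re.compile(r"\{([^}]*)\}")  # the "{ a or b }" address list in a rule

def parse_rules(dump):
    """Parse 'ipfw show' output into dicts; lines that do not match are skipped."""
    rules = []
    for line in dump.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            num, pkts, _, action, body = m.groups()
            rules.append({"num": int(num), "packets": int(pkts), "action": action, "body": body})
    return rules

def allowed_dst_for_port(rules, proto, port):
    """Destination addresses passed by 'allow <proto> ... dst-port <port> in' rules."""
    addrs = set()
    for r in rules:
        body = r["body"]
        if r["action"] == "allow" and body.startswith(proto + " ") and f"dst-port {port} in" in body:
            m = ADDR_SET_RE.search(body)
            if m:
                addrs.update(a.strip() for a in m.group(1).split(" or "))
    return addrs

def vip_coverage(dump, vip, services=(("udp", 67), ("udp", 53), ("tcp", 8000))):
    """For DHCP, DNS and the portal port: is the VIP in the inbound allow set?"""
    rules = parse_rules(dump)
    return {f"{p}/{port}": vip in allowed_dst_for_port(rules, p, port) for p, port in services}

def hit_rules(dump):
    """Rule numbers with a non-zero packet counter, i.e. the rules traffic actually matched."""
    return [r["num"] for r in parse_rules(dump) if r["packets"] > 0]
```

Run it against the full output of `ipfw show` on each node to see at a glance whether the VIP address made it into the portal's allow rules and where the packets are landing.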
-
Can you show me your /tmp/rules.debug?