CARP and captive portal ?



  • Hi everyone :),

    I'm trying to set up a redundancy system with 2 pfSense boxes on my LAN and captive portals activated on both
    (I followed http://pfsense.bol2riz.com/tutorials/carp/carp-cluster-new.htm and the CARP wiki).

    I have got on my LAN:
    192.168.135.1 (master)
    192.168.135.2 (slave)
    192.168.135.5 (vip)

    CARP is working on master and slave.

    When I set my master and slave to hand out 192.168.135.5 as the default DNS and gateway in the DHCP server, I can't access the captive portal anymore, there are no more DNS resolutions, etc.

    Any ideas?
    Thank you



  • Can you show me the output of 'ipfw show' and the rules on the interface of CP?



  • Here it is:

    $ ipfw show
    65291 36209 11686848 allow pfsync from any to any
    65292 22576  1264256 allow carp from any to any
    65301   169     6352 allow ip from any to any layer2 mac-type 0x0806
    65302     0        0 allow ip from any to any layer2 mac-type 0x888e
    65303     0        0 allow ip from any to any layer2 mac-type 0x88c7
    65304     0        0 allow ip from any to any layer2 mac-type 0x8863
    65305     0        0 allow ip from any to any layer2 mac-type 0x8864
    65306     0        0 allow ip from any to any layer2 mac-type 0x888e
    65307 11341   567050 deny ip from any to any layer2 not mac-type 0x0800
    65310    36    11808 allow udp from any 68 to { 255.255.255.255 or 192.168.135.1 } dst-port 67 in
    65311     0        0 allow udp from any 68 to { 255.255.255.255 or 192.168.135.1 } dst-port 67 in
    65312    18     5904 allow udp from { 255.255.255.255 or 192.168.135.1 } 67 to any dst-port 68 out
    65313     0        0 allow icmp from { 255.255.255.255 or 192.168.135.1 } to any out icmptypes 0
    65314     0        0 allow icmp from any to { 255.255.255.255 or 192.168.135.1 } in icmptypes 8
    65315   111     7000 allow udp from any to { 255.255.255.255 or 192.168.135.1 } dst-port 53 in
    65316   111    24982 allow udp from { 255.255.255.255 or 192.168.135.1 } 53 to any out
    65317     6      705 allow tcp from any to { 255.255.255.255 or 192.168.135.1 } dst-port 8000 in
    65318     5      679 allow tcp from { 255.255.255.255 or 192.168.135.1 } 8000 to any out
    65319   259    37428 allow tcp from any to { 255.255.255.255 or 192.168.135.1 } dst-port 8001 in
    65320   267   110240 allow tcp from { 255.255.255.255 or 192.168.135.1 } 8001 to any out
    65321     0        0 allow tcp from any to { 255.255.255.255 or 192.168.135.1 } dst-port 80 in
    65322     0        0 allow tcp from { 255.255.255.255 or 192.168.135.1 } 80 to any out
    65323     0        0 allow ip from table(3) to any in
    65324     0        0 allow ip from any to table(4) out
    65325     0        0 pipe tablearg ip from table(5) to any in
    65326     0        0 pipe tablearg ip from any to table(6) out
    65327    59     8644 allow ip from any to table(7) in
    65328    53    46391 allow ip from table(8) to any out
    65329     0        0 pipe tablearg ip from any to table(9) in
    65330     0        0 pipe tablearg ip from table(10) to any out
    65331  2776   304464 allow ip from table(1) to any in
    65332  4447  5823719 allow ip from any to table(2) out
    65531   210    18063 fwd 127.0.0.1,8000 tcp from any to any in
    65532    68     8217 allow tcp from any to any out
    65533   306    59292 deny ip from any to any
    65534     0        0 allow ip from any to any layer2
    65535     0        0 allow ip from any to any

    The rule on my LAN is the "Default allow LAN to any" rule.





  • I tried with the build of "Sun May 9 04:13:00 EDT 2010" but still no success.

    It looks like the VIP doesn't respond at all.
    With Wireshark I see that my client is asking for DNS from 192.168.135.5 (so /etc/resolv.conf is correct on my client) but gets no response.
    And the VIP doesn't create any packets or anything; it looks dead to me.

    I checked and my VIP is on the same subnet:
    192.168.135.5/24 : lan-carp
    192.168.135.1/24 : first pfSense with captive portal activated
    192.168.135.2/24 : second pfSense with captive portal activated

    Again, my ipfw:

    $ ipfw show
    65291 6463 1821368 allow pfsync from any to any
    65292 3209  179704 allow carp from any to any
    65301   60    2238 allow ip from any to any layer2 mac-type 0x0806
    65302    0       0 allow ip from any to any layer2 mac-type 0x888e
    65303    0       0 allow ip from any to any layer2 mac-type 0x88c7
    65304    0       0 allow ip from any to any layer2 mac-type 0x8863
    65305    0       0 allow ip from any to any layer2 mac-type 0x8864
    65306    0       0 allow ip from any to any layer2 mac-type 0x888e
    65307 1745   86748 deny ip from any to any layer2 not mac-type 0x0800
    65310    6    1968 allow udp from any 68 to { 255.255.255.255 or 192.168.135.5 or 192.168.135.1 } dst-port 67 in
    65311    0       0 allow udp from any 68 to { 255.255.255.255 or 192.168.135.5 or 192.168.135.1 } dst-port 67 in
    65312    6    1968 allow udp from { 255.255.255.255 or 192.168.135.5 or 192.168.135.1 } 67 to any dst-port 68 out
    65313    0       0 allow icmp from { 255.255.255.255 or 192.168.135.5 or 192.168.135.1 } to any out icmptypes 0
    65314    0       0 allow icmp from any to { 255.255.255.255 or 192.168.135.5 or 192.168.135.1 } in icmptypes 8
    65315    0       0 allow udp from any to { 255.255.255.255 or 192.168.135.5 or 192.168.135.1 } dst-port 53 in
    65316    0       0 allow udp from { 255.255.255.255 or 192.168.135.5 or 192.168.135.1 } 53 to any out
    65317    0       0 allow tcp from any to { 255.255.255.255 or 192.168.135.5 or 192.168.135.1 } dst-port 8000 in
    65318    0       0 allow tcp from { 255.255.255.255 or 192.168.135.5 or 192.168.135.1 } 8000 to any out
    65319   16    2443 allow tcp from any to { 255.255.255.255 or 192.168.135.5 or 192.168.135.1 } dst-port 8001 in
    65320   15    4284 allow tcp from { 255.255.255.255 or 192.168.135.5 or 192.168.135.1 } 8001 to any out
    65321  153   18053 allow tcp from any to { 255.255.255.255 or 192.168.135.5 or 192.168.135.1 } dst-port 443 in
    65322  181  164591 allow tcp from { 255.255.255.255 or 192.168.135.5 or 192.168.135.1 } 443 to any out
    65323    0       0 allow ip from table(3) to any in
    65324    0       0 allow ip from any to table(4) out
    65325    0       0 pipe tablearg ip from table(5) to any in
    65326    0       0 pipe tablearg ip from any to table(6) out
    65327    0       0 allow ip from any to table(7) in
    65328    0       0 allow ip from table(8) to any out
    65329    0       0 pipe tablearg ip from any to table(9) in
    65330    0       0 pipe tablearg ip from table(10) to any out
    65331    0       0 allow ip from table(1) to any in
    65332    0       0 allow ip from any to table(2) out
    65531    0       0 fwd 127.0.0.1,8000 tcp from any to any in
    65532    0       0 allow tcp from any to any out
    65533   73   13238 deny ip from any to any
    65534    0       0 allow ip from any to any layer2
    65535    0       0 allow ip from any to any

    Am I doing something wrong?
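
As an added diagnostic, not from the thread or from pfSense itself: a small Python script that parses `ipfw show` output in the shape of the dumps above, lists the inbound captive portal service rules (DHCP, DNS, portal ports) whose destination set does not include a given address such as the CARP VIP, and reports which deny rules actually matched traffic. The sample lines are constructed to resemble the first dump; the port list is an assumption based on the rules shown.

```python
import re

# Constructed sample in the shape of the thread's first `ipfw show` dump,
# before the VIP was listed in the captive portal rules.
SAMPLE = """\
65291 36209 11686848 allow pfsync from any to any
65307 11341 567050 deny ip from any to any layer2 not mac-type 0x0800
65315 111 7000 allow udp from any to { 255.255.255.255 or 192.168.135.1 } dst-port 53 in
65317 6 705 allow tcp from any to { 255.255.255.255 or 192.168.135.1 } dst-port 8000 in
65533 306 59292 deny ip from any to any
"""

LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")
ADDR_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def parse_ipfw(text):
    """Parse `ipfw show` lines into dicts: rule number, packet/byte counters, rule body."""
    rules = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip prompts, blank lines and anything that is not a rule
        num, pkts, byts, body = m.groups()
        rules.append({"num": int(num), "pkts": int(pkts), "bytes": int(byts), "body": body.strip()})
    return rules

def portal_service_rules(rules, ports=(67, 53, 8000, 8001, 80, 443)):
    """Inbound allow rules that let clients reach the portal services (assumed port list)."""
    out = []
    for r in rules:
        m = re.search(r"dst-port (\d+) in$", r["body"])
        if m and r["body"].startswith("allow") and int(m.group(1)) in ports:
            out.append(r)
    return out

def missing_vip(rules, vip):
    """Rule numbers of portal service rules whose destination set does not list vip."""
    return [r["num"] for r in portal_service_rules(rules) if vip not in ADDR_RE.findall(r["body"])]

def deny_hits(rules):
    """Deny rules with a non-zero counter: where dropped client packets are being counted."""
    return {r["num"]: r["pkts"] for r in rules if r["body"].startswith("deny") and r["pkts"] > 0}

if __name__ == "__main__":
    parsed = parse_ipfw(SAMPLE)
    print("rules not listing the VIP:", missing_vip(parsed, "192.168.135.5"))
    print("deny rules with hits:", deny_hits(parsed))
```

Run it against a real dump by replacing SAMPLE with the saved output of `ipfw show`; an empty list from missing_vip means every portal service rule already covers the address.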



  • Can you show me your /tmp/rules.debug?

