Netgate Discussion Forum
    CARP and captive portal ?

    2.0-RC Snapshot Feedback and Problems - RETIRED
    6 Posts 2 Posters 3.3k Views
      Nicolinux

      Hi everyone :),

      I'm trying to set up a redundancy system with 2 pfSense on my LAN and captive portals activated on both
      (I followed http://pfsense.bol2riz.com/tutorials/carp/carp-cluster-new.htm and the CARP wiki)

      I have on my LAN:
      192.168.135.1 (master)
      192.168.135.2 (slave)
      192.168.135.5 (vip)

      CARP is working on master and slave.

      When I set my master and slave to have 192.168.135.5 as the default DNS and gateway in the DHCP server, I can't access the captive portal anymore and there is no more DNS resolution, etc.

      Any ideas?
      Thank you

        eri--

        Can you show me the output of 'ipfw show' and the rules on the interface of CP?

          Nicolinux

          Here it is:

          
          $ ipfw show
          65291 36209 11686848 allow pfsync from any to any
          65292 22576  1264256 allow carp from any to any
          65301   169     6352 allow ip from any to any layer2 mac-type 0x0806
          65302     0        0 allow ip from any to any layer2 mac-type 0x888e
          65303     0        0 allow ip from any to any layer2 mac-type 0x88c7
          65304     0        0 allow ip from any to any layer2 mac-type 0x8863
          65305     0        0 allow ip from any to any layer2 mac-type 0x8864
          65306     0        0 allow ip from any to any layer2 mac-type 0x888e
          65307 11341   567050 deny ip from any to any layer2 not mac-type 0x0800
          65310    36    11808 allow udp from any 68 to { 255.255.255.255 or 192.168.135.1 } dst-port 67 in
          65311     0        0 allow udp from any 68 to { 255.255.255.255 or 192.168.135.1 } dst-port 67 in
          65312    18     5904 allow udp from { 255.255.255.255 or 192.168.135.1 } 67 to any dst-port 68 out
          65313     0        0 allow icmp from { 255.255.255.255 or 192.168.135.1 } to any out icmptypes 0
          65314     0        0 allow icmp from any to { 255.255.255.255 or 192.168.135.1 } in icmptypes 8
          65315   111     7000 allow udp from any to { 255.255.255.255 or 192.168.135.1 } dst-port 53 in
          65316   111    24982 allow udp from { 255.255.255.255 or 192.168.135.1 } 53 to any out
          65317     6      705 allow tcp from any to { 255.255.255.255 or 192.168.135.1 } dst-port 8000 in
          65318     5      679 allow tcp from { 255.255.255.255 or 192.168.135.1 } 8000 to any out
          65319   259    37428 allow tcp from any to { 255.255.255.255 or 192.168.135.1 } dst-port 8001 in
          65320   267   110240 allow tcp from { 255.255.255.255 or 192.168.135.1 } 8001 to any out
          65321     0        0 allow tcp from any to { 255.255.255.255 or 192.168.135.1 } dst-port 80 in
          65322     0        0 allow tcp from { 255.255.255.255 or 192.168.135.1 } 80 to any out
          65323     0        0 allow ip from table(3) to any in
          65324     0        0 allow ip from any to table(4) out
          65325     0        0 pipe tablearg ip from table(5) to any in
          65326     0        0 pipe tablearg ip from any to table(6) out
          65327    59     8644 allow ip from any to table(7) in
          65328    53    46391 allow ip from table(8) to any out
          65329     0        0 pipe tablearg ip from any to table(9) in
          65330     0        0 pipe tablearg ip from table(10) to any out
          65331  2776   304464 allow ip from table(1) to any in
          65332  4447  5823719 allow ip from any to table(2) out
          65531   210    18063 fwd 127.0.0.1,8000 tcp from any to any in
          65532    68     8217 allow tcp from any to any out
          65533   306    59292 deny ip from any to any
          65534     0        0 allow ip from any to any layer2
          65535     0        0 allow ip from any to any
          
          

          The rule on my LAN is the "Default allow LAN to any" rule.

            eri--

            Try a new snapshot or this fix: https://rcs.pfsense.org/projects/pfsense/repos/mainline/commits/906f11b572b75f62b5f5e2aedde2dd5909b435f8

              Nicolinux

              I tried with the build of "Sun May 9 04:13:00 EDT 2010" but still no success.

              Looks like the VIP doesn't respond at all.
              With Wireshark I see that my client is asking for DNS from 192.168.135.5 (so /etc/resolv.conf is correct for my client) but gets no response.
              And the VIP doesn't generate any packets or anything; it looks dead to me.

              I checked and my VIP is on the same subnet:
              192.168.135.5/24: lan-carp
              192.168.135.1/24: first pfSense with captive portal activated
              192.168.135.2/24: second pfSense with captive portal activated

              Again my ipfw:

              
               ipfw show
              65291 6463 1821368 allow pfsync from any to any
              65292 3209  179704 allow carp from any to any
              65301   60    2238 allow ip from any to any layer2 mac-type 0x0806
              65302    0       0 allow ip from any to any layer2 mac-type 0x888e
              65303    0       0 allow ip from any to any layer2 mac-type 0x88c7
              65304    0       0 allow ip from any to any layer2 mac-type 0x8863
              65305    0       0 allow ip from any to any layer2 mac-type 0x8864
              65306    0       0 allow ip from any to any layer2 mac-type 0x888e
              65307 1745   86748 deny ip from any to any layer2 not mac-type 0x0800
              65310    6    1968 allow udp from any 68 to { 255.255.255.255 or 192.168.135.5 or 192.168.135.1 } dst-port 67 in
              65311    0       0 allow udp from any 68 to { 255.255.255.255 or 192.168.135.5 or 192.168.135.1 } dst-port 67 in
              65312    6    1968 allow udp from { 255.255.255.255 or 192.168.135.5 or 192.168.135.1 } 67 to any dst-port 68 out
              65313    0       0 allow icmp from { 255.255.255.255 or 192.168.135.5 or 192.168.135.1 } to any out icmptypes 0
              65314    0       0 allow icmp from any to { 255.255.255.255 or 192.168.135.5 or 192.168.135.1 } in icmptypes 8
              65315    0       0 allow udp from any to { 255.255.255.255 or 192.168.135.5 or 192.168.135.1 } dst-port 53 in
              65316    0       0 allow udp from { 255.255.255.255 or 192.168.135.5 or 192.168.135.1 } 53 to any out
              65317    0       0 allow tcp from any to { 255.255.255.255 or 192.168.135.5 or 192.168.135.1 } dst-port 8000 in
              65318    0       0 allow tcp from { 255.255.255.255 or 192.168.135.5 or 192.168.135.1 } 8000 to any out
              65319   16    2443 allow tcp from any to { 255.255.255.255 or 192.168.135.5 or 192.168.135.1 } dst-port 8001 in
              65320   15    4284 allow tcp from { 255.255.255.255 or 192.168.135.5 or 192.168.135.1 } 8001 to any out
              65321  153   18053 allow tcp from any to { 255.255.255.255 or 192.168.135.5 or 192.168.135.1 } dst-port 443 in
              65322  181  164591 allow tcp from { 255.255.255.255 or 192.168.135.5 or 192.168.135.1 } 443 to any out
              65323    0       0 allow ip from table(3) to any in
              65324    0       0 allow ip from any to table(4) out
              65325    0       0 pipe tablearg ip from table(5) to any in
              65326    0       0 pipe tablearg ip from any to table(6) out
              65327    0       0 allow ip from any to table(7) in
              65328    0       0 allow ip from table(8) to any out
              65329    0       0 pipe tablearg ip from any to table(9) in
              65330    0       0 pipe tablearg ip from table(10) to any out
              65331    0       0 allow ip from table(1) to any in
              65332    0       0 allow ip from any to table(2) out
              65531    0       0 fwd 127.0.0.1,8000 tcp from any to any in
              65532    0       0 allow tcp from any to any out
              65533   73   13238 deny ip from any to any
              65534    0       0 allow ip from any to any layer2
              65535    0       0 allow ip from any to any
              
              

              Am I doing something wrong???

                eri--

                Can you show me your /tmp/rules.debug?

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.