5. CARP and captive portal ?

CARP and captive portal ?

  • N

    Hi everyone  :),

    I'm trying to set up a redundancy system with 2 pfsense on my lan and captive portals activated on both
    (i followed http://pfsense.bol2riz.com/tutorials/carp/carp-cluster-new.htm and the carp wiki)

    I have got on my lan :
    192.168.135.1 (master)
    192.168.135.2 (slave)
    192.168.135.5 (vip)

    CARP is working on master and slave.

    When i am setting my master and slave to have 192.168.135.5 as default dns and gateway in dhcp server, i can't access anymore to the captive portal, there are no more dns resolutions etc…

    Any ideas ?
    Thank you

    0
  • E

    Can you show me the output of 'ipfw show' and the rules on the interface of CP?

    0
  • N

    Here it is

    
$ ipfw show
65291 36209 11686848 allow pfsync from any to any
65292 22576  1264256 allow carp from any to any
65301   169     6352 allow ip from any to any layer2 mac-type 0x0806
65302     0        0 allow ip from any to any layer2 mac-type 0x888e
65303     0        0 allow ip from any to any layer2 mac-type 0x88c7
65304     0        0 allow ip from any to any layer2 mac-type 0x8863
65305     0        0 allow ip from any to any layer2 mac-type 0x8864
65306     0        0 allow ip from any to any layer2 mac-type 0x888e
65307 11341   567050 deny ip from any to any layer2 not mac-type 0x0800
65310    36    11808 allow udp from any 68 to { 255.255.255.255 or 192.168.135.1 } dst-port 67 in
65311     0        0 allow udp from any 68 to { 255.255.255.255 or 192.168.135.1 } dst-port 67 in
65312    18     5904 allow udp from { 255.255.255.255 or 192.168.135.1 } 67 to any dst-port 68 out
65313     0        0 allow icmp from { 255.255.255.255 or 192.168.135.1 } to any out icmptypes 0
65314     0        0 allow icmp from any to { 255.255.255.255 or 192.168.135.1 } in icmptypes 8
65315   111     7000 allow udp from any to { 255.255.255.255 or 192.168.135.1 } dst-port 53 in
65316   111    24982 allow udp from { 255.255.255.255 or 192.168.135.1 } 53 to any out
65317     6      705 allow tcp from any to { 255.255.255.255 or 192.168.135.1 } dst-port 8000 in
65318     5      679 allow tcp from { 255.255.255.255 or 192.168.135.1 } 8000 to any out
65319   259    37428 allow tcp from any to { 255.255.255.255 or 192.168.135.1 } dst-port 8001 in
65320   267   110240 allow tcp from { 255.255.255.255 or 192.168.135.1 } 8001 to any out
65321     0        0 allow tcp from any to { 255.255.255.255 or 192.168.135.1 } dst-port 80 in
65322     0        0 allow tcp from { 255.255.255.255 or 192.168.135.1 } 80 to any out
65323     0        0 allow ip from table(3) to any in
65324     0        0 allow ip from any to table(4) out
65325     0        0 pipe tablearg ip from table(5) to any in
65326     0        0 pipe tablearg ip from any to table(6) out
65327    59     8644 allow ip from any to table(7) in
65328    53    46391 allow ip from table(8) to any out
65329     0        0 pipe tablearg ip from any to table(9) in
65330     0        0 pipe tablearg ip from table(10) to any out
65331  2776   304464 allow ip from table(1) to any in
65332  4447  5823719 allow ip from any to table(2) out
65531   210    18063 fwd 127.0.0.1,8000 tcp from any to any in
65532    68     8217 allow tcp from any to any out
65533   306    59292 deny ip from any to any
65534     0        0 allow ip from any to any layer2
65535     0        0 allow ip from any to any

    The rule on my lan is the "Default allow LAN to any rule "

    0
  • E

    Try new snapshot or this fix https://rcs.pfsense.org/projects/pfsense/repos/mainline/commits/906f11b572b75f62b5f5e2aedde2dd5909b435f8

    0
  • N

    I tried with the build of  "Sun May 9 04:13:00 EDT 2010" but still no success

    Looks like the VIP doesn't respond at all.
    With Wireshark i see that my client is asking for a dns from 192.168.135.5 (so correct /etc/resolv.conf for my client) but no response
    And the vip doesn't create any packets or anything, looks dead to me.

    I checked and my vip is on the same subnet :
    192.168.135.5/24 : lan-carp
    192.168.135.1/24 : first pfsense with captive portal activated
    192.168.135.2/24 : second pfsense with captive portal activated

    Again my ipfw :

    
 ipfw show
65291 6463 1821368 allow pfsync from any to any
65292 3209  179704 allow carp from any to any
65301   60    2238 allow ip from any to any layer2 mac-type 0x0806
65302    0       0 allow ip from any to any layer2 mac-type 0x888e
65303    0       0 allow ip from any to any layer2 mac-type 0x88c7
65304    0       0 allow ip from any to any layer2 mac-type 0x8863
65305    0       0 allow ip from any to any layer2 mac-type 0x8864
65306    0       0 allow ip from any to any layer2 mac-type 0x888e
65307 1745   86748 deny ip from any to any layer2 not mac-type 0x0800
65310    6    1968 allow udp from any 68 to { 255.255.255.255 or 192.168.135.5 or 192.168.135.1 } dst-port 67 in
65311    0       0 allow udp from any 68 to { 255.255.255.255 or 192.168.135.5 or 192.168.135.1 } dst-port 67 in
65312    6    1968 allow udp from { 255.255.255.255 or 192.168.135.5 or 192.168.135.1 } 67 to any dst-port 68 out
65313    0       0 allow icmp from { 255.255.255.255 or 192.168.135.5 or 192.168.135.1 } to any out icmptypes 0
65314    0       0 allow icmp from any to { 255.255.255.255 or 192.168.135.5 or 192.168.135.1 } in icmptypes 8
65315    0       0 allow udp from any to { 255.255.255.255 or 192.168.135.5 or 192.168.135.1 } dst-port 53 in
65316    0       0 allow udp from { 255.255.255.255 or 192.168.135.5 or 192.168.135.1 } 53 to any out
65317    0       0 allow tcp from any to { 255.255.255.255 or 192.168.135.5 or 192.168.135.1 } dst-port 8000 in
65318    0       0 allow tcp from { 255.255.255.255 or 192.168.135.5 or 192.168.135.1 } 8000 to any out
65319   16    2443 allow tcp from any to { 255.255.255.255 or 192.168.135.5 or 192.168.135.1 } dst-port 8001 in
65320   15    4284 allow tcp from { 255.255.255.255 or 192.168.135.5 or 192.168.135.1 } 8001 to any out
65321  153   18053 allow tcp from any to { 255.255.255.255 or 192.168.135.5 or 192.168.135.1 } dst-port 443 in
65322  181  164591 allow tcp from { 255.255.255.255 or 192.168.135.5 or 192.168.135.1 } 443 to any out
65323    0       0 allow ip from table(3) to any in
65324    0       0 allow ip from any to table(4) out
65325    0       0 pipe tablearg ip from table(5) to any in
65326    0       0 pipe tablearg ip from any to table(6) out
65327    0       0 allow ip from any to table(7) in
65328    0       0 allow ip from table(8) to any out
65329    0       0 pipe tablearg ip from any to table(9) in
65330    0       0 pipe tablearg ip from table(10) to any out
65331    0       0 allow ip from table(1) to any in
65332    0       0 allow ip from any to table(2) out
65531    0       0 fwd 127.0.0.1,8000 tcp from any to any in
65532    0       0 allow tcp from any to any out
65533   73   13238 deny ip from any to any
65534    0       0 allow ip from any to any layer2
65535    0       0 allow ip from any to any

    Am i doing something wrong  ???

    0
  • E

    Can you show me you /tmp/rules.debug.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy