Captive portal and CARP issue



  • Hello:

    We recently set up a pfSense machine (v1.0.1) primarily for captive portal technology for our students.  This worked great when using a single machine and authenticating our users against a RADIUS server.

    After more users evaluated this captive portal, folks liked the idea of having a fail-over unit for redundancy, thus we migrated to a 2-server setup and purchased additional NICs for the SYNC interface.

    When the 2 servers were configured as per tutorial http://pfsense.iserv.nl/tutorials/carp/carp-cluster-new.htm where CARP was configured, fail-over worked like a charm.  Looking at our switch ARP table, I can see the virtual MAC address appear on the same interface of the active pfSense server.  Shutting down one server results in making the other server the active box (master) and the virtual MAC address follows that active interface.  (This applies to both WAN and LAN interfaces on both boxes.)

    The problem came about when we enabled Services -> Captive Portal on the LAN interface of each of the 2 servers.  Clients are not redirected to a portal page... just a dead page.  However, once in a while, if one keeps refreshing their web browser, a portal login page appears although not consistently -- sometimes it's the portal page from server#1, other times it's from server#2.

    When looking at the ARP table on our switch where the LAN interfaces are connected, I see the virtual MAC address appear on 1 port (i.e. server#1 LAN interface), then it moves onto the other port (i.e. server#2 LAN interface).

    Any suggestions on how we can set up Captive Portal and CARP on these 2 machines?

    Thanks in advance,

    • Orlie


  • Try to add the real interface IPs of the opposite box (slave IP at master and master IP at slave) as passthrough IP. I think the keepalive broadcasts are captured by the captive portal and this is causing both machines to become master.



  • @hoba:

    Try to add the real interface IPs of the opposite box (slave IP at master and master IP at slave) as passthrough IP. I think the keepalive broadcasts are captured by the captive portal and this is causing both machines to become master.

    Where exactly should I go to set this up?  (Sorry, newbie here.)

    Thanks in advance,

    • Orlie


  • services>captive portal, allowed IP addresses.



  • (sigh)  Didn't work, but thank you for the suggestion – I was running out of ideas.  I guess there aren't many setups out there using both captive portal and CARP?



  • When the browser tries to redirect you, do you see the carp ip or the real ip of one of the systems in the status bar of the browser? Also what status do you see for the carp IP at status>failover(carp) at both systems?



  • @hoba:

    When the browser tries to redirect you, do you see the carp ip or the real ip of one of the systems in the status bar of the browser? Also what status do you see for the carp IP at status>failover(carp) at both systems?

    Apologies for the delayed feedback.  Actually, whenever a portal login appears, I never see the CARP IP address – only the real LAN IP address of one of the servers.  As for the CARP status, all looks good -- only 1 of them is the master for both interfaces (LAN & WAN) at a time while the other is the backup for both interfaces.

    Do you know if anyone else is using Captive Portal using a CARP setup?



  • CARP will not work with the CP on 1.0.  The code will grab the real interface IP address, not the CARP IP.



  • @sullrich:

    CARP will not work with the CP on 1.0.  The code will grab the real interface IP address, not the CARP IP.

    Thanks for the reply. We're running 1.0.1 (latest version as of today), but I didn't see any mention of CARP + CP being supported in the updates for version 1.0.1 as compared to version 1.0.  I suppose the alternative is to disable CARP on the 2 servers and just have the 2nd server as a warm spare.

    Question: Is there an automated (or less manual) method of copying/syncing over all changes done from the 1st server and onto the warm spare without enabling CARP?



  • You could try a really evil hack..  Download the configuration… Change the interface from optX to carpX for the captive portal interface, upload the new configuration.... It might just work...



  • If this works note that you will have to change it this way whenever you touch the captive portal settings and hit save.

