    Captive portal and CARP issue

      orliec last edited by

      Hello:

      We recently set up a pfSense machine (v1.0.1) primarily for captive portal technology for our students.  This worked great when using a single machine and authenticating our users against a RADIUS server.

      After more users evaluated this captive portal, folks liked the idea of having a fail-over unit for redundancy, thus we migrated to a 2-server setup and purchased additional NICs for the SYNC interface.

      When the 2 servers were configured as per tutorial http://pfsense.iserv.nl/tutorials/carp/carp-cluster-new.htm where CARP was configured, fail-over worked like a charm.  Looking at our switch ARP table, I can see the virtual MAC address appear on the same interface of the active pfSense server.  Shutting down one server results in making the other server the active box (master) and the virtual MAC address follows that active interface.  (This applies to both WAN and LAN interfaces on both boxes.)

      The problem came about when we enabled Services -> Captive Portal on the LAN interface of each of the 2 servers.  Clients are not redirected to a portal page... just a dead page.  However, once in a while, if one keeps refreshing their web browser, a portal login page appears although not consistently -- sometimes it's the portal page from server#1, other times it's from server#2.

      When looking at the ARP table on our switch where the LAN interfaces are connected, I see the virtual MAC address appear on 1 port (i.e. server#1 LAN interface), then it moves onto the other port (i.e. server#2 LAN interface).

      Any suggestions on how we can set up Captive Portal and CARP on these 2 machines?

      Thanks in advance,

      • Orlie
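
A check for the symptom described in the post above (the CARP virtual MAC moving back and forth between switch ports), as an added example that is not part of the original thread. The polled MAC-table rows are constructed sample data, and the 60-second window and one-move threshold are assumptions.

```python
from collections import defaultdict

# CARP reuses the VRRP virtual MAC range; the last octet is the VHID.
CARP_VMAC_PREFIX = "00:00:5e:00:01:"

# Constructed sample: (seconds, MAC, switch port) rows polled from a MAC table.
SAMPLE_OBSERVATIONS = [
    (0, "00:00:5e:00:01:01", "Gi0/1"),   # WAN, VHID 1
    (30, "0000.5e00.0101", "Gi0/2"),     # one move: an ordinary failover
    (60, "00:00:5e:00:01:01", "Gi0/2"),
    (0, "00:00:5E:00:01:02", "Gi0/3"),   # LAN, VHID 2
    (5, "00:00:5e:00:01:02", "Gi0/4"),
    (10, "00:00:5e:00:01:02", "Gi0/3"),
    (15, "00:00:5e:00:01:02", "Gi0/4"),  # keeps alternating between ports
    (0, "00:11:22:33:44:55", "Gi0/7"),   # ordinary client, ignored
    (5, "00:11:22:33:44:55", "Gi0/8"),
    (10, "00:11:22:33:44:55", "Gi0/7"),
]

def normalize_mac(mac):
    """Accept colon, dash or dotted notation; return lowercase colon form."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def find_flapping_vmacs(observations, window=60, max_moves=1):
    """Return {vmac: moves} for CARP virtual MACs that changed switch port
    more than max_moves times within any span of `window` seconds."""
    history = defaultdict(list)
    for ts, mac, port in sorted(observations):
        mac = normalize_mac(mac)
        if mac.startswith(CARP_VMAC_PREFIX):
            history[mac].append((ts, port))
    flapping = {}
    for mac, seen in history.items():
        # Timestamps at which the MAC showed up on a different port.
        moves = [ts for (ts, port), (_, prev) in zip(seen[1:], seen) if port != prev]
        worst = start = 0
        for end in range(len(moves)):          # sliding window over the moves
            while moves[end] - moves[start] > window:
                start += 1
            worst = max(worst, end - start + 1)
        if worst > max_moves:
            flapping[mac] = worst
    return flapping

if __name__ == "__main__":
    for mac, moves in find_flapping_vmacs(SAMPLE_OBSERVATIONS).items():
        print(f"{mac} (VHID {int(mac[-2:], 16)}) moved {moves} times in the window")
```

A single move is what a normal failover looks like; repeated moves mean both nodes are sending frames from the virtual MAC.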
        hoba last edited by

        Try to add the real interface IPs of the opposite box (slave IP at master and master IP at slave) as passthrough IP. I think the keepalive broadcasts are captured by the captive portal and this is causing both machines to become master.

          orliec last edited by

          @hoba:

          Try to add the real interface IPs of the opposite box (slave IP at master and master IP at slave) as passthrough IP. I think the keepalive broadcasts are captured by the captive portal and this is causing both machines to become master.

          Where exactly should I go to set this up?  (Sorry, newbie here.)

          Thanks in advance,

          • Orlie
            hoba last edited by

            services>captive portal, allowed IP addresses.

              orliec last edited by

              (sigh)  Didn't work, but thank you for the suggestion – I was running out of ideas.  I guess there aren't many setups out there using both captive portal and CARP?

                hoba last edited by

                When the browser tries to redirect you, do you see the carp ip or the real ip of one of the systems in the statusbar of the browser? Also what status do you see for the carp IP at status>failover(carp) at both systems?

                  orliec last edited by

                  @hoba:

                  When the browser tries to redirect you, do you see the carp ip or the real ip of one of the systems in the statusbar of the browser? Also what status do you see for the carp IP at status>failover(carp) at both systems?

                  'Apologize for the delayed feedback.  Actually, whenever a portal login appears, I never see the CARP IP address – only the real LAN IP address of one of the servers.  As for the CARP status, all looks good -- only 1 of them is the master for both interfaces (LAN & WAN) at a time while the other is the backup for both interfaces.

                  Do you know if anyone else is using Captive Portal using a CARP setup?

                    sullrich last edited by

                    CARP will not work with the CP on 1.0.  The code will grab the real interface IP address, not the CARP IP.

                      orliec last edited by

                      @sullrich:

                      CARP will not work with the CP on 1.0.  The code will grab the real interface IP address, not the CARP IP.

                      Thanks for the reply. We're running 1.0.1 (latest version as of today), but I didn't see any mention of CARP + CP being supported in the updates for version 1.0.1 as compared to version 1.0.  I suppose the alternative is to disable CARP on the 2 servers and just have the 2nd server as a warm spare.

                      Question: Is there an automated (or less manual) method of copying/syncing over all changes done from the 1st server and onto the warm spare without enabling CARP?

                        sullrich last edited by

                        You could try a really evil hack..  Download the configuration… Change the interface from optX to carpX for the captive portal interface, upload the new configuration.... It might just work...

                          hoba last edited by

                          If this works, note that you will have to change it this way whenever you touch the captive portal settings and hit save.