Too many concurrent users!



  • Hi Guys,

    I've got a captive portal with RADIUS authentication set up, which has been working fine until recently.

    This summer I've been having problems with the number of clients connecting. I have 300+ devices on the network at one time and the DHCP server simply does not have enough addresses to cope.

    I've tried setting the DHCP lease time to a minute which helped a little until even more people arrived and started using the portal.

    To give you an idea of the setup:

    [Internet]----[Router]----[pfsense]----[switch]----[Multiple WAPs]

    My DHCP server is running 192.168.1.0/24
    My DHCP range is set to 192.168.1.2 to 192.168.1.248 as WAPs are present from 249 to 254.

    I tried reconfiguring the DHCP server to use 192.168.1.0/16, but all the devices that got IPs on 192.168.2.X couldn't connect to the internet or ping the gateway.

    I'm not too familiar with networking at this level. Do I need to change something on the DHCP server? Can I solve this using the captive portal somehow? Do the clients need special configuration to use a 16 bit netmask?

    Any help would be greatly appreciated.

    Thanks!

    edit Sorry, if this should be in the DHCP section please can a mod move it?



  • Just woke up so bear with me. I believe that the reason they could not ping anything is because you switched to a /16 from a /24. They would still have the /24 addresses and thus need to renew their lease. This could be done (on Windows for example) by opening a cmd prompt and performing an 'ipconfig /release' and then 'ipconfig /renew' (without the marks of course :P ). Clients as far as I know do not require anything special to use a /16 except that they need to have the new /16 address.

    Hope this helps you out :)

    edit
    I forgot to add, any static addresses (possibly in your WAP?) will need to be updated to a /16 as well.



  • Hi fredfred5,

    Decreasing the DHCP lease time will help but only until there are more clients than IP addresses. If you only offer ~230 IPs and there are 250 clients which want to connect there is nothing you can change but the IP address range.

    • To increase the DHCP IP address range you need to change the LAN interface's subnet mask from /24 to /16

    • Then change the DHCP server address range from let's say: 192.168.2.0 - 192.168.4.255 (~2048 hosts)

    • This will not conflict with your static WAPs' IP addresses on 192.168.1.x

    • You need to change the subnet mask on the WAPs from /24 (255.255.255.0) to /16 (255.255.0.0)

    • The clients connected to your WAPs do not need to change anything - they will get all parameters from your DHCP. They probably just need to disconnect and reconnect one time if they are using an IP from your old range and should get a new IP from the new range.

    • Then you have to go to your firewall rules -> LAN and check if the firewall rule allows access from all your source IP addresses (change the subnet mask where needed). Best way to use there is "LAN subnet"



  • @Nachtfalke:

    • Then you have to go to your firewall rules -> LAN and check if the firewall rule allows access from all your source IP addresses (change the subnet mask where needed). Best way to use there is "LAN subnet"



  • @fredfred5,

    your firewall rule is ok. :)

    Your DHCP IP address range will cause a problem in future. The DHCP server will assign a client the IP 192.168.1.249 because this IP is in its range. But then this IP is used by two clients: your WAP and the client. That's why I told you to use another range for the DHCP server.

    Can you post screenshots of your LAN interface, DHCP server on LAN interface?

    Can you go to CaptivePortal configuration page and just reselect the "LAN" interface and click save so that the CP configuration will be saved again.

    Set the Gateway and DNS (your LAN interface's IP) in DHCP Server configuration page and increase the lease time back to a normal value and not 1 minute.



  • @Nachtfalke:

    @fredfred5,

    your firewall rule is ok. :)

    Good to know.

    @Nachtfalke:

    Your DHCP IP address range will cause a problem in future. The DHCP server will assign a client the IP 192.168.1.249 because this IP is in its range. But then this IP is used by two clients: your WAP and the client. That's why I told you to use another range for the DHCP server.

    OK I've changed it to what you specified.

    @Nachtfalke:

    Can you post screenshots of your LAN interface, DHCP server on LAN interface?

    Yes:

    LAN Interface -

    DHCP -

    @Nachtfalke:

    Can you go to CaptivePortal configuration page and just reselect the "LAN" interface and click save so that the CP configuration will be saved again.

    Set the Gateway and DNS (your LAN interface's IP) in DHCP Server configuration page and increase the lease time back to a normal value and not 1 minute.

    Done.

    Still no internet and no ping response from the gateway on subnet 2  :(



  • DHCP and LAN interface seem to be correct.
    Do you have access when you connect your notebook directly to the switch?

    Did you set the correct subnet mask on the WAPs?

    What is the subnet on the WAN site? Probably there is a conflict with your LAN (overlapping subnets).
    If your WAN has an address on 192.168.x.y then it will conflict with your LAN. Then we must adjust the subnet mask.



  • @Nachtfalke:

    DHCP and LAN interface seem to be correct.

    Excellent.

    @Nachtfalke:

    Do you have access when you connect your notebook directly to the switch?

    No, same situation.

    @Nachtfalke:

    Did you set the correct subnet mask on the WAPs?

    Yes all WAPs are set to netmask 255.255.0.0

    @Nachtfalke:

    What is the subnet on the WAN site? Probably there is a conflict with your LAN (overlapping subnets).
    If your WAN has an address on 192.168.x.y then it will conflict with your LAN. Then we must adjust the subnet mask.

    The subnet on the WAN is 192.168.2.0/24.

    The WAN IP is 192.168.2.253.

    Is this the problem I'm having? Would setting the IP on the LAN interface to 192.168.3.1/16 and the IP range from 192.168.4.0 to 192.168.6.255 work?



  • Yes, your problem is the overlapping subnet from your LAN and WAN.

    Choose this interface IP and subnet for your LAN:
    192.168.8.0/22 (SubnetMask: 255.255.252.0)
    This will be address space from
    192.168.8.1 - 192.168.11.254 (~2048 hosts)

    Best way would be to setup all static IPs (router, fileserver, WAPs, switch, etc.) in the range between:
    192.168.8.1 - 192.168.8.254
    Then setup the DHCP server with a range from:
    192.168.9.1 - 192.168.11.254

    If the time has come and you need more IPs then you just have to change the subnet mask from /22 to /21 (255.255.248.0)
    which will give you address space from 192.168.8.0 - 192.168.15.255 (~8096 hosts).

    PS: If you start changing the IPs - start to change them on your WAPs and the switch and so on - you will lose connection after you did that. Set up everything correctly (Gateway, subnet mask, IP, DNS). After you have changed the pfsense LAN address and the pfsense DHCP server you will get access to your WAPs.
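
An added example, not part of the original posts: a Python check of the three addressing plans discussed in this thread for LAN/WAN overlap, static addresses inside the DHCP pool, and pool capacity. The LAN interface host addresses (192.168.1.1, 192.168.8.1), the renumbered WAP addresses and the client count of 300 are assumptions made for illustration.

```python
import ipaddress

def check_plan(lan_if, wan_if, pool_start, pool_end, statics, clients):
    """Return a list of problems found in a LAN/DHCP addressing plan."""
    lan = ipaddress.ip_interface(lan_if).network
    wan = ipaddress.ip_interface(wan_if).network
    lo = ipaddress.ip_address(pool_start)
    hi = ipaddress.ip_address(pool_end)
    problems = []
    # If LAN and WAN overlap, the shared addresses exist on both sides of
    # the firewall and traffic for them is ambiguous.
    if lan.overlaps(wan):
        problems.append(f"LAN {lan} overlaps WAN {wan}")
    # Both pool edges must be usable host addresses inside the LAN network.
    for edge in (lo, hi):
        if edge not in lan or edge in (lan.network_address, lan.broadcast_address):
            problems.append(f"pool edge {edge} is not a usable host in {lan}")
    # A static device inside the pool will eventually collide with a lease.
    for s in map(ipaddress.ip_address, statics):
        if lo <= s <= hi:
            problems.append(f"static {s} is inside the DHCP pool")
    # The pool must hold at least one lease per concurrent client.
    size = int(hi) - int(lo) + 1
    if size < clients:
        problems.append(f"pool holds {size} leases for {clients} clients")
    return problems

WAN = "192.168.2.253/24"                              # from the thread
OLD_WAPS = [f"192.168.1.{n}" for n in range(249, 255)]  # from the thread
NEW_WAPS = [f"192.168.8.{n}" for n in range(249, 255)]  # assumed renumbering

PLANS = {
    # LAN interface host addresses below are assumed, not stated in the thread.
    "original /24": ("192.168.1.1/24", WAN, "192.168.1.2", "192.168.1.248", OLD_WAPS),
    "/16 attempt": ("192.168.1.1/16", WAN, "192.168.2.0", "192.168.4.255", OLD_WAPS),
    "final /22": ("192.168.8.1/22", WAN, "192.168.9.1", "192.168.11.254", NEW_WAPS),
}

if __name__ == "__main__":
    for name, plan in PLANS.items():
        issues = check_plan(*plan, clients=300)  # 300 = assumed peak load
        print(name, "->", issues or "OK")
```
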



  • It worked!  ;D

    Thanks for all your help!

