Captive portal hangs

  • Poor description in the subject, sorry bout that.
    My issue is that the captive portal stops responding. My client joins a wireless network, can view the captive portal login screen and hit accept, but nothing further happens. If they try and go to another web page manually, they are prompted again to accept the agreement on the captive portal page.

    The environment is used for guest access only as follows:

    Wireless network consisting of 400 wireless APs,
    a single SSID is broadcast across all APs which connects to a VLAN on the LAN side of my pfsense box.
    The pfsense does dhcp, DNS proxy/forwarding and captive portal. Captive portal simply displays terms of use, user clicks accept and away they go.

    Upstream from the pfsense is another firewall which does content filtering. pfsense is configured for 1:1 NAT. I'm actually doing NAT twice, once by pfsense and again by mycontent filter firewall. Not ideal, but seems to work.

    I installed pfsense in place of m0n0wall because m0n0wall couldn't handle the load. We have roughly 350 users typically online. Most of these are cell phones and whatnot that use not too much bandwidth; the guest network is limited to 10 Mb anyway.

    A couple things I've noticed:
    dhcp table shows 912 devices, even though my wireless system shows only 350. About 700 of those are marked as active
    changing a setting on my captive portal page (which resets the captive portal) seems to fix it for a while

    We're using 75% of 256MB memory, and 13K of 50K table state (i increased table size from the default)

    Anyone seen this before or can suggest anything I might want to do to pfsense for this size environment?

  • Which pfsense version? Does it work for some time and then it stops accepting new logins ? (note: while trivial, have you checked the CP html login form? there are differences in how various browsers handle http post forms when pressing "enter")

    Have you monitored pfsense itself? At the very least you should increase the amount of memory from your current 256MB. And while smartphones use relatively low bandwidth, just 10Mbps for the guest WLAN probably won't suffice.

    Offering captive portal and Internet services to a WLAN of 400 APs (even if you only have 1-3 devices per AP) is a rather complex project both on the Wifi side and the Internet-sharing side, so you might want to get a 2nd opinion from a consultant who has done it before …

  • pfsense 2.01

    We've only had it running for a day or so, but I'm trying to address issues early, like I said m0n0wall didn't work so well for us, we found ourselves restarting it every couple of weeks.

    pfsense itself seems fine, the only stat I saw go too high was CPU usage, but that happened only when I reset the captive portal, and everyone had to log back in. State table is under 50% used, memory 75% used, everything else shows similar levels of usage.

    You're right about 10Mb/s being insufficient, but this is for a school, giving students all the bandwidth they want for their smart phones isn't something they can do. The whole guest network is done on the cheap.

    I am the consultant who's done it before. Like I said, the wireless is fine, we're just doing the guest captive portal part on the cheap.

    I'll throw some more memory on the VM and see how it works.

Log in to reply