Problems with Captive Portal (seems solved)



  • Hello,

    I have made a post in the Spanish forum about a Captive Portal problem, but I am putting it here too, in English.

    I have a powerful machine with pfSense 1.2 Release installed (Dell PowerEdge 1950, Quad Core, 4 Gbytes of RAM). I have WAN, LAN, DMZ and WLAN interfaces configured. In the LAN, I have 150 users, 19 servers in DMZ, and public ethernet IP in WLAN, with 19 Virtual IPs (public too, Proxy ARP), that give external access to services.

    The problem that I have is when I configure Captive Portal on the WLAN interface, configured to validate users with Radius - Windows Server 2003 IAS. Apparently, it works, but after it has been working for 30 minutes, it starts to kill connections and to give low bandwidth to users. I usually do not have more than 50 users on WLAN, and a minimum of 5 or 6.

    I searched the forum and the internet, and I haven't had success.

    Any suggestions?

    Thanks in advance, and sorry for my poor English.



  • Are you using the "reauthenticate users every minute" option? This option was never meant for very large environments. The process is not threaded, which means it will only send one request at a time and wait for the result before it performs the next request. Within a minute you can't reauthenticate many users this way. Search the m0n0wall mailing list for more details as it has been discussed there. The pfSense captive portal is nearly a 100% copy of the m0n0wall code so we have the same limitations here. Without that option turned on it will run even for installations with many users.



  • @hoba:

    Are you using the "reauthenticate users every minute" option? This option was never meant for very large environments. The process is not threaded, which means it will only send one request at a time and wait for the result before it performs the next request. Within a minute you can't reauthenticate many users this way. Search the m0n0wall mailing list for more details as it has been discussed there. The pfSense captive portal is nearly a 100% copy of the m0n0wall code so we have the same limitations here. Without that option turned on it will run even for installations with many users.

    Hello,

    No, I don't use any 'special options' like 'reauthenticate users every minute'. In fact, I've disabled the timeouts, logoff banner etc. I only have options for the RADIUS server.

    I will look at the m0n0wall forum.

    Thanks



  • Hello,

    Today I tried with no RADIUS auth, configuring a local user account, and the problem persists. After the system has been working for 30 or 40 minutes, the captive portal hangs.

    Bye.



  • What kind of setup do you have for your WLAN?

    Is this a local hotspot or are you a wireless ISP or a business setting?

    50 users on 1 AP is way too many! Usually 30 is the max - and that is if you have all of your client devices set up correctly. 50 laptops on 1 AP probably won't work!

    At an absolute maximum, you have about 20mb of usable bandwidth on 802.11g. If you have 50 users, of course your bandwidth is going to be cut and users are going to be dropped off.

    If you can explain your wireless environment more, that will help give us more insight. I doubt it is a pfSense problem - other than pfSense isn't a very good platform for doing wireless. Much better to have a dedicated AP.

    Regards,
    Aaron



  • @SlickNetAaron:

    What kind of setup do you have for your WLAN?

    Is this a local hotspot or are you a wireless ISP or a business setting?

    50 users on 1 AP is way too many! Usually 30 is the max - and that is if you have all of your client devices set up correctly. 50 laptops on 1 AP probably won't work!

    At an absolute maximum, you have about 20mb of usable bandwidth on 802.11g. If you have 50 users, of course your bandwidth is going to be cut and users are going to be dropped off.

    If you can explain your wireless environment more, that will help give us more insight. I doubt it is a pfSense problem - other than pfSense isn't a very good platform for doing wireless. Much better to have a dedicated AP.

    Regards,
    Aaron

    Hello,

    Thanks for your interest.

    I have a WLAN interface (Intel Pro 1000 Gigabit Ethernet) connected to my Cisco switch, to a port mapped to a VLAN (number 101). Then, I have 9 Linksys Access Points connected to this VLAN, all around the building.

    I have the problem only when the Captive Portal is enabled. If not, the wireless network works perfectly. When I enable it, the connection gets slower, and after a while the captive portal doesn't work, and some connections (for example, SSH from WLAN to DMZ) don't work either (and the rules are OK).

    I've tried with Captive Portal auth over RADIUS on Windows Server, and with Local Auth, and the problem is the same.

    Thanks,

    Bye



  • Well, now I'm not sure. I'm just going to throw out some questions to see if it might ring some bells.

    What kind of Linksys APs are you running? Are they running 3rd party firmware? How are they configured? Pure AP?

    I'm pretty sure CP shouldn't affect any traffic between LAN & DMZ at all - Only between WAN and any non-wan interfaces.

    My network is fully routed (and no VLANs), except my AP is in bridged mode - directly attached to pfSense. I don't have the traffic you have either.

    My only thought is there may be a bug/conflict with CP and using VLANs? CP has not given me one bit of trouble. It performs as I expect it to.

    Aaron



  • CP works fine on VLANs. I have such a setup with a Netgear WAG102 that natively supports VLANs. Every VLAN is a separate virtual access point. I have 3 VLANs/wireless networks this way: one for company use with WPA and a hidden SSID, one visible with WPA-PSK that only grants access to our conference room subnet and the internet for presentations and tutorials, and one visible unencrypted hotspot VLAN/WLAN with captive portal. Works like a charm.



  • Hello,

    Thanks to everybody.

    I will do more tests. If I do not succeed, I will explain, with screenshots, all my topology, and report the problem exactly, in a few days.

    Bye,



  • Hello,

    It seems that the problem is solved. Before I configured the captive portal, I made some tests with schedules. Having schedules programmed (even though they are not in use in any rule) seems to have caused problems for Captive Portal (I have read something similar in the forum).

    Now, the CP has been working since last Friday.

    Thanks,

    Bye



  • Schedules and Captive Portal are not compatible when used together. This is a known limitation.



  • @hoba:

    Schedules and Captive Portal are not compatible when used together. This is a known limitation.

    Are there still the same problems with schedules and captive portal in 1.2 rls?
    I have a schedule running and I can't get captive portal running.

    Regards KuBuntU



  • Yes, this applies to any version of pfSense and I doubt that this will work in 1.3 either as nobody intends to make this work currently.

