Auto-add MAC address - large installation

  • We've been using pfSense for years for our Captive Portal page.  During a typical day, we get around 700 devices on the captive portal, most of them employees' phones, etc.  We just use a click-through TOS page, and we had a 6-hour idle time.  We are in a large office building with probably over 1000 employees here on a given day.  We have lots of people coming in for meetings as well, and they typically need Wi-Fi access while they are here.

    Our management wanted to only need to accept the TOS on an individual device once, so we enabled the feature which automatically adds their MAC address to the captive portal.  A few days went by and things seemed pretty good.  A few more days went by and we were up to over 1300 MACs.  Today, we have over 1400.  It now takes about 8 seconds from the time you accept the TOS before it's done, and during that time the CPU on the pfSense box (1.6 GHz Atom) seems to be running at or near 100%.  This box has a 30 GB SSD.

    We've also noticed that we are seeing the same MAC in the table a couple of times.  We think this happens when someone is impatient at the TOS screen and presses the Accept button more than once, causing pfSense to add another entry, probably as soon as it finishes writing the first one out.  We suspect that if someone attempts to log in while the CPU is at 100%, they may be delayed in getting the TOS page, but we aren't sure that this is happening.

    Has anyone else run into this sort of situation, and what is the best way to resolve this issue…

    We have thought of disabling the Auto-Add feature and setting the idle time to something much higher (like 10+ days), but we have previously had issues with DHCP if the lease time is lower than the captive portal idle time.  If we have to increase the lease time, we'll need to double the DHCP pool from the current 2000+ addresses, I'd expect.

    Any other feasible suggestions would be appreciated.


