No redirection to captiveportal login page with CARP

  • Today I updated from 2.1.5 to 2.2.1

    In my environement I use CARP with virtual addresses in case of failure. On one interface CP is active. I configured it on the master system only because on same hardware I have the radius server. Therefore the slave opens internet access for all users without authentification. This is only an emergency status.

    Till 2.1.5 captiveportal worked fine. After update to 2.2.1 there was almost no user on our internet access and I got calls that internet isn't working. I tried it also. My client's browser said always "Site can not be shown". If I connected my client's gateway and DNS directly to interface address instead of virtual CARP address it works. I removed all cp settings and I deleted all temporary files (like rules, lighty-zone.conf, captiveportal.html).

    After reconfig captiveportal  with radius and standard login page same issue. I saw 3 users were able to login not more. Further I set in client ip settings: Gateway -> CARP virtual address, DNS -> interface address. And see it works!!

    There must be an issue that CP doesn't pass DNS request to CARP virtual address.

    Does anyone have the same problem? Is there a patch or a bugfix?

    Regards Enrica

  • Hello,

    I've just seen a problem while doing the same migration maybe it's the same.

    Our CP was showing login page in https mode with the url of our WIFI interface VIP but since 2.2.1 it does not work.
    When setting the login page in http mode the page is shown with the master server WIFI interface address.
    If I change the DNS entry of the pfSense so it won't resolve the address to the VIP but to the master address the https login page shows to the clients.

    So it looks like CP doesn't bind anymore on the VIPs and knowing that we can see that when we select the interface to run CP on we can't select any VIP.

    The problem is that when master server is down we need to change a DNS entry to keep the service up.

    Is that a bug?

    PS: sorry for my english

  • Hello,

    like the other posts: CP doesn't bind on the VIPs.

    Is there a workaround to bind CP-service with Carp/VIPs for failover ? Guess this was working before the version 2.2.x




  • Hello,

    below a workaround to CP with Carp-Members (tested on Pfsense Version 2.2.2).
    The solution is based on NAT-Port-Forward on each Carp-Member (Forward VIP to memberinterface where CP is running).

    Create new Nat-PF on each Carp-Member

    -> Firewall: NAT: Port Forward:

    –> Interface:  "Lan-Nic for CP-Service"

    --> Source - Type: "Lan-net for for CP-Service"

    --> Destination - Type "VIP for CP-Service"

    --> Destination port range  "Port for CP-Service"

    --> Redirect target IP "Member-IP-Address from Lan"

    --> Redirect target port "Port for CP-Service"

    --> No XMLRPC Sync  "select Checkbox"

    Works fine.



  • Ok nice it should do the work!

    Thanks for sharing

  • I don't know why but this doesn't seems to work for me.

    I don't see any answer from the CP (tcpdump on the network interface with port 8003 only shows clients requesting the vip).

Log in to reply