Problems after upgrade to 2.2 in captive portal



  • Hi.
    First of all, thank you to the pfSense team for the fabulous work.

    My problem is this: after upgrading from 2.1.5 to version 2.2,
    access to the captive portal does not work.

    My configuration is as follows.

    The captive portal runs on a dedicated interface with a CARP virtual IP,
    which the users use as their gateway.

    I have seen that the CARP virtual IP is not added to the ipfw rules that
    facilitate access to the login page.

    These are the ipfw rules that I can actually see:

    65310 allow ip from any to { 255.255.255.255 or 10.128.0.7 or 10.128.0.7 } in
    65311 allow ip from { 255.255.255.255 or 10.128.0.7 or 10.128.0.7 } to any out
    65312 allow icmp from { 255.255.255.255 or 10.128.0.7 or 10.128.0.7 } to any out icmptypes 0
    65313 allow icmp from any to { 255.255.255.255 or 10.128.0.7 or 10.128.0.7 } in icmptypes 8

    The first IP 10.128.0.7 should be 10.128.0.2, which is the CARP virtual IP.

    10.128.0.2 ---> CARP virtual IP

    10.128.0.7 ---> physical interface IP

    I tried adding the rules manually and it works perfectly, but of course
    this process should be automatic.

    I have also seen the following.

    Before, in version 2.1.5:

    em3: flags=8943<up,broadcast,running,promisc,simplex,multicast> metric 0 mtu 1500
            options=9b<rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum>
            ether xx:xx:xx:xx:xx:xx
            inet 10.128.0.7 netmask 0xffff0000 broadcast 10.128.0.255
            media: Ethernet autoselect (1000baseT <full-duplex>)
            status: active

    lan_vip15: flags=49<up,loopback,running> metric 0 mtu 1500
            inet 10.128.0.2 netmask 0xffff0000
            carp: MASTER vhid 15 advbase 1 advskew 200

    now in version 2.2

    em3: flags=8943<up,broadcast,running,promisc,simplex,multicast> metric 0 mtu 1500
            options=9b<rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum>
            ether xx:xx:xx:xx:xx:xx
            inet 10.128.0.7 netmask 0xffffff00 broadcast 10.128.0.255
            inet 10.128.0.2 netmask 0xffffff00 broadcast 10.128.0.255 vhid 15
            nd6 options=21<performnud,auto_linklocal>
            media: Ethernet autoselect (1000baseT <full-duplex>)
            status: active
            carp: BACKUP vhid 15 advbase 1 advskew 0

    This is a possible cause of the issue.

    Before, in ipfw_context:

    captive: em3,lan_vip15,

    Now, in ipfw zone list:

    captive: em3,

    Any comment would be fantastic.



  • Sorry, 2.23 was ditched for …. let's say: bugs  ;)
    Try 2.2.2.



  • There are no CARP virtual interfaces in 2.2.x versions as that's a deprecated concept in FreeBSD 10.x. CP never redirected to CARP IPs as far as I can recall. The gateway IP being CARP doesn't affect the redirect, which is to the interface IP.

    @Gertjan:

    Sorry, 2.23 was ditched for …. let's say: bugs  ;)
    Try 2.2.2.

    huh? No, 2.2.3 is coming out today and is better than 2.2.2 in many ways and worse in none.



  • @cmb:

    huh? No, 2.2.3 is coming out today and is better than 2.2.2 in many ways and worse in none.

    That goes without saying: 2.2.3 will be better than 2.2.2 ;)

    edit: aha, it's out:

    2.2.2-RELEASE (amd64)
    built on Mon Apr 13 20:10:22 CDT 2015
    FreeBSD 10.1-RELEASE-p9
    Update available. Click Here to view update.

    :)



  • Then you mean that functionality will no longer be present from the 2.2 release?

    thanks



  • Then how can I make high availability of captive portal if the gateway IP of clients is not already virtual?

    thanks



  • @uaxero:

    Then you mean that functionality will no longer be present from the 2.2 release?

    No, just saying in that context, lan_vip15 is no longer listed because it no longer exists.

    You get redirected to 127.0.0.1, not the CARP IP, which is always how things worked. There is no need to do anything with the CARP IP there.
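
The comparison made by hand in the first post (addresses on the captive portal interface versus addresses in the ipfw allow sets) can be scripted. This is an added example, not code from the thread or from pfSense; the function names are hypothetical, the sample text is constructed from the 2.2 output quoted above, and it only understands the FreeBSD 10 layout where the CARP address is an inet line carrying a vhid.

```python
import re

# Constructed sample input, modelled on the 2.2 output quoted in the first post.
IFCONFIG_EM3 = """\
em3: flags=8943<up,broadcast,running,promisc,simplex,multicast> metric 0 mtu 1500
        inet 10.128.0.7 netmask 0xffffff00 broadcast 10.128.0.255
        inet 10.128.0.2 netmask 0xffffff00 broadcast 10.128.0.255 vhid 15
        status: active
        carp: BACKUP vhid 15 advbase 1 advskew 0
"""
IPFW_RULES = """\
65310 allow ip from any to { 255.255.255.255 or 10.128.0.7 or 10.128.0.7 } in
65311 allow ip from { 255.255.255.255 or 10.128.0.7 or 10.128.0.7 } to any out
"""


def interface_addresses(ifconfig_text):
    """Return {ip: vhid or None} for every IPv4 address in ifconfig output."""
    addrs = {}
    for line in ifconfig_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "inet":
            # On FreeBSD 10 a CARP address is an alias tagged "vhid N".
            vhid = int(fields[fields.index("vhid") + 1]) if "vhid" in fields else None
            addrs[fields[1]] = vhid
    return addrs


def ipfw_allowed_addresses(rules_text):
    """Collect the addresses listed inside the { a or b } sets of the rules."""
    allowed = set()
    for body in re.findall(r"\{([^}]*)\}", rules_text):
        allowed.update(tok for tok in body.split() if tok != "or")
    return allowed


def compare(ifconfig_text, rules_text):
    """List (ip, kind, present_in_rules) for each address on the interface."""
    allowed = ipfw_allowed_addresses(rules_text)
    report = []
    for ip, vhid in interface_addresses(ifconfig_text).items():
        kind = "interface" if vhid is None else "carp vhid %d" % vhid
        report.append((ip, kind, ip in allowed))
    return report


if __name__ == "__main__":
    for ip, kind, present in compare(IFCONFIG_EM3, IPFW_RULES):
        print("%-15s %-14s %s" % (ip, kind, "in rules" if present else "not in rules"))
```

The script only reports which addresses appear in the rule sets; whether the CARP address needs to be there is the question the replies above address.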