How to protect Captive Portal from been flooded?
Few devices on our LAN generate a lots of requests to the Captive Portal. It uses a lots of CPU. Adjust the “Maximum concurrent connections” in Services->Captive portal does not seems lower the CPU usage. A single device can still put several Mbits of load on the pfSense CP.
How to do limit the connection rate per IP to the CP?
There is something unclear to me so far. :-[
My understanding of CP is that it provides web page (application) prompting for authentication which, in case of success, generates FW rules in order to allow access through FW.
With such behaviour in mind, unless page displayed by CP is quite heavy, I don't understand how this could generates Mbits of load.
Thus I suspect there is something else to be investigated.
My CP login page is quite simple and small. From state table, that device has over 9000 tcp entries, among them only two are established connections. And those state entries can regenerate very fast after state table is cleared. I think that device only make very few connection at a time, less than the CP' Maximum concurrent connections setting, but it makes new connections at high rate, that might be the reason for a single device put a lot of traffic and CPU load on pfSense.
May I assume in pfSense, ipfw rules has higher precedence than pf rules, therefor can not limit CP connection rate by change firewall rules in web GUI? I tested use a dummynet pipe to limit the bandwidth used by that device, it works, but only by use command line in the console. An even better solution might be attach a queue to that pipe so the pipe bandwidth can be shared equally among users access CP login page.
People have devices that constantly request web pages and they just sit there and run and run and run before the user navigates the portal. It could be hours or days.