What a chase, and I'm sure you're all entertained. To get this working, I had to (instead of passthrough MACs) set an 'allow from' IP for each cluster member in the CP - this allows CARP to work and prevents a split brain. Then, I had to add an 'allow to' IP for the virtual so unauthenticated clients could at least get DNS resolution so they'd start to be redirected. Finally, my CP page had to be altered so that the submit button in the form's value had no spaces in it.
That last bit (text of the button) was my only catch - that sucks. I looked through the code and didn't really find anything, but didn't have time to look too hard. I suspect it has to do with line 171 of captiveportal/index.php and PHP's interpretation of truth; I would expect that the evaluation of $_POST['accept'] should probably be enclosed in quotes.

RB

On Dec 7, 2007 11:39 AM, RB <[EMAIL PROTECTED]> wrote:
> Clarification: I have to add both the peer MACs as well as the virtual
> MAC to prevent a split-brain situation. Unfortunately, adding the
> virtual seems to allow all clients to fully bypass the CP page and get
> straight outside.
>
> Just the peer MACs and an 'allow to IP' CP entry works for redirecting
> clients to the login page, but each node thinks it's the master of the
> cluster and logging in just redirects the user back to the CP page and
> no one gets out.
>
>
> On Dec 7, 2007 10:48 AM, RB <[EMAIL PROTECTED]> wrote:
> > I feel like I'm missing something, but here goes.
> >
> > As prior posted, I have an HA cluster routing for a client subnet.
> > When I enable the captive portal, I have to add each peer's MAC into
> > the pass-thru MAC table; that's fine, as it allows CARP to continue
> > working (otherwise we get a split-brain situation). The problem now
> > is that the clients can't access the virtual IP for DNS/routing, etc.
> > If I add the virtual MAC in to the CP-allow table, clients pass
> > through without ever seeing the CP, but if it's not there they can't
> > even reach DNS. Of course, they can always reach port 8000, but...
> >
> > Any hope? I know there's got to be something I'm not thinking of, but
> > have been poking at this for a day now and am coming up with nothing.
> >
> >
> > RB
