@dmchavoc said in Multiple login limits for captive portal voucher system:

option to update the password within the captive portal..... hopefully it'll update the radius user password rather than "regular user"

Noop.
The pfSense System > User Manager > Users
and
Services > FreeRADIUS > Users
are different lists, and have to be maintained separately.

You can check the "flat file" that is used to indicate the allowed FreeRadius users :
See for yourself Services > FreeRADIUS > View Configuration and click on the Users button.

Or look here : /usr/local/etc/raddb/mods-config/files/ and check out the 4 files you find there.
Look in all the file you can find in /usr/local/etc/raddb/ and all sub folders.
( Now you start to understand what FreeRadius is ..... don't worry, I see you running 👍 I did the same thing )

@dmchavoc said in Multiple login limits for captive portal voucher system:

QuickQuestion - would I need to type in this configuration each time a add a user in the RAD? :/

Maybe not. Can't remember.
If you declare :

b2697b3f-a8c0-4c94-a306-3851824530a6-image.png

for the very first user in the file, and you omit the "Fall-Trough=Yes", and that "Simultaneous-Use" for the rest of the file, unless set to another value.
You test, and you tell me ^^, (and answer yourself while doing so)

@Neverstopdreaming too bad no one ever answered. I'm having the same problem, and it started after I configured carp HA. After entering CP settings and saving without doing any changes it starts working again, like your said. Logs after doing this show a check_reload_status activity followed by a minicron "(/etc/rc.prunecaptiveportal) terminated by signal 15 (Terminated)" message that is what actually gets it back to working.

@Gertjan

I read the thread from @DanieleIT . I saw a new Version at bottom.

Everything works properly now with voucher-template-printer-2.6.0.

Thank you for your help

@Swicago said in Different rate limits based on login ?:

I hope my voucher and radius mods will be able to help others as well.

I am sure the working application will help numerous developers as the concept alone is powerful for freeRadius users that wish to "manage" Captive Portal Attributes that aren't exposed by the standard installation.

iOS, i.e. Apple, created DHCP 114 and it is now mature enough that it is seeing wide spread use. See what you can do with the vendor URL in addition to just logging out.

@EDaleH said in FreeRadius: Something reduces the value in octet file (used):

@jarlel said in FreeRadius: Something reduces the value in octet file (used):

Once or twice every day/night something is randomly reducing the value

I thought I would clarify one point even though implementing the reply above should have corrected it. I realized the explanation as to why I believe you see "reduced values" in the used-octets file may not have been clarified.

Thank for the detailed explanation :-) We are and have been running "interim" for accounting updates. It seems that enabling "Idle timeout" solved it, then it will force an update that updates the octet-file and closes the session file.

Maybe we also should change it to "Stop/Start (FreeRADIUS)" as you suggest above?

@Gertjan said in How to use the pfsense name instead of the IP address in http?:

Well ok, not an issue for me, and it will their problem. Its fine that they block their device's incoming connections, I get that. But when they also start to limiting to port X and port Y, but not port Z, that has nothing to do with security, that's just an overdoses of Toctic.

I don't agree that this is their problem. CP is running on a different port that is not designated for http(s) traffic.

Port 8002/8003 are used for different purposes. eg. Port 8002 is used by Teradata ORDBMS and port 8003 by M'sft SCCM. Blocking these outgoing ports IS better for security. This way a user is not able to (accidentally) connect to a service on an unknown network Not blocking this traffic could potentially lead to an information leak (depending on the services). Especially services that can be configured through DHCP or other autoconfig services.

I do get your point that this is somewhat ridiculous, as a device always needs to allocate high dynamic ports to connect to other servers anyway. But security wise it is (a little) better to block these requests by default.

I have a brand new pc with a clean installation of Windows 11. It was not able to connect to port 8002/8003 as it was blocked by the WIndows Firewall by default! I think this block happened because i had chosen "untrusted network" when connected for the very first time (= do not share device on the network). In this instance I do have control over this local firewall.

@Gertjan said in How to use the pfsense name instead of the IP address in http?:

When visiting a site, any site, it will be a https site. As there are no more http sites left to visit. Browser will even warn if a site is http only.

The https certificate only works for my CP domain (of course). I have disabled the interception of https traffic.
Yes, you are correct that most browsers will not use http in favor of https. Especially on websites using HSTS, which enforces https for a certain period on that domain. This is not an issue. When a Windows, Android or iOS device connects to a network, the device will always start a normal http request in the background. A message or notification is shown to the user when it receives a redirect to a CP page. This is sufficient. There is no need to show invalid Https certificates when browsing other public domains.

The renewal of LE certificates works. However, the CP process does needs a restart after the renewal in order to pick up the new certificate by nginx. No big deal. This can be configured on cert renewal.

@Gertjan said in How to use the pfsense name instead of the IP address in http?:

Be ware that the pfSense GUI nginx listens to ALL interfaces, and that includes even WAN.
You've showed it yourself :

My PF GUI is not exposed to my WAN interfaces. However, nginx does listen on all interfaces. This traffic is blocked on my WAN interfaces (main and failover WAN).

@Gertjan said in How to use the pfsense name instead of the IP address in http?:

It's not defined what happens when multiple instances of the same process are listening to the same interface, port and protocol.

This is defined in the nginx doc. more specifically:

nginx first tests the IP address and port of the request against the listen directives of the server blocks. It then tests the “Host” header field of the request against the server_name entries of the server blocks that matched the IP address and port. If the server name is not found, the request will be processed by the default server.

The listen directive with an explicit IP will take precedence over the wildcard directive. So in this case the PF GUI will be shown when the CP process is stopped. However, The red PF page will be shown on the CP domain because the hostname is invalid. But you can access the PF gui when entering the right domain / hostname. As it will be listening on that interface.

example:
PF GUI domain: router.somedomain.com
CP GUI domain: guests.somedomain.com

When CP process active:

browsing to router.somedomain.com will redirect and serve the CP GUI browsing to guests.somedomain.com will serve the CP GUI

When CP process is inactive:

browsing to router.somedomain.com will serve the PF GUI (with login option) browsing to guests.somedomain.com will serve the PF error page (invalid hostname)

In other words: this setup could expose the PF GUI on the Guest interface when something bad happens with the CP process. This could result in a security issue. I just wanted to point this out that I'm aware of this.

@rt050 said in External Captive Portal. Is it actually possible?:

but I'm almost sure it's because the symlinks are wrong.

When you upload these files :

1912b189-e60d-4477-9fb6-8feccf8517aa-image.png

2style.css, custom.css mac-block.html etc
you can use them with the names captiveportal- 2style.css etc

67c4e090-d618-4249-9c4c-255861c32807-image.png

@rt050 said in External Captive Portal. Is it actually possible?:

nor can I get a database connection

what database ?
MySQL ?
in the good old days, the PHP MYSQL extension could be installed easily.*
These days, when you install the FreeRadius pfSense package, you'll get the PHP MYSQL extension also. No need to actually use FreeRadius.

@rt050 said in External Captive Portal. Is it actually possible?:

the page where the user then clicks connect and lives happily ever after.

Do they ?
Already years ago, its was nearly "impossible" to ask for people's mail address so they would gain access to my hotel portal. They wouldn't fall for it back then and now even less.
These days, here in Europe, collecting private info is 'not done' as you need to deal with all kind of administrative barriers to be able to store things like email addresses. It's just to much of a hassle.

@Gertjan said in Captive Portal not working on iOS devices only (DHCP 114):

Anyway, I've edited services.inc :

I assume you are now aware of the fact Kea's Affinity memfile does not survive a reboot and will loose expired leases that still have affinity "protection". Netgate has raised Redmine #15934 to attempt to address this and other lease expiry concerns but so has the Kea development team. See the link in the Redmine.

The Kea development team have scheduled this for possible correction in V 3.0 which is slated for an April 2025 release. There is no certainty that they will include it.

Until Kea supports Affinity surviving a reboot, using Kea with Captive Portal is very risky as a reboot will likely scramble the IP/MAC assignments unless the devices reconnect in the exact same order. We will have to use ISC until then, religiously have idle timeouts less than lease duration (and the frequent re-logins that implies), or incorporate a MAC Captive Portal authorization scheme like that proposed in Redmines 15854 or 15904

This suggests that we are unlikely to have a built in solution for Captive Portal ISC equivalent support under Kea at the next plus release (25.03?) or until Netgate incorporates Kea 3.0 into the pfSense plus and CE releases.

hello, sorry reply an old but interesting post. can i use this solution on premise inside my net without internet access , i meant in a local server with apache or nginx whatever.

@Jozy good luck with that mess.. I asked if you had messed with your outbound nat, I didn't say set it to manual..

Auto is the default - all of this would work with clicky, clicky with pfsense out of the box - the only reason it wouldn't is you messed with the defaults, etc..

Or you not even using pfsense as the gateway.. Which it seems your not.. ugggh..

@Gertjan said in Issues After Update from 24.03 to 24.11:

@Cornel

It took me a while, but the issue was hiding in plain sight.

Thx - glad we now fully understand what was happening.

@heper

yeah, that's probably the one.
It was solved. I was using 2.7.2 in the post for a while and had no issues what so ever.

@EDaleH said in Feature #15321 shows how to use Option 114 in Kea:

Hopefully the Jan release of Plus .... continue using 24.11 or have the #15321 patch updated.

The patch is an easy one. An extra entry box is added to the GUI, and the info entered is stored (and retried from) in the main pfSEnse config.
The second part is where this info (JSON structure) it is inserted on the right spot when the kea config file is created. Also pretty straight forward.
If 25.0x is any different, then it will be easy to modified it somewhat.

@EDaleH said in Feature #15321 shows how to use Option 114 in Kea:

I would also like to point out .... you want to add any suggestions.

I didn't even considered this as an issue, as I had just a couple of users connected when I was switching.
Switching from ISC to KEA is something that, in theory, only should happen ones . A small reminder 'somewhere' that portal users should be disconnected will do just fine.
Maybe converting the existing leases from from ISC leases file to Kea leases file when switching ? ( Yep, I'm joking ).

Btw : I always thought that an authenticated portal users were 'recognized' by a matching IP + MAC pair. If one of these two changes changes, the device (user) is considered being another device (user) and login has to reoccur.
But nope. The rfc8910 file just checks the IP if it is listed as a authenticated user, and doesn't check the MAC.

I will dig it.

Many thanks!

@carlosi7

Hover the mouse over the Stop button :

1fc11747-ea64-46c2-b13d-3b8481586f5b-image.png

The "Services Status" status dash board widget is a file you can find here : /usr/local/www/widgets/widgets/smart_status.widget.php
This file will bring you straight to /etc/inc/services-utils.inc, where services like the captive portal can be stopped and started.

As cron task can be an executable (so you have to build your own^^) or, most often, look at all the pfSense cron tasks already present, a script file.
Now you know where to find the examples that shows you how to do that.

@chinraam said in Nginx "404 Not Found" Error after POST action to "$PORTAL_ACTION%2quot;:

Can you please guide or let me know how to overcome?

I'm not modifying or editing any of the pfSense PHP files. So I have no issues neither errors.

I can't do "self registration" as I'm not allowed (and not want to, neither maintain) ask for any private info like phone numbers or email addresses.