Captive Portal

• F

  Using captive portal with no internet access need DNS help
  • frankthedruid  

  2
  0
  Votes
  2
  Posts
  10
  Views

  F

  @frankthedruid said in Using captive portal with no internet access need DNS help: I can not get the captive portal to grab web traffic without a valid web address. ...which is perfectly normal as it would involve DNS poisoning. DNS poisoning is a superbad practice and should not be used. some protocols (DoH,DoT,HTTP2) have been specifically designed to fight this shady practice. these protocols are now in use in some browsers (Firefox...) if you are looking for displaying a default page when users are typing a non-existent website...then what you are looking for is probably a proxy server?
• C

  Logo and Background images missing
  • Cameroncitro  

  1
  0
  Votes
  1
  Posts
  9
  Views

  No one has replied

• I

  One Voucher Per Device
  • ishtiaqaj  

  76
  0
  Votes
  76
  Posts
  1078
  Views

  C

  @Gertjan said in One Voucher Per Device: @colleytech said in One Voucher Per Device: the second device comes wit the error "reuse of id not allowed' am i missing something?? Ah, so you're using my code that changes somewhat the way how vouchers login : many only last only first Right ? You can't change that behavior, except if you are will to "play"with the code (PHP script). If you are willing to drop voucher usage, and step over to the classic user/password, and you use FreeRadius then you could have something like " Simultaneous-Use := 3 " (maximum 2 user per login now ) @Gertjan your code works with freeRadius users, thats what i use it for.. i dont mind going without vouchers.. if you use the default pfsense php code, the simultaneous-use =3 will work, but it wil always disconnect the logged in user, to make way for the new login... just like what your code is doing, stopping reuse of id without disconnecting the current user,, is there a way to achieve that with freeRadius.. whereby, after two devices logs in, the third one will be dropped, instead of the already logged in devices.. Regards
• W

  Dell R430 bge (Built-in Port Hangs ) & Captive Portal Stop working
  • wazim4u  

  4
  0
  Votes
  4
  Posts
  44
  Views

  W

  @free4 said in Dell R430 bge (Built-in Port Hangs ) & Captive Portal Stop working: ipfw table all list Once again issue came after 2 days even loop was disabled. now again network port getting hanged and only way to make it work is disable and enable again from interface and it work. when network get down i keep getting error in. once interface down i get error from WAN interface connecting remotely to WEB GUI saying 502 BAD GATEWAY. I got output from command while it was down "ipfw table all list" ipfw table all list --- table(cp_ifaces), set(0) --- bge2 2100 6824547305 5704924933364 1563210003 --- table(campco_auth_up), set(0) --- 10.10.25.80/32 34:8b:75:d3:8a:5e 0 12580 3288176 1563210003 10.10.25.157/32 a0:cb:fd:0e:04:b8 0 22395 1907512 1563210003 --- table(campco_host_ips), set(0) --- --- table(campco_pipe_mac), set(0) --- --- table(campco_auth_down), set(0) --- 10.10.25.80/32 0 13409 3655823 1563210003 10.10.25.157/32 0 35937 45843082 1563210003 --- table(campco_allowed_up), set(0) --- --- table(campco_allowed_down), set(0) --- I have attached interface screenshot you can see error coming on Portal interface.
• R

  user based ACL
  pfsense captive portal squid • • remrem76  

  1
  0
  Votes
  1
  Posts
  20
  Views

  No one has replied

• 

  Captive Portal only shows authenticated users
  • tleadley  

  8
  0
  Votes
  8
  Posts
  73
  Views

  

  This post is pointless if this argument points to rebuilding my network, how else are you going to get 2000 plus users on the same meshed Wifi guest network. I am not sure where your advice is coming from. This is a guest network setup so no mystery here, so if I have a conference center with an event your advice would lead me to believing I would require an astonishing 10 seperate network interfaces and SSID's... Interesting I would use the UniFi controller for this however it will not work the way I need it to without the USG device in addition to the controller appliance. I would have one interface to control and manage everything. Unifi FW and switches are glitchy and the cpative portal doesn't work as expected which is why I switched. pfSense can handle the throughput better. The captive portal on pfSense is rock solid when used with ubiquity AP's! Except for one little asthetic that I could live without, it would be nice to see. That is the point
• J

  Captive Portal - Enable / Disable by Schedule or Cron
  • Joao Paulo  

  4
  0
  Votes
  4
  Posts
  47
  Views

  J

  Yess!!! It Works!! Here my scripts ; File: disable_captive.sh #!/bin/sh ipfw add 10 allow ip from any to any keep-state File: enable_captive.sh #!/bin/sh ipfw delete 10 Now at Cron ; 11:45 AM Captive Portal Ignored. All traffic passes through. 13:00 PM Captive Portal Enabled, rule 10 deleted. Tomorow I'll see if really works fine! Thanks @kiokoman and @Gertjan
• F

  Pfsense captive portal using zentyal server 6.0
  • fcortes  

  1
  0
  Votes
  1
  Posts
  279
  Views

  No one has replied

• J

  CP Quota limit with Freeradius/MySQL
  • jarlel  

  3
  0
  Votes
  3
  Posts
  61
  Views

  

  @jarlel said in CP Quota limit with Freeradius/MySQL: but when using MySQL it doesn't... FreeRadius needs a book-keeping system where it stores its working data. A file system based method exists. MySQL can also be used, as many other databases. Up to you to create a database with tables that contain the correct fields etc. When you setup a limited amount of up- and download traffic for a user like this : You'll be seeing lines in the log : When the quota (dialy in my case) is consumed, you see a line like this in the captive portal page :
• B

  Captive portal cant reach the radius authentication server(windows server 2012r2)
  • Bommus  

  2
  0
  Votes
  2
  Posts
  84
  Views

  

  Why would your VLAN 10 clients need to access the RADIUS server?
• T

  Pfsense lets some smart phones connect despite the captive portal setup with vouchers
  captive portal smart phone vouchers • • tarandalinux  

  19
  0
  Votes
  19
  Posts
  359
  Views

  

  This : Is the 'simple' setup. The ipfw firewall works best when it 'sees' the MAC addresses of the connected devices. If it doesn't, well ... check our AP again : make it work as an AP, not a router. Routers hide MAC addresses for upstream routers (= pfSense). That not good if you want the captive portal to work flawlessly.
• C

  Cannot figure out captive portal
  • Coolykoen  

  6
  0
  Votes
  6
  Posts
  136
  Views

  

  Hey Gertjan, Thank you for your suggestion on my topic. Sadly the only 3 videos i can find are each at least 45 minutes long. Can you please link me to the suggested "Basic" captive portal video? you mentioned it would be up and running in about a minute or so, which would be great. :) You want more videos ? Less ? Keep in mind : managing a captive portal is like driving a car. Takes you a faction of a second to take a seat, start and drive. Took you several months to learn how to do so. The videos : just take the most simple one. Do what Jimp (the author) does. Guaranteed it will work. A setup with FreeRadius ( ... RADIUS MSCHAPv2. AD Server .... ) that already a more advanced setup. See the other videos.
• H

  Captive portal ignoring MACs in latest version and allowing all machines access
  • h2professor  

  27
  0
  Votes
  27
  Posts
  230
  Views

  

  @h2professor said in Captive portal ignoring MACs in latest version and allowing all machines access: been using them for years with no problem. A recent update ? Packages are not static. For example, it happened that FreeRadius was upgraded and breaking my portal access because "there was a small glitch" in the newer version. I don't use darkstat or bandwidthd so I don't know if they were upgraded, which could be a potential reason. I'll install them anyway. Btw : if this setup isn't patched or changed manually, you could take a backup (config file) of the system, and remove these packages for testing purposes. re-installing them afterwards, importing the backup file and a reboot would take care of things. I'll report back Monday, have to leave now. Weekend ;)
• D

  User report
  • drauber  

  4
  0
  Votes
  4
  Posts
  67
  Views

  

  Radius is like adding a tool (package). FreeRadius will hailstorm the log if you set it up to use daily/weekly/monthly quotas. Something like : Jun 14 14:21:46 root FreeRADIUS: User 107 has used 323 MB of 2048 MB daily allotted traffic. The login request was accepted. Jun 14 14:21:46 root FreeRADIUS: User x has used 251 MB of 256 MB daily allotted traffic. The login request was accepted. Jun 14 14:20:45 root FreeRADIUS: User 107 has used 323 MB of 2048 MB daily allotted traffic. The login request was accepted. Jun 14 14:20:45 root FreeRADIUS: User x has used 251 MB of 256 MB daily allotted traffic. The login request was accepted. Jun 14 14:19:45 root FreeRADIUS: User 107 has used 323 MB of 2048 MB daily allotted traffic. The login request was accepted. Jun 14 14:19:45 root FreeRADIUS: User x has used 251 MB of 256 MB daily allotted traffic. The login request was accepted. Jun 14 14:18:44 root FreeRADIUS: User 107 has used 323 MB of 2048 MB daily allotted traffic. The login request was accepted. Jun 14 14:18:44 root FreeRADIUS: User x has used 251 MB of 256 MB daily allotted traffic. The login request was accepted. Jun 14 14:17:43 root FreeRADIUS: User 107 has used 323 MB of 2048 MB daily allotted traffic. The login request was accepted. Jun 14 14:17:43 root FreeRADIUS: User x has used 251 MB of 256 MB daily allotted traffic. The login request was accepted. Jun 14 14:16:42 root FreeRADIUS: User 107 has used 323 MB of 2048 MB daily allotted traffic. The login request was accepted. Jun 14 14:16:41 root FreeRADIUS: User x has used 251 MB of 256 MB daily allotted traffic. The login request was accepted. Jun 14 14:15:40 root FreeRADIUS: User 107 has used 323 MB of 2048 MB daily allotted traffic. The login request was accepted. Jun 14 14:15:40 root FreeRADIUS: User x has used 251 MB of 256 MB daily allotted traffic. The login request was accepted. Jun 14 14:14:40 root FreeRADIUS: User 107 has used 323 MB of 2048 MB daily allotted traffic. The login request was accepted. Not very informative ....
• T

  Captive Portal via Facebook Login, Voucher, and/or User login
  • TV  

  3
  0
  Votes
  3
  Posts
  150
  Views

  T

  @free4 I believe you can use LDAP with Google auth, but yes, Facebook is a gigantic pain. Not much I can do to fix them, this was just a requirement for us as an ISP to allow our customers to offer free WiFi. You might be able use pass-thru credits to reduce exposure, although I think that would be a whole other can of worms.
• S

  how connect freeradius to MS AD
  • soheil.amiri  

  17
  0
  Votes
  17
  Posts
  1143
  Views

  J

  EDIT: turns out i missed an important part of the logs - the is actually freeradius thinks my user's password is incorrect ("if (ok && User-Password) -> FALSE"), so the "Auth-Type := LDAP" is actually ignored correctly. but now the question is, what's different in the live setup via CISCO WLC 2504, in comparison to running radtest, which authenticates just fine :/ *has this been resolved? I put together bits and pieces from various forums, and kinda got this working, but, the only way to get an LDAP user authenticated, is to run "radtest <user> <pass> 127.0.0.1 1812 <secret>" which returns Access-Accept if I try to login to a real WLAN (cisco WLC 2504) hooked up to the same freeradius, the user gets Authenticated, but not Authorized - according to logs "ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (3) Failed to authenticate the user" a "Auth-Type := LDAP" is configured in case of successfull authentication, which is correctly respected when testing locally with radtest (see above), however, the live test receives "Access-Rejected" with the error message listed above.*
• M

  Pfsense Captive Portal and Google LDAP Sign In for single sign on with other gapps
  • micdeep  

  4
  0
  Votes
  4
  Posts
  94
  Views

  M

  @free4 said in Pfsense Captive Portal and Google LDAP Sign In for single sign on with other gapps: @micdeep i would choose solution B gsuite seems to supports LDAP authentication see https://support.google.com/a/answer/9048516?hl=en or maybe https://github.com/hlavki/g-suite-identity-sync ? (pfSense support LDAP logins for captive portal out of the box ) Any tips about captive portal engine modification? https://github.com/hlavki/g-suite-identity-sync seems to be a good suggestion, thanks @free4 said in Pfsense Captive Portal and Google LDAP Sign In for single sign on with other gapps: you can configure ldap authentication from the user manager (check the documentation for more info : https://docs.netgate.com/pfsense/en/latest/usermanager/user-authentication-servers.html ) once you added an ldap server, you will be able to use it in the captive portal, as authentication backend Maybe I didn't explained myself well (sorry, English is not my primary language), I already enabled LDAP on my pfsense, and it works quite well, but when a user do login, but this authentication doesn't enable him on Google Suite Apps, he needs to make another login directly on a google App. @micdeep said in Pfsense Captive Portal and Google LDAP Sign In for single sign on with other gapps: Actually, my PFSense Captive Portal works fine with the new Google LDAP implementation, my "Google Suite User" login correctly with his account email and password. Then pfsense enable my user to go online, but my user needs to reauthenticate in all Google Suite apps (gmail / gdrive etc and our custom web app). Thank you for your help
• L

  Apply Captive Portal only on 1 internet
  • lukas333  

  4
  0
  Votes
  4
  Posts
  51
  Views

  

  Hi, Captive portal on a WAN interface ? Never saw that before. It should be on a LAN type interface. @lukas333 said in Apply Captive Portal only on 1 internet: and need MAC restriction only on the WAN Same thing. MAC restriction can be enforced by the captive portal MAC tab, or if you use FreeRadius. You can also enforce MAC access by setting up static leases for DHCP server - and refuse unknown MAC's. A DHCP server runs of course on a LAN type interface. edit : I don't have multiple WANs so I don't use and don't have expedience with load balancing.
• A

  CAPTIVE PORTAL VS FREERADIUS: AUTHENTIFCATION WITH PHONE NUMBER XXXXXXXX
  • aliadam  

  4
  0
  Votes
  4
  Posts
  102
  Views

  F

  well first of all HLR don't exist in phone networks anymore. we are now in the age of 3g and 4g, HLR have been replaced by HSS. second of all, unless you are a government agency, you can't have access to such data, for obvious safety reasons. you are not allowed to track the location of any user you want third, the recommanded way to check that a phone number really belong to someone, is to send a confirmation code to the phone. this is what banks do for verifying an user's phone, so you should be safe with it in order to do this, you could either code your own system using a sim card reader, or use an external services for this. multiple companies are offering this services. you can type "confirmation SMS API" or "F2A API" on google to find one
• D

  Up limiter in captive protal cannot be deleted
  • D3messiah  

  3
  0
  Votes
  3
  Posts
  31
  Views

  

  @D3messiah said in Up limiter in captive protal cannot be deleted: When trying to delete or disable the Per-user bandwidth restriction it has no effect. .... I did not use traffic shaping When you use the "Per-user bandwidth restriction", you actually instructed to 'ipfw' to build pipes for the connections, these pipes produces the band with restriction. I guess this is pretty close to traffic shaping ^^ When you de-activate the captive portal on an Interface, ipfw won't run any more. That ends any "bandwidth restriction" related to the captive portal. As @free4 said : show us the ipfw pipe show command when the portal is down. If you don't use any traffic shaping else where, then something bad's going on. Don't use less then 2.4.4-p3. You'll get bitten by other bugs.
• S

  Captive portal always bypasing
  • schabi  

  10
  0
  Votes
  10
  Posts
  165
  Views

  

  @schabi said in Captive portal always bypasing: Ah wtf, I din't see that. How did this setting even get there? Config changes are logged - so bring along the baseball bat, and consult the log ;)
• K

  Freeradius stop working
  • kramtw  

  2
  0
  Votes
  2
  Posts
  38
  Views

  

  @kramtw said in Freeradius stop working: Parse error Hi, As stated : needed files are missing or plain wrong. Beforere you re install FreeRadius, do a file system check (fck).
• X

  Allowed web server IP address through captive portal is very slow
  • xsmael  

  10
  0
  Votes
  10
  Posts
  261
  Views

  X

  In deed the problem was the application is also using external ressources but i didnt notice the change as soon, now I downloaded whatever resources was needed and I load it locally. That solved my problem. Thanks!
• I

  Removing Pass-Through MACs
  • ishtiaqaj  

  7
  0
  Votes
  7
  Posts
  40
  Views

  F

  @ishtiaqaj as everyone said, 2.2.X is end of life, no support will be provided anymore for this version. That includes forum support.
• B

  This MAC address has been blocked
  • bryanfoo79  

  2
  0
  Votes
  2
  Posts
  70
  Views

  

  @bryanfoo79 said in This MAC address has been blocked: My question is how can I modify this page to something else Somehow you totally missed what the captive portal of pfSense can do for you. Check this : View the 3 Captive portal pfSense (Netgate) videos. Apply this simple rule : RTFM. It's all there. Bassically, you should write your own html (with some PHP) file that contains some mandatory info, and other text/images/whatever you like. You'll be needing the error page aoso. This is the same page as the main index file, added to it the red line that shows a message (the error as you saw yourself).
• 

  Config Restore resets used/expired Vouchers
  • Rico  

  3
  0
  Votes
  3
  Posts
  49
  Views

  F

  (Sorry for my previous post, it was a mistake) The information about vouchers that are in expired is stored in /var/db/voucher_{$cpzone}_used_{$roll}.db. This file is a binary file, and it is not exported when performing a backup. Is it expected? Well, i'm not netgate....but in my opinion, yes. Connected users, and inuse/expired vouchers are not configuration elements and should not be saved when performing a backup. Active DHCP leases (for instance) are also not saved when performing a backup. Because they are not configuration elements.
• T

  Device to main network
  • tecnica  

  11
  0
  Votes
  11
  Posts
  46
  Views

  

  Yeah that is just FAIL!! 2.2 has not been supported for years.. Update to current!! 2.4.4p2, the whole 2.3.x line is not even supported any more.
• X

  traffic bandwith spikes even though captive portal is enabled and no one logged in.
  • xsmael  

  3
  0
  Votes
  3
  Posts
  42
  Views

  

  ... and what about looking at the graph of the interface that the portal is using ?
• R

  Captive login not proceeding (MacOS)
  • riessal  

  10
  0
  Votes
  10
  Posts
  105
  Views

  F

  @riessal i have a question : is it the first Time ever that you are using a voucher on your macbook? I mean, did you successfully connected/authencated to the wifi using your macbook (possiblly long time ago)?
• U

  Captive Portal Doesnt Work for 1 interface
  • usaiat  

  8
  0
  Votes
  8
  Posts
  101
  Views

  U

  @Gertjan Yes, Im aware of that.
• S

  Setting up Internet Data Quota
  • SLDude  

  9
  0
  Votes
  9
  Posts
  3668
  Views

  W

  @mtu111 can you please share the steps with me if possible for you.
• O

  Can a captive portal voucher be fixed on only a specific Device
  • OpenWifi  

  4
  0
  Votes
  4
  Posts
  58
  Views

  

  @OpenWifi said in Can a captive portal voucher be fixed on only a specific Device: Hello guys,can i set vouchers to be only used with a specific device(MAC address) and cannot be shared by another person or device.So the voucher when activated on my iphone,then i would not be able to share it with another device maybe my laptop Try what has been said here : One Voucher Per Device I proposed a modification that changes the behaviour of the Concurrent user logins setting. An option for "only the first login" is present. @free4 said in Can a captive portal voucher be fixed on only a specific Device: Pfsense support this feature. Selecting "Disable concurrent logins" will cause tout iphone to get disconnected when your laptop will connect I maintained that possibility which has good reasons to exists. New : the other way around : a reuse use of a voucher or login is prohibited while an active connection using that voucher or login exists. This minimizes the risk of passing along the voucher, voluntary, or not. One could loose his voucher, another person couldn't use it (again).
• P

  Clients can't reconnect after pfsense reboot
  • prophet  

  39
  0
  Votes
  39
  Posts
  1871
  Views

  G

  @prophet said in Clients can't reconnect after pfsense reboot: Configured everything (I'll use pfsense as captive portal) and everything worked perfectly as captive portal without user authentication (a simple splash screen with login button and no auth is enough for me). I had PFBox 2.3 and clean installed 2.4.4 and have the same problem i resolved it somehow by setting Idle timeout to 3 to 4 hours and it work like charm. @Gertjan said in Clients can't reconnect after pfsense reboot: Instead of deleting files - and editing pfSense core fils, I prefer to use the API. Consider this : Install the Shellcmd package which permit us to execute 'commands' at startup. Place a file called "captiveportal_disconnect_all.php" in the directory /root #!/usr/local/bin/php -q <?php /* Disconnect all clients on all captive portal instances */ require_once("/etc/inc/util.inc"); require_once("/etc/inc/functions.inc"); require_once("/etc/inc/captiveportal.inc"); global $g, $config, $cpzone, $cpzoneid; /* Are there any portals ? */ if (is_array($config['captiveportal'])) { /* For every portal (cpzone), do */ foreach ($config['captiveportal'] as $cpkey => $cp) /* Sanity check */ if (is_array($config['captiveportal'][$cpkey])) /* Is zone enabled ? */ if (array_key_exists('enable', $config['captiveportal'][$cpkey])) { $cpzone = $cpkey; $cpzoneid = $cp['zoneid']; captiveportal_disconnect_all(); } log_error("All users disconnected after system start-up"); } ?> Add a command in the Shellcmd package : Done. I wanna try @Gertjan API :)
• C

  pfsense captive portal HTTPS
  • curioushuman  

  2
  0
  Votes
  2
  Posts
  109
  Views

  

  @curioushuman said in pfsense captive portal HTTPS: enabling HTTPS on my captive portal http captive portal login, or https captive portal login is identical. The login page doesn't show up ? Check https://docs.netgate.com/pfsense/en/latest/captiveportal/captive-portal-troubleshooting.html But you do not want to propose home-made certificates on a captive portal. Your "pfsense1.localdomain" will not be trusted by any browser - the usual error messages will show up. Most eople will (and should) bail out when they see these messages. You need a "real" certificate, one that is recognized by every browser. Go buy one, or use the acme package. You need to have an existing domain name !
• X

  Portal "You are connected" but no internet
  • xhivo97  

  5
  0
  Votes
  5
  Posts
  372
  Views

  T

  Hi xhivo97 same problem here!
• L

  Captive Portal disconnects LAN network
  • leonardoba780  

  5
  0
  Votes
  5
  Posts
  94
  Views

  

  Look also at the video https://www.youtube.com/watch?v=qb5TDpihnq4&t=1043s
• 

  A user portal for clients
  • safarad  

  5
  0
  Votes
  5
  Posts
  82
  Views

  

  @safarad said in A user portal for clients: solution Well, you need a proxy, and probabaly more. Read about all the Squid's and so in teh Cache/proxy forum and Traffic monitoring forum. This will not be a click and done solution. (be wise, do not go into this path .... many admins are declared missing since they went on the "let's analyse what users are doing" tour. In Europe, they are probably in prison. Elsewhere : ..... probably worse)
• X

  Captive portal pop up not showing on older Android devices and Windows 7 devices
  • xhivo97  

  6
  0
  Votes
  6
  Posts
  109
  Views

  

  EDIT : I tested the Captive portal on LAN, using a Windows 7 PC, and discovered that things have changed. When I activated the portal on LAN, after setting it up, I disconnected my LAN RJ45 cable (actually, I'm lazy, so I deactivated the network card for several seconds). When I re activated the card, nothing happened .... that's new. I opened my default browser, Firefox, and this is what happened : Firefox informs me that I needed some sort of account to connect !!! Which is 100 % correct. ... so I hit the button as advised. This showed up : So, I maintain : Windows 7 works well.
• T

  [help me]pfsense not redirect to Captive portal when user type HTTPS website url?
  pfsense captive portal https not redirect • • TuanNghia103  

  8
  0
  Votes
  8
  Posts
  259
  Views

  F

  @Gertjan Other one are missing, because of google being blocked in china, cellphones and multiple chinese garbage browsers (360browser, etc...) are usually using one of these URL: https://connect.rom.miui.com/generate_204 (Xiaomi) http://www.qualcomm.cn/generate_204 (Huawei) http://www.265.com/generate_204 (Google Chrome, Asus cellphones. This website is owned by google) I also heard that nintendo devices are using http://conntest.nintendowifi.net for captive portal detection but anyway, i don't think that's very important..
• C

  Captive Portal User Usage Track
  • ccmks  

  3
  0
  Votes
  3
  Posts
  80
  Views

  C

  @free4 said in Captive Portal User Usage Track: @ccmks said in Captive Portal User Usage Track: what website where they visit ...at this point, you are not looking for a captive portal, but a proxy server. You should really have a look to Squid3 package on pfSense and to SARG ? I need a captive portal, due to in the past, the teacher just deliberately gave out the pre-shared wifi password to other people and they were all abusing our network. The school management decide to go with captive portal solution where each teacher will login with their own unique username and password and will be solely liable for their account. With captive portal solution, it will mitigate the outsider access. Please be also aware that you would have to deal with privacy concern. You should really have agreement of parents before setting up a proxy server (if you ever heard about GDPR or Data Privacy Act, you should understand why) The location where I am working on is in Indonesia so those Act won't be applicable. Also, the internet access is meant to be for teacher, not for student (as for now yet). I had all teachers signed our internet usage policy prior giving the credential to login that they are obligated to follow our network policy and we reserve right to retrieve log in event of abuse and take disciplinary action against the offender. If You don't specially want to link visited websites to users, a captive portal on pfSense + an internal DNS server could be enough. DNS logs would tell you the website visited in your school, captive portal status would tell you the bandwith. Of course, you won't be able to tell which user visited which website...Which is (in my opinion) a good thing. Watching visited websites would still make you able to block undesirable websites if necessary. I won't be monitoring the usage all the time. It just need the log to be stored on firewall and retrievable in the event of abuse. In that case, I need to know when the user login and what website did they visit during the session. This will be very helpful especially when we are dealing with legal. A third possiblity would be to setup a SIEM (eg, splunk) that would receive logs from captive portal and from DNS, and would correlate which user visited which website. Any idea on how to accomplish this? Thank you