Captive Portal

• E

  Captive portal for visually impaired and blind people
  • ebeunder

  2
  0
  Votes
  2
  Posts
  89
  Views

  C

  You need to upload your own version of the captive portal page and add in the needed attributes and make it screen reader compatible. You can create vouchers, please download and install on a virtual machine with a single interface to look at how it works, or set up a VM with multiple interfaces and test using a visually impaired screen reader on any number of linux dumb terminals.
• K

  With CP enable the following stop working
  • kramtw

  14
  0
  Votes
  14
  Posts
  185
  Views

  

  Well the WAN and the LAN just need to be in different subnets. Doesn't really matter which. e.g. keep the LAN on 172.16/16 and move the WAN and Modem to 172.17/16.
• N

  Suggestions for a changing landscape.
  • nrasmus

  4
  0
  Votes
  4
  Posts
  69
  Views

  N

  Thank you! I will check out the hangouts--been meaning to enable https on the portal now that we are rolling w/ ACME, but I didn't realize it would help the situation. It's possible the trouble we've been having with Avast (and I assumed firefox soon) is related to a firewall rule we've used to limit DNS to pfsense. Will dig deeper. Appreciate all you have done and continue to do @jimp
• Q

  CP not allowing "allowed hosts" consistantly
  • qctech

  2
  0
  Votes
  2
  Posts
  33
  Views

  Q

  Might be solved. I had 20 or so hosts listed but have removed all but 2 of them and turned off DNS resolver. This seems to have resolved the situation.
• B

  Captive portal Using VLAN
  • bodat

  2
  0
  Votes
  2
  Posts
  55
  Views

  

  There is nothing special about Captive Portal on VLANs. It works the same as any other interface type.
• T

  Captive Portal shows "auth success" page instead of "login" page
  • thico10

  7
  0
  Votes
  7
  Posts
  99
  Views

  T

  Ok, so I found out that it does not redirect the user to "auth success" when there is no "logout page" configured in the Captive Portal. As you said, I thought that might be a problem with my "logout page", which I use as a "auth success" page. I've uploaded the current "logout page" below: 0_1533819162596_logout.html.zip
• C

  Client who disconnected with a logout button regains Internet access when the voucher (or FreeRadius account) he used is entered in another device
  • conanhughes

  3
  0
  Votes
  3
  Posts
  94
  Views

  

  @conanhughes said in Client who disconnected with a logout button regains Internet access when the voucher (or FreeRadius account) he used is entered in another device: EDIT: I don't know if it matters, but I also already enabled Disable Concurrent user logins. Be careful with this one. Read https://www.netgate.com/docs/pfsense/captiveportal/using-captive-portal-with-freeradius.html The most recent update actually restored somewhat the "expected behavior". When you use the Captive portal and really want to understand what happens, there is something is more then the GUI to look at : https://www.netgate.com/docs/pfsense/captiveportal/captive-portal-troubleshooting.html You'll be seeing the "ipfw" firewall rules that make the portal actaully working. Probably impressive the first time you see them, but, hey, what the heck, you're running a firewall, these rules are what makes it work. (and you would have detected that the GUI said that there is no user connected anymore - but the rules said otherwise, permitting you to find a "problem" in a split second) It's not your question, but still missing today is the "Use the first login, and do not accept any others logins, when using vouchers - thus enforcing the rule : "one voucher - one user - one device, the first device he'll be using - and not share the voucher,, even with himself (the user)".
• J

  Captive portal problem
  • Jfdz

  2
  0
  Votes
  2
  Posts
  67
  Views

  

  Hi, The WAN IP changes for millions of us every day or every week. That didn't "break" the portal. But : changing the LAN could imply far more then "change some data on the Interface page and done". You didn't say what you did - neither if this implies settings on packages like "squid, squidward, clamav, cicap, snort" (I'm using none of these) so ... can't tell from here what you forget to change. Btw ; but you did find one more reason non to run the captive portal on LAN - thanks for that.
• F

  http://connectivitycheck.gstatic.com/generate_204 error with https login
  • FromRome

  8
  0
  Votes
  8
  Posts
  202
  Views

  

  Adding "connectivitycheck.android.com" to the allowed host list doesn't seem a good idea to me. This URL is probably member of the http challenge page that the OS is using to check if a portal is present. When white listing this URL (an IP) the OS will conclude no portal is present, and a direct connection to the net is available. The user will get directed the the captive portal login page when another http request to somewhere else passes by. See also https://android.stackexchange.com/questions/123129/how-does-wifi-in-android-detect-if-the-device-has-to-sign-in-or-not
• M

  Voucher card for one device
  • mustafa 0

  3
  0
  Votes
  3
  Posts
  112
  Views

  

  If you enable the Enable Pass-through MAC automatic addition with username the MAC entry will be expired/pruned along with the voucher when the voucher expires. I am not sure what happens if you disable the voucher as username. I would guess the MAC address entry stays until manually cleared.
• K

  Running v2.4.3 captive Portal
  • kramtw

  3
  0
  Votes
  3
  Posts
  176
  Views

  K

  @gertjan hi thanks for you help got it working. now with the cp working i am not able to get qbittorrent or any torrent client to work nor whatsapp voice to work, ive got the nat and firewall disable and when i disable the cp all the above work fine and this is true for both the cp by it self or with freeradius enable. winamp and yes i am still using winamp wen nat is enable that will stop streaming. can you help thanks
• F

  FreeRadius GUI for windows
  • fr0t

  1
  0
  Votes
  1
  Posts
  58
  Views

  No one has replied

• B

  PHP Fatal error: Maximum execution time of 900 seconds exceeded (xmlparse.inc)
  • brixxster

  3
  0
  Votes
  3
  Posts
  115
  Views

  

  It's a known issue but not one with a good solution at the moment. https://redmine.pfsense.org/issues/3932
• H

  Config Captive Portal to work with OpenVPN?
  • hoangphuong191058

  4
  0
  Votes
  4
  Posts
  93
  Views

  

  Ok, I'll rephase. I don't understand what you are trying to do. I'm using the Captive Portal, and also pfSense as a VPN server, to access my LAN from outside. I'm pretty sure visitors that use my Captive Portal and after being authenticated, they can connect to any VPN service they have access to (but not my pfSense VPN server, of course). You want to tunnel all authenticated trafic from the Captive Portal users through a VPN ?
• R

  Captive Portal Slowing Traffic Between VLANS
  • robertolw

  2
  0
  Votes
  2
  Posts
  66
  Views

  

  Hi, When you use the "Per-user bandwidth restriction" on the Captive portal Config page, then yes, every IP/MAC will be throttled to what you set in Default download (Kbit/s) and Default upload (Kbit/s). On the other hand, when you did not check "Per-user bandwidth restriction" on the Captive portal Config page, you could instruct FreeRadius to handle every IP/MAC differently (this is actually one of the reasons why pfSense proposes FreeRadius).
• B

  Wildcard in "Hostname"
  • bbarzideh

  2
  0
  Votes
  2
  Posts
  71
  Views

  

  That is impossible to accommodate. The rules must work with IP addresses. The hostnames are translated to IP addresses by resolving the hostnames, and you can't resolve *.<domain> via DNS. If there was an option to enter that before, it was broken and never worked. It had only ever worked with complete fully qualified domain names on pfSense.
• B

  Captive Portal - Allowed IP Addresses = Bypass Bandwidth Restrictions?
  • bebop_man

  2
  0
  Votes
  2
  Posts
  102
  Views

  

  @bebop_man said in Captive Portal - Allowed IP Addresses = Bypass Bandwidth Restrictions?: Was I incorrect in thinking that 'Allowed IP Addresses' removed all restrictions on the IP address in question? Yes. Bandwidth Restrictions on the captive portal settings page are valid for all devices on the captive portal interface. @bebop_man said in Captive Portal - Allowed IP Addresses = Bypass Bandwidth Restrictions?: How can I tag IP addresses in a specific range to bypass CP limits ? I tend to say : put them on another interface (other LAN, VLAN) The golden rule is : only "clients with BJOD" == non trusted devices on a captive portal. Btw : a captive portal solution using FreeRadius can give you a bandwidth control per device.
• A

  If a client login in a wifi (in captive portal) all other client access internet.
  • alexcheddar

  5
  0
  Votes
  5
  Posts
  184
  Views

  A

  @gertjan Thank you so much for the information. it gives me insight of the problem.
• Q

  walkthrough / howto / 101 guide for captive portal + payment gateway
  • qctech

  3
  0
  Votes
  3
  Posts
  210
  Views

  Q

  Thanks Andy, Testing with a wired connection currently but yes, it’s for a WiFi rollout. Given the choose (and budget) I would be using Unify but I have inherited a mix of ZyXEL and Ruckus kit so looking for a vendor agnostic option.
• B

  Game Consnoles Only
  • BDMcGrew

  2
  0
  Votes
  2
  Posts
  104
  Views

  

  For that, the closest you will get is whitelisting the MAC addresses of the specific game consoles you have/know of. That would be handled in your AP before the traffic ever reaches pfSense (layer 2).
• M

  Everytime that I connect to the network I get Landing Page
  • Mertygc

  2
  0
  Votes
  2
  Posts
  122
  Views

  

  Look at the Pass-through MAC Auto Entry options in Captive Portal.
• W

  captive portal on lan interface
  • warfreak

  2
  0
  Votes
  2
  Posts
  126
  Views

  

  Captive Portal works fine on a LAN in that situation. Can you elaborate on your setup some more, including what you set in Captive Portal and also what you send the clients for DNS (e.g. the firewall or some external DNS server) and also what the exact client behavior was when Captive Portal was enabled.
• B

  Timed Transparent Portal
  • BDMcGrew

  6
  0
  Votes
  6
  Posts
  154
  Views

  

  ... and if they can't, up to you to add their MAC on the trusted list.
• L

  I cannot used google analytics for captive portal
  • longits

  6
  0
  Votes
  6
  Posts
  281
  Views

  

  That sounds like it is post-auth so there is no need to pass the traffic to google analytics. The portal is already bypassed in that case.
• F

  Delete all pass-through mac address
  • FromRome

  4
  0
  Votes
  4
  Posts
  118
  Views

  

  Check with ipfw table all list if they are gone. The table is called ZONE_pipe_mac After modifying you should re save the settings on the captive portal related zone page (and / or the MACs page)
• A

  Exclude some clients in LAN captive portal
  • alexcheddar

  11
  0
  Votes
  11
  Posts
  221
  Views

  

  @alexcheddar said in Exclude some clients in LAN captive portal: But is there any link or url that i can type to logout manually in CP? As you can see on the settings page, there is a logout page. Also mentioned is the that this page is a popup : The link to this page, as shown in the navigator bar, is the logout URL. Now the fun part. You will probably find out that you didn't saw any popup when logging in. You'd say : it doesn't work. Now it 's time that that you recall that you, and everybody else on the planet have blocked popups in your navigator. You could enable your popups again, but your portal visitor won't. You could show the link on the portal login page, and mention on that page that people should copy it on a safe place (making a favorite link of it ?) but most visitors probably won't. Next best solution : make the Idle time out (and hard time out) counter as low as possible (although when visitors think that they de-connected because they closed all navigators windows, all other processes, like fat mail clients, OS updates, all kind of device drivers GUI update programs, scanners en trojans etc will still use the connection, so it will never Idle out. A Wifi connection could be closed "by hand" (the button, or by GUI), but again, most just visitors don't that ... There is a huge thread in this forum that treats the subject rather well, and explains why a real "logout button" is very hard to "close to impossible" to implement.
• G

  Captive Portal + freeRadius 3 + MySQL (PFSense 2.4.3)
  • giovannio

  6
  0
  Votes
  6
  Posts
  363
  Views

  G

  Thank you my friend, In my case the accounts are stored in the MySQL database and for each group there is a different bandwidth. I'm really in need of the attributes that will tell PFSense to slow down the accounts for same groups.
• M

  Captive Portal - Used Voucher could be reused
  • M4tzen

  6
  0
  Votes
  6
  Posts
  130
  Views

  

  @m4tzen said in Captive Portal - Used Voucher could be reused: -> Does this mean ... after the "reboot" of the Router/Device, the enduser need to login again equal if the enduser device have an applied and enabled voucher code? Yes. After the reboot of pfSense there are no logged in users - the ipfw firewall (rule) states are nor saved, users have to re login. I advice you to try it out - see for yourself. @m4tzen said in Captive Portal - Used Voucher could be reused: -> we are new on this Software ... s we dont have any experience about how much update's are deployed in a year. BUT we will upgrade/update all the time to the latest version ... A couple of times a year. @m4tzen said in Captive Portal - Used Voucher could be reused: Some more question to the IDLE TimeOut ... The captive portal was been designed to give temporary "non trusted clients" Internet access. Your typical railway station, hotel, camping, restaurant, ** or to some extend even your own house that you rent to strangers. The clients just come by, stay some time, do their thing (typically : updating their FB page) and then leave the premises for good. A idle timeout, and hard time out, is needed so the ipfw tables don't get cluttered up. Idle time out happens if the device left for the day (or was shut down for the day) : his owner should re login - and this is possible as long as the voucher remains valid. ** I forget : some are running pfSense Captive portal on aero-ports. Tens of thousands of captive portal connections all the time. These huge system will die in minutes if an idle time out isn't set.
• J

  Captive Portal doesnt resolve DNS
  • Jfdz

  5
  0
  Votes
  5
  Posts
  180
  Views

  

  If, for example, 8.8.8.8 is the DNS server used by the clients, and 8.8.8.8 is added to the "Allowed IP addresses" tab, then you can resolve DNS requests from your client PC's (test that using nslookup for example). You can also 'see' that the IP's are pass-through : go to console or SSL access, enter option 8 - and enter : ipfw table all list You will see the IP's white listed in a table. But, normally, you shouldn't alter any DNS settings, and keep the DNS Resolver running on pfSense. This way the captive portal will work "within 3 clicks" (test this ! and only then move from this position by understanding each step before taking it )
• I

  Template Roll Printer
  • infosoporte

  1
  0
  Votes
  1
  Posts
  84
  Views

  No one has replied

• R

  [Solved] Multiple CP Not Working
  • robertolw

  12
  0
  Votes
  12
  Posts
  224
  Views

  R

  @magokbas Thanks, it worked!
• M

  Unable to login : loop
  • mike315

  7
  0
  Votes
  7
  Posts
  342
  Views

  

  Yep. At this moment, using the current version, you should stop editing the portals settings when you have put it online. This shouldn't be a big deal I guess, ones the settings are fine you're done with it anyway. https://github.com/pfsense/pfsense/pull/3640#discussion_r199824018 Augustin-FL 8 hours ago • For the main CP zone : Because currently when settings are saved, captiveportal rules are re-appplied unconditionally to the network interface, meaning all ipfw rules are unconditionally flushed. **This is a big problem when editing captive portal settings while some users are connected : When saving the settings, users go technically disconnected and are redirected to the login page (because ipfw rules are flushed), but they are still considered as connected and are unable to log-in again(because they are still present in the sqlite database).** I solved this issue by flushing SQLite DB when rules are re-generated, and i also added a warning "Some users are connected, they will get disconnected. Do you want to continue ?" on the GUI. For the RADIUS database : because this database is now obsolete, captiveportal don't use it anymore.)
• T

  Captive portal : cookie et Logout en 2.4.3.1
  • tom072

  2
  0
  Votes
  2
  Posts
  137
  Views

  

  Hi, The cookie solution isn't a perfect solution at all. Did you thread the entire https://forum.netgate.com/topic/69307/captive-portal-manual-logout-page-address ? Do so and you find out why.
• K

  captiveportal_disconnect_client() function
  • kairimishima

  2
  0
  Votes
  2
  Posts
  117
  Views

  

  Don't worry, that error was repaired. That's why new versions come / came out. So, you have a choice : upgrade if you don't want to repair the captive portal_disconnect_client () function yourself ^^ (btw : easy PHP code - you could even look into github to see what was edited when and why so the error was cleared).
• A

  Import Multiple Users Accounts CP + FreeRADIUS
  • asbonet

  5
  0
  Votes
  5
  Posts
  1120
  Views

  M

  @asbonet said in Import Multiple Users Accounts CP + FreeRADIUS: I have been able to add users now and authenticate them though mysql using the radcheck table but i can not figure out how to get the attributes such as Max-Daily-Session := 3600 to be linked with the Accounts that i add any help on where i need to be adding this attribute and how to link it with the user. Thanks   :) :) How did you import multiple users into pfSense? is there anyway to do that without sql?
• D

  [HOWTO] Captive portal + FreeRADIUS + local MySQL user friendly single step
  • deajan

  148
  0
  Votes
  148
  Posts
  56642
  Views

  C

  @srvrgt said in [HOWTO] Captive portal + FreeRADIUS + local MySQL user friendly single step: FOLLOWUP, in case anyone is hitting the same problem as me, the problem is with freeradius3, so first of all you need to change the attribute type on the file ozy-captive : From :    “INTO radcheck (username, attribute, value) VALUES (?, ‘Password’, ?)”)) " TO:  INTO radcheck (username, attribute, value) VALUES (?, ‘Cleartext-Password’, ?)")) And then you need to change the file    Schema.sql  BEFORE you add it to the radius database FROM: CREATE TABLE radcheck (   id int(11) unsigned NOT NULL auto_increment,   username varchar(64) NOT NULL default ‘’,   attribute varchar(64)  NOT NULL default ‘’,   op char(2) NOT NULL DEFAULT ‘==’,   value varchar(253) NOT NULL default ‘’,   PRIMARY KEY  (id),   KEY username (username(32)) ) ; TO: CREATE TABLE radcheck (   id int(11) unsigned NOT NULL auto_increment,   username varchar(64) NOT NULL default ‘’,   attribute varchar(64)  NOT NULL default ‘’,   op char(2) NOT NULL DEFAULT ‘:=’,   value varchar(253) NOT NULL default ‘’,   PRIMARY KEY  (id),   KEY username (username(32)) ) ; I hope this helps anyone  My problem was with pfsense 2.3.4  FRERADIUS 3 Hi, @deajan, hi @rudat . I can confirm @srvrgt post. I've used the base work to setup a small captive portal in a hotel. Everything used to worked great until I upgraded to the latest version of pfSense/OzyCaptive-single-step. It stopped working. After modifying the table structure as per srvrgt advice, everything works flawlessly again. I think you should update your code in the project repo, specifying that your latest version requires pfSense 2.4.3/freeradius3. Thanks everybody for the outstanding work! P.S.: Does anyone know a simple way to limit bandwidth on per-user basis? (something like this -obviously fictional - INSERT INTO radcheck (id, username, attribute, op, value) VALUES (NULL, ‘Eleonor’, ‘Max-Input-Bandwidth’, ‘<=’, ‘5242880’);
• S

  Windows 10 Voucher authentication page reappears after entering correct and valid voucher
  • Snailkhan

  7
  0
  Votes
  7
  Posts
  296
  Views

  S

  @gertjan Thanks sir, I have only on box running latest pfsense. Dhcp server is on this box. Android, ios, Windows 7/8/8.1. All get up from it and they get an ip, can access the cp authentication page and after entering a valid voucher connect to the internet. However in windows 10 machines they also get ip and upon on launching browser and accessing any non https site they are redirected to the cp authentication page so far so good. But the problem is that when they enter valid voucher and click submit same page cp page reappears. It's happening in Chrome, IE, edge, That is exact problem statement. I need general answer : is the cp of pfsense compatible with win 10? The field for redirect to specific page after authentication is blank in my configurations. And I windows 7/8/8.1/android/ios clients if they visit suppose Bing.com after authentication are automatically redirected back to Bing.com which is what we want and is normal behavior. Is this not compatible with windows 10 and as such we cannot leave that field blank and hence must redirect a user to any other site?
• Y

  how to lightsquid log captive portal radius username
  • yunusemreantalya

  1
  0
  Votes
  1
  Posts
  82
  Views

  No one has replied

• T

  Any issue with my setup of pfSense+FreeRadius+Captive Portal?
  • tjthomas101

  2
  0
  Votes
  2
  Posts
  125
  Views

  

  Why would you think that your wireless routers should send traffic to pfsense in the cloud? WTF is your IPs suppose to show us? 1 is for sure rfc1918 the 10.x and the other might be 172.x other is public I take it with 146.x It is much easier if you just attach your drawings to your post vs links to other sites - that may or may not be blocked dependng on the viewers connection.
• S

  This topic is deleted!
  • Snailkhan

  1
  0
  Votes
  1
  Posts
  1
  Views

  No one has replied