First all thank you for your answer,

To start it's good to know its a normal behaviour of pfsense that you need to use http, just what can i do that when some login to the network they get the inlog page first before typing a http page?
use http connection with a certificate?
Just need to find a way so when opening a page it gets redirected to login page, any idea's?

To give some more info on everything. i tested mostly on a wired connection to see if CP would work.
while this would not be my setup later and guest can ONLY connect through WIFI i am using my mobile and laptop to test the rest.

1: my mobile, when wifi is off and I enable it I will be redirected to the CP inlog page, this works
even when there is a timeout in the connection a refesh page or new page will redirect to login page.
just my own phone it stopped working while my tablet doesn't

2: on my laptop when i connect it gives me a dns that i dont have listed in pfsense anywhere. when i manually enter the correct DNS and then use a http site i get the inlog page as well. only this is not the way i need it.
for some reason i do not get it configured that when i enable wifi on the laptop it gets the rigth DNS.
enabled DNS forwarder and enterd the DNS that shows on the first page of pfsense in CP and in DCHP but no luck on that yet, it still gives the same DNS 192.168.3.100 while it should be 192.168.3.254 to get the internet working.
I did a complete reinstall for some reasons because i had also some packages installed like squid proxy and other stuff, after the reinstall wireless gets a proper DNS without having DNS forwarder enabled

for the 404 page, when you enter the user and pass you get a redirect page only it does not redirect, after login i get IP:8002/www.domainname.com and i use the original login page from pfsense.
normally it should redirect to the domain but it isnt.
found the solution that it redirects to the proper page, i had www.domainname.com but it has to be http://www.domainname.com so it will be redirected

Hi !

First things first.
What pfSense version ?

To install pfSense - and activate the CP, a max of 10 settings are needed. After that, it works as advertised.
What did you do to make it work ?

Check all, say : latest 10 threads in this part of the forum. All kind of "special case" DNS issues might arrive - the most strange "never seen before network setups" are being constructed. So, understand that I want to know what's so special about yours.
The I tell you what up ;)

Some advise :
@gmendoza:

That was my code:

This

is better.

Condition : Your DNS should work. Your should set  as instructed when installing, a domaine like "mylocalpfsense.tld" and a host name like "pfsense".
Also - if your portal is running on a separate interface (it real should) - a host name for your portal's gateway should be set

Do NOT hard code something like "zone=cpzone".

Include the new :

do not hard code like

New stuff might appear when upgrading - even if your settings are maintained, sometime you will have to 'retouch' something.
This is why the CP didn't seem to work when you upgraded from ancient pfSense versions.

( => never keep old software except when you are an expert. - Note : experts never keep old versions around, the do not have time for that  ;))

@jetberrocal:

@trainey927:

Ok, I've started from scratch and gotten the CP to work on macs and windows without squidguard.

So it seems squidguard was causing the trouble on OSx.  sounds like I'll need to do more research on squidguard.  I'll try playing with the configuration of squidguard to get the captive portal and blacklist filter to work at the same time with OSx.  It should be possible

Thanks for the reply :)

I know this thread is a bit old, and you were asking for help. But I will like to know if your Windows Computers are Domain Attached or Stand alone?

If they are Domain Attached I will like your help with your configuration.

I solved my problem with CP.  It was failing because the DNS server was blocked by the CP.  Only one glitch remains but that is another thread.  Clients work but not on the Server.

OK.

I think what must be happening is the user is not selecting the WiFi network on their iphone.  It is automatically connecting to the WiFi itself, as it remembers it, but doesn't pop the automatic captive portal browser using the http://captiveportal.apple.com, as the user isn't actively using their phone.  The user then opens a browser to do something, visiting a https page, causing the error?

If the user connected to a http page, the portal would work correctly.

I need to have a play to try to replicate the error, just seems odd that every user to report the problem has been using an iphone 6.

IMG_0652.PNG
IMG_0652.PNG_thumb

Try to make a new user with full access to this page like SuperUser grant all access to this user.
then enable your captive portal.
open web browser and go to address bar and type the pfsense ip with 8000 port. e.g. http://192.168.1.1:8000
login page will popup then use the new username & password that you created lately like the superuser.
then done.
Internet can pass tru your PC now.

@shaheed:

….
1. the ip is 192.168.0.1 as listening port for clients it is also the ip of pfsense lan interface.
2.  in Nas/client ip field i have entered the same 192,168,0,1 ip ??
3.  Radius authentication is allowed in captive portal settings

"192.168.0.1" is the pfSEnse LAN IP and the FreeRadius2 IP ?
This means your FreeRadius2 is running on the same system as pfSense ?

On the login page, where the visitor-with-a-voucher enters the voucher code, add button that states :

"I agree that my time is limited (see voucher), and I declare that I activated a count-down timer in my SmartPhone - or the device I use to connect to the portal".

Done.

You have a maintenance free and easy to understand 'count down timer'.
Zero hassle guaranteed.
If the visitor doesn't want the count down timer, well, in that case, maybe because he doesn't need one ;)

A real win-win situation.

@bmginn and  @th112211 compare your pfSense version with the one mentioned in subject of this thread.

I advise you to open a new thread and detail what you found out.

Btw : I'm not using vouchers.

@Derelict:

They display in Services > Captive Portal, Edit, MACs

That's where I was looking. I cleared out most of my config and it started working properly. Specifically there was a problem with my freeradius config that I had changed manually. Even though I wasn't actively using freeradius at the time, that seems to be what caused the problem.

As you said :
You should "code" this yourself.

IF
you know how PfSense 'works"
AND
you can fnd /etc/inc/captiveportal.inc
AND
you can read/write PHP
THEN
you are close to a solution ;)
ELSE
No.

Hi,

That question is already being asked. About ones a week, in fact.

The short answer is : No.
A next best answer will be, knowing we all have a smartphone these days : On the login form, say to your clienst that they program a xx minuts timer.

you have to login on your captive portal that you made to gain access.

Hi,

I advise you to read  https://doc.pfsense.org/index.php/Category:FAQ : check out Captive Portal Pre-authentication Redirect.

Well, you can use two separate, synced authentication systems, though it's a bit redundant. How many users are you going to have on each network?

I dont think it can be done easily.

The SquidGuard Package allows you to:

Limit the web access for some users to a list of accepted/well known web servers and/or URLs only.
Block access to some listed or blacklisted web servers and/or URLs for some users.
Block access to URLs matching a list of regular expressions or words for some users.
Enforce the use of domain names/prohibit the use of IP addresses in URLs.
Redirect blocked URLs to an info page.
Redirect banners to an empty GIF.
Have different access rules based on time of day, day of the week, date etc.

Or just make two access codes. One that allows so little bandwidth 1-2 Mbps would pretty much allow just web browsing and email. Another access code with no bandwidth restrictions.

@Gertjan:

@PeterITG:

…..
With Pfsense the user has to connect then browse to a Http:// Site to get redirected.

When launching a https://…. you will NOT get redirected.
That's what https is all about.

Modern OS's (Windows, iOS, MacOS, etc) launch a hidden http://portal.microsoft.com or http://portal.apple.com or ...) when a Wifi connection is established. When the reply is redirected, a browser will open that shows you the "reply" : the portal login page.

I'm using pfSense in a hotel (read : NON-initiad clients end users). No one come down to the reception asking me why they can't acces sthe Internet. They will see the pfSense login page, they will hunt down the access password in mentioned on the papers present in their room, and they connect.

I never used "Antlabs Inngate, Nomadix, ValuePoint, and Unifi Ubiquiti". These are also "free-ware" solution ?

Yes I had allowed my DNS servers through the captive portal. So it was resolving the hidden OS checks so the captive portals weren't starting. So they weren't really being redirected till they tried a http site and most sites are https now. Our support know to have them try a http site but i knew something was wrong when it wasn't opening automatically.

Also those other devices are hospitality gateways that have the splash page, Integrate with a PMS system. Charged Tiered Bandwidth.

Why not set the hard-timeout in your captive portal settings directly? It's under Services/Captive Portal, then choose the CP instance and set the Hard Timeout setting to whatever you like.

The default form of Captive Portal already input the username, so you only create $username=$_POST['auth_user'] then echo $username;  :)