• /var/db/captiveportaldn.rules more than 64500?

    GertjanG

    Hi,

    Check out this page : https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting
    Execute the commands listed - and see the firewall rules numbers that ipfw is using.
    The "64500" is a limit, you can't go (much) above.

    Also note that "/var/db/captiveportaldn.rule" can not grow indefinitely. I guess it is about 700 K when it starts, and depending on the length of the name(s) of your captive portal zone(s) it might double, maybe triple.

    You can 'read' this file to understand its structure. It's a serialized PHP array.

    The nasty thing:
    Every time a user connects and passes through (== authorized), "pass" rules are injected in the firewall ipfw AND the rule set (two: "the numbers" and the "portal zone name") is injected into this array (which becomes a file called /var/db/captiveportaldn.rule on disk).
    When the connection times out, the firewall rule is removed, and the corresponding entry in the array is set to false (something like "").

    All this reading and writing (updating) of this 1 (2 , 3 ?) MB file happens when users login AND are being thrown off the portal.

    function captiveportal_free_dnrules($rulenos_start = 2000, $rulenos_range_max = 64500) {

    Just one question: can your system keep up with it?

  • Captive Portal On Wireless Router

    K

    OK. I've done the existing router setup before, so that's not difficult. I am going to do some reading up on the VLAN setup and test it out. Never done that before.

  • Time-out on https (how to redirect https to http)?

    GertjanG

    @johnpoz:

    iOS still fails with badly configured wifi all the time.. Just ran into this.. Yes it tries to get you to the login page once you connect.. But gets sent to 1.1.1.1 from default cisco configuration and invalid cert which iOS fails at and no way to just accept the bad cert so you can get logged in..

    Hummm.
    That might be my saver over here: no Cisco devices or whatsoever.
    Just tried it again (I could post a video!):
    I connected to one of my 4 portal Wifi radio networks.
    I accept on my device (iPhone).
    A couple of seconds, the (my) pfsense portal page pops up and I can login.

    @johnpoz:

    You would hope anyone that has ever used wifi would have the brains to figure out to go to http for portal auth, and or accept any cert errors when they are trying to auth, etc. You're always going to run into those typical users that don't get it, never been to a hotel and used their wifi, etc. So you can make it at least less likely to cause problems.

    True.
    Except for the bad cert - I'm not using self-signed ones, but (free) certs from startssl, recognized by all browsers as "ok".

    People/clients do login by themselves https://www.test-domaine.fr/munin/brit-hotel-fumel.net/pfsense.brit-hotel-fumel.net/portalusers.html (nope, no doc in the building on how to do so) and I'm not explaining to them how to do so. It just works.

  • Multiple users for one voucher

    H

    Ok, so it is not an option in the default setup. :-\ My hope was that I could achieve this with freeradius or so.

    Thanks for the reply!

  • Timer in Captive Portal

    M

    I think you've had your answer already. Either post a bounty and wait for someone to pick it up, or just create a welcome page with the overall time available to your users posted there at the outset.

  • Restrict Some Captive portal users to just one or two specific sites

    M

    You could limit access to just a handful of sites by setting their client machines to a static address (or setting their DHCP server to assign a pre-assigned address) and setting an internal firewall rule. The more elegant solution would be to use a proxy server.

  •
    C

    No. Not it. Because I have 4 boxes and they all experienced the same thing when I turned it on. The 4 boxes are in different vlans.

    Irritating!

  • HTTPS Forwards doesn't work

    GertjanG

    @deltix:

    Basically still doesn't work as intended. Correct? I can just forget I guess.

    Define your 'intended'.
    According to RFC and family, all is ok.
    But, breaking https (SSL) connections isn't easy - but it can be done.
    Like: a visitor is hitting the (your) portal with https://www.google.com - You generate a certificate (on the fly) that says your portal IS "google.com", and you better assure that a major certificate broker says that google.com is YOU (your portal). Then, the visitor's browser will be happy, and your visitor can log in (would he really think he IS visiting google.com at that moment? ;)). When done, your portal will redirect the visitor to the other, real google.com https site.
    Can you pull this one off?

  • "add mac to CP whitelist" button in dhcp leases page

    jimpJ

    Personally I think there's already enough + buttons on there and the added complexity of having to pick which portal it gets added to makes it even less desirable.

  • Remove user from Captive portal

    GertjanG

    Hi,

    That's what the hard and soft timeout is all about :)

  • Captive portal on GRE interface

    No one has replied
  • Manually add Radius User (not use webGUI)

    L

    You can manually query the users in MySQL. Refer to this link: http://www.serveradminblog.com/2011/12/freeradius-install-howto-4-populating-tables/

    Hope this makes sense. :)

  • Display username and remaining time of the user in the success login page

    No one has replied
  • Payment plans

    GertjanG

    @RadoXX:

    Hello! Can I build a similar system to FOn using pfsense?

    The common answer is: yes, of course.
    Because YOU are asking the question, I tend to say that YOU won't pull it off.

    Isn't it far easier, if you want something similar to X, to just use X?

  • My modern Captive Portal/Login template

    M

    @iNCONIX:

    mrbrax

    Please post .ZIP file again

    action.js is 0k

    Do not login

    tks

    How am I supposed to post it if I'm not allowed to log in? ;)

    It is supposed to be empty, yes. Not sure why I provided it at all.

  • Multiple Zone on Pfsense 2.2.6

    GertjanG

    Sorry, can't make anything from what you say.

  • Captive Portal authentication times outs

    L

    Thanks for the reply and advice.

    Will check on the assigned IP addresses as suggested.

  • Captive portal is running slow… :(

    S

    Thanks a lot.

  • Captive portal 'spinning' on initial connect if redirect URL used

    GertjanG

    Reconsider your solution.
    As you already said:
    @carzin:

    If they go to google or any other http site, it works just fine. The redirect happens immediately.

    So why add google.com to the 'allowed site' list?

    Check this https://forum.pfsense.org/index.php?topic=115338.msg644308#msg644308
    Most OSes will open a browser by default "automatically" when a Wifi connection comes UP (obtained an IP, gateway, DNS, etc) and test the direct Internet connection (with a test http call). No end user interaction needed.

    Check this:
    @carzin:

    For whatever reason, if they type wifi.sitex.edu, the browser will spin and spin and will not connect them to the authentication portal.

    Where is "wifi.sitex.edu"? Is it the URL being served by pfSense or elsewhere? If it's the latter, it should be added to the 'allowed site' list.
    Check also if "wifi.sitex.edu" includes pages from other locations (Google analytics, etc) because this will block the loading of the page (your "spinning around").

  • User Authentication with MAC (mac binding with user)

    E

    Yes, sometimes I have the same thoughts, I should just quit replying, but I am kind of addicted ;D

    I understand your problem, that's why my previous reply to you mentioned to "remove any previously granted authorization". The person who can get access with all their machines can do that because you gave them that privilege before; so, to fix that, you now have to remove those rights from their account(s), blocking them again, and only insert the MAC address you would like to allow on that list.
    If you can't find them, I would suggest starting by blocking everything again, then only making changes to the MAC address list.
    I hope that's clear enough.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.