Looking at theese two log entries…. "attached below"

one of them says the voucher is alredy used and expired... and the other only says... invalid!!!, that followed by a session termination..

that made me think about the public and private keys...
I went there on the gui...

"-----BEGIN RSA PRIVATE KEY-----
MDECAQACBgDG9Vr4pQIDAQABAgYArr0AE+ECAw8vLQIDDRpZAgMJXYkCAwo8SQIDBnzA
-----END RSA PRIVATE KEY-----"

"-----BEGIN PUBLIC KEY-----
MCEwDQYJKoZIhvcNAQEBBQADEAAwDQIGAMb1WvilAgMBAAE=
-----END PUBLIC KEY-----"

"as you can see...  I have a shorter key.... that was no problem before"...

I found that there were spaces at the end of each key... I deleted them (spaces)
I also found that on the private key it was like this :

"-----BEGIN RSA PRIVATE KEY-----
MDECAQACBgDG9Vr4pQIDAQABAgYArr0AE+ECAw8vLQIDDRpZAgMJXYkCAwo8SQI
DBnzA
-----END RSA PRIVATE KEY-----"

there is a  "RETURN" difference with this private key... and the one above.... It was like this... and I deleted the "return" and saved voucher settings... vouchers are still working after the changes, I rebooted the firewall... it seems no session was expired other that the ones that were supposed to...

I have a good feeling about this being the problem.... what do you think?

I also want to mention Issue number two.... which I'll have to wait for another hard reboot to see if it's still happening (I don't want to cause a hard reboot manually) Id rather wait...
thanks again


Never heard that solution.
As far as I know (which ain't that much) : the captive portal part isn't written so it permit you to put in a 'load balancer' option.
Faster, easier scalable is : more pfSEnse boxes and thus more separated "hotspot" zones.

With some 'correct' hardware pfSense can handle several thousand of logged in users - that has been seen before. Ones logged in, the load is close to nothing, the only issue will be 'how big is your WAN'.
Keep your login html simple.

Another issue : very recently (a couple of weeks ago), pfSense started to use a new web server : nginx. Captive portal settings for this server are pretty basic, and not much is know (yet) about optimizing etc.

Tomhas - your original post also reveals the quality of the questions on this forum - namely that they're being posted by some people who haven't wit enough to provide even the most elementary information for anyone to help them. Saying "my firewall is broke" is going to get you nowhere in a hurry, nor will insulting anyone who even responds to ridiculous posts like these. My point was to highlight the fact that you have to provide at least a tiny amount of information if you want help. You now can count on at least one less person who might be able to offer you any assistance. Well done.

Hi!!!
What is your Captive portal set up___???

if you want all users to be disconnected after 120 minutes… I think you should go like this...

reauthenticate users every minute should be disabled (that's below radius options), and set the hard time out to 120 minutes...

120.JPG
120.JPG_thumb

No. The vouchers are generated mathematically based on a cryptographic algorithm.

You might be able to do what you want by rigging up something with RADIUS authentication pulled from a database like you want, but that's outside the scope of pfSense.

You can select 'Host name' from the drop-down list marked 'Display' in the traffic graph. User names, no.

Or 8.8.8.8 not being passed by the captive portal config.

Hi Dereclict

Thank you very much for your answer :-)

I'll disable Captive Portal on the Passive node.

Have a nice day :-)

It will be keepalive_timeout 0 in 2.3.1_2.

https://redmine.pfsense.org/issues/6421

I have this implemented in my network.
You will have WAN connected in your internal network and will have the same settings as any other pc in your network (DHCP or static).
Assign Wireless card to WLAN Interface (name it WLAN) & Configure WLAN Interface.
Create Captive portal for that interface.
Stop DNS Server and start DNS Forwarder.
Configure DHCP Server for WLAN Interface.
Connect device on wireless from Pfsense and see if the redirect works when trying to access a webpage.

@DanieleIT:

Hello,
Yes, once the roll is "finished" you will have to recreate it.

Ok, I thought it will be intelligent enough to output only unused voucher and recreate new vouchers when necessary  ::)

Thank you!

Ok thanks for your feedback, I will continue to search how it's working with an external database

@Gertjan:

Deactivate the "internal dns forwarder" for your Captive Portal.
Instruct the DHCP server that serves the Captive Portal with your (example) ISP DNS servers, or Google DNS servers, or whatever.

Like this, portal visitors can not resolve your internal LAN FQDN's anymore.

[…]Also, the DNS Forwarder or Resolver must be enabled for DNS lookups by unauthenticated clients to work.

Not possible, because the unauthenticated clients can never resolve a dns.
@Gertjan:

BUT : why do you care anyway ? Normally, portal visitors can go (only !) "out" to the net, and your firewall rules for the captive portal interface won't let them into your LAN …. so even if they 'know' that a FQDN exists on your ... what ? LAN ? they can't do nothing with it.

Yes, you are right my visitors can only go out into the internet.

Thank you guys for quick response. I've been playing with the options for a while and it kinda works.

I've added my domain to the allowed hostnames. The website has links to google map and restaurants facebook page but I cannot allow those two or else I will be giving them access to surf either of these freely (right?).

So the part that is not working is redirection to the restaurant website before CP page. I would like to redirect guests to my website right away and only if they want to leave my garden I would present them with the CP page asking them to input their voucher. I set the Pre-authentication redirection url to http://www.salas-ostrazica.com and it doesn't work. At the moment I am still using the default pfsense captive portal page tho. Furthermore I also tried to upload my own html page changing $PORTAL_REDIRURL$ to www.salas-ostrazica.com and it didn't work. I got redirected to www.salas-ostrazica.com after the authentication.

However the after authentication redirection url works perfectly with the default CP page. What variable holds the value for redirection before authentication?