• Captive Portal With Squid Guard

    0 Votes
    2 Posts
    984 Views

    Captive portal is different from squid guard. Captive portal prevents unauthenticated users from accessing the internet; squid guard is a list of blacklisted websites. If you just want to block websites, use squid guard: https://doc.pfsense.org/index.php/SquidGuard_package#Configure_the_squidGuard_Package

  • Captive Portal - Voucher valid on the first device

    0 Votes
    5 Posts
    2k Views

    Thanks sebastiannielsen, but this solution won't let me change the voucher time, so all vouchers will be expired after the "Hard timeout" period. I just wanted to make vouchers with various amounts of time.
    So isn't there any other solution?

  • CAPTIVE PORTAL DOES NOT WORK

    0 Votes
    5 Posts
    2k Views

    @advcorp:

    Today afternoon I installed, step by step, the various modules of pfsense, but the result is always the same.

    Ok, you installed step by step. So at what step did the captive portal fail? What tests did you run after each change you made? As Gertjan suggested, start with a plain install with no packages. Test you can get out to the internet using the basic installation. Then, add the captive portal to your OPT1 network. Test again. Does the captive portal work? If so, move onto the next part of your install, testing each time until it stops working. You will then know at what point in your installation process things start to break and you can diagnose the problem. You've said nothing about testing at each point in the installation, so nobody can assume anything else but that you didn't.

  • Migrate voucher settings to new computer not successful

    0 Votes
    8 Posts
    3k Views

    @ishtiaqaj:

    I had gone through the same problem. Any find the solution?

    ishtiaqaj,

    See if the proposed workaround resolves your issue.

    https://forum.pfsense.org/index.php?topic=97457.msg543099#msg543099

  • Turning off CP between certain times

    0 Votes
    6 Posts
    2k Views

    I managed to get it all working. I had to use a combination of the two solutions I had found. Following the post found at: https://forum.pfsense.org/index.php?topic=80789.15 I used the two scripts, which left me with this:

    To disable the captive portal, I made a script called rc.captiveportal_disable:

    #!/usr/local/bin/php -f
    <?php
    /* $Id$ */
    /*
        rc.captiveportal_disable
        copied and modified from rc.captiveportal_configure
    */
    require("config.inc");
    require("functions.inc");
    require_once("filter.inc");
    require("shaper.inc");
    require("captiveportal.inc");

    captiveportal_disable();

    /* Disable the zone whose name matches the first command-line argument. */
    function captiveportal_disable() {
        global $config, $cpzone, $argv;

        if (is_array($config['captiveportal'])) {
            foreach ($config['captiveportal'] as $cpkey => $cp) {
                $cpzone = $cpkey;
                if (strpos($argv[1], $cpzone) !== false) {
                    /* Clear the enable flag on this copy, then reconfigure the zone. */
                    if (isset($cp['enable'])) {
                        unset($cp['enable']);
                    }
                    captiveportal_configure_zone($cp);
                }
            }
        } else {
            mwexec("/sbin/sysctl net.link.ether.ipfw=0");
        }
    }
    ?>

    And another disable script that I made to call the above script and unload all IPFW tables (called that one rc.captiveportaloff):

    /etc/rc.captiveportal_disable vouchers
    /sbin/kldunload ipfw.ko

    After doing this the captive portal will be disabled, allowing internet traffic through.

    To re-enable I used the script to reconfigure the captive portal for the particular zone, named rc.captiveportal_enable:

    #!/usr/local/bin/php -f
    <?php
    /* $Id$ */
    /*
        rc.captiveportal_enable
        copied and modified from rc.captiveportal_configure
    */
    require("config.inc");
    require("functions.inc");
    require_once("filter.inc");
    require("shaper.inc");
    require("captiveportal.inc");

    captiveportal_enable();

    /* Enable the zone whose name matches the first command-line argument. */
    function captiveportal_enable() {
        global $config, $cpzone, $argv;

        if (is_array($config['captiveportal'])) {
            foreach ($config['captiveportal'] as $cpkey => $cp) {
                $cpzone = $cpkey;
                if (strpos($argv[1], $cpzone) !== false) {
                    /* Set the enable flag on this copy, then reconfigure the zone. */
                    $cp['enable'] = true;
                    captiveportal_configure_zone($cp);
                }
            }
        } else {
            mwexec("/sbin/sysctl net.link.ether.ipfw=0");
        }
    }
    ?>

    Then another script to call the above script and reload all the IPFW tables, named rc.captiveportalon:

    /sbin/kldload ipfw.ko
    ipfw zone 2 create
    /sbin/ipfw -x 2 -q /tmp/ipfw_vouchers.cp.rules
    ipfw zone 2 madd hn1
    /etc/rc.captiveportal_enable vouchers

    Then use a cron job to call rc.captiveportaloff and rc.captiveportalon whenever you like. Seems like a dirty way of getting this done, but it works for me. It would take a bit more code if you are dealing with multiple zones, but for a single zone this works.

    One other question: how does the tmp folder behave? I have my script using the ipfw rules found in /tmp/ipfw_vouchers.cp.rules. If I happen to reboot pfsense while CP is turned off, will it end up deleting that file, thus breaking CP completely?

  • Captive Portal For Hotel With Tiered Pricing

    0 Votes
    3 Posts
    1k Views
    The Computer Guy

    I would be very careful of offering this sort of speed service. What bandwidth does the hotel have to play with? What happens if 10 x people buy 15mbps internet? It's very difficult to explain to a paying customer why they're not getting 15mbps if they paid for it.

    I would look at running two CPs on VLANs, then using APs that have multi VLAN/SSID, and call them Hotel WiFi standard & Hotel WiFi premium, rather than tying yourself to a speed. You could then claim that premium WiFi is 3 x quicker without having to give any speed indications.

  • Installing Captive Portal Intranet using ( Black Hole DNS)

    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Securing Captive Portal with OS fingerprinting

    0 Votes
    5 Posts
    1k Views

    @sebastiannielsen:

    No, he isn't out to restrict to a specific OS.

    What he is out for is, when a client authenticates correctly, the client's MAC, OS-fingerprint, and IP are saved in the firewall rule.
    So the OS-fingerprint must match whatever the user authenticated with, to prevent spoofing.

    Yes, that's precisely what I'm looking for. I wasn't aware that pf wasn't used for the Captive Portal. However, since pf is still available for filtering, I was thinking about something like this:

    Create a pf rule that logs the OS fingerprints of clients.

    After a successful login of a user, create a pf rule for the IP that the user got that only allows TCP traffic with the OS fingerprint that has been detected during login.

    After either a voluntary logout by the user herself or after the soft / hard timeout, remove the pf rule for the user's IP.

    This should add one more layer of security. Sure, it's not foolproof but certainly would add one more hurdle to abuse.

  • Captive Portal : Allow domain

    0 Votes
    7 Posts
    4k Views

    OK, I understand! It's logic.
    I will see if it's possible with a proxy…
    Thank you to all.

  • 0 Votes
    6 Posts
    6k Views

    To solve this issue forever you must add the CA cert to the pfSense GUI and restart the Captive Portal services.

    Step: Cert Manager --> CAs tab --> Create a new record --> fill up "Certificate data" with CA Cert --> use IE or Firefox to test https url

    Note: don't use Chrome because it can handle this case.

  • On restore from backup - Captive Portal uses old .html

    0 Votes
    1 Posts
    581 Views
    No one has replied
  • Captive Portal Problems

    0 Votes
    12 Posts
    3k Views

    @Derelict:

    If you do not get an address it's DHCP - nothing to do with captive portal.

    If you cannot resolve names, this might be because you are not passing through necessary name servers in captive portal. Hosts need to be able to resolve names if you want browsers going to www.domain.com to bring up the portal.

    I have probably 8000-15000 different devices going through Captive Portal every week. It works fine if configured correctly.

    You are going to have to systematically go through the steps necessary for CP to function and find the specific failure before we (or at least I) can help you.

    Thanks Derelict, I have found the problem, and it was that the WAN and the LAN had some checks that should not have been checked, and it was the bottom 2 that refuses bogons and the other above it. I unchecked them and then all went well quickly, and I hope it helps someone else if they have the same problem. I can now type in the password only on the custom page, and no more hanging and timing out off to the world web. Thanks for your patience with me, even though I know I didn't explain very well, but like I told y'all, I'm totally new to pfsense. I did go back and use the default pfsense portal page like you asked me to, and it was still no good until I unchecked those boxes.

  • All Connected to my Captive Portal will see my Ads

    Locked
    0 Votes
    2 Posts
    689 Views
    jimp

    You're unlikely to get an answer here because what you're asking is unethical. That said, there have been threads on this in the past, searching may turn up an answer, but it's not something we would like to encourage.

  • Voucher generation page modification

    0 Votes
    1 Posts
    582 Views
    No one has replied
  • Captive portal unreachable after 2.2.6

    0 Votes
    2 Posts
    563 Views

    Hi all,

    Seems I fixed it after upgrading lighttpd.

    Thanks

  • Captive Portal Forbidden 403

    0 Votes
    2 Posts
    951 Views

    I would start by comparing the DNS settings on the machines which work against those that don't. If they're using different DNS servers then that could possibly account for the conflicting behaviour. Check the routing, too.

  • Jail Users to their Vlans

    0 Votes
    5 Posts
    929 Views

    NAS IP and VLAN ID in the user config aren't the same thing. You'll need to configure freeradius accordingly to use the NAS IP you're sending it. I'm not sure offhand how to accomplish that in freeradius but that's where you'll need to look.

  • Simple desktop application for captive portal login

    0 Votes
    1 Posts
    610 Views
    No one has replied
  • What sites are visited by user

    0 Votes
    6 Posts
    4k Views

    The CP simply handles authentication, not proxying. What you're asking for is a proxy solution that shows sites visited. Hence I would suggest Squid/Lightsquid bound to AD to map usernames to sites visited, either running on the PFS directly or running as a standalone proxy.

  • Per-user bandwidth restriction

    0 Votes
    4 Posts
    1k Views
    Derelict

    Or use standard limiters. If you're on 2.2.X YMMV.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.