• CaptivePortal on GRE interface

    0 Votes, 4 Posts, 1k Views

    I've modified the setup so we now use two VMs: one for the setup of the VPN, and one with a LAN interface to run CaptivePortal on:

    Will this setup still work? It seems the MAC addresses from the client devices (10.30.0.0/16) are dropped for the traffic that flows through the VPN tunnel. The DHCP requests, however, are still made with the correct source MAC.

    A follow-up question: the traffic flows through both VMs, and ping works correctly:

    [2.2.6-RELEASE][admin@HopprVPN.trin-it.nl]/root: tcpdump -netti le1 host tweakers.net
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on le1, link-type EN10MB (Ethernet), capture size 65535 bytes
    capability mode sandbox enabled
    1451471556.841142 00:50:56:01:26:5e > 00:50:56:01:27:ca, ethertype IPv4 (0x0800), length 74: 10.30.0.10 > 213.239.154.20: ICMP echo request, id 1, seq 1127, length 40
    1451471556.842799 00:50:56:01:27:ca > 00:50:56:01:26:5e, ethertype IPv4 (0x0800), length 74: 213.239.154.20 > 10.30.0.10: ICMP echo reply, id 1, seq 1127, length 40
    1451471557.850062 00:50:56:01:26:5e > 00:50:56:01:27:ca, ethertype IPv4 (0x0800), length 74: 10.30.0.10 > 213.239.154.20: ICMP echo request, id 1, seq 1128, length 40
    1451471557.851729 00:50:56:01:27:ca > 00:50:56:01:26:5e, ethertype IPv4 (0x0800), length 74: 213.239.154.20 > 10.30.0.10: ICMP echo reply, id 1, seq 1128, length 40
    1451471559.059122 00:50:56:01:26:5e > 00:50:56:01:27:ca, ethertype IPv4 (0x0800), length 74: 10.30.0.10 > 213.239.154.20: ICMP echo request, id 1, seq 1129, length 40
    1451471559.060913 00:50:56:01:27:ca > 00:50:56:01:26:5e, ethertype IPv4 (0x0800), length 74: 213.239.154.20 > 10.30.0.10: ICMP echo reply, id 1, seq 1129, length 40
    1451471559.999093 00:50:56:01:26:5e > 00:50:56:01:27:ca, ethertype IPv4 (0x0800), length 74: 10.30.0.10 > 213.239.154.20: ICMP echo request, id 1, seq 1130, length 40
    1451471560.000694 00:50:56:01:27:ca > 00:50:56:01:26:5e, ethertype IPv4 (0x0800), length 74: 213.239.154.20 > 10.30.0.10: ICMP echo reply, id 1, seq 1130, length 40

    But on return for TCP traffic the LAN interface on the first VM returns 'host unreachable' for the client device (and TCP traffic is never returned to the client device):

    1451471585.431692 00:50:56:01:26:5e > 00:50:56:01:27:ca, ethertype IPv4 (0x0800), length 66: 10.30.0.10.61580 > 213.239.154.20.80: Flags [S], seq 4232436194, win 8192, options [mss 1160,nop,wscale 8,nop,nop,sackOK], length 0
    1451471585.433843 00:50:56:01:27:ca > 00:50:56:01:26:5e, ethertype IPv4 (0x0800), length 66: 213.239.154.20.80 > 10.30.0.10.61580: Flags [S.], seq 2346278513, ack 4232436195, win 28960, options [mss 1160,nop,wscale 0,nop,nop,sackOK], length 0
    1451471585.433878 00:50:56:01:26:5e > 00:50:56:01:27:ca, ethertype IPv4 (0x0800), length 94: 10.20.0.48 > 213.239.154.20: ICMP host 10.30.0.10 unreachable, length 60
    1451471588.467043 00:50:56:01:26:5e > 00:50:56:01:27:ca, ethertype IPv4 (0x0800), length 66: 10.30.0.10.61580 > 213.239.154.20.80: Flags [S], seq 4232436194, win 8192, options [mss 1160,nop,wscale 8,nop,nop,sackOK], length 0
    1451471588.468891 00:50:56:01:27:ca > 00:50:56:01:26:5e, ethertype IPv4 (0x0800), length 66: 213.239.154.20.80 > 10.30.0.10.61580: Flags [S.], seq 2346278513, ack 4232436195, win 28960, options [mss 1160,nop,wscale 0,nop,nop,sackOK], length 0
    1451471588.468918 00:50:56:01:26:5e > 00:50:56:01:27:ca, ethertype IPv4 (0x0800), length 94: 10.20.0.48 > 213.239.154.20: ICMP host 10.30.0.10 unreachable, length 60

    I think this is because the LAN interface has no knowledge of the traffic that's being returned, so it blocks the SYN/ACK packets. See also the firewall logs: http://www2.trin-it.nl/download/tweakers_syn_ack.png

    How can I solve this? Thanks for any help.
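    The symptom in the capture above (the SYN/ACK comes back, and the first VM answers it with ICMP host unreachable instead of forwarding it to the client) can be picked out of a `tcpdump -netti` capture mechanically. The following is an added example, not code from the post or from pfSense: it parses the line layout shown above, tracks each client handshake, and flags flows where every SYN/ACK was followed by an ICMP "host unreachable" from an intermediate hop. The sample input reuses the SYN / SYN-ACK / ICMP lines quoted in the post plus one constructed healthy handshake (10.30.0.11:50000) for contrast.

```python
"""Find TCP handshakes in a `tcpdump -netti` capture whose SYN/ACK was answered
with ICMP "host unreachable" by an intermediate hop instead of being forwarded.

Added example, not code from the forum post or from pfSense. Assumes the
`-netti` line layout shown in the post: epoch timestamp, src MAC > dst MAC,
ethertype, then the IPv4 header summary.
"""
import re
from collections import OrderedDict

IP = r'\d{1,3}(?:\.\d{1,3}){3}'
HDR = (r'^(?P<ts>\d+\.\d+) (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), '
       r'ethertype IPv4 \(0x0800\), length \d+: ')
TCP_RE = re.compile(HDR + r'(?P<sip>' + IP + r')\.(?P<sport>\d+) > (?P<dip>' + IP
                    + r')\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]')
ICMP_RE = re.compile(HDR + r'(?P<sip>' + IP + r') > (?P<dip>' + IP
                     + r'): ICMP host (?P<target>' + IP + r') unreachable')

# Lines 1-6: the SYN / SYN-ACK / ICMP exchange quoted in the post (flags as
# tcpdump prints them, [S] for SYN). Lines 7-9: a constructed healthy handshake.
SAMPLE = """\
1451471585.431692 00:50:56:01:26:5e > 00:50:56:01:27:ca, ethertype IPv4 (0x0800), length 66: 10.30.0.10.61580 > 213.239.154.20.80: Flags [S], seq 4232436194, win 8192, options [mss 1160,nop,wscale 8,nop,nop,sackOK], length 0
1451471585.433843 00:50:56:01:27:ca > 00:50:56:01:26:5e, ethertype IPv4 (0x0800), length 66: 213.239.154.20.80 > 10.30.0.10.61580: Flags [S.], seq 2346278513, ack 4232436195, win 28960, options [mss 1160,nop,wscale 0,nop,nop,sackOK], length 0
1451471585.433878 00:50:56:01:26:5e > 00:50:56:01:27:ca, ethertype IPv4 (0x0800), length 94: 10.20.0.48 > 213.239.154.20: ICMP host 10.30.0.10 unreachable, length 60
1451471588.467043 00:50:56:01:26:5e > 00:50:56:01:27:ca, ethertype IPv4 (0x0800), length 66: 10.30.0.10.61580 > 213.239.154.20.80: Flags [S], seq 4232436194, win 8192, options [mss 1160,nop,wscale 8,nop,nop,sackOK], length 0
1451471588.468891 00:50:56:01:27:ca > 00:50:56:01:26:5e, ethertype IPv4 (0x0800), length 66: 213.239.154.20.80 > 10.30.0.10.61580: Flags [S.], seq 2346278513, ack 4232436195, win 28960, options [mss 1160,nop,wscale 0,nop,nop,sackOK], length 0
1451471588.468918 00:50:56:01:26:5e > 00:50:56:01:27:ca, ethertype IPv4 (0x0800), length 94: 10.20.0.48 > 213.239.154.20: ICMP host 10.30.0.10 unreachable, length 60
1451471590.000000 00:50:56:01:26:5e > 00:50:56:01:27:ca, ethertype IPv4 (0x0800), length 66: 10.30.0.11.50000 > 213.239.154.20.80: Flags [S], seq 1000, win 8192, options [mss 1160], length 0
1451471590.001500 00:50:56:01:27:ca > 00:50:56:01:26:5e, ethertype IPv4 (0x0800), length 66: 213.239.154.20.80 > 10.30.0.11.50000: Flags [S.], seq 2000, ack 1001, win 28960, options [mss 1160], length 0
1451471590.003000 00:50:56:01:26:5e > 00:50:56:01:27:ca, ethertype IPv4 (0x0800), length 54: 10.30.0.11.50000 > 213.239.154.20.80: Flags [.], ack 2001, win 32, length 0
"""


def new_flow():
    """Counters kept per (client_ip, client_port, server_ip, server_port)."""
    return {'syn': 0, 'synack': 0, 'ack': 0, 'unreachable': 0, 'unreachable_from': None}


def analyze(lines):
    """Parse capture lines and return an OrderedDict of flow key -> counters."""
    flows = OrderedDict()
    for line in lines:
        m = TCP_RE.match(line)
        if m:
            flags = m['flags']
            if 'S' in flags and '.' not in flags:        # bare SYN: client -> server
                key = (m['sip'], int(m['sport']), m['dip'], int(m['dport']))
                flows.setdefault(key, new_flow())['syn'] += 1
            elif 'S' in flags:                           # SYN/ACK: server -> client
                key = (m['dip'], int(m['dport']), m['sip'], int(m['sport']))
                flows.setdefault(key, new_flow())['synack'] += 1
            elif flags == '.':                           # pure ACK from the client
                key = (m['sip'], int(m['sport']), m['dip'], int(m['dport']))
                if key in flows and flows[key]['synack']:
                    flows[key]['ack'] += 1
            continue
        m = ICMP_RE.match(line)
        if m:
            # Sent by a middle hop (sip) back to the server (dip) about the client
            # (target). Charge it to the oldest client/server flow that still has
            # a SYN/ACK without a matching unreachable.
            for key, f in flows.items():
                if (key[0], key[2]) == (m['target'], m['dip']) and f['synack'] > f['unreachable']:
                    f['unreachable'] += 1
                    f['unreachable_from'] = m['sip']
                    break
    return flows


def diagnose(f):
    """Classify one flow's counters."""
    if f['synack'] and f['unreachable'] >= f['synack']:
        return 'synack-rejected'   # the return path rejected every SYN/ACK
    if f['synack'] and f['ack']:
        return 'established'
    if f['syn'] and not f['synack']:
        return 'no-synack'
    return 'incomplete'


def report(lines):
    """Map each flow key to its diagnosis."""
    return {key: diagnose(f) for key, f in analyze(lines).items()}


if __name__ == '__main__':
    for key, f in analyze(SAMPLE.splitlines()).items():
        extra = ' (ICMP from %s)' % f['unreachable_from'] if f['unreachable_from'] else ''
        print('%s:%d -> %s:%d  %s%s' % (key + (diagnose(f), extra)))
```

    A 'synack-rejected' flow whose ICMP comes from an address on the firewall (10.20.0.48 here) rather than from the server points at the middle hop, not at the far end: the SYN/ACK arrived, and the hop refused to deliver it, which is what a missing state or route on the return path looks like in a capture.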
  • CP simultaneous use with FreeRADIUS

    0 Votes, 5 Posts, 1k Views

    @muswellhillbilly:

    I think you might have better luck if you ask in your own language on one of the foreign forum pages.

    Sorry for our English :-[.

    We need a specific number of devices to be able to work simultaneously with the same user, but without having to "log out" to kick one of them off so that the next one can get in. We want it to work as if the "Disable concurrent logins" option were active, which automatically kicks off the first authenticated device, but using the same user on 2, 3 or 4 devices at once.

    Thanks!

  • Login via URL containing the voucher

    0 Votes, 1 Post, 599 Views, no one has replied
  • Internet traffic still blocked after logon

    0 Votes, 3 Posts, 772 Views

    Short answer: Post your firewall rules and maybe someone can help.

  • Cannot upload image file on File Manager

    0 Votes, 7 Posts, 2k Views

    hahaha, I updated to 2.2.6 and it's OK. Thanks for the help

  • How to get Countdown timer for Timeout on Logout window of CP

    0 Votes, 2 Posts, 950 Views, last post by Gertjan

    Hi,

    First things first: the visitor, the client, can - and they often do - block popup windows.

    If this weren't the case:
    The default setup contains the possibility to have a popup opened when the visitor / client logs in. See here: https://github.com/pfsense/pfsense/blob/RELENG_2_2/etc/inc/captiveportal.inc#L286
    What needs to be done: add JavaScript code that shows a countdown (you'll find many examples on the net). When this popup window is created, it should be 'started' from a variable (which exists) that contains the initial value: the "hard timeout".

    But, as said above: most clients / visitors will never see this window, because they do as you and I do: block popups.

    An idea might be: redirect people to a web page (on pfSense) after login.
    This page contains the counter. On the page, advise people to keep the window open …

    Or: advise them to set an alarm on their watch when they log in .... ;) (easy, no coding needed).

  • Pipe no leaking

    0 Votes, 4 Posts, 1k Views, last post by Gertjan

    For info : the new version (2.2.6) has a new httpd version which includes bug fixes.

  • Some clients don't need authentication to get through the captive portal

    0 Votes, 7 Posts, 2k Views

    You probably hit this bug

    https://redmine.pfsense.org/issues/5622

    You can search your log files for the respective message:

    logportalauth[63045]: Zone: main_zone - Successfully reinitialized tables for main_zone - database has been reset.
    logportalauth[63045]: Zone: main_zone - Error during table main_zone creation. Error message: database is locked. Resetting and trying again.

    With some luck it's resolved in 2.2.6; the workaround is pretty simple.

  • 0 Votes, 7 Posts, 8k Views, last post by Derelict

    Yes. Good access to global DNS prior to punching through the portal is a requirement for CP to function.

    Well, DNS queries have to return some IP address for the client to try to connect to.

  • 0 Votes, 6 Posts, 2k Views

    I could solve the problem by adjusting the MTU on the wanted interface to around 1400 bytes. Thanks for trying to help.

  • Found a bug/undocumented Feature with CP Mac-Passthrough & IP-Passthrough

    0 Votes, 7 Posts, 2k Views

    The limit's 1 Gb per pipe, which would be per-customer in that kind of scenario, so that shouldn't pose any issues for you unless/until you want to offer >1Gb per customer.

  • How to restart the captive portal from the CLI?

    0 Votes, 5 Posts, 2k Views, last post by jimp

    You can restart the lighttpd instance associated with a captive portal at the CLI, but it's different than actually saving on the CP settings to reinitialize the portal:

    : ps uxawww | grep "[l]ight.*testz"
    root    54907  0.0  2.4  46636  5472  -  S    2:03PM    0:00.00 /usr/local/sbin/lighttpd -f /var/etc/lighty-testzone-CaptivePortal.conf
    : pfSsh.php playback svc restart captiveportal testzone
    Starting the pfSense developer shell....
    Attempting to issue restart to captiveportal service...
    captiveportal has been restarted.
    : ps uxawww | grep "[l]ight.*testz"
    root    58835  1.0  2.4  46636  5472  -  S    2:04PM    0:00.00 /usr/local/sbin/lighttpd -f /var/etc/lighty-testzone-CaptivePortal.conf
  • 0 Votes, 2 Posts, 1k Views

    First - I am NOT a Windows person (I work mostly with networks and Linux/Unix).  Our Windows server person set up what I think you are looking for.

    They set up their domain controller to provide a RADIUS server.  Then, depending on the settings in the domain controller, users could also be in the RADIUS listings.  The RADIUS listings contained user names and passwords.  Then when somebody was to authenticate by VPN on a pfSense box, the pfSense box would perform a RADIUS lookup and those in the RADIUS server would then authenticate in the VPN on pfSense.

    I hope this helps some…

    North Idaho Tom Jones

  • Bind Captive-Portal to something other than an interface?

    0 Votes, 4 Posts, 835 Views

    You can only have a single CP instance on a given broadcast domain. There are a lot more complications to it than CP itself, for instance your clients would have to be on a different DHCP scope, which isn't possible unless you have DHCP reservations defined for every device on the non-default subnet.

    In that type of network environment, if you're not isolating broadcast domains between different customers (I presume the use case there, not sure why else you'd want diff domains), your network design is fundamentally wrong.

  • Persistence of CP logins

    0 Votes, 2 Posts, 637 Views, last post by Gertjan

    @FeierAll:

    ….
    Do I miss something?

    MAC addresses that are added to the MAC tab are not considered "logged in" anymore. They have gained permanent CP access.
    Just check that they are added to the MAC list (portal setup page) when they log in once. The MAC tab (pages) is stored in the config, so it will last after a reboot.

  • MOVED: freeRadius server does not start automatically on reboot

    Locked, 0 Votes, 1 Post, 446 Views, no one has replied
  • Redirect

    0 Votes, 3 Posts, 900 Views

    Hello.
    I believe that the error is in the custom file that I created.

    When I fill in the URL field for after authentication it works perfectly. I would like to turn this option off: if I leave the post-authentication field blank, simply nothing happens after authentication.
    Would I have to change these file lines?

  • Maximum number of MAC entries in Captive Portal

    0 Votes, 1 Post, 609 Views, no one has replied
  • Captive portal with client using google dns

    0 Votes, 3 Posts, 1k Views

    Either that, or set your PFS as a DNS forwarder and set the firewall as your clients' primary DNS referrer in your DHCP configuration.

  • Login is working but no Internet Access on some devices

    0 Votes, 11 Posts, 2k Views

    Strange…

    Some hours later everything just worked fine on the new machine... Until now there are no more problems.

    I have multiple nets...

    Opt1, Opt2, Opt3, WAN -> Wan Connections
    LAN -> Management Interface 192.168.30.0/24
    Opt4 -> VLAN Interface for:
    VLAN 31 -> WLAN 192.168.31.0/24
    VLAN 32-36 -> Different LAN Vlans 192.168.32-36.0/24

    I think that there was a problem with the Multi-WAN and the configured DHCP servers...

    Thanks @ all for the support ;) Hope that everything works now as expected.

    Cheers

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.