So I found that if you use allowed hostname instead of allowed IP, you can specify a direction for the exception.

You can only do one host at a time, but I think that is OK for my purposes.

Doing some further testing, then going to put it into production.

Thanks all for your answers. I'll reply back if it doesn't work as expected.

There is no pfSense-API.
There is the PHP script that you already use ….. so .... ;)

WAY too much emphasis in the pfSense world at getting one "box" (node) doing everything.

1 from for that.

additional GRE tunnel over ipsec, that way you get an interface what should work.

L2TP/IPSec would be the way to realize this.

Internet –- pfSense(Voucher-CaPo) =====IPSec-Tunnel===== RemoteFirewall(nonPfSense) --- Guests 10.0.220.0/24

One Question from me onto this, why not both sides are using then a pfSense firewall with Captive Portal?
A small PC Engines APU is really able to hold this pfSense based Captive Portal for many users.

Thank you Derelict, so simple, yet exactly what I was looking for. Works like a charm.

One user or multiple users.  There is no "limit a voucher to n users" other than n=1 or n=as-many-as-use-the-code.

And even then it's a portal-specific setting, not a voucher-specific setting.  pfSense won't do what you want.

And many SMS and payment gateways must have been integrated too ?

There is no payment gateway! We were talking about the following, "sending vouchers as
SMS" to the clients, and nothing else.

So, can I get the links, so I can simply see how its done and replace it with my API.

The solution shown under this link is written in PHP and I really don´t know what you can do with it rewriting or what ever.

The only thing is that many peoples inside of an german administrator forum are using this together
with pfSense to send the vouchers as a SMS to the clients! Not more and not less.

And I started the download, its an iso file of 108MB.

??? Hm, I really have downloaded it twice and it is only 1 Megabyte (MB) size!
Voucher Generator

So, it needs to be installed on a windows PC or Linux PC and the system needs to be always on to serve the hotspot ?

Description
The Software manages Voucher for the pfSense Captive Portal in a MySQL-Database

@NickM:

Hi guys,
Is there a way to make the vouchers expire automatically after a period i select instead of after the minutes assigned are used?

Building up user groups and then set the lease time for each user group likes,
Group 1 = 30 minutes
Group 2 = 1 hour
and so on so you can easily control the lease time of the vouchers.

@sunnynanade, the key is the "Amount of Bandwidth" section.

Used reply-item attribute:

count-attribute = WISPr-Bandwidth-Max-Down
    count-attribute = WISPr-Bandwidth-Max-Up

you need to set these attributes in the radius server for each user, and make the radius server reply different values for different users, I am not familiar with FreeRADIUS, but I think it is able to do this.

Do you mean DD-WRT is not stable/reliable? Or the Linksys EA2700?

For sure DD-WRT & OpenWRT will be both stable and reliable and also routers from other vendors
would be matching also fine! Buffalo, Netgear, TP-Link and some of them came with pre installed
DD-WRT or OpenWRT firmware so you must not flash it alone.

is still a home setup.

There are also switches out there that can be done all things for less money, but but routing
must be done then at the pfSense it selfs.

Netgear GS105Ev2 Netgear GS108Ev2 Netgear GS108Tv3 TP-Link TL-SG105E

Buy two of them and then replace the both you own, the TP-Link ones are able to get for cheap
as ~25 € each and are capable of VLANs.

Replacing my switched for managed switches will cost around 200 euro at least?

One Cisco SG300-10 for ~180 € and one TP-Link TL-SG105E on top for ~25 € will do the job and
routes the entire LAN by it selfs!

I'm planning on buying a new wifi router/ap as well…

Get a cheap used one with GB LAN Ports and if ac is not really urgent
for you it will do the job also fine.

@Gertjan:

@itchy:

…. btw: your Log looks much sorted and cleand than my do. My formatting is total "ugly".  >:(

Use the GUI to see them ;D

To show them on the forum, use the # BB-code.

@GERTJAN,
Thank you for the reply. I guess ill just have to configure something that wont make my access points act as routers… hmmmn another sleepless nights...

@doktornotor:

@amiyou:

So there is no way to create an offline captive portal?

The only way to create "offline" CP (whatever that means) it to make your DNS server resolve everything to some bogus IP.

https://doc.pfsense.org/index.php/Creating_a_DNS_Black_Hole_for_Captive_Portal_Clients#Create_the_configuration_file

(If you want to run this on pfSense, do NOT follow the rest of the howto, use the Bind package and GUI instead.)

Thanks. I will try the black hole. What will happen when the clients authenticate through the captive portal?

My problem is that the internet is not stable with LTE, but the captive portal redirection to a landing page should still work, although the internet is not available.

@tommyverburgh:

I wonder if it's possible to reinstall the captive portal service, maybe there's something wrong with the installation. I'm using the latest version on a brand new device made for pfsense.

Sure. Reinstall latest pfSense update.

If RADIUS isn't your thing, then another possible route you could take would be to install a proxy on your pfSense and bind that to your AD domain. This would then require your users to authenticate through the proxy with their Windows credentials before accessing the internet. There are plenty of links showing how this is done. Here are a few:

https://vicryhc.wordpress.com/2013/07/08/how-to-setting-squid-on-pfsense-with-authentiaction-ldap-windows/

https://forum.pfsense.org/index.php?topic=58700.0

http://blog.cadena-it.com/linux-tips-how-to/how-to-setting-squid-on-pfsense-with-authentiaction-ldap-windows/

There are many more to be found via Google, of course.

You can assign group policies to AD groups via a Squid/Dansguardian combination (the way I've done it). Members of that AD group can then be assigned specific access or non-access through rules you can set up in Dansguardian. Again, you'll find quite a few examples of this on the internet already if you fire up Google.

I had this working with Squid installed for some time… until something happened no idea...

I had Squid uninstalled and did not worked, and now I have Squid running and is working so I don't blame Squid.

Maybe a bug if hard time expiration = voucher time ( I can test it but not now, I had enough ).

will see in time.

Well. Gertjan gave me the answer and a solution.

I understand what I have done wrong and know how to correct it.

Many thanks for the help!

See this message : https://forum.pfsense.org/index.php?topic=98324.msg548173#msg548173 - and just ask your : why did he asked if 'squid' is installed ?!

Re-install your pfSEnse - install ONLY ONE package at the time.
Do thorough testing …
Find out yourself when things break.
Now you know what package you should NOT install, because it break the captive portal  ;D

I'll give you a hint : https://forum.pfsense.org/index.php?topic=98324.msg548173#msg548173

Hi,

Here are some links I have bookmarked so you can read/study:

http://sourceforge.net/projects/captiveportalplus/
https://forum.pfsense.org/index.php?topic=91257.0
http://blog.stefcho.eu/tag/captive-portal/
http://blog.stefcho.eu/pfsense-2-0-rc1-configure-captive-portal-for-guests-with-local-user-management/
http://blog.stefcho.eu/pfsense-2-0-rc1-customize-captive-portal-pages-and-implement-https/
http://blog.stefcho.eu/pfsense-2-0-rc1-captive-portal-with-radius-authentication-and-vouchers/

Yeah, adding IPv6 is completely useless, CP doesn't work with IPv6 at all.