• Captive portal Allowed hostnames not working (well, not entirely)

    9
    0 Votes
    9 Posts
    2k Views
    C

    Thanks for tracking that down further.

    Check "ipfw zone list" to find your zone number. Mine's 2. Then check all the table contents with "ipfw -x 2 table all list". I have pfsense.org in as an allowed hostname, and correctly get:

    ipfw -x 2 table all list
    ---table(0)---
    0.0.0.0/0 49
    ---table(3)---
    208.123.73.69/32 2090
    ---table(4)---
    208.123.73.69/32 2091

    But it's not there after a reboot. Edit and save one of the allowed hostnames and it populates them correctly.
    https://redmine.pfsense.org/issues/4746

    Should work now if you just edit and save one of the entries after booting up. That works for me with one or multiple hostnames.

  • 0 Votes
    2 Posts
    631 Views
    GertjanG

    Hi,

    Same reply as here: https://forum.pfsense.org/index.php?topic=94711.0

  • Two Way Authentication using sms

    2
    0 Votes
    2 Posts
    972 Views
    GertjanG

    @muneebkalathil:

    Hi ,

    I want to create a 2 way authentication for the captive portal.
    I prefer SMS authentication. Can anyone help me? … please :(

    Or is there any other way similar to this?

    Thank You

    This means some serious coding is needed.
    Ask your question here https://forum.pfsense.org/index.php?board=34.0 and start talking about € or $.
    No one can help you to learn this doing it yourself. Learning is an individual thing.

  • AP to pfsense with captive portal and rotating password

    4
    0 Votes
    4 Posts
    841 Views
    E

    I think the last suggestion would probably work. I'll look into setting it up that way. Thanks.

  • How many concurrent captive portal users can C2758 support?

    2
    0 Votes
    2 Posts
    564 Views
    DerelictD

    In my experience, with 8GB RAM, some number of thousands or 10s of thousands.  Enough to worry about your subnet sizes and DHCP leases more than the number of portal users.

  • MOVED: Error in user login via local database.

    Locked
    1
    0 Votes
    1 Posts
    395 Views
    No one has replied
  • Limiting upload/ download amount

    7
    0 Votes
    7 Posts
    2k Views
    F

    I'm running pfSense on a pfSense-built device, not sure, possibly I can install MySQL or something … this has to be robust as it's going to the south pole.

  • No Internet on my captive portale

    31
    0 Votes
    31 Posts
    4k Views
    S

    We had exactly the same problem. Restoring an older (working) backup configuration doesn't fix the problem, a factory reset doesn't fix the problem, a fresh install and everything is working again. Really strange…

  • Captive portal is limiting intranet

    6
    0 Votes
    6 Posts
    1k Views
    B

    I have an idea, but you need one additional piece of equipment.
    Your existing environment:

                 WAN/Internet
                      |
          pfSense with captive portal
                 |         |
               LAN1      LAN2
                 |         |
          Client LAN1   Client LAN2

    I propose this solution for you: add an L2/L3 switch or an additional pfSense server (for inter-LAN communication).
    New environment:

                 WAN/Internet
                      |
          pfSense with captive portal
                      |
                      |
    L2/L3 Switch with Routing/ACL (Inter-LAN Comm)
                 |         |
               LAN1      LAN2
                 |         |
          Client LAN1   Client LAN2

    Hope this helps.

  • Test if user already has portal table entry in login page

    4
    0 Votes
    4 Posts
    847 Views
    DerelictD

    Perfect.  Thanks.

    I'm already using a custom portal_reply_page() and index.php.  Ought to be a piece of cake.

  • Captive Portal not Working on pfSense 2.2.2

    2
    0 Votes
    2 Posts
    742 Views
    johnpozJ

    I would suggest showing us these rules and captive portal settings..  Because to be honest this is really click and it works.

    I enabled a captive portal on my dmz interface, just accepted defaults and get this page when try to google - click continue and there is google.

    Running
    2.2.2-RELEASE (amd64)
    built on Mon Apr 13 20:10:22 CDT 2015
    FreeBSD 10.1-RELEASE-p9

    Without some info to work with it is impossible to even guess where your problem is.  And that is with my dmz rules being pretty much locked down..  Not your typical any any rule say on your lan.


  • Catch & stock CP value fields…

    2
    0 Votes
    2 Posts
    517 Views
    S

    I was planning to implement similar functionality, but decided for a different approach in the end.

    What I can say from my tests: you can create an "intermediate" PHP file that receives the form input, processes it in the way you want (send to syslog, send to database, etc.), and then calls the actual CP login page, passing the necessary fields for a login (user/password, voucher code, etc.). AFAIK, the PHP MySQL module on pfSense is disabled by default, but can be enabled via some shell commands. I was planning to send the data to a syslog-ng instance installed on the pfSense machine, which would have spared me the hassle of setting up a database, connecting to it, etc.

  • Captive Portal Logfile

    8
    0 Votes
    8 Posts
    2k Views
    S

    @Gertjan:

    The current version of pfSense (2.2.2) using its Squid package Squid doesn't work (when a captive portal is used).
    Many people - check out this forum for that - have signaled problems.

    Well, it's working fine for me. What I can see in the forums is some people having trouble with CP, but that seems to be because they didn't configure it correctly, or have other config problems. My guess is that this is where OP's problem is coming from.

    comeback1106, I think you're trying to solve the "users can access internet without being logged on" problem from your other thread, right? Maybe you should review/redo your configuration, using one of the many How-To's as a guide. Try to set up CP without Squid first, then test, then add Squid, and test again. This will probably give you more useful data than asking for a logging function that probably won't reveal anything useful anyway.

    @Gertjan:

    elaborate please.
    Without password etc, that what it does, you can't pass by it.
    Logged in users can bypass.
    Or do you mean that when you use Squid you can't bypass, whatever you do ?
    Something else ?

    CP with Squid works fine for me. I was assuming that doktornotor meant "can be bypassed" by "doesn't work", but reading his message again, this was a misinterpretation.

  • Command to disconnect all logged on users?

    9
    0 Votes
    9 Posts
    4k Views
    GertjanG

    @chowtamah:

    ….
    if I run this code it gives error; Failed setsockopt.

    Somewhere, deep down in /etc/inc/captiveportal.inc, the global variable "$cpzoneid" needs to have a valid value - related and like "$cpzone".
    This part is handling that one:

    // also surface the global $cpzoneid
    $cpzoneid = $captiveportalzone['zoneid'];

  • "Your Service has been Suspended" type of page - restricting access

    13
    0 Votes
    13 Posts
    2k Views
    DerelictD

    I'm sure there are packages available for apache, maybe nginx.  You can probably use the lighttpd that runs the webgui and captive portal interfaces.

    I've never done it.  I only described how I would do it.

    I mistakenly implied the server has to be local. It doesn't have to be.  All that has to happen is all port 80 requests get redirected and there's no captive portal or anything blocking their access to the target site.  Maintaining one external web server for all the sites probably makes sense.  My post forwarded to localhost but that's just what I chose as an example.

    You can NAT the destination address to your deadbeat page (happens on LAN in) then outbound NAT can translate the source address (happens on WAN out).  All you would lose is the ability to see what source address hit your web server but who really cares.  You're just trying to make them call you, pay you, and get you to turn it back on.

  • Portal page not shown

    3
    0 Votes
    3 Posts
    749 Views
    D

    In the first place, stop sticking your CP on LAN where things like domain controllers reside. Putting CP on trusted LAN is just bad idea (TM).

    The DC should be connected to the same switch like everything else on the LAN and the switch goes to pfSense LAN interface. While the DC is routing and NATing, this will never work.

    CP goes to dedicated interface.

  • Captive Portal fails to display images

    3
    0 Votes
    3 Posts
    1k Views
    S

    You are indeed a hero member, added the MIME type and it worked straight away  :)

  • Radius Reauthenticate intermittent issue

    3
    0 Votes
    3 Posts
    778 Views
    R

    Thanks Demco.

    That does indeed fit the issue so I will try this out and see if it helps.

  • Captive portal - client isolation

    6
    0 Votes
    6 Posts
    3k Views
    GertjanG

    @Derelict:

    Note that if you have more than one AP or wired + wireless clients you need isolation in the switch.  Asymmetric VLANs can do this.  Cisco PVLAN edge is even better (easier to configure).

    Another solution exists, while still using 'no-brain' (non-expensive) switches.
    I (still) use inexpensive Linksys (Cisco now) AP's - ejected the original firmware and installed DD-WRT.

    The secret is: use 'ebtables' (yep, that's not iptables).

    #!/bin/ash
    insmod ebtables
    insmod ebtable_filter
    ebtables -t filter -A FORWARD -s 0:0:0:0:0:0/0:0:0:0:0:0 -d Broadcast -j ACCEPT
    ebtables -t filter -A FORWARD -s 0:0:0:0:0:0/0:0:0:0:0:0 -d 00:0f:b5:fe:4e:e7 -j ACCEPT
    ebtables -t filter -A FORWARD -s 00:0f:b5:fe:4e:e7 -d 0:0:0:0:0:0/0:0:0:0:0:0 -j ACCEPT
    ebtables -t filter -A FORWARD -j DROP

    00:0f:b5:fe:4e:e7  = The MAC of my Portal Interface NIC
    (DHCP) broadcasts are permitted.
    Traffic TO and FROM the portal NIC are permitted.

    These rules enforce:
    A client who is connected by Wifi on AP "1" cannot communicate with any other clients that are connected on other AP's (AP "2", "3", etc).
    All connections are only permitted TO the gateway, the pfSense Portal Interface NIC.

  • Redirect loop after successful login

    1
    0 Votes
    1 Posts
    694 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.