• Captive portal nothing after successful login

    3
    0 Votes
    3 Posts
    643 Views
    E

    Don't do this. You will get asymmetric routing problems.

  • MOVED: Enable only one login on the captive portal

    Locked
    1
    0 Votes
    1 Posts
    411 Views
    No one has replied
  • CP does not redirect to login page.

    17
    0 Votes
    17 Posts
    2k Views
    K

    Well - I suppose I'd recommend going with a /24 (because I'm simple minded mostly), unless there is a reason not to.

    Sure I can work with /16 and /8s and I do when I have to.  Does he have to?

  • CP only redirects HTTP traffic, not HTTPS traffic to the login page.

    15
    0 Votes
    15 Posts
    3k Views
    Gertjan

    @zoro_2009:

    …. the Squid caching mechanism for the simple HTTP is doing wonders in our LAN, and I was really impatient doing the same for HTTPS as more and more sites going pure SSL!

    Negative.
    SSL connections are (normally) set up to guarantee "what the server outputs is what is being received by the 'client'".
    A server that throws out SSL connections will indicate in the HTTP headers that "this file should NOT be cached" because the 'client' wants to see "really real time info" - even if this means that things come over slower. SSL means "You to me and no-one between us". Otherwise, a basic TCP connection will do.
    A classic (non coded TCP) connection can be 'read' by a caching system, can be intercepted, cached (and translated, mangled, rerouted, whatever).
    Think about this: your browser will NOT cache any information it receives when info came in by SSL.
    A "cache" like squid will not 'cache' anything because it can't see what's coming in (SSL, like VPN == just a random bitstream) - SSL is all about that. The cache can only 'just forward' because no caching is possible. A cache will actually just delay instead of accelerate SSL connections.

    Caching SSL will be something like asking for a private 1 to 1 communication with a translator between the two of you. Fine, but you agree that the word 'private' should be redefined ;)

  • CP won't redirect page

    2
    0 Votes
    2 Posts
    608 Views
    D

    1/ Disable DHCP on the WRT320N and connect it via the LAN port.
    2/ Absolutely no interest in proxies, sorry. Maybe someone else. (You will save yourself a lot of trouble by reconsidering what you really NEED.)

  • MOVED: Block wifi with PFSense

    Locked
    1
    0 Votes
    1 Posts
    481 Views
    No one has replied
  • Captive Portal Slow in Google Chrome

    3
    0 Votes
    3 Posts
    2k Views
    E

    Thanks for the reply. I will just forget about it for now. I figured it was just a google calling home thing. Thanks again.

  • Captive portal on zone 0 possible?

    3
    0 Votes
    3 Posts
    1k Views
    Gertjan

    @-flo-:

    …..
    For sake of user’s saved login credentials I would prefer to have my single existing zone use ID 0 so the login page is still to be found on port 8000 as before. Is this possible, if so how?

    "Login credentials" are not related to "using port x to authenticate" - "what is the zone ID (because many can exist)".
    So, in case of doubt, just wipe all portal settings.
    (go even to ssh, start viconfig - wipe everything between <captiveportal> and </captiveportal>, save back, reboot pfsense and set the portal up again.)
    (or export config - edit file with good editor like notepad++, and import back in - and then set up your portal again.)

    The fact that it uses a port like 8001, or 8002 (https) or whatever is just a "behind the screen pfSense" thing.

  • [SOLVED] How to whitelist jquery/js?

    2
    0 Votes
    2 Posts
    2k Views
    Gertjan

    @dylanh724:

    ….. can anyone give me a small guide to whitelist jquery?

    Easy.
    The answer is in front of you  ;)
    Have a look at the source code of your page, and whitelist all needed URLs (or IPs) that are outside of your LAN.

    'jquery' does not have its own 'fire wall rules'.
    It's just a script that needs certain URLs - so whitelist these URLs.
    Now you understand why you should consider putting these scripts locally (but then you keep in mind: if they are updated, you should update your local copies).

    It might be easier to let the user first authenticate, and then let him use all the fancy stuff ….

  • Unauthorized PC can't access local server for server scripting

    1
    0 Votes
    1 Posts
    478 Views
    No one has replied
  • Captive Portal FreeRadius on PFSense 2.2

    1
    0 Votes
    1 Posts
    795 Views
    No one has replied
  • MSCHAPv2: How a shared key is used in auth request

    4
    0 Votes
    4 Posts
    999 Views
    E

    MSCHAPv2 uses a server side digital certificate. With this certificate it creates a secure tunnel. Inside this tunnel it uses CHAP or even PAP authentication.

    Hope this helps. Otherwise google RADIUS + MSCHAPv2. There is a lot of information about it.

  • Location of MAC, Allowed IP Address, Allowed Hostnames in Filesystem

    2
    0 Votes
    2 Posts
    616 Views
    D

    config.xml, as everything else. Do NOT mess with stuff via command line, everything will get lost on reboot. Backup the config, edit and restore.

  • Vouchers

    3
    0 Votes
    3 Posts
    1k Views
    DerelictD

    The more characters in your character set the more bits are represented by each character.  If you reduce the character set to just 0-9 and leave everything the same, your voucher codes will be a lot longer since each character only represents just over 3 bits.

    These are the codes generated with a 31-bit RSA key and just characters 0-9:

    9767485071
    4491872511
    4010085371
    7614876371
    0462301741
    5243682381
    3307579181
    5803371332
    513190794
    634302458

    Same settings, same 31-bit key but with the following character set: 23456789abcdefghijkmnpqrstuvwxyz

    wzig7z3
    zamms3
    qap4t54
    nkrxf8
    8mm4iw3
    6hkyas3
    saz7xh
    zsinyi3
    bybac33
    ks7uzq

    Now we'll include capitals: 23456789abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ

    57TnR
    tuWwW5
    Lc4N93
    L9cXZ
    n39mK5
    QEuvD5
    2ugKX5
    5WYvL3
    ppmEr5
    Mtmab

    I, personally, don't think capitals are worth going from a maximum of 7 characters to a maximum of 6.

  • Captive Portal login with voucher no longer possible since 2.2

    2
    0 Votes
    2 Posts
    819 Views
    D

    Helps to read the nifty release notes and fix your CP pages code…

    https://doc.pfsense.org/index.php/2.2_New_Features_and_Changes#Captive_Portal

  • NEW SETUP - Captive Portal

    6
    0 Votes
    6 Posts
    5k Views
    DerelictD

    It'll do just fine.  Overkill is a matter of opinion.

    You want a rule allowing access from LAN net to "any" not the gateway IP.

    Of course, you want to block access from LAN to anything you don't want your guests to have access to.

    Having access to free software like pfSense, I can't imagine why anyone would want to run the "firewall" built into a DSL modem, but that too is probably a matter of opinion.

    Sorry for the noobness, but I'm trying and the documentation references here are minimal, most to buy the book if you want anything detailed (which I don't like)…

    Hmm.  There are plenty of Captive Portal setup walkthroughs available.  From what you've described so far, it's a simple firewall rule problem.

    https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting

    doc.pfsense.org.  Charge: $0.00

  • IPv6 and captive portal

    3
    0 Votes
    3 Posts
    1k Views
    D

    As noted above, there is no IPv6 support in CP. (Also, I don't create any "default" any->any IPv6 rule on CP interfaces, so the traffic will get blocked by pf no matter what ipfw does.)

  • 2nd client gain internet access without entering voucher after 1st client

    4
    0 Votes
    4 Posts
    881 Views
    Gertjan

    @Ferry:

    ….
    I disabled dhcp in my linksys router

    It's not an idea. It was the only solution.

    If the DHCP server on AP was running then your clients could get an IP that the portal didn't assign. That is NOT good. But, never ever the client can pass the portal interface. It would mean that a client could assign himself an IP (static IP) in the net mask of the portal interface, and he would have a free ride.
    No way.

    If a second client can pass through the portal right away after a first client did login (with a password, voucher, whatever) then all your visitors are using the same IP and MAC. This means that your AP is in router mode.

    You probably deactivated the "router-mode" of your AP.
    That's why everything works now as advertised  ;)

  • Captive portal with ibsng

    7
    0 Votes
    7 Posts
    1k Views
    A

    Thanks a lot. How can I use radius proxy? I did not find any instruction.

  • ByPassing Captive Portal With Proxy

    7
    0 Votes
    7 Posts
    4k Views
    T

    Thanks @Gertjan for that.  I'm actually using the stable version of squid.  I think squid3 beta is the best option for me now though I would prefer the stable version.  I actually need captive portal users to use the proxy server which we heavily do caching.  Thank you everyone!

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.