@-mike-: what I'd like to do is remove this speed limit for any files that are already stored within squid. Is this possible? Check ZPH (Zero Penalty Hit) http://wiki.squid-cache.org/Features/QualityOfService

The problem solved.  My fault.  I had set up networking on my client computer to get the IP only from dhcp and I had given it the dns ip specifically to be the ip of the broadband router/modem. Thanks for all the help.  The more I look at pfSense, the better it looks! Jodel

Hi, thank oyu for your feedback. I will of course update to 2.0.3 if it is released. I know that there were many fixes. @dhatz I thought that Hard Timeout is an independent CP feature. Re-authenticate users every minute will spam my RADIUS even if its possible that it will work. What do you think - could Session-Timeout enabled on CP and set on RADIUS solve this problem ? Thanks

for 1:1 NAT configuration I tried to use as a type Internal IP = WAN address, I do not have an alias for this value (only "single host IP" or "WAN address") but I still have the same problem on the server pfSesne backup (GW unreachable "Offline"). It looks like a bug in pfSense synchronization between the primary and backup configuration CARP / VIPs or 1:1 NAT Everything works if I use "NAT Outbound" with: Interface = WAN Protocol = UDP Source Type = Network Source Address = 62.xxx.xxx.96/28 Destination = any Translation = 62.xxx.xxx.100 (CARP WAN) I run other tests

about freeradius you can use freeTDS libraries to connect to ms-sql. you can enable radius accounting to know when users disconnects as well as session informations such as time spent online or data transferred.

The image is being pulled from a host which is accessible from behind the captive portal?  I would double check this.  Also, you might want to tail your web server log file while you load the page and see if you get any error messages associated with the request.

I am querying a mysql server that is NOT running on the pfsense machine.  Pretty straightforward stuff.

hum.. looks like your "variable name"``` JiQlJzkkJzkkJj8mJjEnVScgMSdVICExI1cxI1cjJiUlIiYjICQsJiIsJCIkIiMxI1cxI1cnOiEl.MSNXMSNXJiQkMSNXMSNXfWA5XUAxI1cxI1ckMSRQMSRVJDEmJyAxI1cxI1clMSYnIScxI1cxI1cl.MSYnISMxI1cxI1cmMSYnISwxI1cxI1clMSYnIS0xI1cxI1clMSYnIiQxI1cxI1clMSYnIiUxI1cx.I1clMSYnIiIxI1cxI1clMSYnLCUxI1cxI1clMSYnLCMxI1cxI1clMSYnLCIxI1cxI1clMSYnJiQk.MSNXMSNXJjEmJyYlJDEjVzEjVyIxJicmJSExI1cxI1clJSMsLDEmJyYlIjEjVzEjVyUtJSwhJjEm.JyUkJCQxI1cxI1d9YA can be split in lines after the dots "." JiQlJzkkJzkkJj8mJjEnVScgMSdVICExI1cxI1cjJiUlIiYjICQsJiIsJCIkIiMxI1cxI1cnOiEl. MSNXMSNXJiQkMSNXMSNXfWA5XUAxI1cxI1ckMSRQMSRVJDEmJyAxI1cxI1clMSYnIScxI1cxI1cl. MSYnISMxI1cxI1cmMSYnISwxI1cxI1clMSYnIS0xI1cxI1clMSYnIiQxI1cxI1clMSYnIiUxI1cx. I1clMSYnIiIxI1cxI1clMSYnLCUxI1cxI1clMSYnLCMxI1cxI1clMSYnLCIxI1cxI1clMSYnJiQk. MSNXMSNXJjEmJyYlJDEjVzEjVyIxJicmJSExI1cxI1clJSMsLDEmJyYlIjEjVzEjVyUtJSwhJjEm. JyUkJCQxI1cxI1d9YA excluding the dots the line is 76 chars long (RFC 1521 states it have to be the length of base64 output stream). delete dots and pad it with "=" JiQlJzkkJzkkJj8mJjEnVScgMSdVICExI1cxI1cjJiUlIiYjICQsJiIsJCIkIiMxI1cxI1cnOiEl MSNXMSNXJiQkMSNXMSNXfWA5XUAxI1cxI1ckMSRQMSRVJDEmJyAxI1cxI1clMSYnIScxI1cxI1cl MSYnISMxI1cxI1cmMSYnISwxI1cxI1clMSYnIS0xI1cxI1clMSYnIiQxI1cxI1clMSYnIiUxI1cx I1clMSYnIiIxI1cxI1clMSYnLCUxI1cxI1clMSYnLCMxI1cxI1clMSYnLCIxI1cxI1clMSYnJiQk MSNXMSNXJjEmJyYlJDEjVzEjVyIxJicmJSExI1cxI1clJSMsLDEmJyYlIjEjVzEjVyUtJSwhJjEm JyUkJCQxI1cxI1d9YA== base64 decode and see what 'file' magic looks like: echo -n "JiQlJzkkJzkkJj8mJjEnVScgMSdVICExI1cxI1cjJiUlIiYjICQsJiIsJCIkIiMxI1cxI1cnOiElMSNXMSNXJiQkMSNXMSNXfWA5XUAxI1cxI1ckMSRQMSRVJDEmJyAxI1cxI1clMSYnIScxI1cxI1clMSYnISMxI1cxI1cmMSYnISwxI1cxI1clMSYnIS0xI1cxI1clMSYnIiQxI1cxI1clMSYnIiUxI1cxI1clMSYnIiIxI1cxI1clMSYnLCUxI1cxI1clMSYnLCMxI1cxI1clMSYnLCIxI1cxI1clMSYnJiQkMSNXMSNXJjEmJyYlJDEjVzEjVyIxJicmJSExI1cxI1clJSMsLDEmJyYlIjEjVzEjVyUtJSwhJjEmJyUkJCQxI1cxI1d9YA==" | base64 -d | file - /dev/stdin: Sendmail frozen configuration  - version ' 1'U !1#W1#W#&%%"&# $,&",$"$"# So it's not an attacker but maybe some users with the mail client hitting the Captive Portal.

When running a -PRERELEASE, -BETA, -RC, etc, it is always best practice to update to the latest available version before posting/reporting issues.

My guess is that it is telling you 20034 and 20035 are not MAC addresses. What are you trying to do and why aren't you using the GUI to do it? (Changes made outside the GUI will not be preserved across reboot.)

You were right wallabybob, I wasn't using the correct image. SOLVED

Thanks for your reply. Both pfsense and the radius server itself are managed by ntp (pfsense relies on 2 external servers and the radius server on the ntp server of pfsense). The radius database server runs on a different machine. The database server's time keeping is less accurate, but I guess this is less relevant. Or is this a wrong assumption? Jan

CP is blocking access to the port forward – it blocks inbound and outbound. You could add an "allowed IP address" entry for it but using only the "to" direction, then things can reach it from outside, but it can't get out itself.

where did you add this script? minicron says nothing to me.. i only know cron.

This setting limits the number of concurrent connections to the captive portal HTTP(S) server. This does not set how many users can be logged in to the captive portal, but rather how many users can load the portal page or authenticate at the same time! Default is 4 connections per client IP address, with a total maximum of 16 connections. I my system (2.0.1-RELEASE & 1.2.3-RC1 ) default is 4 and 1.2.3-RC1 i can chaged it to below 4. do i miss something?

Yea the more I think about it that is the only way I am going to get it to work.  I already have the radius server setup doing authentication for my wireless and it was my intent to use it for this as well.  Just thought captive portal may have been easier but I can't think of a way to do it since I can't have multiple trunks to the firewall with the same VLANs them.

Well, we have several different set ups and scenarios. Not all of the locations require a Terms of Service and sometimes they do not want one! They just want the user to be directed to their website when they first connect to the wireless, but that's it. They want to advertise their website to the end users- not to create any sort of binding contract. While I do not recommend modifying pfSense unless you know what you're doing- and always recommend creating a backup before modifying any file(s), I'll share my personal work around: OPEN "/usr/local/captiveportal/index.php" FIND: LINE 228 } else { PASTE ABOVE THIS LINE: } else if (strpos($_GET['redirurl'], 'accept=yes') !== false && $clientip && $config['captiveportal']['auth_method'] == "none") {     captiveportal_logportalauth("unauthenticated",$clientmac,$clientip,"ACCEPT");     portal_allow($clientip, $clientmac, "unauthenticated"); SAVE THE FILE Now change your captive portal page to this: if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off') { $url = "https://{$_SERVER['SERVER_ADDR']}:" . $_SERVER['SERVER_PORT'] . "/index.php?accept=yes"; } else { $url = "http://{$_SERVER['SERVER_ADDR']}:" . $_SERVER['SERVER_PORT'] . "/index.php?accept=yes"; } header("Location: $url"); ?> Then with Captive Portal enabled and "No Authentication" selected, the end user is authenticated and redirected to the "After authentication Redirection URL" just like I want! :)

Do not use mac address filtering and only base it on ip.

You are trying to redirect https connection to http server of pfsense. That is just an encrypted session trying to be forwarded by pfSense. Just ignore it for the moment since there is nothing to do about it.

@wallabybob: @ellors: How do I change the thread title so it could say "[SOLVED]" ? I believe if the post is not "too old" you can modify it through the Modify menu item Mmmmm too bad that the first post does not show a Modify menu. Thank you for your suggestion.