Users get added to one of the tables, they no longer get their own ipfw rules. List the tables to see what's permitted.

Thank you for your answer. I will get back if further assistance is needed. Best regards Kostas

I'm happy with my HP/Procurve 1700-8 (7x 10/100 ports, 1x10/100/1000 port). Other cheap VLAN capable switches I know of (but no experience with) are Mikrotik RB250GS (5 x 10/100/1000 ports), TP-Link TL-SL2210WEB (8 x 10/100 ports, 1 x 10/100/1000 port, 1 SPF port).

FIG 2  

Ermal, Thanks for your help! Yes, it just my own mistakes. Accidentally put the ip address in the "Allowed IP Addresses". Regards, Rimbb

how can  permanently modify php.ini.??? At every restart pfsense put a fresh copy of  the php.ini files with default configuration.

Hi, Im also looking near the same approach. I want to allowed everybody using wifi with 'No Authentication' but only after submission of email address.

@wallabybob: What authentication method? (user name and password? voucher? radius?) What timeout? Username and password.  No voucher or radius.  No idle timeout.  Hard timeout set to 60 mins.  The default settings. @miles267: However on day 2, the same client connects to the access point (open, no encryption), but is not prompted to authenticate through the captive portal.  As a result, they cannot browse the web at all. Did the client attempt to browse the web and fail OR did they not see the authentication page and conclude they wouldn't be able to browse the web? The client closed their browser, went to sleep then powered back on and re-launched browser.  Was never prompted to re-login to captive portal and was unable to browse any web page.  Tried to ipconfig /release and ipconfig /renew and browse again without success.  Then, rebooted the client PC and was once against prompted for captive portal login. @miles267: I've tried to ipconfig /release and /renew on the problematic machine without success.  Even tried to flush the temporary internet cache files on the problematic PC and it still didn't work.  What causes this? Maybe the client needs to get a new IP address to be forced to authenticate and the DHCP server just renewed the old address. I suspect the client didn't logout and just reconnected before the captive portal session timed out. I typically do not manually logout of the captive portal.  Just assumed the captive portal would handle the logout and prompting for credential when appropriate.  In the event users neglect to click a logout option. I've been using CP for some months now and not seen any problem with vouchers not timing out. (I've been testing with 5 hour voucher timeout.) When I haven't had my voucher codes handy I have logged in with (local) username and password and that definitely times out after a while. I didn't set a timeout for local username and password and haven't looked at the setting but I would guess that the timeout period is more than a day. Are there any recommended parameters for username/password authentication?  as far as idle and hard timeouts, etc.?  Thanks.

Yep  :D I think i remember reading somewhere that its possible in the underlying software but just not in the GUI. So maybe ina future version.

@wallabybob: I don't know if GRE tunnels are supported on your APs; they are on pfSense. See pfSense man page on gre - http://www.freebsd.org/cgi/man.cgi?query=gre&apropos=0&sektion=0&manpath=FreeBSD+8.2-RELEASE&arch=default&format=html GRE tunnels apparently don't use encryption so should be a lighter load on AP CPU and pfSense server CPU than a VPN. Well..dd-wrt doesn't support it on the webgui, however it's linux, so it's probably possible. But looks like the newer firmwares doing it differently (2.4 vs 2.6 kernel). I don't feel the power in me to do it by hand… i'm sure it gets worse eventually :) thx

Thanks for the confirmation. (looks like I'll have to do some convincing to get some $$$ allocated).

@broncoBrad: Is there any way to combine it into one login maintaining that level of encryption/security? I don't really want to be giving my wireless AP password out. I mean it's not that big of a deal, but if I'm going to give out the AP password I mind as well just use captive portal as a bandwidth limiter instead of user login. Thoughts? I think you can still have WPA encryption without having to have an AP password. Some wireless hardware support 1 or more AP's, so you can have a guest AP with the captive portal and segregate that from your LAN. So in essence it doesn't matter if you have to give out your guest AP password.

Hi, I have been used an Ipad 2 (iOs 4.3.5) with the CP and everything worked fine. @puka1: When you connect to your wireless network on your ipad it automatically brings up a splash screen to sign in. I then enter my password (my user is set by default in the splash page). This didn't happen to me with pfsense CP, but with other CP it happens. When i attempt to navigate in safari, I became redirected to the CP page and after loggin I can navigate without problems.

this can be marked as solved, I did some further digging and what I found was that the mac address of the user that was logged in DID NOT match my laptop wireless adapter MAC address, it matched the WAP instead, so I had to use the option "DISABLE MAC FILTERING", which for me is ok as I won't be using "PASS-THROUGH MAC"

Basically, I have a guest user that has a userid of 2001.  I put this script in the /etc folder as rc.password.guest and made a cron job to execute it weekly.  I have added a little bit to the end of the script that emails this guest password to a distribution list, so our conference room admins have the password every week.  They give it out to vendors and guests so they can use wireless in the conference rooms.

Did u try the proxy server Squid?