No. Not until someone writes proper hooks for ipfw to be used in packages. Cf. https://redmine.pfsense.org/issues/5594

Thanks will look into it

@doktornotor: CP and Squid in transparent mode will NOT work. Thank you very much!

FreeRADIUS on pfSense? You can't. If you use it externally, there might be a GUI that lets you do that somewhere, but it's not a pfSense feature, it would be some other bit of software.

When trying to connect to WIFI with mobile devices it just hangs in "Connecting WiFi" page and not get redirected to captive portal. During this time shouldn't I be able to connect to captive portal by manually typing the captive portal URL. When I do so on mobile, it says connection refused.

Not possible. Anyone with access to page-system-usermanager is effectively root.

No it didn't. It is simply not possible to get in the middle of an HTTPS connection and not generate a certificate error unless you can mint a certificate for the original destination signed by a CA trusted on the device. And even then you are hampered by certificate pinning, etc. I would love to see the certificate generated by the captive portal that was presented when you tried to go to a regular, global HTTPS site and got the portal instead without a cert error being presented.

in sys file there is a method like below, in it I set. That method produces nginx config file. function system_generate_nginx_config(…) .... events {     worker_connections  1024;   **  multi_accept on;** } …. When I set "multi_accept on;" will it cause any problem? NOTE: The web sites about nginx saying like below about "multi_accept on;": We've enabled multi_accept which causes nginx to attempt to immediately accept as many connections as it can. The option multi_accept makes the worker process accept all new connections instead of serving on at a time. If multi_accept is disabled, a worker process will accept one new connection at a time. Otherwise, a worker process will accept all new connections at a time.

@haydin81: Squid3-dev–->"non-transparent", Patch captive portal" checked, "authentication-captive portal" Captive Portal--> enabled, "authentication-radius" checked"disable mac filtering" while state that, 1. if a user open explorer without proxy settings, he can access captive portal login page(of course some firewall rule added) 2. if a user open explorer with proxy settings, he cant open access captive portal and no access to internet (why?) 3. if a user open explorer without proxy settings and login captive portal (note.1), he can access internet with proxy settings explorer. Help me!! Hi, I'm with the same problem. But, pfsense 2.3.2-RELEASE-p1, package squid 0.4.29_1. Has anyone made work non-transparent proxy + captive portal? –- edit I solved the problem editing the error page (/usr/local/etc/squid/errors/.../ERR_ACCESS_DENIED) to redirect to captive portal. But the user needs to access some http page, not https, because the browser blocks https redirection.

That is a problem in Android. After login  the redirect url will crash right? I have captive portal set on other gateways not pfsense and also do this on Android, It is a known problem.

hi there again, I played around with 2.3.2 in my lab and figured it out. The old cp portal works flawless by adding the allowed ip "192.168.0.0/16", of course the pfSense interface / LAN Subnet my clients are using is in this range. With 2.3.2 a client can access any ip without authentication as soon as the LAN subnet is added unter "allowed ip", which is used by the captive portal clients. in my case: setup all needed subnets manually, and add new one over time add all subnets manually in this range except the one of the captive portal clients

@sonidoP: Try URL: http://x.x.x.x:8002/index.php?zone=cp_guest (ref: https://forum.pfsense.org/index.php?topic=110073.30 ) with blank page result. Like that ? Your captive zone 'name' in question is really "cp_guest" ? The port used by pfSense is really "8002" (mine is 8003 for https and 8002 for http - you can't chose them, they are assigned by pfSense when creating portals) If "http://x.x.x.x:8002/index.php?zone=cp_guest" doesn't work, you have two possibilities : You portal doesn't work -> make it work first. Visiting "http://x.x.x.x" (your captive portal address) should redirect you to … as said here : https://forum.pfsense.org/index.php?topic=110073.msg679281#msg679281 Check your port number and zone name - it should be EXACT. @sonidoP: There is little documentation of the Pre-authentication procedure in version 2.3.2-RELEASE-p1, Someone could tell me if the process is correct? As said here https://doc.pfsense.org/index.php/Captive_Portal_Pre-authentication_Redirect and as you might guess, this page isn't really maintained, and rather tricky to use.

The file must somehow be listed multiple times in /usr/local/etc/php/extensions.ini

Don't put your wifi users behind routers. Put them behind access points (bridges) so the captive portal sees both the client MAC address and IP address.

@The: Just a quick warning about this… Apple in their wisdom, ..... .... see the "Success" page at Apple. Hummm. I remember. I tried to create a "logout URL", easy to remember for the visitor, so a "popup page" wasn't needed anymore. Juste type something like "logout.my-portal-pfsense.tld" and the user was logged out, no matter what. A very nice solution for those who like to $$ their connection. The "session ID" has to be stored using a Cookie …. or, as you said, Apple lauches a crippled Safari browser that discards all info (among them : Cookies). There is a huge thread somewhere in this part of the forum about this subject.