@ermal: Now you can allow by dns name access in CP. This is on 2.0 latest snapshots. I tried the snapshot of 23 Feb 2011 on a Dell GX620 with one additional card (standard stock) and 1 Gig of ram. the software loaded without a hitch. I configured the captive portal (no users) and checked if it was possible to get to the internet and the answer was : display of the login to the captive portal (good) nothing configured in the captive portal –> no email in thunderbird going in or sending out (using imap.gmail.com and smtp.gmail.com) configured the captive portal --> allow host names and configured in one direction (from ) to allow the imap and smtp service on gmail thunderbird was able to receive and send emails while internet was still blocked –--------> success story!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! next question : how far are we from a release of the version 2 as I want to install this as soon as possible. I probably will install the snapshot already at the factory hoping it is stable enough? I normally have squid running and litesquid for reporting and a cron task to rotate the log files 15 users with no internet but email 10 users on captive portal 10 users not going through the proxy Philip

I know that the solution is not going to be that easy for you to do via pfsense.  Another solution which might help you would be something like http://www.hotspotsystem.com/.  You load the firmware up on your wireless access point and then set up the account.  Lots of solutions for CP pay for services, just search around.

@cmb: It's as secure as you're going to get at the gateway level. Your infrastructure at layer 2 (switch and/or AP) has to handle any other bad things that people try to do as that's beyond the firewall's control. +1 - Get better switches

hi there. i am on pfSense 2.0-BETA5-pfSense (i386)  still the same the voucher time does not stop even the user has logout. A user with 30 minutes voucher time and logout after 10 minutes, when the user comes back after 20 minutes the account is already expired. It is supposed to be the user still can login because it has a 20 minutes remaining. Hope this feature would be included in the next or future release. regards, sarhento

Thank you, muchly appreciated  ;D

If CP doesn't redirect it's one of two things, you either aren't allowing the initial HTTP request in your firewall rules on that interface, or your DNS isn't functional.

Man, almost a whole day of messing with this and it turns out that the CA/chain file I downloaded was in DOS format (CRLF rather than just CR).  I ran it through "dos2unix" and re-copied it and all is well.  cat -v is your friend!

wow this is great and is a much needed feature captive portal cannot do without however – doing this for like 100 or so users is very tedious.  >:(

I run a captive portal with HTTPS auth that handles about 150 concurrent users on version 1.2.3.  If you can get it to run in 2.0 I would recommend it only because most certificate authorities use intermediate certs that you would need to put in the chained certs field.  In my case that meant patching the GUI because the webserver supports it but the GUI did not.  If you can't use 2.0, here's the link for the patch. http://forum.pfsense.org/index.php?topic=10888.0 Worked great, now I can use the Comodo wildcard cert we bought for our domain.  Good luck.

This does not work… if ($_POST['logout_id']) {    echo << <eod<br><title>Disconnecting…</title> You have been disconnected. EOD;    register_shutdown_function(disconnect_client,$_POST['logout_id']);    exit; –- As stated before the only thing that I have been able to make work is this... --- index.php 2011-02-06 16:24:13.000000000 +0000 +++ index.php.new 2011-02-06 16:16:27.000000000 +0000 @@ -412,29 +412,7 @@  */ function disconnect_client($sessionid, $logoutReason = "LOGOUT", $term_cause = 1) { global $g, $config; $cplock = lock('captiveportal'); /* read database */ $cpdb = captiveportal_read_db(); $radiusservers = captiveportal_get_radius_servers(); /* find entry */ for ($i = 0; $i < count($cpdb); $i++) { if ($cpdb[$i][5] == $sessionid) { captiveportal_disconnect($cpdb[$i],$radiusservers, $term_cause); captiveportal_logportalauth($cpdb[$i][4],$cpdb[$i][3],$cpdb[$i][2],$logoutReason); unset($cpdb[$i]); break; } } /* write database */ captiveportal_write_db($cpdb); unlock($cplock); mwexec_bg("/usr/local/captiveportal/captiveportal-disconnect.php $sessionid $logoutReason $term_cause"); } Where /usr/local/www/captiveportal/captiveportal-disconnect.php contains the following –- #!/usr/local/bin/php -f require_once("functions.inc"); global $g, $config; $sessionid = $argv[1]; $logoutReason = $argv[2]; $term_cause = $argv[3]; if ( $argc != 4 ||  $sessionid == "" || logoutReason == "" || $term_cause == "" )    exit; echo "$sessionid $logoutReason $term_cause"; $cplock = lock('captiveportal'); /* read database */ $cpdb = captiveportal_read_db(); $radiusservers = captiveportal_get_radius_servers(); /* find entry */ for ($i = 0; $i < count($cpdb); $i++) {    if ($cpdb[$i][5] == $sessionid) {        captiveportal_disconnect($cpdb[$i],$radiusservers, $term_cause);        captiveportal_logportalauth($cpdb[$i][4],$cpdb[$i][3],$cpdb[$i][2],$logoutReason);        unset($cpdb[$i]);        break;    } } /* write database */ captiveportal_write_db($cpdb); unlock($cplock); ?> –-</eod<br>

this sounds like what we are after.  If you've got this working any chance of a walkthrough?

If i'm not mistaken, you can run PHP code in your CP login page.. so your CP login page can have a php code to check user_agent / browser  and redirect user to another CP login page based on that.. if you can only run 1 page for CP (as i see in pFSense) then you can try embedded iframe for that CP page and load pages from external (but still on the PFsense publicly accessible folder www/)

seems to be a little un-understandable if the users do not buy a voucher, they may use the wlan for free to see only one Domain. Nothing else but one single Homepage (and the login…) If someone is buying a voucher, he is allowed to access all the www... and sorry: My linux-knowledge and also my english is really not perfect...

I lowered the MTU enough but now CP will not even show the login screen. Something happened though because I lost the ability to surf to any webmail sites. I had to reboot to regain access to any webmail. I was planning on waiting til 2.0 is ready for production.

I dont know if its possible with the actual system of vouchers, because if u change the  key al the roll mess up. The easy way (but not full automatic) its generate a lot of rolls of what u need and put the csv in the system of sales, and comment line to line when a voucher its sold.

Hi, I do this with a small Routerboard and a Monowall in VM, just Captive Portal without Authentication and as landing Page: PAY YOUR BILL OR …........ RB450G, one firewall mangle rule: chain prerouting, source address (ip of the not paying guy), action: mark routing, new routing mark "payurbill", one ip-route (new route, 0.0.0.0/0,  mono-VM as gateway, routing mark="payurbill" --> voila I use m0n0 as it only uses 64 MB RAM in VM, 50% RAM free, no noticeable cpu requirements, should work with PFSENSE too, but 128 MB RAM. Or try the 2.0 BETA (!) with multiple captive portals, only one other interface or VLAN (Not tried the VLAN thing) for another captive portal (I do not know if you can have differenet landing pages for different CP'S on different Interfaces though...) If you dont like VM, a alix board (150$) with 3 lan interfaces, even the smaller one with 433 MHz Geode and 128 MB RAM is sufficiant for >10 Mbit/s throughput with either PFSENSE or m0n0. Uses around 5 W of power, very small footprint, rackmounts available....