• [SOLVED]Case Sensitive in CP with local database

    3
    0 Votes
    3 Posts
    1k Views
    jimpJ
    Use some javascript to change it in the HTML on submission, it won't require any changes to pfSense code, just the portal page you upload.
  • Voucher is accepted on Loginpage but it goes back to Loginpage

    2
    0 Votes
    2 Posts
    803 Views
    GertjanG
    Hi, Without telling more about your setup ? Well …. euh ..... no. When a user has logged in, check using this doc page : https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting and double check that you can find the user's IP and MAC in related tables. Is there a reason for the fact you are using a (very) old pfSense version ?? You shouldn't - and if you do, do not ask for help, people that know or knew 2.2.4 upgraded for very logical reasons. No one knows what issues 2.2.4 had back then ....
  • Captive Portal + FreeRadius + Openldap (PhpLdapadmin)

    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Apple's Captive Network Assistant + Bootstrap splash page not working

    5
    0 Votes
    5 Posts
    2k Views
    L
    nah no IPs. I allowed these hostnames: ajax.googleapis.com fonts.googleapis.com maxcdn.bootstrapcdn.com The thing that I can't wrap my head around is that it works in the browser but not this app that pops up "Captive Network Assistant". I also tried allowing the captive.apple.com hostname so device thinks it's got Internet access and there is no more of this pop up but that makes it really inconvenient to authenticate on mobile devices. I guess I am going to have to try and make pure html and css page and see if that does the trick.
  • The internals of Captive Portal - how it works

    9
    0 Votes
    9 Posts
    4k Views
    L
    Yeah cookbook is well a cookbook and nothing more. I am glad you suggested the other book so I ended up getting Pfsense: The Definitive Guide and The Book of PF: A No-Nonsense Guide to the OpenBSD Firewall 3rd Edition. I'll be away for a while now hh ;D
  • Pass-through MAC Auto Entry Only for Users, not for vouchers

    6
    0 Votes
    6 Posts
    4k Views
    GertjanG
    @BGS: The "bits and bytes" solution : Nail down the place where the test is made if a MAC address should be added to the MAC pass-through list. Add your own test that skips the "MAC pass-through" adding part IF the login was done with a "voucher". I don't get this. I'm new at pfsense … sorry ...-.- pfSense is a software product. You actually have 99,99% of the source code at your disposal. So the possibilities are unlimited. I advise you to look for a 4 NIC box.
  • Captive Portal in Iphone

    14
    0 Votes
    14 Posts
    9k Views
    GertjanG
    @johnpoz: ….   I think it's http://captive.apple.com/ but not 100% on that - I believe it looks to see if it can get back a 200 from there, if it doesn't then it assumes it's behind a cp or something like.

    I disconnected from an AP on the LAN (192.168.1.1/24 - my iPhone was using 192.168.1.25). It obtains a 192.168.2.139 (my Captive portal is 192.168.2.1/24). Some non-important local IPv6 handshaking is also present.

    10-06-2016 10:03:20 Local7.Info 192.168.1.1 Oct  6 10:03:24 dhcpd: Reply NA: address 2001:470:1f13:5c0:2::c6 to client with duid 00:01:00:01:14:20:18:e3:b8:ac:6f:47:2c:77 iaid = 246983791 static
    10-06-2016 10:03:20 Local7.Info 192.168.1.1 Oct  6 10:03:24 dhcpd: Renew message from fe80::75cd:7073:d0a4:bc7c port 546, transaction ID 0x1239AA00
    10-06-2016 10:03:20 Local7.Info 192.168.1.1 Oct  6 10:03:24 dhcpd: Sending Reply to fe80::75cd:7073:d0a4:bc7c port 546
    10-06-2016 10:03:21 Local7.Info 192.168.1.1 Oct  6 10:03:24 dhcpd: DHCPREQUEST for 192.168.1.25 from 90:b9:31:77:5e:26 via fxp0: unknown lease 192.168.1.25.
    10-06-2016 10:03:22 Local7.Info 192.168.1.1 Oct  6 10:03:25 dhcpd: DHCPDISCOVER from 90:b9:31:77:5e:26 via sis0
    10-06-2016 10:03:23 Local7.Info 192.168.1.1 Oct  6 10:03:26 dhcpd: DHCPOFFER on 192.168.2.139 to 90:b9:31:77:5e:26 (iPhone-5S-Gertjan) via sis0
    10-06-2016 10:03:24 Local7.Info 192.168.1.1 Oct  6 10:03:27 dhcpd: DHCPREQUEST for 192.168.2.139 (192.168.2.1) from 90:b9:31:77:5e:26 (iPhone-5S-Gertjan) via sis0
    10-06-2016 10:03:24 Local7.Info 192.168.1.1 Oct  6 10:03:27 dhcpd: DHCPACK on 192.168.2.139 to 90:b9:31:77:5e:26 (iPhone-5S-Gertjan) via sis0

    Note : the DHCP server on pfSense tells my iPhone that DNS, Gateway, etc etc == 192.168.2.1 == the Captive portal 'pfsense' interface IP. I'm still figuring out why I should use the DNS from "Google". Upfront, my FAI proposes two DNS's when pfSense opens a WAN connection. They always worked fine.

    It's important to understand that my visitors' devices on the Captive portal have only 'pfsense' as a DNS server. pfSense itself uses the DNS that came with the WAN connection. That is the default setup. Works fine for a decade now. As soon as the link goes up (wifi in this case) the iOS launches an http request to http://captive.apple.com/hotspot-detect.html :

    10-06-2016 10:03:26 Local5.Info 192.168.1.1 Oct  6 10:03:29 pfsense.brit-hotel-fumel.net nginx: 192.168.2.139 - - [06/Oct/2016:10:03:29 +0200] "GET /hotspot-detect.html HTTP/1.0" 302 0 "-" "CaptiveNetworkSupport-346 wispr"
    10-06-2016 10:03:27 Local5.Info 192.168.1.1 Oct  6 10:03:30 pfsense.brit-hotel-fumel.net nginx: 192.168.2.139 - - [06/Oct/2016:10:03:30 +0200] "GET /index.php?zone=cpzone1&redirurl=http%3A%2F%2Fcaptive.apple.com%2Fhotspot-detect.html HTTP/1.0" 200 1536 "-" "CaptiveNetworkSupport-346 wispr"
    10-06-2016 10:03:28 Local5.Info 192.168.1.1 Oct  6 10:03:31 pfsense.brit-hotel-fumel.net nginx: 192.168.2.139 - - [06/Oct/2016:10:03:31 +0200] "GET /hotspot-detect.html HTTP/1.1" 302 5 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0_2 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Mobile/14A456"
    10-06-2016 10:03:29 Local5.Info 192.168.1.1 Oct  6 10:03:32 pfsense.brit-hotel-fumel.net nginx: 192.168.2.139 - - [06/Oct/2016:10:03:32 +0200] "GET /index.php?zone=cpzone1&redirurl=http%3A%2F%2Fcaptive.apple.com%2Fhotspot-detect.html HTTP/1.1" 200 849 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0_2 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Mobile/14A456"
    10-06-2016 10:03:29 Local5.Info 192.168.1.1 Oct  6 10:03:32 pfsense.brit-hotel-fumel.net nginx: 192.168.2.139 - - [06/Oct/2016:10:03:32 +0200] "GET /captiveportal-style.css HTTP/1.1" 200 836 "https://portal.brit-hotel-fumel.net:8003/index.php?zone=cpzone1&redirurl=http%3A%2F%2Fcaptive.apple.com%2Fhotspot-detect.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0_2 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Mobile/14A456"
    10-06-2016 10:03:29 Local5.Info 192.168.1.1 Oct  6 10:03:33 pfsense.brit-hotel-fumel.net nginx: 192.168.2.139 - - [06/Oct/2016:10:03:33 +0200] "GET /hotspot-detect.html HTTP/1.0" 302 0 "-" "CaptiveNetworkSupport-346 wispr"
    10-06-2016 10:03:29 Local5.Info 192.168.1.1 Oct  6 10:03:33 pfsense.brit-hotel-fumel.net nginx: 192.168.2.139 - - [06/Oct/2016:10:03:33 +0200] "GET /index.php?zone=cpzone1&redirurl=http%3A%2F%2Fcaptive.apple.com%2Fhotspot-detect.html HTTP/1.0" 200 1536 "-" "CaptiveNetworkSupport-346 wispr"
    10-06-2016 10:03:35 Local5.Info 192.168.1.1 Oct  6 10:03:39 pfsense.brit-hotel-fumel.net nginx: 192.168.2.139 - - [06/Oct/2016:10:03:39 +0200] "POST /index.php?zone=cpzone1 HTTP/1.1" 200 635 "https://portal.brit-hotel-fumel.net:8003/index.php?zone=cpzone1&redirurl=http%3A%2F%2Fcaptive.apple.com%2Fhotspot-detect.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0_2 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Mobile/14A456"
    10-06-2016 10:03:35 Local5.Info 192.168.1.1 Oct  6 10:03:39 pfsense.brit-hotel-fumel.net nginx: 192.168.2.139 - - [06/Oct/2016:10:03:39 +0200] "GET /hotspot-detect.html HTTP/1.0" 302 0 "-" "CaptiveNetworkSupport-346 wispr"
    10-06-2016 10:03:36 Local5.Info 192.168.1.1 Oct  6 10:03:39 pfsense.brit-hotel-fumel.net nginx: 192.168.2.139 - - [06/Oct/2016:10:03:39 +0200] "GET /index.php?zone=cpzone1&redirurl=http%3A%2F%2Fcaptive.apple.com%2Fhotspot-detect.html HTTP/1.0" 200 1536 "-" "CaptiveNetworkSupport-346 wispr"

    Btw : I'm using https portal authentication. This is just a detail.
  • Captive Portal page on wrong subnet

    4
    0 Votes
    4 Posts
    2k Views
    G
    I was able to get this resolved.  It turned out to be a problem with my switch.  I backed it up, defaulted it and restored the config and everything started working.
  • Vouchers issues

    1
    0 Votes
    1 Posts
    828 Views
    No one has replied
  • Lan users can't connect to internet

    19
    0 Votes
    19 Posts
    4k Views
    GertjanG
    @itchy: Can you provide some more details? This has been taken care of a long time ago. https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting The firewall rules "ipfw" redirect all http requests to the internal web server that displays the login page IF the user's device hasn't been granted access already. If a user's device has been granted access, the firewall rules accessible in the GUI determine what happens. edit : great : I'm actually saying the same thing as Derelict.
  • Cisco > PFsense > Switches

    19
    0 Votes
    19 Posts
    5k Views
    johnpozJ
    You would have to create another pool for your dhcp server on your cisco. http://www.cisco.com/c/en/us/td/docs/ios/12_2/ip/configuration/guide/fipr_c/1cfdhcp.html
  • CP: Need to click twice on connect to get it work? Bug? MacOS?

    5
    0 Votes
    5 Posts
    1k Views
    DerelictD
    https://redmine.pfsense.org/issues/6421
  • Radius MAC Auth works but Android sends advice that there is no Internet

    7
    0 Votes
    7 Posts
    4k Views
    M
    Hi. First of all thanks for your response. I used 1 minute idle time just as an example, but I have done much more testing with different times and same result. When authenticated MAC is not present on Captive Portal / ZONE /MACs because I'm not using MAC passthrough. I'm asking to see if anyone has found a way to get it working because it has become a problem for us. I have worked with other WiFi systems (much more complex) like Aruba and I have never had this problem with MAC auth and Radius server. We don't want to use MAC passthrough because we lose, for example, accounting information. Regards,
  • Captive Portal and OPT1 interface

    3
    0 Votes
    3 Posts
    2k Views
    T
    Hi Gertjan, thank you for replying. What you suggest would work, I'm sure, but we have a policy where management of all assets is done on a specific Vlan (Vlan 20). Unfortunately, I am unable to change that policy, but as it happens, I resolved the issue earlier today, only just got home to update with the solution. I actually had done everything correctly in pfSense, the problem was the guy who had set up the Cisco 3560 had applied all the three vlans to the trunk port as I had requested him to do, but he also had in the Cisco interface config the line 'switchport native vlan 20'. I got him to remove this line and everything now works, so I've spent this afternoon setting up firewall rules blocking access to and from the opt 1 vlan from the lan and wan for security, and blocking access to the management interface from the WAN and LAN interfaces too. Tomorrow will be the big test day, but I quickly checked everything before I left and it seems to work perfectly, only access the webgui and ssh from vlan 20 and nowhere else. Thank you again for the suggestion. Regards, Tony.
  • Captive Portal - characters supported?

    1
    0 Votes
    1 Posts
    748 Views
    No one has replied
  • How can I refresh the CP Allowed Hostnames IPs table

    2
    0 Votes
    2 Posts
    815 Views
    GertjanG
    Hi, Why ? Your captive portal is on a boat or plane ?  :) I advise you to check it out with a host name that changes often (some kind of DDNS host). You'll be in for a surprise. You can see it in action here : enter SSH, and type

    ps aux | grep 'filter'

    You will find :

    root      16520  0.0  0.1  23096  2708  -  Is    2Aug16      0:18.58 /usr/local/sbin/filterdns -p /var/run/filterdns-[ZONE]-cpah.pid -i 300 -c /var/etc/filterdns-cpzone1-captiveportal.conf -y 2 -d 1

    which means : Every 5 minutes, resolve all host names from the file "/var/etc/filterdns-[ZONE]-captiveportal.conf" and write (change) the IPs into the captive portal's "ipfw" (the captive portal firewall). Also, check out this file

    cat /var/etc/filterdns-[ZONE]-captiveportal.conf

    (change [ZONE] for your zone name) this is the list with the host names you entered into the list used by your captive portal. So, the final answer to the question "How can I refresh the CP Allowed Hostnames IPs table" is : you don't, it has already been taken care of.
  • Captive Portal weirdness - client not being redirected to login page

    10
    0 Votes
    10 Posts
    2k Views
    J
    Have you tried to add the VPNs DNS IPs to the Allowed IP Addresses? If that works then you may request a feature to pfsense CP for having a per MAC address Allowed IP Addresses.
  • Captive Portal with no authentication works on clients but not on server

    17
    0 Votes
    17 Posts
    4k Views
    J
    I realize that the CP can not be active for the DC/DNS.  The DNS needs continuous and full access to the internet to be able to resolve the addresses. If CP were active the DNS will fail and therefore every machine pointing to that DNS will fail. So not working CP in this DC/DNS is probably an intentional design in pfsense. I guess that if I want to control some bandwidth in this server I will have to add its MAC address in the CP and somehow hardwire the MAC to freeradius.  That is for another thread.
  • Captive portal not working with some domains

    4
    0 Votes
    4 Posts
    2k Views
    A
    So the problem solved itself. Probably it needed a while to let the changes take effect at all clients. Some web pages still didn't redirect to cp login, but it showed up it's because of https…
  • Captive portal login issue

    3
    0 Votes
    3 Posts
    2k Views
    N
    First of all thank you for your answer. To start, it's good to know it's a normal behaviour of pfsense that you need to use http, just what can I do so that when someone logs in to the network they get the login page first before typing a http page? Use http connection with a certificate? Just need to find a way so when opening a page it gets redirected to login page, any ideas?

    To give some more info on everything: I tested mostly on a wired connection to see if CP would work. While this would not be my setup later and guests can ONLY connect through WIFI, I am using my mobile and laptop to test the rest.

    1: my mobile, when wifi is off and I enable it I will be redirected to the CP login page, this works even when there is a timeout in the connection, a refresh page or new page will redirect to login page. Just my own phone, it stopped working while my tablet doesn't.

    2: on my laptop when I connect it gives me a DNS that I don't have listed in pfsense anywhere. When I manually enter the correct DNS and then use a http site I get the login page as well. Only this is not the way I need it. For some reason I do not get it configured that when I enable wifi on the laptop it gets the right DNS. Enabled DNS forwarder and entered the DNS that shows on the first page of pfsense in CP and in DHCP but no luck on that yet, it still gives the same DNS 192.168.3.100 while it should be 192.168.3.254 to get the internet working.

    I did a complete reinstall for some reasons because I had also some packages installed like squid proxy and other stuff, after the reinstall wireless gets a proper DNS without having DNS forwarder enabled.

    For the 404 page, when you enter the user and pass you get a redirect page only it does not redirect, after login I get IP:8002/www.domainname.com and I use the original login page from pfsense. Normally it should redirect to the domain but it isn't.

    Found the solution that it redirects to the proper page, I had www.domainname.com but it has to be http://www.domainname.com so it will be redirected.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.