• Allow login windows live messenger (msn) before auth by CP?

    Locked
    5
    0 Votes
    5 Posts
    5k Views
    C
    I've found a workaround solution, since my pfSense has both CP and transparent proxy enabled. I just go to Skype -> Option -> Connection, empty all check boxes, choose proxy type HTTPS and fill in my pfSense LAN IP and Squid listening port (I've changed it to something other than 8080 or 3128), and Skype can successfully connect.  ;D This is not a good solution since some users may notice and try this IP/port in the IE proxy settings. I'm now thinking about having another dedicated proxy server to take care of all Skype connections and control the HTTP filtering there. The problem is how to indicate which traffic is from Skype. Maybe a regex on MIME type should work.  8) PS. I've tried this on MSN, but MSN allows proxy settings through IE only. There is a SOCKS5 option which I have never tried yet.
  • Pfsense + FreeRadius [NAS ID]

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    D
    Up please
  • Captive portal w/ images and css

    Locked
    7
    0 Votes
    7 Posts
    19k Views
    H
    Dear Briantist, I'm so thankful .. maybe I forgot this option "File Manager", such as the same thing that I tried before. File Manager puts files in /var/cb/cpelements, but when I tried to refresh the login page the images simply didn't work. But finally everything works =) really really thanks. Now CP works w/ images and css. Closed case. Regards, Heitor Lessa
  • Captive portal with auth from AD on the WAN side

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    C
    We do something similar at my university.  However, for security I'd try a different approach: LAN - Wireless APs; WAN - Actual connection out through modem; OPT1 - Internal network. This is what I use at this school and it works great.  Just set up a RADIUS server on any machine on the internal network and point the captive portal at it for RADIUS auth.  Setting up IAS is pretty easy, and NPS is even easier if you feel like moving to Server 2008. Quick note - double check the ports that you're using in IAS.  W2k3 doesn't use the same ports that pfSense does by default and that messed me up for a bit on my first setup. Combine it with decent traffic shaping and consider Snort to fulfill your "we tried to stop them" legal requirements for p2p prevention.
  • Captive portal Authen different machine with FreeRadius+mysql

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • 0 Votes
    3 Posts
    3k Views
    B
    If you don't need squid on that interface, just disable it from listening on that interface. If you do need squid, but it's running transparently, try blocking access on that interface to port 3128. Of course in both cases I'm assuming you're running CP on an OPT and that it would be feasible to block only those users on that interface.
  • Dual wan employee wan1 visitors wan2

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    GruensFroeschli
    You create an alias containing all the IPs of your "internal" users. Then create an alias containing the IP range of your "external" users. Set the DHCP to assign unknown users an IP out of the "external users" range. All your internal users are configured on the DHCP server to always get the same IP. When creating a firewall rule you can define to which gateway you want to send traffic. Now create two rules. One for the internal users and one for the external users. Of course if an external user manually assigns an IP out of the "internal users" range he can use the other WAN. But from the way you describe it (since you allow guests on the same network as employees) security isn't that much of a concern for you.
  • Multiple Networks Captive Portal?

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Change "re-authenticate every" interval

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Pass-through MAC vs NAT reflection

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • DHCP on OPT1 with Captive Portal

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    Gertjan
    Opt1 shouldn't be bridged with the LAN NIC. Opt1 should have its own DHCP server. If using an AP, it should be in real 'AP mode' - shut down natting, firewall, dhcp. It should behave like a switch.
  • Captive portal behind squid?

    Locked
    12
    0 Votes
    12 Posts
    7k Views
    H
    @rhy7s: @Heitor: Periko, I'm running squid (transparent) w/ squidGuard and CP w/ Radius too, everything works fine. Att. Heitor Lessa Blog -> http://tinodiaadia.wordpress.com This happened when I was using version 1.2.2.. but when I upgraded to 1.2.3-RELEASE it works fine. But.. I use CP + RADIUS w/ transparent proxy, following this tutorial -> http://files.pfsense.org/tutorials/cp_config/radius_win2k3.htm Att. Heitor Lessa Blog -> http://tinodiaadia.wordpress.com That's cool, you haven't noticed any delays like http://forum.pfsense.org/index.php/topic,11105.0.html?
  • Captive Portal with Radius

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    H
    @Glennbones: Hi all, I have a very strange problem with captive portal. I had a running pfSense with captive portal and RADIUS authenticating to a Windows 2003 server, and no problem whatsoever. Then yesterday the captive portal stopped working and stopped presenting the logon page. I went to the pfSense webconfigurator to see if something was wrong; nothing seemed wrong, but when I disabled captive portal the webconfigurator froze. I went to an SSH login and tried to restart the webconfigurator but no luck, then I rebooted the pfSense and then I could configure it again. I tried to enable captive portal again, and it went OK, but again the logon page didn't display. I went to the webconfigurator again and disabled the captive portal and again the webconfigurator froze up. Again I logged in with SSH and tried to restart the webconfigurator, same problem, it will not restart the webconfigurator, so I again restarted the pfSense firewall. This problem is still the same: I can't get it to display the logon page, and if I do and people try to log on they do not get redirected through, as the pfSense freezes up, and the only thing to do now is reboot the server and disable the captive portal and then people can get on the internet, but I need the captive portal so I can control the login for the users. I have heard that there should be a problem with squid and captive portal, and I am using squid to block several internet pages and see what users are going in on, and it is set up as a transparent proxy, but I don't know if this is part of that problem. But it is strange that a running captive portal suddenly stops working and doesn't display the logon page, and I can't restart the webconfigurator or do anything in the webconfigurator if I touch the captive portal part, if I enable that. I hope someone here can help. If need additional info please let me know in maybe could address my problem. When the WebGUI froze, have you ever tried to kill the lighttpd process via SSH and start it again? Look for anything in the system logs or log messages on the system via SSH and post it again, pls. Att. Heitor Lessa Blog -> http://tinodiaadia.wordpress.com
  • 0 Votes
    3 Posts
    4k Views
    H
    I believe that isn't possible… but I hope that one moderator or another person has a response about it. Att. Heitor Lessa Blog -> http://tinodiaadia.wordpress.com
  • Captive portal and network security

    Locked
    6
    0 Votes
    6 Posts
    5k Views
    S
    Nomadix handles this in an interesting way. Their gateway does ARP spoofing for every address it hears an ARP request or broadcast for. Wonder if this can be done with ebtables as well at the gateway. OR a rewrite of proxyarp.
  • What sort of encryption does radius authentication use?

    Locked
    4
    0 Votes
    4 Posts
    4k Views
    ?
    Well, that's a way of doing it of course, it's kind of a complicated setup just because it doesn't support secure auth. Besides, I don't think captive portal supports authentication checks against 2 Active Directories (if it's not in the first then it checks the second one), or does it? I really wouldn't mind swapping out the Astaro but it seems hard to do atm :/ /F
  • Captive portal and pptp firewall rules?

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Cannot redirect to authentication page ?

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    C
    @denis31: Same problem here. Captive Portal doesn't work on OPT* interfaces (unless I call http://<pfsenseip>:8000). It only works on LAN interface. See http://doc.pfsense.org/index.php/Captive_Portal_and_VLANs
  • Captive portal block ssh

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    C
    You have to put in an Allowed IP entry for that host.
  • Captive Portal Page Images

    Locked
    17
    0 Votes
    17 Posts
    22k Views
    jahonix
    Embedded does automount r/w when doing stuff like uploading a CP file. Other than that, mounting a CD for read & WRITE is suboptimal.