My initial thought was to run a nightly cronjob for the guestrollpwd.sh script, update the config.xml file, and reload it - and finally post today´s password on our intranet page… Yes I did fear that…... if this php script does, which function actually reloads the config file? Well I guees require_once('guiconfig.inc'); could be replaced with require_once("config.inc"); require_once("functions.inc"); But then everyone can read it. Different account's and email service afaik will be in pfSense 2.0 edit (After a good night sleep): /var/run/clear.ip could be created in /usr/local/www/clear.ip so your intranet can access it's If the intranet ain't on the lan side a simple password can be used to read /var/run/clear.ip

You could make the VLAN separation on the switch itself. –> You have a single untagged interface to the switch. Traffic from the pfSense is allowed to both groups (wired, wireless). Traffic from the groups is only allowed to the pfSense and not to the other group.

As ipnet said : bind the Captive Portal to OPT1 (or whatever you named it), that's were it belongs anyway. I'm using pfSense with the CP on OPT1 (which is btw 192.168.2.1) and people do not need to type in this IP to get the portal login page. A simple www.i-wana-go-womewhere.com will do the job - and that what's it is all about. They will see my logging portal, if they want it or not. Ducktn, goto the Captive Portal settings page "services_captiveportal.php" and have a look at the bottom of that page : see the red note ! "Changing any settings on this page will disconnect all clients! Don't forget to enable the DHCP server on your captive portal interface! Make sure that the default/maximum DHCP lease time is higher than the timeout entered on this page. Also, the DNS forwarder needs to be enabled for DNS lookups by unauthenticated clients to work." You should know what to check now  :)

i've seen that if i enable dhcp server and i use it this problem disappear, however it doesn't really make much sense :\

This is fixed in 1.2.3 it seems, others have confirmed it. This thread is locked because it's old, but wanted to post here to notify those who may be following this thread. You can post your experiences in the 1.2.3 board.

No, I do not lock myself out because I've already added a rule to be able to access the WAN side before any changes I make.  I did run a few more installs and test.  got it to work essentially.  The steps are all the same but one key item I have not heard or seen is that during the time I am configuring the Wireless side (AP mode, Infrastructure Mode, Ad-Hoc), it asks for authentication method.  Well, I left it at NO AUTHNETICATION and then completed by pressing SAVE.  Well once you press SAVE that's it!  It doesn't work if you go back and want to use Local User Manager.  I tried this out on multiple new installs.  Same effect.  So the effect is this - BEFORE you hit that save button, make sure it is the settings you will be using or you WILL have to reinstall…I repeated this process so that's my conclusion.  If you have another fix which is faster, please tell me. Not sure if this was also part of it, but on the General Setup Page of this AP mode of pfSense, make sure you have the DNS also pointing to the DNS of your network segment and not one on the Internet like OpenDNS.  I made a clean install and change the DNS on an internal DNS which already has external DNS for referral, and the settings above I discussed pertaining to autneication and everything works fine.... with problems I had previously with FTP and now Captive Portal, I can concur and honestly say pf Sense works but if you do not choose the correct settings at first and go back to change them....you might as well reinstall to have correct settings at first!!  Just because you can change settings doesn't mean it will correctly do so in pfSense.

You can find the original CP file here : Open etc/inc/captiveportal.inc Look for lines 91 up untill 116 - everything including and between the html tags. You'll find the same concept for the default error page : line 134 - 147.

Yes that's the point of a captive portal. You need first to authenticate before you can browse the internet. Make sure you dont have an adblocker enabled that blocks the authentication popup.

you can try install freeradius package and set the captive portal to authenticate user using that radius server. Freeradius package has Expiration-date module.

@Docwyatt2001: A combination if RADIUS and vendor specific entries can do this… VLAN's based on SSID.. Then have them come into an intermediate network where they can access the portal. Cisco definately can. Linksys can't as far as I know. Its more a dot1x thing than pfSense. By choosing the SSID paired with AD credentials (PEAP), you can have it forced into the network you need, otherwise no access. Then give your users the private SSID, and the guests/visitors/etc the public SSID. Thanks for this..  I know my ASA can't help with this..

Can the 2k server resolve addresses?  You can have dhcp and dns managed elsewhere without problem, but the proper holes need to be poked to allow for it.  You could always try another DNS server like opendns, poke a hole through for it and see how that works to take 2k out of the equation. nb

or you can add his mac address in Services > Pass-through MAC, i am doing this and working fine with me, especially for the TV satellite receivers that clients uses.

I thought at first as well that you need to have the local DNS forwarder for the CP to work. You dont. You can use any DNS server you want. The client just has to be able to resolve names even if not authenticated.