• Captive portal + proxy

    Locked
    2
    0 Votes
    2 Posts
    5k Views
    M
    At this time the two proxies are working. The proxy on pfSense sends all requests to the squid/dansguardian proxy on the DMZ…. Only if I put the squid ICP port... But my trouble now: sometimes I am filtered by dansguardian, sometimes not... I have the dansguardian log, and the squid one too... I think sometimes the request goes to dansguardian via the TCP port, sometimes directly to squid by ICP. Can someone help me?
  • Please help me about Captive Portal

    Locked
    6
    0 Votes
    6 Posts
    4k Views
    P
    use ipaddress lan interface :8000 to login again http://192.168.1.1:8000 enabled logout popup on browser
  • Captive Portal Redirecting to the Authentication

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    L
    hi, I'm setting up my captive portal but I have some problems with the freeradius server: there were 2 errors on make and make install, and I tried to test it and found that it doesn't even exist in the process list, please help me
  • CP turns itself off all the time

    Locked
    7
    0 Votes
    7 Posts
    3k Views
    A
    yep that is the best thing to do… well the only problem is that I still have to go to that basement :(
  • Local info on logout popup

    Locked
    6
    0 Votes
    6 Posts
    4k Views
    P
    then I modified the /usr/local/captiveportal/index.php file with:
        LogoutWin.document.write('');
        LogoutWin.document.write('');
        LogoutWin.document.write('<title>Logout</title>');
        LogoutWin.document.write(' ');
        LogoutWin.document.write('');
        LogoutWin.document.write(' ');
        LogoutWin.document.write('');
        LogoutWin.document.write('Click the button below to disconnect ');
        LogoutWin.document.write(' <form id="dologout" name="dologout" method="POST" action="{$logouturl}">');
        LogoutWin.document.write('');
        LogoutWin.document.write('');
        LogoutWin.document.write('</form> ');
        LogoutWin.document.write('');
        LogoutWin.document.write('');
        LogoutWin.document.close();
    /********************/
    I am sure 100%
  • Captive portal, a way for users to keep track of their time?

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Captive portal and Untangle

    Locked
    3
    0 Votes
    3 Posts
    8k Views
    C
    Someone mentioned in the Untangle forums that captive portal is done with a proxy. In pfsense and m0n0 it is actually done with firewall rules. If Untangle passed client mac addresses on to pfSense then your setup would work. But from what I saw on their forum the bridge is working that transparent.
  • Can i have CP running on several vlan interfaces?

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    GruensFroeschli
    @http://www.pfsense.org/index.php?option=com_content&task=view&id=40&Itemid=43:
    Captive Portal
    Captive portal allows you to force authentication, or redirection to a click through page for network access. This is commonly used on hot spot networks, but is also widely used in corporate networks for an additional layer of security on wireless or Internet access. For more information on captive portal technology in general, see the Wikipedia article on the topic. The following is a list of features in the pfSense Captive Portal.
    * Maximum concurrent connections - Limit the number of connections to the portal itself per client IP. This feature prevents a denial of service from client PCs sending network traffic repeatedly without authenticating or clicking through the splash page.
    * Idle timeout - Disconnect clients who are idle for more than the defined number of minutes.
    * Hard timeout - Force a disconnect of all clients after the defined number of minutes.
    * Logon pop up window - Option to pop up a window with a log off button.
    * URL Redirection - after authenticating or clicking through the captive portal, users can be forcefully redirected to the defined URL.
    * MAC filtering - by default, pfSense filters using MAC addresses. If you have a subnet behind a router on a captive portal enabled interface, every machine behind the router will be authorized after one user is authorized. MAC filtering can be disabled for these scenarios.
    * Authentication options - There are three authentication options available.
        o No authentication - This means the user just clicks through your portal page without entering credentials.
        o Local user manager - A local user database can be configured and used for authentication.
        o RADIUS authentication - This is the preferred authentication method for corporate environments and ISPs. It can be used to authenticate from Microsoft Active Directory and numerous other RADIUS servers.
    * RADIUS capabilities
        o Forced re-authentication
        o Able to send Accounting updates
        o RADIUS MAC authentication allows captive portal to authenticate to a RADIUS server using the client's MAC address as the user name and password.
        o Allows configuration of redundant RADIUS servers.
    * HTTP or HTTPS - The portal page can be configured to use either HTTP or HTTPS.
    * Pass-through MAC and IP addresses - MAC and IP addresses can be white listed to bypass the portal. Any machines with NAT port forwards will need to be bypassed so the reply traffic does not hit the portal. You may wish to exclude some machines for other reasons.
    * File Manager - This allows you to upload images for use in your portal pages.
    Limitations
    * Can only run on one interface simultaneously.
    * "Reverse" portal, i.e. capturing traffic originating from the Internet and entering your network, is not possible.
    * Only entire IP and MAC addresses can be excluded from the portal, not individual protocols and ports.
    * Currently not compatible with multi-WAN rules (will be fixed in the next release)
    I think the 1.3 version will be able to run on multiple interfaces.
  • CP_user-defined rules

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Setting up captive portal - opt 1 issues

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Rogue access points

    Locked
    19
    0 Votes
    19 Posts
    11k Views
    M
    I was in an accident and have been in the hospital for a while. I haven't got the time now to create a package. In a few weeks, I think I'm starting to work again, and hope to pick up on things like this. If there are people who are interested. I hope you understand. In the meantime I can give you my notes to get it all working manually.
    - install p0f
    - install shttpd
    - create a webpage for blocked clients.

    << create script for adding blocked ip's in /usr/local/bin/p0fcron.sh
    First flush the table of blocked clients.
        pfctl -t p0f -Tflush
    Then add new detected clients to the table.
        # one address per line, newline-terminated, so the loop also sees the last entry
        awk < /var/log/p0f.txt '{gsub(/[:]/, ""); printf "%s\n", $9}' | awk '! a[$0]++' | while read data; do
            pfctl -t p0f -Tadd "$data"
        done
    Last flush the p0f created file.
        cat /dev/null > /var/log/p0f.txt

    << add cronjob to /conf/config.xml adding and deleting ip's every 10 minutes
        <task_name>p0f</task_name>
        <minute>*/10</minute>
        <hour>*</hour>
        <mday>*</mday>
        <month>*</month>
        <wday>*</wday>
        <who>root</who>
        <command>/usr/local/bin/p0fcron.sh</command>

    << filter: add redirect rule for blocked ip's in /etc/inc/filter.inc
        $natrules .= "# p0f\n";
        $natrules .= "table <p0f> persist\n";
        $natrules .= "rdr on xl1 proto tcp from <p0f> to any -> 10.20.7.1 port 81\n";

    << create startup script /usr/local/etc/rc.d/p0f.sh
    << -i xl1 is the interface to listen on
    << -T is the threshold
    chmod 0755
        #!/bin/sh
        echo -n ' p0f '
        case "$1" in
        start)
                /usr/local/bin/p0f -i xl1 -MKU -T 33 -d -o /var/log/p0f.txt
                ;;
        stop)
                kill -9 `cat /var/run/p0f.pid`
                ;;
        *)
        esac
        exit 0

    << create startup script /usr/local/etc/rc.d/p0f.sh
    chmod 0755
        #!/bin/sh
        echo -n ' shttpd '
        case "$1" in
        start)
                /usr/local/bin/shttpd -p 81 -d /usr/local/www/p0f -l /var/log/shttpd.log
                ;;
        stop)
                kill -9 `cat /var/run/shttpd.pid`
                ;;
        *)
        esac
        exit 0
  • CP - 1 user logins and everyone else gets connection

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    GruensFroeschli
    Since you cannot bridge the Zyxel router, set it so that it only routes and doesn't perform NAT. Then create a static route for the subnet behind the Zyxel router pointing to the Zyxel IP. Like this, traffic no longer seems to always come from the same IP.
  • Enable captive portal can't resolve dns (need help)

    Locked
    8
    0 Votes
    8 Posts
    11k Views
    C
    @Gertjan: So, your CP is running from LAN. What are the LAN firewall rules? Is it possible that you run CP from its own OPT1 interface? (another thread is going on right now about troubles running CP from LAN ….) I would say: CP is meant to be running from OPTx, not from the network card 'LAN'. I'm using the CP now for 3 years (LAN = company, CP = non trusted clients - I use pfsense for a hotel, with the classic setup)
    ok. I enabled CP on the OPT1 interface and it works. ;) thank you in advance
  • Account connections to 'walled garden' hosts

    Locked
    6
    0 Votes
    6 Posts
    5k Views
    D
    Yes, you're right, that's all I want. But I would like to be assured that the traffic from/to "ip list" hosts isn't accounted with RADIUS at all. P.S. As far as I know, for example, MikroTik RADIUS clients always count "walled garden" traffic.
  • Cp don't work

    Locked
    9
    0 Votes
    9 Posts
    4k Views
    Gertjan
    @MoRoZ: thanx. I think this topic might be posted to the FAQ
    When the pfsense is equipped with a wifi card, this Wiki is valid: http://doc.m0n0.ch/handbook/wireless.html - an OPT1 interface IS implied. But: the CP wiki itself from here http://doc.m0n0.ch/handbook/captiveportal.html indicates that the LAN port CAN be used. Now, who am I to say that it's logical that LAN isn't the good one for mounting CP on it, but one of the present OPTx should do the job.
    @lwaldo: my cp no function with windows vista or windows mobile?
    Don't know. I can connect very well with my 1.2.1-RC1 built on Sun Aug 31 06:26:57 EDT 2008 using Vista Pro, or an iPhone II for that matter. Please note that your question / remark contains no details at all, and might as well not be related to this thread.
  • Captive Portal and Bandwidth Management

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    D
    I believe that with the 'new traffic shaper' in the 1.3 release it will be able to dynamically change users' bandwidth settings.
  • Displaying MAC address on Captive Portal login page?

    Locked
    2
    0 Votes
    2 Posts
    5k Views
    D
    Ok, answering my own question here. This is the code I added to my PHP login page to make it work:
        <?php
        function returnmacAddress() {
            // This code is under the GNU Public Licence
            // Written by michael_stankiewicz {don't spam} at yahoo {no spam} dot com
            // Get the arp executable path
            $location = `which arp`;
            $location = rtrim($location);
            // Execute the arp command and store the output in $arpTable
            $arpTable = `$location -a`;
            // Split the output so every line is an entry of the $arpSplitted array
            // (explode() is used because split() was removed in PHP 7)
            $arpSplitted = explode("\n", $arpTable);
            // Get the remote ip address (the ip address of the client, the browser)
            // ($_SERVER is used because $GLOBALS['REMOTE_ADDR'] depends on register_globals)
            $remoteIp = preg_quote($_SERVER['REMOTE_ADDR'], '/');
            $ipFound = false;
            // Cycle the array to find the match with the remote ip address
            foreach ($arpSplitted as $value) {
                // Split every arp line, this is done in case the format of the arp
                // command output is a bit different than expected
                $valueSplitted = explode(" ", $value);
                foreach ($valueSplitted as $spLine) {
                    // Match the whole address only, so 10.0.0.1 does not match 10.0.0.10
                    if (preg_match("/(?<![0-9.])$remoteIp(?![0-9.])/", $spLine)) {
                        $ipFound = true;
                    }
                    // The ip address has been found, now rescan all the string
                    // to get the mac address
                    if ($ipFound) {
                        // Rescan all the string, in case the mac address, in the string
                        // returned by arp, comes before the ip address
                        // (you know, Murphy's laws)
                        reset($valueSplitted);
                        foreach ($valueSplitted as $spLine) {
                            if (preg_match("/[0-9a-f][0-9a-f][:-]"."[0-9a-f][0-9a-f][:-]"."[0-9a-f][0-9a-f][:-]"."[0-9a-f][0-9a-f][:-]"."[0-9a-f][0-9a-f][:-]"."[0-9a-f][0-9a-f]/i", $spLine)) {
                                return $spLine;
                            }
                        }
                    }
                    $ipFound = false;
                }
            }
            return false;
        }
        ?>
    And then where I want to display the MAC address we put:
  • Is it possible for me to display a users IP address on the login page??

    Locked
    12
    0 Votes
    12 Posts
    36k Views
    D
    Since no one seems to bother with documenting this, and I just finished banging my head against this issue where the redirect just keeps reloading itself and not going to the page specified. To fix it you MUST do the quotation marks in the META HTTP-EQUIV line correctly: Bad Good Hope this saves other people torment, anguish and wasted time Googling.
    @Gertjan: @alexander007: I found the problem ;D What was it? :D Do we have to suppose that something is wrong with your posts?
  • Captive portal is NATing | How do I stop this?

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    C
    Awesome!  That worked.  I had turned on Advanced before, but had not deleted the rule.  Many thanks!!
  • Captive Portal with Transparent Proxy - click,click,click…

    Locked
    1
    0 Votes
    1 Posts
    5k Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.