OK. I think what must be happening is the user is not selecting the WiFi network on their iphone.  It is automatically connecting to the WiFi itself, as it remembers it, but doesn't pop the automatic captive portal browser using the http://captiveportal.apple.com, as the user isn't actively using their phone.  The user then opens a browser to do something, visiting a https page, causing the error? If the user connected to a http page, the portal would work correctly. I need to have a play to try to replicate the error, just seems odd that every user to report the problem has been using an iphone 6. [image: IMG_0652.PNG] [image: IMG_0652.PNG_thumb]

Try to make a new user with full access to this page like SuperUser grant all access to this user. then enable your captive portal. open web browser and go to address bar and type the pfsense ip with 8000 port. e.g. http://192.168.1.1:8000 login page will popup then use the new username & password that you created lately like the superuser. then done. Internet can pass tru your PC now.

@shaheed: …. 1. the ip is 192.168.0.1 as listening port for clients it is also the ip of pfsense lan interface. 2.  in Nas/client ip field i have entered the same 192,168,0,1 ip ?? 3.  Radius authentication is allowed in captive portal settings "192.168.0.1" is the pfSEnse LAN IP and the FreeRadius2 IP ? This means your FreeRadius2 is running on the same system as pfSense ?

On the login page, where the visitor-with-a-voucher enters the voucher code, add button that states : "I agree that my time is limited (see voucher), and I declare that I activated a count-down timer in my SmartPhone - or the device I use to connect to the portal". Done. You have a maintenance free and easy to understand 'count down timer'. Zero hassle guaranteed. If the visitor doesn't want the count down timer, well, in that case, maybe because he doesn't need one ;) A real win-win situation.

@bmginn and  @th112211 compare your pfSense version with the one mentioned in subject of this thread. I advise you to open a new thread and detail what you found out. Btw : I'm not using vouchers.

@Derelict: They display in Services > Captive Portal, Edit, MACs That's where I was looking. I cleared out most of my config and it started working properly. Specifically there was a problem with my freeradius config that I had changed manually. Even though I wasn't actively using freeradius at the time, that seems to be what caused the problem.

As you said : You should "code" this yourself. IF you know how PfSense 'works" AND you can fnd /etc/inc/captiveportal.inc AND you can read/write PHP THEN you are close to a solution ;) ELSE No.

Hi, That question is already being asked. About ones a week, in fact. The short answer is : No. A next best answer will be, knowing we all have a smartphone these days : On the login form, say to your clienst that they program a xx minuts timer.

you have to login on your captive portal that you made to gain access.

Hi, I advise you to read  https://doc.pfsense.org/index.php/Category:FAQ : check out Captive Portal Pre-authentication Redirect.

Well, you can use two separate, synced authentication systems, though it's a bit redundant. How many users are you going to have on each network?

I dont think it can be done easily. The SquidGuard Package allows you to: Limit the web access for some users to a list of accepted/well known web servers and/or URLs only. Block access to some listed or blacklisted web servers and/or URLs for some users. Block access to URLs matching a list of regular expressions or words for some users. Enforce the use of domain names/prohibit the use of IP addresses in URLs. Redirect blocked URLs to an info page. Redirect banners to an empty GIF. Have different access rules based on time of day, day of the week, date etc. Or just make two access codes. One that allows so little bandwidth 1-2 Mbps would pretty much allow just web browsing and email. Another access code with no bandwidth restrictions.

@Gertjan: @PeterITG: ….. With Pfsense the user has to connect then browse to a Http:// Site to get redirected. When launching a https://…. you will NOT get redirected. That's what https is all about. Modern OS's (Windows, iOS, MacOS, etc) launch a hidden http://portal.microsoft.com or http://portal.apple.com or ...) when a Wifi connection is established. When the reply is redirected, a browser will open that shows you the "reply" : the portal login page. I'm using pfSense in a hotel (read : NON-initiad clients end users). No one come down to the reception asking me why they can't acces sthe Internet. They will see the pfSense login page, they will hunt down the access password in mentioned on the papers present in their room, and they connect. I never used "Antlabs Inngate, Nomadix, ValuePoint, and Unifi Ubiquiti". These are also "free-ware" solution ? Yes I had allowed my DNS servers through the captive portal. So it was resolving the hidden OS checks so the captive portals weren't starting. So they weren't really being redirected till they tried a http site and most sites are https now. Our support know to have them try a http site but i knew something was wrong when it wasn't opening automatically. Also those other devices are hospitality gateways that have the splash page, Integrate with a PMS system. Charged Tiered Bandwidth.

Why not set the hard-timeout in your captive portal settings directly? It's under Services/Captive Portal, then choose the CP instance and set the Hard Timeout setting to whatever you like.

The default form of Captive Portal already input the username, so you only create $username=$_POST['auth_user'] then echo $username;  :)

Hi, Check out this page : https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting Execute the commands listed - and see the firewall rules numbers that ipfw is using. The "64500" is a limit, you can't go (much) above. Also note that " /var/db/captiveportaldn.rule" can not grow indefinitely. I guess it about 700 K when it starts, and depending on the length of the name(s) of your captive portal zone(s) is might double, maybe triple. You can 'read' this file to understand its structure. Its a serialized PHP array. The nasty thing : Every time a user connected and passes through (== authorized) "pass" rules are injected in the firewall ipfw AND the rule set (two: "the numbers" and the "portal zone name") are injected into this array (which becomes a file called /var/db/captiveportaldn.rule on disk). When the connections times out, the firewall rule is removed, and the corresponding entry  in to array is set to false (something like ""). All this reading and writing (updating) of this 1 (2 , 3 ?) MB file happens when users login AND are being thrown off the portal. function captiveportal_free_dnrules($rulenos_start = 2000, $rulenos_range_max = 64500) { Just one question : your system can keep up with it ?

OK. I've done the existing router setup before, so that's not difficult. I am going to do some reading up on the VLAN setup and test it out. Never done that before.

@johnpoz: IOS still fails with badly configured wifi all the time.. Just ran into this.. Yes it tries to get you to the login page once you connect.. But gets sent to 1.1.1.1 from default cisco configuration and invalid cert which ios fails at and no way to just accept the bad cert so you can get login in.. Hummm. That might be my saver over here : no Cisco devices or what so ever. Just tried it again (I could post a vidéo !) : I connected to one of my 4 portal Wifi radio networks. I accept on my device (iPhone). A couple of seconds, the (my) pfsense portal page pops up and I can login. @johnpoz: You would hope anyone that has ever used wifi would have the brains to figure out to go to http for portal auth, and or accept any cert errors when they are trying to auth, etc.  Your always going to run into that typical users that doesn't get it, never been to a hotel and used their wifi, etc.  So you can make it atleast less likely to cause problems. True. Except for the bad cert - I'm not using autosigned ones, but (free) certs from startssl, recognized by all browser as "ok". People/clients do login by themselves https://www.test-domaine.fr/munin/brit-hotel-fumel.net/pfsense.brit-hotel-fumel.net/portalusers.html  (noop, no doc in the building how to do so) and I'm not explaining them how to do so. It just works ….

Ok, so it is not an option in the default setup.  :-\ My hope that I could achieve this with freeradius or so. Thanks for the reply!