I think you've had your answer already. Either post a bounty and wait for someone to pick it up, or just create a welcome page with the overall time available to your users posted there at the outset.

You could limit access to just a handful of sites by setting their client machines to a static address (or setting their DHCP server to assign a pre-assigned address) and setting an internal firewall rule. The more elegant solution would be to use a proxy server.

No.  Not it.  Because I have 4 boxes and they all experienced the same thing when I turned it on.  The 4 boxes are in different vlans. Irritating!

@deltix: Basically still doesn't work as intended. Correct? I can just forget I guess. Define your 'intended'. According to RFC and family, all is ok. But, breaking https (SSL) connections isn't easy - but it can be done. Like : a visitor is hitting the (your) portal with https://www.google.com - You generate a certificate (on the fly) that says your portal IS "google.com", and you better assure that a major certificate broker says that google.com is YOU (your portal). Then, the visitor's browser will be happy …. and your visitor can log in (would he really think he IS visiting google.com at that moment ?  ;)). When done, you portal will redirect the visitor the other, real google.com https site. Can you pull this one off ?

Personally I think there's already enough + buttons on there and the added complexity of having to pick which portal it gets added to makes it even less desirable.

Hi, That's where the hard- and soft timeout is all about  :)

You can manually query the users in the mysql. refer to this link :  http://www.serveradminblog.com/2011/12/freeradius-install-howto-4-populating-tables/ hope this make sense. :)

@RadoXX: Hello! can i build simmilar system to FOn using pfsense? The common answer is : yes, of course. Because YOU are asking the question, I tend to say that YOU won't pull it off. Isn't it not far more easy, if you want something similar to X, to just use X ?

@iNCONIX: mrbrax Please post .ZIP file again action.js is 0k Do not login tks How am i supposed to post it if i'm not allowed to log in? ;) It is supposed to be empty, yes. Not sure why i provided it at all.

Sorry, can't make anything from what you say.

Thanks for the reply and advise. Will check on the assigned IP addresses as suggested.

Thanks a lot.

Reconsider your solution. As you already said : @carzin: If they go to google or any other http site, it works just fine.  The redirect happens immediately. So why adding google.com to the 'allowed site' list ? Check this https://forum.pfsense.org/index.php?topic=115338.msg644308#msg644308 Most OS's will open a navigator by default "automatically" when a Wifi connections comes UP (obtained an IP, gateway, DNS, etc) and the direct "Internet connections" (with a test http call). No end user interaction needed. Check this : @carzin: For whatever reason, if they type wifi.sitex.edu, the browser will spin and spin and will not connect them to the authentication portal. Where is "wifi.sitex.edu" ? Is it the URL being served by pfSense or elsewhere ?  If it's the latter, it should be added to the 'allowed site' list. Check also if "wifi.sitex.edu" is including pages from other locations (Google analytics, etc) because this will block the loading of the page (your "spinning around").

Yes sometime i have the same thoughts, i should just quit replying, but i am kind of addicted  ;D I understand your problem, that why my previous reply to you was mentioning to "remove any previosly granted authorization", the person which can get access with all its machines, can do that because before you gave him that privilege, so, to fix that, you now have to remove those rights from its account(s), blocking them again, and only insert the MAC address you would like to allow on that list. If you can't find them, i would suggest to start blocking everything again,  then only make change on the MAC addresses's list. I hope that's clear enough.

Modify the 'my.cnf' (de main MySQL config file) so it accepts not only connection from localhost (127.0.0.1) but also the 'external' IP  that the other pfSense would use to connect to the server. This is well described in the MySQL doc. You need to locate the file, and change it. Restart MySQL. [ check if the firewall on the IP/NIC isn't blocking incoming connections on the MySQL port ] Done.

Throw them away, take the build in pages. Done  ;)

Thanks, Web Spider. I am trying to mimic the captive portal of Mikrotik router. Unfortunately, I am having a hard time figuring out how to do it on Cisco devices. That's is why I am thinking of using Pfsense. We are managing multiple networks, and it is not good to install Pfsense on each network because it 's hard to troubleshoot it when there is an issue with it. That's why I think it is better to host the Pfsense captive portal on AWS and let them connect to it, so we can easily access it and manage them properly. I have read about pfSense Security Gateway Appliance which is available on Pfsense store. Do you think this is better than having a PFsense on AWS? Please advise. Thanks

@cs1: That's possible with RADIUS authentication. E. g. with FreeRADIUS you can store a custom RADIUS attribute like "Allowed-NAS" with each user and during the authorization phase you can use FreeRADIUS's "unlang" to compare the NAS-Identifier (which should be different for each of your zones) with the Allowed-NAS attribute and reject a user straightaway if they don't match. You can even update the Reply-Message attribute with something like "You're not allowed to log into this zone!" which will be displayed as the error message on the Captive Portal page so that the user immediately knows what went wrong. The manpage of unlang should give you a pretty good idea how to write the comparison code. True. I resolved using external Freeradius, Huntgroups, Groups and unlang. I will update you if I can integrate solution on pfSense Freeradius :)