@kapara: I use it for a customer with 8 offices.  I host it in vmware environment in a datacenter since availability is crucial.  there are also hosted solutions which would cost about $50 per month…... Hey Kapara, Are you using it along with pfsense CP?  I am finding that it seems pfSense sends wrong data to the radius.  I guess a flaw in pfSense.  After a days usage and testing my user in radius manager shows traffic usage about 10 times higher that what the acutal usage was.  I had a traffic analysis software running on the machine.  I dont want to have to switch to mikrotik as i like pfsense, but i really need that pfsense sends correct accounting info to the radius.

Going back to the subject of protecting the CP against abuse, I noticed the "Maximum concurrent connections per client IP address" ($maxprocperip) setting. A quick look at the source code (captiveportal.inc and system.inc) suggests it sets lighttpd's  evasive.max-conns-per-ip directive. However, if the $maxprocperip "Maximum concurrent connections" field is left empty in webGUI config, it doesn't create a lighty evasive.* directive at all in /var/etc/lighty-Captive*. I can't find any other way to enforce the "Default 4 connections per client IP, with a max of 16" so it seems like a small bug to me (either fix the comment in the webGUI, or put a value in $captive_portal_mod_evasive in system.inc)

I'll do more tests here and feedback when possible.

In that case you suggest cp or firewall rules?

Looks that way, perhaps even if just its root directory was named captiveportal-something (then it would be in every URL regardless of the end name)

@dhatz: AFAIK on a CP-enabled interface all external traffic is refused by default (before successful login), except those IPs and hostnames which are explicitly allowed (aka "walled garden"). Taking a quick look at the source code, it seems to me that in the hypothetical scenario you describe, access to both sites would be allowed. of course. hostname  resolve to ip and add to access

I figured out why it isn't working - iOS doesn't look for captive portals when you connect to a secure network. As soon as I made a virtual WAP with no encryption needed, the login page popped right up. I'm not sure whether I want to think of this as a "feature" or not since I'd like to see our iOS devices be able to use "auto-login". Looks like this is definitely more of an apple issue.

If your DHCP configuration doesn't set your pfsense box as a DNS server then captive portal won't work.

thanks @cmb

Thank You.. I feel like a total idiot. I thought all along I had the DNS forwarder on but I had disabled it earlier as it wasn't needed before bringing up the CP. I also forgot that it is needed for the CP for obvious reasons URGH! Works great.. This thing (PFSense) is awesome we are starting to get some paid jobs because of how well done this is and how reliable it is and how impressive the user interface is. It's seriously the ONLY web interface I have ever used that I'd say was done right. I plan to be rolling in a year of PAID support with our next big job even if I could get away without it.

You can't make it resolve differently, it should work if you just add one of the internal interface IPs of the firewall as an allowed IP entry in CP and leave the DNS pointed to that.

I don't usually post but I know this forum can occasionally be idle when you have an urgent need. How are you authenticating users?  Our users were skipping the authentication page until we found that PFSense was not authenticating with our RADIUS server. We are a Medical University using PFSense (2 NICS) with multiple AD servers configured to work with RADIUS.  We do not have any VLANS set for the traffic since our wired traffic is on a different network.  PFSense is also acting as the DHCP server.

I've specified the remote Nework 192.168.1.0/24 in the "Allowed IP Address" tab in the Captive Portal. Thank you so much. Luca

You can make a user in the User Manager, and if they only have the permission to "WebCfg - System: User Password Manager Page" then when they login to the GUI they only see a page to change their own password. You could make a group, add that permission to the group, and then for users you want to be able to change their own password, add them to that group.

For now there is no other way supported. There were some fixes related to this in latest 2.0 branch of pfSense.

@cmb: You can use any DHCP server with captive portal. You do need to make sure you don't block your DNS server with captive portal, using the firewall's DNS forwarder will automatically work, but you'll need an IP passthrough in CP for the Windows server if you're using it for DNS and not having it forward its requests to the DNS forwarder. Many thanks for your suggestions ; I will try. What about the possibility of PFSense DHCP server to Update MS DNS Sever Records ? What do You think about it?