• 0 Votes
    5 Posts
    3k Views
    C
    You have to allow Internet traffic below blocking everything to the interface IP.
  • CPU 100% CP active

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    W
    Please post the output of pfSense shell command top -S -H so we can see which processes are the major CPU users.
  • Captive Portal+Idle timeout

    Locked
    9
    0 Votes
    9 Posts
    8k Views
    D
    Ok, I made some changes to the configuration and up to this moment it is working: no timeouts (idle or hard), DHCP to /22, DHCP lease to 48 hours. For now, the DHCP server always assigns new IPs, and still doesn't assign a lease with a previous session opened in Captive Portal, so all the sessions of old users are still open. I'm waiting that when DHCP assigns an IP previously used, and the users try to log in to the CP, the system automatically closes the old session and opens a new one. Is this a correct assumption? Thanks for your help.
  • Vouchers and user authentication at the same time?

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    N
    @krot: I can't find how to get this to work: In my system users should be able to choose either to enter a voucher or to enter their username/password. Because I have two kinds of users: Residents with their own username/login. Guests, however, should be able to use the voucher system. If I enable vouchers in my CP, users can't log in with their usernames any more. Is there a possibility to have both at the same time? Yes, put the code of the voucher page and the username/password page together.
  • Captive Portal + GFI WebMonitor

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    ?
    You additionally have to put your wpad.dat on your Captive Portal Login Page as the first code. If someone opens a browser it asks for the wpad.dat file, which cannot be accessed because of the CP page. But if the wpad code is on your CP login page it will be recognized as your wpad.dat code.
  • Using Only Captive Portal Feature

    Locked
    13
    0 Votes
    13 Posts
    14k Views
    B
    Thanks again for sharing your ideas. Yes, there are a lot of alternatives. Considering WPA2-PSK, it seems that a long and random enough PSK is practically impossible to break. So, the simplest solution will be to have two SSIDs, connected to two VLANs - the first for guests, open at the AP (no keys), and controlled by pfSense CP (vouchers), another one for employees with WPA2-PSK. The only problem is the possibility that one employee gives the key to others, but I think we can live with that. Another approach will be to have all traffic going via CP. That way, only one SSID/VLAN would be sufficient. I don't know exactly how CP works, but probably it stores the IP/MAC of a user who successfully authenticated by vouchers or user/pwd. If this is correct, then it seems to me that it will be easier to sniff an IP/MAC combination, and possibly misuse it, than to break WPA2-PSK. But I'm just guessing, I'm really not a security expert. Also, if using plain http for the CP where users enter their usernames/passwords, I think that credentials can be sniffed quite easily. If, on the other hand, I force https at the CP, then I will probably have some issues with deploying the root certificate, especially on some smartphones, etc. I know that the same applies to vouchers for guests, but voucher validity is measured in hours, so even if an attacker succeeds in grabbing the voucher code, he can use it the same day only. Credentials for employees should be valid for a much longer time. So, these were just my ideas about various alternatives. At the moment, considering all of the above, it seems to me that the first alternative might be easier to configure and maintain, and "good enough" in my current scenario.
  • CP not work to Control Upload speed/control, while down rate is okay.

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Logout problem

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    N
    @wallabybob: It is not clear to me how the captive portal can determine the voucher is no longer in use (as distinct from 'the user is taking a snack break'). The only ways that CP recognizes that a voucher isn't online anymore is: 1.) The voucher runs into a timeout (Idle Timeout or Hard Timeout). 2.) You disconnect the voucher manually by hand using the GUI (Diagnostics -> Captive Portal) 3.) The user clicks the "logout" window. If you like that users will be disconnected when taking a break for lunch or something else set the idle timeout to 10 minutes. If you want to make sure that everybody gets disconnected one (or several) times a day choose hard timeout 180 minutes.
  • Captive Portal - Freeradius - Acct-Session-Time

    Locked
    4
    0 Votes
    4 Posts
    5k Views
    E
    Check out this https://redmine.pfsense.org/issues/2164.
  • Searching for a hack for changing Voucher to Online Time

    Locked
    22
    0 Votes
    22 Posts
    9k Views
    E
    Try this out https://redmine.pfsense.org/issues/2164 and let me know.
  • Php-mysql support + Radius database

    Locked
    6
    0 Votes
    6 Posts
    6k Views
    F
    @wallabybob: Does the SQL server need to be configured to allow access from the firewall? That was it. I needed to type this command when logged in to the MySQL server: GRANT ALL ON radius.* TO pfsense@'pfsenseIPADDRESS' IDENTIFIED BY "PASSWORD"; Thanks for the help! Also the test connection script needs to be: mysql_connect("192.168.1.100","pfsense","PASSWORD") or die(mysql_error()); echo "Connected to MySQL "; mysql_select_db("radius") or die(mysql_error()); echo "Connected to database"; It couldn't find the hostname but works with the IP address instead.
  • Time schedule for captive portal

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    N
    @hendasa: Thanks for your help; I installed the FreeRadius 1.1.8 package, I set up the online time for a test like "WK1200-1300". When I tested, I remarked that access to the Internet is only allowed between 12h00 and 13h00, but if a user validated his access during that time, he can continue to access the internet even after 13h00. Is there any solution to cut the access at 13h00? Thanks. Hi, first: you should use the freeradius2 package instead because it is actively maintained and it supports many more features than freeradius1. Second: if you choose "Wk" then this is from Monday till Friday. Try with "Al1200-1300" which as far as I know means "every day". Third: if you do not want to disable CP but blocking internet is enough, then just create a schedule and set this schedule for a firewall rule which blocks/allows traffic.
  • Show a username without Authentication

    Locked
    7
    0 Votes
    7 Posts
    5k Views
    T
    Just what I was looking for! I want to protect the network at the WPA level (to completely keep out the curious) and use the captive portal for TOS. This isn't a public network, but it isn't entirely private, either. The idea is for contractors and consultants and such to be able to get internet access. They get the password from us, then have to agree to the TOS before continuing. I was thinking it'd be nice to have somebody enter their name before clicking "Agree and Continue", but it didn't show up in the logs. This patch fixes that! Thanks so much! It would be nice to prevent them from leaving it blank, too. Maybe an option in the UI for "No authentication but still require (and log) a username"? :)
  • Captive portal issues

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    N
    I mentioned problems when I enter on the CP page as redirection URL just: www.google.com. I need to enter: http://www.google.de. Then the redirection is working - if without http:// I get a loop. Not sure if this is related to your problem.
  • Redirection to login page once voucher is expired

    Locked
    4
    0 Votes
    4 Posts
    1k Views
    W
    Last time I used captive portal (pfSense 2.0, before release of 2.0.1) the browser went to the login page on the access after the voucher expired. Are you expecting the browser to go immediately to the login page ON voucher expiry?
  • MOVED: Voucher time expires

    Locked
    1
    0 Votes
    1 Posts
    932 Views
    No one has replied
  • Captive Portal radius attributes (Gigawords)

    Locked
    3
    0 Votes
    3 Posts
    4k Views
    N
    Hi, I am developing the freeradius2 package and I tested with CP. Take a look at my documentation - there I tested some features/attributes with CP: http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package#Accounting_with_Captive_Portal Acct-Input-Gigawords and Acct-Output-Gigawords should be supported by CP - if I remember correctly I found this somewhere in the pfsense code. But accounting isn't working correctly at the moment. 1MB of traffic in reality gets counted 6 times higher by CP. But this seems to be a problem of ipfw and not RADIUS. So 1MB in reality = 6MB on pfsense ;) That's easy to calculate I think ;)
  • CP cannot work when VM and host are working together

    Locked
    6
    0 Votes
    6 Posts
    3k Views
    Z
    Hmm…it is working but only without Simultaneous-Use in FreeRADIUS. Just leave the field empty. Then there is still the error in syslog but then there is no disconnection. But I am pretty sure that the problem is CP because I tried with another NAS (AP with DD-WRT) and there isn't such a problem/error. I posted this issue on the pfsense mailing list but we didn't find a solution. We discussed several problems there. Take a look at the conversation. http://lists.pfsense.org/pipermail/dev/2012-January/000118.html Why it isn't working with your VM environment...puh...I don't know. If I find a solution I will fix it. If someone tells me the solution, I will fix it. But at the moment I am out of ideas. First I would like to say I appreciate your great help. If I had money I would put a bounty on this, but I am afraid I can't afford it. I noticed that PF 2.1 is now running as a snapshot, I will give it a try later. Maybe there is some luck? Anyway, thanks a lot ~~
  • When captive portal is on active, my internet was down =(

    Locked
    8
    0 Votes
    8 Posts
    4k Views
    M
    @stramato: Guys, this happened to me and I don't know how to fix it. Mine was working perfectly (CP + Active Directory authentication through RADIUS), then my local DNS server (another physical computer) hung one time. After restarting my local DNS server, when I use Captive Portal, the clients seem to have messed up DNS or something. I tried pinging internet addresses from the client and they seem to resolve DNS, but when using a browser, they can't seem to resolve DNS. I can't really use another DNS server, as my local DNS server hosts a bunch of intranet websites. Did you try to reboot pfSense?
  • CP+Rotating Password

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    V
    Ok, thank you for your advice, I will look into a procedure for setting up vouchers this week hopefully. I saw some good procedures googling around. That is something I was concerned about: freeloaders in the parking lot or nearby areas. The wifi is up high with an antenna I custom made, and the signal goes about 75 - 100 yards on a wifi test using airmagnet. So I will definitely look into locking it down some more. You will hear from me later this week I am sure.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.