It's already been reported here: http://redmine.pfsense.org/issues/1974 Not sure what the ETA is on a fix for that, it seems to be a bug in ipfw

Perfect tons of help thanks!

thanks for reply gertjan. yes i put this file  ::) soapclient php command,  get address and contents . but dont work in pfsense. 1- I think I have to enable soapclinet for php. but I do not know how to do in pfsense. 2- How to run a phpservice service in command-line ps:I'm sorry my bad english skill

Hi sekult, I banged my head against this issue for quite a while. I found that in a flat network (where the client ip was on the same subnet as the LAN interface) everything worked fine, but when we changed our network topology to use vlans (and vlan routing), pfsense decided that it would remap requests to the pfsense box to use the ip address of the requested external site. While this works for login purposes (I guess there is some kind of ip masq going on), it fails epically for the the logout button (because by the time the user clicks on the logout button, the ip-masq is no longer in place, so the request tries to go to the actual external site ip. Trawling through the code (in /etc/inc/captiveportal.inc), I found references to portal_ip_from_client_ip(), which tries to match the client ip to one of the pfsense interface ips. But because your client ip does not match any of the interface ips, it fails. I found that commenting out the guts of this function, leaving only "return false;" worked for me. In this case, the code that calls portal_ip_from_client_ip(), uses the host name of the pfsense box. (for me this is 'pfsense'). /etc/inc/captiveportal.inc ----------------------------- function portal_ip_from_client_ip($cliip) {         global $config; /*         $interfaces = explode(",", $config['captiveportal']['interface']);         foreach ($interfaces as $cpif) {                 $ip = get_interface_ip($cpif);                 $sn = get_interface_subnet($cpif);                 if (ip_in_subnet($cliip, "{$ip}/{$sn}"))                         return $ip;         }         // doesn't match up to any particular interface         // so let's set the portal IP to what PHP says         // the server IP issuing the request is.         // allows same behavior as 1.2.x where IP isn't         // in the subnet of any CP interface (static routes, etc.)         // rather than forcing to DNS hostname resolution         $ip = $_SERVER['SERVER_ADDR'];         if (is_ipaddr($ip))                 return $ip; */         return false; } At this point, the login/logout pages are accessed from http://pfsense:8000/  and worked fine. Note: I assume that you have solved the routing and firewall issues, ie; Added Gateway (for your LAN interface) in System | Routing | Gateways Added Route (to your client subnet, via your LAN interface) in System | Routing | Routes Added Firewall Rule (same as for "Default allow LAN to any rule", but changing 'LAN net' to your client subnet/mask)  in Firewall | Rules | LAN Hope this helps. Cheers, Jon

Hi ! Here it is: /etc/inc/captiveportal.inc - lines 299->332. As you can see in the code, the info stored in $config['captiveportal']['page']['errtext'] will be used as the logout windows. If not defined, a hard coded popup windows will be used. Your page can be defind by filling in " $config['captiveportal']['page']['errtext'] ", this can be done by supplying a file with the code on the Services => Captive portal page, you will find "Logout page contents" at the bottom. Btw: sending code for a (default) popup logout window or opening another browser tab (another page) will often treated equally.

Thanks! haha I'll look in that direction!

You probably need an external RADIUS server for this. The way we solve the problem here is that internal users are going directly through pfSense with its own page, guests use a DD-WRT enabled WiFI router with chillispot. Both pfSense and Chilli authenticate against a Freeradius server (that runs the portal pages for Chilli as well). Radius is managed through the free Daloradius web interface.

While looking at the code I see that PF uses the PEAR radius library to respond to talk to the radius server. While some attributes have been ported to this library, we need to port ChilliSpot-Max-Total-Octets, can this be configured or does the captive portal module would need major modifications? Thanks

OK Deactivated CP, restarted the box, activated again on both interfaces….same result. LAN address pfsense is 172.16.100.4  (static users on cable) LAN2 address pfsense is 172.16.101.1 (dhcp enabled users on wifi) I have also noticed the url on ethernet http://172.16.100.4:8000/index.php?redirurl=http%3A%2F%2F_172.16.101.1_%3A8000http%3A%2F%2Fwww.google.com%2F when accessed by LAN. Please suggest what to do. Regards

I'm using a StartSSL free SSL certificate on my home PFsense portal. I noticed it doesn't play nice with Firefox, but IE authenticates to it fine. I would highly suggest a paid SSL certificate for a business environment. http://www.cheapssls.com/ Comodo is $8 a year and RapidSSL is $9. I'd go with RapidSSL, Comodo's CEO is an idiot.

Thanks , I'll give it a go.

@dhatz: How would the DHCP lease time need to be configured when using vouchers? (e.g. would a 2 day voucher require a 2+ day DHCP lease?) AFAIK, if a client's MAC address is recorded in the …/var/db/dhcpd.leases file, this client should get the same IP address next time. That's not specific to using vouchers, or RADIUS, or no authentication, just make sure your DHCP lease lifetime is equal to or greater than your CP hard timeout in all cases. Clients will be re-assigned the same IP in most cases, but commonly not in environments like larger hotels where lots of devices come and go and you have a relatively small DHCP pool for the number of devices, so it has to reassign IPs whose leases have recently expired.

Thanks for the reply! I managed to get around this by doing some fancy php code What I did was create a simple redirect page for the captive portal to redirect to an external auth server, which will then ask the user to login and record the information that way. The only reason I'm using an external server is that pfsense doesnt support the mysql extension for php which is what I'm using to record some of the information. So i managed to work around it but if any body has any idea how to enable mysql support for php in pfsense that would be great! (i did do some reading and posted in the documentation section of this forums but so far now luck) Anyway for now I'm happy with the redirect its doing everything i need at the moment :) cheers! @Gertjan: Hi ! "usernames" are captive portal login names ? or The names of the PC's connected ? (have a look at the DHCP lease table from the server that runs on the captive portal interface). or The "Full name" you entered in the User manager of pfSense ?

You might want to check the discussion in the captiveportal max users thread. If it's going to be a public hotspot, one should also think about ways to mitigate possible abuse (either unintentional due to malware-infected PCs, or even intentional e.g. roaming spammers), how to deal with possible dhcp DoS attacks, rogue APs for mitm attacks, DoS attacks against the CP itself etc. The underlying tools in pfsense (pf+ipfw) offer some relevant features, but afaik those aren't yet available from the webGUI. A city-wide public Wifi for 30.000 active devices is a very big project that will require a great deal of work in design. You might want to read the material at http://www.muniwireless.com/category/city-county-wifi-networks/