Maybe I didn't explain correctly the problem. I have enabled every minute reauthentication in the captive portal page. It happens that when I shutdown the radius server (simulating a failure of the server) people who are logged on can continue surfing the web while people that are not logged cannot logon. The problem is that people should be logged off automatically when the radius server isn't available preventing them from surfing the web without their activity beeing accounted. Maybe it could be solved if, when enabling "reauthenticate every minute" captive portal disconnects clients not only when it receives an ACCES-REJECT from the radius but also when the radius doesn't answer the ACCES-REQUEST by the router. Thanks

@namezero: Looks like m0n0wall's beta 1.23b1 has improvement on that issue: hanges in captive portal (jdegraeve) * fixed a bug in the way we handle authentication mechanisms (potentially allowing double logins and faulty locking)     * add support for different MAC address formatting styles     * add support for per-user bandwidth limitation (using well-known WISPr RADIUS attributes) http://m0n0.ch/wall/beta.php So if you're really stuck, you might want to take a look at m0n0wall for the mean time. We have already backported this code to HEAD but it will not appear in 1.0.  I agree with namezero, if this is such a big issue then please run m0n0wall.

You have to use the dns-forwarder of the pfsense for the wireless clients. Otherwise it can't redirect to the captive portal page. Set up your LAN DNS server at system>general and assign the wireless clients the pfsense wlan IP (done by default). Also uncheck "block private IP ranges" at interfaces>wan.

Got it.  I've sent it to the m0n0wall Captive portal author.

Thanks!  It can definately be taxing at times.  And the amount of grey hairs on my head seem to be multiplying *4 very rapidly :P

You have the portal set to be enabled on the opt1 interface?    Did you add a rule to allow that subnet out of the firewall?  By default it won't allow traffic on that interface to pass.  You need to add an allow rule under Firewall -> Rules -> opt1 Have you tried removing the 2wire device and testing with just a wired connection either directly into the pfsense box or through just a hub or switch?  I had nothing but bad luck with those 2wire devices 3-4 years ago when I tested them as DSL CPE. Something else to try, can you go to http://192.168.1.1:8000 ? (assuming that the opt1 address is 192.168.1.1) I just set this up to test and it works fine for me (minus the 2wire device).  I'll wager you just need a pass rule for that subnet on that interface.

Thats great to hear!!

Okay I tested this again and found some minor errors… png wasn't working. Anything upper or mixed case wouldnt have worked: ie: Jpg If you are running a full installation do a cvs_sync.sh releng_1 && shutdown -r now If not, Diagnostics, Edit file and overwrite the code with this: http://cvs.pfsense.com/cgi-bin/cvsweb.cgi/pfSense/etc/inc/system.inc?rev=1.79.2.38;content-type=text%2Fplain;only_with_tag=RELENG_1

@clamothe: It seems like that would be true, since I doubt the computers will be talking through the router to get to another computer on the LAN. True. @clamothe: Another thing that I'd like to do is open up ports UDP 27000 to 27015 and TCP 27020 to 27050 for Steam.  Open them up so that all internal users (including non-authenticated) can access WAN servers via those ports.  Is there some way I can bypass the portal for this? You can't open up single ports but you can specify passthrough IPs as destination that are always allowed. So add the Steam IPs there and you are fine. For everything else the clients have to authenticate then.

No.

Send it over to the m0ther too  ;D

i will try tomorrow…very good job .... :) ...i'll become after

I can't speak to the status of the package but the RADIUS auth should work fine with an external RADIUS server (except for the 16 character password limit).  I use RADIATOR personally but it's a payware perl based solution.  It should work fine with any compliant RADIUS server.

You want the radius client on the pfsense box to use the MAC as the username?  Or is it that you want the box to just allow a set of known MACs?

I agree - 'solved'. See other post concerning same mather.

@rexster: i didnt think it's problem with wds. coz, i just try out a friend's engenius wsr3800 wireless with built in authentication (captive portal) and using same wds with linksys wrt54g/gs all clients can successfully login, even those clients connected to the furthest repeater can still login with no problems. Checked that. Have a [ADSL modem] <–-> [pfSense Box {=>OPT1 interface}] <–--> [switch] <–-> [WRT54GS as AP+WDS] <–--- radio link ----> [WRT54GS as AP+WDS] <–- radio link ----> [Client PC]. The Client PC can login to the captive portal on the pfSense box, and then has access to the net. The question is: what firmware (in your AP's) are you using  ;) Linksys routers are as PC's: depends on what software you're using to make them fly…  :D

Captive portal doesn't work on a bridged interface. It has to be a seperate subnet and the clients of this subnet have to use the pfsense dnsforwarder as dns.