OK, thanks for replies. I was thinking about this option - to generate new keys. I already tried to change the magic number - I ended up with "Services : Captive portal : Vouchers" page all greyed out, "add voucher" icon (plus sign) disappeared, page reload didn't help, so warning to everyone, this is most likely not the way to go in RC1!

Assuming the CP users are on a different subnet, on a separate interface or VLAN, you can do that just with firewall rules (with or without CP).

Without DNS, the hostname never resolves to an IP, if the IP doesn't resolve, the client never makes a request, and pfSense can't redirect to a page if the client never makes the request. Only possible way around that might be if you have some kind of default DNS response. I don't think the DNS forwarder in pfSense supports that, something like the ISP DNS setups that send you to a search page when they don't get a valid DNS response. If your clients were pointed at a local/internal DNS server that would return a response even on failure, it should work.

Ah, then it might be something to do with the expiration bit. I didn't try that, just a normal login. Not sure how much can be done about that since it's browser specific…

It's by MAC and IP (CP enforces the association between them). IP and MAC passthroughs have no limits in 1.2.3, they have per-entry limits in 2.0.

this is a good idea! keep us posted on your progress if i get soem time at work tomorrow i will play with this a little as well

I left my global DNS setting as provided from my ISP.  And leave the local OPT interface DNS config for the CP interface.  And I pipe OPT/CP traffic only through Squid.  Inside Squid I set the DNS provided by client.  This does a real nice job.  This solves your need, as it does mine.  And provides a real nice feature, even if the clients DNS servers entry is statically set, it will still resolve names from OpenDNS servers, transparent to the user, reducing the ability to get around my OpenDNS content filtering rules.

Captive portal works at layer 2 (read: MAC address), so unless your clients are bridged to the same layer 2 network as pfSense, and pfSense can see the client MAC addresses directly, then it will not do what you are after. We have a feature request open (not sure if it's on redmine or elsewhere) for a layer 3 captive portal that would work by IP, but it's something that requires quite a lot of time toward (and funding…) in order for it to happen.

i have add on Cp a idle timeout (30 min) and it seems to be fonctionnal …

That's up to your AP's configuration. Nothing pfSense can do about that, and Captive Portal only works at Layer 2 so there isn't a workaround at the firewall level.

If you were coming from an older snapshot then you might be seeing this: https://rcs.pfsense.org/projects/pfsense/repos/mainline/commits/2d4003aab1d969ed9ba3e52f2fe3ec083e4bef8c We were not calculating the bandwidth received from RADIUS according to the standard. You'll probably have to fix your bandwidth values in your RADIUS server.

Maybe a CAPTCHA on the landing page?

No, that isn't possible to do with the code as it is. It could probably be modified to do that, but it would be a bit of work to pull off. 2.0 can't do that either.

Many thanks for your response. There is a work around for this scenario - and that is to NAT into the existing LAN and 1:1 NAT from one subnet to the other. Hopefully the pfSense will provide firewall logs of translations so we can match user's traffic on the Internet to authenticated traffic on wireless LAN. I don't know of another distribution that supports this feature, maybe ZeroShell? - so we may just build one! Thanks Rob

Cool, thanks a bunch!

You probably want to upload your own error page in section "Authentication error page contents" (right below "Portal page contents"). That's what I did and my portal login and error pages are of the same style and look. Logout pop-up doesn't work, you're right. I guess it is a bug.

@ermal: You need a radius server to do this for you. Hi ermal, I've managed to make CP + Active Directory (through RADIUS in Win2k8 R2) work for my RC1 2.0 box. But i'm not sure where should I create groups for limiting bandwidth?