I was able to get this resolved.  It turned out to be a problem with my switch.  I backed it up, defaulted it and restored the config and everything started working.

@itchy: Can you provide some more details? This has been taken care of a long time ago. https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting The firewall rules "ipfw" redirect all http requests to the internal web sever that displays the login page IF the user's device hasn't been granted access already. If a user's device has been granted access, the firewall rules accessible in the GUI determine what happens. edit : great : I'm actually saying the same thing as Derelict.

You would have to create another pool for your dhcp server on your cisco. http://www.cisco.com/c/en/us/td/docs/ios/12_2/ip/configuration/guide/fipr_c/1cfdhcp.html

https://redmine.pfsense.org/issues/6421

Hi. First of all thanks for your responde I used 1 minute idle time just as an example, but I have done much more testing with differents time and same result. When authenticated MAC is not present on Captive Portal / ZONE /MACs because I'm not ussing MAC passthrough. I'm asking to see if anyone have found a way to get it working because it become a problem for us. I have worked with other WiFi system (much more complex) like Aruba and I have never have this problem with MAC auth and Radius server. We don't want to use MAC passthrough because we lost, for example, accounting information. Regards,

Hi Gertrjan thank you for replying, what you suggest would work i'm sure, but we have a policy where management of all assets is done on a specific Vlan (Vlan 20). Unfortunately, I am unable to change that, policy, but as it happens, I resolved the issue earlier today, only just got home to update with the soultion. I actually had done everythig correctly in pfSense, the problem was the guy who had set up the Cisco 3560, had applied all the three vlans to the trunk port as I had requested him to do, but he also had in the Cisco interface config the line 'switchport native vlan 20'. I got him to remove this line and everything now works, so i've spent this afternoon setting up firewall rules blocking access to the and from the opt 1 vlan from the lan and wan for security, and blocking access to the management interface from the WAN and LAN interfaces too. Tomorrow will be the big test day, but I quickly checked everything before I left and it seems to work perfectly, only access the webgui and ssh from vlan 20 and nowhere else. Thank you again for the suggestion Regards Tony.

Hi, Why ? Your captive portal is on a boat or plane ?  :) I advise you to check it out with a host name that changes often (some kind of DDNS host). You'll be in for a surprise. (you can see it in action here : enter SSH, and type ps aux | grep 'filter' You will find : root      16520  0.0  0.1  23096  2708  -  Is    2Aug16      0:18.58 /usr/local/sbin/filterdns -p /var/run/filterdns-[ZONE]-cpah.pid -i 300 -c /var/etc/filterdns-cpzone1-captiveportal.conf -y 2 -d 1 which means : Every 5 minutes, resolve all host names from the file "/var/etc/filterdns-[ZONE]-captiveportal.conf" and writes (changes) the IP's into the captive portal's "ipfw" (the captive portal firewall). Also, check out this file cat /var/etc/filterdns-[ZONE]-captiveportal.conf (change [ZONE] for your zone name) this is the list with the host names you entered into the list used by your captive portal. So, the final answer to the question "How can I refresh the CP Allowed Hostnames IPs table" is : you don't, it already been take care off.

Have you tried to add the VPNs DNS IPs to the Allowed IP Addresses? If that works then you may request a feature to pfsense CP for having a per MAC address Allowed IP Addresses.

I realize that the CP can not be active for the DC/DNS.  The DNS needs continues and full access to the internet to be able to resolve the addresses. If CP were active the DNS will fail and therefore every machine pointing to that DNS will fail. So not working CP in this DC/DNS is probably an intentional design in pfsense. I guess that if I want to control some bandwidth in this server I will have to add its MAC address in the CP and some how hardwired the MAC to freeradius.  That is for another thread.

So the problem solved itself. Propably it needed a while to let the changes take effect at all clients. Some web pahes still didn't redirect to cp login, but it showed up it's because of https…

First all thank you for your answer, To start it's good to know its a normal behaviour of pfsense that you need to use http, just what can i do that when some login to the network they get the inlog page first before typing a http page? use http connection with a certificate? Just need to find a way so when opening a page it gets redirected to login page, any idea's? To give some more info on everything. i tested mostly on a wired connection to see if CP would work. while this would not be my setup later and guest can ONLY connect through WIFI i am using my mobile and laptop to test the rest. 1: my mobile, when wifi is off and I enable it I will be redirected to the CP inlog page, this works even when there is a timeout in the connection a refesh page or new page will redirect to login page. just my own phone it stopped working while my tablet doesn't 2: on my laptop when i connect it gives me a dns that i dont have listed in pfsense anywhere. when i manually enter the correct DNS and then use a http site i get the inlog page as well. only this is not the way i need it. for some reason i do not get it configured that when i enable wifi on the laptop it gets the rigth DNS. enabled DNS forwarder and enterd the DNS that shows on the first page of pfsense in CP and in DCHP but no luck on that yet, it still gives the same DNS 192.168.3.100 while it should be 192.168.3.254 to get the internet working. I did a complete reinstall for some reasons because i had also some packages installed like squid proxy and other stuff, after the reinstall wireless gets a proper DNS without having DNS forwarder enabled for the 404 page, when you enter the user and pass you get a redirect page only it does not redirect, after login i get IP:8002/www.domainname.com and i use the original login page from pfsense. normally it should redirect to the domain but it isnt. found the solution that it redirects to the proper page, i had www.domainname.com but it has to be http://www.domainname.com so it will be redirected

Hi ! First things first. What pfSense version ? To install pfSense - and activate the CP, a max of 10 settings are needed. After that, it works as advertised. What did you do to make it work ? Check all, say : latest 10 threads in this part of the forum. All kind of "special case" DNS issues might arrive - the most strange "never seen before network setups" are being constructed. So, understand that I want to know what's so special about yours. The I tell you what up ;)

Some advise : @gmendoza: That was my code: This is better. Condition : Your DNS should work. Your should set  as instructed when installing, a domaine like "mylocalpfsense.tld" and a host name like "pfsense". Also - if your portal is running on a separate interface (it real should) - a host name for your portal's gateway should be set Do NOT hard code something like "zone=cpzone". Include the new : do not hard code like New stuff might appear when upgrading - even if your settings are maintained, sometime you will have to 'retouch' something. This is why the CP didn't seem to work when you upgraded from ancient pfSense versions. ( => never keep old software except when you are an expert. - Note : experts never keep old versions around, the do not have time for that  ;))

@jetberrocal: @trainey927: Ok, I've started from scratch and gotten the CP to work on macs and windows without squidguard. So it seems squidguard was causing the trouble on OSx.  sounds like I'll need to do more research on squidguard.  I'll try playing with the configuration of squidguard to get the captive portal and blacklist filter to work at the same time with OSx.  It should be possible Thanks for the reply :) I know this thread is a bit old, and you were asking for help. But I will like to know if your Windows Computers are Domain Attached or Stand alone? If they are Domain Attached I will like your help with your configuration. I solved my problem with CP.  It was failing because the DNS server was blocked by the CP.  Only one glitch remains but that is another thread.  Clients work but not on the Server.

OK. I think what must be happening is the user is not selecting the WiFi network on their iphone.  It is automatically connecting to the WiFi itself, as it remembers it, but doesn't pop the automatic captive portal browser using the http://captiveportal.apple.com, as the user isn't actively using their phone.  The user then opens a browser to do something, visiting a https page, causing the error? If the user connected to a http page, the portal would work correctly. I need to have a play to try to replicate the error, just seems odd that every user to report the problem has been using an iphone 6. [image: IMG_0652.PNG] [image: IMG_0652.PNG_thumb]

Try to make a new user with full access to this page like SuperUser grant all access to this user. then enable your captive portal. open web browser and go to address bar and type the pfsense ip with 8000 port. e.g. http://192.168.1.1:8000 login page will popup then use the new username & password that you created lately like the superuser. then done. Internet can pass tru your PC now.

@shaheed: …. 1. the ip is 192.168.0.1 as listening port for clients it is also the ip of pfsense lan interface. 2.  in Nas/client ip field i have entered the same 192,168,0,1 ip ?? 3.  Radius authentication is allowed in captive portal settings "192.168.0.1" is the pfSEnse LAN IP and the FreeRadius2 IP ? This means your FreeRadius2 is running on the same system as pfSense ?

On the login page, where the visitor-with-a-voucher enters the voucher code, add button that states : "I agree that my time is limited (see voucher), and I declare that I activated a count-down timer in my SmartPhone - or the device I use to connect to the portal". Done. You have a maintenance free and easy to understand 'count down timer'. Zero hassle guaranteed. If the visitor doesn't want the count down timer, well, in that case, maybe because he doesn't need one ;) A real win-win situation.