• Captive Portal and LAN problems

    10
    0 Votes
    10 Posts
    3k Views
    Derelict
    > @assistenzanet95:
    > > @Derelict: So when LAN is disabled can CP clients resolve names? Can they ping OPT1 address? Do you have anything in Allowed IP addresses or Allowed Hostnames? What happens if you put http://10.10.10.10/ into a browser on a CP client? What version of pfSense is it?
    > No, when I disable LAN I can't resolve names on CP
    You have something hosed. You are going to have to post screenshots of all your interfaces, all your firewall rules, and all your CP settings. Could be one or more of a 1000 different things.
    > Yes, I can ping the entire OPT1 network, but I can't open the webpages of the antennas.
    I presume antennas means access points. I don't know why you would want to be able to access your access point web interfaces from the portal network. Most people want the opposite.
    > Yes, in the allowed IP addresses I have about 70 antennas and about 20 Allowed Hostnames
    Again, no idea why you care about the access point web interfaces from the portal network.
    > Nothing happens if I try to open http://10.10.10.10, my OPT1 address is 192.168.100/22
    The point is to eliminate the need for working DNS to get the portal page. If it doesn't come up it's broken. Again, screenshots of everything.
    > My version of pfSense is 2.1.1
    Ancient. Upgrade. At least to 2.1.5 if you want to take small steps.
  • Captive Portal Vouchers expiry

    4
    0 Votes
    4 Posts
    1k Views
    Gertjan
    > @strike101: the voucher is set to expire after 3 days
    > I haven't checked the DHCP lease time.. it's on default AFAIK,
    Takes 3 seconds to check ... and far less than 3 days by default ...
  • Blank page after submit?

    9
    0 Votes
    9 Posts
    2k Views
    Gertjan
    Going from the very old 2.2.3 to a beta version ….  :o What about the current 2.2.6 ? ( $PORTAL_ZONE$ already exists in the current version https://github.com/pfsense/pfsense/blob/RELENG_2_2/etc/inc/captiveportal.inc#L60 )
  • Captive portal stuck at login page

    13
    0 Votes
    13 Posts
    6k Views
    D
    > @cmb:
    > > @dpacheco: The image shows $PORTAL_ACTION$, not $PORTAL_ACTIONS$ (custom portal page has been working fine for 2 years and hasn't been changed). Don't know how this is treated by pfSense, but it seems that this is the normal behavior, at least for what is seen when everything works fine: client POSTs to /$PORTAL_ACTION$ and is redirected to the $PORTAL_REDIRURL$
    > I could have sworn it was typoed in one of those screenshots, but on second look, apparently not. It is still a problem that it's in there that way though, what are the contents of your portal page?
    Ok. The actual login page is a PHP file that detects whether the browser is a desktop or mobile one and redirects to an HTML file, which is uploaded directly to the pfSense box through the file manager tab.
    func_desktop.html.txt func_index.php.txt func_movil.html.txt
  • Getting crazy with CaptivePortal and PHP execution

    16
    0 Votes
    16 Posts
    5k Views
    D
    Hello, I've finally posted the how to that goes with my single step captive portal wrapper here https://forum.pfsense.org/index.php?topic=108493.msg604190#msg604190 If you find this useful, could you consider putting it as sticky post ? Regards, Ozy.
  • Only HTTP and HTTPS traffic working when captive portal enabled

    11
    0 Votes
    11 Posts
    3k Views
    M
    You're trying to route traffic from the WAN side of the PFS. This is completely wrong. You seem to be trying to use your firewall as an internal router. Any traffic passing through from the WAN side needs to be port forwarded, which isn't really what you want to do here. Set the captive portal on the LAN side and route your guest traffic through from LAN to WAN, using the WAN address for managing the PFS. It's how firewalls are supposed to work.
  • CP login via QR code

    10
    0 Votes
    10 Posts
    8k Views
    J
    Hi, I create a QR code with this link: http://xxxxxxxx.fr/ubhZKcJbY6a3 (replace xxxxxxxx.fr with another website; ubhZKcJbY6a3 is a voucher code). When a user scans the QR code, it will redirect to the portal auth page and the voucher field will autofill. If a user is redirected with another URL, the voucher field will be empty and he can authenticate with his credentials.
        <?php
        // The portal passes the originally requested URL back in redirurl.
        $URL = isset($_GET["redirurl"]) ? htmlspecialchars($_GET["redirurl"]) : "";
        // Treat it as a voucher link only when it starts with the QR-code site.
        if (strpos($URL, 'http://xxxxxxxx.fr') === 0) {
            $Code = str_replace("http://xxxxxxxx.fr/", "", $URL);
        } else {
            $Code = "";
        }
        ?>
  • Pfsense and bridge link speed

    Locked
    3
    0 Votes
    3 Posts
    773 Views
    I
    Dear, it is working fine now. By mistake I had enabled ACL in the devices; now it is disabled and everything is OK. Thanks for your reply.
  • Voucher - Invalid Too short (although it is not short)

    1
    0 Votes
    1 Posts
    920 Views
    No one has replied
  • Captive Portal login page does not show-up for all websites

    2
    0 Votes
    2 Posts
    748 Views
    M
    The problem sounds like a DNS issue. As to why, you'll have to provide some more information first. Like what DNS server(s) are your clients using? And what tests have you run so far? Have you tried running a dig or nslookup against any of the problem sites from a client? If so, what response do you get?
  • Whitelist domains without authentication

    5
    0 Votes
    5 Posts
    1k Views
    T
    Yes.  Actually @Gertjan was correct. I can now access the server by putting it in the allowed IP list. Thank you!
  • Display client MAC on captive portal login page.

    4
    0 Votes
    4 Posts
    1k Views
    T
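    On your captive portal form you can use the MAC address through this code:
        $safe_ip = escapeshellarg($ipaddress); // quote the address before it reaches the shell
        $arp = `arp $safe_ip`;                 // run the external command
        $lines = explode(" ", $arp);           // break the output into space-separated fields
        $macaddr = $lines[3];                  // fourth field is the MAC address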
  • Captive Portal With Squid Guard

    2
    0 Votes
    2 Posts
    985 Views
    T
    Captive portal is different from squid guard. Captive portal prevents unauthenticated users from accessing the internet; squid guard is a list of blacklisted websites. If you just want to block websites, use squid guard https://doc.pfsense.org/index.php/SquidGuard_package#Configure_the_squidGuard_Package
  • Captive Portal - Voucher valid on the first device

    5
    0 Votes
    5 Posts
    2k Views
    M
    Thanks sebastiannielsen, but this solution won't let me change the voucher time, so all vouchers will be expired after the "Hard timeout" period. I just wanted to make vouchers with various amounts of time, so isn't there any other solution??
  • CAPTIVE PORTAL DOES NOT WORK

    5
    0 Votes
    5 Posts
    2k Views
    M
    > @advcorp: Today afternoon I installed, step by step, the various modules of pfsense, but the result is always the same.
    Ok, you installed step by step. So at what step did the captive portal fail? What tests did you run after each change you made?
    As Gertjan suggested, start with a plain install with no packages. Test you can get out to the internet using the basic installation. Then, add the captive portal to your OPT1 network. Test again. Does the captive portal work? If so, move onto the next part of your install, testing each time until it stops working. You will then know at what point in your installation process things start to break and you can diagnose the problem.
    You've said nothing about testing at each point in the installation, so nobody can assume anything else but that you didn't.
  • Migrate voucher settings to new computer not succesful

    8
    0 Votes
    8 Posts
    3k Views
    D
    > @ishtiaqaj: I had gone through the same problem any find the solution??????????
    ishtiaqaj, see if the proposed workaround resolves your issue. https://forum.pfsense.org/index.php?topic=97457.msg543099#msg543099
  • Turning off CP between certain times

    6
    0 Votes
    6 Posts
    2k Views
    B
    I managed to get it all working, I had to use a combination of the two solutions I had found. Following the post found at: https://forum.pfsense.org/index.php?topic=80789.15 I used the two scripts, which left me with this:

    To disable the captive portal, I made a script called rc.captiveportal_disable:

        #!/usr/local/bin/php -f
        <?php
        /* $Id$ */
        /*
            rc.captiveportal_disable
            copied and modified from rc.captiveportal_configure
        */
        require("config.inc");
        require("functions.inc");
        require_once("filter.inc");
        require("shaper.inc");
        require("captiveportal.inc");

        captiveportal_disable();

        function captiveportal_disable() {
            global $config, $cpzone, $argv;

            if (is_array($config['captiveportal'])) {
                foreach ($config['captiveportal'] as $cpkey => $cp) {
                    $cpzone = $cpkey;
                    // The zone name is passed as the first argument.
                    if (strpos($argv[1], $cpzone) !== false) {
                        // Clear the enable flag and reconfigure the zone.
                        if (isset($cp['enable'])) {
                            unset($cp['enable']);
                        }
                        captiveportal_configure_zone($cp);
                    }
                }
            } else
                mwexec("/sbin/sysctl net.link.ether.ipfw=0");
        }
        ?>

    And another disable script that I made to call the above script and unload all IPFW tables (called that one rc.captiveportaloff):

        /etc/rc.captiveportal_disable vouchers
        /sbin/kldunload ipfw.ko

    After doing this the captive portal will be disabled, allowing internet traffic through.

    To re-enable I used the script to reconfigure the captive portal for the particular zone, named rc.captiveportal_enable:

        #!/usr/local/bin/php -f
        <?php
        /* $Id$ */
        /*
            rc.captiveportal_enable
            copied and modified from rc.captiveportal_configure
        */
        require("config.inc");
        require("functions.inc");
        require_once("filter.inc");
        require("shaper.inc");
        require("captiveportal.inc");

        captiveportal_enable();

        function captiveportal_enable() {
            global $config, $cpzone, $argv;

            if (is_array($config['captiveportal'])) {
                foreach ($config['captiveportal'] as $cpkey => $cp) {
                    $cpzone = $cpkey;
                    // The zone name is passed as the first argument.
                    if (strpos($argv[1], $cpzone) !== false) {
                        // Set the enable flag and reconfigure the zone.
                        $cp['enable'] = true;
                        captiveportal_configure_zone($cp);
                    }
                }
            } else
                mwexec("/sbin/sysctl net.link.ether.ipfw=0");
        }
        ?>

    Then another script to call the above script and reload all the IPFW tables, named rc.captiveportalon:

        /sbin/kldload ipfw.ko
        ipfw zone 2 create
        /sbin/ipfw -x 2 -q /tmp/ipfw_vouchers.cp.rules
        ipfw zone 2 madd hn1
        /etc/rc.captiveportal_enable vouchers

    Then use a cron job to call rc.captiveportaloff and rc.captiveportalon whenever you like. Seems like a dirty way of getting this done, but it works for me. It would take a bit more code if you are dealing with multiple zones, but for a single zone this works.

    One other question, how does the tmp folder behave? I have my script using the ipfw rules found in /tmp/ipfw_vouchers.cp.rules, if I happen to reboot pfsense while CP is turned off, will it end up deleting that file thus breaking CP completely?
  • Captive Portal For Hotel With Tiered Pricing

    3
    0 Votes
    3 Posts
    1k Views
    The Computer Guy
    I would be very careful of offering this sort of speed service. What bandwidth does the hotel have to play with? What happens if 10 x people buy 15mbps internet? It's very difficult to explain to a paying customer why they're not getting 15mbps if they paid for it. I would look at running two CP's on VLAN's then using AP's that have multi vlan/ssid and call them - Hotel WiFi standard & Hotel WiFi premium, rather than tying yourself to a speed. You could then claim that premium WiFi is 3 x quicker without having to give any speed indications.
  • Installing Captive Portal Intranet using ( Black Hole DNS)

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Securing Captive Portal with OS fingerprinting

    5
    0 Votes
    5 Posts
    1k Views
    C
    > @sebastiannielsen: no, he isn't out to restrict to a specific OS. what he is out for, is, when a client authenticate correctly, the client's MAC, OS-fingerprint, and IP is saved in the firewall rule. So the OS-fingerprint must match whatever the user authenticated with, to prevent spoofing.
    Yes, that's precisely what I'm looking for. I wasn't aware that pf wasn't used for the Captive Portal. However, since pf is still available for filtering, I was thinking about something like this:
    1. Create a pf rule that logs the OS fingerprints of clients.
    2. After a successful login of a user, create a pf rule for the IP that the user got that only allows TCP traffic with the OS fingerprint that has been detected during login.
    3. After either a voluntary logout by the user herself or after the soft / hard timeout, remove the pf rule for the user's IP.
    This should add one more layer of security. Sure, it's not foolproof but certainly would add one more hurdle to abuse.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.