As jimp already explained (implicit), you should intercept all DNS requests, and match them with the with listed domain names. If you have a match, the resulting IP should be fed into the allowed IP list of the portal page. You probably have to issue en redirect to your client. Some caching will needed, otherwise portal access will slow down as easy DNS request has to be filtered. This is what I should call a "bounty project".

Gertjan: I've got a baby on the way and have been pretty busy as of late, so it could take me a while to get back to testing this and provide the results of your posted commands. I've also got a buddy down the street from me who will assist in setting up a remote iodine server so we can test the tunneling techniques against pfSense. cmb: You're correct about the packet capture not showing any dns tunneling results. I must have attached the wrong capture that day. I was running late for meeting at work and had about 10 tabs open with various packet captures. I did have one that showed more details about the initial connection, but I apparently attached the wrong capture. I'm not the only one that has had this issue though –> https://forum.pfsense.org/index.php?topic=65739.0 Digging more into the location requests, I believe this could be hardware fallback technique done by dish network for subscribers to properly pay for their pay-per-view purchases. Search results over the net show all kinds of results with people noticing that certain Dish devices are establishing a lot of DNS connections back to homebase. I'll post back on this thread later after my buddy gets his side of the iodine setup and I have some more detailed packet captures to provide. For right now, packetfence is fitting the bill and I don't show any established connections to 67.148.153.116 in the table states anymore. And he's still hanging off my guest vlan.

@hardy_rafael17: So newbie question is…  Is there any way.. to direct or redirect trafic to port 80 from unauthenticated IPs to the captive portal... That's precisely how captive portal works. The problem is those apps aren't web browsers so when you intercept their traffic and serve them a portal page, the app just flakes out. Have to open a browser. People should be used to that. Gertjan's explanation provides more detail.

I AM a newb.  I had never actually entered invalid credentials.  I would click the 'View current page" and when it worked for the portal page contents and not for the authentication error page contents, I assumed it wasn't working.  When I actually try to log in and deliberately enter bad credentials, it notifies me… with the logo and all.  Thanks everyone for the help.

Thanks for the info Gertjan!  I will give it a go. Pulling the plug would be the ultimate solution; unfortunatly they are home while I am at work.  This should be good incentive to get them to help out around the house a bit. The plan is: Give each of them a chore or two to do each day Once they have completed said chore, the can text me with photo evidence I will then text them the appropriate voucher number to allow them access to the internet Is there any way to schedule the portal to be active only during specific hours of the day?  All other hours are free for all use?

Ditch Radius. Get Vouchers. Done  ;) (Or: try to put vouchers into Radius) (Or: Radius hasn't the possibility to give a account xx seconds 'usage' ?)

@ptt: You can start with this guide https://doc.pfsense.org/index.php/FreeRADIUS_2.x_package https://doc.pfsense.org/index.php/FreeRADIUS_2.x_package#HOW-TO_-_Multimedia_Tutorials thanks with this, but my main prob is may radius cant start eventhought i delete and reinstall it it wont run what is the fixed?

Well, If the popup doesn't show up, don't worry. As soon as the user becomes idle (and set an idle timeout on the captive portal interface to make this happen) because he's out of the network, shuts down its PC, or whatever, the connection is disconnected. Stuff get serious if you "sell" Wifi portal time. That why some of us invented this, a rock solid "check-out" disconnect procedure.

hello. pfSense program database server pull data out of the computer, the data is pulled username and password I need something to distribute. Is there anyone that can help? "server program on the computer that will receive the passport number and room number, they will give you the username and password assigned as the internet."

Ubiquity bridges its interfaces  in three modes , is it in router mode ? if so then change it to bridged. ofcourse DHCP, DNS etc … as Gertjan seas must be handled by pfsense.

@insurin: …..I think it was more to do with pfsense/captive portal already having a connection on that IP address with another user and when this new user tried to authenticate with the same IP address it caused CP to error. I rephrase. A user (with an IP obtained from your DHCP server) has a device with a MAC address. He connects to the portal interface, a session is opened with its IP MAC Start time End time (the End time will be 'Start time' + 'hard time out') Session-ID Etc. This user will NOT be redirected to the portal login web interface anymore. This user should manually LOGOUT (using the popup, so the session will be portal will be destroyed) if he want to see the portal login web interface again. His IP stays the same all this time. If another user connects, it should NOT obtain the same IP (IP conflict ! - note that user CAN hard code the IP, you better ignore these users  ;)). This other user has of course another MAC …. I cannot imagine how is could be possible that two users have the SAME IP ..... your DHCP will never allow that. A unique user with its unique MAC will receive a unique IP. This is how thing work in DHCP land  :)

@lsense: my plan is to use $config['captiveportal']['httpsname'] …... this should be the same as  $cpcfg = $config['captiveportal'][$cpzone]['httpsname'] (see function portal_hostname_from_client_ip($cliip) in /etc/inc/captiveportal.inc - pfSense 2.1.3) @lsense: that is "HTTPS server name" in web gui to configure what clients see in the address bar even if we are not using https. Well, this is where I need to explain: "Works for me" $cpcfg['httpsname'] is only set when you activate (ones) the "activate https authentication on the captive portal settings page. This will be done if you put in valid certificates … Not very difficult, its explaine here: https://forum.pfsense.org/index.php?board=2.0 The very first subject PFsense 2.1 MultiCP and https with Windows Radius Guide. As soon as "https" is setup and valid, de-activate it. The tric is: the $cpcfg['httpsname'] will be grayed out, but remains set and valid (so, you can use it as I did above  ;)). Exemple: My domaine is brit-hotel-fumel.net (to be set on the General setup page). The portal 'host' = 'portal' (IP 192.168.2.1, as set on the DNS Forwarder page) So, my 'httpsname' will be portal.brit-hotel-fumel.net When people connect to my Wifi network they will get an IP (they don't connect yet). They can ping at that very moment alreay portal.brit-hotel-fumel.net - this MUST give back a reply. This means the host name is resolved. This means that host name can be used instead of 192.168.2.1 And that's what the subject is all about. @lsense: portal_ip_from_client_ip($clientip)  is not called at all. For me, this is correct, because I'm using https login. For non-https login, this function will be called: (see function portal_hostname_from_client_ip($cliip) in /etc/inc/captiveportal.inc - pfSense 2.1.3)

Anything that speaks SFTP should work.  Just know that uploading directly doesn't put the files in the XML config and might not survive a reboot.

Not just www.apple.com See Using Apple Products with Captive Portal iOS 6 issues Not getting a "captive portal detected" message on iOS devices  etc. IOS devices have a boatload of URLs to test if the Internet is reachable.

If you have your user list in an Excel sheet, you could export it into a "easy to parse" format, like CSV, or even dot-comma separated lines. You need some lines of PHP that should do this: Remove all current user that are member of the group that are allowed to login to the portal: this is mine: http://pastebin.com/uQ6Ry4h0 You should remove all <user>…..</user> that have a that belongs to this group. Now, Rebuild the group, and insert all users. You will have to encode the password (3 formats). Any of this can be looked up in the pfSense portal PPHP code, so the bigger part of the code is just 'copying' what already exists. Note that, when a user is present in the User Database (managed by pfSense) their is no need to deleted it, you could also just 'deactivate' the account and reactivate when the "rent comes in". You could also add MySQL or MSSQL support to the PHP engine of pfSEnse, and use a separated SQL server that will do the authentication (better check how to generate the passwords then ...)

oh I think its a different topic …. well problem solved.. I need to authenticated to the portal before i can have net access... Thanks please close sir moderator. thank you

I activated the Portal Interface on the my LAN - I merely activated Local User Manager, not touching any other settings. This means I had two portal interfaces, one on OPT1, and one on the LAN. Just to be sure, I added the MAC of my PC to the MACC pass through page. I switch on another PC on the LAN and launched a navigator. Guess what popup up ? this one: http://www.test-domaine.fr/Capture-portal.PNG I had access to the net after authentication … I didn't really tested it for a long time, but a Portal Interface on LAN, it seems to work.

Hi Gertjan I am looking at the logs and I can now see what's happening as you have pointed out already logportalauth[83783]: CONCURRENT LOGIN - REUSING IP 172.110.14.67 WITH DIFFERENT MAC ADDRESS 18:20:32:27:17:b3: username timestamp cheers