@simply: What table are the user accounts supposed to be stored in ? My greatest desire to store all user info on the DB. Thanks for the reply. DB? Table? Yes, LDAP can use databases. It's up to you to configure a database backend for your LDAP Server! I use the OpenLDAP build in database, no fancy backends. Here are some relevant LDIF Files: dn: ou=users,dc=bewoelkt,dc=lan ou: users objectClass: top objectClass: organizationalUnit structuralObjectClass: organizationalUnit dn: ou=groups,dc=bewoelkt,dc=lan ou: groups objectClass: top objectClass: organizationalUnit structuralObjectClass: organizationalUnit dn: uid=jho,ou=users,dc=bewoelkt,dc=lan objectClass: top objectClass: radiusprofile objectClass: inetOrgPerson cn: jho sn: jho uid: jho description: Radius User Joerg Hochwald userPassword: PWhere radiusReplyItem: WISPr-Redirection-URL+='http://www.bewoelkt.net' radiusReplyItem: WISPr-Bandwidth-Max-Down+=1024 radiusReplyItem: WISPr-Bandwidth-Max-Up+=1024 radiusReplyItem: WISPr-Location-Name+="FFM01" radiusReplyItem: WISPr-Location-ID+="01" radiusReplyItem: WISPr-Max-Daily-Session+=3600 radiusReplyItem: Simultaneous-Use+="0" radiusReplyItem: Max-Daily-Session+='3600' radiusReplyItem: MHS-INT-Site+="Default" radiusReplyItem: myHotspot-Group+="Guest" radiusSessionTimeout: 7200 Just include the Radius Schema in /etc/ldap/slapd.conf: # Radius include include /etc/ldap/schema/radius.schema Now create a file (schema.conf below) with the following content: include /etc/ldap/schema/radius.schema And import the Schema to your LDAP Server: slaptest -f schema.conf -F testdir/ ldapadd -Y EXTERNAL -H ldapi:/// -f testdir/cn\=config/cn\=schema/cn\=\{0\}radius.ldif The Schema above works fine with pfSense. Just did some tests with 50k Users (imported via LDIF). There is only one problem: The RADIUS didn't return all radiusReplyItem configured in the example above. But I didn't find the time to dig into that issue. All relevant infos are parsed :) For mySQL: You will find a lot of good howtos via Google (Remember, this is your friend) ;-)

Not in the portal itself but probably in the firewall advanced rules for the rule that passes outbound sessions. In advanced options you have things like: Maximum state entries this rule can create Maximum number of unique source hosts Maximum number of established connections per host (TCP only) Maximum state entries per host No comment on whether this will enhance or degrade the user experience.

/var/etc

No.  The CP is a man in the middle.  HTTPS is designed to prevent the same.

I don;t have time to look at captiveportal.inc today.  Try it without vouchers.

Also if you are using a custom portal page try using $my_redirurl instead of $redirurl for redirection.

You probably need to make VLAN 10 a LAN on pfSense and put all the clients behind it.  To activate the captive portal requests to port 80 need to be sent to the pfSense interface.  This usually means it needs to be the default gateway of the clients. If you put the pfSense WAN on VLAN 1 and LAN on VLAN 10 and let pfSense handle all the DHCP for VLAN 10 it would get you there.  You should also be able to forward DHCP to another server if required. You'll also probably want to disable NAT in pfSense (switch to manual outbound and delete all the NAT rules.)

is there is any answer

@Gertjan: And, here it where it all starts: Look in this directory : /usr/local/captiveportal Even more important: Get yourself a decent editor like Notepad++ or even better: UltraEdit. A FTP client that supports SFTP. Activate SSH access to your pfsense box (if not already done). Most if not all files are pretty self documenting. pfsense itself (the GUI): /usr/local/www thanks! I'll be using vim-lite though.

@Derelict: Yes.  Users that don't need the captive portal on one interface, users that need to go through the portal on another interface with the portal enabled. Or you could put them all on one interface with passthrough MAC address entries for the NICs that don't need to go through the portal.  Two networks with different access policies is how I would go. Ok thank you very much for your sugesstion. I will try with with MAC address passthrough first, because it sound more fit-able to my network condition. If not work, i will try with the other solution 2 NIC.

What was the configuration issue?  Can you post the resolution?  I am also having a problem with 2.1.5

@Derelict: Static DNS on the clients perhaps? YES!!! That was the problem!!! Static DNS entries in client machines! After I removed them, CP starts working! Great! THANK YOU!!

@kapara: …. iphone will not redirect at all! Strange. iDevices are always the fastest devices that show up the portal authentication page (I use a local user setup). Using 2.0, 2.1.1 up until 2.1.5 Never ever had any problems with those, because they will, as soon as the Wifi connection is up, throw out an Apple test URL that provokes the auth page being showed. The "help - I can not connect" question is very rare at our local reception desk (Hotel). People just connect. Then, often, they can't login because it asks for a 3 digit "room number" (remember, this concerns a hotel - with doors and key the mention this number) like "202". They phone the redeption …. The password is being indicated on the login screen ( !! ) they should retype or copy it. It's 'climat' btw. They can't find it ...... (I guess intelligence dropped heavily last years in France ... I think .... I still don't get it ;) ) On the other hand, I know some setup have difficulties to show the portal page, which is normal as client lauch their conection with an initial https://….  request. This is normal.

any idea please ? :'(

The pfSense captive portal is pretty much time-based, not usage-based.  I think making it do that would be a great deal of work.

As said, this isn't a pfsense issues, but an error in the design of the network hooked up to the portal interface. When using more then ONE AP - and these AP's works like switches, this kind of trouble pops up. We are in 2014 now, so some OS's that clients use have this famous question: Is this a private or Company network ? Or a public network ? (I guess we all know now which OS this is  :) ) If the clients choses "public", then their PC can communicate ONLY with the gateway, and block ALL other incoming/outgoing connections. Problems solved, the pfsense portal network engineer can go the bed again. But, of course, there are clients that consider the portal Wifi network as their home network - and they share all their holiday photos on the network ("because then it works at home"). They just hit 'Home network' when their OS says "This is a new network, please chose …". The same clients (our Wifi portal network clients) start to yell when they discover that pure strangers are 'surfing' their PC ... ad all their holiday photos are indexed by Google Images a couple of days later on. (You better get a lawyer when you get home, your wife isn't gona like this one) Anyway: I present https://forum.pfsense.org/index.php?topic=66368.msg365658#msg365658 It started here https://forum.pfsense.org/index.php?topic=1268.msg7542#msg7542 (even Sullrich was surprised  ;)) It all boils down to: activate AP isolation - and route all trafic from clients to gateway - and back. NO CLIENT TO CLIENT communication. The rule to be enforced is "You, as an pfSense operator, do NOT OFFER A LAN PARTY, but Internet Access only".

@xamber: ….. Well i get the following error "Fatal error: Call to undefined function mysqli_connect()" .... Troubleshooting wouldn't take long if you called this function: phpinfo(); You will discover that PHP as it executes on pfSEnse, has NOT, by default, MySQL (client) support activated. I don't recall how, but there is a trick to activate it. (it's on this forum).