Hello, I've finally posted the how to that goes with my single step captive portal wrapper here https://forum.pfsense.org/index.php?topic=108493.msg604190#msg604190 If you find this useful, could you consider putting it as sticky post ? Regards, Ozy.

You're trying to route traffic from the WAN side of the PFS. This is completely wrong. You seem to be trying to use your firewall as an internal router. Any traffic passing through from the WAN side needs to be port forwarded, which isn't really what you want to do here. Set the captive portal on the LAN side and route your guest traffic through from LAN to WAN, using the WAN address for managing the PFS. It's how firewalls are supposed to work.

Hi, I create qrcode with this link : http://xxxxxxxx.fr/ubhZKcJbY6a3 (replace xxxxxxxx.fr with other website, ubhZKcJbY6a3 is a voucher code) When user scan qrcode, it will redirect to portal auth page and the voucher field will autofill. If a user is redirected with other url, the voucher field will empty and he could authentificate with his credentials. $URL = htmlspecialchars($_GET["redirurl"]); if (strpos($URL, 'http://xxxxxxxx.fr') !== false) { $Code = str_replace("http://xxxxxxxx.fr/", "", "$URL"); } else { $Code = ""; } ?>

The problem sounds like a DNS issue. As to why, you'll have to provide some more information first. Like what DNS server(s) are you clients using? And what tests have you run so far? Have you tried running a dig or nslookup against any of the problem sites from a client? If so, what response do you get?

Yes.  Actually @Gertjan was correct. I can now access the server by putting it in the allowed IP list. Thank you!

on your captive portal form you can use the macaddress through this codes: $arp=`arp $ipaddress`; #run the external command, break output into lines $lines = explode(" ", $arp); $macaddr = $lines[3]; #Actual code

Captive portal is a different from squid guard.  Captive portal prevent unauthenticated users from accessing the internet, squid guard is a list of blacklisted websites.  If you just want to block websites, use squid guard https://doc.pfsense.org/index.php/SquidGuard_package#Configure_the_squidGuard_Package

Thanks sebastiannielsen, but this solution wont let me change the voucher time so all vouchers will be expired after "Hard timeout" period i just wanted to make vouchers with various amount of times so isn't there any other solution ??

@advcorp: Today afternoon I installed, step by step, the various modules of pfsense, but the result is always the same. Ok, you installed step by step. So at what step did the captive portal fail? What tests did you run after each change you made? As Gertjan suggested, start with a plain install with no packages. Test you can get out to the internet using the basic installation. Then, add the captive portal to your OPT1 network. Test again. Does the captive portal work? If so, move onto the next part of your install, testing each time until it stops working. You will then know at what point in your installation process things start to break and you can diagnose the problem. You've said nothing about testing at each point in the installation, so nobody can assume anything else but that you didn't.

@ishtiaqaj: i had gone through the same probelm any find the solution?????????? ishtiaqaj, See if the proposed work around resolve your issue. https://forum.pfsense.org/index.php?topic=97457.msg543099#msg543099

I managed to get it all working, I had to use a combination of the two solutions I had found. Following the post found at:https://forum.pfsense.org/index.php?topic=80789.15 I used the two scripts which left me with this: To disable the captive portal, I made a script called rc.captiveportal_disable: #!/usr/local/bin/php -f /* $Id$ */ /*     rc.captiveportal_disable     copied and modified from rc.captiveportal_configure */ require("config.inc"); require("functions.inc"); require_once("filter.inc"); require("shaper.inc"); require("captiveportal.inc"); captiveportal_disable(); function captiveportal_disable() { global $config, $cpzone, $argv; if (is_array($config['captiveportal'])) { foreach ($config['captiveportal'] as $cpkey => $cp) { $cpzone = $cpkey; if (strpos($argv[1], $cpzone) !== false) { if (isset($cp['enable'])) { unset($cp['enable']); } captiveportal_configure_zone($cp); } } } else mwexec("/sbin/sysctl net.link.ether.ipfw=0"); } ?> And another disable script that I made to call the above script and unload all IPFW tables(called that one rc.captiveportaloff): /etc/rc.captiveportal_disable vouchers /sbin/kldunload ipfw.ko After doing this the captive portal will be disabled and allowing internet traffic through To re-enable I used the script to reconfigure the captive portal for the particular zone, named rc.captiveportal_enable: #!/usr/local/bin/php -f /* $Id$ */ /*     rc.captiveportal_disable     copied and modified from rc.captiveportal_configure */ require("config.inc"); require("functions.inc"); require_once("filter.inc"); require("shaper.inc"); require("captiveportal.inc"); captiveportal_enable(); function captiveportal_enable() { global $config, $cpzone, $argv; if (is_array($config['captiveportal'])) { foreach ($config['captiveportal'] as $cpkey => $cp) { $cpzone = $cpkey; if (strpos($argv[1], $cpzone) !== false) { $cp['enable']=true; captiveportal_configure_zone($cp); } } } else mwexec("/sbin/sysctl net.link.ether.ipfw=0"); } ?> Then another script to call the above script and reload all the IPFW tables, named rc.captiveportalon: /sbin/kldload ipfw.ko ipfw zone 2 create /sbin/ipfw -x 2 -q /tmp/ipfw_vouchers.cp.rules ipfw zone 2 madd hn1 /etc/rc.captiveportal_enable vouchers Then use a cron job to call rc.captiveportaloff and rc.captiveportalon whenever you like. Seems like a dirty way of getting this done, but it works for me. It would take a bit more code if your are dealing with multiple zones, but for a single zone this works. One other question, how does the tmp folder behave? I have my script using the ipfw rules found in /tmp/ipfw_vouchers.cp.rules, if I happen to reboot pfsense while CP is turned off, will it end up deleting that file thus breaking CP completely?

I would be very careful of offering this sort of speed service. What bandwidth does the hotel have to play with? What happens if 10 x people buy 15mbps internet? It's very difficult to explain to a paying customer why they're not getting 15mbps if they paid for it. I would look at running two CP's on VLAN's then using AP's that have multi vlan/ssid and call them - Hotel WiFi standard & Hotel WiFi premium, rather than tying yourself to a speed. You could then claim that premium WiFi is 3 x quicker without having to give any speed indications.

@sebastiannielsen: no, he isn't out to restrict to a specific OS. what he is out for, is, when a client authenticate correctly, the client's MAC, OS-fingerprint, and IP is saved in the firewall rule. So the OS-fingerprint must match whatever the user authenticated with, to prevent spoofing. Yes, that's precisely what I'm looking for. I wasn't aware that pf wasn't used for the Captive Portal. However, since pf is still available for filtering, I was thinking about something like this: Create a pf rule that logs the OS fingerprints of clients. After a successful login of a user, create a pf rule for the IP that the user got that only allows TCP traffic with the OS fingerprint that has been detected during login. After either a voluntary logout by the user herself or after the soft / hard timeout, remove the pf rule for the user's IP. This should add one more layer of security. Sure, it's not foolproof but certainly would add one more hurdle to abuse.

Ok, i understand ! it's logic. i will see if it's possible whith a proxy… Thanks you to all.

To solve this issue forever you must add the CA cert to Pfsense GUI and restart the Captive Portal Services Step: Cert Manager –> CAs Tab --> Create a new records --> fill up "Certificate data" with CA Cert --> use IE or FireFox to test https url Note: don't use Chrome because it can handle this case

@Derelict: If you do not get an address it's DHCP - nothing to do with captive portal If you cannot resolve names, this might be because you are not passing through necessary name servers in captive portal. hosts need to be able to resolve names if you want browsers going to www.domain.com to bring up the portal. I have probably 8000-15000 different devices going through Captive Portal every week. It works fine if configured correctly. You are going to have to systematically go through the steps necessary for CP to function and find the specific failure before we (or at least I) can help you. Thanks Derelict I have found the problem and it was the Wan and the Lan had some checks that should not have been checked and it was the bottom 2 that refuses bogons and the other above it. I unchecked them and then all went well quick and hope it helps someone else if they have the same problem. I can now type in password only on the custom page and no more hanging and timing out off to the world web. Thanks for your patience with me even though I know I didn't explain very well but like I told yawl I'm totally new to pfsense. I did go back and use the default pfsense portal page like you ask me to and was still no good until I unchecked them boxes.