the answer is YES. im actually doing it. and also i use a wireless router after my pfsense and my devices redirects to captive portal (just not a dd-wrt tho) but still, i think pfsense will sill redirect devices to its captive portal. but to be sure, just turn off DHCP on your router then plug your pfsnse to one of your router's LAN ( again LAN not WAN) ports and you'll be good to go.

Using the default 'auto generated' certificate as an admin access, this is ok. You will see a big warning that the certificate isn't signed by a major 'certificate ware house', but, what the heck, you as an admin, you don't care. Using the same certificate for "guest access" (Captive portal) isn't ok. You will present these warnings to your guests , that's not good. You saw this https://forum.pfsense.org/index.php?topic=63791.0 - it will explain you how to get a REAL 'good' certificate for your Captive portal. If you're using https on captive portal, you do NOT want to use a self-signed certificate, but a real one. I'm using https login on my Captive portal for years now. Works great, and I use a certificate offered by StartSSL, costs 0 $ and just works (have to make a new one every year)

Well …. I guess you have your reasons to do so. /etc/inc/voucher.inc - look for "function voucher_write_used_db($roll, $vdb) {" and disable what it is doing ....

http://www.dmasoftlab.com/cont/home PS: Google is your friend.

@ssphoenix: The PFsense is providing the dhcp requests on the circuit routing all users through the 10.0.180.10 gateway (wan side). Eeeeeeeeeh?  :o :o :o

So I found that if you use allowed hostname instead of allowed IP, you can specify a direction for the exception. You can only do one host at a time, but I think that is OK for my purposes. Doing some further testing, then going to put it into production. Thanks all for your answers. I'll reply back if it doesn't work as expected.

There is no pfSense-API. There is the PHP script that you already use ….. so .... ;)

WAY too much emphasis in the pfSense world at getting one "box" (node) doing everything. 1 from for that. additional GRE tunnel over ipsec, that way you get an interface what should work. L2TP/IPSec would be the way to realize this. Internet –- pfSense(Voucher-CaPo) =====IPSec-Tunnel===== RemoteFirewall(nonPfSense) --- Guests 10.0.220.0/24 One Question from me onto this, why not both sides are using then a pfSense firewall with Captive Portal? A small PC Engines APU is really able to hold this pfSense based Captive Portal for many users.

Thank you Derelict, so simple, yet exactly what I was looking for. Works like a charm.

One user or multiple users.  There is no "limit a voucher to n users" other than n=1 or n=as-many-as-use-the-code. And even then it's a portal-specific setting, not a voucher-specific setting.  pfSense won't do what you want.

And many SMS and payment gateways must have been integrated too ? There is no payment gateway! We were talking about the following, "sending vouchers as SMS" to the clients, and nothing else. So, can I get the links, so I can simply see how its done and replace it with my API. The solution shown under this link is written in PHP and I really don´t know what you can do with it rewriting or what ever. The only thing is that many peoples inside of an german administrator forum are using this together with pfSense to send the vouchers as a SMS to the clients! Not more and not less. And I started the download, its an iso file of 108MB. ??? Hm, I really have downloaded it twice and it is only 1 Megabyte (MB) size! Voucher Generator So, it needs to be installed on a windows PC or Linux PC and the system needs to be always on to serve the hotspot ? Description The Software manages Voucher for the pfSense Captive Portal in a MySQL-Database

@NickM: Hi guys, Is there a way to make the vouchers expire automatically after a period i select instead of after the minutes assigned are used? Building up user groups and then set the lease time for each user group likes, Group 1 = 30 minutes Group 2 = 1 hour and so on so you can easily control the lease time of the vouchers.

@sunnynanade, the key is the "Amount of Bandwidth" section. Used reply-item attribute: count-attribute = WISPr-Bandwidth-Max-Down     count-attribute = WISPr-Bandwidth-Max-Up you need to set these attributes in the radius server for each user, and make the radius server reply different values for different users, I am not familiar with FreeRADIUS, but I think it is able to do this.

Do you mean DD-WRT is not stable/reliable? Or the Linksys EA2700? For sure DD-WRT & OpenWRT will be both stable and reliable and also routers from other vendors would be matching also fine! Buffalo, Netgear, TP-Link and some of them came with pre installed DD-WRT or OpenWRT firmware so you must not flash it alone. is still a home setup. There are also switches out there that can be done all things for less money, but but routing must be done then at the pfSense it selfs. Netgear GS105Ev2 Netgear GS108Ev2 Netgear GS108Tv3 TP-Link TL-SG105E Buy two of them and then replace the both you own, the TP-Link ones are able to get for cheap as ~25 € each and are capable of VLANs. Replacing my switched for managed switches will cost around 200 euro at least? One Cisco SG300-10 for ~180 € and one TP-Link TL-SG105E on top for ~25 € will do the job and routes the entire LAN by it selfs! I'm planning on buying a new wifi router/ap as well… Get a cheap used one with GB LAN Ports and if ac is not really urgent for you it will do the job also fine.

@Gertjan: @itchy: …. btw: your Log looks much sorted and cleand than my do. My formatting is total "ugly".  >:( Use the GUI to see them ;D To show them on the forum, use the # BB-code.

@GERTJAN, Thank you for the reply. I guess ill just have to configure something that wont make my access points act as routers… hmmmn another sleepless nights...

@doktornotor: @amiyou: So there is no way to create an offline captive portal? The only way to create "offline" CP (whatever that means) it to make your DNS server resolve everything to some bogus IP. https://doc.pfsense.org/index.php/Creating_a_DNS_Black_Hole_for_Captive_Portal_Clients#Create_the_configuration_file (If you want to run this on pfSense, do NOT follow the rest of the howto, use the Bind package and GUI instead.) Thanks. I will try the black hole. What will happen when the clients authenticate through the captive portal? My problem is that the internet is not stable with LTE, but the captive portal redirection to a landing page should still work, although the internet is not available.

@tommyverburgh: I wonder if it's possible to reinstall the captive portal service, maybe there's something wrong with the installation. I'm using the latest version on a brand new device made for pfsense. Sure. Reinstall latest pfSense update.

If RADIUS isn't your thing, then another possible route you could take would be to install a proxy on your pfSense and bind that to your AD domain. This would then require your users to authenticate through the proxy with their Windows credentials before accessing the internet. There are plenty of links showing how this is done. Here are a few: https://vicryhc.wordpress.com/2013/07/08/how-to-setting-squid-on-pfsense-with-authentiaction-ldap-windows/ https://forum.pfsense.org/index.php?topic=58700.0 http://blog.cadena-it.com/linux-tips-how-to/how-to-setting-squid-on-pfsense-with-authentiaction-ldap-windows/ There are many more to be found via Google, of course. You can assign group policies to AD groups via a Squid/Dansguardian combination (the way I've done it). Members of that AD group can then be assigned specific access or non-access through rules you can set up in Dansguardian. Again, you'll find quite a few examples of this on the internet already if you fire up Google.