@duke: …. Any idea to fix this bug? Anyone can contact the maintainer of this package to report the problem? You can do so  ;) If … one still exists.

Where "disable concurrent logins" is checked and you're using vouchers, you'll see something like this in your portal auth log when connecting a second machine. Jun 8 21:25:08 logportalauth[72742]: Zone: zone1 - CONCURRENT LOGIN - TERMINATING OLD SESSION: BvCaK7yXvRa3, 00:50:56:a7:5a:58, 192.168.155.101 Jun 8 21:25:08 logportalauth[72742]: Zone: zone1 - Voucher login good for 5 min.: BvCaK7yXvRa3, 00:0c:29:cc:8c:a3, 192.168.155.102 That removes the original session and adds a new one for the new MAC. It works, I just ran through testing of it again on 2.2.2.

Thanks, I had figured that out earlier.  Seemed to fix that.  Merci!

I think that's only if Concurrent user logins is disabled. Regarding the voucher length, getting down to 4 or 5 characters is going to be hard.  The smallest I could manage was this: 31-bit RSA key Character set: 2345678abcdefhijkmnpqrstuvwxyz # of Roll Bits: 12 # of Ticket Bits: 12 # of Checksum Bits: 8 That yields 7-8 characters.  You can get fewer characters by adding capital letters to the character set, but that really doesn't make it any easier for users to enter on their phones. No, you won't clobber the default page.  It's included in the captiveportal.inc php page. As far as going back to defaults you have to upload a 0-length file.  On unix you could: cp /dev/null captive_portal_reset.html Then upload that as the page content file.

@rossmat: ….. Regarding the portal index.php code, it should be the first one. Regarding the authentification method setting in WebGui, it should be the second one (option "Local User Manager / Vouchers", local auth method). I guess you're right. Keep in mind that it will be valid if you are using the default login page (which gives the user the possibility to enter a user+password, or voucher code). Adapt this login page (throw out the voucher-part) and voucher are useless even if they exists and activated: no one could enter a voucher code.

Thanks for tracking that down further. Check "ipfw zone list" to find your zone number. Mine's 2. Then check all the table contents with "ipfw -x 2 table all list". I have pfsense.org in as an allowed hostname, and correctly get: ipfw -x 2 table all list ---table(0)--- 0.0.0.0/0 49 ---table(3)--- 208.123.73.69/32 2090 ---table(4)--- 208.123.73.69/32 2091 But it's not there after a reboot. Edit and save one of the allowed hostnames and it populates them correctly. https://redmine.pfsense.org/issues/4746 Should work now if you just edit and save one of the entries after booting up. That works for me with one or multiple hostnames.

Hi, Same reply as here : https://forum.pfsense.org/index.php?topic=94711.0

@muneebkalathil: Hi , I want to create a 2 way authentication for the captive portal. I prefer Sms Authentication. Any one can help me ?? … please :( Or Is there any other way similar to this ?. Thank You This means some serious coding is needed. Ask your question here https://forum.pfsense.org/index.php?board=34.0 and start talking about € or $. No one can help you to learn this doing it yourself. Learning is an individual thing.

I think the last suggestion would probably work. I'll look into setting it up that way. Thanks.

In my experience, with 8GB RAM, some number of thousands or 10s of thousands.  Enough to worry about your subnet sizes and DHCP leases more than the number of portal users.

I'm running PFsense on a pfsense built device, not sure, possibly I can install mysl or something … this has to be robust as it's going to the south pole.

We had exact the same problem. Restoring an older (working) backup configuration doesn't fix the problem, a factory reset doesn't fix the problem, a fresh install and everything is working again. Really strange…

I have and idea but you need one additional equipment. Your exiting environment WAN/Internet                                                 |                             Pfsense with captive portal                                           |        |                                       LAN1    LAN2                                         |              |                             Client LAN1    Client LAN2 I propose for you solution add L2/L3 Switch or addition Pfsense server for (Inter-LAN Communication) New enviroment WAN/Internet                                                 |                             Pfsense with captive portal                                                 |                                                 |                             L2/L3 Switch with Routing/ACL (Inter-LAN Comm)                                         |              |                                       LAN1    LAN2                                         |              |                             Client LAN1    Client LAN2 Hope this help.

Perfect.  Thanks. I'm already using a custom portal_reply_page() and index.php.  Ought to be a piece of cake.

I would suggest showing us these rules and captive portal settings..  Because to be honest this is really click and it works. I enabled a captive portal on my dmz interface, just accepted defaults and get this page when try to google - click continue and there is google. Running 2.2.2-RELEASE (amd64) built on Mon Apr 13 20:10:22 CDT 2015 FreeBSD 10.1-RELEASE-p9 Without some info to work with it is impossible to even guess where your problem is.  And that is with my dmz rules being pretty much locked down..  Not your typical any any rule say on your lan. [image: cp.png] [image: cp.png_thumb] [image: onlythingtouchedcp.png] [image: onlythingtouchedcp.png_thumb] [image: dmzrulescp.png] [image: dmzrulescp.png_thumb] [image: cpstatus.png] [image: cpstatus.png_thumb]

I was planning to implement similar functionality, but decided for a different approach in the end. What I can say from my tests: you can create an "intermediate" PHP file that receives the form input, proccesses it in the may you want (send to syslog, send to database, etc.), and then calls the actual CP login page, passing the necessary fileds for a login (user/password, voucher code, etc.). AFAIK, the PHP MySQL module on pfSense is disabled by default, but can be enabled via some shell commands. I was planning to send the data to a syslog-ng instance installed on the pfSense machine, which would have spared me the hassle of setting up a database, connecting to it, etc. .

@Gertjan: The current version of pfSEnse (2.2.2) using its Squid package Squid doesn't work (when a captive portal is used). Many people - check out this forum for that - have signaled problems. Well, it's working fine for me. What I can see in the forums is some people having trouble with CP, but that seems to be because they didn't configure it correctly, or have other config problems. My guess is that this is where OP's problem is coming from. comeback1106, I think you're trying to solve the "users can access internet without being logged on" problem from your other thread, right? Maybe you should review/redo your confguration, using one of the many How-To's as a guide. Try to setup CP without Squid first, then test, then add Squid, and test again. This will probably give you more useful data than asking for a logging function that probably won't reveal anything useful anyway. @Gertjan: elaborate please. Without password etc, that what it does, you can't pass by it. Logged in users can bypass. Or do you mean that when you use Squid you can't bypass, whatever you do ? Something else ? CP with Squid works fine for me. I was assuming that doktornotor meant "can be bypassed" by "doesn't work", but reading his message again, this was a misinterpretation.

@chowtamah: …. if I run this code it gives error; Failed setsockopt. Somewhere, deep down in /etc/inc/captiveportal.inc, the global variable "$cpzoneid" needs to have a valid value - related and like "$cpzone". This part is handling that one: // also surface the global $cpzoneid $cpzoneid = $captiveportalzone['zoneid'];

I'm sure there are packages available for apache, maybe nginx.  You can probably use the lighttpd that runs the webgui and captive portal interfaces. I've never done it.  I only described how I would do it. I mistakenly implied the server has to be local. It doesn't have to be.  All that has to happen is all port 80 requests get redirected and there's no captive portal or anything blocking their access to the target site.  Maintaining one external web server for all the sites probably makes sense.  My post forwarded to localhost but that's just what I chose as an example. You can NAT the destination address to your deadbeat page (happens on LAN in) then outbound NAT can translate the source address (happens on WAN out).  All you would lose is the ability to see what source address hit your web server but who really cares.  You're just trying to make them call you, pay you, and get you to turn it back on.