Fixed: I had multiple routes behind a VPC and behind an elastic IP.  the Elastic IP handled incoming, but the outgoing went through an invisible nat outbound. The server would answer on the EIP, but the response was sent through a different public IP, AWS doesn't allow hard binding to the public IP< so that was out of the question.  I remove the ECS away from the VPC and assigned the EIP to itself, and gave it another interface for database access. Problem resolved.

@chris4916: 1 - Providing your WAN IP (furthermore this IP being in the RFC1918 range, meaning not being your real external IP) is useless and not required Very true. But be aware for that a new kind of user that exists: the one that checks Block private networks When set, this option blocks traffic from IP addresses that are reserved for private networks as per RFC 1918 (10/8, 172.16/12, 192.168/16) as well as loopback addresses (127/8).  You should generally leave this option turned on, unless your WAN network lies in such a private address space, too. and uses a IP WAN like 192.a.b.c (or 10.a.b.c) as WAN  ;D

CP + proxy -> completely broken. Plus, completely off-topic in this thread.

I removed the three installed packages ( freeradius2 , syslog-ng and vHosts ) and the error is gone. Then I installed the packages one at a time and restarted pfSense, after I installed the package vHosts (v. 0.7.5) the error reappeared. pfSense has detected a crash report or programming bug. Click here for more information. ... Crash report details: PHP Errors: [24-Apr-2015 16:21:22 Europe/Rome] PHP Strict Standards:  Non-static method PEAR::isError() should not be called statically in /etc/inc/captiveportal.inc on line 2216 [24-Apr-2015 16:21:28 Europe/Rome] PHP Strict Standards:  Non-static method PEAR::isError() should not be called statically in /etc/inc/captiveportal.inc on line 2229 Follow the lines of code in the file captiveportal.inc ( from 2216 to 2236 ) where the error occurs 2216    if (PEAR::isError($racct->start())) { $retvalue['acct_val'] = 1; $retvalue['error'] = $racct->getMessage(); // If we encounter an error immediately stop this function and go back $racct->close(); return $retvalue;         }         // Send request         $result = $racct->send();         // Evaluation of the response         // 5 -> Accounting-Response         // See RFC2866 for this. 2229 if (PEAR::isError($result)) {     $retvalue['acct_val'] = 1;     $retvalue['error'] = $result->getMessage();         } else if ($result === true) {     $retvalue['acct_val'] = 5 ;         } else {     $retvalue['acct_val'] = 1 ;       } I think the package VHosts ver. 0.7.5 must be updated to work with the new version of PHP 5.5.23

Writing a small PHP file that parses a CSV file, and imports it in local user manager. The CSV is the exported user list from your AD. Syncing password might be the only issue where one has to think.

I'm not sure this is the only way  although it does work. I don't really understand what the initial problem is neither what additional authentication will bring but if this is what you want to deploy, why not looking at reverse proxy  ??? I don't know what pfSense reverse proxy package provides (in term of feature) but the is a lot of reverse proxy implementations (Nginx, HAproxy Vulture) that may solve your problem, kind of  ;) Reverse proxy will prompt user for authentication. Most of then will allow you to select among various kind of authentication mechanisms and some will also add capability to create tunnelling and encryption  8) What I really mean here is that captive portal wording is meaningless here (to me) as there is nothing captive. User may decide to access or not your interface.

Create temporary a user+password using the Local User Manager (or use the admin account). Use the default html login page, where you can both enter a user+password or voucher code (both work at the same time). Login should work right away. A first attempt that doesn't work, and a second attempt that does work means that the voucher code is ok. There might be some 'html' or posting error. Mention what YOU changed from default … settings, etc. edit: You are aware that the current pfSEnse is 2.2.2 ? Using 2.1.4 means you are dealing with known bugs, and is normally reserved for experts who know how to deal with these.

Put rules blocking anything you don't want them to access before the pass rules on the interface captive portal is on.  This has nothing to do with the portal, but with your basic firewall rules.

Yes your DNS was wrong. Use pfSense as DNS server for your clients. For your current problem check your firewall logs.

Just this moment I tried to verify this with windows 8 and it works very well: As soon as i got connected to the pfsense-network, a Browser opens automatically with the Captive Portal site.

Strange ….. Looking at this forum : pfSense Forum » pfSense English Support » Captive Portal (that is the forum where you posted !) there is a post named PFsense 2.1 MultiCP and https with Windows Radius Guide  There is also this : https://doc.pfsense.org/index.php/FreeRADIUS_2.x_package#Using_the_FreeRADIUS_2_Package:_Basics Even more : https://doc.pfsense.org/index.php/Using_Captive_Portal_with_FreeRADIUS More then enough to get you started. And when you install Google first, you even find more : Google : pfsense radius

The issue has been solved https://github.com/pfsense/pfsense/commit/ea6cbc390bba86336bf5a173922b20f0b3416c89

I don't know why but this doesn't seems to work for me. I don't see any answer from the CP (tcpdump on the network interface with port 8003 only shows clients requesting the vip).

Added to that: A Portal should be on its own interface. So, its has its own firewall - which should enable Internet access, and forbid any access the private lans or any  other interfaces.

Hi, i am seeking for the same solution too, can you find any solution for this? thanks serhan

Have you set your pfSense to act as DNS proxy/forwarder and are your clients using the pfSense's LAN address as their primary DNS? Unless your clients can resolve external addresses you won't be redirected to the CP landing page.

Hi, do you have any experience about reaching the captive portal through ipsec vpn? local - cyberoam –-----ipsec vpn----------------pfsense in cloud when an unauthenticated user wants to go to the internet, we want to pfsense's captive portal comes to this user, is it possible, how can i do this? i wrote a policy in cyberoam, which asked pfsense's radius the users credentials, in cyberoam's captive portal, which asked the credentials to the pfsense, the user can logon correctly, and internet opened, and than,  i tried to redirect pfsense's ghost's url instead of cyberoam's captive portal, but the user can not be authenticated with this way, the mechanism is not the same. i need a solution to popup the pfsense's captive portal in front of the unauthenticated users through ipsec vpn. Thanks serhan

There are 6 separate APs, spread around the two buildings.  I would not expect to see more than 20 or so users per unit (I have logged into them when busy).  I am generally not onsite when it's busy which is difficult.  2 APs are on one interface and 4 on the other. I am not fixated on the CP max users as such, I was just wondering what happens when several people try to connect at once, and the max is reached.  I understand it's not the amount of users that can pass through, just the amount that view the login screen, but at times, looking at the logs, several people do login in quick succession. iPhones recently do not seem to throw up the captive portal login when you connect the AP any longer.  They used to.  I wonder if this could be causing users problems, as they assume they are connected when they're not?  Many these days don't even open browsers, it's straight to FB, email, twit etc. Need to find some time to update to the latest version I guess, but will see how things go now squid is disabled. Ubiquiti AP's are supposed to be very good in terms of number of users?  I have used a few of them poreviously, and thinking of replacing with these.  They also allow roaming between APs, although I think this is software based, and not too sure how it works.  Need to have a closer look. Thanks.

Same problem on 2.2.2. Empty radacct table

@teekaypapa: i am using LAN for the Portal Good luck  ::) (P.S. DNS servers must be allowed through the CP or nothing works.)