Thanks for both replies, that was what I was looking for (I know, next time look harder - lol).

Thank you very much for your suggestions. I'm going to take a close look onto your ideas. But first I have to give you my recent observation: As you can see in my logs, I logged every time onto the Pfsense-Server. I logged by klicking on the CP-Login-Page 192.168.123.1:8000 (using a SSH-tunnel to the Server). It resulted in a login in the auth.log. As you see, I was thrown out within 60 Sec. This was also mentioned in the log. Today I used the local computers. Result: Oct 28 08:00:02 pfsense logportalauth[723]: LOGIN: gd, 02:0f:b5:c8:2f:1f, 192.168.123.106 Oct 28 08:32:01 pfsense logportalauth[55266]: TIMEOUT: gd, 02:0f:b5:c8:2f:1f, 192.168.123.106 Oct 28 08:54:31 pfsense logportalauth[723]: Voucher login good for 269240 min.: xyxyxy, 84:a6:c8:38:26:ba, 192.168.123.147 Oct 28 10:08:49 pfsense logportalauth[68280]: xyxyxy invalid: TYPO illegal character (U) found in 4U2RG8 !! Oct 28 10:08:49 pfsense logportalauth[68280]: FAILURE: xyxyxy, 5c:8d:4e:3b:c3:9d, 192.168.123.173 Oct 28 10:09:18 pfsense logportalauth[68280]: Voucher login good for 269165 min.: xyxyxy, 5c:8d:4e:3b:c3:9d, 192.168.123.173 Oct 28 10:20:36 pfsense logportalauth[7555]: Reconfiguring captive portal(Seminar). Oct 28 10:21:37 pfsense logportalauth[91985]: TIMEOUT: xyxyxy, 84:a6:c8:38:26:ba, 192.168.123.147 Oct 28 10:54:43 pfsense logportalauth[81922]: TIMEOUT: xyxyxy, 5c:8d:4e:3b:c3:9d, 192.168.123.173 Oct 28 11:19:44 pfsense logportalauth[23891]: Voucher login good for 269094 min.: xyxyxy, 84:a6:c8:38:26:ba, 192.168.123.147 Oct 28 11:19:59 pfsense logportalauth[23891]: CONCURRENT LOGIN - REUSING OLD SESSION: xyxyxy, 84:a6:c8:38:26:ba, 192.168.123.147 Oct 28 11:19:59 pfsense logportalauth[23891]: Voucher login good for 269094 min.: xyxyxy, 84:a6:c8:38:26:ba, 192.168.123.147 Oct 28 12:04:56 pfsense logportalauth[80944]: TIMEOUT: xyxyxy, 84:a6:c8:38:26:ba, 192.168.123.147 Oct 28 12:37:36 pfsense logportalauth[97699]: Voucher login good for 269017 min.: xyxyxy, 84:a6:c8:38:26:ba, 192.168.123.147 Oct 28 13:23:11 pfsense logportalauth[43792]: TIMEOUT: xyxyxy, 84:a6:c8:38:26:ba, 192.168.123.147 Oct 28 13:28:47 pfsense logportalauth[43520]: Reconfiguring captive portal(Seminar). Oct 28 14:12:04 pfsense logportalauth[43039]: Voucher login good for 268922 min.: xyxyxy, 84:a6:c8:38:26:ba, 192.168.123.147 Oct 28 14:13:46 pfsense logportalauth[43039]: Voucher login good for 268920 min.: xyxyxy, 5c:8d:4e:3b:c3:9d, 192.168.123.173 Oct 28 15:05:51 pfsense logportalauth[43039]: DISCONNECT: xyxyxy, 84:a6:c8:38:26:ba, 192.168.123.147 Oct 28 15:34:11 pfsense logportalauth[27574]: TIMEOUT: xyxyxy, 5c:8d:4e:3b:c3:9d, 192.168.123.173 Oct 28 15:34:44 pfsense logportalauth[43301]: LOGIN: gd, f0:de:f1:be:6f:f1, 192.168.123.108 Oct 28 16:24:20 pfsense logportalauth[44795]: TIMEOUT: gd, f0:de:f1:be:6f:f1, 192.168.123.108 Unbelievable, isn't it? It seems to work! Everywhere - except on the Pf-machine! Well, I searched the responsible inc-File to learn, why it is so. But this is goint to take longer. In the moment I'm just happy, that it works (and possibly worked before). Michael

I want a voucher to be used by only one user and no one else. Is it Possible? Rogério Campinas, São Paulo, Brazil.

on my part. I'm using a 6 to 7 length in voucher using my mac terminal 1. openssl genrsa 31 > key.private 2. openssl rsa -pubout < key.private >key.public 3. cat key.private 3.1 copy the keys 4. cat key.public 4.1 copy the keys hope it helps,

He is probably using my software using his NAS as webspace and had difficulties finding the user frontend to request a code via SMS (which was my fault, I forgot to include it in the latest revision). I just realized that I answered his (quite more specific) question on administrator.de (or the same question from a user with the same username  ;) ).

hi again Derelict, thank you for the reply.. i already tried reverting the landing page to the default page.. however, it still producing the same error.. i already tried adding the privileges for the user, which is enable the captive portal login,but it still doesnt work..

The service status there is only for the web server process that serves the portal page. So the question is what's happening to the lighttpd instance that runs CP. There should be something about lighttpd in one of the logs (probably system) somewhere. It wouldn't be a captive portal related log.

thank you very much, i still need to modified my html page.. haha, and thanks for the link, i will check it out later ;)

Hi, I'm using the same version: 2.1.5-RELEASE (i386) Right now, I count 7 iDevices on my portal network. I asked, a,nd found 6 IOS 8 devices. Btw: using one myself right now. The only difference with my setup and yours: I do not use radius neither "squid3 as a transparent proxy and squidguard to filter urls". Be carefull with "extensions" they can make things better, or break it altogether.

@simply: What table are the user accounts supposed to be stored in ? My greatest desire to store all user info on the DB. Thanks for the reply. DB? Table? Yes, LDAP can use databases. It's up to you to configure a database backend for your LDAP Server! I use the OpenLDAP build in database, no fancy backends. Here are some relevant LDIF Files: dn: ou=users,dc=bewoelkt,dc=lan ou: users objectClass: top objectClass: organizationalUnit structuralObjectClass: organizationalUnit dn: ou=groups,dc=bewoelkt,dc=lan ou: groups objectClass: top objectClass: organizationalUnit structuralObjectClass: organizationalUnit dn: uid=jho,ou=users,dc=bewoelkt,dc=lan objectClass: top objectClass: radiusprofile objectClass: inetOrgPerson cn: jho sn: jho uid: jho description: Radius User Joerg Hochwald userPassword: PWhere radiusReplyItem: WISPr-Redirection-URL+='http://www.bewoelkt.net' radiusReplyItem: WISPr-Bandwidth-Max-Down+=1024 radiusReplyItem: WISPr-Bandwidth-Max-Up+=1024 radiusReplyItem: WISPr-Location-Name+="FFM01" radiusReplyItem: WISPr-Location-ID+="01" radiusReplyItem: WISPr-Max-Daily-Session+=3600 radiusReplyItem: Simultaneous-Use+="0" radiusReplyItem: Max-Daily-Session+='3600' radiusReplyItem: MHS-INT-Site+="Default" radiusReplyItem: myHotspot-Group+="Guest" radiusSessionTimeout: 7200 Just include the Radius Schema in /etc/ldap/slapd.conf: # Radius include include /etc/ldap/schema/radius.schema Now create a file (schema.conf below) with the following content: include /etc/ldap/schema/radius.schema And import the Schema to your LDAP Server: slaptest -f schema.conf -F testdir/ ldapadd -Y EXTERNAL -H ldapi:/// -f testdir/cn\=config/cn\=schema/cn\=\{0\}radius.ldif The Schema above works fine with pfSense. Just did some tests with 50k Users (imported via LDIF). There is only one problem: The RADIUS didn't return all radiusReplyItem configured in the example above. But I didn't find the time to dig into that issue. All relevant infos are parsed :) For mySQL: You will find a lot of good howtos via Google (Remember, this is your friend) ;-)

Not in the portal itself but probably in the firewall advanced rules for the rule that passes outbound sessions. In advanced options you have things like: Maximum state entries this rule can create Maximum number of unique source hosts Maximum number of established connections per host (TCP only) Maximum state entries per host No comment on whether this will enhance or degrade the user experience.

/var/etc

No.  The CP is a man in the middle.  HTTPS is designed to prevent the same.

I don;t have time to look at captiveportal.inc today.  Try it without vouchers.

Also if you are using a custom portal page try using $my_redirurl instead of $redirurl for redirection.

You probably need to make VLAN 10 a LAN on pfSense and put all the clients behind it.  To activate the captive portal requests to port 80 need to be sent to the pfSense interface.  This usually means it needs to be the default gateway of the clients. If you put the pfSense WAN on VLAN 1 and LAN on VLAN 10 and let pfSense handle all the DHCP for VLAN 10 it would get you there.  You should also be able to forward DHCP to another server if required. You'll also probably want to disable NAT in pfSense (switch to manual outbound and delete all the NAT rules.)

is there is any answer

@Gertjan: And, here it where it all starts: Look in this directory : /usr/local/captiveportal Even more important: Get yourself a decent editor like Notepad++ or even better: UltraEdit. A FTP client that supports SFTP. Activate SSH access to your pfsense box (if not already done). Most if not all files are pretty self documenting. pfsense itself (the GUI): /usr/local/www thanks! I'll be using vim-lite though.

@Derelict: Yes.  Users that don't need the captive portal on one interface, users that need to go through the portal on another interface with the portal enabled. Or you could put them all on one interface with passthrough MAC address entries for the NICs that don't need to go through the portal.  Two networks with different access policies is how I would go. Ok thank you very much for your sugesstion. I will try with with MAC address passthrough first, because it sound more fit-able to my network condition. If not work, i will try with the other solution 2 NIC.