• Pfsense 2.1.x Captive Portal counters working?

    2
    0 Votes
    2 Posts
    818 Views
    N
    Count me in for the same problem: upgraded to most recent stable and installed freeradius pkg and it counts wayyyy too fast -Rich H.
  • PfSense Startup Page

    1
    0 Votes
    1 Posts
    744 Views
    No one has replied
  • Captive Portal for single subnet only

    6
    0 Votes
    6 Posts
    2k Views
    D
    This function I've placed in what I think you are recommending - however are these rule numbers the order they are performed in or basically arbitrary?

    ….... 
        $cprules = "add 65291 allow pfsync from any to any\n";
        $cprules .= "add 65292 allow carp from any to any\n";

        $cprules .= <<<EOD
        # layer 2: pass ARP
        add 65301 pass layer2 mac-type arp,rarp
        # pfsense requires for WPA
        add 65302 pass layer2 mac-type 0x888e,0x88c7
        # PPP Over Ethernet Session Stage/Discovery Stage
        add 65303 pass layer2 mac-type 0x8863,0x8864
        # layer 2: block anything else non-IP(v4/v6)
        add 65307 deny layer2 not mac-type ip,ipv6

        EOD;

        $rulenum = 65310;
        $ipcount = 0;
        $ips = "";
        foreach ($cpips as $cpip) {
            if($ipcount == 0) {
                $ips = "{$cpip} ";
            } else {
                $ips .= "or {$cpip} ";
            }
            $ipcount++;
        }
        $ips = "{ 255.255.255.255 or {$ips} }";
        $cprules .= "add {$rulenum} pass ip from any to {$ips} in\n";
        $rulenum++;
        $cprules .= "add {$rulenum} pass ip from {$ips} to any out\n";
        $rulenum++;
        $cprules .= "add {$rulenum} pass icmp from {$ips} to any out icmptype 0\n";
        $rulenum++;
        $cprules .= "add {$rulenum} pass icmp from any to {$ips} in icmptype 8 \n";
        $rulenum++;
        /* Allowed ips */
        $cprules .= "add {$rulenum} pipe tablearg ip from table(3) to any in\n";
        $rulenum++;
        $cprules .= "add {$rulenum} pipe tablearg ip from any to table(4) in\n";
        $rulenum++;
        $cprules .= "add {$rulenum} pipe tablearg ip from table(3) to any out\n";
        $rulenum++;
        $cprules .= "add {$rulenum} pipe tablearg ip from any to table(4) out\n";
        $rulenum++;
        /* Authenticated users rules. */
        $cprules .= "add {$rulenum} pipe tablearg ip from table(1) to any in\n";
        $rulenum++;
        $cprules .= "add {$rulenum} pipe tablearg ip from any to table(2) out\n";
        $rulenum++;

        $listenporthttp = $config['captiveportal'][$cpzone]['listenporthttp'] ?
            $config['captiveportal'][$cpzone]['listenporthttp'] :
            $config['captiveportal'][$cpzone]['zoneid'];

        if (isset($config['captiveportal'][$cpzone]['httpslogin'])) {
            $listenporthttps = $listenporthttp + 1;
            $cprules .= "add 65531 fwd 127.0.0.1,{$listenporthttps} tcp from any to any dst-port 443 in\n";
        }

        $cprules .= <<<EOD
        # pass traffic not destined for protected subnet 1
        add 65532 pass all from any to not 192.168.1.0/24 in
        # redirect non-authenticated clients to captive portal
        add 65533 fwd 127.0.0.1,{$listenporthttp} tcp from any to any dst-port 80 in
        # let the responses from the captive portal web server back out
        add 65534 pass tcp from any to any out
        # block everything else
        add 65535 deny all from any to any

        EOD;

        /* generate passthru mac database */
        $cprules .= captiveportal_passthrumac_configure(true);
        $cprules .= "\n";

        /* allowed ipfw rules to make allowed ip work */
        $cprules .= captiveportal_allowedip_configure();

        /* allowed ipfw rules to make allowed hostnames work */
        $cprules .= captiveportal_allowedhostname_configure();

        /* load rules */
        $cprules = "flush\n{$cprules}";
        file_put_contents("{$g['tmp_path']}/ipfw_{$cpzone}.cp.rules", $cprules);
        mwexec("/sbin/ipfw -x {$cpzone} -q {$g['tmp_path']}/ipfw_{$cpzone}.cp.rules", true);
        //@unlink("{$g['tmp_path']}/ipfw_{$cpzone}.cp.rules");
        unset($cprules, $tmprules);

        if ($reinit == false)
            unlock($captiveportallck);
    }

    I'm thinking that this isn't going to pick up if I have multiple protected subnets - not a huge problem but would be nice to know / get the syntax for this correct to start with.

        # pass traffic not destined for protected subnet 1
        add 65532 pass all from any to not 192.168.1.0/24 in
        # pass traffic not destined for protected subnet 2
        add 65533 pass all from any to not 10.0.0.0/24 in

    Sorry only saw this today - must have missed the notification! Will try it tomorrow (Australia time)
  • External website and pre authentication

    2
    0 Votes
    2 Posts
    3k Views
    W
    mdmogreen solved this very problem and it worked perfectly for me.

    @mdmogren: I came up with this to use an external splash page:

    Make sure to add the host where you're going to host your page to Allowed Hostnames.

    Use this code to redirect and pass the variables (I only passed a few here that I needed, you can add more using the same method). The only downside is that if a user has JavaScript disabled in their browser they will have to click a button to load the page…

    Make sure you replace "http://www.myserver.com/splashpage.php" with the URL you want to redirect to.

    <form action="http://www.myserver.com/splashpage.php" method="post" id="redirectform"> Javascript is disabled, click to </form>

    You'll then be able to pull on the variables from $_POST on your new page. Example code for your external page:

    Source: https://forum.pfsense.org/index.php?topic=46015.0
  • CP to block only ports 80 and 443

    1
    0 Votes
    1 Posts
    472 Views
    No one has replied
  • Bug: CP accepts user with Maximum usage exceeded

    2
    0 Votes
    2 Posts
    748 Views
    A
    Hi, I have a similar problem. I'm using captive portal with an external radius server. The radius is running ZeroShell. I was previously using only ZS on this particular installation but now I have the need to incorporate pfSense. The two machines are talking to each other without a hassle. Problem is that when I use ZS captive portal it will deny access to a user with no credit, but when pfSense is the captive portal there is no denial of service; the ZS user account runs well into the negative. I've tried data limits, time limits and cost limits; none of them seem to make a difference to pfSense. I'm using the default login page. Could it be the way that pfsense authenticates, in that it submits credentials and only queries if they are correct? I have interim updates on, re-authenticate every minute, and use radius session timeout. None of this is making a difference to the access of "unusable" accounts. Perhaps I should replace the pfsense login page with the ZS one? The form submission is very different. Help with this will be greatly appreciated.
  • Captive Portal Password-only Authentication Loop

    17
    0 Votes
    17 Posts
    5k Views
    T
    Those pushing for a higher timeout know they're talking about absolutely zero internet traffic for 16 hours right?  It means the device is either powered off or is off the property.  All it takes is one internet packet to reset the 16-hour timer. Oh, I see how I was not clear enough. I meant the management. That setting should allow the VAST majority of multi-day guests to only have to navigate the portal once during their stay.  And, worst case, they have to navigate it again. Yes, this was what I was aiming for. I see a lot less logins during the morning period. Everyone is satisfied.
  • How to use Pre-authentication URL

    1
    0 Votes
    1 Posts
    795 Views
    No one has replied
  • Captive Portal Not Redirecting Under Certain Circumstances

    4
    0 Votes
    4 Posts
    945 Views
    DerelictD
    Your only other option is redirecting https to the portal and generating a certificate error on the client.  If their default home page is their bank, and they do the wrong thing and save the cert you present permanently, you can now MITM their bank.  No bueno.
  • Captive Portal Across Multiple Interfaces Workaround

    5
    0 Votes
    5 Posts
    2k Views
    T
    I have built the computer and I am now running pfSense with the above setup and one interface for LAN and the other for WAN. The remaining NIC will not be supported until pfSense 2.2 comes around. I do have a bit of an issue with DHCP leases/timeouts and Captive Portal timeouts , but it's somewhat fixed: https://forum.pfsense.org/index.php?topic=80255.0.
  • [2.1.4] Vouchers not working

    2
    0 Votes
    2 Posts
    849 Views
    DerelictD
    Are you sure that roll was generated and nothing has changed with the captive portal since? If you generate a new roll do those vouchers work?
  • Allow only one website after authentication page…..

    3
    0 Votes
    3 Posts
    998 Views
    P
    Thanks for the reply
  • Customize Captive Portal Page using php

    2
    0 Votes
    2 Posts
    1k Views
    GertjanG
    @buntha: …. how to Customize Captive Portal Page using php Fatal error: Call to undefined function mysql_connect() in /var/etc/captiveportal_nbc.html on line 6

    Customize the PHP server first :) pfSense does NOT contain a PHP setup with mysql functions activated - because its PHP doesn't need mysql (nor mssql) functions. So, the function mysql_connect() is flagged as absent. Use the search function on this forum, use intelligent keywords like "mysql_connect" and you will find messages on this forum that explain how to activate the mysql functions.
  • Captive portal network

    2
    0 Votes
    2 Posts
    725 Views
    GertjanG
    Hi. Use a NIC (OPT2) with a portal access for your 'guests'. Put an AP in your LAN with WPA2 activated. Your employee uses this AP to connect to your LAN, no pfsense needed for that. And: he will be in the same subnet, so sharing resources (Windows PCs, others) works straight away. Or, share the same captive portal, bind the MAC of the PC of your employee to a reserved IP, and use firewall rules so that he can access local resources. Btw: your portal interface is running on your LAN? OPT1? Be careful: if your portal interface is on your LAN (bad idea) and your Office network is also on the LAN, then 'guests' can easily access office network resources, because traffic doesn't flow through the pfsense firewall. They do not need to be connected to the portal Interface to access the local network segment.
  • [SOLVED]Links to facebook, twitter etc.

    3
    0 Votes
    3 Posts
    1k Views
    G
    @GruensFroeschli: For such a setup you need to add these domains to the whitelist of the CP. –> "Allowed Hostnames" Thank you. Issue has been resolved.
  • Captive Portal by IP address

    9
    0 Votes
    9 Posts
    2k Views
    J
    Not missing the point, it's just that setting traffic quotas is rarely called for. As an alternative, you could flash a suitable wifi router with Gargoyle firmware, it has this feature built in. Much simpler than trying to set up Radius for domestic use.
  • Idevices makes the 1st letter capital solution [vouchers]

    4
    0 Votes
    4 Posts
    1k Views
    jimpJ
    Adapted from http://davidwalsh.name/disable-autocorrect
  • Occasional no login page

    4
    0 Votes
    4 Posts
    915 Views
    S
    Same problem only when wan connection failed
  • Maintaining access points in captive portal

    3
    0 Votes
    3 Posts
    913 Views
    J
    I have it working. Thanks!
  • Captive portal won't start Address already in use

    2
    0 Votes
    2 Posts
    1k Views
    T
    Ok, I think I solved it by simply disabling all captive portals, restarting and enabling them one by one so that the ports wouldn't overlap as they restarted. I also got a feeling that the problem itself could have been an issue where the non-encrypted site took the port and that it kept it while I enabled https so that when using https the port was already taken by the same captive portal site but the non-encrypted version so to speak. Anyway, I noticed another problem that I seem to have in this version and that is that every time I reboot the firewall I have to re-add the .html sites for the captive portals. The files get deleted on a reboot. Anyway that's another problem for another day.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.