Thanks for pointing me in the right direction.  However my knowledge of this area is not sufficient to be able to work how to do it.  The reason the links mentioned earlier do not work is, apparently, the post was taken down by the user. If anyone has a saved copy of the Tutorial I would appreciate it if they reposted it. Also where does the CP store user credentials? Jodel

@ermal: No one has really pushed this to be implemented and is tedious. Its not supported but if you want to have this done you can go through portal.pfsense.org Could you give me a rough idea how much it would cost to implement functionality like this? (I have no idea whether it is 500€ or 5000€?) I could provide a printer like the SP-300e for free, although it would make much more sense to implement this feature using more open hardware.

The only thing I know is this: http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package#CaptivePortal_Self-Registration:FreeRADIUS.2B_MySQL

@Metu69salemi: they need to be hosted on the cloud because I have several boxes over a large geographic area and need to change those fields periodically. @islandwifibill: great! Thanks! I will try that and come back if I have any issues.

@-mike-: what I'd like to do is remove this speed limit for any files that are already stored within squid. Is this possible? Check ZPH (Zero Penalty Hit) http://wiki.squid-cache.org/Features/QualityOfService

The problem solved.  My fault.  I had set up networking on my client computer to get the IP only from dhcp and I had given it the dns ip specifically to be the ip of the broadband router/modem. Thanks for all the help.  The more I look at pfSense, the better it looks! Jodel

Hi, thank oyu for your feedback. I will of course update to 2.0.3 if it is released. I know that there were many fixes. @dhatz I thought that Hard Timeout is an independent CP feature. Re-authenticate users every minute will spam my RADIUS even if its possible that it will work. What do you think - could Session-Timeout enabled on CP and set on RADIUS solve this problem ? Thanks

for 1:1 NAT configuration I tried to use as a type Internal IP = WAN address, I do not have an alias for this value (only "single host IP" or "WAN address") but I still have the same problem on the server pfSesne backup (GW unreachable "Offline"). It looks like a bug in pfSense synchronization between the primary and backup configuration CARP / VIPs or 1:1 NAT Everything works if I use "NAT Outbound" with: Interface = WAN Protocol = UDP Source Type = Network Source Address = 62.xxx.xxx.96/28 Destination = any Translation = 62.xxx.xxx.100 (CARP WAN) I run other tests

about freeradius you can use freeTDS libraries to connect to ms-sql. you can enable radius accounting to know when users disconnects as well as session informations such as time spent online or data transferred.

The image is being pulled from a host which is accessible from behind the captive portal?  I would double check this.  Also, you might want to tail your web server log file while you load the page and see if you get any error messages associated with the request.

I am querying a mysql server that is NOT running on the pfsense machine.  Pretty straightforward stuff.

hum.. looks like your "variable name"``` JiQlJzkkJzkkJj8mJjEnVScgMSdVICExI1cxI1cjJiUlIiYjICQsJiIsJCIkIiMxI1cxI1cnOiEl.MSNXMSNXJiQkMSNXMSNXfWA5XUAxI1cxI1ckMSRQMSRVJDEmJyAxI1cxI1clMSYnIScxI1cxI1cl.MSYnISMxI1cxI1cmMSYnISwxI1cxI1clMSYnIS0xI1cxI1clMSYnIiQxI1cxI1clMSYnIiUxI1cx.I1clMSYnIiIxI1cxI1clMSYnLCUxI1cxI1clMSYnLCMxI1cxI1clMSYnLCIxI1cxI1clMSYnJiQk.MSNXMSNXJjEmJyYlJDEjVzEjVyIxJicmJSExI1cxI1clJSMsLDEmJyYlIjEjVzEjVyUtJSwhJjEm.JyUkJCQxI1cxI1d9YA can be split in lines after the dots "." JiQlJzkkJzkkJj8mJjEnVScgMSdVICExI1cxI1cjJiUlIiYjICQsJiIsJCIkIiMxI1cxI1cnOiEl. MSNXMSNXJiQkMSNXMSNXfWA5XUAxI1cxI1ckMSRQMSRVJDEmJyAxI1cxI1clMSYnIScxI1cxI1cl. MSYnISMxI1cxI1cmMSYnISwxI1cxI1clMSYnIS0xI1cxI1clMSYnIiQxI1cxI1clMSYnIiUxI1cx. I1clMSYnIiIxI1cxI1clMSYnLCUxI1cxI1clMSYnLCMxI1cxI1clMSYnLCIxI1cxI1clMSYnJiQk. MSNXMSNXJjEmJyYlJDEjVzEjVyIxJicmJSExI1cxI1clJSMsLDEmJyYlIjEjVzEjVyUtJSwhJjEm. JyUkJCQxI1cxI1d9YA excluding the dots the line is 76 chars long (RFC 1521 states it have to be the length of base64 output stream). delete dots and pad it with "=" JiQlJzkkJzkkJj8mJjEnVScgMSdVICExI1cxI1cjJiUlIiYjICQsJiIsJCIkIiMxI1cxI1cnOiEl MSNXMSNXJiQkMSNXMSNXfWA5XUAxI1cxI1ckMSRQMSRVJDEmJyAxI1cxI1clMSYnIScxI1cxI1cl MSYnISMxI1cxI1cmMSYnISwxI1cxI1clMSYnIS0xI1cxI1clMSYnIiQxI1cxI1clMSYnIiUxI1cx I1clMSYnIiIxI1cxI1clMSYnLCUxI1cxI1clMSYnLCMxI1cxI1clMSYnLCIxI1cxI1clMSYnJiQk MSNXMSNXJjEmJyYlJDEjVzEjVyIxJicmJSExI1cxI1clJSMsLDEmJyYlIjEjVzEjVyUtJSwhJjEm JyUkJCQxI1cxI1d9YA== base64 decode and see what 'file' magic looks like: echo -n "JiQlJzkkJzkkJj8mJjEnVScgMSdVICExI1cxI1cjJiUlIiYjICQsJiIsJCIkIiMxI1cxI1cnOiElMSNXMSNXJiQkMSNXMSNXfWA5XUAxI1cxI1ckMSRQMSRVJDEmJyAxI1cxI1clMSYnIScxI1cxI1clMSYnISMxI1cxI1cmMSYnISwxI1cxI1clMSYnIS0xI1cxI1clMSYnIiQxI1cxI1clMSYnIiUxI1cxI1clMSYnIiIxI1cxI1clMSYnLCUxI1cxI1clMSYnLCMxI1cxI1clMSYnLCIxI1cxI1clMSYnJiQkMSNXMSNXJjEmJyYlJDEjVzEjVyIxJicmJSExI1cxI1clJSMsLDEmJyYlIjEjVzEjVyUtJSwhJjEmJyUkJCQxI1cxI1d9YA==" | base64 -d | file - /dev/stdin: Sendmail frozen configuration  - version ' 1'U !1#W1#W#&%%"&# $,&",$"$"# So it's not an attacker but maybe some users with the mail client hitting the Captive Portal.

When running a -PRERELEASE, -BETA, -RC, etc, it is always best practice to update to the latest available version before posting/reporting issues.

My guess is that it is telling you 20034 and 20035 are not MAC addresses. What are you trying to do and why aren't you using the GUI to do it? (Changes made outside the GUI will not be preserved across reboot.)

You were right wallabybob, I wasn't using the correct image. SOLVED

Thanks for your reply. Both pfsense and the radius server itself are managed by ntp (pfsense relies on 2 external servers and the radius server on the ntp server of pfsense). The radius database server runs on a different machine. The database server's time keeping is less accurate, but I guess this is less relevant. Or is this a wrong assumption? Jan

CP is blocking access to the port forward – it blocks inbound and outbound. You could add an "allowed IP address" entry for it but using only the "to" direction, then things can reach it from outside, but it can't get out itself.

where did you add this script? minicron says nothing to me.. i only know cron.

This setting limits the number of concurrent connections to the captive portal HTTP(S) server. This does not set how many users can be logged in to the captive portal, but rather how many users can load the portal page or authenticate at the same time! Default is 4 connections per client IP address, with a total maximum of 16 connections. I my system (2.0.1-RELEASE & 1.2.3-RC1 ) default is 4 and 1.2.3-RC1 i can chaged it to below 4. do i miss something?

Yea the more I think about it that is the only way I am going to get it to work.  I already have the radius server setup doing authentication for my wireless and it was my intent to use it for this as well.  Just thought captive portal may have been easier but I can't think of a way to do it since I can't have multiple trunks to the firewall with the same VLANs them.