I submitted a fix for this last year some time where it wouldn't delete the fields if you configured and then unconfigured it. Glad your browser cache fixed it.

Thanks GeertJan, i also aggree, that is a useful scenario, for hotels too most guest have multible devices, for eg. a laptop, an ipad, or a smartphone. i suggest an option: max concurrent connection per voucher/session/whatever: <number>so you can open a time window for a limited range of devices and doesn't loose all the security…</number>

I see you are using a "Beta" release, wouldn't be better to go for a "Stable" version which are supposedly free from bugs/errors ???

http://forum.pfsense.org/index.php/topic,34148.0.html

@electric34: I dont know htlml coding, and this url pre-auth redirect is throwing me off. What do i redirect to for users to sign in? For each user i have to setup a account for? if i do local user authentication. I have a terms and conditions policy i need to upload. You don't need the "pre-auth redirect", as the words say, that can be a page that users can see before they reach the login's page. The problem with this option, is that any page you want to use, will need some code on it to send back the user to the login's page, i hope the developers will find a more user's friendly option at some point, as the "After authentication Redirection URL" option. Here is a usefull link to read:    http://forum.pfsense.org/index.php/topic,34148.0.html

I changed my tact completely on this, as I struggled to get it working firing the data to a different server as javascript doesn't like posting between domains. I altered the index.php file that resides in the captiveportal folder (using the package 'filemanager' is ideal). I then use PHP to recieve the form fields, turn them into a line of data "timestamp|name given|email given|postcode given|ip address";  (something like that).  This is then appended/written to a file, one entry per line, a new file being created each day.  The file is available to view via a web browser (see screen shot). The green 0's shows there has been no warnings given for dodgy details. If I click the 0, that mac address is added to an associative array and that user booted off the captive portal.  They then have to fill in the form again, but a red warning appears on the form too.  The green 0 then becomes a red 1.  If they log back in, the red 1 turns blue.  You can then click this again to ban once more, you then get a red 2 which turns to blue when they log back in.  3 warnings and the warning message they then see is titled "LAST WARNING".  If they get warned once again, they are banned for three days (they just recieve a page explaining why they have been banned when they try to login. Sounds complicated, but it works really well. If I knew anything about creating packages, I would consider it.  I would like to integrate the log viewer into the pfsense template, at the moment it is accessed seperately via http://pfsenseIP/wifilogs/wifilogs.php (with a php sessions password). This can be used in conjunction with the Squid Proxy and Sarg Reports to see what websites were accessed by the users. [image: untitled.PNG] [image: untitled.PNG_thumb]

Sorry but cannot understand your post!

As previously stated, Captive Portal is implemented on pfSense using ipfw. I believe ipfw will handle input traffic before pf (the standard pfSense firewall) and output traffic after pf. The log extract you posted shows traffic from port 80 on a server at 174.35.67.7. This is traffic passed by pf which is independent of captive portal. It doesn't mean ipfw will also pass the traffic. (I don't know whether ipfw passes or blocks such traffic when there are no active users.) @AudiAddict: I am somewhat "scared" that it's allowing traffic on this interface even when users are not logged in? That log is showing traffic allowed by pf, not traffic allowed by ipfw. The traffic is mostly TCP from a HTTP server. It is quite possible this traffic is the server probing a previously established TCP connection to see if the client is still "listening". I don't know if there is any mechanism for ipfw to notify pf that pf should now block traffic on particular flows because the user is now "logged out". @AudiAddict: Also I'm seeing traffic inbound and not outbound when I look at the logs? How is this possible? Please provide a specific example of your concern if you are not satisfied by the previous explanation. Note that firewalls can't stop "inbound" traffic (that is they can't stop another computer sending traffic to them). In short, you haven't provided any evidence that anything is "broken". I understand your concern. A packet capture on the interface is a far more reliable way of seeing traffic that is actually sent and received but a capture doesn't tell you what the firewall does with the traffic.

You are saying that there is a chance to obtain this wispr compliance without asking help to pfsense developers? If yes do you have a suggest for me?

Thank very much. This seemed to be the solution.

Hello Board, We've got it working as intended! On Pfsense 2.1 beta we have now 3 OpenVPN services running connected to 3 different Captive Portals. De virtual interfaces have each a DCHP range and also the squid proxy is listening. The downsides are; RRD graphs are not there (yet) for providing statistical Information. shaper isn't working on de openvpn interfaces. IPv6 isn't working in conjuction with openvpn and / or captive portal. I'm sure this is only a matter of time! Thanks for delivering and stable box of pandora!

Ok, I have this bit of code which works to turn a MAC into the ID, and assume there wont be issues in using that to get the ID? //error_reporting(0); $ourmac = $_GET["mac"]; $oursid = ""; require("captiveportal.inc"); if (file_exists("{$g['vardb_path']}/captiveportal.db")) { $captiveportallck = lock('captiveportaldb'); $cpcontents = file("/var/db/captiveportal.db", FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES); unlock($captiveportallck); } foreach ($cpcontents as $cpcontent) { $cpent = explode(",", $cpcontent); if($cpent[3] == $ourmac){  $oursid = $cpent[5];  break; } } echo "The SID is: $oursid"; exit; ?> And I can then use: captiveportal_disconnect_client($oursid); to kick a client?

@dhatz: @Lee: It gets to be real fun when some antivirus link checker tries to check the database for the captive portal link and fails…  ::) Is this behavior common among AV software? (I've never actually used a AV …). And if it is relatively common, is there a "best practice" for dealing with that? Perhaps a list of URLs used by popular antivirus programs, so one can white-list them ? It seems to be in the hotels we support.  And they keep moving the servers!

ok, don't really know what happened, but even though I put the shared secret into the CP interface correctly, the capitalization of one of the characters was wrong in the clients.conf file.  That seems to have fixed it.  Thanks for the input folks.

Ok this problem has been fixed. Was not depending from the CP but from my Xampp/Apache configuration. On the 'index.php' inside \xampp\htdocs i had to change the word "xampp" with the folder's name of where my local site is located (and to where my CP is pointing to). if (!empty($_SERVER['HTTPS']) && ('on' == $_SERVER['HTTPS'])) {       $uri = 'https://';   } else {       $uri = 'http://';   }   $uri .= $_SERVER['HTTP_HOST'];   header('Location: '.$uri.'/xampp/');   exit; ?>

I have something similar happening to me, everytime i try to login to FaceBook, the connection get refused…..i allowed the https port too but nothing to do (using Squid). :-\

What do you mean exactly with "get redirected on their first access" ?? Do you want people to bypass the login page and go to the first page they have accessed after their first login (looks strange to me, as people wouldn't want to always return to a page that maybe have randomly visited on that specific occasion) or the homepage they set on their browser, or maybe a landing page you have created ??

Here is the output of top -SH  from a few hours before heavy utilization.  I will post another during peak utilization $ top -SH last pid: 26657;  load averages:  0.06,  0.04,  0.01  up 27+06:26:31    14:14:06 105 processes: 3 running, 85 sleeping, 17 waiting Mem: 434M Active, 36M Inact, 123M Wired, 972K Cache, 46M Buf, 2393M Free Swap: 8192M Total, 8192M Free PID USERNAME PRI NICE  SIZE    RES STATE  C  TIME  WCPU COMMAND   11 root    171 ki31    0K    16K CPU1    1 624.4H 99.37% {idle: cpu1}   11 root    171 ki31    0K    16K RUN    0 616.4H 98.97% {idle: cpu0}   12 root    -68    -    0K  136K WAIT    1 409:29  0.88% {irq257: bce1}   12 root    -68    -    0K  136K WAIT    0 470:10  0.59% {irq256: bce0} 7255 root      56    0 54764K 17504K accept  0  0:04  0.10% php     0 root    -68    0    0K    56K -      1 302:02  0.00% {dummynet}   12 root    -32    -    0K  136K WAIT    0 142:51  0.00% {swi4: clock} 15569 root      44    0  308M  305M bpf    0  76:24  0.00% tcpdump   14 root      44    -    0K    8K -      0  43:31  0.00% yarrow 20782 root      44    0  5116K  3236K select  0  32:01  0.00% openvpn 40867 nobody    44    0  6580K  3764K select  1  27:08  0.00% dnsmasq 15406 root      44    0  4948K  2540K select  1  24:32  0.00% syslogd 37705 root      44    0 62920K 56756K kqread  0  18:44  0.00% lighttpd 15721 root      44    0  3316K  924K piperd  0  12:15  0.00% logger 34014 root      64  20  3316K  1348K select  1  7:58  0.00% apinger     8 root      44    -    0K    8K pftm    0  5:43  0.00% pfpurge 39181 dhcpd    44    0  8436K  5796K select  0  3:57  0.00% dhcpd 17116 root      76  20  3656K  1464K wait    1  2:24  0.00% sh

Not at all, I think it has something to do with the buggy wireless interface (run0). Like i said it was "gone", had to reboot to get it to work again and then captive portal was broken (it showed errors that interface was missing etc) and now I'm unable to start it. It seems one-time interface errors causes it to break completely. How would I go about and fix this? The last time I had to do a complete reinstall :( The packages I'm running are : squid3, vnstat , lightsquid, nmap and mailreport. So nothing out of the ordinary. @cmb: You can just apply the update for the version you're running to replace that. What do you mean by applying a update? for the file?

Thank you very much for your ideas.