@Metu69salemi: Haven't done by myself so i can't answer Captive Portal does not work in transparent mode (layer2 bridge), you have to setup pfsense as a gateway & use pfsense DNS forwarding for Captive Portal to work. ~ Dave ~

Yes, WISPr attributes are supposed to be specified in bps, we originally incorrectly had it as Kbps early on in 2.0, it's been correct for the RCs and release.

IP to MAC associations would no longer be enforced, and it's just ugly to have everything upstream on your network showing a single MAC for all those clients if it's in any way avoidable.

Users get added to one of the tables, they no longer get their own ipfw rules. List the tables to see what's permitted.

Thank you for your answer. I will get back if further assistance is needed. Best regards Kostas

I'm happy with my HP/Procurve 1700-8 (7x 10/100 ports, 1x10/100/1000 port). Other cheap VLAN capable switches I know of (but no experience with) are Mikrotik RB250GS (5 x 10/100/1000 ports), TP-Link TL-SL2210WEB (8 x 10/100 ports, 1 x 10/100/1000 port, 1 SPF port).

FIG 2  

Ermal, Thanks for your help! Yes, it just my own mistakes. Accidentally put the ip address in the "Allowed IP Addresses". Regards, Rimbb

how can  permanently modify php.ini.??? At every restart pfsense put a fresh copy of  the php.ini files with default configuration.

Hi, Im also looking near the same approach. I want to allowed everybody using wifi with 'No Authentication' but only after submission of email address.

@wallabybob: What authentication method? (user name and password? voucher? radius?) What timeout? Username and password.  No voucher or radius.  No idle timeout.  Hard timeout set to 60 mins.  The default settings. @miles267: However on day 2, the same client connects to the access point (open, no encryption), but is not prompted to authenticate through the captive portal.  As a result, they cannot browse the web at all. Did the client attempt to browse the web and fail OR did they not see the authentication page and conclude they wouldn't be able to browse the web? The client closed their browser, went to sleep then powered back on and re-launched browser.  Was never prompted to re-login to captive portal and was unable to browse any web page.  Tried to ipconfig /release and ipconfig /renew and browse again without success.  Then, rebooted the client PC and was once against prompted for captive portal login. @miles267: I've tried to ipconfig /release and /renew on the problematic machine without success.  Even tried to flush the temporary internet cache files on the problematic PC and it still didn't work.  What causes this? Maybe the client needs to get a new IP address to be forced to authenticate and the DHCP server just renewed the old address. I suspect the client didn't logout and just reconnected before the captive portal session timed out. I typically do not manually logout of the captive portal.  Just assumed the captive portal would handle the logout and prompting for credential when appropriate.  In the event users neglect to click a logout option. I've been using CP for some months now and not seen any problem with vouchers not timing out. (I've been testing with 5 hour voucher timeout.) When I haven't had my voucher codes handy I have logged in with (local) username and password and that definitely times out after a while. I didn't set a timeout for local username and password and haven't looked at the setting but I would guess that the timeout period is more than a day. Are there any recommended parameters for username/password authentication?  as far as idle and hard timeouts, etc.?  Thanks.

Yep  :D I think i remember reading somewhere that its possible in the underlying software but just not in the GUI. So maybe ina future version.

@wallabybob: I don't know if GRE tunnels are supported on your APs; they are on pfSense. See pfSense man page on gre - http://www.freebsd.org/cgi/man.cgi?query=gre&apropos=0&sektion=0&manpath=FreeBSD+8.2-RELEASE&arch=default&format=html GRE tunnels apparently don't use encryption so should be a lighter load on AP CPU and pfSense server CPU than a VPN. Well..dd-wrt doesn't support it on the webgui, however it's linux, so it's probably possible. But looks like the newer firmwares doing it differently (2.4 vs 2.6 kernel). I don't feel the power in me to do it by hand… i'm sure it gets worse eventually :) thx

Thanks for the confirmation. (looks like I'll have to do some convincing to get some $$$ allocated).

@broncoBrad: Is there any way to combine it into one login maintaining that level of encryption/security? I don't really want to be giving my wireless AP password out. I mean it's not that big of a deal, but if I'm going to give out the AP password I mind as well just use captive portal as a bandwidth limiter instead of user login. Thoughts? I think you can still have WPA encryption without having to have an AP password. Some wireless hardware support 1 or more AP's, so you can have a guest AP with the captive portal and segregate that from your LAN. So in essence it doesn't matter if you have to give out your guest AP password.