I belive it's not IP range issue because the DHCP range contain more that 200 IP to use and I adjusted the lease time to 1 hour. What are your LAN firewall rules ? I didn't configure any firewall rules on em0 (LAN), only the default rules (Anti-Lockout Rule & Default allow LAN to any rule). What did you removed from default after you installed pfSense ? Nothing! can you use the Captive Portal "as it should be used" : on a dedicated, NOT LAN, but OPTx interface ? is it mandatory to add OPTx interface for Captive Portal ? -pfSEnse runs in a VM ? (and guess what, when it is NOT running in a VM, but running in its own box, the errors disappear ;) ?) Not VM, I installed pfSense directly on PC. Finlay, after along time search in google I found that may be the problem occurred because of network memory buffer, so I am tried to increase the buffer size by adding some buffer tuning settings in "System Tunables" and "loader.conf.local"  , it helps some how as the error didn't occurred again but I got some delay on network. I don't know it's solved permanently or it will occurred again but for 2 days now it's not occurred. before the tuning settings it was occurred one or two times every day

Vouchers are the key to the (your) access to Internet. If someone looses his key, well, this should be his problem, not yours. The "use only ones to gain access" has an nasty side affect. Let say : you hand out vouchers that last 24 hours. The guy logs in, all is well. Then, he goes of site, his IP in the lease table will get removed eventually. Another guy logs in with his voucher, and obtains the IP the first guy was using. Our first guy comes in, and want to connect. Ok, the MAC address is (could be) known, but he will be using another IP => he will NOT having access anymore. A captive portal session is based on : the IP and the MAC address. If the voucher code come in again, and their is still time left, old sessions are removed, as you saw, and a new one is created. Inform your voucher user that he should consider this voucher as a 100 $ paper, a credit card or his house keys. That will do the job. If he calls in and say "I lost it !!" and you have a copy of the voucher code, you can declare it "used". Then you yell at him - sell him a new voucher, or keep him out because he proved he couldn't take care of his stuff (or whatever ;)) The same way : what you are asking for, is that a voucher user can only use his voucher for ONE device - but many users have also a smartphone, an iPad, notepad, whatever. Using a voucher on ONE device will lock the usage to that device, as long as he keeps the same IP (that pfSense gave him). Your question concerns a household-with-kids situation, right ? In this case I can imagine why you asked. Btw : I do think it's possible what you are asking. You will have to change the code (PHP) somewhat.

The way captive portal works in many cases it has to reauthenticate users to make sure their login is still valid. For example, to enforce time or data limits. If you limit a user to one login, this reauthentication fails since they are currently online when the reauth happens. So for one user to connect from one device the limit has to be at least 2. So to allow them to login twice, it would have to be set for 4+. Kind of ugly, though. Using multiple logins so they have one unique login per device is cleaner and more secure.

You can't edit the vouchers and make your own codes. The codes are computed mathematically based on the keys and other info stored in the roll. There isn't a way to change any attributes that are not shown in the GUI already. If you want to allow people to login using a "code" that lets them on indefinitely, create users instead. You can change the usernames to whatever you liked to stop an old "code" from working for new logins.

@Gertjan: @bishoptf: Running 2.2.6 and having issues with …. What about leaving this old version, and upgrade ? I didn't heard about android users complaining that 2.3.2 isn't working well for them. Take note : who remembers issues and bugs present in 2.2.6 ? Yeah understand, it's in the plan and will be taking place hopefully shortly but was hoping to tweak and keep things working.  I finally had to turn the portal off and just leave it running without the TOS, its not working for anything including PC browser.  Source looks correct with a URL in the redirect value but nothing I tried got it working.  It redirects to the portal page and when you select continue it just reloads the portal page and adds your MAC address to the passthrough list but thats about it, each time you do your MAC address gets added to the list. Hopefully I can get it working when I upgrade, I have new hardware so I will be able to test it and make sure its working before going live.

I put together a one-time-password radius server using this: http://motp.sourceforge.net/ Not Google, I know, but as Gertjan says, this takes a bit of coding. Alternately, you might be able to write an interface between your radius server and Google, but the details are up to you to find.

Use some javascript to change it in the HTML on submission, it won't require any changes to pfSense code, just the portal page you upload.

Hi, Without telling more about your setup ? Well …. euh ..... no. When a user logged in, check using this doc page : https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting and double check that you can find the user's IP and MAC in related tables. Is their a reason for the fact your are using an (very) old pfSense version ?? You shouldn't - and if you do, do not ask for help, people that know or knew 2.2.4 upgraded for very logic reasons. No one knows what issued 2.2.4 had back then ....

nah no IPs. I allowed these hostnames: ajax.googleapis.com fonts.googleapis.com maxcdn.bootstrapcdn.com The thing that I can't wrap my head around is that it works in the browser but not this app that pops up "Captive Network Assistant". I also tried allowing the captive.apple.com hostname so device thinks it's got Internet access and there is no more of this pop up but that makes it really inconvenient to authenticate on mobile devices. I guess I am going to have to try and make pure html and css page and see if that does the trick.

Yeah cookbook is well a cookbook and nothing more. I am glad you suggested the other book so I ended up getting Pfsense: The Definitive Guide and The Book of PF: A No-Nonsense Guide to the OpenBSD Firewall 3rd Edition. I'll be away for a while now hh ;D

@BGS: The "bits and bytes" solution : Nail down the place where the test is made if a MAC address should be added to the MAC pass-through list. Add your own test that skips the "MAC pass-through" adding part IF the login was done with a "voucher". I don't get this. I'm new at pfsense … sorry ...-.- pfSense is a software product. You actually have 99,99% of the source code at your disposal. So the possibilities are unlimited. I advise you to look for a 4 NIC box.

@johnpoz: ….   I think its http://captive.apple.com/ but not 100% on that - I believe it looks to see if it can get back a 200 from there, if it doesn't than it assumes its behind a cp or something like. I disconnected form an AP on the LAN (192.168.1.1/24 - my iPhone was using 192.168.1.25) It obtains a 192.168.2.139 (my Captive portal is 192.168.2.1/24) Some non-important local IPv6 hanshaking is also present. 10-06-2016 10:03:20 Local7.Info 192.168.1.1 Oct  6 10:03:24 dhcpd: Reply NA: address 2001:470:1f13:5c0:2::c6 to client with duid 00:01:00:01:14:20:18:e3:b8:ac:6f:47:2c:77 iaid = 246983791 static 10-06-2016 10:03:20 Local7.Info 192.168.1.1 Oct  6 10:03:24 dhcpd: Renew message from fe80::75cd:7073:d0a4:bc7c port 546, transaction ID 0x1239AA00 10-06-2016 10:03:20 Local7.Info 192.168.1.1 Oct  6 10:03:24 dhcpd: Sending Reply to fe80::75cd:7073:d0a4:bc7c port 546 10-06-2016 10:03:21 Local7.Info 192.168.1.1 Oct  6 10:03:24 dhcpd: DHCPREQUEST for 192.168.1.25 from 90:b9:31:77:5e:26 via fxp0: unknown lease 192.168.1.25. 10-06-2016 10:03:22 Local7.Info 192.168.1.1 Oct  6 10:03:25 dhcpd: DHCPDISCOVER from 90:b9:31:77:5e:26 via sis0 10-06-2016 10:03:23 Local7.Info 192.168.1.1 Oct  6 10:03:26 dhcpd: DHCPOFFER on 192.168.2.139 to 90:b9:31:77:5e:26 (iPhone-5S-Gertjan) via sis0 10-06-2016 10:03:24 Local7.Info 192.168.1.1 Oct  6 10:03:27 dhcpd: DHCPREQUEST for 192.168.2.139 (192.168.2.1) from 90:b9:31:77:5e:26 (iPhone-5S-Gertjan) via sis0 10-06-2016 10:03:24 Local7.Info 192.168.1.1 Oct  6 10:03:27 dhcpd: DHCPACK on 192.168.2.139 to 90:b9:31:77:5e:26 (iPhone-5S-Gertjan) via sis0 Note : the DHCP server on pfSense tells my iPhone that DNS, Gateway, etc etc == 192.168.2.1 == the Captive portal 'pfsense' interface IP. I'm still figuring out why I should use the DNS from "Google". Upfront, my FAI proposes two DNS's when pfSense opens a WAN connection. They always worked fine. It's imprtant to understand that my visitors devices on the Captive portal have only 'pfsense' as a DNS server. pfSense itself uses the DNS that came with the WAN connection. That is the default setup. Works fine for a decade now. As soon as the link goes up (wifi in this case) the iOS launches a http request to http://captive.apple.com/hotspot-detect.html  : 10-06-2016 10:03:26 Local5.Info 192.168.1.1 Oct  6 10:03:29 pfsense.brit-hotel-fumel.net nginx: 192.168.2.139 - - [06/Oct/2016:10:03:29 +0200] "GET /hotspot-detect.html HTTP/1.0" 302 0 "-" "CaptiveNetworkSupport-346 wispr" 10-06-2016 10:03:27 Local5.Info 192.168.1.1 Oct  6 10:03:30 pfsense.brit-hotel-fumel.net nginx: 192.168.2.139 - - [06/Oct/2016:10:03:30 +0200] "GET /index.php?zone=cpzone1&redirurl=http%3A%2F%2Fcaptive.apple.com%2Fhotspot-detect.html HTTP/1.0" 200 1536 "-" "CaptiveNetworkSupport-346 wispr" 10-06-2016 10:03:28 Local5.Info 192.168.1.1 Oct  6 10:03:31 pfsense.brit-hotel-fumel.net nginx: 192.168.2.139 - - [06/Oct/2016:10:03:31 +0200] "GET /hotspot-detect.html HTTP/1.1" 302 5 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0_2 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Mobile/14A456" 10-06-2016 10:03:29 Local5.Info 192.168.1.1 Oct  6 10:03:32 pfsense.brit-hotel-fumel.net nginx: 192.168.2.139 - - [06/Oct/2016:10:03:32 +0200] "GET /index.php?zone=cpzone1&redirurl=http%3A%2F%2Fcaptive.apple.com%2Fhotspot-detect.html HTTP/1.1" 200 849 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0_2 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Mobile/14A456" 10-06-2016 10:03:29 Local5.Info 192.168.1.1 Oct  6 10:03:32 pfsense.brit-hotel-fumel.net nginx: 192.168.2.139 - - [06/Oct/2016:10:03:32 +0200] "GET /captiveportal-style.css HTTP/1.1" 200 836 "https://portal.brit-hotel-fumel.net:8003/index.php?zone=cpzone1&redirurl=http%3A%2F%2Fcaptive.apple.com%2Fhotspot-detect.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0_2 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Mobile/14A456" 10-06-2016 10:03:29 Local5.Info 192.168.1.1 Oct  6 10:03:33 pfsense.brit-hotel-fumel.net nginx: 192.168.2.139 - - [06/Oct/2016:10:03:33 +0200] "GET /hotspot-detect.html HTTP/1.0" 302 0 "-" "CaptiveNetworkSupport-346 wispr" 10-06-2016 10:03:29 Local5.Info 192.168.1.1 Oct  6 10:03:33 pfsense.brit-hotel-fumel.net nginx: 192.168.2.139 - - [06/Oct/2016:10:03:33 +0200] "GET /index.php?zone=cpzone1&redirurl=http%3A%2F%2Fcaptive.apple.com%2Fhotspot-detect.html HTTP/1.0" 200 1536 "-" "CaptiveNetworkSupport-346 wispr" 10-06-2016 10:03:35 Local5.Info 192.168.1.1 Oct  6 10:03:39 pfsense.brit-hotel-fumel.net nginx: 192.168.2.139 - - [06/Oct/2016:10:03:39 +0200] "POST /index.php?zone=cpzone1 HTTP/1.1" 200 635 "https://portal.brit-hotel-fumel.net:8003/index.php?zone=cpzone1&redirurl=http%3A%2F%2Fcaptive.apple.com%2Fhotspot-detect.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0_2 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Mobile/14A456" 10-06-2016 10:03:35 Local5.Info 192.168.1.1 Oct  6 10:03:39 pfsense.brit-hotel-fumel.net nginx: 192.168.2.139 - - [06/Oct/2016:10:03:39 +0200] "GET /hotspot-detect.html HTTP/1.0" 302 0 "-" "CaptiveNetworkSupport-346 wispr" 10-06-2016 10:03:36 Local5.Info 192.168.1.1 Oct  6 10:03:39 pfsense.brit-hotel-fumel.net nginx: 192.168.2.139 - - [06/Oct/2016:10:03:39 +0200] "GET /index.php?zone=cpzone1&redirurl=http%3A%2F%2Fcaptive.apple.com%2Fhotspot-detect.html HTTP/1.0" 200 1536 "-" "CaptiveNetworkSupport-346 wispr" Btw : I'm using https portal authentication. This is just a detail.

I was able to get this resolved.  It turned out to be a problem with my switch.  I backed it up, defaulted it and restored the config and everything started working.

@itchy: Can you provide some more details? This has been taken care of a long time ago. https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting The firewall rules "ipfw" redirect all http requests to the internal web sever that displays the login page IF the user's device hasn't been granted access already. If a user's device has been granted access, the firewall rules accessible in the GUI determine what happens. edit : great : I'm actually saying the same thing as Derelict.

You would have to create another pool for your dhcp server on your cisco. http://www.cisco.com/c/en/us/td/docs/ios/12_2/ip/configuration/guide/fipr_c/1cfdhcp.html

https://redmine.pfsense.org/issues/6421

Hi. First of all thanks for your responde I used 1 minute idle time just as an example, but I have done much more testing with differents time and same result. When authenticated MAC is not present on Captive Portal / ZONE /MACs because I'm not ussing MAC passthrough. I'm asking to see if anyone have found a way to get it working because it become a problem for us. I have worked with other WiFi system (much more complex) like Aruba and I have never have this problem with MAC auth and Radius server. We don't want to use MAC passthrough because we lost, for example, accounting information. Regards,

Hi Gertrjan thank you for replying, what you suggest would work i'm sure, but we have a policy where management of all assets is done on a specific Vlan (Vlan 20). Unfortunately, I am unable to change that, policy, but as it happens, I resolved the issue earlier today, only just got home to update with the soultion. I actually had done everythig correctly in pfSense, the problem was the guy who had set up the Cisco 3560, had applied all the three vlans to the trunk port as I had requested him to do, but he also had in the Cisco interface config the line 'switchport native vlan 20'. I got him to remove this line and everything now works, so i've spent this afternoon setting up firewall rules blocking access to the and from the opt 1 vlan from the lan and wan for security, and blocking access to the management interface from the WAN and LAN interfaces too. Tomorrow will be the big test day, but I quickly checked everything before I left and it seems to work perfectly, only access the webgui and ssh from vlan 20 and nowhere else. Thank you again for the suggestion Regards Tony.