ah I found this Feature Request http://redmine.pfsense.org/issues/2152 that reflects exactly what I have been asking.

Most commonly that's because you're not using the DNS forwarder as your clients' DNS server and don't have a passthrough for the DNS servers so you're blocking DNS.

afaik you can intercept the traffic using a transparent squid instance and use squidguard for black/whitelisting URLs

Just a reminder, inbound states are not indicative of traffic but the presence of outbound traffic. It wasn't until I started pulling captures that I started seeing the lack of return traffic. We have put bypasses in our Websense system for the WAN ip of pfSense and amazingly it started working. Thanks to those that replied. I am looking forward to the next version of the pfsense definitive guide. I hope that it reaches into the technical depths a little more than the first one. Best Regards, Mac

Sorry for getting back late, thanks a lot for your help :D But I end up digging those default files from a new install on virtual machines ;D Here are the files I have got finally: https://docs.google.com/open?id=0ByIVqCZFmC_2akhnUTdmQUhEN3c

I suspect the OP is referring to something like a MS Terminal Server where dozens or more users can be logged into the same machine simultaneously.

Portal authentications do not sync at this time.

Right you are:  http://redmine.pfsense.org/issues/2378 Fixed as of 6 days ago. Looking forward to it rolling out in 2.0.2.

No, I have about 100-200 concurrent users. 40K users are in Radius database.

@marcelloc: Are you using squid in transparent mode? yes i use it in transparent  ;D

@cmb: don't put it in there, you can use port forwards to redirect DNS. Would you provide an example please?

Don't mess with repeaters of any type. Not a good idea, and except for some proprietary solutions, not layer 2 transparent like you need. Install more hard-wired access points. I really like EnGenius in terms of value for money. Get a bunch of EnGenius EAP350's for indoors and ENH202's for outdoors. The ENH202 comes with a proprietary power injector. The EAP350 requires an 802.3af power injector or switch. Hook these units up to a switch off your pfSense box. Make sure to use only channels 1, 6, and 11 and keep overlap to a minimum (with n=3 reuse, you WILL have overlap. Ignore the people who propose using 1, 4, 8, 11 or 1, 4, 7, 11 to reduce overlap. Even Cisco once recommended that in the early days of Wi-Fi. Real world experience has shown even these minimally overlapping channels dramatically reduce throughput - far more than co-channel interference will. If you're outside North America, use 1,5,9,13 as long as you're okay with some devices not being able to connect on channel 13. 1,5,9,13 are non-overlapping for 802.11g and 802.11n and almost non-overlapping for 802.11b). I really love the EnGenius product line, and their customer support is great. They don't do everything, but for the money, they're excellent and have good range - great stability - and support up to 4 VLAN-isolated VAPs and VLAN management. My second choice would be anything that can run DD-WRT. MUCH harder to use and configure, less stable unless you play with finding the right build, but has a ton of capabilities. I'm using some Buffalo WHR-HP-G300N's as AP's in various installs. DD-WRT 18777 is stable on these, though most other build's (INCLUDING BUFFALO'S OFFICIAL BUILDS) are horrifically unstable. Like them a lot for the money (about $40 a piece). No Power over Ethernet, desktop style box. But cheap and capable. I'm also really interested in trying the MikroTik product, but this adds even more complexity. Great prices though. EnGenius/Senao is easy to use, has great range/stability, great customer service, and works very well. I have no affiliation with any of these companies, just saying what I use and am satisfied with!

thanks for this

Try if this will help you: http://redmine.pfsense.org/issues/2164 If not it would be probably the best to post this in the "Post a bounty" section. http://forum.pfsense.org/index.php/board,34.0.html

when i tried to run the page to stop service from console via php /usr/local/www/status_services.php mode=stopservice service=captiveportal I got error : i got Potential DNS Rebind attack detected, see http://en.wikipedia.org/wiki/DNS_rebinding Try accessing the router by IP address instead of by hostname. Can you suggest me a way to do it? Thanks

Thx you all for the help. I've got it working. I create a 31 bit key with openssl I found a youtube tutorial: http://www.youtube.com/watch?v=aO0KxzigeLY&feature=endscreen&NR=1 Part 1 and 2 did it for me. i copied: 1. openssl genrsa -out private.key 31 2. openssl rsa -in private.key -out public.key -pubout -outform PEM It took me a while to figure this out but it works. I only copied and pasted the key's and left everything as it was. Result: 6 chars Thx

Yeah i thought about a hard timeout,  Our users don't pre-buy time,  it's done on a per minute basis,  and i could see them getting annoyed if they are on skype and get disconnected every 30,  For now i'm just going to continue to operate on the honor system,  tell the 30 min users that they have 30 minutes, and to please watch their own time,  if they go slightly over the 30 I won't charge them extra,  but if they go too much over, heck it's only $2.50 for another 30 mins. But i'd love to find a workaround.

Just found this, it seems to require much more efforts than just inserting the address as in the post auth…. http://forum.pfsense.org/index.php/topic,34148.0.html :o

I'm connected by cable to try (I'm configuring the server), but the disconnect and connect, and still the same. Thanks.