• Help ….

    Locked
    0 Votes
    3 Posts
    1k Views
    Well, I'll try it, thanks for your help :)
  • Hard timeout sometimes not working

    Locked
    0 Votes
    6 Posts
    2k Views
    @anatolidt: hadi, alan, do you experience this always or only sometimes, maybe when your box was running for a long time? What packages installed? On my testbox only pfblocker and pfflowd installed, squid-reverse removed. Nothing special… Can't be hibernation mode that irritates pfsense... I'm using MAC auth and noticed this with a fresh reboot, setting the DL limit to 1 GB per month; then after it lost connection from downloading a 1.2 GB file, all I had to do was refresh a page and I was back on the net. No other packages except freeradius2. I figured I was setting something wrong.
  • Captive portal authentication logs

    Locked
    0 Votes
    4 Posts
    4k Views
    I think you can install a local syslog server, but I would not play with this on a security appliance unless the core devs plan to implement writing logs to disk. But maybe this wouldn't be such a bad idea since pfs 2.0 was aimed for hdd install and you get plenty of space today at minimum which is totally unused. On the other hand, when switching to ssd this changes again…
  • Using CP through CPEs and routers

    Locked
    0 Votes
    5 Posts
    2k Views
    I've been messing with this with two laptops wired to the LAN/switch in line. The only way things sort of work is with these settings:

    FreeRADIUS Plain-MAC-Auth as 802.1X request with Captive Portal

    FreeRADIUS configuration
      • Disable Plain-MAC-Auth on FreeRADIUS => Settings
      • Enter the MAC address of the host in the following format (11-22-a3-bb-44-af) in FreeRADIUS => Users
      • Enter the password for this MAC address. We will choose blaaa in this how-to. Read the following steps for fully understanding!

    Captive Portal configuration
      • Enable RADIUS MAC authentication
      • Enter the same shared secret here you choose above in FreeRADIUS => Users. This field must not be empty! This is not the shared secret which is used for communication between NAS(CP) and the FreeRADIUS server. I used blaaa as I wrote above.
      • MAC address format. In general you can leave this on default or any other option because FreeRADIUS is converting the MAC address (Calling-Station-ID) into the correct format. To be 100% correct choose here ietf

    The one problem I seem to have noticed is the speed limits. Have to set this in CP, and in radius I set a different speed for each laptop. Both run at the same speed, the default CP setting. If I set this to 0 I get nothing. If I uncheck the box in CP I get nothing, as in no connection through the WAN.

    Another question: with this setup on the LAN, say I have an OPT1 interface with a static route to another LAN. Does CP limit the connection speed through this connection as well?

    Thanks, Allan
  • Multiple "Success Pages" in CP

    Locked
    0 Votes
    2 Posts
    2k Views
    Are you asking "Can a web page distinguish a "public VLAN" user from a "802.1x allowed user" so that registration or authentication can be invoked?" If that is the question then I suspect the answer will generally be "no". But there might be some specifics of your particular configuration that would allow that distinction to be made.
  • Captive Portal without Authentication

    Locked
    0 Votes
    9 Posts
    7k Views
    I'm sure it would be of interest to people, maybe not at this instant, but I would recommend posting it regardless as I'm sure someone will find this at some point and want to see it.
  • Strange behaviour with MAC passthrough

    Locked
    0 Votes
    5 Posts
    3k Views
    jimp
    There are some APs out there that work in a bridge mode where they don't forward on the client's MAC. I have a couple of them, EDIMAX somethingorother model. It's impossible to use more than one client from behind it in AP client mode from what I could tell.
  • Captive Portal Non Voucher Blocking

    Locked
    0 Votes
    4 Posts
    2k Views
    Yeah but you can 'implement' authentication with mac-address/ip of the device.
  • Authentication server

    Locked
    0 Votes
    4 Posts
    2k Views
    @canefield: Q1: Does Captive Portal lend itself to doing this? Should I use another program/package? CP can be used in such a scenario; however, if you expect this to be a permanent setup, you might also want to look into using PPPoE as an alternative. Check the posts by luke240778 to see the kind of issues that you might encounter.
  • Setting gateway on OPT = No Internet for Captive Portal users

    Locked
    0 Votes
    4 Posts
    3k Views
    @cmb: that's not true, it means the system's routing table and will use its default gateway. Then my original question still stands. I have outbound NAT rules for both WAN and OPT. The OPT->* firewall rule allows Captive Portal users to access the internet. However, Internet access only works if I set the rule to use the WAN gateway (or the failover gateway group). It does not work if the rule is set to use the default gateway. I must remove the BACKUP gateway from the OPT interface settings in order for Internet to work with the default gateway in the rule.
  • Is pfSense corrupting my radius IPV4 checksum requests?

    Locked
    0 Votes
    7 Posts
    2k Views
    0 checksum would just be hardware checksum offloading. Can capture from the destination to get the checksum that's actually on the wire.
  • Captive portal

    Locked
    0 Votes
    4 Posts
    2k Views
    Oh I just noticed your captive portal is way over on the left side of that diagram, I assumed it would get dropped in where the AP is. That's not possible, it's not possible to use any CP when it isn't inline in the network path to the Internet.
  • Implementation

    Locked
    0 Votes
    8 Posts
    3k Views
    @dhatz: Well, there has to be some in-line device that coordinates this type of functionality, unless the WAP itself has what's needed (e.g. some people do the CP functionality in Linux-based APs). If you really want this to be: Cisco LWAPs -> L2 switch -> DSL line, then you'd need to check what options those WAPs offer you. That's how I have it... they are not LWAPs though, not lightweight: Cisco AP - L2 switch - DSL line … I just can't put a CP server in every location; Cisco APs 1200 series don't offer hotspot. Anyhow, thank you for your help.
  • Referencing the CP BW user specific limiter tutorial

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • 0 Votes
    8 Posts
    7k Views
    @mutheu: Thank you for your quick response. But I use external Freeradius server. Will this have any effect? Aahh, I am sorry. I talked from the pfsense freeradius2 package. But this confirms that it is a NAS problem and not a freeradius2 problem because the effect is the same with CP and freeradius2 package from pfsense :-) edit: ../raddb/sites-available/default go to "preacct" section and comment out "acct_unique". Then try again.
  • Captive portal won't redirect after authentication

    Locked
    0 Votes
    21 Posts
    14k Views
    @Gertjan: you can get these for free these days. Well, I am currently living in a somehow very stingy part of our planet right now, so nothing is free around here; sometimes people even try to charge me for what I own! However, that's a bit off topic  :D I chose the USB stick installation after having seen all the reports of people losing all their files once PFSense was installed, and guess what? Everything I had on the stick got erased; however, they were just duplicate files, so not a problem. I got another spare old PC right here. I was hoping to be able to operate both PFSense and my webserver on the same PC, but once PFSense is running, it doesn't look like I can do anything else on that PC…. :-\
  • Monitor users upload/download in realtime (live)

    Locked
    0 Votes
    5 Posts
    10k Views
    @Nachtfalke: http://www.mhfoto.com/web/pfsense-traffic.jpg On the right you can see the IPs. But you are right. Not very comfortable. Ya, that works, but what I really want is a webpage like the captive portal, how it shows logged in users, and it would have speeds. That page you linked to flashes faster than a busy whore lol
  • How can I limit a user's download volume via CP on LAN

    Locked
    0 Votes
    9 Posts
    3k Views
    @ermal: It's a patch to the OS so you need a new snapshot. Please advise how to apply new snapshot without losing everything. Thanks
  • Custom voucher login

    Locked
    0 Votes
    2 Posts
    2k Views
    The primary file is /etc/inc/captiveportal.inc. pfsense creates and uses files under /var, e.g. /var/etc
  • Captive portal and Freeradius

    Locked
    0 Votes
    10 Posts
    5k Views
    @mutheu: For me, I think the best solution to your problem is to set up a Radius server and use a counter. Instead of specifying 5 days, you simply convert the 5 days to seconds: 5d x 24hrs x 60min x 60sec. Counter will keep on reducing time even if your server goes off, it will pick up on where it left - especially with re-auth every minute. The time counter module only works on "accounting stop" packets. The time value in Accounting stop packets from CP are not correct in 2.0.1. Ermal did some changes on this (redmine) and perhaps it will be implemented on 2.1. But I am not up-to-date with this problem. But if the NAS or the server reboots - the user has to re-login - and that's the problem and not the "time management". That's the way I understand qbik's posts.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.