Just make sure they can't just "choose" to be elected your spanning tree root or something stupid like that. Are your wired and wireless networks on the same layer 2? You might consider separating them else someone who connects wired and wireless at the same time with something like an Airport express in "join a wireless network" mode will create a bridging loop. probably many ways to accomplish that with two ports to the same layer 2 in the same location. (one wireless, one wired). You ought to be able to just use the same CP on both networks.

No. Not until someone writes proper hooks for ipfw to be used in packages. Cf. https://redmine.pfsense.org/issues/5594

Thanks will look into it

@doktornotor: CP and Squid in transparent mode will NOT work. Thank you very much!

FreeRADIUS on pfSense? You can't. If you use it externally, there might be a GUI that lets you do that somewhere, but it's not a pfSense feature, it would be some other bit of software.

When trying to connect to WIFI with mobile devices it just hangs in "Connecting WiFi" page and not get redirected to captive portal. During this time shouldn't I be able to connect to captive portal by manually typing the captive portal URL. When I do so on mobile, it says connection refused.

Not possible. Anyone with access to page-system-usermanager is effectively root.

No it didn't. It is simply not possible to get in the middle of an HTTPS connection and not generate a certificate error unless you can mint a certificate for the original destination signed by a CA trusted on the device. And even then you are hampered by certificate pinning, etc. I would love to see the certificate generated by the captive portal that was presented when you tried to go to a regular, global HTTPS site and got the portal instead without a cert error being presented.

in sys file there is a method like below, in it I set. That method produces nginx config file. function system_generate_nginx_config(…) .... events {     worker_connections  1024;   **  multi_accept on;** } …. When I set "multi_accept on;" will it cause any problem? NOTE: The web sites about nginx saying like below about "multi_accept on;": We've enabled multi_accept which causes nginx to attempt to immediately accept as many connections as it can. The option multi_accept makes the worker process accept all new connections instead of serving on at a time. If multi_accept is disabled, a worker process will accept one new connection at a time. Otherwise, a worker process will accept all new connections at a time.

@haydin81: Squid3-dev–->"non-transparent", Patch captive portal" checked, "authentication-captive portal" Captive Portal--> enabled, "authentication-radius" checked"disable mac filtering" while state that, 1. if a user open explorer without proxy settings, he can access captive portal login page(of course some firewall rule added) 2. if a user open explorer with proxy settings, he cant open access captive portal and no access to internet (why?) 3. if a user open explorer without proxy settings and login captive portal (note.1), he can access internet with proxy settings explorer. Help me!! Hi, I'm with the same problem. But, pfsense 2.3.2-RELEASE-p1, package squid 0.4.29_1. Has anyone made work non-transparent proxy + captive portal? –- edit I solved the problem editing the error page (/usr/local/etc/squid/errors/.../ERR_ACCESS_DENIED) to redirect to captive portal. But the user needs to access some http page, not https, because the browser blocks https redirection.

That is a problem in Android. After login  the redirect url will crash right? I have captive portal set on other gateways not pfsense and also do this on Android, It is a known problem.

hi there again, I played around with 2.3.2 in my lab and figured it out. The old cp portal works flawless by adding the allowed ip "192.168.0.0/16", of course the pfSense interface / LAN Subnet my clients are using is in this range. With 2.3.2 a client can access any ip without authentication as soon as the LAN subnet is added unter "allowed ip", which is used by the captive portal clients. in my case: setup all needed subnets manually, and add new one over time add all subnets manually in this range except the one of the captive portal clients

@sonidoP: Try URL: http://x.x.x.x:8002/index.php?zone=cp_guest (ref: https://forum.pfsense.org/index.php?topic=110073.30 ) with blank page result. Like that ? Your captive zone 'name' in question is really "cp_guest" ? The port used by pfSense is really "8002" (mine is 8003 for https and 8002 for http - you can't chose them, they are assigned by pfSense when creating portals) If "http://x.x.x.x:8002/index.php?zone=cp_guest" doesn't work, you have two possibilities : You portal doesn't work -> make it work first. Visiting "http://x.x.x.x" (your captive portal address) should redirect you to … as said here : https://forum.pfsense.org/index.php?topic=110073.msg679281#msg679281 Check your port number and zone name - it should be EXACT. @sonidoP: There is little documentation of the Pre-authentication procedure in version 2.3.2-RELEASE-p1, Someone could tell me if the process is correct? As said here https://doc.pfsense.org/index.php/Captive_Portal_Pre-authentication_Redirect and as you might guess, this page isn't really maintained, and rather tricky to use.

The file must somehow be listed multiple times in /usr/local/etc/php/extensions.ini

Don't put your wifi users behind routers. Put them behind access points (bridges) so the captive portal sees both the client MAC address and IP address.