Thanks for reply. I was kind of hoping that the voucher would take precedence, but we will deal!

No, because those are hostnames that must resolve via DNS.

Is your network setup like: Client PC > Portal/pfSense > Proxy > Internet? Does it require authentication from users, or is your portal doing that (at least for the people who will be using it)?  I'm thinking the easiest way is just to add an exception to the proxy or router.  If I'm missing something, you'll have to forgive me.  It's been a few years since I've done anything with a proxy so "how a proxy works" isn't fresh in my mind.

I believe you could do this with a cron job.  You'd setup the job to copy that log file to an area on the drive every so often.  I don't see a way to setup cron through the WebGUI, so you'll probably need to SSH in or try the Diagnostics > Command Prompt (unsupported, release 2.0-RC1) method. I've never setup a cron job myself, but I have run across plenty of tutorials online that tell you how.

Pre-authentication redirect URL = http://firewallIP:8000/

As far as I know, this isn't working "out of the box". I am not sure, but I think there was a similar question in this forum and a workaround.

Depending on your firewall rules there, you probably need to have a pass rule for tcp/udp port 53 to the firewall's IP on that network, and you probably need to add 8.8.8.8 to the captive portal IP bypass if that DNS server is being directly assigned to clients.

Nope. It needs some effort nobody is willing or even thought to put towards this. You can contact pfSense support and see if this goes somewhere through that channel.

I too would be interested in such a feature. Perhaps it could be done using RAIDUS as the authentication method for both Squid and CP? Then have a PHP page coded to auth on both? I have no experience in setting up auth in either case.

Got to the bottom of it: It was a problem with the (cheap) CF card the pfSense was installed on and the Realtek NICs doing the watchdog timeout thing - basically, made a mess of the whole CP behaviour.  Have moved to new hardware and all is fine.

Nothing saying you have to remake them weekly, just make a bunch of rolls at a time. Individual vouchers are tracked, as they are no longer considered valid once they expired (if they have a time value).

I am using lightsquid for the reporting and it allows me to see and actually go to the sites where the users are going … the reporting is nice as it shows the users with the biggest usage etc and it has a daily and weekly overview Philip Van Cleven

@ermal: Now you can allow by dns name access in CP. This is on 2.0 latest snapshots. I tried the snapshot of 23 Feb 2011 on a Dell GX620 with one additional card (standard stock) and 1 Gig of ram. the software loaded without a hitch. I configured the captive portal (no users) and checked if it was possible to get to the internet and the answer was : display of the login to the captive portal (good) nothing configured in the captive portal –> no email in thunderbird going in or sending out (using imap.gmail.com and smtp.gmail.com) configured the captive portal --> allow host names and configured in one direction (from ) to allow the imap and smtp service on gmail thunderbird was able to receive and send emails while internet was still blocked –--------> success story!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! next question : how far are we from a release of the version 2 as I want to install this as soon as possible. I probably will install the snapshot already at the factory hoping it is stable enough? I normally have squid running and litesquid for reporting and a cron task to rotate the log files 15 users with no internet but email 10 users on captive portal 10 users not going through the proxy Philip

I know that the solution is not going to be that easy for you to do via pfsense.  Another solution which might help you would be something like http://www.hotspotsystem.com/.  You load the firmware up on your wireless access point and then set up the account.  Lots of solutions for CP pay for services, just search around.

@cmb: It's as secure as you're going to get at the gateway level. Your infrastructure at layer 2 (switch and/or AP) has to handle any other bad things that people try to do as that's beyond the firewall's control. +1 - Get better switches