hi there. i am on pfSense 2.0-BETA5-pfSense (i386)  still the same the voucher time does not stop even the user has logout. A user with 30 minutes voucher time and logout after 10 minutes, when the user comes back after 20 minutes the account is already expired. It is supposed to be the user still can login because it has a 20 minutes remaining. Hope this feature would be included in the next or future release. regards, sarhento

Thank you, muchly appreciated  ;D

If CP doesn't redirect it's one of two things, you either aren't allowing the initial HTTP request in your firewall rules on that interface, or your DNS isn't functional.

Man, almost a whole day of messing with this and it turns out that the CA/chain file I downloaded was in DOS format (CRLF rather than just CR).  I ran it through "dos2unix" and re-copied it and all is well.  cat -v is your friend!

wow this is great and is a much needed feature captive portal cannot do without however – doing this for like 100 or so users is very tedious.  >:(

I run a captive portal with HTTPS auth that handles about 150 concurrent users on version 1.2.3.  If you can get it to run in 2.0 I would recommend it only because most certificate authorities use intermediate certs that you would need to put in the chained certs field.  In my case that meant patching the GUI because the webserver supports it but the GUI did not.  If you can't use 2.0, here's the link for the patch. http://forum.pfsense.org/index.php?topic=10888.0 Worked great, now I can use the Comodo wildcard cert we bought for our domain.  Good luck.

This does not work… if ($_POST['logout_id']) {    echo << <eod<br><title>Disconnecting…</title> You have been disconnected. EOD;    register_shutdown_function(disconnect_client,$_POST['logout_id']);    exit; –- As stated before the only thing that I have been able to make work is this... --- index.php 2011-02-06 16:24:13.000000000 +0000 +++ index.php.new 2011-02-06 16:16:27.000000000 +0000 @@ -412,29 +412,7 @@  */ function disconnect_client($sessionid, $logoutReason = "LOGOUT", $term_cause = 1) { global $g, $config; $cplock = lock('captiveportal'); /* read database */ $cpdb = captiveportal_read_db(); $radiusservers = captiveportal_get_radius_servers(); /* find entry */ for ($i = 0; $i < count($cpdb); $i++) { if ($cpdb[$i][5] == $sessionid) { captiveportal_disconnect($cpdb[$i],$radiusservers, $term_cause); captiveportal_logportalauth($cpdb[$i][4],$cpdb[$i][3],$cpdb[$i][2],$logoutReason); unset($cpdb[$i]); break; } } /* write database */ captiveportal_write_db($cpdb); unlock($cplock); mwexec_bg("/usr/local/captiveportal/captiveportal-disconnect.php $sessionid $logoutReason $term_cause"); } Where /usr/local/www/captiveportal/captiveportal-disconnect.php contains the following –- #!/usr/local/bin/php -f require_once("functions.inc"); global $g, $config; $sessionid = $argv[1]; $logoutReason = $argv[2]; $term_cause = $argv[3]; if ( $argc != 4 ||  $sessionid == "" || logoutReason == "" || $term_cause == "" )    exit; echo "$sessionid $logoutReason $term_cause"; $cplock = lock('captiveportal'); /* read database */ $cpdb = captiveportal_read_db(); $radiusservers = captiveportal_get_radius_servers(); /* find entry */ for ($i = 0; $i < count($cpdb); $i++) {    if ($cpdb[$i][5] == $sessionid) {        captiveportal_disconnect($cpdb[$i],$radiusservers, $term_cause);        captiveportal_logportalauth($cpdb[$i][4],$cpdb[$i][3],$cpdb[$i][2],$logoutReason);        unset($cpdb[$i]);        break;    } } /* write database */ captiveportal_write_db($cpdb); unlock($cplock); ?> –-</eod<br>

this sounds like what we are after.  If you've got this working any chance of a walkthrough?

If i'm not mistaken, you can run PHP code in your CP login page.. so your CP login page can have a php code to check user_agent / browser  and redirect user to another CP login page based on that.. if you can only run 1 page for CP (as i see in pFSense) then you can try embedded iframe for that CP page and load pages from external (but still on the PFsense publicly accessible folder www/)

seems to be a little un-understandable if the users do not buy a voucher, they may use the wlan for free to see only one Domain. Nothing else but one single Homepage (and the login…) If someone is buying a voucher, he is allowed to access all the www... and sorry: My linux-knowledge and also my english is really not perfect...

I lowered the MTU enough but now CP will not even show the login screen. Something happened though because I lost the ability to surf to any webmail sites. I had to reboot to regain access to any webmail. I was planning on waiting til 2.0 is ready for production.

I dont know if its possible with the actual system of vouchers, because if u change the  key al the roll mess up. The easy way (but not full automatic) its generate a lot of rolls of what u need and put the csv in the system of sales, and comment line to line when a voucher its sold.

Hi, I do this with a small Routerboard and a Monowall in VM, just Captive Portal without Authentication and as landing Page: PAY YOUR BILL OR …........ RB450G, one firewall mangle rule: chain prerouting, source address (ip of the not paying guy), action: mark routing, new routing mark "payurbill", one ip-route (new route, 0.0.0.0/0,  mono-VM as gateway, routing mark="payurbill" --> voila I use m0n0 as it only uses 64 MB RAM in VM, 50% RAM free, no noticeable cpu requirements, should work with PFSENSE too, but 128 MB RAM. Or try the 2.0 BETA (!) with multiple captive portals, only one other interface or VLAN (Not tried the VLAN thing) for another captive portal (I do not know if you can have differenet landing pages for different CP'S on different Interfaces though...) If you dont like VM, a alix board (150$) with 3 lan interfaces, even the smaller one with 433 MHz Geode and 128 MB RAM is sufficiant for >10 Mbit/s throughput with either PFSENSE or m0n0. Uses around 5 W of power, very small footprint, rackmounts available....

Can you provide screenshots of your Captive Portal settings, your OPT4 firewall rules and the Traffic Shaper setup.

What do you have selected on the CP config under "Authentication"? If it's set to "No Authentication" then people can click through. It should be set for the local user manager, I think.

Hi.  So having issues.  Not as easy as I was hoping… Configured Virtual pfSense. Left WAN rules open for testing. Installed Radius On Virtual pfSense with Radius installed. Added Client: Client IP: (My WAN on Home_pfSense) Shortname: MHDHOME Shared password: abc123 Desc: Test 3. On pfSense Firewall at Datacenter Add port forwarding to port TCP 1812 to pfSense Virtual WAN port 10.20.30.210 from external IP Add port forwarding to port TCP 80 (HTTP) to pfSense Virtual WAN port 10.20.30.210 from external IP Successfully connected to port 80 via public IP confirming access. 4. On Home_pfSense. Assigned OPT1 10.20.10.1/24 Enabled DHCP and set dns to 10.20.10.1 Enabled Captive Portal on OPT1 Selected radius Primary RADIUS server: entered public IP assigned to virtual pfSense for ports 1812 and 80. Entered shared password: abc123 Created custom pages. When logging on I am redirected to portal page.  After entering username and password for user I get: http://10.20.10.1:8000/ 500 - Internal Server Error When I look at the logs for radius: Tue Jan  4 05:01:08 2011 : Info: Using deprecated naslist file.  Support for this will go away soon. Tue Jan  4 05:01:08 2011 : Info: Using deprecated naslist file.  Support for this will go away soon. Tue Jan  4 05:01:08 2011 : Error: There appears to be another RADIUS server running on the authentication port 1812 Tue Jan  4 05:01:08 2011 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none? Tue Jan  4 04:57:23 2011 : Info: Ready to process requests. Tue Jan  4 07:48:29 2011 : Info: Using deprecated naslist file.  Support for this will go away soon. Tue Jan  4 07:48:29 2011 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none? Tue Jan  4 07:48:29 2011 : Info: Ready to process requests. Tue Jan  4 07:49:32 2011 : Info: Using deprecated naslist file.  Support for this will go away soon. Tue Jan  4 07:49:32 2011 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none? Tue Jan  4 07:49:32 2011 : Info: Ready to process requests. Tue Jan  4 07:58:16 2011 : Info: Using deprecated naslist file.  Support for this will go away soon. Tue Jan  4 07:58:16 2011 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none? Tue Jan  4 07:58:16 2011 : Info: Ready to process requests.

Thanks.  I am going to try it…