@07stuntar1

The 'portal' should have access to the clients IP and MAC as these two determine what client has access. So L2 ok, not L3, as a down stream router would hide the IP and MAC.
The client should use the DNS of pfSense.

@07stuntar1 said in Captive Portal over L3 link:

Currently when enabled the captive portal cuts off network access to the client.

That's what a portal does.
A portal interface is typically a second or third LAN type network to which non trusted devices can connect. Most, if not all, devices these days detect the portal, and the login page will auto load. DNS should work to make this happen. https access is advised.

@esojmc https://docs.netgate.com/pfsense/en/latest/captiveportal/index.html#not-capable-of-reverse-portal

A reverse portal, requiring authentication for traffic coming into a local network from the Internet, is not possible.

@Gertjan @free4

The radius server is served via the internet. Its not LAN based. Does that matter? Re authentication does not take that long at normal operation.

@sujith34 said in Captive Portal Voucher PDF & QRCode Generator webservice:

knobelbecher.net

has already site issues to works on ....

Solutions that 'hook' into pfSense directly are always doomed to be abandoned.

@amitaussie any solution ?

@mohamed-elkhateeb

Has been published here on the (this) forum.
Sorry, my search button is out for the day.

edit : and repaired.
Here it is :

#!/usr/local/bin/php -q <?php /* Disconnect all clients on all captive portal instances */ require_once("/etc/inc/util.inc"); require_once("/etc/inc/functions.inc"); require_once("/etc/inc/captiveportal.inc"); global $g, $config, $cpzone, $cpzoneid; /* Are there any portals ? */ if (is_array($config['captiveportal'])) { /* For every portal (cpzone), do */ foreach ($config['captiveportal'] as $cpkey => $cp) /* Sanity check */ if (is_array($config['captiveportal'][$cpkey])) /* Is zone enabled ? */ if (array_key_exists('enable', $config['captiveportal'][$cpkey])) { $cpzone = $cpkey; $cpzoneid = $cp['zoneid']; captiveportal_disconnect_all(); } } ?>

Place the file with extension php in, for example, /root/

Make a cron entry like

59ff7d41-7aca-437c-82ac-c241dfa27e20-image.png

Pick time entries as you wish.
"pkg_check.php" must be the name of the file you created above.

Start by installing the pfSense cron package.

@gertjan said in Pfsense captive portal does not show on IPhone !!:

They don't care about de local castle from the 14 century.

heheh - I don't know when I was on business trips my favorite part was taking in the local history and stuff to do. This was mostly the local tavern ;) But still - hehehe

I spent a bit of time in Tulle on multiple occasions.. I had a couple of fav watering holes there.. One of my favorite spots was a little place tucked away on a side street, loved to sit outside and just watch the people going about their business and enjoy a few beers..

It was across from the cathedral there, and believe that was from the 14th century ;)

@gertjan

I have ssl certificate as https
I tried my login page with domain name
but i had ssl problem on phones, login page did not come on some outdated phones
Can't bring login page with domain name as http ?

@gertjan thank u man, for your reply...i'll see with dev team if we can work on it beacause i´m just the infra guy and maybe i´m doing the wrong questions...🤣

Xiami devices ?

You mean Xiaomi devices ? These are based on the Android OS, right ? So, they should work. I see the connected don my captive portal.

@kelvinmurik

Correct. "mysqli" requires "mysqli" support, which is different from the older "mysql" (-connect) library.

@gertjan Thank you, that's good info, ill see what I can get figured out. I really do need to upgrade all my routers, definitely worth a try to see if it fixes it.

What I understood :
Initially, everybody can obtain a free voucher, good for 12 hours.

@zuzu-0 said in Captive Portal Free Wifi with Hard Timeout & Vouchers:

no matter if you have a voucher or not

What do you mean by "voucher or not' ? People can connect without a voucher ?

The duration of a voucher can't be changed after creation.
When users switch from the "12 hours" to a "21 days", they switch vouchers, right ?

It is - in theory - possible to reset the "moment of first usage" of a voucher but this needs coding.

@zuzu-0 said in Captive Portal Free Wifi with Hard Timeout & Vouchers:

everyone who buys the Wi-Fi gets to type in the code every 12 hours

The "hard time" out will throw out any connection. Users that use vouchers that are still valid can / have to reconnect, that's correct. Probably not convenient for you, I understand.
You've tried a "hard time" out of "20 days" ?

@barrio603 said in Is letsencrypt.Org an option for https captive portal?:

would be

Your "would be" became a "must have" half a decade or so.
It's 6 years later now. The acme.sh pfSense package took care of things.

@papdee Nope, never used Traffic Shaper. you might be right but how can I verify that which config is overriding ?

@galacticfreez said in Captive portal and DNS Redirection:

I thought Apple Devices had different DNS configured and that it would avoid the captive portale to open. But it isn't the case (it seems this could help : https://developer.apple.com/news/?id=q78sq5rv)

That link shows what the future might look like. It's, at best, RFC draft today.
This solution only needs a working DHCP server, and some json/webserver support.
Initial DNS functionality becomes irrelevant, as captive portal interaction becomes possible as soon as the IP link is established.

iDevices - and all the others - work just fine with the current way of doing things.
I'm using myself the captive portal for a hotel.
It works.

@gertjan
No router, all my users on the server have the my server's ip adress .
For exemple, baracuda firewall install a program on the server whish link the sender's port with the user and send it to the Firewall.
https://campus.barracuda.com/product/cloudgenfirewall/doc/95259264/how-to-configure-ts-agent-authentication/

@gertjan Thank you👍 👍

@robinwright said in Apple devices not automatically opening CP Login:

Do use any filtering?

I'm not filtering, caching or whatever on my captive portal.
I use the captive portal so I can offer an controlled access to the Internet.
I'm not controlling content, as I think I have no right doing that. And I don't care.
If these people (adults) want to visit "the-worst-site-on-the-web.tld" than that is in their right. They want to look at all the publicity ? Perfect to me.
I offer internet "as it is", and not looking to store traffic they generated, or sites they visited.

Ok, true, I use pfBlockerNG (latest) and ones in a while I have pfBlockerNG also filter the clients on the captive portal interface. More for testing purposes, actually.
The film "Ready player one" (and Facebook themselves) gave me a good idea recently : No FB Fridays and Sundays.

[ I'm joking ]

Clients that use my captive portal and try to launch nukes from their hotel room using our Internet access, they will use a VPN - which makes any filtering on my side useless.
The good old 'http' only days are over.

@madmax1234

Yeah, there was something .... I've been using a patch for the captive portal back then.
I'm not sure it was disconnecting clients, though.
I've been using 2.4.5-p1 for months if not a year, way back then (2 years ago ?).

2.5.0 was better - 2.5.1 even better and 2.5.2 is just great : set it and forget it.

The real issue is : why do you chose to use a version that has already has ameliorations and bugs fixes for it ? true, they are all documented and discussed in the forum : 2 years ago.
I can't actually list up anymore aspects of 2.5.0 or even 2.5.1 ;)

edit : Coffee got my memory back : for 2.4.5-p1 there is are two rules that you have to apply :
Rule 1) Never change the portal settings when user are connected.
Rule 2) If you have to, go to Status > Captive Portal> ZONE and use the red button.

The same configuration on 2.4.5-RELEASE-p1 works without issue.
the issue on 2.5.x

@seekerman found somewere in the forum that this is a bug on version 2.5 fixed in development version.. ill try and let you guys know

@dwolfix wondering if you had this issue, when using radius mac authentication i get the hostname instead of the ip address in post action. if mac authentication disable y get the ipaddress and it woks fine

@gertjan Thanks for helping with this.
This is my first chance to get back on this. Everything works correctly now. I posted the wrong url- the one I posted was for the captive portal page and not the page that is re-directed to. Your last sentence was the clue I needed.
I used the CP page URL for the first part then added "/captiveportal-SH.html" on the end. That works perfectly. It passes the valid URL test and allows saving the config and then it works to redirect to the correct page.

For anyone reading this for help. If SH.html is the name of the file, file manager saves it as captiveportal-SH.html.
Then use the live view to open the CP page and note the URL. In my case the URL was http:/192.168.100.1:8002 and I added this before the file name.
Final result is http://192.168.100.1:8002/captiveportal-SH.html.
Thanks also to Jimp.

@robinwright said in Enabling HTTPS login certificate errors on http redirects:

they want MITM logging for public devices

Have the word 'public' removed.
MITM can work with devices you control and most probably own.
So you will know what happens on devices you control ... quiet logic as it would probably be 'yourself' operating these devices.
Or it could be devices that are given to employees. These are also under your control.
But there is no need to use a captive portals for these devices.

A captive portal is meant to be used for unknown - untrusted devices, belong to unknown people, and you want to 'offer' them a Internet connection. These people / devices do not use any local services / resources, just the connection.

@robinwright said in Enabling HTTPS login certificate errors on http redirects:

saying this just won't happen

Well ... he paying your hours, right ?
This isn't like "installing yet another Windows PC". Not the same 'qualification', neither ... ;)
Still : good luck ^^

Btw :
Look at https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security most 'big' sites use these HSTS certs these days.
When the device visit ones one of these HSTS sites, the cert is stored for a year or so. A later MITM type of connection gets detected and refused.
MITM is a 24/24 H job, new exceptions will constantly pop up and have to be deal with.

@tseip I have the same issue you describe. No portal offered to the clients.
I'm using 2.5.2 version in two different sites with HA on each.
It just stops working after some days on both sites (2 failures in 15 days) and the temporary solution is "edit and save".
I don't think the secondary IP is the reason, it's the standby and it's not used by the clients.
I looked at the logs but I don't find anything that looks interesting.

I had to install an old version of OpenSSL to get this to work. I did the following under Ubuntu WSL:

# (Install compiling library Make) sudo apt-get install make # (Download the latest OpenSSL 1.0.2g binaries) wget https://www.openssl.org/source/openssl-1.0.2l.tar.gz # (Extract the tar ball to the local directory) tar -xzvf openssl-1.0.2l.tar.gz # (Enter extracted OpenSSL directory) cd openssl-1.0.2l # (Configure binaries for compiling) ./config # (install configured binaries) make cd apps ./openssl genrsa 31 > key.private ./openssl rsa -pubout < key.private > key.public cat key.private cat key.public

@gertjan I have 3 different pfsense instances and I tested this on all 3 of them. After log out from captive portal, any HTTP request to allowed hostnames or ip address, fails. Making the functionality I described in my original post impossible to implement. I had to resort to an arbitrary sleep time of several seconds and a "please wait" message.

@jimp
The captiveportal- prefix is there.
In Captive portal file manager is named captiveportal-SH.html
The file uploaded was SH.html and the upload process renames it to captiveportal-SH.html
That is the name typed in the redirect URL box that causes the error. The name includes the captiveportal- prefix
Edit:
The full name in the redirect box is "captiveportal-SH.html".
Is that all that should be required?
Edit: Should it be http://192.168.100.1/captiveportal-SH.html

@ahmetakkaya said in Captive Portal Last Activity:

@gertjan

I already have my settings as in the picture

How can I query the last activity information on the accounting side or on the sql side?

I doubt the If the result of "captiveportal_get_last_activity()" is actually stored in the SQL database.
The 'acctupdatetime' (updated every 'actinterval' = env 600 seconds) together with acctinputoctets and acctoutputoctets could used to see if there was any activity during the last 'actinterval' seconds.

The radpostauth table contains an every minute a recheck of the login (if you enabled that feature).

A real time updating of the results of the "ipfw" can't be transmitted to Freeradius. Run radius -X for your self to see what is send between the pfSense captive portal and Freeradius.