@darnoldvcs said in Captive Portal Pass-through MAC Auto Entry is registering unauthenticated users: I have tested this on 22.05 & 23.01. What is / Is there a reason not to test de the current version - 23.05 ? For good manners : I use 23.05, as it removes issues present in 23.01 ;) With only this option checked : @darnoldvcs said in Captive Portal Pass-through MAC Auto Entry is registering unauthenticated users: Pass-through MAC Auto Entry: Checked/Enabled I had to identify with valid credentials, and then the MAC was added to the MACs table. These two : [image: 1686651040350-54a7c9c3-d164-4e80-b6eb-4253f72705bb-image.png] I have never tested these . But setting them to "1" both does expose what you've mentioned above. I still don't know what "Pass-through credits per MAC address" actually is. 1 hour ? or 1 "something" ? But, I've seen the same thing : with these to set to "1", the MAC address of my device was added right away in the MAC table, granting me indefinite access from that moment. That behavior doesn't match with the description When enabled, a MAC passthrough entry is automatically added after the user has successfully authenticated. edit : I've been looking around in the documentation. In the captive portal /usr/local/captiveportal/index.php file, around line 192 : [image: 1686655255382-8bf8f900-5314-4f43-ad58-f51ce72ea634-image.png] The function "portal_consume_passthrough_credit($clientmac)" return 'true' if these 2 : [image: 1686651040350-54a7c9c3-d164-4e80-b6eb-4253f72705bb-image.png] are set (bigger then 0). The if statement is true, so a log line is add to the captive portal log : captiveportal_logportalauth("unauthenticated", $clientmac, $clientip, "ACCEPT"); which means a user with MAC '$clientmac' and "unauthenticated" is added. Like : [image: 1686655542397-08c5ad14-4c20-4d73-bcd5-26b19c42f723-image.png] and then the mighty portal_allow( ....... ) is called. This isn't a real login, an "unauthenticated", is more a "temporarily accepted auto login". Nevertheless, because this is a new session, and "passthrumacadd" is set/checked (around line 2075 /etc/inc/captiveportal.inc) is now unconditionally added. Easy way out : these options are somewhat 'mutually exclusive'. The thing is : the captive portal logistics is ..... messy (I'm still looking for a better word) or somewhat what could be called as 'spaghetti code'. The main settings page makes the portal admin think that all kind of option can me used together. This is a typical case of : no way. edit : Change /etc/inc/captiveportal.inc : https://github.com/pfsense/pfsense/blob/5e92d678f642277642acb7f471cd430ed53aae16/src/etc/inc/captiveportal.inc#L2075 I tried to play with : if (isset($config['captiveportal'][$cpzone]['passthrumacadd']) && empty($config['captiveportal'][$cpzone]['freelogins_count']) && empty($config['captiveportal'][$cpzone]['freelogins_resettimeout'])) { which stands for If ("passthrumacadd" == checked) and both 'freelogins_count' and 'freelogins_resettimeout' are not set, then do the MAC add passtrough. But this was not a solution. There need to be a test to see if the MAC in case is in the grace ( freelogins_resettimeout ) period. This could be done by checking /var/db/captiveportal_usedmacs_cpzone1.db (cpzone1 is my captive portal zone name) ... My first advise still stands : @darnoldvcs please keep it simple(r). If possible, ditch the "passthrumacadd" option - and say sorry to your visitors : after a while (hard reset or IP change) : they have to login again. If these people are really, or more or less trusted users : give them another, more trusted network that doesn't use the captive portal.

@darnoldvcs If pfSense have native saml support,the user can make the most of captive portal with other 2FA,such as casdoor and other SSO solution. The pfSense can be the NAC.

@Gertjan Thank you for your response and effort, it all makes sense then.. I will try out the different DNS overrides and see how that will go.

@Gertjan Thanks

@johnpoz Thanks, I will do some more exploration today. I know that in the downloaded zip of the certs there is the: cert1.pem chain1.pem fullchain1.pem privkey1.pem The import into I pfSense only asked for the cert and private key. When I import into other applications like Synolgoy they ask for private key, certificate, and intermediate key chain. More fun on a Saturday... Solved it. Needed to use "fullchain1.pem" for the certificate field. Problem went away. It was your detailed walk though example that lead me to think to this. Thanks again @johnpoz

Hi, After few days of tests, the firewall's solution works. I'm still searching of to do that with FreeRadius and Groups.

Not exactly, I mean you connect using OpenVPN, so you did the first authentication user+password against a freeradius. That is what I'm doing now, an external freeradius authenticates "password+OTP" with a freeradius perl module. OpenVPN clients can connect to vpn server and when they are connected a captive portal asks for the second authentication factor. The main problem is that the openvpn client won't asks for a second auth, it only accepts user+password, so the workaround is use a "password+OTP" string on the password field. That can be done beause you know Google Auth OTP before the auth process, but with a SMS, email, ... sent you won't know that second "password" unless you did the first auth. BTW, I managed to connect to a captive portal disabling MAC filtering. @Gertjan said in Captive portal for OpenVPN clients to implement a MFA: @elbuit Isn't this a chicken and egg problem ? If you want to connect to the captive portal, your VPN client has to connect first. For the VPN client to be able to connect, you have to connect to the captive portal first. OpenVPN : if you want several choices to identify, you could consider using Freeradius as an authentication service for the OpenVPN server. Not the client btw. The OpenVPN client can only connect to a OpenVPN server. See here : Authenticating OpenVPN Users with FreeRADIUS LDAP can also be used.

@gertjan Thank you! That was the answer! I set the hard tie out to 30 minutes, 1 passthrough credit per mac address, and a 24 hour waiting period before they get another free credit.

@kabeda said in Is voucher in url still available?: I still don't know So you know what you're looking for. $_GET['voucher'] Open source ... heard about that one ? So, go here : https://github.com/pfsense/pfsense/tree/RELENG_2_6_0 Then click you way to /src/usr/local/captiveportal/index.php Look for, search, Ctrl-f "$_GET['voucher']" on that page. It's there Next test : on your pfSense, you have the console access. Use it. Use option 8. grep "GET\['voucher'\]" /usr/local/captiveportal/index.php You'll find the same thing. Btw : when you use vouchers, it's important that you have this https://github.com/pfsense/pfsense/blob/master/src/etc/inc/captiveportal.inc#L156 in your own portal (html) page. You can add PHP into your html portal page. [image: 1684144832255-7ddeeee5-e9a5-49bd-ba4e-c955e20eab41-image.png]

Hi, I think I finally found how to do it. first, in /user/local/www/services-captiveportal.php find and add what are in remarks if ($a_cp[$cpzone]) { $cpzoneid = $pconfig['zoneid'] = $a_cp[$cpzone]['zoneid']; $pconfig['descr'] = $a_cp[$cpzone]['descr']; $pconfig['cinterface'] = $a_cp[$cpzone]['interface']; $pconfig['language_cp'] = $a_cp[$cpzone]['language_cp']; // get the language from the config // Check if is not set then get the global language if (!isset($pconfig['language_cp'])) { $pconfig['language_cp'] = $g['language']; } // Check if is not set then get the global language $pconfig['maxproc'] = $a_cp[$cpzone]['maxproc']; $pconfig['maxprocperip'] = $a_cp[$cpzone]['maxprocperip']; and $newcp['descr'] = $_POST['descr']; $newcp['language_cp']=$_POST['language_cp']; // get the language from the post variables $newcp['maxproc'] = $_POST['maxproc']; and $section->addInput(new Form_Select( 'cinterface', '*Interfaces', explode(",", $pconfig['cinterface']), get_configured_interface_with_descr(), true ))->addClass('general')->setHelp('Select the interface(s) to enable for captive portal.'); // add the input in the form $section->addInput(new Form_Select( 'language_cp', '*Language', $pconfig['language_cp'], get_locale_list() ))->setHelp('Choose a language for the Captive portal'); // add the input in the form $section->addInput(new Form_Input( 'maxprocperip', 'Maximum concurrent connections', 'number', $pconfig['maxprocperip'], ['min' => '0', 'max' => '100'] ))->setHelp('Limits the number of concurrent connections to the captive portal HTTP(S) server. This does not set how many users can be logged in ' . 'to the captive portal, but rather how many connections a single IP can establish to the portal web server.'); then in /usr/local/captiveportal/index.php after header("Expires: 0"); header("Cache-Control: no-cache, no-store, must-revalidate"); header("Pragma: no-cache"); header("Connection: close"); global $cpzone, $cpzoneid; $cpzone = strtolower($_REQUEST['zone']); $cpcfg = $config['captiveportal'][$cpzone]; add $lang = $config['captiveportal'][$cpzone]['language_cp']; // get the language from the config putenv("LANG={$lang}"); setlocale(LC_ALL, $lang); textdomain("pfSense"); bindtextdomain("pfSense", "/usr/local/share/locale"); bind_textdomain_codeset("pfSense", $lang); // apply like done by pfsense That's all it works for me, I don't know how to show the changes with github.

@gertjan btw, I change mode to "last login" in the captive portal setting then it work fine for me, clients should re-enter the code at the time DHCP lease.

@gertjan said in OpenVPN in captive portal: Btw : what is your pfSense version ? edit : Who/where is the VPN server ? @andoniar78 said in OpenVPN in captive portal: Pass-through MAC [image: 1683114642750-e55af6a3-4fb1-4801-bcb5-2fa953527897-image.png] If you have a device with aa:bb:cc:dd:ee:ff, then there won't be any captive portal login page, the connection will be transparent, like if there was no captive portal at all.

@gertjan said in My captive portal: @bamb If you enable the logout page in pfSEnse, you are only half way. The browser on the device should also accept and show the popup window. Guess what : most users disable them ;) A good plan B is : have the users auto logged out if they don't use the connection any more. Set the soft time out to 15 minutes or so. Indeed, that is a good plan B.

@vanlier said in Captive portal shows blank page: Here is the situation before activating captive portal: clients connect to wifi they get a 192.168.50.x ip address from dhcp with dns 192.168.50.254 they can browse the internet (dns resolution and internet access are working) Important test ! Good to know. @vanlier said in Captive portal shows blank page: Here is the situation after activating captive portal: clients connect to wifi they get a 192.168.50.x ip address from dhcp with dns 192.168.50.254 nothing happens Using the 'default' build in login page, right ? You can't say that 'nothing happens' : you can't 'see it', but something happened. Every OS on planet earth will throw out a http:// request as soon as it obtained a DHCP lease. Check here : Status > System Logs > System > GUI Service Every OS using it own http request. For my iPhone it's : [image: 1682693584691-7e36196f-217b-4a17-9877-daf6a1b8770f-image.png] This is the page that it want to download : http%3A%2F%2Fcaptive.apple.com%2Fhotspot-detect.html Better known as : http://captive.apple.com/hotspot-detect.html Click on it and you'll see what happens. You should see this : [image: 1682693699106-001ff859-b0db-45f1-9b9e-0bc6908dd1b0-image.png] If the html page doesn't contain "Success" then the device start to presume a captive portal is might be present. Now, the OS launches a stripped down web browser, bot the full fledged IE, Chrome, Edge, Firefox, but a small bare bone browser. It's launched with the same web destination : http://captive.apple.com/hotspot-detect.html First, again, "captive.apple.com" will get resolved (was already found during the same test, some ms before). Then the browser connects to the IP on port 80 (remember : http), and asks for the page /hotspot-detect.html On the pfSense side, this "some destination IP : port 80 " request gets redirected to the internal login portal web page server on port 800x" with the help if a firewall rule (pfSense 2.6.0 : ipfw rules - the newer pfSense uses pf now). The portal page web browser does just one thing : it redirect the requesting browser to (your case) http://192.168.50.254/index.php?zone..... [image: 1682694179643-2f7a3e58-2899-4c32-9b94-f94427ceeef0-image.png] It also adds a 'zone' parameter, and 'redirect' parameter. The result will be of course : the captive portal login page shows up. So : to make this work, one thing needs to work for sure : DNS. The captive portal firewall rule works, that is for sure. If not, Netgate and FreeBSD will go out of business tomorrow. [https://docs.netgate.com/pfsense/en/latest/troubleshooting/captiveportal.html](link url) Btw : you already know that the 'default' pfSense 2.6.0 needs portal patches, right ? @vanlier said in Captive portal shows blank page: Disable mac filtering That's of if you want to 'break' things. @vanlier said in Captive portal shows blank page: Set various redirect urls https://www.google.com works fine. @vanlier said in Captive portal shows blank page: add firewall rule allow any any on interface "guest" The GUI firewall rues ? None is needed (I guess ?), the authentication will still work. But as soon as authenticated, yoy can go no where. Use the default LAN pass all TCPv4* rule to begin with. @vanlier said in Captive portal shows blank page: However when opening the same page with the pfsense ip in the guest subnet (http://192.168.50.254:8002 Invalid request. The ?zone=xxxx parameters needs to be present. These : [image: 1682694908331-7e93c7cc-43b6-4993-b5b5-f95007ac3f26-image.png] don't work for you ?

@ertegun You just allowed (white listed) all the IP addresses, starting from 192.168.60.1 to 192168.60.254, or, the entire /24 network. Your entire captive portal network ? All these devices that get an IP in that network assigned, will pass through the portal without seeing any login page or what so ever. You might as well shut down the captive portal completely : that works also great. The issue (if I recall well - 2.6.0 is a long time in the past for me) was : pfSense 2.6.0 only passes TCP traffic, not ICMP, neither UDP. That was a big bug, and breaked a lot. As said on the first line, above : @moelharrak said in Captive portal block whatsup: After upgrade to 2.6 captive portal is blocking whatsup (audio and video, chat works fine), I did test other app like instagram and it's works fine. when I disable the captive portal, whatsup goes back to work normal. See also : UDP/ICMP is not working after upgrade to 2.6.0 I guess it's still a question of : install the System patches package, then apply all the patches listed in this package. Done.

@gertjan I understand. When I mentioned that I preferred a minimum downtime of 15 days, it is because I see no sense in users logging in daily, since they already belong to the institution. In the case of a hotel it is different, because people stay for a few days and leave. In my case, I wanted sessions to be disconnected only when users took vacations or I no longer belong to the institution. Anyway, now I understand the process. Now I'm just going to decide which way to go. Thank you very much for the clarification !!!

@cxcx_avjj Hummm. After a success login, I simply redirect the user to the known : [image: 1680679212827-95300287-8e35-4a7f-823b-a26585729c92-image.png] as that would make the user understand he is 'online'. But I could also redirect to a "home made", locally available web page, like the portal login page. This file should be uploaded with the Services>Captive Portal>CPZONE>File Manager Be aware : the prefix "captiveporal-" will get prefixed. Take a look at what this button shows you : [image: 1680679588280-c3c27d9a-d1d4-4fb1-9c2d-c7c7bc0515fc-image.png] You will see the login page. And more important : the URL used, with the port number, as it is not port 80 (http) or 443 (https). Probably a 800x port. And the zone ID used with a parameter called 'zone'. So, this is posisbile : [image: 1680679841607-ec125b9e-23a2-4703-86f7-640e3760853a-image.png] Where : https://portal.yourzone.tld = your captive portal URL - I'm a https access :8003/ The port of this 'cpzone1 ID access captiveportal-recap.html My home made file called 'recap.html' ?zone=cpzone1 My zone ID of this portal zone The "recap.html" html can have use PHP ! And because you can use PHP, and the recap.html is called with the "?zone=cpzone" parameter, you can now access whatever you want ! Take /usr/local/captiveportal/index.php as an example. You'll see how it extract the zone argument. If, for example, you use vouchers, you can test vouchers for time left : Status > Captive Portal > CPZONE > Test Vouchers Just take a look at /usr/local/www/status_captiveportal_test.php and you'll know how to extract the time from a given voucher. How do you know what voucher is used ? Well, your 'recap.html' can obtain the IP your device is using. With this IP, and the "connected users database" (see /etc/inc/captiveportal.inc - this file is a must-read-and-understand) you can get the user login code, which is the voucher code. With the voucher code you can obtain the time left. Want to know what the default popup logout window does - or how to log out a user? Again, go have a look at /etc/inc/captiveportal.inc So, yes, the sky is the limit. An yes, this goes beyond what you can find in the GUI.

@timboau-0 said in Traffic Quota reset period (Caravan park use): Each 'site/user' can login using their site number and a password Probably better to use a unique number like a reservation number. If you use a "site" (place) then you have to deal with overlapping between clients. Freeradius makes it possible to put a "Expiration Date" on every created user so you don't have logout ueser yourself. You can clean up the 'users' list at the end of the season, and enter new ones when reservations come in. A reservation number would be unique, and will be invalidated when the client leaves, as arrive and leave dates are known upfront. This will also take care of traffic quota per user : everybody uses it's own traffic quota counter Daily traffic quotas can be reset 'every day' : [image: 1680678551810-24409d3c-c3a3-4145-912c-81d6067f78c1-image.png] I have a cron task that reset the daily 'used' counter every day at noon : [image: 1680678950927-8ce20f01-a374-4ca9-97cd-86af32cd6180-image.png]

I may have resolved this. I had the captive-portal zone configured as [image: 1680301806015-captive-portal-page-head.png] [image: 1680301805947-captive-portal-accounting-start-stop.png] I changed Send accounting updates [image: 1680301805997-captive-portal-accounting.png] Now, when I submit the SQL query, SELECT radacctid,username,acctstarttime,acctupdatetime,acctstoptime,acctinterval,acctinputoctets,acctoutputoctets FROM radacct multiple times, I see ( in long format again ) query name value <int> <chr> <chr> 1 1 radacctid 1 2 1 username ec:92:de:1b:16:4d 3 1 acctstarttime 2023-03-31 15:07:43 4 1 acctupdatetime 2023-03-31 15:10:55 5 1 acctstoptime NULL 6 1 acctinterval 60 7 1 acctinputoctets 257562 8 1 acctoutputoctets 10413921 9 2 radacctid 1 10 2 username ec:92:de:1b:16:4d 11 2 acctstarttime 2023-03-31 15:07:43 12 2 acctupdatetime 2023-03-31 15:11:56 13 2 acctstoptime NULL 14 2 acctinterval 61 15 2 acctinputoctets 283941 16 2 acctoutputoctets 11085058 17 3 radacctid 1 18 3 username ec:92:de:1b:16:4d 19 3 acctstarttime 2023-03-31 15:07:43 20 3 acctupdatetime 2023-03-31 15:12:57 21 3 acctstoptime NULL 22 3 acctinterval 61 23 3 acctinputoctets 530469 24 3 acctoutputoctets 20836789 25 4 radacctid 1 26 4 username ec:92:de:1b:16:4d 27 4 acctstarttime 2023-03-31 15:07:43 28 4 acctupdatetime 2023-03-31 15:24:06 29 4 acctstoptime NULL 30 4 acctinterval 60 31 4 acctinputoctets 530469 32 4 acctoutputoctets 20838821 The accountupdatetime value increases across the 4 queries and the acctstoptime is NULL ( the session is still active ). The values of acctinputoctets and acctoutputoctets are ( monotonically ) increasing.

@turntheterribletank said in maximum daily usage time error following update to 23.01: You're setting Accounting Interim Interval to 600 AFAIK : because I'm using accounting with my captive portal settings : [image: 1680240062828-58b2ae93-2be5-4e23-9630-566a7e5921bf-image.png] Strange that you have these fields set to "0" when the same fields are empty on your FreeRadius user settings page. I don't have these "0" parameters. The presence of the Exec-Program-Wait = "/bin/sh /user/local/etc/radbb/scripts/datacounter_auth.sh Test daily" doesn't look good at all. See what the script does. Check for yourself if a file like /var/log/radacct/datacounter/daily/max-octets-Test exists. If that's so, and it contains '0' then yeah, when the user logs in he will already have generated more then "0" bytes so he'll be logged out right away.