• Allowed IPs in Captive Portal pfSense 2.7.2 does not work

    2
    0 Votes
    2 Posts
    196 Views
    GertjanG

    @msalavee

    It's always a language issue ;) See your other post.

  • Why does Captive Portal not work with IPv6?

    10
    0 Votes
    10 Posts
    1k Views
    A

    After two years of work, I was able to create a captive portal system on IPv6.

    Installation guide on YouTube:

    https://youtu.be/iNjzQ0beCaA?si=6PNOC3vEFhUfPJe4

    Download link for the trial version:

    https://drive.google.com/file/d/1cbmzbUVbu6Wg_kWNLfXjOb7QZB8LlZFS/view

    Best regards

  • Relationship between uploaded HTML and index.php in Captive portal.

    2
    0 Votes
    2 Posts
    434 Views
    GertjanG

    @Intone said in Relationship between uploaded HTML and index.php in Captive portal.:

    the relationship

    When the device hits the captive portal's web server at @IP-Portal:800x the index.php is used.
    "index.php" because : see the nginx main configuration file - one for http and one for https.

    [image]

    If the user isn't already logged in, index.php doesn't match and falls through up until this point.

    The function portal_reply_page is called with $type set "login" so the main 'html' login page is sourced (line 1835), this is your uploaded html file, variables are put in place, stuff like #PORTAL_ZONE#, and then the magic happens at line 1868.

    echo $htmltext;

    and done.

    When you hit "Connect", now you're 'posting', the same index file is used, and you reach the most common point where user and password entries are tested, and if ok, access is granted.

    short survey : You can use php in your self-made 'html' page. edit : go for the easy mode : create a link text (URL) that links to another web page that you upload into pfSense. You will have to write some back end code (script) to handle the user input.
    Get a copy of the default built-in login page (you can see it here) for an example.

  • 0 Votes
    6 Posts
    356 Views
    GertjanG

    @andreychernik999

    Not something you can do on pfSense.
    And not an issue either.

    As soon as devices are connected and authenticated against the captive portal, everything works as if there was no captive portal.
    So gmail, whatsapp, telegram and everything else just plain works.

  • Captive Portal Freeradius With CCTV

    3
    0 Votes
    3 Posts
    235 Views
    GertjanG

    I saw your network diagram.

    Normally, afaik, captive portal users are non-trusted users.
    Cameras, normally, should be made accessible to trusted users.

    Try this : declare every camera as a host in one of these :

    [image]

    so no portal access rule (and counters) are used to access the cameras ?
    (I'm not sure but easy to try out )

  • How can I get a user sent/received size

    2
    0 Votes
    2 Posts
    174 Views
  • modify index.php to display data from specific files

    1
    0 Votes
    1 Posts
    139 Views
    No one has replied
  • Problem whith captive portal

    9
    0 Votes
    9 Posts
    461 Views
    A

    @Gertjan Yes but it didn't work, the problem was still there

  • pfSense Captive Portal + FreeRADIUS + SQLite Configuration Issues

    2
    0 Votes
    2 Posts
    328 Views
    GertjanG

    Using SQL and choosing SQLite ?
    Didn't know that was possible / was an option.
    I use FreeRadius, but use a 'SQL' server (MariaDB on my NAS).

    "SELECT value FROM radcheck WHERE username = '$username' AND attribute = 'Max-Monthly-Data'");

    Did you modify the FreeRadius config files manually so it adds "attribute" in the radcheck table ?
    I see just this :

    [image]

    = the user name and password. No other columns.

    edit : wait : by default, this table is empty as pfSense uses the GUI to create a file ( this file : /usr/local/etc/raddb/mods-config/files/authorize ) that contains the users, passwords and some other stuff.

    Beware : FreeRadius can have thousands of options, pfSense uses (enables) just a few of them.
    The rest is hard coded / not used.

    @fakearia said in pfSense Captive Portal + FreeRADIUS + SQLite Configuration Issues:

    Why is this happening, and how can I prevent it?

    pfSense controls the construction of config files of every and any process on the system.
    That's the core essence of what pfSense is all about.
    If you want to have your own config files, you should modify the files that create these files (modifying pfSense itself).

  • Captive Portal + freeradius + LightSquid

    4
    0 Votes
    4 Posts
    282 Views
    GertjanG

    @ricardocasagrande said in Captive Portal + freeradius + LightSquid:

    so, maybe you have a better solution for my problem.

    Normally, there is the concept of being responsible for what is done with your Internet connection.
    So when I set up a captive portal for a hotel somewhere in 2006 using m0n0wall (pfSense was forked from it), I was looking into securing what portal clients could access.

    Today, I'm using pfBlockerng to block the most obvious host names (DNSBL) and if I suspect something, I can route all portal traffic over a VPN connection.

    Never had any issues with my ISP, even though I know they are looking, as I saw the warnings they send out when they detect something : a couple of my friends / neighbors were 'caught' while streaming and/or sharing "Disney content".

    The real streamer / downloader uses a VPN anyway. Or is just too scared to connect to a network he doesn't know/trust.

    And, IMHO, all this has nothing to do with pfSense.
    If you want to use a proxy so you can analyze content, you need to know :
    What the "Internet" actually is, down to the packet.
    You need to know how proxies are set up and maintained.
    You need to have a good list with rules so you can actually detect something.
    You have to stay on top of it permanently, as handling false positives will happen all the time.
    More and more sites just can't be proxied anyway.

    I've decided already a long time ago : it's not worth it.

    I already host my own web servers on my own dedicated Debian 12 server, a "big iron" device. I'm doing my own DNS domain name zone hosting using bind. When that was running, I've added DNSSEC everywhere, added my own postfix mail server for all my domains, fully compliant with all the modern mail constraints. No GUI whatsoever to maintain all this, everything is set up the old way.
    All this to say : I've started to know what 'Internet' is, and I know also I still don't know enough.

  • Captive portal is not displayed in Windows 10

    10
    0 Votes
    10 Posts
    2k Views
    GertjanG

    @brunow said in Captive portal is not displayed in Windows 10:

    Could the request be stopping at the switch?

    If it has broken ports, or you are using bad (broken) cables, then yes ;)

    A switch, a non-administered switch, can't block anything.
    If the switch is manageable, then call the admin of the switch. Let him solve the issue, or fire him.

    Your image is a physical setup of your network, with some details about how the "Virtual" part is assigned. I've never used the devices you use, except pfSense. So all I can say is "... ok ...."
    I don't use VLAN at all, as I have to apply the rule "keep it simple" as this implies "nothing to learn".

    Btw : Why would you keep a Mikrotik in place if you have a pfSense ;)

    My advice : use a router, and this could be any PC you find out there, add an extra 5 $ network card into it, or better : a quad NIC if you want more interfaces (and wind up with a situation where you don't need VLAN, so one big can of worms less) and you have the perfect setup to test about everything, captive portal included.
    Later on, with the acquired experience, you can go wild with convoluted setups but I'll bet you'll say : "no-way ..."

  • Is possible to change https port on captive portal

    7
    0 Votes
    7 Posts
    397 Views
    D

    Many thanks!

  • Pfsense with only one network board

    5
    0 Votes
    5 Posts
    289 Views
    B

    @Gertjan Thanks, man. You really help me

  • shell error output

    2
    0 Votes
    2 Posts
    190 Views
    GertjanG

    @publictoiletbowl

    Normally, I would tell you : upgrade, and see what new development offers you.
    24.03 is out there for months now, and rock solid.

    But .... when upgrading, everything goes up, and old stuff 'that used to work just fine' disappears. Old security issues also.
    Like the openssl libraries and the functionalities it offers. Everybody wants 4096 ... no 8192 bits (size !!) RSA encryption these days.

    Your question is : you want the "10 bit" encryption ... euh, yeah, sorry, that was probably ditched for 'security' reasons.
    After all, who (go count them) uses openssl to make 'voucher' codes, and tries to make them as small as possible ?
    I don't say it isn't possible anymore, but you have to dive into the openssl doc to see what is possible.
    To get the OMG experience, type :

    openssl help

    edit : so, for once : downgrade way back to the version of pfSense that had the possibility to make 'small vouchers' 😊

  • no message notification

    3
    0 Votes
    3 Posts
    139 Views
    P

    @Gertjan thanks for reply, it works now
    [image]

  • how to prevent users for wifi tethering/sharing

    6
    0 Votes
    6 Posts
    2k Views
    johnpozJ

    @colleytech you could use say snort for example

    As I said 2 years ago.

    Other option might be doing something with IPS package..

    https://docs.snort.org/rules/options/non_payload/ttl

    But different OSes can use different default TTLs, so you would most likely need multiple rules with different values. Unless you knew all the devices on your network used a specific ttl. Which is unlikely in a scenario where such detection would make sense. I could see it as a way to detect users using multiple devices behind another device to circumvent a captive portal for example.

    Where they have to pay for access or something. Keep in mind - that it is possible for the natting device to manipulate the traffic so the drop in ttl is not done.. Which would defeat this detection method.

  • Captive Portal - Change Default Gateway

    7
    0 Votes
    7 Posts
    329 Views
    E

    @EDaleH
    Same screen, alternate route to it in the menu. The Gateways must match the one(s) set in Interfaces, WAN when changing the Gateway. I do this all the time when I restore a Production Server to the Lab setup, the gateway setup always changes. Lately I have gotten lazy and edit the config.xml file before restoring it, as follows:

    <interfaces>
      <wan>
        <enable></enable>
        <if>igc0</if>
        <blockpriv></blockpriv>
        <blockbogons></blockbogons>
        <descr><![CDATA[WAN]]></descr>
        <ipaddr>192.168.123.111</ipaddr>
        <subnet>24</subnet>
        <gateway>WANGW</gateway>
        <spoofmac></spoofmac>
      </wan>
    and:
      <defaultgw4>WANGW</defaultgw4>
      <defaultgw6>-</defaultgw6>
    </gateways>

    By editing config first, it enables internet access sooner for the package installs and that is less likely to time out during the restore if you don't edit it fast enough. I do go and get a coffee though so it has the side effect of more coffee consumption.

  • Help with CP on OPT1

    14
    0 Votes
    14 Posts
    602 Views
    R

    @Gertjan said in Help with CP on OPT1:

    Looks like it's working now ?

    It seems so, just a mystery as to why? My test methodology is typically to change something, test and restore if it doesn't work.

    Perhaps it was just the devices acting out of sorts. (We have a lot of Chromebooks come through here)

    I will try and get the prod setup working...

  • Multiple Vlan with Captive Portal

    3
    0 Votes
    3 Posts
    297 Views
    E

    @rsumook
    Follow Gertjan's advice but it might help if I provide a step by step overview perspective:

    If you have multiple captive portals on VLans, you likely have a LAN on 192.168.1.1, an OPT(X) interface with those VLANs utilizing it. Check Interface, Assignments and verify you have at least WAN, LAN and an OPT(X) interface defined. (Note on Netgate appliances with the Marvel switch, you can associate the VLan without using a physical interface as the interface is a "logical" one.)

    Now check Interfaces, Assignments, VLANs and make sure all of your VLans are there, typically listing association with OPT(X) in the interface column. Note: it is not unusual for them to be associated with the wrong interface, particularly after a restore to a different pfSense computer.

    Next go back to Interface Assignments and make sure you have an Interface also listed for each VLan. If not, define/associate them to match the above configuration.

    At this time, think about the way the data flows to and from your Access Point. The Access Point needs to have a station ID with a VLan enabled and the VLan Tag must match the Tag of the VLan definition in pfSense. Think of that data passing through the AP, getting "tagged" with the VLan ID (10,20 or 30 in your example). Your switch must use L2 routing to ensure that "tagged" data packet can flow from the port the AP is plugged into and be routed by the switch to the port the OPT(X) cable is plugged into. (note: it is common, but not necessary, to have the switch route everything to every port, just enable/associate the specific VLans tags you need with the Port(s)). This will ensure that pfSense receives your tagged data and can decode it correctly for routing to the Captive Portal.

    Go to Services, Captive Portal and you will see the defined Captive Portals and note that the interface column value matches the Interfaces, Assignments value. Click on each Captive Portal and make sure it is enabled and associated with that same interface. If you want a login page instead of a simple "accept" prompt, also make sure an authentication server is assigned and that you have credentials there for testing (note, for local database, the user needs Effective Privileges, PortalLogins).

    Next check the Firewall, Rules and make sure your data can get to/from the WAN for each and every VLan. The easiest way is to setup a default any to any rule and restrict it further as necessary after you get it working. Note: once debugged, you may want to restrict all VLans so they can't load webconfig on 192.168.1.1 or communicate with the other VLans. This will make your setup more secure for your users.

    In order to work, the device connecting to the Captive Portal needs an IP address and that address must be in the range of addresses assigned to that VLan. That is done by assigning a DHCP Server to the Interface associated with the Captive Portal/Vlan Tag. (Note: if you are using RFC8910, you must setup a DHCP option 114 and that requires ISC as Kea does not yet support options). Check that all of your Captive Portals have DHCP setup.

    Whew... Now you can test your portal(s). First connect a device to the WiFi Station ID associated with the VLan Tag, Captive Portal Interface. If you do not see the default login screen you need to start by ensuring you have an IP address so check Status, DHCP Leases and you should see that your device got a lease and what the IP is. If not, you have a problem with the AP communication with pfSense, check the switch setup and Interface the VLan is on.

    If you are missing a login screen and have no Internet access, but do have a valid IP, then perhaps you have not triggered the Login. That must be done through an http://domain.ext. I use neverssl.com to see if it will trigger the login page but that is mostly applicable to desktop and laptop computers. With Phones/Tablets they often will not allow http:// traffic through and have to be told how to load the Captive Portal login page directly as Captive Portal cannot decode https traffic to be "aware" of a desire to use the WAN, thus no login page is sent in lieu of the requested url. That is where DHCP option 114, or RFC8910 comes in. See "captive portal is not working on mobiles" topic in this forum. https://forum.netgate.com/topic/184936/captive-portal-is-not-working-on-mobiles/37.

    I hope that helps.

  • Captive portal

    5
    0 Votes
    5 Posts
    338 Views
    GertjanG

    @zwo said in Captive portal:

    Dlink Dir 851

    A router.

    @zwo said in Captive portal:

    tp link APS

    Google doesn't know what that is. That's ... strange.

    @zwo said in Captive portal:

    cumbiam force 200

    ? > cambium force 200 ! ... that's ... dono ...

    An example : I've some 'routers with Wifi' that I've downgraded to 'dumb' access points : the good old famous WRT54GS (was linksys before, now Cisco - or something else) :

    My pfSense captive portal network uses a dedicated NIC : 192.168.2.1/24. I've set up a DHCPv4 server for this portal interface :

    [image]

    I've activated the pfSense captive portal on my 192.168.2.1/24 interface, mostly with default settings.

    I've reset my WRT54GS device.
    Then :

    [image]

    and the Wifi part :

    [image]

    save - reboot and nearly done.

    Hook up the router .. sorry - now access point using one of these 4 plugs :

    [image]

    and you're online !

    Btw : the same scenario (setup) is valid for nearly every device you can find out there.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.