• Captive Portal loss

    6
    0 Votes
    6 Posts
    847 Views
    F
    @shood said in Captive Portal loss: Thanks for the reply. The problem is as follows: when HA sync is enabled for captive portal, all users get, after a period of time, internet interruptions, "you are already connected", etc. See here: https://forum.netgate.com/topic/139883/captive-portal-disconnect Change between 8003 and 8005: 8003 captive portal page on slave, 8005 captive portal page on master. That is another issue (which already has a fix. See https://forum.netgate.com/topic/137824/pfsense-no-internet-when-it-is-said-you-are-connected/13 ). I created an issue on the bug tracker about the zones getting removed: https://redmine.pfsense.org/issues/9303
  • block websites to certain users

    10
    0 Votes
    10 Posts
    2k Views
    johnpozJ
    @fadygh said in block websites to certain users: server and set dhcp relay on tplink routers Huh? So you have downstream wireless routers doing nat? Just use them as AP.. Not routers..
  • Help with OpenDNS Captive Portal and Vlans

    2
    0 Votes
    2 Posts
    228 Views
    DerelictD
    Going to need a better picture. Too much guessing about how things are configured. What are the different hosts behind the captive portal given as DNS servers to use? How is that DNS server configured if it is one you manage? You have 3 WAN interfaces in load balance? Are you policy routing all traffic from the captive portal hosts to the same load balance group?
  • disable second authentication method

    6
    0 Votes
    6 Posts
    888 Views
    F
    You can disable the second authentication method by using Ctrl+Click (or Command+Click on Mac OS). Unselecting all "Secondary authentication servers" in the GUI will result in the "second authentication method" part disappearing from the login page. Also, vouchers are not considered an "authentication server". In order to enable them, you can go to the "voucher" page in your captive portal settings. Finally, if you want to create a custom captive portal HTML login page, you can tick "Enable to use a custom captive portal login page" in your settings.
  • Captive portal disconnect

    7
    0 Votes
    7 Posts
    2k Views
    GertjanG
    Normally, @free4 will drop in shortly to post " https://forum.netgate.com/topic/139488/voucher-database-synchronization/2 " edit : ah, you are already aware of this.
  • 0 Votes
    4 Posts
    1k Views
    Z
    @jimp Thanks, this reply helped a lot
  • Captive Portal logout page not working

    5
    0 Votes
    5 Posts
    958 Views
    GertjanG
    Hi, I know, time is money. But if you have 5 minutes, this https://forum.netgate.com/topic/78016/captive-portal-manual-logout might work for you. If not, you should communicate the logout URL to the users. Forget about the popup-logout windows, most users will never see them. Did you see it? This page shows the URL needed, and how it works.
  • Captive Portal Not Working

    5
    0 Votes
    5 Posts
    835 Views
    GertjanG
    Also: https://www.netgate.com/docs/pfsense/captiveportal/index.html for basic setup guidelines. Use the "make it work first" approach. This means: leave everything to default. Always. After installing pfSense, activate your WAN. Then activate captive portal on LAN. This takes 120 seconds max. If you really want to use your own ideas, ok, have them validated here: https://www.netgate.com/docs/pfsense/captiveportal/captive-portal-troubleshooting.html For example, most issues are just plain DNS issues (aka: not using the built-in Resolver, which means they did change default settings). What you should know: the captive portal isn't really a program or service. It's just:
      - A web server serving a "login" page.
      - Some nifty firewall rules (30 years old technique).
      - And the big surprise: captive portal works, because support is included in the OS the visitor is using - support is included in the web browser the user is using.
    A captive portal needs a perfect network setup (relax: only IPv4 - things will get nasty when IPv6 comes along)
  • Youtube app Not working on my pfsense

    3
    0 Votes
    3 Posts
    753 Views
    johnpozJ
    Yup I would concur - I mean if you're going to be using firewall from 2014, your devices should be from that era as well ;)
  • Redirect all pages to Captive Portal login page until authenticated

    10
    0 Votes
    10 Posts
    4k Views
    GertjanG
    Try this Video Jimp pfSense Captive Portal.
  • Voucher Database Synchronization

    2
    0 Votes
    2 Posts
    1k Views
    F
    Hello,
    In short, High Availability for captive portal is not working at all currently:
      - The only part that is supposed to work is the synchronization of available/used vouchers (meaning each node will be aware of which vouchers have already been used or not).
      - Connected users synchronization is NOT working (meaning if one user connects on a node, he/she won't be considered as connected on the other node). This feature has not been implemented yet in pfSense. There is a feature request asking for it: https://redmine.pfsense.org/issues/97
      - For available/used vouchers sync, only master->slave synchronization is working correctly. Backward sync (slave->master) is not working correctly, even if it should (see https://redmine.pfsense.org/issues/7972#note-5 ).
    There is ongoing work for a real captive portal High Availability implementation. No ETA or expected ready time however, that's just ongoing work and it may be available in a very long time... or maybe never.
    If you still want to configure vouchers synchronization despite these elements, here is how you can do it:
      - You do need to configure both System -> High Availability Sync (on the master node) and Services -> Captive Portal -> NameZone -> Vouchers (on the slave node).
      - The configuration area Services -> Captive Portal -> NameZone -> Vouchers has to be filled only on the slave node (the purpose of this setting is to perform backward sync). Don't configure these settings on the master node.
      - Voucher sync port in your config should be the port of the master node's web GUI (normally, 80 or 443. But not 8888).
  • Unreachable portal captive page www.msftconnecttest.com

    2
    0 Votes
    2 Posts
    986 Views
    F
    This is a known issue. It happens because you re-configured your captive portal while you were connected to it. You should have a look at https://redmine.pfsense.org/issues/8616 and https://github.com/pfsense/pfsense/pull/4031
  • Authentication in external freeradius

    7
    0 Votes
    7 Posts
    3k Views
    F
    I hate it not having details when a solution is provided. I ran into this same issue when I was trying to get captive portal to authenticate to an external freeradius server I had set up on a different LAN, and this is how I figured it out:
      1. Test the user/locally on your radius server and ensure you have the right user/pass combo first.
      2. Ensure that your client and your pfsense box are able to ping the external radius server. That's obvious. If having problems, check your firewall logs, rules and, if needed, whitelist the radius server in your captive portal configuration.
      3. Get freeradius started in debug mode on your external radius server.
         a. First turn off the service and then start it back up again using either radiusd -x or freeradius -X on your external radius server, and ensure you get the prompt to see the requests as they come in.
      4. Try to authenticate to the server from the client. I was using captive portal so I tried with a known good user.
      5. Check the console on your radius server to see where the request is coming from and why it is being ignored or rejected.
    My particular problem was that I set the client.conf file on the radius server with the IP address of the LAN where I set up captive portal, and I should've set up the IP address of the interface facing the radius server instead. This was obvious once I saw the authentication requests being ignored by the radius server while in debug mode, as they were not coming from the IP I set up in the client.conf. Hope this helps someone.
  • Captive Portal Voucher remain Active

    5
    0 Votes
    5 Posts
    619 Views
    M
    I would think by your own discovery it's designed to be non-stop. Think about it like an internet cafe, where people are paying for a block of time. I'm sure there are more elaborate setups where you can get a report about how much time or data a user has consumed, but I'm guessing this isn't what you are looking for in your home environment. Again, I don't use CP that way so I may be speaking from a place of pure ignorance.
  • Captive portal external DHCP

    5
    0 Votes
    5 Posts
    2k Views
    F
    @gsa-tech Beautifully simple.. thank you.
  • Out of the Box Captive portal not working

    12
    0 Votes
    12 Posts
    2k Views
    GertjanG
    Classic. Although using the LAN interface as the captive portal interface isn't the best choice, it has something very important: a general pass rule. On a dedicated interface, you need to pass traffic that you would allow for your users. One of the rules should take care of "UDP traffic to any port 53". Simply copying the default rule from LAN will do the trick. Of course, you can narrow down your rules for captive portal users (actually, you should!) but again: do not forget to have DNS coming in. The default ipfw rule set adds the IP of the interface of the captive portal as an accepted "all traffic" destination: this means that when you use the resolver unbound or forwarder dnsmasq on pfSense, you'll be fine without thinking about DNS issues or rules. When you want to communicate all DNS requests to some outsider then you have to deal with it. Consider this: no one ever asks about what is needed for DHCP. On any interface, LAN and others, the ip firewall does accept incoming broadcasts, and replies, all for port 69. Without these, even DHCP wouldn't work... Hidden 'DHCP' rules are set up for every LAN type interface. Remember: if no pass rules are triggered, the firewall blocks.
  • Captive portal not redirecting on https requests. problem on every browser

    32
    0 Votes
    32 Posts
    11k Views
    GertjanG
    @fahad77678 said in Captive portal not redirecting on https requests. problem on every browser: @gertjan is it necessary to add captive portal ports in firewall's wan and lan rules? If it is, then which ports should I add to the rules? Two cases: If you activate the portal on the LAN you have nothing to do: the default firewall rule is a pass-all, the portal will work right away. If you activate the captive portal on an extra interface (the best choice!), like OPT1, you have to, initially, add one firewall rule: the same one as you can find on the LAN interface. Never ever add firewall rules to the WAN interface. Rules for that interface belong to the experts.
  • Download Apps behind a Captive Portal

    3
    0 Votes
    3 Posts
    994 Views
    M
    Thank you for your answer. By your second part, I think you misunderstood what the client wants a little. The app itself is on the classic app store (google, apple), but the content is local (in the box). If the client is a museum, for example, all the details of the exposition are local. Like that, it can be changed every time an exposition changes. The popup page is done by dev and already finished. I provide systems expertise, in that case pfsense. My client DOESN'T want authentication. Like I say, I don't have all the technical details, but the scenario would be (museum example) something like this:
      1. Visitor comes to museum, buys a ticket.
      2. Clerk sells ticket and says "You can have more info if you download the museum app".
      3. Visitor connects to museum wifi.
      4. The popup pops up(?), with a link to the app stores (google or apple). The user chooses to download or not.
      5. When he leaves the front desk, he loses the wifi but the app with the museum info is in the phone, so no 4G.
    The issue is with the popup which doesn't pop or block the user. Is it clearer? Frankly, I'm not sure I can do better because I don't have more information on the situation. Still, thank you again for the reply.
  • Captive portal auth page not reachable

    10
    0 Votes
    10 Posts
    1k Views
    I
    This is what I thought, I will try that. Thank you for the help.
  • 0 Votes
    3 Posts
    617 Views
    GertjanG
    Typically, captive portals host only unknown, non-trusted devices from unknown visitors. You should let them out to the Internet when they identify themselves. You should even enforce the fact that they can't communicate with each other. This is what Windows does when you indicate that the network is "public". You should put your APs in client isolating mode. Best will be: put the captive portal on an OPTx or VLAN interface, dedicated for these visitors. Known and trusted devices could be on the LAN interface. Btw no iptables on FreeBSD. It's 'ip' and 'ipfw' here.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.