Hi, Authentication conditions are on an or basis - not and. I mean : one of the conditions is used, not both. Added to that, if a user could enter credentials and a voucher, only the credentials (user name and password) are used - not the voucher code. Btw, I didn't actually test to prove my 'right' or 'wrong', I took my conclusions from the code.

I tested this : replace : if (platform_booting()) { echo "Starting captive portal({$cpcfg['zone']})... "; /* remove old information */ unlink_if_exists("{$g['vardb_path']}/captiveportal{$cpzone}.db"); } else { captiveportal_syslog("Reconfiguring captive portal({$cpcfg['zone']})."); } /* init ipfw rules */ for this :``` if (platform_booting()) { echo "Starting captive portal({$cpcfg['zone']})... "; /* remove old information */ unlink_if_exists("{$g['vardb_path']}/captiveportal{$cpzone}.db"); } else { captiveportal_syslog("Reconfiguring captive portal({$cpcfg['zone']})."); /* remove users from the database */ $unsetindexes = array(); $cpdb = captiveportal_read_db(); $unsetindexes = array_column($cpdb,5); if (!empty($unsetindexes)) { captiveportal_remove_entries($unsetindexes); } captiveportal_syslog("Reconfiguring : database emptied ({$cpcfg['zone']})."); } /* init ipfw rules */ What happens is that when **booting**, de database file is just deleted - that's ok, the system is booting, so no ipfw rules, neither logged in user are present anyway. If not, when enabling or reconfiguring, the database file is emptied. True, a simple unlink_if_exists("{$g['vardb_path']}/captiveportal{$cpzone}.db"); does the job also. All this : if (platform_booting()) { echo "Starting captive portal({$cpcfg['zone']})... "; /* remove old information */ unlink_if_exists("{$g['vardb_path']}/captiveportal{$cpzone}.db"); } else { captiveportal_syslog("Reconfiguring captive portal({$cpcfg['zone']})."); } /* init ipfw rules */ ...... could be replace by a mere (no more if statement) : echo "Starting captive portal({$cpcfg['zone']})... "; /* remove old information */ unlink_if_exists("{$g['vardb_path']}/captiveportal{$cpzone}.db"); /* init ipfw rules */ ..... captiveportal_init_rules(true); that follows just after these lines finishes the job. Remember : every time you (re) configure the Captive Portal instance, all user on that instance** get thrown out. This is definitely not a good thing when you are running a very busy captive portal. ** Looking through the code, only the reconfigured instance is concerned. Other instances are not touched,  I have tested this with a second captive portal instance.

Look in forum for pfsense+cp+freeradius some guy has built exactly what you are looking for https://forum.pfsense.org/index.php?topic=108493.0

Like to propose an even more simpler solution as https://forum.pfsense.org/index.php?topic=144430.msg786296#msg786296 - what jhonpoz said. Do what he said, but do not use LAN, use a dedicated interface, like OPT1 - that's where a captive portal really belongs (like trusted devices belong on LAN, non trusted on other interfaces) Activate OPT1 - assign it a pass-all rule for TCPv4 (because are no default rules on OPTx interface) - and of you go. If that doesn't work, then "some" settings you made are conflicting.

https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting tells you what happens. Execute ipfw table all list half a minute before hard time out, and one again after time out. The user's devices IP and MAC are removed from the tables after time out. (and I guess the related states are reset) The device will not be able to "pass through" pfSense anymore. A re-authentication is needed. At least, this is what I see what happens (been trying for the last nearly 10 years now). DHCP should be set much longer as 6 minutes. If your free IP pool gets empty, you could play (= lower) with the DHCP lease time. If not, leave to default. Anyway, as you can see when executing ipfw table all list the DHCP protocol always passes.

This seems very unintuitive I would expect there to be a global list of vouchers ad whe one is used it is removed from the list. The session for that MAC would then continue until it timed out, at which time a new voucher (or a login) would have to be used. If this si not what happens , then, what DOES it do? and what value is it? If my kids can share vouchers then I might as well turn off he whole feature.. the aim is to have them separate..

Checkout pfSense Forum » pfSense English Support » Captive Portal » [Captive Portal] Blocking a Previously White-listed MAC Doesn't Work Right.

Hi i will make the same thing. Did your config work?

Good day sir??? is this already marked as functioning??  :)  I want to have this set up on my site … thanks

update to a current stable release. (try it on a testbed first)

perhaps ntop ? https://github.com/ntop/ntopng/wiki/03-MySQL-FAQ will probably needs some tweaking to get it to work

@simone: ….     https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/user-id .... So, before accessing your network that support this User-ID, the user should have this User-Id …. I guess I place my bets on an alias that lists all Facebook IP's (IPv4 at least, and with IPv6 at best) - a list that would refresh every xx hours or so. Just some script file and the the cron package. Or, this one : https://forum.pfsense.org/index.php?topic=134352.msg737158#msg737158 - I'm sure it could block all DNS resolving easily by returning 127.0.0.1 or ::1 if a "facebook.com" passes by.

OHH the forum isn't showing the imgur images!!

I figured a solution to take the MAC address from the DHCP lease and somehow give to the Captive Portal to authenticate through Freeradius. I still don't know how to do it but I'm walking on this way.

Hi, No, people always enter wrong passwords first, nothing wrong with that, it seems normal. Never had to restart something or pfSense for that matter afterwards. Are you using the default "login" and default "error" page ? Both default pages are identical, only the "error" page shows a message, if one is present. Like "User or password is wrong". So, good news, all is well, but it seems something is wrong in your setup. You are using the latest version, right ?

It depends on the Switch or Access Point you have in your LAN if you have an Access Point that can do Multiple SSID's , VLAN's and Routing Capability then its possible

Wifi is connected ? Run this on you PC: ipconfig /all When you disable the Captive portal, you have a connection to the net ? What firewall rules on OPT ?