@blsevidal: what could be the problem.. Can't tell. Can not see your setup. Have no idea how your network is interconnected. Don't know what this has to doe with your captive portal.

@liver007: Purpose: we wan't to create AP in our friendly company but have AUTH/ Captive Portal setup at our location. Possible ways to connect are VLAN/VPN. Is there an option to not pass all that traffic after auth thru our pfSense server? Captive portal authorized traffic has to go through pfSense (a firewall), that's how the captive portal works. A switch, even one with VLAN capabilities, can't handle that (it isn't a firewall)

@AYSMAN: ….. I've noticed in pFsense version 2.4.2 the Portal URL is https://guestportal.net:8003/?zone=guestportal on earlier pfsense version it was only like https://guestportal.net:8003 Yep, that's normal. pfSense supports more then one captive portal, each being called a "zone". This was implemented a couple of versions ago (2 years or so). @AYSMAN: The problem is when a client wants to log out and they typed into the browser address bar guestportal.net instead of being redirected to the log out page of the captive portal, the browser gets redirected instead to pfsense log in page on that interface. Did I miss something in the set up? Yep. People should not have type in the address. To complicated - they WILL make errors. They should "accept" a popup windows (they actually never allow pop up in there browsers …. as you already know). The logout popup is send to the client when connecting, and if they really have a good reason to disconnect "by hand" they shouldn't close this window (and logically, accepts popup from your portal interface : so what about telling them when they login ?  ;)) - and they could use it when needed.

One Captive portal per interface or VLAN. These can't, of course, have no overlapping networks addresses. Editing files like "nginx-zone103-CaptivePortal.conf" is useless, they are created on the fly when the service starts or restart. All info is stored and use from /conf/config.xml (which, also, should NOT be edited by hand, but by the GUI).

Well, you're operating a firewall, right ?! What about disabling the default auto-lockout rule - and activate a hand made firewall rule on the LAN interface ?! I never used a VLAN-aware switch, but I assume that if you setup your switch correctly, people can even use the LAN network, thus connecting to the GUI. Others interfaces : a firewall rule.

Added to that, a captive portal should be run on its dedicated interface (VLAN, or more simpler : OPT1). The hostname is communicated by the device when DHCP handshaking takes place, but know that a device doesn't have to communicate one. Also note that IP's, MAC's and host names can be fakes because user (== read : visitor) editable.

The rules set for ipfw (ipfw is only use for the captive portal) is hard coded into the captive portal software. These rules are non-user editable and normally you don't need to change them except if a total breakage is what is wanted. YOUR rules should be put in with "pf" and this one can be edited with the GUI - just select the interface that the captive portal is using. Best is that you use a dedicated interface (OPT1) for the captive portal - leaving the LAN for trusted devices only. By very nature, a captive portal network IS for non-trusted devices (visitors). Said that, know that when you add IP's and MAC's that should pass through without hitting the captive portal, their rules are added to ipfw. Se the help page mentioned above, you can see all the ipfw rules and tables.

and also, kindly provide a sample schema where the vouchers will be uploaded. Thanks in advance

Hi, The 'captive portal login page', as the 'error page' and the 'logout page' are stored in this file : /conf/config.xml All the other "user files" are also stored in /conf/config.xml When the captive portal starts, a working copy is extracted here : /var/etc/ You will find files like captiveportal_your-zone.html captiveportal_your-zone-error.html captiveportal_your-zone-logout.html User files (working copies) are stored here : /var/db/cpelements/ and sym linked from the web root dir : /usr/local/captiveportal

@bulgurcu: Yes. radacct add columns acctupdatetime datetime DEFAULT NULL,   acctinterval varchar(255) DEFAULT NULL, Hi. Thanks again. I got freeradius3 to send accouting data to MySQL. May I ask if you have any idea why my simultaneous use attribute is being ignored by freeradius3?

:o Captive portal traffic flows through the firewall (pfSense) - an interface and then to the WAN, and back. No way you can have what you ask (implies also the changing the gateway the visiting device that it became from pfSense, etc).

If you update the pfSense FreeRADIUS 3.x package now (To 0.15.3) it will calculate the bandwidth values the same as Captive Portal so it will not trigger the issue

Need a lot more detail here. Is the RADIUS server on pfSense? Or somewhere else? If it's on pfSense, did you complete the transition to FreeRADIUS 3.x? Is the RADIUS server process running? Any errors in the logs? If it's on another system, how do you reach it? Locally or over a VPN? Is that connection still working?

Great. Thank you!

Yeah, while the Mac filtering worked fine, we ended up moving all the infrastructure items to a different, private subnet.  Not only was remote access made easier, bandwidth was improved.

@awahbi: How can I get rid of the old versions? How ? An update overwrite all old files - removes stales (unused files). It's like a Windows PC : when upgrading from Windos 7 to 10, nothings is left from "7". @awahbi: Shall I make a fresh installation of 2.4.1 then restore the configuration? Think about this : YOUR copy of pfSense - and mine, are THE SAME. The only thing that is different is … the setup (and of course, packages that can break native behavior). I'm using a plain vanilla setup, my MAC limiter for the captive portal works. I'm using the built in User Manger - no Radius, No squid - no nothing else. You can try this : Re install. Make the captive portal work with built in login page and a User Manger user. Set the MAC limiter on the captive portal setup page. Test - login and see that it works. Now, add you other settings one by one. As soon as the MAC limiting doesn't work anymore you know where you can find the issue  - and report back.

By posting those keys, anyone can generate valid vouchers and connect to your portal. Now generate some new keys.