@marcosm Applied

Just been looking into other ways I could solve this issue. Could PPSK and RADIUS be the answer? Has anyone set up a RADIUS system on pfSense with PPSK codes that can act like a pre made voucher codes? e.g., I make a list of PPSK codes that my OpenWRT access points use from my pfsense router to get the user on the wifi. I could then also use RADIUS for my long-term users and add MAC addresses for seasonal and TV, but temp users will just work; no web page needed. Any help or pointer would be greatly appreciated.

@Gertjan We are now at Version 26

Got it, thank you for the response. I added the feature request #16734.

@scilek said in Is it possible to create a multi-page custom captive portal?: However, there's a missing component: the PHP PDO library, which I believe should be included in the default installation A 'default pfSense' doesn't use SQL. If you need SQL yourself, all you have to do is : said in Is it possible to create a multi-page custom captive portal?: Note : Just install (don't need to set it up) the pfSense FreeRadius package, and you have the MySQL client PHP part installed as a bonus. @scilek said in Is it possible to create a multi-page custom captive portal?: the person that asked me to concoct the custom CP to obtain a DNS name I have the PHP PDO library : [image: 1770622043000-9f66c3f2-fb12-4d0a-bbc8-ff1878fc65f2-image.png] If you recap everything I've said above : There is an investment to make : a portal network which includes dedicated switch(es) and access points, and a domain name to rent. @scilek said in Is it possible to create a multi-page custom captive portal?: Also, the only information that is asked is the mobile phone number, which I think shouldn't be an issue. I agree with you. A potential portal visitor has now the choice : He uses its own phone's monthly 'data' from his phone company. Or, against the phone number, (so, example, she/he can receive an SMS with an portal access 'user and password ?!) he can use the portal.

Thank you for all these answers. We will look into this more closely.

@Gertjan ah so that's why mine won't work... I haven't found any solution yet... whereas with the old versions it worked...

@mpeterson0418 Be assured : my pfSense GUI is also only accessible from only the 'main' LAN, and not from the other non-trusted LANs which is a captive portal (I've a hotel here, that's worlds most none-trusted collection of network users ^^) and another LAN with 'other' stuff I don't trust like cameras and other "worse then Temu and Aliexpress"' combined stuff.

@Dmc it doesn't have to be easy then...

Ok, I fixed it out using my old test VM. Seems, that I am getting old . Yes, it was mandatory to write the voucher code first to a csv file. Then, only then, the qrcodes can be printed out. Regards

The pfctl error is already resolved upstream (and in 26.03).

@_malek said in I cannot used google analytics for captive portal: I know DNS and DHCP work as expected, but standard GA scripts seem completely blocked in this pre-auth phase. The device using the GA (?) script, or the GA script isn't portal aware. Be aware : most of the portal support isn't what pfSense does. The actual portal support must be build into the device you use. Most recent OS's are portal aware, but there can still be 'programs' (processes) that 'see' the Ethernet interface is 'up' so a 'Internet' connection' must be there. This is a wrong assumption. You don't do "Google Analytics" or anything else for that matter before the user has been authenticated on the portal. Like unlocking your phone before using it, or leaving the toilet before unlocking the door. @_malek said in I cannot used google analytics for captive portal: or is it technically impossible due to browser/portal restrictions? A good browser is portal aware by itself. Stupid browser plugins might exists that break this. That's not new. @_malek said in I cannot used google analytics for captive portal: or is it technically impossible The portal can have "Allowed IPs" and "allowed host names" lists : these two destinations types - both are eventually the same : a list with IPs - will pass through the portal firewall even when the user (device) hasn't been granted portal access yet. So it's a matter of 'find all the IPs' and your done. The thing is : you want to use services from the "big ones" (Meta, Google, Microsoft, Apple, etc) and that is hard. These guys have thousands of IPs, entire AS sections, and they swap them in and out all the time. Basically, what you are trying to do isn't the correct way. If you have to use "Google Analytics" because, for example, you sold your user's device Internet usage to Google, don't put these devices behind a portal. Or tell the users that they should connect first, and then and only then they can do what they have to do. Like : before driving a car, they have to start it first. They'll understand. The portal is just a concept that gives you the control "who us using your Internet resources". For example, I have a hotel, so I want to offer an Internet connection to my hotel clients as an extra service. Not everybody surrounding the hotel. After all, I am still somewhat (more or less) responsable for what these stranger 'do' with 'my' connection. Ones connected, the entire 'Internet' opens up for them. They can even launch nukes if they have the credentials to do so. What they are doing isn't my business. If needed, I can route all portal traffic out over a VPN connection, so my hotel visitors , who use my ISP WAN IP (!) won't blacklist my (static) WAN IP. This rarely happens though, as the portal ads - I think - a strange effect to them : they think they are watched ^^

@_malek said in Tracking User Interactions in Google Analytics for a Website Opened via an iFrame from a Captive Portal: I added all required URLs (including google-analytics.com) to the Allowed Hostnames, Google Analytics still doesn't record any events When you add "Allowed Hostname" to the portal, a DNS lookup is performed and an ( 1 !! ) IPv4 is rteurn so the pf firewall can filter to 'allow'. Remember : a firewall can ='can't filter hos names. Just "IP addresses" (see for yourself : [what is in an Ethernet packet header]( what is in an Ethernet packet header)). Gues what : "Google Analytics" isn't one IPv4 - it changes all the time, as that site (service) is used by billions any moment thousands of times per second (everybody want to do Google Analytics for some reason) so the load is DNS pre distributed / balanced over a lot of (major understatement) IPv4 addresses. https://docs.netgate.com/pfsense/en/latest/captiveportal/allowed-hostnames.html : [image: 1763986053001-41301874-d0e5-4a18-a5fe-8d55e22431f6-image.png] If you manage to get them all, and you add all the possible IPv4s to the "Allowed IP Addresses" list, it might work.

@paulatz said in Skip captive portal for static ARP: some documentation Euh, it's open source. So everything you need to know is already there. No one ever wrote a book, guide or manual about these millions of lines of 'script'. If you know what 'PHP' is : ssh into your pfSense and start to discover. this will take you some time ;) If you want write scripts for a system, you have to know (some what) that system.

@EDaleH Thanks for your input on this matter. This issue is not related to the DHCP server, especially KEA DHCP. We are still on pfSense 2.6 as mentioned, so ISC DHCP is in use, and there are no lease problems. Lease times are already configured correctly. The core reason that @Gertjan pointed out is correct and seems to be the right direction to get this resolved. It doesn’t affect everyone, but systems under heavy load during peak hours are the ones that usually run into it. The issue is a race condition under load. If the pruning process takes a long time to enumerate and remove old entries, and a new session or disconnection occurs, or if the process is interrupted or times out, the lock file may remain or the process might not finish its database write cleanly. This can leave the system in a partial state where the voucher record is removed but the session is still present. I also believe this issue also exists in pfSense+ since the captive portal code is same in the areas related to this behavior.

@Leksandr hi hope you are doing well.i read your post.pkease can you share your work as i have one such requirement. We will ask some info and use that . To give a demo I am ok if the information gathered from user is stored in the local file in pfsense. Much appreciated it

@Gertjan Thanks for taking the time to respond here For some context: I manage the gateway/firewall remotely for an IT admin who reports the issues to me. Not really sure what was going on at the time. The fact that the portal landing page was not appearing across the entire network but then would appear again after I would login to pfSense and hit 'save/Apply Changes' in the captive portal settings, remains a mystery to me. At the time the version was 2.8.0 but I upgraded to 2.8.1 as soon as I could. It seems stable now but will report if the issue comes back.

@Gertjan said in IPv6 support for Captive Portal planned?: @anakha32 said in IPv6 support for Captive Portal planned?: have multiple routed subnets behind our captive portal. KIS : keep it simple => make it more simple : one portal interface with one big switch and loads of APs all over the place and no more routers. If that's possible for you of cours. Btw : for my own curiosity : why placing routers on the portal network ? I'm part of a team that runs the network for a large university. The core of the network is all routed to limit the blast radius of problems. Each building has its own router with various networks on, including the guest wireless. But it makes sense just to have one captive portal box (pair), so all 300ish building subnets are routed through that. Perhaps one day there will also only be one wireless system in the university. At which point tunnelling all the guest wireless traffic back to one point might be feasible and the guest wireless could become one big subnet.

@Balooshy said in captive portal page with only voucher login: there is any way to make the page with only voucher authentication without using custom portal page? Short answer : no. You don't want this : [image: 1762158273441-57565a19-49ba-4083-b5cc-0c267c6de242-image.png] You don't want the User and Password fields to be shown. Info : I use Firefox. When I see this page, I hit Ctrl-U and then I see the 'source' of the page : [image: 1762158477799-3bb1e934-bf62-443f-8361-4b6e6c173c0b-image.png] Copy paste this file in an editor like Notepad++. Remove these two lines : <input type="text" name="auth_user" placeholder="User" id="auth_user"> and <input type="password" name="auth_pass" placeholder="Password" id="auth_pass"> <br /> Save the 'html' file. In pfSense, check this button : [image: 1762158665190-ebb231af-8803-4798-9a54-89eb058ad92b-image.png] and upload your file here : [image: 1762158695260-d86d5757-b891-46d4-8505-7ac0a39e1871-image.png] and Save.

@leonida368 pfSense has a captive portal which allows you to control who and how a pfSense LAN (the portal network) is accessed. This can be done with or without login credentials. A LDAP or (Free)Radius access, or ordinary pfSense users can be used. pfSense has no notion what so ever of what "Google Workspace" is. Look at these forum messages. Btw : IP addresses : these are the logged in devices. As pfSense gave these RFC1918, they are known. Device MAC addresses, these are know and logged by pfSense, but are normally randomized by every device. Traffic - Ethernet packets, can be logged, so you'll know the destination IP, the web site the portal user have visited. You will not be able to see 'what they did there'. You could use Traffic Monitoring tools, or IDS/IPS although the latter won't show much, as all traffic is encrypted (remember : https = TLS) these days.