@mhmd said in How can I allow the subdomains of one hostname in Captive Portal?: My exact problem is that the domain IP is different from the subdomains it has. And what is these 2 fqdn exactly? https://docs.netgate.com/pfsense/en/latest/captiveportal/allowed-hostnames.html#allowed-hostnames A daemon periodically resolves the hostnames to IP address(es) and allows them through the portal without authentication in this zone.

@LadiesMan217 https://docs.netgate.com/pfsense/en/latest/captiveportal/allowed-hostnames.html#allowed-hostnames

@Gertjan It is exactly like that When I first started CP, we had a virtual machine that everyone called Remote Desktop and used it for Internet-related matters, and when one of the users authenticated, the rest of the users also authenticated in CP without needing to authenticate. CP was passing and it was very funny.

Thank you very much for this detailed answer. I appreciated very much your explanation of the redirecting technique. @Gertjan said in Captive Portal redirect does not work for a few clients: First things first : you have this package installed, and activated the patches : [image: 1686729786540-05481e7a-0815-410a-93dd-d28cd13e58ed-image.png] Btw : you might want to use 2.7.0-beta, is close to release. This package indeed needs an update. Will do so this evening. We won't use a beta version in this production environment. But we have a Dev cluster and will check this on that. The solution is always the same : Delete the wifi profile on the phone - it doesn't contain any user settings as a password (portal networks don't use password - they use a TLS connection to authentify against the portal web server, and from then on all connection are TLS anyway[ok, except DNS]) - and re connect. It always works for me. Yes, this also worked for our test client! You mean pfSense can't see the MAC addresses of the connected captive portal users ? Exactly You didn't mention the most important criteria of a portal : DNS. A connecting device should obtain an IP, network, gateway and DNS. Then it throws out a hidden http request (see above) and for that to work, DNS should work. Not some "8.8.8.8" DNS, as all non local DNS are not accessible at this moment. By default, the DNS will work on the pfSense portal interface. Did you test that ? Yes, DNS works good on the inside interface of the pfsense, with host override for the portal page redirect. In the past, this page Troubleshooting Captive Portal was mandatory. It still is, but these days it talk about the new firewall 'pf', as Netgate made 'pf' MAC aware. 2.6.0. uses ipfw, which was ditched after 2.6.0. I am aware of this page, thank you. The problem is also with troubleshooting in the Prod environment. I cannot change some settings just to test if it works. There would be the risk to interrupt the connectivity of the 300-400 working clients. I have to do non-invasive things like packet capture and log examination. If this issue remains or even spreads to more clients or the "Wifi forget" on the phone won't help anymore we would need to reproduce the setting in a testing environment. Again thank you R.

@darnoldvcs said in Captive Portal Pass-through MAC Auto Entry is registering unauthenticated users: I have tested this on 22.05 & 23.01. What is / Is there a reason not to test de the current version - 23.05 ? For good manners : I use 23.05, as it removes issues present in 23.01 ;) With only this option checked : @darnoldvcs said in Captive Portal Pass-through MAC Auto Entry is registering unauthenticated users: Pass-through MAC Auto Entry: Checked/Enabled I had to identify with valid credentials, and then the MAC was added to the MACs table. These two : [image: 1686651040350-54a7c9c3-d164-4e80-b6eb-4253f72705bb-image.png] I have never tested these . But setting them to "1" both does expose what you've mentioned above. I still don't know what "Pass-through credits per MAC address" actually is. 1 hour ? or 1 "something" ? But, I've seen the same thing : with these to set to "1", the MAC address of my device was added right away in the MAC table, granting me indefinite access from that moment. That behavior doesn't match with the description When enabled, a MAC passthrough entry is automatically added after the user has successfully authenticated. edit : I've been looking around in the documentation. In the captive portal /usr/local/captiveportal/index.php file, around line 192 : [image: 1686655255382-8bf8f900-5314-4f43-ad58-f51ce72ea634-image.png] The function "portal_consume_passthrough_credit($clientmac)" return 'true' if these 2 : [image: 1686651040350-54a7c9c3-d164-4e80-b6eb-4253f72705bb-image.png] are set (bigger then 0). The if statement is true, so a log line is add to the captive portal log : captiveportal_logportalauth("unauthenticated", $clientmac, $clientip, "ACCEPT"); which means a user with MAC '$clientmac' and "unauthenticated" is added. Like : [image: 1686655542397-08c5ad14-4c20-4d73-bcd5-26b19c42f723-image.png] and then the mighty portal_allow( ....... ) is called. This isn't a real login, an "unauthenticated", is more a "temporarily accepted auto login". Nevertheless, because this is a new session, and "passthrumacadd" is set/checked (around line 2075 /etc/inc/captiveportal.inc) is now unconditionally added. Easy way out : these options are somewhat 'mutually exclusive'. The thing is : the captive portal logistics is ..... messy (I'm still looking for a better word) or somewhat what could be called as 'spaghetti code'. The main settings page makes the portal admin think that all kind of option can me used together. This is a typical case of : no way. edit : Change /etc/inc/captiveportal.inc : https://github.com/pfsense/pfsense/blob/5e92d678f642277642acb7f471cd430ed53aae16/src/etc/inc/captiveportal.inc#L2075 I tried to play with : if (isset($config['captiveportal'][$cpzone]['passthrumacadd']) && empty($config['captiveportal'][$cpzone]['freelogins_count']) && empty($config['captiveportal'][$cpzone]['freelogins_resettimeout'])) { which stands for If ("passthrumacadd" == checked) and both 'freelogins_count' and 'freelogins_resettimeout' are not set, then do the MAC add passtrough. But this was not a solution. There need to be a test to see if the MAC in case is in the grace ( freelogins_resettimeout ) period. This could be done by checking /var/db/captiveportal_usedmacs_cpzone1.db (cpzone1 is my captive portal zone name) ... My first advise still stands : @darnoldvcs please keep it simple(r). If possible, ditch the "passthrumacadd" option - and say sorry to your visitors : after a while (hard reset or IP change) : they have to login again. If these people are really, or more or less trusted users : give them another, more trusted network that doesn't use the captive portal.

@darnoldvcs If pfSense have native saml support,the user can make the most of captive portal with other 2FA,such as casdoor and other SSO solution. The pfSense can be the NAC.

@Gertjan Thank you for your response and effort, it all makes sense then.. I will try out the different DNS overrides and see how that will go.

@Gertjan Thanks

@johnpoz Thanks, I will do some more exploration today. I know that in the downloaded zip of the certs there is the: cert1.pem chain1.pem fullchain1.pem privkey1.pem The import into I pfSense only asked for the cert and private key. When I import into other applications like Synolgoy they ask for private key, certificate, and intermediate key chain. More fun on a Saturday... Solved it. Needed to use "fullchain1.pem" for the certificate field. Problem went away. It was your detailed walk though example that lead me to think to this. Thanks again @johnpoz

Hi, After few days of tests, the firewall's solution works. I'm still searching of to do that with FreeRadius and Groups.

Not exactly, I mean you connect using OpenVPN, so you did the first authentication user+password against a freeradius. That is what I'm doing now, an external freeradius authenticates "password+OTP" with a freeradius perl module. OpenVPN clients can connect to vpn server and when they are connected a captive portal asks for the second authentication factor. The main problem is that the openvpn client won't asks for a second auth, it only accepts user+password, so the workaround is use a "password+OTP" string on the password field. That can be done beause you know Google Auth OTP before the auth process, but with a SMS, email, ... sent you won't know that second "password" unless you did the first auth. BTW, I managed to connect to a captive portal disabling MAC filtering. @Gertjan said in Captive portal for OpenVPN clients to implement a MFA: @elbuit Isn't this a chicken and egg problem ? If you want to connect to the captive portal, your VPN client has to connect first. For the VPN client to be able to connect, you have to connect to the captive portal first. OpenVPN : if you want several choices to identify, you could consider using Freeradius as an authentication service for the OpenVPN server. Not the client btw. The OpenVPN client can only connect to a OpenVPN server. See here : Authenticating OpenVPN Users with FreeRADIUS LDAP can also be used.

@gertjan Thank you! That was the answer! I set the hard tie out to 30 minutes, 1 passthrough credit per mac address, and a 24 hour waiting period before they get another free credit.

@kabeda said in Is voucher in url still available?: I still don't know So you know what you're looking for. $_GET['voucher'] Open source ... heard about that one ? So, go here : https://github.com/pfsense/pfsense/tree/RELENG_2_6_0 Then click you way to /src/usr/local/captiveportal/index.php Look for, search, Ctrl-f "$_GET['voucher']" on that page. It's there Next test : on your pfSense, you have the console access. Use it. Use option 8. grep "GET\['voucher'\]" /usr/local/captiveportal/index.php You'll find the same thing. Btw : when you use vouchers, it's important that you have this https://github.com/pfsense/pfsense/blob/master/src/etc/inc/captiveportal.inc#L156 in your own portal (html) page. You can add PHP into your html portal page. [image: 1684144832255-7ddeeee5-e9a5-49bd-ba4e-c955e20eab41-image.png]

Hi, I think I finally found how to do it. first, in /user/local/www/services-captiveportal.php find and add what are in remarks if ($a_cp[$cpzone]) { $cpzoneid = $pconfig['zoneid'] = $a_cp[$cpzone]['zoneid']; $pconfig['descr'] = $a_cp[$cpzone]['descr']; $pconfig['cinterface'] = $a_cp[$cpzone]['interface']; $pconfig['language_cp'] = $a_cp[$cpzone]['language_cp']; // get the language from the config // Check if is not set then get the global language if (!isset($pconfig['language_cp'])) { $pconfig['language_cp'] = $g['language']; } // Check if is not set then get the global language $pconfig['maxproc'] = $a_cp[$cpzone]['maxproc']; $pconfig['maxprocperip'] = $a_cp[$cpzone]['maxprocperip']; and $newcp['descr'] = $_POST['descr']; $newcp['language_cp']=$_POST['language_cp']; // get the language from the post variables $newcp['maxproc'] = $_POST['maxproc']; and $section->addInput(new Form_Select( 'cinterface', '*Interfaces', explode(",", $pconfig['cinterface']), get_configured_interface_with_descr(), true ))->addClass('general')->setHelp('Select the interface(s) to enable for captive portal.'); // add the input in the form $section->addInput(new Form_Select( 'language_cp', '*Language', $pconfig['language_cp'], get_locale_list() ))->setHelp('Choose a language for the Captive portal'); // add the input in the form $section->addInput(new Form_Input( 'maxprocperip', 'Maximum concurrent connections', 'number', $pconfig['maxprocperip'], ['min' => '0', 'max' => '100'] ))->setHelp('Limits the number of concurrent connections to the captive portal HTTP(S) server. This does not set how many users can be logged in ' . 'to the captive portal, but rather how many connections a single IP can establish to the portal web server.'); then in /usr/local/captiveportal/index.php after header("Expires: 0"); header("Cache-Control: no-cache, no-store, must-revalidate"); header("Pragma: no-cache"); header("Connection: close"); global $cpzone, $cpzoneid; $cpzone = strtolower($_REQUEST['zone']); $cpcfg = $config['captiveportal'][$cpzone]; add $lang = $config['captiveportal'][$cpzone]['language_cp']; // get the language from the config putenv("LANG={$lang}"); setlocale(LC_ALL, $lang); textdomain("pfSense"); bindtextdomain("pfSense", "/usr/local/share/locale"); bind_textdomain_codeset("pfSense", $lang); // apply like done by pfsense That's all it works for me, I don't know how to show the changes with github.

@gertjan btw, I change mode to "last login" in the captive portal setting then it work fine for me, clients should re-enter the code at the time DHCP lease.

@gertjan said in OpenVPN in captive portal: Btw : what is your pfSense version ? edit : Who/where is the VPN server ? @andoniar78 said in OpenVPN in captive portal: Pass-through MAC [image: 1683114642750-e55af6a3-4fb1-4801-bcb5-2fa953527897-image.png] If you have a device with aa:bb:cc:dd:ee:ff, then there won't be any captive portal login page, the connection will be transparent, like if there was no captive portal at all.

@gertjan said in My captive portal: @bamb If you enable the logout page in pfSEnse, you are only half way. The browser on the device should also accept and show the popup window. Guess what : most users disable them ;) A good plan B is : have the users auto logged out if they don't use the connection any more. Set the soft time out to 15 minutes or so. Indeed, that is a good plan B.

@vanlier said in Captive portal shows blank page: Here is the situation before activating captive portal: clients connect to wifi they get a 192.168.50.x ip address from dhcp with dns 192.168.50.254 they can browse the internet (dns resolution and internet access are working) Important test ! Good to know. @vanlier said in Captive portal shows blank page: Here is the situation after activating captive portal: clients connect to wifi they get a 192.168.50.x ip address from dhcp with dns 192.168.50.254 nothing happens Using the 'default' build in login page, right ? You can't say that 'nothing happens' : you can't 'see it', but something happened. Every OS on planet earth will throw out a http:// request as soon as it obtained a DHCP lease. Check here : Status > System Logs > System > GUI Service Every OS using it own http request. For my iPhone it's : [image: 1682693584691-7e36196f-217b-4a17-9877-daf6a1b8770f-image.png] This is the page that it want to download : http%3A%2F%2Fcaptive.apple.com%2Fhotspot-detect.html Better known as : http://captive.apple.com/hotspot-detect.html Click on it and you'll see what happens. You should see this : [image: 1682693699106-001ff859-b0db-45f1-9b9e-0bc6908dd1b0-image.png] If the html page doesn't contain "Success" then the device start to presume a captive portal is might be present. Now, the OS launches a stripped down web browser, bot the full fledged IE, Chrome, Edge, Firefox, but a small bare bone browser. It's launched with the same web destination : http://captive.apple.com/hotspot-detect.html First, again, "captive.apple.com" will get resolved (was already found during the same test, some ms before). Then the browser connects to the IP on port 80 (remember : http), and asks for the page /hotspot-detect.html On the pfSense side, this "some destination IP : port 80 " request gets redirected to the internal login portal web page server on port 800x" with the help if a firewall rule (pfSense 2.6.0 : ipfw rules - the newer pfSense uses pf now). The portal page web browser does just one thing : it redirect the requesting browser to (your case) http://192.168.50.254/index.php?zone..... [image: 1682694179643-2f7a3e58-2899-4c32-9b94-f94427ceeef0-image.png] It also adds a 'zone' parameter, and 'redirect' parameter. The result will be of course : the captive portal login page shows up. So : to make this work, one thing needs to work for sure : DNS. The captive portal firewall rule works, that is for sure. If not, Netgate and FreeBSD will go out of business tomorrow. [https://docs.netgate.com/pfsense/en/latest/troubleshooting/captiveportal.html](link url) Btw : you already know that the 'default' pfSense 2.6.0 needs portal patches, right ? @vanlier said in Captive portal shows blank page: Disable mac filtering That's of if you want to 'break' things. @vanlier said in Captive portal shows blank page: Set various redirect urls https://www.google.com works fine. @vanlier said in Captive portal shows blank page: add firewall rule allow any any on interface "guest" The GUI firewall rues ? None is needed (I guess ?), the authentication will still work. But as soon as authenticated, yoy can go no where. Use the default LAN pass all TCPv4* rule to begin with. @vanlier said in Captive portal shows blank page: However when opening the same page with the pfsense ip in the guest subnet (http://192.168.50.254:8002 Invalid request. The ?zone=xxxx parameters needs to be present. These : [image: 1682694908331-7e93c7cc-43b6-4993-b5b5-f95007ac3f26-image.png] don't work for you ?