@david6464 said in Voucher expiry:

Can you send me screenshots of your captive portal and freeradius config?

Of course.
But before we compare apples with oranges, I'll describe my setup.
I have a dedicated 192.168.2.1/24 captive portal network interface.
I'm using the "https" access with known signed certs - I use acme.sh - this isn't related to your question I guess.
I'm using my own login and error page, just to add some logos etc - the internal html is identical ti the build in pages.

cpsettings.jpg

The auth server settings page :

9796d5cc-72a2-4a9f-8db0-b993c1a4b572-image.png

FreeRadius :
I have a bunch of users :

9796f809-cd8e-49f7-b3f2-23d36b9c4ac1-image.png

Most of them have only there 'name' and password set.
User '001' has a daily limit of 600 seconds.

Keep in mind : I use Radius, but are not really bit counting, are rate limiting, or whatever.
I'm not selling my access, and I don't have to educate kids or so.
My portal has one rule : if it works for you, then that's fine.
If it doesn't, then you (the portal user) has an issue - not me ;)

The MACs page is empty.

f32b9571-5ae0-4190-a1af-60db30e0a87e-image.png

75ff5cfc-16f4-443d-823e-8dbe58d13128-image.png

78b102e0-0c18-419e-9051-198c907e74ab-image.png

d63eda76-1ab3-465b-896b-fe7ccd408ba6-image.png

Note : the FreeRadius cert was auto generated ? I don't remember any more. The Youtube => Netgate FreeRadius movies will help you.

4193c5f4-102e-4f1c-99ac-4bb475feff22-image.png

Note 192.168.1.33 is my Synoloy NAS with the SQL server.

The last 3, LDAP View Config and XMLRPC Sync are not used by me.

Last image : My Mariadb (SQL) database with the tables.

fe060bb6-7f1e-44bb-9e79-7b48d1f1e361-image.png

Note : keep in mind : The pfSense FreeRadius package is a partial implementation of what FreeRadius can really do.
A lot is hard coded in the FreeRadius config, as bringing them to the GUI would be ..... mission impossible.
To understand what I mean look here : /usr/local/etc/raddb/ and have a look at
ALL the files and ALL the files in ALL the sub folders.

The main file is /usr/local/etc/raddb/sites-enabled/default , it all starts there.
Most of it is purely hard coded.

FreeRadius is complicated.

@harias

You should go here.

These are the ones you need :
IDS/IPS : as packets need to be inspected to know what a user on a LAN does.
Cache/Proxy can might also give information.

Both go way beyond (like a light year) of classic firewall / router management.
You asked for the full control of whatever traffic flows through pfSense.
This means you have to know for real what happens, and why.
When that is the case, these tools will do the dirty work for you.

A guy from Chine (of course) said ones : "You can only fight the dragon if you know what it looks like".

Btw : Freeradius can checks used ID, user hardware ID (MAC, IP) and bytes consumed. And clock the connection over time, and grant access basd on what ever criteria you chose.
Freeradius doesn't know anything about the traffic - or destination, or what it contains.

@gertjan very interesting. Thank you for this.

I was on a few 'premier' captive portals recently - American Airlines/GoGoInflight and a large state university - and I realized that they don't use the 114 option either. It's easy to break the Guest Wifi workflow though with iOS and Mac; just ignore the window the first time. Their Captive Portals don't redirect https either - so you have to know neverssl.com or something similar to get back to the portal.

Returning to the solution and discussion: setting the iOS device to see the 114 option is super easy. However, after I do my auth - the iOS requests again to the url, but now I have no context. I guess this is primarily because the IP address is forwarded from the pFSense. Even if I use Tailscale or Wireguard to get all the devices on the same network - pFSense / Netgate box is forwarding the request, so I can't tell who is coming in based on the iP address, nor mac address.

Am I missing something? After you got the 114 login portal working, how did you redirect the iOS device to a 'captive: false' json? I'm missing that part.

@lucas-2 said in Captive portal does not load google account authentications:

Google's hosts are all allowed, and so is authentication with Google's IP allowed, in the "Allowed IP Addresses" settings.

Check blog post again. No need to allow hosts.
Freeradius, running on pfSense, can access freely all IPs on the Internet, as it is just an outbound connection over WAN.

Netgate's blog post is written with pfSense 2.6.0 (or 22.05 Plus - identical I guess) and it should work.

@viragomann
Oh sorry I didn't know that.

Yes, the VLANs are defined as a virtual interface.
Yes, the captive portal was activated on an explicit VLAN.
So the VLANs that are on the physical LAN interface are tagged. The physical LAN interface can be reached via all VLANs.

9aba8909-bc04-4489-be6c-77532ecdca1b-image.png

This is just an excerpt, there are only other VLANs below.

@tapabrata

Did you ever get a solution to this?

Hello,
Thanks I'll try, I'll let you know

@jorge-igor said in Captive Portal x NXFILTER x PFSENSE:

NXFILTER

Easy answer : do not do that.

Portal users should be connected directly to the pfSense captive portal interface (passing trough cables, Wifi, switches etc)
That is : the client's IP and MAC should be known to the pfSense portal.

@unreal516 said in CP and DHCPD Issue 2.6.0:

I have tried rebooting the CP service

The captive portal isn't a 'service'.
A web server, a copy of nginx, is started and listens on port 'localhost' (127.0.0.1) using port 800x and 800x+ (if you are also using https).

Because you want the DHCP server to work for your clients (static IP setup for not network aware clients) won't work ;) you have set up a DHCP server for your captive portal network.

Normally, your "vmx1" should be your LAN.
The captive portal interface should be ... vmx2, some "OPT1" second LAN type interface. As I advice you strongly to put your trusted devices on a LAN and the not trusted devices on another, OPTx network, dedicated for portal users, who are nontrusted by default.
Otherwise : if you trust them, why bother : put an AP on your LAN network, give them your SSID password and you're done.

Btw "vmx1" means : you are using a VM ?
My advise : great ! But first make the portal work on a bare bone, and when it all works out very well, go add another layer of complexity.

"dhcp.c:4164: Failed to send 300 byte long packet over vmx1 interface." means : there is an issue with the vmx1 interface itself. Not some firewall issue.

Btw: the captive portal "ipfw" firewall rules, used by the captive portal, pass all DHCP (and DNS) traffic by default. You don't need to add "DHCP" type firewall rules on your vmx1 "pf" firewall
rule tab.
Also, firewall rules, pf and ipfw, filter incoming traffic. That is : traffic oming INTO the interface.
Your error shows an issue with outgoing traffic, traffic generated by the dhcd (with a "d") server deamon.
Your "dhcp" : is this an error from the dhcp client, typically running on the WAN interface ?

Also : can't remember any more, wasn't there an issue (bug) 2.6.0. with "captive portal only accepts TCP" (and not UDP and ICMP) ? This would explain DHCP == UDP issues.
What are your patches ?
Using the pfSense System patches packages is not optional anymore ;)

@michmoor Thanks, i didnt check if they got an IP. I will have to do more testing. With their MACs in the pass list, is it known that they do work? All the other devices were fine. Not using VLAN.

Thank you!!

@davvidde to answer your specific original question:

pkg upgrade php74-pfSense-module

However, I was in the same situation you were. This is on a Netgate 3100 on which 22.01 was installed from USB image, then an upgrade was attempted from the GUI to 22.05 on 2022-01-04. Standard old-fashioned install, not a ZFS boot environment.

The upgrade appeared to complete but upon reboot/login a "programming error" was reported, same as yours.

Thanks to @Gertjan 's advice on this this thread, I found the extant state to be:

[22.05-RELEASE][admin@pfsense]/root: ls -altr /usr/local/lib/php/20190902/ total 3456 -rw-r--r-- 1 root wheel 50164 Jan 12 2022 simplexml.so -rw-r--r-- 1 root wheel 37144 Jan 12 2022 filter.so -rw-r--r-- 1 root wheel 26772 Jan 12 2022 pcntl.so -rw-r--r-- 1 root wheel 9924 Jan 12 2022 sysvshm.so -rw-r--r-- 1 root wheel 79736 Jan 12 2022 session.so -rw-r--r-- 1 root wheel 7740 Jan 12 2022 sysvsem.so -rw-r--r-- 1 root wheel 41884 Jan 12 2022 sqlite3.so -rw-r--r-- 1 root wheel 25112 Jan 12 2022 xmlreader.so -rw-r--r-- 1 root wheel 34848 Jan 12 2022 xmlwriter.so -rw-r--r-- 1 root wheel 9408 Jan 12 2022 ctype.so -rw-r--r-- 1 root wheel 502668 Jan 12 2022 opcache.so -rw-r--r-- 1 root wheel 100124 Jan 12 2022 pfSense.so -rw-r--r-- 1 root wheel 39176 Jan 12 2022 json.so -rw-r--r-- 1 root wheel 73404 Jan 12 2022 ldap.so -rw-r--r-- 1 root wheel 12008 Jan 12 2022 sysvmsg.so -rw-r--r-- 1 root wheel 78296 Jan 12 2022 sockets.so -rw-r--r-- 1 root wheel 25168 Jan 12 2022 readline.so -rw-r--r-- 1 root wheel 22712 Jan 12 2022 pdo_sqlite.so -rw-r--r-- 1 root wheel 10324 Jan 12 2022 gettext.so -rw-r--r-- 1 root wheel 17080 Jan 12 2022 bz2.so -rw-r--r-- 1 root wheel 383852 Jan 12 2022 intl.so -rw-r--r-- 1 root wheel 8760 Jan 12 2022 shmop.so -rw-r--r-- 1 root wheel 25104 Jan 12 2022 posix.so drwxr-xr-x 4 root wheel 512 Feb 7 2022 .. -rw-r--r-- 1 root wheel 41392 Jun 1 2022 xml.so -rw-r--r-- 1 root wheel 37772 Jun 1 2022 zlib.so -rw-r--r-- 1 root wheel 34052 Jun 1 2022 mcrypt.so -rw-r--r-- 1 root wheel 16508 Jun 1 2022 tokenizer.so -rw-r--r-- 1 root wheel 158024 Jun 1 2022 dom.so -rw-r--r-- 1 root wheel 159584 Jun 1 2022 openssl.so -rw-r--r-- 1 root wheel 1004320 Jun 1 2022 mbstring.so -rw-r--r-- 1 root wheel 91544 Jun 1 2022 pdo.so -rw-r--r-- 1 root wheel 42736 Jun 1 2022 radius.so -rw-r--r-- 1 root wheel 30140 Jun 1 2022 bcmath.so -rw-r--r-- 1 root wheel 88780 Jun 1 2022 curl.so -rw-r--r-- 1 root wheel 26052 Jun 1 2022 rrd.so drwxr-xr-x 2 root wheel 1024 Jan 4 07:45 .

So some of the .so's were upgraded and some not. Looking further:

[22.05-RELEASE][admin@pfsense]/root: pkg which /usr/local/lib/php/20190902/pfSense.so /usr/local/lib/php/20190902/pfSense.so was installed by package php74-pfSense-module-0.76 [22.05-RELEASE][admin@pfsense]/root: pkg search pfSense-module php74-pfSense-module-0.81 Library for getting useful info [22.05-RELEASE][admin@pfsense]/root: pkg upgrade php74-pfSense-module Updating pfSense-core repository catalogue... pfSense-core repository is up to date. Updating pfSense repository catalogue... pfSense repository is up to date. All repositories are up to date. Checking integrity... done (0 conflicting) The following 1 package(s) will be affected (of 0 checked): Installed packages to be UPGRADED: php74-pfSense-module: 0.76 -> 0.81 [pfSense] Number of packages to be upgraded: 1 Proceed with this action? [y/N]: y [1/1] Upgrading php74-pfSense-module from 0.76 to 0.81... [1/1] Extracting php74-pfSense-module-0.81: 100% [22.05-RELEASE][admin@pfsense]/root: ls -altr /usr/local/lib/php/20190902/ total 3460 -rw-r--r-- 1 root wheel 50164 Jan 12 2022 simplexml.so -rw-r--r-- 1 root wheel 37144 Jan 12 2022 filter.so -rw-r--r-- 1 root wheel 26772 Jan 12 2022 pcntl.so -rw-r--r-- 1 root wheel 9924 Jan 12 2022 sysvshm.so -rw-r--r-- 1 root wheel 79736 Jan 12 2022 session.so -rw-r--r-- 1 root wheel 7740 Jan 12 2022 sysvsem.so -rw-r--r-- 1 root wheel 41884 Jan 12 2022 sqlite3.so -rw-r--r-- 1 root wheel 25112 Jan 12 2022 xmlreader.so -rw-r--r-- 1 root wheel 34848 Jan 12 2022 xmlwriter.so -rw-r--r-- 1 root wheel 9408 Jan 12 2022 ctype.so -rw-r--r-- 1 root wheel 502668 Jan 12 2022 opcache.so -rw-r--r-- 1 root wheel 39176 Jan 12 2022 json.so -rw-r--r-- 1 root wheel 73404 Jan 12 2022 ldap.so -rw-r--r-- 1 root wheel 12008 Jan 12 2022 sysvmsg.so -rw-r--r-- 1 root wheel 78296 Jan 12 2022 sockets.so -rw-r--r-- 1 root wheel 25168 Jan 12 2022 readline.so -rw-r--r-- 1 root wheel 22712 Jan 12 2022 pdo_sqlite.so -rw-r--r-- 1 root wheel 10324 Jan 12 2022 gettext.so -rw-r--r-- 1 root wheel 17080 Jan 12 2022 bz2.so -rw-r--r-- 1 root wheel 383852 Jan 12 2022 intl.so -rw-r--r-- 1 root wheel 8760 Jan 12 2022 shmop.so -rw-r--r-- 1 root wheel 25104 Jan 12 2022 posix.so drwxr-xr-x 4 root wheel 512 Feb 7 2022 .. -rw-r--r-- 1 root wheel 41392 Jun 1 2022 xml.so -rw-r--r-- 1 root wheel 37772 Jun 1 2022 zlib.so -rw-r--r-- 1 root wheel 34052 Jun 1 2022 mcrypt.so -rw-r--r-- 1 root wheel 16508 Jun 1 2022 tokenizer.so -rw-r--r-- 1 root wheel 158024 Jun 1 2022 dom.so -rw-r--r-- 1 root wheel 159584 Jun 1 2022 openssl.so -rw-r--r-- 1 root wheel 1004320 Jun 1 2022 mbstring.so -rw-r--r-- 1 root wheel 91544 Jun 1 2022 pdo.so -rw-r--r-- 1 root wheel 42736 Jun 1 2022 radius.so -rw-r--r-- 1 root wheel 30140 Jun 1 2022 bcmath.so -rw-r--r-- 1 root wheel 88780 Jun 1 2022 curl.so -rw-r--r-- 1 root wheel 26052 Jun 1 2022 rrd.so -rw-r--r-- 1 root wheel 102804 Jun 1 2022 pfSense.so drwxr-xr-x 2 root wheel 1024 Jan 5 14:44 .

So that fixed the specific module. Looking further:

[22.05-RELEASE][admin@pfsense]/root: pkg which /usr/local/lib/php/20190902/json.so /usr/local/lib/php/20190902/json.so was installed by package php74-json-7.4.26 [22.05-RELEASE][admin@pfsense]/root: pkg search php74-json php74-json-7.4.28 The json shared extension for php

So I figured that several packages were not upgraded on the system upgrade.

Going for broke:

[22.05-RELEASE][admin@pfsense]/root: pkg upgrade Updating pfSense-core repository catalogue... pfSense-core repository is up to date. Updating pfSense repository catalogue... pfSense repository is up to date. All repositories are up to date. Checking for upgrades (46 candidates): 100% Processing candidates (46 candidates): 100% Checking integrity... done (0 conflicting) The following 47 package(s) will be affected (of 0 checked): New packages to be INSTALLED: php74-libbe: 0.1.4 [pfSense] Installed packages to be UPGRADED: arpwatch: 3.1 -> 3.2 [pfSense] bash: 5.1.12 -> 5.1.16 [pfSense] bind-tools: 9.16.23 -> 9.16.26 [pfSense] clamav: 0.104.1,1 -> 0.104.2,1 [pfSense] db5: 5.3.28_7 -> 5.3.28_8 [pfSense] dnsmasq: 2.86,1 -> 2.86_3,1 [pfSense] dpinger: 3.0 -> 3.2 [pfSense] filterdns: 2.0_5 -> 2.0_6 [pfSense] hostapd: 2.9_4 -> 2.10 [pfSense] iperf3: 3.10.1_1 -> 3.11 [pfSense] links: 2.20.2_1,1 -> 2.25,1 [pfSense] mpd5: 5.9_6 -> 5.9_7 [pfSense] mtr-nox11: 0.94_1 -> 0.95 [pfSense] nginx: 1.20.2_1,2 -> 1.20.2_9,2 [pfSense] nss: 3.73 -> 3.76 [pfSense] ntp: 4.2.8p15_3 -> 4.2.8p15_5 [pfSense] openvpn: 2.5.4_1 -> 2.6.0_8 [pfSense] pfSense: 22.01 -> 22.05 [pfSense] pfSense-u-boot-env: 20211006 -> 20220429 [pfSense] php74-bz2: 7.4.26 -> 7.4.28 [pfSense] php74-ctype: 7.4.26 -> 7.4.28 [pfSense] php74-filter: 7.4.26 -> 7.4.28 [pfSense] php74-gettext: 7.4.26 -> 7.4.28 [pfSense] php74-intl: 7.4.26 -> 7.4.28 [pfSense] php74-json: 7.4.26 -> 7.4.28 [pfSense] php74-ldap: 7.4.26 -> 7.4.28 [pfSense] php74-opcache: 7.4.26 -> 7.4.28 [pfSense] php74-pcntl: 7.4.26 -> 7.4.28 [pfSense] php74-pdo_sqlite: 7.4.26 -> 7.4.28 [pfSense] php74-posix: 7.4.26 -> 7.4.28 [pfSense] php74-readline: 7.4.26 -> 7.4.28 [pfSense] php74-session: 7.4.26 -> 7.4.28 [pfSense] php74-shmop: 7.4.26 -> 7.4.28 [pfSense] php74-simplexml: 7.4.26 -> 7.4.28 [pfSense] php74-sockets: 7.4.26 -> 7.4.28 [pfSense] php74-sqlite3: 7.4.26 -> 7.4.28 [pfSense] php74-sysvmsg: 7.4.26 -> 7.4.28 [pfSense] php74-sysvsem: 7.4.26 -> 7.4.28 [pfSense] php74-sysvshm: 7.4.26 -> 7.4.28 [pfSense] php74-xmlreader: 7.4.26 -> 7.4.28 [pfSense] php74-xmlwriter: 7.4.26 -> 7.4.28 [pfSense] py38-libzfs: 1.1.2021100100 -> 1.1.2022021400 [pfSense] smartmontools: 7.2_3 -> 7.3 [pfSense] squid: 4.15 -> 5.4.1 [pfSense] suricata: 6.0.4 -> 6.0.4_3 [pfSense] zeek: 4.0.4 -> 4.0.5 [pfSense] Number of packages to be installed: 1 Number of packages to be upgraded: 46 The process will require 5 MiB more space. Proceed with this action? [y/N]: y ...

That ran OK, upon which:

[22.05-RELEASE][admin@pfsense]/root: ls -altr /usr/local/lib/php/20190902/ total 3500 drwxr-xr-x 4 root wheel 512 Feb 7 2022 .. -rw-r--r-- 1 root wheel 41392 Jun 1 2022 xml.so -rw-r--r-- 1 root wheel 37772 Jun 1 2022 zlib.so -rw-r--r-- 1 root wheel 34052 Jun 1 2022 mcrypt.so -rw-r--r-- 1 root wheel 16508 Jun 1 2022 tokenizer.so -rw-r--r-- 1 root wheel 158024 Jun 1 2022 dom.so -rw-r--r-- 1 root wheel 48780 Jun 1 2022 simplexml.so -rw-r--r-- 1 root wheel 159584 Jun 1 2022 openssl.so -rw-r--r-- 1 root wheel 1004320 Jun 1 2022 mbstring.so -rw-r--r-- 1 root wheel 91544 Jun 1 2022 pdo.so -rw-r--r-- 1 root wheel 37288 Jun 1 2022 filter.so -rw-r--r-- 1 root wheel 42736 Jun 1 2022 radius.so -rw-r--r-- 1 root wheel 30140 Jun 1 2022 bcmath.so -rw-r--r-- 1 root wheel 27268 Jun 1 2022 pcntl.so -rw-r--r-- 1 root wheel 10004 Jun 1 2022 sysvshm.so -rw-r--r-- 1 root wheel 78348 Jun 1 2022 session.so -rw-r--r-- 1 root wheel 7724 Jun 1 2022 sysvsem.so -rw-r--r-- 1 root wheel 42076 Jun 1 2022 sqlite3.so -rw-r--r-- 1 root wheel 25464 Jun 1 2022 xmlreader.so -rw-r--r-- 1 root wheel 34688 Jun 1 2022 xmlwriter.so -rw-r--r-- 1 root wheel 9532 Jun 1 2022 ctype.so -rw-r--r-- 1 root wheel 498832 Jun 1 2022 opcache.so -rw-r--r-- 1 root wheel 74556 Jun 1 2022 ldap.so -rw-r--r-- 1 root wheel 12200 Jun 1 2022 sysvmsg.so -rw-r--r-- 1 root wheel 25328 Jun 1 2022 readline.so -rw-r--r-- 1 root wheel 78344 Jun 1 2022 sockets.so -rw-r--r-- 1 root wheel 23188 Jun 1 2022 pdo_sqlite.so -rw-r--r-- 1 root wheel 10388 Jun 1 2022 gettext.so -rw-r--r-- 1 root wheel 17416 Jun 1 2022 bz2.so -rw-r--r-- 1 root wheel 8808 Jun 1 2022 shmop.so -rw-r--r-- 1 root wheel 26512 Jun 1 2022 posix.so -rw-r--r-- 1 root wheel 88780 Jun 1 2022 curl.so -rw-r--r-- 1 root wheel 26052 Jun 1 2022 rrd.so -rw-r--r-- 1 root wheel 33428 Jun 1 2022 libbe.so -rw-r--r-- 1 root wheel 102804 Jun 1 2022 pfSense.so -rw-r--r-- 1 root wheel 38456 Jun 1 2022 json.so -rw-r--r-- 1 root wheel 385828 Jun 1 2022 intl.so drwxr-xr-x 2 root wheel 1024 Jan 5 14:47 .

A reboot was successful with no error upon login.

n.b. @jimp , it appears this thread was accurately in the Installation and Upgrades category originally, if that matters (the captive portal error message appears to be incidental to a failed php74-pfSense-module upgrade). No captive portals are in use on this device.

It would be useful if the upgrade procedure verified successful state transition before or after its reboot.

Thanks for the tips
I will make some testing based on your advises.
If anybody else whant to share experience on that we will benefit from it.
Regards
Pierre

@giyahban

Read also https://forum.netgate.com/topic/174489/22-05-cp-clients-have-connectivity-issues-after-x-amount-of-time/44 ( the entire thread ).

The issue was : every portal users should have its own "pair of pipes". This isn't the case on 22.05, they wind up all sharing the same first pipe. When he first user gets logged out, the pipe is destroyed, the pipe every other user is also using : oops situation guranteed.
Solution is in the thread.

Btw : I get it : install 22.05 and now the portal is somewhat broken (depending your needs). You need to 'patch' yourself some files to make it work again ....

@michmoor
Oddly enough your idea about /16 being the big chunk is right!
I added /24 subnets seperately and apparently its working fine!
It was strange but thanks for your insight it helps a lot

@gertjan
Thanks for explanation, so its by design.
Its not bad, was just wondering about the different behaviour compared to the other widgets.

Regards