• Captive portal block whatsup

    32
    0 Votes
    32 Posts
    7k Views
    GertjanG
    @ertegun You just allowed (white listed) all the IP addresses, starting from 192.168.60.1 to 192.168.60.254, or, the entire /24 network. Your entire captive portal network ? All these devices that get an IP in that network assigned, will pass through the portal without seeing any login page whatsoever. You might as well shut down the captive portal completely : that works also great. The issue (if I recall well - 2.6.0 is a long time in the past for me) was : pfSense 2.6.0 only passes TCP traffic, not ICMP, neither UDP. That was a big bug, and broke a lot. As said on the first line, above : @moelharrak said in Captive portal block whatsup: After upgrade to 2.6 captive portal is blocking whatsup (audio and video, chat works fine), I did test other app like instagram and it works fine. when I disable the captive portal, whatsup goes back to work normal. See also : UDP/ICMP is not working after upgrade to 2.6.0 I guess it's still a question of : install the System patches package, then apply all the patches listed in this package. Done.
  • Idle Time Accounting or Idle timeout ?

    7
    0 Votes
    7 Posts
    1k Views
    ivanildolbI
    @gertjan I understand. When I mentioned that I preferred a minimum downtime of 15 days, it is because I see no sense in users logging in daily, since they already belong to the institution. In the case of a hotel it is different, because people stay for a few days and leave. In my case, I wanted sessions to be disconnected only when users took vacations or no longer belonged to the institution. Anyway, now I understand the process. Now I'm just going to decide which way to go. Thank you very much for the clarification !!!
  • Inglés Show captive portal logged in users

    captiveportal problem pfsense
    4
    0 Votes
    4 Posts
    1k Views
    GertjanG
    @cxcx_avjj Hummm. After a successful login, I simply redirect the user to the known : [image: 1680679212827-95300287-8e35-4a7f-823b-a26585729c92-image.png] as that would make the user understand he is 'online'. But I could also redirect to a "home made", locally available web page, like the portal login page. This file should be uploaded with the Services>Captive Portal>CPZONE>File Manager Be aware : the prefix "captiveportal-" will get prefixed. Take a look at what this button shows you : [image: 1680679588280-c3c27d9a-d1d4-4fb1-9c2d-c7c7bc0515fc-image.png] You will see the login page. And more important : the URL used, with the port number, as it is not port 80 (http) or 443 (https). Probably a 800x port. And the zone ID used with a parameter called 'zone'. So, this is possible : [image: 1680679841607-ec125b9e-23a2-4703-86f7-640e3760853a-image.png] Where : https://portal.yourzone.tld = your captive portal URL - I'm a https access :8003/ The port of this 'cpzone1 ID access captiveportal-recap.html My home made file called 'recap.html' ?zone=cpzone1 My zone ID of this portal zone The "recap.html" html can use PHP ! And because you can use PHP, and the recap.html is called with the "?zone=cpzone" parameter, you can now access whatever you want ! Take /usr/local/captiveportal/index.php as an example. You'll see how it extracts the zone argument. If, for example, you use vouchers, you can test vouchers for time left : Status > Captive Portal > CPZONE > Test Vouchers Just take a look at /usr/local/www/status_captiveportal_test.php and you'll know how to extract the time from a given voucher. How do you know what voucher is used ? Well, your 'recap.html' can obtain the IP your device is using. With this IP, and the "connected users database" (see /etc/inc/captiveportal.inc - this file is a must-read-and-understand) you can get the user login code, which is the voucher code. With the voucher code you can obtain the time left. 
Want to know what the default popup logout window does - or how to log out a user? Again, go have a look at /etc/inc/captiveportal.inc So, yes, the sky is the limit. And yes, this goes beyond what you can find in the GUI.
  • Traffic Quota reset period (Caravan park use)

    2
    0 Votes
    2 Posts
    354 Views
    GertjanG
    @timboau-0 said in Traffic Quota reset period (Caravan park use): Each 'site/user' can login using their site number and a password Probably better to use a unique number like a reservation number. If you use a "site" (place) then you have to deal with overlapping between clients. Freeradius makes it possible to put an "Expiration Date" on every created user so you don't have to log out users yourself. You can clean up the 'users' list at the end of the season, and enter new ones when reservations come in. A reservation number would be unique, and will be invalidated when the client leaves, as arrive and leave dates are known upfront. This will also take care of traffic quota per user : everybody uses its own traffic quota counter Daily traffic quotas can be reset 'every day' : [image: 1680678551810-24409d3c-c3a3-4145-912c-81d6067f78c1-image.png] I have a cron task that resets the daily 'used' counter every day at noon : [image: 1680678950927-8ce20f01-a374-4ca9-97cd-86af32cd6180-image.png]
  • freeradius+mysql not recording usage properly

    2
    0 Votes
    2 Posts
    472 Views
    C
    I may have resolved this. I had the captive-portal zone configured as [image: 1680301806015-captive-portal-page-head.png] [image: 1680301805947-captive-portal-accounting-start-stop.png] I changed Send accounting updates [image: 1680301805997-captive-portal-accounting.png] Now, when I submit the SQL query,

        SELECT radacctid,username,acctstarttime,acctupdatetime,acctstoptime,acctinterval,acctinputoctets,acctoutputoctets FROM radacct

    multiple times, I see ( in long format again )

           query name             value
           <int> <chr>            <chr>
         1     1 radacctid        1
         2     1 username         ec:92:de:1b:16:4d
         3     1 acctstarttime    2023-03-31 15:07:43
         4     1 acctupdatetime   2023-03-31 15:10:55
         5     1 acctstoptime     NULL
         6     1 acctinterval     60
         7     1 acctinputoctets  257562
         8     1 acctoutputoctets 10413921
         9     2 radacctid        1
        10     2 username         ec:92:de:1b:16:4d
        11     2 acctstarttime    2023-03-31 15:07:43
        12     2 acctupdatetime   2023-03-31 15:11:56
        13     2 acctstoptime     NULL
        14     2 acctinterval     61
        15     2 acctinputoctets  283941
        16     2 acctoutputoctets 11085058
        17     3 radacctid        1
        18     3 username         ec:92:de:1b:16:4d
        19     3 acctstarttime    2023-03-31 15:07:43
        20     3 acctupdatetime   2023-03-31 15:12:57
        21     3 acctstoptime     NULL
        22     3 acctinterval     61
        23     3 acctinputoctets  530469
        24     3 acctoutputoctets 20836789
        25     4 radacctid        1
        26     4 username         ec:92:de:1b:16:4d
        27     4 acctstarttime    2023-03-31 15:07:43
        28     4 acctupdatetime   2023-03-31 15:24:06
        29     4 acctstoptime     NULL
        30     4 acctinterval     60
        31     4 acctinputoctets  530469
        32     4 acctoutputoctets 20838821

    The acctupdatetime value increases across the 4 queries and the acctstoptime is NULL ( the session is still active ). The values of acctinputoctets and acctoutputoctets are ( monotonically ) increasing.
  • maximum daily usage time error following update to 23.01

    6
    0 Votes
    6 Posts
    867 Views
    GertjanG
    @turntheterribletank said in maximum daily usage time error following update to 23.01: You're setting Accounting Interim Interval to 600 AFAIK : because I'm using accounting with my captive portal settings : [image: 1680240062828-58b2ae93-2be5-4e23-9630-566a7e5921bf-image.png] Strange that you have these fields set to "0" when the same fields are empty on your FreeRadius user settings page. I don't have these "0" parameters. The presence of the Exec-Program-Wait = "/bin/sh /user/local/etc/radbb/scripts/datacounter_auth.sh Test daily" doesn't look good at all. See what the script does. Check for yourself if a file like /var/log/radacct/datacounter/daily/max-octets-Test exists. If that's so, and it contains '0' then yeah, when the user logs in he will already have generated more than "0" bytes so he'll be logged out right away.
  • mac filter on captive portal not working after configuration restore

    2
    0 Votes
    2 Posts
    397 Views
    GertjanG
    @assistenzanet95 You have some digging to do in the past, here, on this forum. If I recall well, when 2.6.0 came out, there was an issue with the portal : only TCP was passed, no UDP, no ICMP. Solutions were posted, and there was even a system patch that came with the pfSense system patcher package (?).
  • Incorrect credentials specified

    10
    0 Votes
    10 Posts
    1k Views
    TheCableGuy96T
    @gertjan Ahh I see, so it's not a secondary login, it's a backup login. Thanks again for the help.
  • Captive Portal optional interface issue

    1
    1 Votes
    1 Posts
    337 Views
    No one has replied
  • Help Needed!. Captive portal not working ( No login page )

    15
    0 Votes
    15 Posts
    6k Views
    GertjanG
    @yogi_en said in Help Needed!. Captive portal not working ( No login page ): I didn't get any pop browser or captive portal login. Ah, I'm curious. What OS / what device ? When you buy a device from here it works, and as far as I know you, as a user, can't do a thing to stop this process. As Apple checks accepting an app on their platform. Other brands : they care less ? Windows : I've tested 10 'home', 'pro', 11 home (burk) and 'pro'. I even debloated them (see Youtube about that) and portals are recognized. That is, you still have to spot the tray notification message and act upon it. I've seen people using some high end (consumer high end that is) firewalls/antivirus and they had set up : "only trust my home wifi network" so now their security was great ..... and moments later they want to use their device on my wifi network .... Yeah, that was a fail .... as the device was following the original instruction : do not trust / use 'other' networks. So they went for the Hall 200 problem : do not give automates conflict instructions, as they will bite (the example : kill) you. @yogi_en said in Help Needed!. Captive portal not working ( No login page ): I even tried a local url http://192.168.5.25:5000 Portal firewall rules will redirect port '80' and port 443 if you use https. So port "5000" : you hit the wall. Use these : [image: 1677654510615-6cc8be0f-9940-4ffe-bfd8-17e55af044a9-image.png] to test the portal web server. Or, when connected to the captive portal network, as soon as you received an IP (DNS, gateway, network) : use http://192.168.10.1:8002/index.php?zone=ZONE where ZONE is your zone ID. Btw : http://captive.apple.com/hotspot-detect.html should also work as this is a http thus port '80' TCP request. @yogi_en said in Help Needed!. Captive portal not working ( No login page ): DNS server is my router 192.168.1.1 ( which I cannot ping when CP is enabled ). I have to shave-up your definition of a captive portal. 
A captive portal allows minimal interaction with itself. If 19.168.10.1 is your captive portal pfSense interface, you can : Do DHCP Do DNS requests on port 53, UDP and TCP. Port 80 (http) listens to you. Port 443 (443) listens to you - if you've activated that Ping the captive portal pfSense IP You can NOT go to some other network, and that includes your local networks like 192.168.5.x So, right, the portal works : no ping or whatever to 192.168.5.x I just tested : I've connected my phone to the captive portal (as the stupid thing does not accept the wifi connection without a login first). With a phone app I launched a 100 times ping to the portal interface, that was 192.168.2.1 for me. It replies constantly. Then, in the pfSense dashboard GUI, I removed my phone's connection. The ping app in my phone continued to send pings to 192.168.2.1, and 192.168.2.1 continues to reply. Or, at that moment, from a captive portal firewall point of view, my phone was disconnected.
  • Captive Disconnects Clients

    6
    0 Votes
    6 Posts
    786 Views
    C
    @gertjan Do you know what I can do with it? Here's my most recent logs by the way. [image: 1677541010091-60f67b9e-a786-4435-9cfb-cf5b69c0b810-image.png] @heper I am on the latest stable version of pfsense 2.6.0
  • Captive portal working on Mobile Devices, but not on Laptops/Desktops

    11
    0 Votes
    11 Posts
    4k Views
    F
    Well, I am rather sure, after about 8 years he did find a solution... Regards
  • 0 Votes
    2 Posts
    881 Views
    GertjanG
    @adnan97 From what I recall, these issues were solved with patches pfSense package ages ago : [image: 1677241793042-4dcf0368-291d-486f-9000-c36f26764e2e-image.png] The bad news : you have to dig them up, here, in this forum or redmine. The good news : 2.7.0 - coming out soon - will take care of things. I was using 2.6.0 quite a long time, and issues (important to me) were solved after some forum interaction.
  • Voucher expiry

    9
    0 Votes
    9 Posts
    1k Views
    GertjanG
    @david6464 said in Voucher expiry: Can you send me screenshots of your captive portal and freeradius config? Of course. But before we compare apples with oranges, I'll describe my setup. I have a dedicated 192.168.2.1/24 captive portal network interface. I'm using the "https" access with known signed certs - I use acme.sh - this isn't related to your question I guess. I'm using my own login and error page, just to add some logos etc - the internal html is identical to the built-in pages. [image: 1676635352738-cpsettings.jpg] The auth server settings page : [image: 1676635615367-9796d5cc-72a2-4a9f-8db0-b993c1a4b572-image.png] FreeRadius : I have a bunch of users : [image: 1676635684514-9796f809-cd8e-49f7-b3f2-23d36b9c4ac1-image.png] Most of them have only their 'name' and password set. User '001' has a daily limit of 600 seconds. Keep in mind : I use Radius, but are not really bit counting, are rate limiting, or whatever. I'm not selling my access, and I don't have to educate kids or so. My portal has one rule : if it works for you, then that's fine. If it doesn't, then you (the portal user) has an issue - not me ;) The MACs page is empty. [image: 1676635961022-f32b9571-5ae0-4190-a1af-60db30e0a87e-image.png] [image: 1676636004879-75ff5cfc-16f4-443d-823e-8dbe58d13128-image.png] [image: 1676636192622-78b102e0-0c18-419e-9051-198c907e74ab-image.png] [image: 1676636246114-d63eda76-1ab3-465b-896b-fe7ccd408ba6-image.png] Note : the FreeRadius cert was auto generated ? I don't remember any more. The Youtube => Netgate FreeRadius movies will help you. [image: 1676636101671-4193c5f4-102e-4f1c-99ac-4bb475feff22-image.png] Note 192.168.1.33 is my Synology NAS with the SQL server. The last 3, LDAP View Config and XMLRPC Sync are not used by me. Last image : My Mariadb (SQL) database with the tables. 
[image: 1676636434568-fe060bb6-7f1e-44bb-9e79-7b48d1f1e361-image.png] Note : keep in mind : The pfSense FreeRadius package is a partial implementation of what FreeRadius can really do. A lot is hard coded in the FreeRadius config, as bringing them to the GUI would be ..... mission impossible. To understand what I mean look here : /usr/local/etc/raddb/ and have a look at ALL the files and ALL the files in ALL the sub folders. The main file is /usr/local/etc/raddb/sites-enabled/default , it all starts there. Most of it is purely hard coded. FreeRadius is complicated.
  • Userwise browsing history logging

    2
    0 Votes
    2 Posts
    326 Views
    GertjanG
    @harias You should go here. These are the ones you need : IDS/IPS : as packets need to be inspected to know what a user on a LAN does. Cache/Proxy might also give information. Both go way beyond (like a light year) of classic firewall / router management. You asked for the full control of whatever traffic flows through pfSense. This means you have to know for real what happens, and why. When that is the case, these tools will do the dirty work for you. A guy from China (of course) said once : "You can only fight the dragon if you know what it looks like". Btw : Freeradius can check used ID, user hardware ID (MAC, IP) and bytes consumed. And clock the connection over time, and grant access based on whatever criteria you chose. Freeradius doesn't know anything about the traffic - or destination, or what it contains.
  • 0 Votes
    1 Posts
    355 Views
    No one has replied
  • Adding context to 114 DHCP Text Value

    dhcp 114 captive portal
    3
    0 Votes
    3 Posts
    3k Views
    C
    @gertjan very interesting. Thank you for this. I was on a few 'premier' captive portals recently - American Airlines/GoGoInflight and a large state university - and I realized that they don't use the 114 option either. It's easy to break the Guest Wifi workflow though with iOS and Mac; just ignore the window the first time. Their Captive Portals don't redirect https either - so you have to know neverssl.com or something similar to get back to the portal. Returning to the solution and discussion: setting the iOS device to see the 114 option is super easy. However, after I do my auth - the iOS requests again to the url, but now I have no context. I guess this is primarily because the IP address is forwarded from the pfSense. Even if I use Tailscale or Wireguard to get all the devices on the same network - pfSense / Netgate box is forwarding the request, so I can't tell who is coming in based on the IP address, nor mac address. Am I missing something? After you got the 114 login portal working, how did you redirect the iOS device to a 'captive: false' json? I'm missing that part.
  • 0 Votes
    4 Posts
    1k Views
    GertjanG
    @lucas-2 said in Captive portal does not load google account authentications: Google's hosts are all allowed, and so is authentication with Google's IP allowed, in the "Allowed IP Addresses" settings. Check blog post again. No need to allow hosts. Freeradius, running on pfSense, can access freely all IPs on the Internet, as it is just an outbound connection over WAN. Netgate's blog post is written with pfSense 2.6.0 (or 22.05 Plus - identical I guess) and it should work.
  • Network down when Captive Portal active

    3
    0 Votes
    3 Posts
    226 Views
    L
    @viragomann Oh sorry I didn't know that. Yes, the VLANs are defined as a virtual interface. Yes, the captive portal was activated on an explicit VLAN. So the VLANs that are on the physical LAN interface are tagged. The physical LAN interface can be reached via all VLANs. [image: 1675953567348-9aba8909-bc04-4489-be6c-77532ecdca1b-image.png] This is just an excerpt, there are only other VLANs below.
  • Captive Portal on a transparent network bridge

    1
    0 Votes
    1 Posts
    149 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.