@yaseen-naseer

Not stupid, as you need to do it.
Doing nothing means your portal is pretty broken.

This means :
https://redmine.pfsense.org/projects/pfsense/repository/1/revisions/225f86af947822e6bd6f816f6b8fa926c34fe857/diff/src/etc/inc/captiveportal.inc
is very special secret indication that :
You have to edit the pfSense /etc/inc/captiveportal.inc source file.
First, remove the red line - or, better, place // at the beginning of each line.
Next : don't type (never use the keyboard, that always goes wrong) but copy past the green lines.
The not-green and not red lines - thus black lines - are there so you can find the right place in the file.
If you've never done so before : this is your first attempt to actually program something : you've been writing some PHP.

Because you and I are humans, I advise to execute this command first :

c9c15ee8-c512-4e76-b823-7848925d51bc-image.png

It will take a copy of the original file /etc/inc/captiveportal.inc and place it in /etc/inc/captiveportal.inc.backup
So, when thing go bad, for example, you didn't remember how to operate the keyboard, you can always go back to the situation before.

From what I've been reading and writing, issue 12834 had a patch in the pfSense system patcher package.
See here : https://forum.netgate.com/topic/170762/captive-portal-on-specific-vlan-prevents-routing-to-other-networks-since-22-01/4?_=1670414478625
If that's not the case : manual editing is needed.
( or making your own patch file and use that. That's not a "beginners" task )

Don't worry, you can do it.

This exists : Editing Files on the Firewall/edit-file.html - but I never used it (to hard ;).
I use the console - or better : SSH access. Ones in, go for option 8.
There is an editor called 'ee' (Google will tell how it works, no rockets science here, promised).
Tip : ask Google if it can show line numbers.
Now you edit the file.

@ahmetakkaya

not an error message

but I created a panel for accounting, it's annoying to see it here

I don't want to use 2.6.0

Because I created Limiters in Traffic Shaper didn't work

@gtt1229 said in Username Only Captive Portal:

I am trying to setup Captive Portal to just take a username.

Why do you want to take a name ?
a) so the user can type in sjkdfhsqjfhskjhfsjkqsqjdfhsdqfjh and then you trow that name away, and have all user login using a generic name, common among all users ?
b) or do you want that name to match with an existing using, so "sjkdfhsqjfhskjhfsjkqsqjdfhsdqfjh" has to exist ?

No need to patch the system, you can (have to) create your own 'html login page'.
The concept is shown here :

c111e717-d4e1-4e32-a1b8-ae4cf432ee7c-image.png

To see the full html page, have the login page shown in your browser, and tell your browser to show the 'source' (and that is html of course, as that is what the browser received).

You could hide the real user name, and the real password. Just show a welcome message.
The hidden (not shown on the screen) user name and password will be used for all users to login. This user password pair has to be defined in the pfSense User manager.

You'll have to set this :

5142ad4c-5e25-47a1-ac45-f48eefc92da0-image.png

otherwise an existing logged in user will get thrown of if some else is logging in.

Or, go for the

088455cb-6256-46ae-9380-17ac82d3e200-image.png

option. You can add a html field that asks for a name, phone number, or why not, ask for a credit card number **, as the entered text gets ditched anyway.

** I advise you to use https to show the portal login page, if not, you'll get hurt.

@axel-1 said in Redirect URL:

if there was another method other than the captive portal to achieve this result.

Redirect to a locally hosted (on pfSense) web page that states :

Please close this windows / app.
You are now connected.
Use any app, like mail client, SSH, VPN, Web browser at you wish.

OMG!!!

9793b76c-8d7a-4038-9b81-ef684434d901-grafik.png

My guess the "outline" is the enabled option...so i didnt check it... 😵

Now it looks like

b86daf5a-bd6f-422c-933e-d1075f30010e-grafik.png

Thanks for swapping the brick from my head... 😊

Regards

@cpa said in Command to regenerate /tmp/rules.debug:

and why there is no MAC in the rules.debug)

![f366120c-a5d9-4364-8aca-eb282b157c45-image.png](/assets/uploads/files/1668610461740-f366120c-a5d9-4364-8aca-eb282b157c45-image.png

and you're right : nothing in the /tmp/rules.debug

But when I read Troubleshooting Captive Portal you'll find ways to see pf firewall rules :

pfSsh.php playback pfanchordrill

shows me :

..... cpzoneid_2_passthrumac rules/nat contents: cpzoneid_2_passthrumac/001122334455 rules/nat contents: ether pass in quick from 00:11:22:33:44:55 l3 all tag cpzoneid_2_auth dnpipe 2008 ether pass out quick to 00:11:22:33:44:55 l3 all tag cpzoneid_2_auth dnpipe 2009

@cpa said in Command to regenerate /tmp/rules.debug:

So what I plan to do is to change the config.xml by ansible, regenerate the /tmp/rules.debug-File and reapply this file to the packetfilter.

Easy answer : ok to look for solution but forget about using (modifying) "/tmp/rules.debug" yourself.
This file exists as read only, and can be changed by the system at any time.

It would work, of course, as most part of the GUI is written in PHP, but : You have to know how pfSense works - and there is no way to short circuit that.
Adding a MAC to the MAC list of the captive portal isn't rocket science, as you can borrow all the PHP scripts that already exist.
How to 'flush' the new MAC to the config and applied it to the firewall : you'll find out fast enough, as code writing always starts with a lot of reading (about how the system works).
pfSense doesn't have an API or something like that.

@qssysadmin

How does your question relate to the captive portal ?
( you posted in the captive portal section of the forum )

A reboot is always mandatory as you changed the kernel version (a kernel can't be reloaded in place).

@qssysadmin said in Pfsense 2.6 Captive Portal does not allow vpn connection established:

ping for example to 8.8.8.8 is blocked

Not an issue.
8.8.8.8 replies to DNS requests. No need to ping it.

@qssysadmin said in Pfsense 2.6 Captive Portal does not allow vpn connection established:

I put a firewall Rule on the LAN Interface which allows all traffic from internal to external

The default LAN firewall rue permits everything. No extra rules needed.

@ahmetakkaya

You want to use the portal access from 'somewhere' on the Internet ?
I never saw a setup like that.

The captive portal is designed to give a devices on a local network acess to the Internet, and other selected resources.
Devices that are already on the Internet don't need access t the Internet, they already have it.

If you want to access local resources from the outside, use a VPN.

I want to bring up this subject again.

CoA, Change of Authorization, basically consists in a UDP packet which a RADIUS server can send to a NAS (like the pfSense captive portal) to change reply attributes or disconnect a user.

This is particularly helpful in implementing authorization flows in which the user gets a basic connection first and then is upgraded to different limitations (eg: more bandwidth, more traffic, more connection time, etc).
It also helps to manage radius sessions for multiple NAS from a central point.

I have been able to implement something with Coova-Chilli, which supports CoA and I think it would be great for PfSense to support this as Chilli does so I opened a feature request: https://redmine.pfsense.org/issues/13625.

CoA RFC https://www.ietf.org/rfc/rfc3576.txt.

Peace.

@level4 said in 22.05 - CP clients have connectivity issues after x amount of time:

That "} else" ..
shouldn't be a "} else {"
with a "}" below the "$auth_result =" line ?

You can place

$auth_result = captiveportal_authenticate_user($user, $passwd, $clientmac, $clientip, $pipeno, $context);

between { .... }, true. Like :

....... } else { $auth_result = captiveportal_authenticate_user($user, $passwd, $clientmac, $clientip, $pipeno, $context); }

Or

....... } else { $auth_result = captiveportal_authenticate_user($user, $passwd, $clientmac, $clientip, $pipeno, $context); }

But as this is just one line, so no need.

@heper said in Import from a list (MAC addresses) possible:

have mac-randomization enabled by default...

yup that could be problematic for sure ;)

@gertjan said in Captive portale issue: not redirecting to the authentification page and no internet access when enabled:

Look also at the official Netgate captive portal videos.

Strange.
I've used these https://www.youtube.com/c/NetgateOfficial/videos and that works very well for me.
For more then a decade now.

Tel me what your doing differently, then I'll tell you not to do that, and it will work for you also ;)

@emad4 said in Net topology:

What shall I do ?

Some more tests :
On the portal client device, lauche a "ipconfig /all"
The IPv4 show is in the correct network ?
DNS IP == Gateway IP == the pfSense portal network IP ?

When connected, wired or by Wifi, to the portal network, but before eautification, so before any login page shows up, DNS requests should work ! This is important.
Again : DNS TCP and UDP to port 53, the pfSense portal network should not be blocked.
So,

nslookup google.com

should work.

Follow :theses tips : Troubleshooting Captive Portal

For in depth portal info : see here.
The captive portal video's, the classic and advanced, are still valid today.

@gertjan said in Captive Portal not redirecting on android:

There are thousands of 'android' versions. "And they are not all equal".
I've seen several versions working just fine.
I had a new 'Samsung' phone in my hand yesterday, had to turn on the 'Wifi' and connect. What looks like a pop-up popped up, and ticking that opened the portal login page. After entering credentials, I was redirected to my redirect page ( https://www.google.com ).
But, true, that was an unknown android version, didn't even look up which one. As the phone was brand new, it was probably not up to date anyway.

Hi

Yes, I understand that there are several versions of Android and that makes things difficult. I'd like to create a wifi network for my company's employees to use during their break, and as soon as they authenticate to the Captivel Portal, it automatically redirects to a landing page with company news. I know it's not a pfsense specific problem, because in Unifi's Captive Portal the redirect doesn't work on Android devices either, only on Windows and IOS. But, we keep on fighting. Thank you very much.

@emad4 Net-topology.png

@hugoeyng
There are various captive portal bugs in version 22.05
You are probably hitting at least one of them.

My guess would be this one:
https://redmine.pfsense.org/issues/13488

Bug above can be worked around in different ways.
See the posts linked in the redmine

@jiss
Have a look at this Thread:
https://forum.netgate.com/topic/174416/captive-portal-is-broken/19

Maybe you also have the Problem with the Limiters.... Like me