https://github.com/pfsense/pfsense/blob/master/etc/inc/captiveportal.inc#L277

It syncs the rolls when they are made, and it also syncs the usage when a user logs in and starts using a voucher, iirc. So there wouldn't be a need to periodically resync the whole DB when it happens as they are used.

@wallabybob: In pfSense version 2.1 snapshot builds the User Manager (System -> User Manager in web GUI) allows users to be assigned to groups and there is a group permission for "Login to captive portal". So it would appear you can accomplish what you describe by using "local authentication" in captive portal. I haven't tried this and I haven't checked availability in pfSense 2.0.x builds. I try this method (local authentication) and also Radius server (internal and external), it worked very well BUT there is NO WAY to disable a group of users to access internet at the same time. It appears that it must be done one-by-one, and for my needs it's a mess. I wish to disable/enable internet access to a group of 20/30 users at the same time… It seems no possible with pfsense. [UPDATE]: I realize that this function is added in pfsense v. 2.1 beta. You can choose at group (or user) level if the user/group can authenticate to Captive Portal.

One answer useful for all: in order to have it back, backup configuration, remove everything between the tags named logouttext and restore the file. Ciao

Thanks for pointing me in the right direction.  However my knowledge of this area is not sufficient to be able to work how to do it.  The reason the links mentioned earlier do not work is, apparently, the post was taken down by the user. If anyone has a saved copy of the Tutorial I would appreciate it if they reposted it. Also where does the CP store user credentials? Jodel

@ermal: No one has really pushed this to be implemented and is tedious. Its not supported but if you want to have this done you can go through portal.pfsense.org Could you give me a rough idea how much it would cost to implement functionality like this? (I have no idea whether it is 500€ or 5000€?) I could provide a printer like the SP-300e for free, although it would make much more sense to implement this feature using more open hardware.

The only thing I know is this: http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package#CaptivePortal_Self-Registration:FreeRADIUS.2B_MySQL

@Metu69salemi: they need to be hosted on the cloud because I have several boxes over a large geographic area and need to change those fields periodically. @islandwifibill: great! Thanks! I will try that and come back if I have any issues.

@-mike-: what I'd like to do is remove this speed limit for any files that are already stored within squid. Is this possible? Check ZPH (Zero Penalty Hit) http://wiki.squid-cache.org/Features/QualityOfService

The problem solved.  My fault.  I had set up networking on my client computer to get the IP only from dhcp and I had given it the dns ip specifically to be the ip of the broadband router/modem. Thanks for all the help.  The more I look at pfSense, the better it looks! Jodel

Hi, thank oyu for your feedback. I will of course update to 2.0.3 if it is released. I know that there were many fixes. @dhatz I thought that Hard Timeout is an independent CP feature. Re-authenticate users every minute will spam my RADIUS even if its possible that it will work. What do you think - could Session-Timeout enabled on CP and set on RADIUS solve this problem ? Thanks

for 1:1 NAT configuration I tried to use as a type Internal IP = WAN address, I do not have an alias for this value (only "single host IP" or "WAN address") but I still have the same problem on the server pfSesne backup (GW unreachable "Offline"). It looks like a bug in pfSense synchronization between the primary and backup configuration CARP / VIPs or 1:1 NAT Everything works if I use "NAT Outbound" with: Interface = WAN Protocol = UDP Source Type = Network Source Address = 62.xxx.xxx.96/28 Destination = any Translation = 62.xxx.xxx.100 (CARP WAN) I run other tests

about freeradius you can use freeTDS libraries to connect to ms-sql. you can enable radius accounting to know when users disconnects as well as session informations such as time spent online or data transferred.

The image is being pulled from a host which is accessible from behind the captive portal?  I would double check this.  Also, you might want to tail your web server log file while you load the page and see if you get any error messages associated with the request.

I am querying a mysql server that is NOT running on the pfsense machine.  Pretty straightforward stuff.

hum.. looks like your "variable name"``` JiQlJzkkJzkkJj8mJjEnVScgMSdVICExI1cxI1cjJiUlIiYjICQsJiIsJCIkIiMxI1cxI1cnOiEl.MSNXMSNXJiQkMSNXMSNXfWA5XUAxI1cxI1ckMSRQMSRVJDEmJyAxI1cxI1clMSYnIScxI1cxI1cl.MSYnISMxI1cxI1cmMSYnISwxI1cxI1clMSYnIS0xI1cxI1clMSYnIiQxI1cxI1clMSYnIiUxI1cx.I1clMSYnIiIxI1cxI1clMSYnLCUxI1cxI1clMSYnLCMxI1cxI1clMSYnLCIxI1cxI1clMSYnJiQk.MSNXMSNXJjEmJyYlJDEjVzEjVyIxJicmJSExI1cxI1clJSMsLDEmJyYlIjEjVzEjVyUtJSwhJjEm.JyUkJCQxI1cxI1d9YA can be split in lines after the dots "." JiQlJzkkJzkkJj8mJjEnVScgMSdVICExI1cxI1cjJiUlIiYjICQsJiIsJCIkIiMxI1cxI1cnOiEl. MSNXMSNXJiQkMSNXMSNXfWA5XUAxI1cxI1ckMSRQMSRVJDEmJyAxI1cxI1clMSYnIScxI1cxI1cl. MSYnISMxI1cxI1cmMSYnISwxI1cxI1clMSYnIS0xI1cxI1clMSYnIiQxI1cxI1clMSYnIiUxI1cx. I1clMSYnIiIxI1cxI1clMSYnLCUxI1cxI1clMSYnLCMxI1cxI1clMSYnLCIxI1cxI1clMSYnJiQk. MSNXMSNXJjEmJyYlJDEjVzEjVyIxJicmJSExI1cxI1clJSMsLDEmJyYlIjEjVzEjVyUtJSwhJjEm. JyUkJCQxI1cxI1d9YA excluding the dots the line is 76 chars long (RFC 1521 states it have to be the length of base64 output stream). delete dots and pad it with "=" JiQlJzkkJzkkJj8mJjEnVScgMSdVICExI1cxI1cjJiUlIiYjICQsJiIsJCIkIiMxI1cxI1cnOiEl MSNXMSNXJiQkMSNXMSNXfWA5XUAxI1cxI1ckMSRQMSRVJDEmJyAxI1cxI1clMSYnIScxI1cxI1cl MSYnISMxI1cxI1cmMSYnISwxI1cxI1clMSYnIS0xI1cxI1clMSYnIiQxI1cxI1clMSYnIiUxI1cx I1clMSYnIiIxI1cxI1clMSYnLCUxI1cxI1clMSYnLCMxI1cxI1clMSYnLCIxI1cxI1clMSYnJiQk MSNXMSNXJjEmJyYlJDEjVzEjVyIxJicmJSExI1cxI1clJSMsLDEmJyYlIjEjVzEjVyUtJSwhJjEm JyUkJCQxI1cxI1d9YA== base64 decode and see what 'file' magic looks like: echo -n "JiQlJzkkJzkkJj8mJjEnVScgMSdVICExI1cxI1cjJiUlIiYjICQsJiIsJCIkIiMxI1cxI1cnOiElMSNXMSNXJiQkMSNXMSNXfWA5XUAxI1cxI1ckMSRQMSRVJDEmJyAxI1cxI1clMSYnIScxI1cxI1clMSYnISMxI1cxI1cmMSYnISwxI1cxI1clMSYnIS0xI1cxI1clMSYnIiQxI1cxI1clMSYnIiUxI1cxI1clMSYnIiIxI1cxI1clMSYnLCUxI1cxI1clMSYnLCMxI1cxI1clMSYnLCIxI1cxI1clMSYnJiQkMSNXMSNXJjEmJyYlJDEjVzEjVyIxJicmJSExI1cxI1clJSMsLDEmJyYlIjEjVzEjVyUtJSwhJjEmJyUkJCQxI1cxI1d9YA==" | base64 -d | file - /dev/stdin: Sendmail frozen configuration  - version ' 1'U !1#W1#W#&%%"&# $,&",$"$"# So it's not an attacker but maybe some users with the mail client hitting the Captive Portal.

When running a -PRERELEASE, -BETA, -RC, etc, it is always best practice to update to the latest available version before posting/reporting issues.

My guess is that it is telling you 20034 and 20035 are not MAC addresses. What are you trying to do and why aren't you using the GUI to do it? (Changes made outside the GUI will not be preserved across reboot.)