You were right wallabybob, I wasn't using the correct image. SOLVED

Thanks for your reply. Both pfsense and the radius server itself are managed by ntp (pfsense relies on 2 external servers and the radius server on the ntp server of pfsense). The radius database server runs on a different machine. The database server's time keeping is less accurate, but I guess this is less relevant. Or is this a wrong assumption? Jan

CP is blocking access to the port forward – it blocks inbound and outbound. You could add an "allowed IP address" entry for it but using only the "to" direction, then things can reach it from outside, but it can't get out itself.

where did you add this script? minicron says nothing to me.. i only know cron.

This setting limits the number of concurrent connections to the captive portal HTTP(S) server. This does not set how many users can be logged in to the captive portal, but rather how many users can load the portal page or authenticate at the same time! Default is 4 connections per client IP address, with a total maximum of 16 connections. I my system (2.0.1-RELEASE & 1.2.3-RC1 ) default is 4 and 1.2.3-RC1 i can chaged it to below 4. do i miss something?

Yea the more I think about it that is the only way I am going to get it to work.  I already have the radius server setup doing authentication for my wireless and it was my intent to use it for this as well.  Just thought captive portal may have been easier but I can't think of a way to do it since I can't have multiple trunks to the firewall with the same VLANs them.

Well, we have several different set ups and scenarios. Not all of the locations require a Terms of Service and sometimes they do not want one! They just want the user to be directed to their website when they first connect to the wireless, but that's it. They want to advertise their website to the end users- not to create any sort of binding contract. While I do not recommend modifying pfSense unless you know what you're doing- and always recommend creating a backup before modifying any file(s), I'll share my personal work around: OPEN "/usr/local/captiveportal/index.php" FIND: LINE 228 } else { PASTE ABOVE THIS LINE: } else if (strpos($_GET['redirurl'], 'accept=yes') !== false && $clientip && $config['captiveportal']['auth_method'] == "none") {     captiveportal_logportalauth("unauthenticated",$clientmac,$clientip,"ACCEPT");     portal_allow($clientip, $clientmac, "unauthenticated"); SAVE THE FILE Now change your captive portal page to this: if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off') { $url = "https://{$_SERVER['SERVER_ADDR']}:" . $_SERVER['SERVER_PORT'] . "/index.php?accept=yes"; } else { $url = "http://{$_SERVER['SERVER_ADDR']}:" . $_SERVER['SERVER_PORT'] . "/index.php?accept=yes"; } header("Location: $url"); ?> Then with Captive Portal enabled and "No Authentication" selected, the end user is authenticated and redirected to the "After authentication Redirection URL" just like I want! :)

Do not use mac address filtering and only base it on ip.

You are trying to redirect https connection to http server of pfsense. That is just an encrypted session trying to be forwarded by pfSense. Just ignore it for the moment since there is nothing to do about it.

@wallabybob: @ellors: How do I change the thread title so it could say "[SOLVED]" ? I believe if the post is not "too old" you can modify it through the Modify menu item Mmmmm too bad that the first post does not show a Modify menu. Thank you for your suggestion.

bump

Try applying a style to the button, instead of replacing it.

thanx for sharing.

@bikkerss: so both dns and gateway ? Yes. The gateway is the computer to which your computer forwards packets when your computer doesn't have a "direct" route. If the gateway is not the computer operating the captive portal then your computer can access the internet without going through the captive portal so the captive portal has no chance of controlling the access to the internet.

@Nachtfalke: Don't know if this is related to CP MAC-Auth but just for information you need to do "Plain-MAC-Auth as 802.1X request" with CP :-) I tried both methods and the auth works with "Plain-MAC-Auth as 802.1X request". Only thing is that CP doesn't seem to 'unblock' traffic for that authenticated client. Username password auth works correctly and lets me surf the internet. Also tried 2.0.3 pre-release but no luck yet. Probably better if I start a new topic since I haven't found a similar topic yet and don't want to muck about in someone else's topic.  :)

Those settings only affect the RADIUS server configured for captive portal auth. We don't have a setting in the user manager that does the same function (yet). For 2.2, those will likely be merged into the main RADIUS config in the user manager, but for now the settings on CP are just for CP.

@zcache: @kolomalo: Hi all. Perhaps this is not the correct way to do this, so sorry. I use CP to block websurfing to unauthoriced users, but would be desirable to allow some services to cross CP (like smtp, rdp, etc), since I haven't configured a DMZ, to permit some servers to connect to internet, but without websurfing. So will be a good improvement to allow to config some services to cross CP without authentication (something like "allowed hostames" tab, but with ports ;) ) Great job!! Many thanks!! I think if you just need block web surfing, I have new choice for your consider. let you see squid+squidGuard package, it can handle for block and bypass the website by user password and you also can specific the ip group. it easy over than CP.   ;D mmmmm yeah,, Now, I'm thinking that use CP to block only web surfing is not a good idea… But I didn't wanted to create too much rules...and Cp is too easy :D

Yes I can resolve the problem I clicked on the "view the current page" in the captive portal and I save the source code, and changed <title>Hotspot  Gare</ title><br />and it's OK</title>

I had these symptoms when I had inadvertently set the DHCP lease time to be LESS than the idle-timeout - logged-in user number would just keep growing until I restarted the CP service. [image: status_rrd_graph_img.png] [image: status_rrd_graph_img.png_thumb]

@pat1974: To solve this issue I go in "Services: Captive Portal" In the tab: Allowed IP addresses, I add the IP:23.1.173.15 This tells the Captive portal that when this address is being contacted it doesn't need to go through portal authentication. In this way you allow traffic to a single IP address but www.apple.com resolves to many. Here for example it resolves to 2.23.109.15: #host www.apple.com www.apple.com is an alias for www.isg-apple.com.akadns.net. www.isg-apple.com.akadns.net is an alias for www.apple.com.edgekey.net. www.apple.com.edgekey.net is an alias for e3191.c.akamaiedge.net. e3191.c.akamaiedge.net has address 2.23.109.15 maybe you have to define an 'Host Override' in Services->DNS Forwarder