@gertjan said in Captive Portal is broken?:

@denx

Hi, I'm using 22.05 on a SG 4100. In the past, I was using 2.6.0 on a home made pfSense device.

If my captive portal wasn't working, I would lose my job - sort-of, as I use the portal for a hotel.

Last time I looked, it worked.

I'm using a dedicated interface for my portal, and as LAN has already 192.168.1.1/24, my portal uses 192.168.2.1/24 - DHCP pool 192.168.2.5 -> 254.

I use the Resolver, nearly default settings.

The pfSense patches packages has one patch for the portal :
This is the patch ID to be used : https://github.com/pfsense/pfsense/commit/add6447b9dc801144141bb24f8c264e03a0e7cae.patch

778dc879-c8cd-4322-abad-7981440f311e-image.png

after install patch - same error
dummynet: bad switch 21!
dummynet: bad switch 21!

@nicolas-pissard said in Bandwidth restriction per user disabled on a schedule:

concrete example

When you visit this page :

59b09b08-28c5-4ba6-9539-09dee14b4209-image.png

you are actually looking at this page :

395df406-5b60-4c6f-8a46-bf76ab97dfae-image.png

or, to be more precise : a page (== a file) on a web server.
Here it is :
/usr/local/www/services_captiveportal.php

Have a look at this file.
It's PHP, worlds most easiest language - as simple as BASIC was in the eighties/nighties 😊

I think pfsense captive portal will be a stopgap measure if we are asking too much. Im going to look at a packetfence again, although last time I looked it wasnt playing nicely with our UNIFI kit.

We are almost entirely authorised users (secondary authentication is radius for our portal), the voucher users will timeout themselves as they are all limited 2 day vouchers. Our users will not be happy putting their details into the portal weekly.

Thanks for the insight though.

@hamedlynx

https://docs.netgate.com/pfsense/en/latest/troubleshooting/captiveportal.html

When you're wired up with the portal, over wire or Wifi, DNS should work.
The only DNS that gets passed, is not 8.8.8.8 - as everything is blocked.
The DNS that works is : the portal interface, port 53. So the connected user should use that one, and not some 8.8.8.8.

Then a http:// (not https://...) request should be possible .... etc.

@gertjan
Thanks for your reply and help.
I tested this PHP script and can get count online users.
Do you know if I also can get each user downloaded/uploaded traffic and login start time ?

@gertjan said in FreeRadius and quotas, doesn't work since 22.05:

as talking about quotas.

i realize that you were talking about quota's and not bandwidth limiting, but since i didn't find anyone with the same issue i hoped it might have been related.

i'll contact netgate support - perhaps they have more insight in the bandwidth-limiting issue i'm having, while yours seem fine on 22.05

@osbhutan even when it just moves AP but its the same ssid? That sure seems problematic for more than just a couple of reason.

Can't you just turn that off - I have it off my my home wifi connections.

@jimp Hi,

Thanks for the reply, my eyes are playing tricks with me I did not see that.

Restart a local captive portal instance: Select "Restart Local Service" and enter captiveportal zonename replacing zonename with the zone to restart.

@gertjan I ran pfsense-upgrade -y and it is working now.
Thank you.

brilliant, thank you. I saw the example but couldn't find an example with the variable. Not having experience of this Im grateful for the help. I didn't realise it was literally simply put"$PORTAL_MESSAGE$" in the HTML!

I thought it was going to be a php line or some javascript. That was the last thing I needed, captive portal going live...

@nickologic said in Intermittent connectivity when accessing allowed hostnames:

Everything loads correctly when connected to the non-captive interface.

Isn't there some known bug with captive portal - believe there is a patch..

I believe this
https://redmine.pfsense.org/issues/12834

@gertjan

i also added a comment about the "Dot" Problem in the Bug Report. So i think all should be fine for now.

THX Gertjan for your help!

Interestingly I did all my testing with a Windows 10 and Windows 11 laptop until I was happy with my captive portal. I tested at each stage:

set up captive portal with defaults, no authentication. set up voucher roll and voucher authentication. add SSL certificate (I already use an ACME letsencrypt with pfsense so I added another URL to the SAN for the captive portal) set up radius customise the logon HTML and the "error" HTML

I was happy that this all worked - only the "edge browser" seems to have an oddity with captive portal (force redirect sorted that and I was going to force redirect to my "company landing page" anyway, chrome and firefox have no issue sending its captive portal check plus redirecting back. Now to test with other devices:

*Ipad worked fine.
*Android did not. Android was convinced that it was connected - it attempted a www.gstatic.com/generate_204 which apparently (according to the device) succeeded pre authentication! There was no traffic flow though (good). However I could not get the captive portal page to trigger on an android device, it was convinced that it needed to "sign in" but then would simply say that it was connected.

I spent quite a lot of time looking at firewall logs, device logs and trying to fathom why the android device was convinced it had a connectivity allowed and I was never shown the captive portal page, I checked everything from DNS (I use pfsense forwarder and there is only one "exception" which is a "disclaimer landing page" simple URL on a local webserver).

In the end I found that if I "disconnected all users" then this would work. After digging it seems that if I make a change to the pfsense portal settings I need to disconnect all users for my android device to see the captive portal. Most odd.

Android device is version 12. I have no idea what this will do to the people who have vouchers when I disconnect (radius auth will be irrelevant of course, they can re-sign in.

@pieter_sa said in Captive Portal breaks policy routing for bypassed MAC addresses after upgrade to 22.05 [fixed]:

@bitrot You marked this as fixed, so others, like me, will also go through the entire journey of registering for pfsense+ and updating all the way up to 22.05 just to see the same old Captive Portal issues.

No. I found an issue with Captive Portal in 22.05, made a post about it, troubleshot it, and created a bug report about it. Once a patch was available I linked it and marked the issue as fixed.

The other issue you've mentioned is Regression #13290: dummynet. This is a cosmetic issue only that does not affect functionality and is also already fixed.

If you have some other "same old Captive Portal issues" I again suggest you be much, much more specific and also open a separate thread and maybe create a bug report that deals with your specific problems instead of hijacking another thread that is about a different issue that has already been fixed.

That makes sense. I guess the client has software which is trying to talk to the gateway.

Thank you guys, all your inputs are highly appreciated.

@backlash619 said in 22.05 issues:

broke my captive portal, authentication servers don't work anymore,

If you're using the pfSEnse "freeradius3 0.15.7_33"package as an auth server, give it some more tries.
And detail your config.

22.05 + pfSEnse "freeradius3 0.15.7_33" works for me ©®
It's being used by the most comprehensive type of clients : tourists in a hotel.

@refugeesonline said in Used voucher db with strange content:

Anyone having the same or similar problems? Or any idea?

The thing is, if I recall the entire forum (and I can't / don't, although I'm posting here since a decade or so), you are the first I see posting about a voucher usage on a big scale.
And its not one set up, but multiple setups 190.

My advise is : start logging.
Not using the GUI, as the GUI probably offer 'close to none' possibilities here.
I would add lines lines like :
log_error("This is a log line in file abcd.php");

This line will get shown in the System main log like this :

94c4c696-f55f-406c-b376-f67b639b7351-image.png

change abcd for the file name you placed your log line.
You can / should add variables.

I don't have much experience with vouchers, I just played with them, by creating some 30 minutes vouchers and use them, and see how they time out of the preset time.
That is, I know, that if a voucher is used for the first time, and it's 'valid', the voucher code will get entered in the 'used voucher' database (probably the SQLITE3 PHP database file that is kept for every portal).

The captive portal uses a 'mini cron' process :

53161 - Is 0:00.00 /usr/local/bin/minicron 60 /var/run/cp_prunedb_cpzone1.pid /etc/rc.prunecaptiveportal cpzone1

that runs every 60 seconds, the function captiveportal_prune_old() in /etc/inc/captiveportal.inc gets called. That's where the magic is happening.

The good news is : nothing magic is going on. See for yourself. Its plain vanilla PHP - PHP was removed from the rocket science list in 1999.

@refugeesonline said in Used voucher db with strange content:

26.000 used vouchers

Vouchers are created, and you can print them out.
They are not known to the captive portal authentication system at this moment. They are generated, and you print them.
If 26000 vouchers are shown as used, then they had to be typed in by some one one by one.

Vouchers are active the moment they get entered.
The voucher code identifies the duration of the "roll" it belongs.
The voucher stays valid while ("enter date/time" + "roll duration") < "current time".

Here is the test : https://github.com/pfsense/pfsense/blob/9490042fdaafa481bcf131f3805dcc9022d973f1/src/etc/inc/captiveportal.inc#L654

Sorry not being able to help you more.

@full-malito

What is your pfSense version ?

What your are your captive portal firewall rules ?
What happens when you put in place the rule you've found when you installed pfSense ?

@joaobruno said in Shorten Voucher:

vouchers of up to 6 digits

The same questions was asked, way back in time, on this forum.
My "find", at the top of the screen, is somewhat broken (I'm using a small phone right now), I advise you to find and look for yourself what can be done to make the voucher code smaller.