Since your family will not be changing hardware often, use the DHCP server to statically assign them IP addresses in a range you allow to access the LAN.  Place them in Allowed IPs if you wish and they will not need to log in.  Other users will use standard DHCP and leave that scop with no access to you lan.  They would need to log in…

I have lots of login pages with css.  Not that the file names change when you upload them and the base page html must reflect that…

Just a quick update.
Connecting this Zyxell to an external antenna it's a waste of time, not sure if the signal get dispersed on the 4 meters RG6 or just it doesn't pull out enough Watts…

It worked! It's funny! All of this trouble just because of a single 'ñ'.

Thank you!! thank you very much , seriosly!!!

It's upgraded now, but I can't enter webconfiguration. Why?, it doesn't even respond to ping, even though the IP address for LAN is assigned perfectly, and it connects the WAN perfectly, too

@ermal:

There was an issue with IE 8/9 and some type of url redirection which made IE block. That should be solved on the coming 2.0.2 release.

I see.
IE9 is my current browser, so, it's much worse of what i thought.
Good to knows anyway, at least i will not try to test other options.
Any ideas of when (approximately) this new release with the "fix" will be available?
Thanks!

I submitted a fix for this last year some time where it wouldn't delete the fields if you configured and then unconfigured it.

Glad your browser cache fixed it.

Thanks GeertJan,

i also aggree, that is a useful scenario, for hotels too
most guest have multible devices, for eg. a laptop, an ipad, or a smartphone.
i suggest an option: max concurrent connection per voucher/session/whatever: <number>so you can open a time window for a limited range of devices and doesn't loose all the security…</number>

I see you are using a "Beta" release, wouldn't be better to go for a "Stable" version which are supposedly free from bugs/errors ???

http://forum.pfsense.org/index.php/topic,34148.0.html

@electric34:

I dont know htlml coding, and this url pre-auth redirect is throwing me off. What do i redirect to for users to sign in? For each user i have to setup a account for? if i do local user authentication. I have a terms and conditions policy i need to upload.

You don't need the "pre-auth redirect", as the words say, that can be a page that users can see before they reach the login's page.
The problem with this option, is that any page you want to use, will need some code on it to send back the user to the login's page, i hope the developers will find a more user's friendly option at some point, as the "After authentication Redirection URL" option.
Here is a usefull link to read:    http://forum.pfsense.org/index.php/topic,34148.0.html

I changed my tact completely on this, as I struggled to get it working firing the data to a different server as javascript doesn't like posting between domains.

I altered the index.php file that resides in the captiveportal folder (using the package 'filemanager' is ideal).

I then use PHP to recieve the form fields, turn them into a line of data "timestamp|name given|email given|postcode given|ip address";  (something like that).  This is then appended/written to a file, one entry per line, a new file being created each day.  The file is available to view via a web browser (see screen shot).

The green 0's shows there has been no warnings given for dodgy details.

If I click the 0, that mac address is added to an associative array and that user booted off the captive portal.  They then have to fill in the form again, but a red warning appears on the form too.  The green 0 then becomes a red 1.  If they log back in, the red 1 turns blue.  You can then click this again to ban once more, you then get a red 2 which turns to blue when they log back in.  3 warnings and the warning message they then see is titled "LAST WARNING".  If they get warned once again, they are banned for three days (they just recieve a page explaining why they have been banned when they try to login.

Sounds complicated, but it works really well.

If I knew anything about creating packages, I would consider it.  I would like to integrate the log viewer into the pfsense template, at the moment it is accessed seperately via http://pfsenseIP/wifilogs/wifilogs.php (with a php sessions password).

This can be used in conjunction with the Squid Proxy and Sarg Reports to see what websites were accessed by the users.

untitled.PNG
untitled.PNG_thumb

Sorry but cannot understand your post!

As previously stated, Captive Portal is implemented on pfSense using ipfw. I believe ipfw will handle input traffic before pf (the standard pfSense firewall) and output traffic after pf.

The log extract you posted shows traffic from port 80 on a server at 174.35.67.7. This is traffic passed by pf which is independent of captive portal. It doesn't mean ipfw will also pass the traffic. (I don't know whether ipfw passes or blocks such traffic when there are no active users.)

@AudiAddict:

I am somewhat "scared" that it's allowing traffic on this interface even when users are not logged in?

That log is showing traffic allowed by pf, not traffic allowed by ipfw. The traffic is mostly TCP from a HTTP server. It is quite possible this traffic is the server probing a previously established TCP connection to see if the client is still "listening". I don't know if there is any mechanism for ipfw to notify pf that pf should now block traffic on particular flows because the user is now "logged out".

@AudiAddict:

Also I'm seeing traffic inbound and not outbound when I look at the logs?
How is this possible?

Please provide a specific example of your concern if you are not satisfied by the previous explanation. Note that firewalls can't stop "inbound" traffic (that is they can't stop another computer sending traffic to them).

In short, you haven't provided any evidence that anything is "broken". I understand your concern. A packet capture on the interface is a far more reliable way of seeing traffic that is actually sent and received but a capture doesn't tell you what the firewall does with the traffic.

You are saying that there is a chance to obtain this wispr compliance without asking help to pfsense developers? If yes do you have a suggest for me?

Thank very much. This seemed to be the solution.

Hello Board,

We've got it working as intended!
On Pfsense 2.1 beta we have now 3 OpenVPN services running connected to 3 different Captive Portals.
De virtual interfaces have each a DCHP range and also the squid proxy is listening.

The downsides are;

RRD graphs are not there (yet) for providing statistical Information. shaper isn't working on de openvpn interfaces. IPv6 isn't working in conjuction with openvpn and / or captive portal.

I'm sure this is only a matter of time!

Thanks for delivering and stable box of pandora!

Ok,

I have this bit of code which works to turn a MAC into the ID, and assume there wont be issues in using that to get the ID?

//error_reporting(0); $ourmac = $_GET["mac"]; $oursid = ""; require("captiveportal.inc"); if (file_exists("{$g['vardb_path']}/captiveportal.db")) { $captiveportallck = lock('captiveportaldb'); $cpcontents = file("/var/db/captiveportal.db", FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES); unlock($captiveportallck); } foreach ($cpcontents as $cpcontent) { $cpent = explode(",", $cpcontent); if($cpent[3] == $ourmac){  $oursid = $cpent[5];  break; } } echo "The SID is: $oursid"; exit; ?>

And I can then use:

captiveportal_disconnect_client($oursid);

to kick a client?

@dhatz:

@Lee:

It gets to be real fun when some antivirus link checker tries to check the database for the captive portal link and fails…  ::)

Is this behavior common among AV software? (I've never actually used a AV …). And if it is relatively common, is there a "best practice" for dealing with that? Perhaps a list of URLs used by popular antivirus programs, so one can white-list them ?

It seems to be in the hotels we support.  And they keep moving the servers!

ok, don't really know what happened, but even though I put the shared secret into the CP interface correctly, the capitalization of one of the characters was wrong in the clients.conf file.  That seems to have fixed it.  Thanks for the input folks.