@qssysadmin How does your question relate to the captive portal ? ( you posted in the captive portal section of the forum ) A reboot is always mandatory as you changed the kernel version (a kernel can't be reloaded in place). @qssysadmin said in Pfsense 2.6 Captive Portal does not allow vpn connection established: ping for example to 8.8.8.8 is blocked Not an issue. 8.8.8.8 replies to DNS requests. No need to ping it. @qssysadmin said in Pfsense 2.6 Captive Portal does not allow vpn connection established: I put a firewall Rule on the LAN Interface which allows all traffic from internal to external The default LAN firewall rue permits everything. No extra rules needed.

@ahmetakkaya You want to use the portal access from 'somewhere' on the Internet ? I never saw a setup like that. The captive portal is designed to give a devices on a local network acess to the Internet, and other selected resources. Devices that are already on the Internet don't need access t the Internet, they already have it. If you want to access local resources from the outside, use a VPN.

I want to bring up this subject again. CoA, Change of Authorization, basically consists in a UDP packet which a RADIUS server can send to a NAS (like the pfSense captive portal) to change reply attributes or disconnect a user. This is particularly helpful in implementing authorization flows in which the user gets a basic connection first and then is upgraded to different limitations (eg: more bandwidth, more traffic, more connection time, etc). It also helps to manage radius sessions for multiple NAS from a central point. I have been able to implement something with Coova-Chilli, which supports CoA and I think it would be great for PfSense to support this as Chilli does so I opened a feature request: https://redmine.pfsense.org/issues/13625. CoA RFC https://www.ietf.org/rfc/rfc3576.txt. Peace.

@level4 said in 22.05 - CP clients have connectivity issues after x amount of time: That "} else" .. shouldn't be a "} else {" with a "}" below the "$auth_result =" line ? You can place $auth_result = captiveportal_authenticate_user($user, $passwd, $clientmac, $clientip, $pipeno, $context); between { .... }, true. Like : ....... } else { $auth_result = captiveportal_authenticate_user($user, $passwd, $clientmac, $clientip, $pipeno, $context); } Or ....... } else { $auth_result = captiveportal_authenticate_user($user, $passwd, $clientmac, $clientip, $pipeno, $context); } But as this is just one line, so no need.

@heper said in Import from a list (MAC addresses) possible: have mac-randomization enabled by default... yup that could be problematic for sure ;)

@gertjan said in Captive portale issue: not redirecting to the authentification page and no internet access when enabled: Look also at the official Netgate captive portal videos. Strange. I've used these https://www.youtube.com/c/NetgateOfficial/videos and that works very well for me. For more then a decade now. Tel me what your doing differently, then I'll tell you not to do that, and it will work for you also ;)

@emad4 said in Net topology: What shall I do ? Some more tests : On the portal client device, lauche a "ipconfig /all" The IPv4 show is in the correct network ? DNS IP == Gateway IP == the pfSense portal network IP ? When connected, wired or by Wifi, to the portal network, but before eautification, so before any login page shows up, DNS requests should work ! This is important. Again : DNS TCP and UDP to port 53, the pfSense portal network should not be blocked. So, nslookup google.com should work. Follow :theses tips : Troubleshooting Captive Portal For in depth portal info : see here. The captive portal video's, the classic and advanced, are still valid today.

@gertjan said in Captive Portal not redirecting on android: There are thousands of 'android' versions. "And they are not all equal". I've seen several versions working just fine. I had a new 'Samsung' phone in my hand yesterday, had to turn on the 'Wifi' and connect. What looks like a pop-up popped up, and ticking that opened the portal login page. After entering credentials, I was redirected to my redirect page ( https://www.google.com ). But, true, that was an unknown android version, didn't even look up which one. As the phone was brand new, it was probably not up to date anyway. Hi Yes, I understand that there are several versions of Android and that makes things difficult. I'd like to create a wifi network for my company's employees to use during their break, and as soon as they authenticate to the Captivel Portal, it automatically redirects to a landing page with company news. I know it's not a pfsense specific problem, because in Unifi's Captive Portal the redirect doesn't work on Android devices either, only on Windows and IOS. But, we keep on fighting. Thank you very much.

@emad4 [image: 1665297363846-net-topology.png]

@hugoeyng There are various captive portal bugs in version 22.05 You are probably hitting at least one of them. My guess would be this one: https://redmine.pfsense.org/issues/13488 Bug above can be worked around in different ways. See the posts linked in the redmine

@jiss Have a look at this Thread: https://forum.netgate.com/topic/174416/captive-portal-is-broken/19 Maybe you also have the Problem with the Limiters.... Like me

@gertjan said in Captive Portal is broken?: @denx Hi, I'm using 22.05 on a SG 4100. In the past, I was using 2.6.0 on a home made pfSense device. If my captive portal wasn't working, I would lose my job - sort-of, as I use the portal for a hotel. Last time I looked, it worked. I'm using a dedicated interface for my portal, and as LAN has already 192.168.1.1/24, my portal uses 192.168.2.1/24 - DHCP pool 192.168.2.5 -> 254. I use the Resolver, nearly default settings. The pfSense patches packages has one patch for the portal : This is the patch ID to be used : https://github.com/pfsense/pfsense/commit/add6447b9dc801144141bb24f8c264e03a0e7cae.patch [image: 1661847772551-778dc879-c8cd-4322-abad-7981440f311e-image.png] after install patch - same error dummynet: bad switch 21! dummynet: bad switch 21!

@nicolas-pissard said in Bandwidth restriction per user disabled on a schedule: concrete example When you visit this page : [image: 1663584238865-59b09b08-28c5-4ba6-9539-09dee14b4209-image.png] you are actually looking at this page : [image: 1663584286828-395df406-5b60-4c6f-8a46-bf76ab97dfae-image.png] or, to be more precise : a page (== a file) on a web server. Here it is : /usr/local/www/services_captiveportal.php Have a look at this file. It's PHP, worlds most easiest language - as simple as BASIC was in the eighties/nighties

I think pfsense captive portal will be a stopgap measure if we are asking too much. Im going to look at a packetfence again, although last time I looked it wasnt playing nicely with our UNIFI kit. We are almost entirely authorised users (secondary authentication is radius for our portal), the voucher users will timeout themselves as they are all limited 2 day vouchers. Our users will not be happy putting their details into the portal weekly. Thanks for the insight though.

@hamedlynx https://docs.netgate.com/pfsense/en/latest/troubleshooting/captiveportal.html When you're wired up with the portal, over wire or Wifi, DNS should work. The only DNS that gets passed, is not 8.8.8.8 - as everything is blocked. The DNS that works is : the portal interface, port 53. So the connected user should use that one, and not some 8.8.8.8. Then a http:// (not https://...) request should be possible .... etc.

@gertjan Thanks for your reply and help. I tested this PHP script and can get count online users. Do you know if I also can get each user downloaded/uploaded traffic and login start time ?

@gertjan said in FreeRadius and quotas, doesn't work since 22.05: as talking about quotas. i realize that you were talking about quota's and not bandwidth limiting, but since i didn't find anyone with the same issue i hoped it might have been related. i'll contact netgate support - perhaps they have more insight in the bandwidth-limiting issue i'm having, while yours seem fine on 22.05

@osbhutan even when it just moves AP but its the same ssid? That sure seems problematic for more than just a couple of reason. Can't you just turn that off - I have it off my my home wifi connections.