@emad4 said in Net topology:

What shall I do ?

Some more tests :
On the portal client device, lauche a "ipconfig /all"
The IPv4 show is in the correct network ?
DNS IP == Gateway IP == the pfSense portal network IP ?

When connected, wired or by Wifi, to the portal network, but before eautification, so before any login page shows up, DNS requests should work ! This is important.
Again : DNS TCP and UDP to port 53, the pfSense portal network should not be blocked.
So,

nslookup google.com

should work.

Follow :theses tips : Troubleshooting Captive Portal

For in depth portal info : see here.
The captive portal video's, the classic and advanced, are still valid today.

@gertjan said in Captive Portal not redirecting on android:

There are thousands of 'android' versions. "And they are not all equal".
I've seen several versions working just fine.
I had a new 'Samsung' phone in my hand yesterday, had to turn on the 'Wifi' and connect. What looks like a pop-up popped up, and ticking that opened the portal login page. After entering credentials, I was redirected to my redirect page ( https://www.google.com ).
But, true, that was an unknown android version, didn't even look up which one. As the phone was brand new, it was probably not up to date anyway.

Hi

Yes, I understand that there are several versions of Android and that makes things difficult. I'd like to create a wifi network for my company's employees to use during their break, and as soon as they authenticate to the Captivel Portal, it automatically redirects to a landing page with company news. I know it's not a pfsense specific problem, because in Unifi's Captive Portal the redirect doesn't work on Android devices either, only on Windows and IOS. But, we keep on fighting. Thank you very much.

@emad4 Net-topology.png

@hugoeyng
There are various captive portal bugs in version 22.05
You are probably hitting at least one of them.

My guess would be this one:
https://redmine.pfsense.org/issues/13488

Bug above can be worked around in different ways.
See the posts linked in the redmine

@jiss
Have a look at this Thread:
https://forum.netgate.com/topic/174416/captive-portal-is-broken/19

Maybe you also have the Problem with the Limiters.... Like me

@gertjan said in Captive Portal is broken?:

@denx

Hi, I'm using 22.05 on a SG 4100. In the past, I was using 2.6.0 on a home made pfSense device.

If my captive portal wasn't working, I would lose my job - sort-of, as I use the portal for a hotel.

Last time I looked, it worked.

I'm using a dedicated interface for my portal, and as LAN has already 192.168.1.1/24, my portal uses 192.168.2.1/24 - DHCP pool 192.168.2.5 -> 254.

I use the Resolver, nearly default settings.

The pfSense patches packages has one patch for the portal :
This is the patch ID to be used : https://github.com/pfsense/pfsense/commit/add6447b9dc801144141bb24f8c264e03a0e7cae.patch

778dc879-c8cd-4322-abad-7981440f311e-image.png

after install patch - same error
dummynet: bad switch 21!
dummynet: bad switch 21!

@nicolas-pissard said in Bandwidth restriction per user disabled on a schedule:

concrete example

When you visit this page :

59b09b08-28c5-4ba6-9539-09dee14b4209-image.png

you are actually looking at this page :

395df406-5b60-4c6f-8a46-bf76ab97dfae-image.png

or, to be more precise : a page (== a file) on a web server.
Here it is :
/usr/local/www/services_captiveportal.php

Have a look at this file.
It's PHP, worlds most easiest language - as simple as BASIC was in the eighties/nighties 😊

I think pfsense captive portal will be a stopgap measure if we are asking too much. Im going to look at a packetfence again, although last time I looked it wasnt playing nicely with our UNIFI kit.

We are almost entirely authorised users (secondary authentication is radius for our portal), the voucher users will timeout themselves as they are all limited 2 day vouchers. Our users will not be happy putting their details into the portal weekly.

Thanks for the insight though.

@hamedlynx

https://docs.netgate.com/pfsense/en/latest/troubleshooting/captiveportal.html

When you're wired up with the portal, over wire or Wifi, DNS should work.
The only DNS that gets passed, is not 8.8.8.8 - as everything is blocked.
The DNS that works is : the portal interface, port 53. So the connected user should use that one, and not some 8.8.8.8.

Then a http:// (not https://...) request should be possible .... etc.

@gertjan
Thanks for your reply and help.
I tested this PHP script and can get count online users.
Do you know if I also can get each user downloaded/uploaded traffic and login start time ?

@gertjan said in FreeRadius and quotas, doesn't work since 22.05:

as talking about quotas.

i realize that you were talking about quota's and not bandwidth limiting, but since i didn't find anyone with the same issue i hoped it might have been related.

i'll contact netgate support - perhaps they have more insight in the bandwidth-limiting issue i'm having, while yours seem fine on 22.05

@osbhutan even when it just moves AP but its the same ssid? That sure seems problematic for more than just a couple of reason.

Can't you just turn that off - I have it off my my home wifi connections.

@jimp Hi,

Thanks for the reply, my eyes are playing tricks with me I did not see that.

Restart a local captive portal instance: Select "Restart Local Service" and enter captiveportal zonename replacing zonename with the zone to restart.

@gertjan I ran pfsense-upgrade -y and it is working now.
Thank you.

brilliant, thank you. I saw the example but couldn't find an example with the variable. Not having experience of this Im grateful for the help. I didn't realise it was literally simply put"$PORTAL_MESSAGE$" in the HTML!

I thought it was going to be a php line or some javascript. That was the last thing I needed, captive portal going live...

@nickologic said in Intermittent connectivity when accessing allowed hostnames:

Everything loads correctly when connected to the non-captive interface.

Isn't there some known bug with captive portal - believe there is a patch..

I believe this
https://redmine.pfsense.org/issues/12834

@gertjan

i also added a comment about the "Dot" Problem in the Bug Report. So i think all should be fine for now.

THX Gertjan for your help!

Interestingly I did all my testing with a Windows 10 and Windows 11 laptop until I was happy with my captive portal. I tested at each stage:

set up captive portal with defaults, no authentication. set up voucher roll and voucher authentication. add SSL certificate (I already use an ACME letsencrypt with pfsense so I added another URL to the SAN for the captive portal) set up radius customise the logon HTML and the "error" HTML

I was happy that this all worked - only the "edge browser" seems to have an oddity with captive portal (force redirect sorted that and I was going to force redirect to my "company landing page" anyway, chrome and firefox have no issue sending its captive portal check plus redirecting back. Now to test with other devices:

*Ipad worked fine.
*Android did not. Android was convinced that it was connected - it attempted a www.gstatic.com/generate_204 which apparently (according to the device) succeeded pre authentication! There was no traffic flow though (good). However I could not get the captive portal page to trigger on an android device, it was convinced that it needed to "sign in" but then would simply say that it was connected.

I spent quite a lot of time looking at firewall logs, device logs and trying to fathom why the android device was convinced it had a connectivity allowed and I was never shown the captive portal page, I checked everything from DNS (I use pfsense forwarder and there is only one "exception" which is a "disclaimer landing page" simple URL on a local webserver).

In the end I found that if I "disconnected all users" then this would work. After digging it seems that if I make a change to the pfsense portal settings I need to disconnect all users for my android device to see the captive portal. Most odd.

Android device is version 12. I have no idea what this will do to the people who have vouchers when I disconnect (radius auth will be irrelevant of course, they can re-sign in.

@pieter_sa said in Captive Portal breaks policy routing for bypassed MAC addresses after upgrade to 22.05 [fixed]:

@bitrot You marked this as fixed, so others, like me, will also go through the entire journey of registering for pfsense+ and updating all the way up to 22.05 just to see the same old Captive Portal issues.

No. I found an issue with Captive Portal in 22.05, made a post about it, troubleshot it, and created a bug report about it. Once a patch was available I linked it and marked the issue as fixed.

The other issue you've mentioned is Regression #13290: dummynet. This is a cosmetic issue only that does not affect functionality and is also already fixed.

If you have some other "same old Captive Portal issues" I again suggest you be much, much more specific and also open a separate thread and maybe create a bug report that deals with your specific problems instead of hijacking another thread that is about a different issue that has already been fixed.