Having the same problems on pfSense 2.0 RC3 (using the pfSense-2.0-RC3-1g-i386-20110621-1821-nanobsd.img.gz Image).

Per-user-bandwith restriction set to 200kbit/s.
Captive portal is loading, I login using username and password, it authenticates me (listed on status page), redirect times out. No site is loading.

restriction is turned off:
Redirect works like a charm.

I'm not using squid, so I don't think it's the problem here.

Thanks for your reply. I'm gonna try it and tell u if it's working.

secure connection protocol or something like that.
with winscp you move files between windowd and *nix like systems, like bsd linux etc

O.o it works…
I don't change anything, just update pfsense and now seems it works.
i'll try clean my cache and i'll try some other notebook...

i confirm...now it works. i didn't do anything, just restart my AP, my router and start pfsense today, update this one to new version (2.0-RC3 (i386) -built on Thu Jul 28 23:16:13 EDT 2011 ). Nothing more.

i post again the results of ifconfig and ipfw show (i don't know if could be useful)

ifconfig bge0: flags=8802 <broadcast,simplex,multicast>metric 0 mtu 1500        options=8009b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,linkstat  =""  e="">ether 00:11:43:ab:3c:1e        media: Ethernet autoselect (none)        status: no carrier xl0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500        options=80009 <rxcsum,vlan_mtu,linkstate>ether 00:04:76:18:b0:32        inet 192.168.0.3 netmask 0xff000000 broadcast 192.255.255.255        inet6 fe80::204:76ff:fe18:b032%xl0 prefixlen 64 scopeid 0x2        nd6 options=3 <performnud,accept_rtadv>media: Ethernet autoselect (100baseTX <full-duplex>)        status: active xl1: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500        options=80009 <rxcsum,vlan_mtu,linkstate>ether 00:04:76:18:b0:2b        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255        inet6 fe80::204:76ff:fe18:b02b%xl1 prefixlen 64 scopeid 0x3        nd6 options=3 <performnud,accept_rtadv>media: Ethernet autoselect (100baseTX <full-duplex>)        status: active rl0: flags=108843 <up,broadcast,running,simplex,multicast,ipfw_filter>metric 0 m                          tu 1500        options=8 <vlan_mtu>ether 00:e0:4c:39:14:6b        inet 10.59.1.8 netmask 0xffffff00 broadcast 10.59.1.255        inet6 fe80::2e0:4cff:fe39:146b%rl0 prefixlen 64 scopeid 0x4        nd6 options=3 <performnud,accept_rtadv>media: Ethernet autoselect (100baseTX <full-duplex>)        status: active plip0: flags=8810 <pointopoint,simplex,multicast>metric 0 mtu 1500 lo0: flags=8049 <up,loopback,running,multicast>metric 0 mtu 16384        options=3 <rxcsum,txcsum>inet 127.0.0.1 netmask 0xff000000        inet6 ::1 prefixlen 128        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6        nd6 options=3 <performnud,accept_rtadv>pflog0: flags=100 <promisc>metric 0 mtu 33200 pfsync0: flags=0<> metric 0 mtu 1460        syncpeer: 224.0.0.240 maxupd: 128 syncok: 1 enc0: flags=0<> metric 0 mtu 1536 ipfw0: flags=8801 <up,simplex,multicast>metric 0 mtu 65536 ipfw show 65291   0      0 allow pfsync from any to any 65292   0      0 allow carp from any to any 65301  14    464 allow ip from any to any layer2 mac-type 0x0806 65302   0      0 allow ip from any to any layer2 mac-type 0x888e 65303   0      0 allow ip from any to any layer2 mac-type 0x88c7 65304   0      0 allow ip from any to any layer2 mac-type 0x8863 65305   0      0 allow ip from any to any layer2 mac-type 0x8864 65306   0      0 allow ip from any to any layer2 mac-type 0x888e 65307   0      0 deny ip from any to any layer2 not mac-type 0x0800 65310 329  34233 allow ip from any to { 255.255.255.255 or 10.59.1.8 } in 65311 277 118046 allow ip from { 255.255.255.255 or 10.59.1.8 } to any out 65312   0      0 allow icmp from { 255.255.255.255 or 10.59.1.8 } to any out icmptypes 0 65313   0      0 allow icmp from any to { 255.255.255.255 or 10.59.1.8 } in icmptypes 8 65314   0      0 allow ip from table(3) to any in 65315   0      0 allow ip from any to table(4) out 65316   0      0 pipe tablearg ip from table(5) to any in 65317   0      0 pipe tablearg ip from any to table(6) out 65318   0      0 allow ip from any to table(7) in 65319   0      0 allow ip from table(8) to any out 65320   0      0 pipe tablearg ip from any to table(9) in 65321   0      0 pipe tablearg ip from table(10) to any out 65322 653  78203 allow ip from table(1) to any in 65323 685 660723 allow ip from any to table(2) out 65531 296  26923 fwd 127.0.0.1,8000 tcp from any to any in 65532 264  35405 allow tcp from any to any out 65533 472  42177 deny ip from any to any 65534   0      0 allow ip from any to any layer2 65535   0      0 allow ip from any to any</up,simplex,multicast></promisc></performnud,accept_rtadv></rxcsum,txcsum></up,loopback,running,multicast></pointopoint,simplex,multicast></full-duplex></performnud,accept_rtadv></vlan_mtu></up,broadcast,running,simplex,multicast,ipfw_filter></full-duplex></performnud,accept_rtadv></rxcsum,vlan_mtu,linkstate></up,broadcast,running,simplex,multicast></full-duplex></performnud,accept_rtadv></rxcsum,vlan_mtu,linkstate></up,broadcast,running,simplex,multicast></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,linkstat></broadcast,simplex,multicast>

Thanks for yours help guys.

Bye :)

If you stay in limits of licensing ;)

Note: I'm not developer so that was only guessing.

@bucky31:

Will I need to set my wireless controllers default gateway to the pfsense LAN IP address?

I'm not familiar with those wireless controllers but I would guess:
No if the wireless controller gets its "WAN" IP address from pfSense by DHCP.
Yes if you have configured a static IP address on the wireless controller's "WAN" interface.

One problem with using snapshot builds is that there might be a temporary bug introduced as part of a fix for a different. I've had good results with the official RC3 built Tue Jun 21 17:40:54 EDT 2011 and with the snapshot build in file pfSense-Full-Update-2.0-RC3-i386-20110719-2331.tgz

update to latest build…this option already available

I think I figured this out.  It appears that newer browsers make multiple embryonic connections to the user's homepage – based on my testing they try to make more than 16 connections, which is the max allowed to the portal at the same time.

Two questions:

On the portal settings page (Services -> Captive portal -> Captive portal tab), if the maximum concurrent connections setting is blank, does that mean that the default of 4 per IP is used, or does that mean the same as setting it to zero?  When I set it to zero and click Save, the number disappears -- so does that mean 4 connections per IP, or the max of 16?

Is there a way to increase the max beyond 16 to see if that resolves the problem with newer browsers attempting to make more than 16 connections?  I didn't see that as a system tunable.

Update on more browser testing:  this doesn't appear to be a problem on Firefox 5.0 and IE8.  So far I've only seen the problem on Chrome 12.x and IE9...but that represents a significant portion of users so would be great to get the problem fixed.

Thanks,
Mike

or even use "Bypass proxy for these destination IPs" and block whole LAN subnet via normal firewall rules.

thanks for the support

Hi wallabybob,

you are right. Changing the dns rule didn´t will fix the problem. Today, i have checked the problem with one of our device. If i didn´t enter a voucher ticket and try to catch mail or do other communication to the internet, so transfer will blocked. If i will go to a www url over port 80, the captive portal catch me and ask me for a voucher. Looks all ok. Only the firewall log makes me crazy.

You are not clear on your request!
How can you resolve that?

Give a description of the problem
Give a description of your setup

Ermal…...

I created a rule that prohibits all but the captive configured on the interface.
It seems that when the captive-enabled interface, they do not respect the firewall
rules, after the user authenticates to the captive rules are then followed.
Something that I think should happen is just spotting nmap tcp port 8000
for authentication, nothing more.

Thank you very much

UP

When I was running the July 4th (before the snapshot location changed) I had the problems outlined above.  As of yesterdays (2.0-RC3 (i386) built on Wed Jul 13 18:38:42 EDT 2011) build, the user is now showing up.

Presently not.
It could be achievable through some tricks but i am not interested for the moment.

Thank you :)

I´m using a syslog server and….

I have all logs the voucher.....

Could you try.

Thanks

@Piplfox:

I’ve managed pfSense with captive portal (voucher auth.) and on LAN I have WiFi AP. Clients that connect thru wiFi AP, I don’t want them to be able see or communicate to each other. Is there an options to so.

To add to the previous post, this is sometimes called "wireless isolation" in your router's GUI.

Regards,
Stuart