When the user tries to access a page, if their MAC isn't listed as being logged in, they are directed to the portal page instead of whatever they tried to load.

DNS is needed because unless a client can resolve a hostname, it will never try to load a page, and thus would never hit the portal.

so no one knows how I can stop the user to re-authenticate after the session time runs out.

I have tried with just using the settings on the captive portal page with no luck at all. I can login without problems, but none of the rate limits i set work at all.. i have done it allowing each user 600k down and 600kup, testes and users get anywhere from 1mb to 4 mb down ans up..

i have a FreeRADIUS server, ready to go but i also cant get that to work with the captive portal. I set the radius servers IP in the external radius server settings, but when i try a login, i get an error saying that there was no valid radius reply or something like that.

Please, how do I install radius manager in pfsense, can you give me a guide plz,thank you

No one?? I really need this working and can't find an answer.. if someone could help it will be highly appreciated

@SEMIJim:

Basically the entire captive portal thing is as an alternative to a fully-open-access WiFi network.  I'd prefer to make clients have to use WPA-PSK, or at least WEP, but the Powers That Be at each site nix that idea as too much trouble for (prospective) users.

I know if you setup the open public Wireless on a specific port using pfSense you can basically tunnel that port right out the firewall to the DSL/Cable by using the "Any" rule and blocking your LAN. You could eliminate a passphrase and run wide open with the SSID broadcasting or as you already know you can use a public login with a known user/passphrase.
However the other point to your scenario will take some further study and I don't know if it can be done or if I fully understand what your end result will be.
I do know that you can use multiple logins as I have already tested this in my lab. I just created a user group "Wireless Users" and then created the User Account "Guest" who is a member of the "Wireless Users" group - with a setup passphrase and have logged in with multiple connections from 2 different laptops. So, yes to that question…. and if I remember you can control this on the CP interface but I will need to check this again... Perhaps someone else can chime in....

I wanted to have two wireless segments on my second customer I am now working with but want to control both public and private wireless using separate ports which goes back to bridging the private wireless to private lan. The other part to this would be to eliminate the port on the pfSense appliance and hang a WPA-PSK wireless AP off the switch for the private wireless network. (no CP)

Ok…
Kinda quiet here in this part of the forum... :o
After further deliberations I determined that you cannot edit the HTML using WinSCP...
For anyone else trying to do this remember to edit your HTML and then upload using the upload feature in the CP Portal page.

Cheers....

H.

@Afif90:

lolx..that not english version..

yeah…. your right! Mmmmmm - Language must be part of the pfSense curriculum... ???
What are you trying to do? With every journey there are always first steps.....

H.

if you use a layer2 switch with vlan's then you have virtual interfaces that you assign to squid ….

interfaces not assigned will not pass squid and thus not get filtered

Thanks, I created the group, added some users with no privileges and it works great. The captive portal is now working exactly as it should.

BTW everything in PFSense seems to be much easier to setup than other distributions I've tried, great job to those who worked on it.

John S.

The file:

/usr/local/etc/raddb/users

It get filled with the config file /config/config.xml

In 1.2.3 its not possible only 2.0 allows you to use schedules with CP.

We're using the internal "user-manager", (no Radius Server) with username/password (built-in database) authentication.

Are there other options?
(As long as we want to keep it simple we are a little frightened to set up the radius-server..because none of us ever has).

Excellent.. I have been tinkering at it for the last hour and have got the captive portal working.. Doing basically what you just said. all i did was untick the box under the DNS servers on the general settings, and i put the LAN ip as the DNS server on the DHCP settings.  Althought it does also seem to work without this, so maybe just removing the tick in the box next to "Allow DNS server list to be overridden by DHCP/PPP on WAN
" seems to do the trick.

@jimp:

On the LAN, block traffic going to any destination on port tcp/443 (except from your proxy server and/or unrestricted client IPs)

If someone has the proxy settings in their browser, it will never hit that rule since it's going to the proxy.

You can't force someone's browser settings to reset to "automatic" if they have been set to manual only or no proxy. If you have WPAD setup then it will work for those already set to automatic. Some browsers default to not try automatic configuration these days.

It's a little inelegant because we still need to retain access to the ssl services provided by google, but this actually works like a charm. Thanks!

OK, thanks for replies. I was thinking about this option - to generate new keys.

I already tried to change the magic number - I ended up with "Services : Captive portal : Vouchers" page all greyed out, "add voucher" icon (plus sign) disappeared, page reload didn't help, so warning to everyone, this is most likely not the way to go in RC1!

Assuming the CP users are on a different subnet, on a separate interface or VLAN, you can do that just with firewall rules (with or without CP).

Without DNS, the hostname never resolves to an IP, if the IP doesn't resolve, the client never makes a request, and pfSense can't redirect to a page if the client never makes the request.

Only possible way around that might be if you have some kind of default DNS response. I don't think the DNS forwarder in pfSense supports that, something like the ISP DNS setups that send you to a search page when they don't get a valid DNS response. If your clients were pointed at a local/internal DNS server that would return a response even on failure, it should work.