Ah, then it might be something to do with the expiration bit. I didn't try that, just a normal login. Not sure how much can be done about that since it's browser specific…
I left my global DNS setting as provided from my ISP. And leave the local OPT interface DNS config for the CP interface. And I pipe OPT/CP traffic only through Squid. Inside Squid I set the DNS provided by client. This does a real nice job. This solves your need, as it does mine. And provides a real nice feature: even if the client's DNS servers entry is statically set, it will still resolve names from OpenDNS servers, transparent to the user, reducing the ability to get around my OpenDNS content filtering rules.
Captive portal works at layer 2 (read: MAC address), so unless your clients are bridged to the same layer 2 network as pfSense, and pfSense can see the client MAC addresses directly, then it will not do what you are after.
We have a feature request open (not sure if it's on redmine or elsewhere) for a layer 3 captive portal that would work by IP, but it's something that requires quite a lot of time (and funding…) in order for it to happen.
That's up to your AP's configuration. Nothing pfSense can do about that, and Captive Portal only works at Layer 2 so there isn't a workaround at the firewall level.
We were not calculating the bandwidth received from RADIUS according to the standard. You'll probably have to fix your bandwidth values in your RADIUS server.
There is a workaround for this scenario - and that is to NAT into the existing LAN and 1:1 NAT from one subnet to the other.
Hopefully the pfSense will provide firewall logs of translations so we can match user's traffic on the Internet to authenticated traffic on wireless LAN.
I don't know of another distribution that supports this feature, maybe ZeroShell?
You probably want to upload your own error page in section "Authentication error page contents" (right below "Portal page contents"). That's what I did and my portal login and error pages are of the same style and look.
Logout pop-up doesn't work, you're right. I guess it is a bug.
You don't need to get this domain, this could work if you use a local DNS server.
I have a local DNS server, but I have no idea how I can change that behaviour.
I want the captive portal redirect to go to http://pfsense.company.com:8000 instead of http://ipadress:8000, but how can I do this?
Is there any rule to set in pfSense to forward from the IP address to pfsense.company.com, or to configure the captive portal to use the domain instead of the IP address?