Got to the bottom of it:

It was a problem with the (cheap) CF card the pfSense was installed on and the Realtek NICs doing the watchdog timeout thing - basically, made a mess of the whole CP behaviour.  Have moved to new hardware and all is fine.

Nothing saying you have to remake them weekly, just make a bunch of rolls at a time.

Individual vouchers are tracked, as they are no longer considered valid once they expired (if they have a time value).

I am using lightsquid for the reporting and it allows me to see and actually go to the sites where the users are going … the reporting is nice as it shows the users with the biggest usage etc and it has a daily and weekly overview

Philip Van Cleven

@ermal:

Now you can allow by dns name access in CP.
This is on 2.0 latest snapshots.

I tried the snapshot of 23 Feb 2011 on a Dell GX620 with one additional card (standard stock) and 1 Gig of ram.
the software loaded without a hitch.
I configured the captive portal (no users) and checked if it was possible to get to the internet and the answer was : display of the login to the captive portal (good)
nothing configured in the captive portal –> no email in thunderbird going in or sending out (using imap.gmail.com and smtp.gmail.com)
configured the captive portal --> allow host names and configured in one direction (from ) to allow the imap and smtp service on gmail
thunderbird was able to receive and send emails while internet was still blocked

–--------> success story!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

next question : how far are we from a release of the version 2 as I want to install this as soon as possible. I probably will install the snapshot already at the factory hoping it is stable enough?
I normally have squid running and litesquid for reporting and a cron task to rotate the log files
15 users with no internet but email
10 users on captive portal
10 users not going through the proxy

Philip

I know that the solution is not going to be that easy for you to do via pfsense.  Another solution which might help you would be something like http://www.hotspotsystem.com/.  You load the firmware up on your wireless access point and then set up the account.  Lots of solutions for CP pay for services, just search around.

@cmb:

It's as secure as you're going to get at the gateway level. Your infrastructure at layer 2 (switch and/or AP) has to handle any other bad things that people try to do as that's beyond the firewall's control.

+1 - Get better switches

hi there.

i am on pfSense 2.0-BETA5-pfSense (i386)  still the same the voucher time does not stop even the user has logout.

A user with 30 minutes voucher time and logout after 10 minutes, when the user comes back after 20 minutes the account is already expired. It is supposed to be the user still can login because it has a 20 minutes remaining.

Hope this feature would be included in the next or future release.

regards,
sarhento

Thank you, muchly appreciated  ;D

If CP doesn't redirect it's one of two things, you either aren't allowing the initial HTTP request in your firewall rules on that interface, or your DNS isn't functional.

Man, almost a whole day of messing with this and it turns out that the CA/chain file I downloaded was in DOS format (CRLF rather than just CR).  I ran it through "dos2unix" and re-copied it and all is well.  cat -v is your friend!

wow this is great and is a much needed feature captive portal cannot do without
however – doing this for like 100 or so users is very tedious.  >:(

I run a captive portal with HTTPS auth that handles about 150 concurrent users on version 1.2.3.  If you can get it to run in 2.0 I would recommend it only because most certificate authorities use intermediate certs that you would need to put in the chained certs field.  In my case that meant patching the GUI because the webserver supports it but the GUI did not.  If you can't use 2.0, here's the link for the patch.

http://forum.pfsense.org/index.php?topic=10888.0

Worked great, now I can use the Comodo wildcard cert we bought for our domain.  Good luck.

This does not work…

if ($_POST['logout_id']) {
   echo << <eod<br><title>Disconnecting…</title>

You have been disconnected.

EOD;
   register_shutdown_function(disconnect_client,$_POST['logout_id']);
   exit;
–-

As stated before the only thing that I have been able to make work is this...

--- index.php 2011-02-06 16:24:13.000000000 +0000
+++ index.php.new 2011-02-06 16:16:27.000000000 +0000
@@ -412,29 +412,7 @@
 */
function disconnect_client($sessionid, $logoutReason = "LOGOUT", $term_cause = 1) {

global $g, $config; $cplock = lock('captiveportal'); /* read database */ $cpdb = captiveportal_read_db(); $radiusservers = captiveportal_get_radius_servers(); /* find entry */ for ($i = 0; $i < count($cpdb); $i++) { if ($cpdb[$i][5] == $sessionid) { captiveportal_disconnect($cpdb[$i],$radiusservers, $term_cause); captiveportal_logportalauth($cpdb[$i][4],$cpdb[$i][3],$cpdb[$i][2],$logoutReason); unset($cpdb[$i]); break; } } /* write database */ captiveportal_write_db($cpdb); unlock($cplock); mwexec_bg("/usr/local/captiveportal/captiveportal-disconnect.php $sessionid $logoutReason $term_cause");

}

Where /usr/local/www/captiveportal/captiveportal-disconnect.php contains the following
–-
#!/usr/local/bin/php -f
require_once("functions.inc");
global $g, $config;

$sessionid = $argv[1];
$logoutReason = $argv[2];
$term_cause = $argv[3];

if ( $argc != 4 ||  $sessionid == "" || logoutReason == "" || $term_cause == "" )
   exit;

echo "$sessionid $logoutReason $term_cause";

$cplock = lock('captiveportal');

/* read database */
$cpdb = captiveportal_read_db();

$radiusservers = captiveportal_get_radius_servers();

/* find entry */
for ($i = 0; $i < count($cpdb); $i++) {
   if ($cpdb[$i][5] == $sessionid) {
       captiveportal_disconnect($cpdb[$i],$radiusservers, $term_cause);
       captiveportal_logportalauth($cpdb[$i][4],$cpdb[$i][3],$cpdb[$i][2],$logoutReason);
       unset($cpdb[$i]);
       break;
   }
}

/* write database */
captiveportal_write_db($cpdb);

unlock($cplock);

?>
–-</eod<br>

this sounds like what we are after.  If you've got this working any chance of a walkthrough?

If i'm not mistaken, you can run PHP code in your CP login page..

so your CP login page can have a php code to check user_agent / browser  and redirect user to another CP login page based on that..

if you can only run 1 page for CP (as i see in pFSense) then you can try embedded iframe for that CP page and load pages from external (but still on the PFsense publicly accessible folder www/)

seems to be a little un-understandable

if the users do not buy a voucher, they may use the wlan for free to see only one Domain.
Nothing else but one single Homepage (and the login…)

If someone is buying a voucher, he is allowed to access all the www...

and sorry: My linux-knowledge and also my english is really not perfect...

I lowered the MTU enough but now CP will not even show the login screen. Something happened though because I lost the ability to surf to any webmail sites. I had to reboot to regain access to any webmail. I was planning on waiting til 2.0 is ready for production.