Great - thank's for the hint! My problem was, that I had a DC acting as a DNS and forwarding all unanswered queries to the POPs DNS (and not to pfsense) …

to answer my own question…I think...unless there is something wrong with this method that I am unaware of...

I decided to see what Mr. Ullrich meant by reuse the cert so I went in there and found that there is a way to create them. 
There is a link in the word create in the middle of the webGUI SSL certificate/key section.
as long as you fill out every field in there you will get a matching combo.

sslexplorer even has a built in java vpn client. It's pretty cool. Just forward the configured port to the ssl exporer and configure your users/apps there. I tested this at our office. works great.

@jeroen234:

rad you post 4 times still don't get it what you want

i have a transparend squid proxy running on pfsense and the portal

users get the portal first
afther login the reqest is diverted from port 80 to squid port 3128

Thank you, I got possible to use the HTTP (80).

Installation of package was not possible so that PFSense applied it in local address, and an answer became slow

However, HTTPS (443) and FTP (21) seem to be impossible by this method.

Is there a method according to anything?

Here is the file we are using.

/*     $Id: index.php,v 1.20.2.7 2006/09/22 14:40:03 sullrich Exp $     part of m0n0wall (http://m0n0.ch/wall)     Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.     All rights reserved.     Redistribution and use in source and binary forms, with or without     modification, are permitted provided that the following conditions are met:     1\. Redistributions of source code must retain the above copyright notice,       this list of conditions and the following disclaimer.     2\. Redistributions in binary form must reproduce the above copyright       notice, this list of conditions and the following disclaimer in the       documentation and/or other materials provided with the distribution.     THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,     INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY     AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE     AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,     OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF     SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS     INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN     CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)     ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE     POSSIBILITY OF SUCH DAMAGE. */ $host = getenv("REMOTE_ADDR"); list ($octet1, $octet2, $octet3, $octet4) = split ("\.", $host, 4); // The next lines are the redirections based on octet values.  You can also use ranges with different operators. '< or = or >' You get the idea if ($octet3 == "1") { $Redirect= "http://192.168.1.1:8000/captiveportal-mesaverde.html"; } elseif ($octet3 == "2") { $Redirect= "http://192.168.2.1:8000/captiveportal-index2.html"; } else { $Redirect= "http://192.168.1.1:8000/captive-portal-notallowed.html"; } header ("Location: ".$Redirect) ?> require_once("functions.inc"); header("Expires: 0"); header("Cache-Control: no-store, no-cache, must-revalidate"); header("Cache-Control: post-check=0, pre-check=0", false); header("Pragma: no-cache"); $orig_host = $_ENV['HTTP_HOST']; $orig_request = $_GET['redirurl']; $clientip = $_SERVER['REMOTE_ADDR']; if (!$clientip) {     /* not good - bail out */     echo "An error occured.  Please check the system logs for more information.";     log_error("Captive portal could not deterimine clients ip address.");     exit; } if (isset($config['captiveportal']['httpslogin']))     $ourhostname = $config['captiveportal']['httpsname'] . ":8001"; else     $ourhostname = $config['interfaces'][$config['captiveportal']['interface']]['ipaddr'] . ":8000"; if ($orig_host != $ourhostname) {     /* the client thinks it's connected to the desired web server, but instead       it's connected to us. Issue a redirect... */     if (isset($config['captiveportal']['httpslogin']))         header("Location: https://{$ourhostname}/index.php?redirurl=" . urlencode("http://{$orig_host}{$orig_request}"));     else         header("Location: http://{$ourhostname}/index.php?redirurl=" . urlencode("http://{$orig_host}{$orig_request}"));     exit; } if (preg_match("/redirurl=(.*)/", $orig_request, $matches))     $redirurl = urldecode($matches[1]); if ($_POST['redirurl'])     $redirurl = $_POST['redirurl']; $macfilter = !isset($config['captiveportal']['nomacfilter']); /* find MAC address for client */ $clientmac = arp_get_mac_by_ip($clientip); if (!$clientmac && $macfilter) {     /* unable to find MAC address - shouldn't happen! - bail out */     captiveportal_logportalauth("unauthenticated","noclientmac",$clientip,"ERROR");     echo "An error occured.  Please check the system logs for more information.";     log_error("Captive portal could not deterimine clients MAC address.  Disable MAC address filtering in captive portal if you do not needs this functionality.");     exit; } /* find out if we need RADIUS + RADIUSMAC or not */ if (file_exists("{$g['vardb_path']}/captiveportal_radius.db")) {     $radius_enable = TRUE;     if ($radius_enable && isset($config['captiveportal']['radmac_enable']))         $radmac_enable = TRUE; } if ($_POST['logout_id']) {     disconnect_client($_POST['logout_id']);     echo << <eod<br><title>Disconnecting...</title> **You have been disconnected.** EOD; /* The $macfilter can be removed safely since we first check if the $clientmac is present, if not we fail */ } else if ($clientmac && portal_mac_fixed($clientmac)) {     /* punch hole in ipfw for pass thru mac addresses */     portal_allow($clientip, $clientmac, "unauthenticated");     exit; } else if ($clientmac && $radmac_enable && portal_mac_radius($clientmac,$clientip)) {     /* radius functions handle everything so we exit here since we're done */     exit; } else if ($_POST['accept'] && $radius_enable) {     if ($_POST['auth_user'] && $_POST['auth_pass']) {         $auth_list = radius($_POST['auth_user'],$_POST['auth_pass'],$clientip,$clientmac,"USER LOGIN");         if ($auth_list['auth_val'] == 1) {             captiveportal_logportalauth($_POST['auth_user'],$clientmac,$clientip,"ERROR",$auth_list['error']);             portal_reply_page($redirurl, "error", $auth_list['error']);         }         else if ($auth_list['auth_val'] == 3) {             captiveportal_logportalauth($_POST['auth_user'],$clientmac,$clientip,"FAILURE",$auth_list['reply_message']);             portal_reply_page($redirurl, "error", $auth_list['reply_message']);         }     } else {         captiveportal_logportalauth($_POST['auth_user'],$clientmac,$clientip,"ERROR");         portal_reply_page($redirurl, "error");     } } else if ($_POST['accept'] && $config['captiveportal']['auth_method'] == "local") {     //check against local usermanager     $userdb = &$config['captiveportal']['user'];     $loginok = false;     //erase expired accounts     if (is_array($userdb)) {         $moddb = false;         for ($i = 0; $i < count($userdb); $i++) {             if ($userdb[$i]['expirationdate'] && (strtotime("-1 day") > strtotime($userdb[$i]['expirationdate']))) {                 unset($userdb[$i]);                 $moddb = true;             }         }         if ($moddb)             write_config();         $userdb = &$config['captiveportal']['user'];         for ($i = 0; $i < count($userdb); $i++) {             if (($userdb[$i]['name'] == $_POST['auth_user']) && ($userdb[$i]['password'] == md5($_POST['auth_pass']))) {                 $loginok = true;                 break;             }         }     }     if ($loginok){         captiveportal_logportalauth($_POST['auth_user'],$clientmac,$clientip,"LOGIN");         portal_allow($clientip, $clientmac,$_POST['auth_user']);     } else {         captiveportal_logportalauth($_POST['auth_user'],$clientmac,$clientip,"FAILURE");         portal_reply_page($redirurl, "error");     } } else if ($_POST['accept'] && $clientip) {     captiveportal_logportalauth("unauthenticated",$clientmac,$clientip,"ACCEPT");     portal_allow($clientip, $clientmac, "unauthenticated"); } else {     /* display captive portal page */     portal_reply_page($redirurl, "login"); } exit; function portal_reply_page($redirurl, $type = null, $message = null) {     global $g, $config;     /* Get captive portal layout */     if ($type == "login")         $htmltext = file_get_contents("{$g['varetc_path']}/captiveportal.html");     else         $htmltext = file_get_contents("{$g['varetc_path']}/captiveportal-error.html");     /* substitute other variables */     if (isset($config['captiveportal']['httpslogin']))         $htmltext = str_replace("\$PORTAL_ACTION\$", "https://{$config['captiveportal']['httpsname']}:8001/", $htmltext);     else         $htmltext = str_replace("\$PORTAL_ACTION\$", "http://{$config['interfaces'][$config['captiveportal']['interface']]['ipaddr']}:8000/", $htmltext);     $htmltext = str_replace("\$PORTAL_REDIRURL\$", htmlspecialchars($redirurl), $htmltext);     $htmltext = str_replace("\$PORTAL_MESSAGE\$", htmlspecialchars($message), $htmltext);     echo $htmltext; } function portal_mac_fixed($clientmac) {     global $g ;     /* open captive portal mac db */     if (file_exists("{$g['vardb_path']}/captiveportal_mac.db")) {         $fd = @fopen("{$g['vardb_path']}/captiveportal_mac.db","r") ;         if (!$fd) {             return FALSE;         }         while (!feof($fd)) {             $mac = trim(fgets($fd)) ;             if(strcasecmp($clientmac, $mac) == 0) {                 fclose($fd) ;                 return TRUE ;             }         }         fclose($fd) ;     }     return FALSE ; } function portal_mac_radius($clientmac,$clientip) {     global $config ;     $radmac_secret = $config['captiveportal']['radmac_secret'];     /* authentication against the radius server */     $username = mac_format($clientmac);     $auth_list = radius($username,$radmac_secret,$clientip,$clientmac,"MACHINE LOGIN");     if ($auth_list['auth_val'] == 2) {         return TRUE;     }     return FALSE; } function portal_allow($clientip,$clientmac,$username,$password = null, $attributes = null, $ruleno = null)  {     global $redirurl, $g, $config;     /* See if a ruleno is passed, if not start locking the sessions because this means there isn't one atm */     if ($ruleno == null) {         captiveportal_lock();         $ruleno = captiveportal_get_next_ipfw_ruleno();     }     /* if the pool is empty, return appropriate message and exit */     if (is_null($ruleno)) {         portal_reply_page($redirurl, "error", "System reached maximum login capacity");         captiveportal_unlock();         exit;     }     // Ensure we create an array if we are missing attributes     if (!is_array($attributes))         $attributes = array();     /* read in client database */     $cpdb = captiveportal_read_db();     $radiusservers = captiveportal_get_radius_servers();     /* Find an existing session */     for ($i = 0; $i < count($cpdb); $i++) {         /* on the same ip */         if($cpdb[$i][2] == $clientip) {             captiveportal_logportalauth($cpdb[$i][4],$cpdb[$i][3],$cpdb[$i][2],"CONCURRENT LOGIN - REUSING OLD SESSION");             $sessionid = $cpdb[$i][5];             break;         }         elseif ((isset($config['captiveportal']['noconcurrentlogins'])) && ($username != 'unauthenticated')) {             /* on the same username */             if ($cpdb[$i][4] == $username) {                 /* This user was already logged in so we disconnect the old one */                 captiveportal_disconnect($cpdb[$i],$radiusservers,13);                 captiveportal_logportalauth($cpdb[$i][4],$cpdb[$i][3],$cpdb[$i][2],"CONCURRENT LOGIN - TERMINATING OLD SESSION");                 unset($cpdb[$i]);                 break;             }         }     }     if (!isset($sessionid)) {         /* generate unique session ID */         $tod = gettimeofday();         $sessionid = substr(md5(mt_rand() . $tod['sec'] . $tod['usec'] . $clientip . $clientmac), 0, 16);         /* Add rules for traffic shaping         * We don't need to add extra l3 allow rules since traffic will pass due to the following kernel option         * net.inet.ip.fw.one_pass: 1         */         $peruserbw = isset($config['captiveportal']['peruserbw']);         $bw_up = isset($attributes['bw_up']) ? trim($attributes['bw_up']) : $config['captiveportal']['bwdefaultup'];         $bw_down = isset($attributes['bw_down']) ? trim($attributes['bw_down']) : $config['captiveportal']['bwdefaultdn'];         if ($peruserbw && !empty($bw_up) && is_numeric($bw_up)) {             $bw_up_pipeno = $ruleno + 40500;             exec("/sbin/ipfw add $ruleno set 2 pipe $bw_up_pipeno ip from $clientip to any in");             exec("/sbin/ipfw pipe $bw_up_pipeno config bw {$bw_up}Kbit/s queue 100");         } else {             exec("/sbin/ipfw add $ruleno set 2 skipto 50000 ip from $clientip to any in");         }         if ($peruserbw && !empty($bw_down) && is_numeric($bw_down)) {             $bw_down_pipeno = $ruleno + 45500;             exec("/sbin/ipfw add $ruleno set 2 pipe $bw_down_pipeno ip from any to $clientip out");             exec("/sbin/ipfw pipe $bw_down_pipeno config bw {$bw_down}Kbit/s queue 100");         } else {             exec("/sbin/ipfw add $ruleno set 2 skipto 50000 ip from any to $clientip out");         }         /* add ipfw rules for layer 2 */         if (!isset($config['captiveportal']['nomacfilter'])) {             $l2ruleno = $ruleno + 10000;             exec("/sbin/ipfw add $l2ruleno set 3 deny all from $clientip to any not MAC any $clientmac layer2 in");             exec("/sbin/ipfw add $l2ruleno set 3 deny all from any to $clientip not MAC $clientmac any layer2 out");         }         /* encode password in Base64 just in case it contains commas */         $bpassword = base64_encode($password);         $cpdb[] = array(time(), $ruleno, $clientip, $clientmac, $username, $sessionid, $bpassword,                 $attributes['session_timeout'],                 $attributes['idle_timeout'],                 $attributes['session_terminate_time']);         if (isset($config['captiveportal']['radacct_enable']) && isset($radiusservers[0])) {             $acct_val = RADIUS_ACCOUNTING_START($ruleno,                                                             $username,                                                             $sessionid,                                                             $radiusservers[0]['ipaddr'],                                                             $radiusservers[0]['acctport'],                                                             $radiusservers[0]['key'],                                                             $clientip,                                                             $clientmac);             if ($acct_val == 1)                 captiveportal_logportalauth($username,$clientmac,$clientip,$type,"RADIUS ACCOUNTING FAILED");         }     }     /* rewrite information to database */     captiveportal_write_db($cpdb);     /* redirect user to desired destination */     if ($url_redirection)         $my_redirurl = $url_redirection;     else if ($config['captiveportal']['redirurl'])         $my_redirurl = $config['captiveportal']['redirurl'];     else         $my_redirurl = $redirurl;     if(isset($config['captiveportal']['logoutwin_enable'])) {         if (isset($config['captiveportal']['httpslogin']))             $logouturl = "https://{$config['captiveportal']['httpsname']}:8001/";         else             $logouturl = "http://{$config['interfaces'][$config['captiveportal']['interface']]['ipaddr']}:8000/";         echo << <eod<br><title>Redirecting...</title> **Redirecting to [{$my_redirurl}]({$my_redirurl})...** EOD;     } else {         header("Location: " . $my_redirurl);     }     captiveportal_unlock();     return $sessionid; } /* remove a single client by session ID   by Dinesh Nair */ function disconnect_client($sessionid, $logoutReason = "LOGOUT", $term_cause = 1) {     global $g, $config;     captiveportal_lock();     /* read database */     $cpdb = captiveportal_read_db();     $radiusservers = captiveportal_get_radius_servers();     /* find entry */     for ($i = 0; $i < count($cpdb); $i++) {         if ($cpdb[$i][5] == $sessionid) {             captiveportal_disconnect($cpdb[$i],$radiusservers, $term_cause);             captiveportal_logportalauth($cpdb[$i][4],$cpdb[$i][3],$cpdb[$i][2],$logoutReason);             unset($cpdb[$i]);             break;         }     }     /* write database */     captiveportal_write_db($cpdb);     captiveportal_unlock(); } ?></eod<br></eod<br></mk@neon1.net>

@hoba:

There are some packages in the pipe (like freenas) that won't work with the current version of pfSense (and therefor won't show up in the packagemanager yet) and require features that are in the head codetree, other packages might be a bit tricky to get going or not every feature of them will work. Others just work fine. The main focus was to release a stable basesystem first.

I suggest just setting up a system on a hdd and do a testdrive to see if pfSense is/does what you need.

thanks.

Ok I really hope they sort that out soon because I know alot of persons have requested it.

Hello Sullrich, you told right  ;)

I reinstall with 1.0 RC3 (livecd) and everything is allright now.  8)

Thank to all for your help…

Hau!

me again

Im not a PHP programmer and following mr. hoba suggestion I found a php script which verifies username and check it with ip addr where requisition for logon came from.

But when I try to run PHP code nothing happens, as if PHP running in PF is not understanding php code.
Where do I find PHP logs to see if there´s an error?

Thnx

p.s.: php code below - please remember "IM NOT A PHP PROGRAMMER" so if it´s crap is not my fault (yet) =P

// checa user function check_user() { //verifica se o form foi enviado if(isset($_POST['auth_user'])) { // separa a string $rede_user = explode('.',$_POST['auth_user']); // sub_rede do usuário echo "sub rede do usuário = ".$rede_user[1]; // ip verdadeiro $ip = $_SERVER['REMOTE_ADDR']; //- DESCOMENTAR ESTA LINHA // pseudo ip do usuário -  //$ip = '192.168.11.0'; //COMENTAR ESTA LINHA $ip_user = explode('.',$ip); echo " "; echo " "; echo "Conjuntos do ip do usuário"; echo " "; echo "parte 1 = ".$ip_user[0]; echo " "; echo "parte 2 = ".$ip_user[1]; echo " "; echo "parte 3 = ".$ip_user[2]; echo " "; echo " "; // REDES IPS $rede = array(); $rede[10][0] = 'x'; $rede[11][0] = 'y'; $rede[20][0] = 'k'; $rede[21][0] = 'w'; $rede[22][0] = 'v'; $rede[23][0] = 'm'; echo " "; // verifica se a sua rede do usuário pertence ao IP que ele está logado if(@in_array($rede_user[1] , $rede[$ip_user[2]])) { echo "O USUÁRIO PODE PASSAR "; echo "A sub rede ".$rede_user[1]." pertence a rede ".$ip"; }else { echo "PASSAGEM PROIBIDA "; echo "A sub rede ".$rede_user[1]." NÃO pertence ao ip ".$ip"; exit(); } } } check_user(); ?>

What version.

I've done it. Now everything works fine.

turn youre pfsense server `180 degrees
so that lan gets to be wan
add a route on the lan to 0.0.0.0 / 255.255.255.255 with the ip of youre wireless router as gateway

I can do that with no modification to the existing code…why did you feel you needed to create a mod?

thanx

;)

It is not currently in a situation to be modififed.  It is hard coded into the php file.

If you would like to get this option modified I would suggest emailing the m0n0wall list where Jonathon does most of the Captive Portal work.  We simply "borrow" from m0n0wall.

I solved now.. I configure 2 nework card on radius server. One with static IP, one with DHCP. I thought to of using the same server to test for CP function.. It only work after I delete the 1st network card (DHCP). It seem that radius send the reply but going out to DHCP IP one so CP firewall block it (or something like that)..

But now it working.. I can see, radius auth routine only check for Accept-Reply (1st byte only) and not other attribute. I will try to compare or do some hacking so session-timeout can be use.. Hopefully.

Hi,

I resolve this problem. I generate little perl script which checks if
account is activated and put Reject for it when crontab run this
script. Maybe some one else is thinking this same problem, so
i decide to put my answer here.

crontab:
0 0 * * * root /usr/bin/cpcheck.pl

script: see attachment.

Br,

Ville

cpcheck.pl.txt

Okay, changes will be present in RC3.

Thanks for testing.

Ops I forgot, in 2 i enabled the load balancer and i configured the gateway for LAN rule to Balancer.

Rodrigo Quilez
São Paulo - Brasil

Can you post that at the m0n0 list? The CP is more or less a rip off of the m0n0 code. As CP is mainly developed at m0n0wall this would break syncability between m0n0 and pfSense. We are trying to stay the same like m0n0 here.