• 0 Votes
    6 Posts
    4k Views
    E

    Great - thanks for the hint! My problem was that I had a DC acting as a DNS and forwarding all unanswered queries to the POP's DNS (and not to pfSense) …

  • Captive Portal Https Help

    Locked
    5
    0 Votes
    5 Posts
    4k Views
    D

    To answer my own question… I think... unless there is something wrong with this method that I am unaware of...

    I decided to see what Mr. Ullrich meant by "reuse the cert", so I went in there and found that there is a way to create them.
    There is a link on the word "create" in the middle of the webGUI SSL certificate/key section.
    As long as you fill out every field in there you will get a matching combo.

  • External (Reverse?) Captive Portal

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    H

    sslexplorer even has a built-in Java VPN client. It's pretty cool. Just forward the configured port to the SSL Explorer and configure your users/apps there. I tested this at our office. Works great.

  • About a combination method with Proxy

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    T

    @jeroen234:

    Read your post 4 times, still don't get what you want.

    I have a transparent squid proxy running on pfSense and the portal.

    Users get the portal first;
    after login the request is diverted from port 80 to squid port 3128.

    Thank you, I managed to use HTTP (80).

    Installation of the package was not possible, so pfSense applied it on the local address, and responses became slow.

    However, HTTPS (443) and FTP (21) seem to be impossible by this method.

    Is there a method for those?

  • Per source IP login page

    Locked
    7
    0 Votes
    7 Posts
    5k Views
    S

    Here is the file we are using.

    ```php
    <?php
    /*
        $Id: index.php,v 1.20.2.7 2006/09/22 14:40:03 sullrich Exp $
        part of m0n0wall (http://m0n0.ch/wall)

        Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
        All rights reserved.

        Redistribution and use in source and binary forms, with or without
        modification, are permitted provided that the following conditions are met:

        1. Redistributions of source code must retain the above copyright notice,
           this list of conditions and the following disclaimer.

        2. Redistributions in binary form must reproduce the above copyright
           notice, this list of conditions and the following disclaimer in the
           documentation and/or other materials provided with the distribution.

        THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
        INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
        AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
        AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
        OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
        SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
        INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
        CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
        ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
        POSSIBILITY OF SUCH DAMAGE.
    */

    /* Per-source-IP redirection added in front of the stock m0n0wall index.php */
    $host = getenv("REMOTE_ADDR");
    list ($octet1, $octet2, $octet3, $octet4) = explode(".", $host, 4);

    // The next lines are the redirections based on octet values.  You can also
    // use ranges with different operators: '< or = or >'. You get the idea.
    if ($octet3 == "1") {
        $Redirect = "http://192.168.1.1:8000/captiveportal-mesaverde.html";
    } elseif ($octet3 == "2") {
        $Redirect = "http://192.168.2.1:8000/captiveportal-index2.html";
    } else {
        $Redirect = "http://192.168.1.1:8000/captive-portal-notallowed.html";
    }
    header("Location: " . $Redirect);
    ?>
    <?php
    require_once("functions.inc");

    header("Expires: 0");
    header("Cache-Control: no-store, no-cache, must-revalidate");
    header("Cache-Control: post-check=0, pre-check=0", false);
    header("Pragma: no-cache");

    $orig_host = $_ENV['HTTP_HOST'];
    $orig_request = $_GET['redirurl'];
    $clientip = $_SERVER['REMOTE_ADDR'];

    if (!$clientip) {
        /* not good - bail out */
        echo "An error occured.  Please check the system logs for more information.";
        log_error("Captive portal could not deterimine clients ip address.");
        exit;
    }

    if (isset($config['captiveportal']['httpslogin']))
        $ourhostname = $config['captiveportal']['httpsname'] . ":8001";
    else
        $ourhostname = $config['interfaces'][$config['captiveportal']['interface']]['ipaddr'] . ":8000";

    if ($orig_host != $ourhostname) {
        /* the client thinks it's connected to the desired web server, but instead
           it's connected to us. Issue a redirect... */
        if (isset($config['captiveportal']['httpslogin']))
            header("Location: https://{$ourhostname}/index.php?redirurl=" . urlencode("http://{$orig_host}{$orig_request}"));
        else
            header("Location: http://{$ourhostname}/index.php?redirurl=" . urlencode("http://{$orig_host}{$orig_request}"));
        exit;
    }

    if (preg_match("/redirurl=(.*)/", $orig_request, $matches))
        $redirurl = urldecode($matches[1]);
    if ($_POST['redirurl'])
        $redirurl = $_POST['redirurl'];

    $macfilter = !isset($config['captiveportal']['nomacfilter']);

    /* find MAC address for client */
    $clientmac = arp_get_mac_by_ip($clientip);
    if (!$clientmac && $macfilter) {
        /* unable to find MAC address - shouldn't happen! - bail out */
        captiveportal_logportalauth("unauthenticated","noclientmac",$clientip,"ERROR");
        echo "An error occured.  Please check the system logs for more information.";
        log_error("Captive portal could not deterimine clients MAC address.  Disable MAC address filtering in captive portal if you do not needs this functionality.");
        exit;
    }

    /* find out if we need RADIUS + RADIUSMAC or not */
    if (file_exists("{$g['vardb_path']}/captiveportal_radius.db")) {
        $radius_enable = TRUE;
        if ($radius_enable && isset($config['captiveportal']['radmac_enable']))
            $radmac_enable = TRUE;
    }

    if ($_POST['logout_id']) {
        disconnect_client($_POST['logout_id']);
        echo <<<EOD
    <html>
    <head><title>Disconnecting...</title></head>
    <body><b>You have been disconnected.</b></body>
    </html>
    EOD;
    /* The $macfilter can be removed safely since we first check if the $clientmac is present, if not we fail */
    } else if ($clientmac && portal_mac_fixed($clientmac)) {
        /* punch hole in ipfw for pass thru mac addresses */
        portal_allow($clientip, $clientmac, "unauthenticated");
        exit;
    } else if ($clientmac && $radmac_enable && portal_mac_radius($clientmac,$clientip)) {
        /* radius functions handle everything so we exit here since we're done */
        exit;
    } else if ($_POST['accept'] && $radius_enable) {
        if ($_POST['auth_user'] && $_POST['auth_pass']) {
            $auth_list = radius($_POST['auth_user'],$_POST['auth_pass'],$clientip,$clientmac,"USER LOGIN");
            if ($auth_list['auth_val'] == 1) {
                captiveportal_logportalauth($_POST['auth_user'],$clientmac,$clientip,"ERROR",$auth_list['error']);
                portal_reply_page($redirurl, "error", $auth_list['error']);
            }
            else if ($auth_list['auth_val'] == 3) {
                captiveportal_logportalauth($_POST['auth_user'],$clientmac,$clientip,"FAILURE",$auth_list['reply_message']);
                portal_reply_page($redirurl, "error", $auth_list['reply_message']);
            }
        } else {
            captiveportal_logportalauth($_POST['auth_user'],$clientmac,$clientip,"ERROR");
            portal_reply_page($redirurl, "error");
        }
    } else if ($_POST['accept'] && $config['captiveportal']['auth_method'] == "local") {
        //check against local usermanager
        $userdb = &$config['captiveportal']['user'];
        $loginok = false;
        //erase expired accounts
        if (is_array($userdb)) {
            $moddb = false;
            for ($i = 0; $i < count($userdb); $i++) {
                if ($userdb[$i]['expirationdate'] && (strtotime("-1 day") > strtotime($userdb[$i]['expirationdate']))) {
                    unset($userdb[$i]);
                    $moddb = true;
                }
            }
            if ($moddb)
                write_config();
            $userdb = &$config['captiveportal']['user'];
            for ($i = 0; $i < count($userdb); $i++) {
                if (($userdb[$i]['name'] == $_POST['auth_user']) && ($userdb[$i]['password'] == md5($_POST['auth_pass']))) {
                    $loginok = true;
                    break;
                }
            }
        }
        if ($loginok){
            captiveportal_logportalauth($_POST['auth_user'],$clientmac,$clientip,"LOGIN");
            portal_allow($clientip, $clientmac,$_POST['auth_user']);
        } else {
            captiveportal_logportalauth($_POST['auth_user'],$clientmac,$clientip,"FAILURE");
            portal_reply_page($redirurl, "error");
        }
    } else if ($_POST['accept'] && $clientip) {
        captiveportal_logportalauth("unauthenticated",$clientmac,$clientip,"ACCEPT");
        portal_allow($clientip, $clientmac, "unauthenticated");
    } else {
        /* display captive portal page */
        portal_reply_page($redirurl, "login");
    }

    exit;

    function portal_reply_page($redirurl, $type = null, $message = null) {
        global $g, $config;

        /* Get captive portal layout */
        if ($type == "login")
            $htmltext = file_get_contents("{$g['varetc_path']}/captiveportal.html");
        else
            $htmltext = file_get_contents("{$g['varetc_path']}/captiveportal-error.html");

        /* substitute other variables */
        if (isset($config['captiveportal']['httpslogin']))
            $htmltext = str_replace("\$PORTAL_ACTION\$", "https://{$config['captiveportal']['httpsname']}:8001/", $htmltext);
        else
            $htmltext = str_replace("\$PORTAL_ACTION\$", "http://{$config['interfaces'][$config['captiveportal']['interface']]['ipaddr']}:8000/", $htmltext);

        $htmltext = str_replace("\$PORTAL_REDIRURL\$", htmlspecialchars($redirurl), $htmltext);
        $htmltext = str_replace("\$PORTAL_MESSAGE\$", htmlspecialchars($message), $htmltext);

        echo $htmltext;
    }

    function portal_mac_fixed($clientmac) {
        global $g;

        /* open captive portal mac db */
        if (file_exists("{$g['vardb_path']}/captiveportal_mac.db")) {
            $fd = @fopen("{$g['vardb_path']}/captiveportal_mac.db","r");
            if (!$fd) {
                return FALSE;
            }
            while (!feof($fd)) {
                $mac = trim(fgets($fd));
                if(strcasecmp($clientmac, $mac) == 0) {
                    fclose($fd);
                    return TRUE;
                }
            }
            fclose($fd);
        }
        return FALSE;
    }

    function portal_mac_radius($clientmac,$clientip) {
        global $config;

        $radmac_secret = $config['captiveportal']['radmac_secret'];

        /* authentication against the radius server */
        $username = mac_format($clientmac);
        $auth_list = radius($username,$radmac_secret,$clientip,$clientmac,"MACHINE LOGIN");
        if ($auth_list['auth_val'] == 2) {
            return TRUE;
        }
        return FALSE;
    }

    function portal_allow($clientip,$clientmac,$username,$password = null, $attributes = null, $ruleno = null)  {

        global $redirurl, $g, $config;

        /* See if a ruleno is passed, if not start locking the sessions because this means there isn't one atm */
        if ($ruleno == null) {
            captiveportal_lock();
            $ruleno = captiveportal_get_next_ipfw_ruleno();
        }

        /* if the pool is empty, return appropriate message and exit */
        if (is_null($ruleno)) {
            portal_reply_page($redirurl, "error", "System reached maximum login capacity");
            captiveportal_unlock();
            exit;
        }

        // Ensure we create an array if we are missing attributes
        if (!is_array($attributes))
            $attributes = array();

        /* read in client database */
        $cpdb = captiveportal_read_db();

        $radiusservers = captiveportal_get_radius_servers();

        /* Find an existing session */
        for ($i = 0; $i < count($cpdb); $i++) {
            /* on the same ip */
            if($cpdb[$i][2] == $clientip) {
                captiveportal_logportalauth($cpdb[$i][4],$cpdb[$i][3],$cpdb[$i][2],"CONCURRENT LOGIN - REUSING OLD SESSION");
                $sessionid = $cpdb[$i][5];
                break;
            }
            elseif ((isset($config['captiveportal']['noconcurrentlogins'])) && ($username != 'unauthenticated')) {
                /* on the same username */
                if ($cpdb[$i][4] == $username) {
                    /* This user was already logged in so we disconnect the old one */
                    captiveportal_disconnect($cpdb[$i],$radiusservers,13);
                    captiveportal_logportalauth($cpdb[$i][4],$cpdb[$i][3],$cpdb[$i][2],"CONCURRENT LOGIN - TERMINATING OLD SESSION");
                    unset($cpdb[$i]);
                    break;
                }
            }
        }

        if (!isset($sessionid)) {

            /* generate unique session ID */
            $tod = gettimeofday();
            $sessionid = substr(md5(mt_rand() . $tod['sec'] . $tod['usec'] . $clientip . $clientmac), 0, 16);

            /* Add rules for traffic shaping
             * We don't need to add extra l3 allow rules since traffic will pass due to the following kernel option
             * net.inet.ip.fw.one_pass: 1
             */
            $peruserbw = isset($config['captiveportal']['peruserbw']);

            $bw_up = isset($attributes['bw_up']) ? trim($attributes['bw_up']) : $config['captiveportal']['bwdefaultup'];
            $bw_down = isset($attributes['bw_down']) ? trim($attributes['bw_down']) : $config['captiveportal']['bwdefaultdn'];

            if ($peruserbw && !empty($bw_up) && is_numeric($bw_up)) {
                $bw_up_pipeno = $ruleno + 40500;
                exec("/sbin/ipfw add $ruleno set 2 pipe $bw_up_pipeno ip from $clientip to any in");
                exec("/sbin/ipfw pipe $bw_up_pipeno config bw {$bw_up}Kbit/s queue 100");
            } else {
                exec("/sbin/ipfw add $ruleno set 2 skipto 50000 ip from $clientip to any in");
            }
            if ($peruserbw && !empty($bw_down) && is_numeric($bw_down)) {
                $bw_down_pipeno = $ruleno + 45500;
                exec("/sbin/ipfw add $ruleno set 2 pipe $bw_down_pipeno ip from any to $clientip out");
                exec("/sbin/ipfw pipe $bw_down_pipeno config bw {$bw_down}Kbit/s queue 100");
            } else {
                exec("/sbin/ipfw add $ruleno set 2 skipto 50000 ip from any to $clientip out");
            }

            /* add ipfw rules for layer 2 */
            if (!isset($config['captiveportal']['nomacfilter'])) {
                $l2ruleno = $ruleno + 10000;
                exec("/sbin/ipfw add $l2ruleno set 3 deny all from $clientip to any not MAC any $clientmac layer2 in");
                exec("/sbin/ipfw add $l2ruleno set 3 deny all from any to $clientip not MAC $clientmac any layer2 out");
            }

            /* encode password in Base64 just in case it contains commas */
            $bpassword = base64_encode($password);
            $cpdb[] = array(time(), $ruleno, $clientip, $clientmac, $username, $sessionid, $bpassword,
                    $attributes['session_timeout'],
                    $attributes['idle_timeout'],
                    $attributes['session_terminate_time']);

            if (isset($config['captiveportal']['radacct_enable']) && isset($radiusservers[0])) {
                $acct_val = RADIUS_ACCOUNTING_START($ruleno,
                                                    $username,
                                                    $sessionid,
                                                    $radiusservers[0]['ipaddr'],
                                                    $radiusservers[0]['acctport'],
                                                    $radiusservers[0]['key'],
                                                    $clientip,
                                                    $clientmac);
                if ($acct_val == 1)
                    captiveportal_logportalauth($username,$clientmac,$clientip,$type,"RADIUS ACCOUNTING FAILED");
            }
        }

        /* rewrite information to database */
        captiveportal_write_db($cpdb);

        /* redirect user to desired destination */
        if ($url_redirection)
            $my_redirurl = $url_redirection;
        else if ($config['captiveportal']['redirurl'])
            $my_redirurl = $config['captiveportal']['redirurl'];
        else
            $my_redirurl = $redirurl;

        if(isset($config['captiveportal']['logoutwin_enable'])) {

            if (isset($config['captiveportal']['httpslogin']))
                $logouturl = "https://{$config['captiveportal']['httpsname']}:8001/";
            else
                $logouturl = "http://{$config['interfaces'][$config['captiveportal']['interface']]['ipaddr']}:8000/";

            echo <<<EOD
    <html>
    <head><title>Redirecting...</title></head>
    <body><b>Redirecting to <a href="{$my_redirurl}">{$my_redirurl}</a>...</b></body>
    </html>
    EOD;
        } else {
            header("Location: " . $my_redirurl);
        }

        captiveportal_unlock();

        return $sessionid;
    }

    /* remove a single client by session ID
       by Dinesh Nair
     */
    function disconnect_client($sessionid, $logoutReason = "LOGOUT", $term_cause = 1) {

        global $g, $config;

        captiveportal_lock();

        /* read database */
        $cpdb = captiveportal_read_db();
        $radiusservers = captiveportal_get_radius_servers();

        /* find entry */
        for ($i = 0; $i < count($cpdb); $i++) {
            if ($cpdb[$i][5] == $sessionid) {
                captiveportal_disconnect($cpdb[$i],$radiusservers, $term_cause);
                captiveportal_logportalauth($cpdb[$i][4],$cpdb[$i][3],$cpdb[$i][2],$logoutReason);
                unset($cpdb[$i]);
                break;
            }
        }

        /* write database */
        captiveportal_write_db($cpdb);

        captiveportal_unlock();
    }
    ?>
    ```
  • Hi, how could pfSense help me out? (captive portal user using m0n0wall)

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    G

    @hoba:

    There are some packages in the pipe (like freenas) that won't work with the current version of pfSense (and therefore won't show up in the package manager yet) and require features that are in the head code tree; other packages might be a bit tricky to get going, or not every feature of them will work. Others just work fine. The main focus was to release a stable base system first.

    I suggest just setting up a system on a HDD and doing a test drive to see if pfSense is/does what you need.

    thanks.

  • Multiple Interfaces

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    J

    Ok, I really hope they sort that out soon, because I know a lot of people have requested it.

  • Need help about broken images on captiveportal

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    D

    Hello Sullrich, you were right  ;)

    I reinstalled with 1.0 RC3 (livecd) and everything is all right now.  8)

    Thanks to all for your help…

  • How to force Captive Portal to check user subnet before authentication?

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    R

    Hau!

    me again

    I'm not a PHP programmer, and following Mr. hoba's suggestion I found a PHP script which verifies the username and checks it against the IP address the logon request came from.

    But when I try to run the PHP code nothing happens, as if the PHP running in PF does not understand the code.
    Where do I find the PHP logs to see if there's an error?

    Thnx

    p.s.: PHP code below - please remember "I'M NOT A PHP PROGRAMMER", so if it's crap it's not my fault (yet) =P

    ```php
    <?php
    // check user
    function check_user() {
        // check whether the form was submitted
        if (isset($_POST['auth_user'])) {
            // split the string
            $rede_user = explode('.', $_POST['auth_user']);
            // user's subnet
            echo "sub rede do usuário = " . $rede_user[1];
            // real ip
            $ip = $_SERVER['REMOTE_ADDR']; //- UNCOMMENT THIS LINE
            // user's pseudo ip -
            //$ip = '192.168.11.0'; //COMMENT THIS LINE
            $ip_user = explode('.', $ip);
            echo " ";
            echo " ";
            echo "Conjuntos do ip do usuário";
            echo " ";
            echo "parte 1 = " . $ip_user[0];
            echo " ";
            echo "parte 2 = " . $ip_user[1];
            echo " ";
            echo "parte 3 = " . $ip_user[2];
            echo " ";
            echo " ";
            // NETWORK IPS
            $rede = array();
            $rede[10][0] = 'x';
            $rede[11][0] = 'y';
            $rede[20][0] = 'k';
            $rede[21][0] = 'w';
            $rede[22][0] = 'v';
            $rede[23][0] = 'm';
            echo " ";
            // check whether the user's subnet belongs to the IP they are logged in from
            if (@in_array($rede_user[1], $rede[$ip_user[2]])) {
                echo "O USUÁRIO PODE PASSAR ";
                echo "A sub rede " . $rede_user[1] . " pertence a rede " . $ip;
            } else {
                echo "PASSAGEM PROIBIDA ";
                echo "A sub rede " . $rede_user[1] . " NÃO pertence ao ip " . $ip;
                exit();
            }
        }
    }
    check_user();
    ?>
    ```
  • Password Truncated

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    S

    What version?

  • WLAN PROBLEM

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    N

    I've done it. Now everything works fine.

  • Captive portal on WAN interface

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    J

    Turn your pfSense server 180 degrees
    so that LAN gets to be WAN.
    Add a route on the LAN to 0.0.0.0 / 255.255.255.255 with the IP of your wireless router as gateway.

  • Allow anonymous for a time period but only allow one session per day

    Locked
    17
    0 Votes
    17 Posts
    13k Views
    M

    I can do that with no modification to the existing code…why did you feel you needed to create a mod?

  • Allow users to change their password online

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    R

    thanx

    ;)

  • Modify the logout popup window!

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    S

    It is not currently in a situation to be modified.  It is hard-coded into the PHP file.

    If you would like to get this option modified I would suggest emailing the m0n0wall list where Jonathon does most of the Captive Portal work.  We simply "borrow" from m0n0wall.

  • Freeradius attribute data?

    Locked
    10
    0 Votes
    10 Posts
    6k Views
    A

    I solved it now. I configured 2 network cards on the radius server, one with a static IP, one with DHCP. I thought of using the same server to test the CP function. It only worked after I deleted the 1st network card (DHCP). It seems that radius sends the reply but it goes out on the DHCP IP, so the CP firewall blocks it (or something like that).

    But now it is working. I can see the radius auth routine only checks for Accept-Reply (1st byte only) and not other attributes. I will try to compare or do some hacking so session-timeout can be used. Hopefully.

  • Captive portal and Reauthenticate don't work (RC2)

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    V

    Hi,

    I resolved this problem. I wrote a little perl script which checks if
    the account is activated and puts a Reject for it when crontab runs this
    script. Maybe someone else is thinking about this same problem, so
    I decided to put my answer here.

    crontab:
    0 0 * * * root /usr/bin/cpcheck.pl

    script: see attachment.

    Br,

    Ville

    cpcheck.pl.txt

  • Important Captive Portal changes for RC2

    Locked
    22
    0 Votes
    22 Posts
    12k Views
    S

    Okay, changes will be present in RC3.

    Thanks for testing.

  • Captive Portal and Load Balancer

    Locked
    6
    0 Votes
    6 Posts
    6k Views
    R

    Oops, I forgot: in 2 I enabled the load balancer and configured the gateway for the LAN rule to Balancer.

    Rodrigo Quilez
    São Paulo - Brasil

  • Allow subnets to ANY on Captive Portal

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    H

    Can you post that on the m0n0 list? The CP is more or less a rip-off of the m0n0 code. As CP is mainly developed at m0n0wall, this would break syncability between m0n0 and pfSense. We are trying to stay the same as m0n0 here.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.