  • How should I set the portal for the other subnet

    0 Votes | 5 Posts | 3k Views
    Gertjan
    @1013215273 Look again at the captive portal settings. There are no IPv4 addresses to be set. You have to select an interface, like LAN, or, as I have, PORTAL (which was originally OPT1). How, where and why do you want to set "172.16.69.x"? What are you trying to achieve?
  • Captive portal only works on mobile or Chromebook not yet logged in

    0 Votes | 5 Posts | 4k Views
    Gertjan
    @stompro said in Captive portal only works on mobile or Chromebook not yet logged in: It seems like the GoGuardian extension might be trying to check the captive portal page to see if it is in their filter... but since the captive portal blocks the https connection it tries to make, the extension doesn't allow the page to render. In my case there must be a 5 minute timeout for goguardian to check a url because the captive portal page will load after about 5 minutes. It looks like that application was created for a world where there are no captive portals. Ok, why not. Use the app, and then don't bring your device to public networks, McDonald's, planes, trains, etc. Just use it 'at home' and you'll be fine. On the other hand, every OS created since ... not sure, 2012? is captive portal aware. Connect any phone, pad, PC, whatever over a cable (!) or wifi connection and you'll see that right after DHCP did its work, the PC got a lease and knows what network it is in, it sends out an http (not https!) request. Example: Apple devices use this request: http://captive.apple.com/hotspot-detect.html - click on it and you'll see what happens. If the reply to the http request wasn't 'Success', then the device knows it doesn't have a direct Internet connection and a portal is presumed. A browser will open, the same request will be repeated in that browser and the actual answer back will be ... the portal login page. Using an app that does 'DNS' requests from the start, and blocks/locks up if it can't do them, is .... well, then you can't use that if there is a portal. On the other hand, some devices are not meant to be used behind a captive portal. A portal is there for the 'public' that wants to use an Internet connection, and doesn't want to use their own 3G/4G/5G device capabilities (or because it doesn't have a sim card, etc).
  • Captive portal with FreeRadius joined with Google Workspace

    0 Votes | 2 Posts | 3k Views
    E
    @leonida368 said in Captive portal with FreeRadius joined with Google Workspace: Can you give me some advice on how to do this configuration? There are a lot of variables there: version of pfSense or Plus, duration of power outage, etc. Basically, all versions of pfSense support the "Preserve Connected Users across Reboot" option, so if you don't have that checked off under Services, Captive Portal, then select the portal itself. [image: 1743154539280-526aaae2-7ec0-46c9-accb-b4f89ee5ae33-image.png] There is also the duration of the lease and settings for idle and hard timeouts: [image: 1743154595417-60091acf-a826-4df5-aa4b-13a21b1431d1-image.png] If you are following the DHCP instructions, your hard timeout will be less than the lease duration, but many users of ISC DHCP do not respect that requirement, as it allocates the oldest IP next, so, depending upon the number of different connections vs. the size of the lease pool, the IP may remain available for reassignment to the same MAC address for days, weeks or even months. This fact lets the DHCP lease expire, and when the device returns with the same MAC address, it will get the same IP; thus the fact that you set the hard timeout in CP longer than the lease duration is not a problem, as when the device returns, it gets the same IP and is still authenticated. In the Kea DHCP server, the duration of lease retention for assignment to the same MAC address is very short, a second or so. In order to address this concern, they support "lease affinity", but just as you mentioned for the default CP authentications, it is lost on a reboot. There is a ticket to change that, but it is well into the future. Redmine 15854 and Redmine 15934 may interest you in regard to this.
  • Downloading the pfSense appliance

    0 Votes | 5 Posts | 3k Views
    fireodo
    @kamu said in Downloading the pfSense appliance: I don't know if it's a region problem. Try this: https://atxfiles.netgate.com/mirror/downloads/ The ISO must match your device (serial or vga).
  • Unable to run even basic PHP code on form submission

    0 Votes | 11 Posts | 4k Views
    L
    After much digging into /usr/local/captiveportal/index.php and /etc/inc/captiveportal.inc, I was able to figure out the logic behind the Captive portal itself and successfully created a custom PHP login page. Now I can collect guests' info (with their permission, of course) and store it in Google Spreadsheets. @Gertjan, thank you very much for the help; now I just need to solve the legal and design problems with this page :)
  • Multiple login limits for captive portal voucher system

    0 Votes | 21 Posts | 2k Views
    D
    @Gertjan Yes, I am using interim and also tested it with stop/start. I do not have the logs for the diagnostic mode, but the outputs were as follows: the concurrent connection limit was set to 1; Radius was aware that user4 was connected 4 times, as the radius itself would show me the connections; it would always allow requests; stop was only sent if the credentials were incorrect. Again, I am not sure if this helps, but I was not using SQL. Instead the flatfile radutmp (I think that is what it's called) was being used, so perhaps that's why it wasn't being enforced properly. [image: 1742486160688-7f3ea3d8-fccf-4d74-9205-129c61b22831-image.png] It says to read the documentation, but where..? I went through it and only found this; the yellow box I think is referring to the captive portal configuration "first, last, multiple, disabled", so it's implying it to be multiple. [image: 1742486372492-ee7d1a63-2655-40b3-a426-681527e10bc9-image.png] Source: https://docs.netgate.com/pfsense/en/latest/usermanager/index.html
  • Captive Portal Bandwidth-Max-Up Down Radius

    0 Votes | 9 Posts | 4k Views
    D
    @Gertjan Agreed, perhaps I'll change my approach and perspective. I shouldn't be punishing the 9 people for one bad player; I can just limit those abusers by IP if I must and have a talk with them about their abuse. I am really starting to learn that network administration is really simple to talk about ("oh, I'll do this and that"), but implementation is a whole other game. We've been too spoiled with the "one-click" culture.
  • Feature #15321 shows how to use Option 114 in Kea

    1 Votes | 9 Posts | 5k Views
    Gertjan
    @EDaleH Installed "25.03-BETA (amd64)" (25.03.b.20250204.0023) - Updated the latest 'kea options' patch as mentioned in this thread: all is ok.
  • Limit Simultaneous Connections using freeRADIUS3 and captive portal

    0 Votes | 17 Posts | 10k Views
    D
    Hi @AYSMAN Did you happen to find the solution to this by any chance? I am stumped as well after spending weeks on this... I know my accounting is working fine since it's all logged, but FreeRadius will not stop the connection after the limit is reached. I've set it up identical to the OP except my IP is on 127.0.0.1 and listening ports *. Also added Simultaneous-Connection := 1 to the user profile, which didn't appear to do anything.
  • Updating pfSense to Plus also didn't resolve the issue

    0 Votes | 1 Posts | 1k Views
    No one has replied
  • Captive portal with sponsorship approval

    0 Votes | 3 Posts | 3k Views
    E
    @scifoflux said in Captive portal with sponsorship approval: Is this possible? You are effectively looking for a "validating parking" application. If the employee has to give them their email address, why not have the employee at the same time also send an access code good for a fixed amount of time. That access code could be a voucher, or you could create a multiuser account and use the employee email address (before the @) as the login. If you still want to send the email, you could look at something like the phpmailer application. I do agree with Gertjan though, keep it simple. Why can't the receptionist just hand them the "info"? It could be the wifi password, and you could use unauthenticated access, just an "accept the terms" button. For that matter, the employee could email them that password in advance. You could change the password every Monday if you need greater security. Depending upon the number of employees, you could even set up a portal (on a separate VLAN) for each employee if your WiFi router supports a sufficient number of station IDs/VLANs. OpenWrt on the WiFi router could get that done. Good luck.
  • PHP Fatal error: Uncaught TypeError in /etc/inc/captiveportal.inc

    0 Votes | 5 Posts | 3k Views
    Gertjan
    @GeorgeCZ58 said in PHP Fatal error: Uncaught TypeError in /etc/inc/captiveportal.inc: Can somebody explain why that happen? Are you sure? A portal user entered (with the keyboard) the URL manually, and forgot to add a mandatory parameter. He/she was using a URL like https://your-portal.your-hostname.tld:8003/ which would work, as /index.php would be tried by the browser. Or https://your-portal.your-hostname.tld:8003/index.php Better, but it will fail, as https://your-portal.your-hostname.tld:8003/index.php?zone=CPZONE1 The zone parameter has to be present, with a valid ID, so 'pfSense' knows what portal instance is accessed. A valid ID is this: [image: 1738676919067-efdc8fa7-cefc-4e7b-a920-6d332d9ff8fd-image.png] Without it, the PHP error triggers. The thing is, the fact that it is wrong or absent is detected. The portal user will receive an html page telling them that an error happened. But to make this html page, the zone parameter is used, ..... and it was not there. => bug. Again, normally, this can't happen. Nobody has to or should type in manually the rather cryptic login URL ......
  • Does FreeRadius allow voucher creation?

    0 Votes | 3 Posts | 3k Views
    D
    @Gertjan said in Does FreeRadius allow voucher creation?: activate vouchers in pfSense, you can see a third line showing up on the captive portal login p Thank you @Gertjan, at first this went a little over my head, but your solution is genius. It is all about perspective: essentially hard-coding the password into the code and renaming the field name from user to voucher. This is a great approach. I am going to think about this a little more to fine-tune it further. To give you some insight, I am essentially operating a coworking space with about 250 users. Ideally, I would like to give each user their own unique credentials, which I would like to expire and only be renewed once I receive the subsequent month's payment. Users are restricted to two devices (hence Radius), but it seems like a hassle having to manually update their expirations. I thought perhaps I could mass print my vouchers in advance and distribute them as soon as payment is received. However, vouchers are not expired by date, rather by time, and do not allow machine limitations. Back to the drawing board.... seems like I'll have to take the bullet for this administration task.
  • Captive portal/interface stops working under certain conditions

    0 Votes | 2 Posts | 3k Views
    G
    @Neverstopdreaming too bad no one ever answered. I'm having the same problem, and it started after I configured CARP HA. After entering the CP settings and saving without making any changes, it starts working again, like you said. Logs after doing this show a check_reload_status activity followed by a minicron "(/etc/rc.prunecaptiveportal) terminated by signal 15 (Terminated)" message; that is what actually gets it back to working.
  • Help Needed: Crash Report Issue in Captive Portal

    0 Votes | 4 Posts | 615 Views
    E
    @Gertjan I read the thread from @DanieleIT. I saw a new version at the bottom. Everything works properly now with voucher-template-printer-2.6.0. Thank you for your help.
  • Different rate limits based on login ?

    0 Votes | 43 Posts | 5k Views
    E
    @Swicago said in Different rate limits based on login ?: I hope my voucher and radius mods will be able to help others as well. I am sure the working application will help numerous developers, as the concept alone is powerful for freeRadius users that wish to "manage" Captive Portal attributes that aren't exposed by the standard installation. iOS, i.e. Apple, created DHCP 114 and it is now mature enough that it is seeing widespread use. See what you can do with the vendor URL in addition to just logging out.
  • FreeRadius: Something reduces the value in octet file (used)

    0 Votes | 7 Posts | 4k Views
    J
    @EDaleH said in FreeRadius: Something reduces the value in octet file (used): @jarlel said in FreeRadius: Something reduces the value in octet file (used): Once or twice every day/night something is randomly reducing the value I thought I would clarify one point even though implementing the reply above should have corrected it. I realized the explanation as to why I believe you see "reduced values" in the used-octets file may not have been clarified. Thanks for the detailed explanation :-) We are and have been running "interim" for accounting updates. It seems that enabling "Idle timeout" solved it; then it will force an update that updates the octet file and closes the session file. Maybe we also should change it to "Stop/Start (FreeRADIUS)" as you suggest above?
  • How to use the pfsense name instead of the IP address in http?

    0 Votes | 25 Posts | 7k Views
    V
    @Gertjan said in How to use the pfsense name instead of the IP address in http?: Well ok, not an issue for me, and it will be their problem. It's fine that they block their device's incoming connections, I get that. But when they also start limiting to port X and port Y, but not port Z, that has nothing to do with security, that's just an overdose of Toctic. I don't agree that this is their problem. CP is running on a different port that is not designated for http(s) traffic. Ports 8002/8003 are used for different purposes, e.g. port 8002 is used by Teradata ORDBMS and port 8003 by M'sft SCCM. Blocking these outgoing ports IS better for security. This way a user is not able to (accidentally) connect to a service on an unknown network. Not blocking this traffic could potentially lead to an information leak (depending on the services), especially services that can be configured through DHCP or other autoconfig services. I do get your point that this is somewhat ridiculous, as a device always needs to allocate high dynamic ports to connect to other servers anyway. But security-wise it is (a little) better to block these requests by default. I have a brand new PC with a clean installation of Windows 11. It was not able to connect to port 8002/8003, as it was blocked by the Windows Firewall by default! I think this block happened because I had chosen "untrusted network" when connected for the very first time (= do not share device on the network). In this instance I do have control over this local firewall. @Gertjan said in How to use the pfsense name instead of the IP address in http?: When visiting a site, any site, it will be a https site. As there are no more http sites left to visit. Browser will even warn if a site is http only. The https certificate only works for my CP domain (of course). I have disabled the interception of https traffic. Yes, you are correct that most browsers will not use http in favor of https, especially on websites using HSTS, which enforces https for a certain period on that domain. This is not an issue. When a Windows, Android or iOS device connects to a network, the device will always start a normal http request in the background. A message or notification is shown to the user when it receives a redirect to a CP page. This is sufficient. There is no need to show invalid https certificates when browsing other public domains. The renewal of LE certificates works. However, the CP process does need a restart after the renewal in order for nginx to pick up the new certificate. No big deal. This can be configured on cert renewal. @Gertjan said in How to use the pfsense name instead of the IP address in http?: Beware that the pfSense GUI nginx listens to ALL interfaces, and that includes even WAN. You've shown it yourself: My PF GUI is not exposed to my WAN interfaces. However, nginx does listen on all interfaces. This traffic is blocked on my WAN interfaces (main and failover WAN). @Gertjan said in How to use the pfsense name instead of the IP address in http?: It's not defined what happens when multiple instances of the same process are listening to the same interface, port and protocol. This is defined in the nginx doc, more specifically: nginx first tests the IP address and port of the request against the listen directives of the server blocks. It then tests the "Host" header field of the request against the server_name entries of the server blocks that matched the IP address and port. If the server name is not found, the request will be processed by the default server. The listen directive with an explicit IP will take precedence over the wildcard directive. So in this case the PF GUI will be shown when the CP process is stopped. However, the red PF page will be shown on the CP domain because the hostname is invalid. But you can access the PF GUI when entering the right domain / hostname, as it will be listening on that interface.
    Example: PF GUI domain: router.somedomain.com; CP GUI domain: guests.somedomain.com
    When the CP process is active: browsing to router.somedomain.com will redirect and serve the CP GUI; browsing to guests.somedomain.com will serve the CP GUI.
    When the CP process is inactive: browsing to router.somedomain.com will serve the PF GUI (with login option); browsing to guests.somedomain.com will serve the PF error page (invalid hostname).
    In other words: this setup could expose the PF GUI on the Guest interface when something bad happens with the CP process. This could result in a security issue. I just wanted to point out that I'm aware of this.
  • External Captive Portal. Is it actually possible?

    0 Votes | 2 Posts | 3k Views
    Gertjan
    @rt050 said in External Captive Portal. Is it actually possible?: but I'm almost sure it's because the symlinks are wrong. When you upload these files: [image: 1735552023999-1912b189-e60d-4477-9fb6-8feccf8517aa-image.png] 2style.css, custom.css, mac-block.html etc., you can use them with the names captiveportal-2style.css etc. [image: 1735552157725-67c4e090-d618-4249-9c4c-255861c32807-image.png] @rt050 said in External Captive Portal. Is it actually possible?: nor can I get a database connection What database? MySQL? In the good old days, the PHP MYSQL extension could be installed easily. These days, when you install the FreeRadius pfSense package, you'll get the PHP MYSQL extension also. No need to actually use FreeRadius. @rt050 said in External Captive Portal. Is it actually possible?: the page where the user then clicks connect and lives happily ever after. Do they? Already years ago, it was nearly "impossible" to ask for people's mail address so they would gain access to my hotel portal. They wouldn't fall for it back then, and now even less. These days, here in Europe, collecting private info is 'not done', as you need to deal with all kinds of administrative barriers to be able to store things like email addresses. It's just too much of a hassle.
  • Captive Portal not working on iOS devices only (DHCP 114)

    0 Votes | 94 Posts | 26k Views
    E
    @Gertjan said in Captive Portal not working on iOS devices only (DHCP 114): Anyway, I've edited services.inc : I assume you are now aware of the fact that Kea's affinity memfile does not survive a reboot and will lose expired leases that still have affinity "protection". Netgate has raised Redmine #15934 to attempt to address this and other lease expiry concerns, but so has the Kea development team. See the link in the Redmine. The Kea development team have scheduled this for possible correction in V 3.0, which is slated for an April 2025 release. There is no certainty that they will include it. Until Kea supports affinity surviving a reboot, using Kea with Captive Portal is very risky, as a reboot will likely scramble the IP/MAC assignments unless the devices reconnect in the exact same order. We will have to use ISC until then, religiously have idle timeouts less than lease duration (and the frequent re-logins that implies), or incorporate a MAC Captive Portal authorization scheme like that proposed in Redmines 15854 or 15904. This suggests that we are unlikely to have a built-in solution for Captive Portal ISC-equivalent support under Kea at the next Plus release (25.03?) or until Netgate incorporates Kea 3.0 into the pfSense Plus and CE releases.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.