Your customizing, right ?

Use https://pfsense.yourlan.tld/system_usermanager.php as an example.

Normally, when you use a page like "https://pfsense.yourlan.tld/system_usermanager.php" you should be logged in.
But, as you create your won "user edit" page, you could throw away that need. Just borrow (copy) the code you need to update the user's settings - the 'saving part is happening after the line that says :

if ($_POST['save'] && !$read_only) {

Something like : have to look up the user ID first, and if it exists, compare the old password with what the user entered (first "old" password box) and if there is a match, update the user's password with what he entered in the "new" password second box.
This way, you allow only known users to change their own password.

It's solved! I noticed that some columns were missing from the radacct table. I copied a new MySQL schema radacct table and it already works.

@argilla

How do the portal user login ?
=> to log in, user have to be collected. To do this, users are redirected to the portal's web server, so a login page shows up. These credntials are posted against the portal server, who sends it to the Radius server for checking.
When the user is authorized, a firewall rule make the users device (IP and MAC) totally transparent.
This means it's not 'easy' for a user to get back to the login page of the portal at this moment.
Question : does the portal user actually logged in multiple times ?

Years ago, I detected in the "radacct" Freeradius table entries that seem be be abandone, there as a start time, but no interval updates neither a stop time.
A newer entry for the same logged in user existed.
This might be what you are seeing now.

I created this :
ac259eab-4b33-4908-89b0-d75c88395040-image.png

<?php try { $link = new PDO('mysql:host=radius.local.net;port=3307;dbname=radius', 'radius', 'verysecretpassword'); // Check connection if($link === false) { die("ERROR: Could not connect."); } // Attempt delete query execution $sql = "DELETE FROM `radacct` WHERE `acctstoptime` IS NULL and `acctstarttime` < (NOW() - INTERVAL 610 MINUTE)"; $stmt = $link->prepare($sql); $stmt->execute(); unset($stmt); } catch (PDOException $e) { print "Error!: " . $e->getMessage() . "<br/>"; die(); } ?>

When there are entries with an empty STOP time "acctstoptime" and a acctstarttime that more then 610 minutes in the past, that entry gets deleted.
Now, these 'stray' entries get removed.
I has no more issues.
Actually, don't recall what the issue really was.
(I should stop this cron task, see what happens)

pfSense shows the correct number f logged in users ?

edit :
Can you 'debug' the radius process , like the FreeRadius3 package of pfSense ?

You have to stop the radius process, and then launch it by hand :

radius -X

@moelharrak said in Create vouchers with specific Download/Upload:

erent Bandwidth or the Download/Upload are inherent from captive portal configuration?
and what is the best solution to create an account that can be used by many devices ( seminar for example) but also can specify the Bandwidth ?

Hi,

The best solution is to use a radius server (such as FreeRadius).
FreeRadius is an authentication server. It takes some user lists as input (eg : an SQL database, a plain text file, etc...) and provide "access granted"/"access denied" messages as output.

FreeRadius can indicate some settings to pfSense when responding "access granted" ("Access-Accept") for one user.

Session-Timeout (a per-user hard timeout) pfSense-Max-Total-Octets (a per-user max allowed traffic) pfSense-Bandwidth-Max-Up (a per-user upload speed) and pfSense-Bandwidth-Max-Down (a per-user download speed)

You will find more info on the documentation i guess.

@decipher2099 hi,

It's not supported.

You could play around with ipfw commands (the technology used by the captive portal to allow/block users) but you will face a lot of issues (such as your MACs not being displayed in the GUI, being wiped at each captive portal change, etc).

If this feature ever existed, it would not be implemented in shell...but using an HTTP API

Netgate had plans to implement an API for pfsense....then dropped it. More info here : https://www.netgate.com/blog/more-on-aes-ni.html

@gertjan: That’s why I have turned off the router functionality, except for the router being able to report to the Linksys cloud servers for remote management. I have turned off DHCP on the Linksys AP and instead have turned on DHCP on the SG-1100’s OPT port. All Wi-Fi clients thus bypass the router functionality of the Velop system.

@lens said in Log guest users traffic internal IP and destination IP:

I just need to be able to prove that a certain request at a certain time was not from myself the owner.

Another solution might be : route all the traffic from the captive portal's interface over a VPN.
At least, use the LAN for yourself, and some OPTx interface for the captive portal.

Btw : i'm using the captive portal for a hotel, in France. I've abandoned years ago any form of 'extra' logging. Even the MAC addresses that are recorded are fake ones, created just for our captive portal's Wifi (at least, iOS is doing so be default).
What exists today : some IP - my WAN IP, hits some questionable IP address. Traffic content will be complete unknown as it is all TLS these days.
Never had a message from HADOPI (except the day the night auditor decided to use our connection to download some Disney movies ...)

These these I have the users share my single Orange VDSL "24 Mbits.sec" connection (the fibre is coming soon).

Also : pfBlockerNG with some feeds that lists famous download peers will help you.

The bandwidth monitoring can also show suspected 'full scale' downloads :

3ed6ae49-68a4-44c4-94aa-f1fe1792117d-image.png

= 4 years of stats.

Keep in mind taht even 'Windows' uses P2P to download the winter edition of windows 10 ^^

I'm able to change the PHP part of the captive portal, to make little changes and, most often, test different possibilities.

Writing something up that I'm not going to use myself (means : less testing) is not a good plan.

Btw : I already have a full time job - and I do not have spare pfSense systems to 'play with'.

You should try here.

It has to be created first.

See the "Bounties" section of the forum.

@ciidfrance said in Wrong captive portal login page redirection:

And add https://www.google.com url redirection after login but no redirection appear after login

pfSense 2.5.0 - right ??

Strange, as I'm using :

39524145-18fd-4bc4-aabc-b01a48a406e1-image.png

for years now.

It works ™

Btw : you uploaded your own "captive portal login page" ?
If so, what happens when you use the default, build in page ?

edit : oops.
I'm not using the build in User manager, but FreeRadius to identify users.
Using the local user manager, I'm not seeing "You are connected".
But "Succes".

Because (the logs tells a lot : Status > System Logs > System > GUI Service) I'm using a iPhone, and when connected to a Wifi network, it (the iPhone OS) throws out a test request over http (not https) to : http://captive.apple.com/hotspot-detect.htm

192.168.2.102 - - [10/Mar/2021:09:06:55 +0100] "POST /index.php?zone=cpzone1 HTTP/2.0" 302 0 "https://portal.local.net:8003/index.php?zone=cpzone1&redirurl=http%3A%2F%2Fcaptive.apple.com%2Fhotspot-detect.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 14_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148"

I'll inspect this situation somewhat later on.

It does remind me of an identical issue that happens a year (or so ,) ago.
You'll find references - and a possible solution for it - in the forum.

edit :

The message

You are connected.

Is shown when, according the code :

/* If client try to access captive portal page while already connected, but no custom logout page does exist and logout popup is disabled */

edit 2 :

At this line :
https://github.com/pfsense/pfsense/blob/0d8a927099acaa50479c2616265541bdeb6c27a9/src/usr/local/captiveportal/index.php#L110

Line 110 :
Paste this :

if (!empty($cpcfg['redirurl'])) { /* 2021-03-11 https://forum.netgate.com/topic/161673/wrong-captive-portal-login-page-redirection/10 According the GUI : "After authentication Redirection URL - Set a forced redirection URL. Clients will be redirected to this URL instead of the one they initially tried to access after they've authenticated. */ log_error("Zone: {$cpzone} - Captive portal : redirurl = {$orig_request}"); $redirurl = $cpcfg['redirurl']; }

It's a workaround.

The test is taken just a couple of lines above.
It's the third one that assigns the $redirurl in the GUI.
But if your browser was using a 'test http request' to detect the portal, it's this one that takes precedence : the second test - and that one nearly always 'wins'.
At least, for the Apple family, it does.
Sorry, can get my hand s on a samsung

@jangchu-dorji said in Fatal error: Uncaught Error: Class 'mysqli' not found:

What could be probable error

You said it yourself :

Class 'mysqli' not found

This = /var/etc/captiveportal_jan.htm is a working copy of your own uploaded captive portal page.
It is asking (wants to include include) PHP MySQL support - client or server, and it wasn't found.

From what I remember, you've been patching your pfSense way back in the past. And or added other FreeBSD packages like MySQL client or server support.
Upgrading normally undoes that patching.
That brings a dilemma :
Yo have to redo the patching, but this time the files that need to be modified are different, their content did change over time.

Or remove the uploaded captive portal page, and use another one, like the default page.

Where did you get your patch from ?
Ones you start to patch, you need to maintain it yourself so it works with future pfSense version.

@youzersef said in captive portal url:

The problem for https that i need ssl certificat. "LetsEncypt" for exampel need renew every 3 months and i can not do

The acme package will renew the cert for you - you have nothing to do.

@youzersef said in captive portal url:

and also i can not leave the port 80

And you're right. And you don't have to open nothing. There are far better ways.
You'll be needing a domain name. That will not be free. Something like 5 $ a year ?
But, take the time to chose the right registrar. One that is supported by acme : see here for all the details.

@youzersef said in captive portal url:

Or i need payment ssl but the ....

In that case you need a domain name first.
And you have to buy the cert every year or so == always more expensive.

@youzersef said in captive portal url:

the most of customers do not want pay regularly.

That's different, but I guess these people are not what I would call customers.
The easy way : don't work for these people.
most of customers do not want pay regularly.

@gertjan
Thank you for kind suggestion it had hlep me so much.For now i have intsalled fresh pfsense and upgraded.After that we worked.

Thank you Gertan

Hello @Gertjan
Yes, you're right. Thank you for your support.

@gertjan

Yeah! you're right and thank you!

@serlogo53
After more then 6 years, pfSense still doesn't have a API or 'cli' access to all it's settings.
pfSense is web based.

It can be done, of course, as the GUI is after all just good old plain PHP.

If you are using and can work with FreeRadius : https://wiki.freeradius.org/guide/mac-auth#plain-mac-auth

But ..... check out /usr/local/etc/raddb/sites-enabled/default, line 24 :

##### AUTHORIZE FOR PLAIN MAC-AUTH IS DISABLED #####

which means you have to modify the FreeRadius pfSense packet source files yourself .....

Update on this.

I already found the "ipfw.ko" kernel module. It's not loaded that is why Captive Portal Per User Limit is Not Working.
I tried loading it manually from the terminal. And guess what, my box went down. I had no choice but to fresh install then restore backup config.

Its restored now. Also the Per User Bandwidth Limit is now working.

@gertjan said in Need some clarifications for Concurrent User Logins:

@1ntr0v3rt3ch said in Need some clarifications for Concurrent User Logins:

If User A turn off his/her wifi, how many minutes does it take to completely logout?

Whatever comes first :

b2bff013-8ba0-43c6-a26d-b24a9d7cb556-image.png

thank you for this settings sir!

@free4 Thanks for the response. The reason I ask is that even having the members in the right group, no one could authenticate until I disabled "Local Privileges Option". Maybe it's not a big deal since it is working.

Maybe "Local Privileges" refers to local pfSense box login?