@jimp Hi Jimp,

Thank You for the explanation. All I know is I am glad this is back to working transparently. This is ina production/school setting so very dynamic users as there are as many 'visitors' that were getting 'stuck' at the 'continue' button. You don't realize how many phone calls happen once this isnt working,even with the COVID-19 thing a school is like grand central station even in small town USA. Used to really enjoy figuring this kind of stuff out,,now,, i just like to do some clicks,,and it works. :)

Thanks again.

You can't.

To have FreeRadius use all the MySQL database tables, you have to modify /usr/local/etc/raddb/sites-enabled/default - and probably other files as well - which means you have to modify pfSense itself.
This means thorough FreeRadius knowledge and a good understanding about how pfSense makes the set up files.
If that was the case, you wouldn't ask question, you were just doing it.

Hi,

@pierrelyon said in Voucher creation for Dummies:

As any of you has faced that situation?

Yep. Half the planet was working from home last month.
These people are now aware that some activities can be done "from everywhere" ;)

You could write down the steps you do.
Try to enumerate what can go wrong - and what to do.
Use your phone for some serious stuff : film yourself doing it.
Then : meet up with the candidate that replaces you.
Tell him what a voucher code is - and be sure he actually understands it.
Show him how to make a voucher roll.
Let him always test one of the new vouchers himself before he thinks he's done.

Btw : you can prepare also yourself enough vouchers roles for a week, or even longer. Print them out, put a date or number per page and you're good.

I'll explain what happened using the old code :
Note : this part does not exist any more in the 2.4.5 version :

if (!empty($cpcfg['redirurl'])) {
$redirurl = $cpcfg['redirurl'];
} elseif (preg_match("/redirurl=(.*)/", $orig_request, $matches)) {
$redirurl = urldecode($matches[1]);
} elseif ($_REQUEST['redirurl']) {
$redirurl = $_REQUEST['redirurl'];
}

If "$cpcfg['redirurl']" exists, then set the rediction to that value.

You could have set "$cpcfg['redirurl']" like this :

4b39045a-fdbc-4a05-88a1-f1a315a0a6de-image.png

Else, if there was an original URL 'redirurl' paramter, it was stored in "$orig_request, and use that
Else, if the special PHP $_REQUEST exists, it's a PHP super global variable which is used to collect data after submitting an HTML form, with an item called 'redirurl', then that one is used.

So, before 2.4.5, when you set "After authentication Redirection URL" in the captive portal settings, browser get redirected to that URL, no matter what.

As of 2.4.5, things have been re ordered :

First this is looked up in the URL :

redirurl=(.*)

where .* (dot star) can be "any possible string", normally some ting like "http://www.msn.com" - if it exists, it has a (one) match, the match is used to set the redirurl, the variable to be used to redirect the browser.
( this is the same test above at step 2 - explained using others words)
If not, the $_REQUEST['redirurl'] is tested, and if present, used.
If not, finally, the $cpcfg['redirurl'] is used, the URL we had set up in our captive portal settings.

As you can see, it's all the same, but different order.

Which means that portal visitors are now not redirected any more to what we as pfSense admins decided. It's what the browser (user) wanted to visit initially what is being used now.
If that doesn't exist == unknown, the captive's portal admin's choice is used.

@ahmed20n8 said in Assigning Static Ip or Pool of Static Ip's using DHCP:

I have installed FreeRadius and tried assign static ip through that too but didn't worked

@free4 said in Assigning Static Ip or Pool of Static Ip's using DHCP:

Because DHCP process is made before connecting to the captive portal, it is not possible to assign specific IPs to users passing through the captive portal

Why not ?

.... but assigning a "DHCP Static Mappings" for the IP on the captive portal's DHCP server page is possible.
This way, the device will always obtain the same IP. That IP should be outside of the DHCP's server portal pool range.
I just tried it : it works. My device obtained the static DHCP lease == always the same IP.

I could now apply special "IP" conditional conditions with firewall rules .... didn't tied that.

Hi,

Could you ask this question to https://github.com/lirantal/daloradius/issues/ ?

The config.xml contains all the settings, of any configuration file on pfSense.
You have hundred pfSEnse installs in the field yet that very first strong point of pfSense is unknown to you ?

When you read :
Install pfSense 'from scratch', then import ONE congig file ans everything is setup, what do you make of that ?
It must be something like : from the config.xml file, all system config files are created. Right ?
Among them : (your own ) captive portal landing-login page.

If the uploaded file is the default one, you can get it right out of your browser : just look at the html .....
Every browser has a page inspection facility.
Still, you need to look up "in the manual" what actually in that file, because some are variables, put in place "on the fly" when the page is send to the visitor.

Or use :

29ebbd82-92bc-4f0b-9c6b-a2b8c41f5026-image.png

and then uses this info :

053a9fec-6259-478b-a406-bfa4e5779a17-image.png

to complete the minimal framework to get to a usable login page.

That's all there is.

So, no need to look and de-base64 parts of the config.xml.
It would work, that's for sure.

The final work flow will be :

You make your page - start with the default one (see below). Import it using the GUI. Test, if no-go, goto 1) Done.

Where step 4) might as well be the most difficult one ;)

@Zaqen said in Captif configuration:

and authenticating server is on WAN.
(is just an simple LDAP server). How i do configuration ?

That's not simple.
Btw : there are LDAP posts on the forum - so your first mission would be : find the pfSense Captive portal forum ....

Using the portal on a dedicated OPT interface= that's good.
Use of the official Netgate official captive portal video's to make it work, using basic local authentication.
There are even some LDAP video's out there.
And the pfSense manual ....

Hi,

For users connected to the switch, It is very possible to apply firewall rules to connected captive portal users (or to IP addresses not going through the CP because listed as "pass"). No specific thing to say here...I mean In order to do that you just to set up the firewall rules on the LAN interface, and to setup the captive portal on the same LAN interface

For users connected to the wifi.... I don't really know much about wifi mesh/adhoc mode... So i can't really guide you for this (sorry)

@Gertjan

Hey man,

thanks for your infos and quick reply, I checked it out and the portal page is there.

Based on the fact Gwifi AP "is" a down stream router (where everything is natted) i yesterday tried adding the device in "Allowed IP addresses" tab, without any success.

So it seems Google Wifi AP change this general behaviour, taking control over connection (I know it is a closed system for the most).

Then, if there are not any way to force redirection to portal page with my configuration, i would rely to a common AP in a new vlan.

Thank you

See https://redmine.pfsense.org/issues/9933

@free4
Which tools did you have in mind? I used the DNS Lookup diagnostic tool (built into PFsense). It looks as thought DNS lookups are taking place within an acceptable amount of time.

Screen Shot 2020-05-15 at 4.12.05 PM.png

Granted, this one test does not reflect the multitude of variables that might have effected the firewall, at the time I was experiencing the redirection lag.

Well, what about comparing ?

Like : export the two config.xml files, open them with a text editor like Notepad++, search for <captiveportal> and start checking ?

edit : Wait : yoiu can export captive portal only settings ... makes things even easier.

Also : take the device that works on pfSense Portal A, and bring it to B.

Or : import settings from pfSense A to B.

Well, update as it is. Ended up doing some testing with a fresh install and found the portal appears to open several sockets regardless of the interfaces even from base, so seeing that on the status was a bit of a red herring. The behavior though somehow still showed the others affected, however...

After reloading the existing config it no longer was binding to all the ports, until the portal stopped capturing again (still showed as running though), re-starting the config brought the multiple interface issue back. Interesting note that I'll have to keep testing though, Specifically attaching it to another interface, saving, then removing the second interface and save again and it behaves as expected.

I would consider using the portal on my APs, but they have no option for a allow-by-mac as the onboard one does which is very handy for things like the work laptop that I don't want on net, but don't particularly want to auth all the time either.

Whelp, nobody ever said having a fancy lab would be easy. Will keep poking at it and update in the rare chance that someone else runs into something similar later on. Might have to finally get more friendly with BSD as a system itself. 🤷

A few ways to go about it, but I've used some similar tricks internally to send imap/smtp traffic for a mail server directly to it, but calls to a webmail portal get passed over haproxy for a ssl frontend.

Even without squid you could say Allow sources > any over select ports, then sources > any 80/443 NAT port-forward redirect to <internal web page with info here>, then drop all others.

@Bashlory said in Requesting Assistance with Certificates:

It appears to successfully block access for OS X and Windows

Appears ? It does, or doesn't.

@Bashlory said in Requesting Assistance with Certificates:

OS X and Window

These are cables up - using RJ45 etc, or wifi connected (using the AP) ?

@Bashlory said in Requesting Assistance with Certificates:

while mobile devices can bypass without issues

Known issue. The AP should be in AP mode. It's firewall/router/DHCP/DNS facilities should be stopped. The AP must become a bridge that bridged radio signals to electrical (wire) signals. Nothing more.
Yours is probably still routing. That creates a situation where things seem top work, but soooo broken.

"And as already mentioned : disable MAC filtering on the OpenVPN Captive portal instance."

It may be adding another layer of complexity, but there is an option within the OVPN service to use 'tap' mode which operates at L2 of the stack, so it may still be possible to use the MAC filtering with that. Or it could just break the entire setup all together, might be worth looking into though in order to add some measure of source validation even if masking a MAC is a trivial thing. For that matter on recent android builds, it's even automatically does so when logging into an unsecured WiFi net.

@starnix It could be any number of reasons, if the device has something like virtualbox, a VPN client, or any other reason to have a virtual-nic it would show up as a second device. The trick to sort out is which interface is actually connecting to the network and does it have a suitable route to get there.

You mention doing the tests via a virtual machine, if you mean on desktop virtualization like VirtualBox then one thing that could easily go wrong is that the virtual client device is configured for NAT mode rather than 'bridged'. If it's in NAT mode, then the captive portal would actually see the connection coming from the host device rather than the client. The problem there is that the client device only knows that its 'gateway' (the host) didn't respond to a web request, so it treats it as a 503 timeout rather than expecting a captive portal page.

Check to see if it's on nat or bridge mode and switch to bridge if needed, then try again and let's see what happens.