• mass modification captive-portal file (ansible)

    6
    0 Votes
    6 Posts
    365 Views
    GertjanG

    The config.xml contains all the settings of any configuration file on pfSense.
    You have a hundred pfSense installs in the field, yet that very first strong point of pfSense is unknown to you?

    When you read:
    Install pfSense 'from scratch', then import ONE config file and everything is set up. What do you make of that?
    It must be something like: from the config.xml file, all system config files are created. Right?
    Among them: (your own) captive portal landing/login page.

    If the uploaded file is the default one, you can get it right out of your browser: just look at the html .....
    Every browser has a page inspection facility.
    Still, you need to look up "in the manual" what is actually in that file, because some parts are variables, put in place "on the fly" when the page is sent to the visitor.

    Or use:

    [screenshot]

    and then use this info:

    [screenshot]

    to complete the minimal framework to get to a usable login page.

    That's all there is.

    So, no need to look and de-base64 parts of the config.xml.
    It would work, that's for sure.

    The final work flow will be:

    1) You make your page - start with the default one (see below).
    2) Import it using the GUI.
    3) Test; if no-go, goto 1)
    4) Done.

    Where step 4) might as well be the most difficult one ;)

  • Captif configuration

    Moved
    2
    0 Votes
    2 Posts
    376 Views
    GertjanG

    @Zaqen said in Captif configuration:

    and the authenticating server is on WAN.
    (It is just a simple LDAP server). How do I do the configuration?

    That's not simple.
    Btw: there are LDAP posts on the forum - so your first mission would be: find the pfSense Captive Portal forum ....

    Using the portal on a dedicated OPT interface: that's good.
    Use the official Netgate captive portal videos to make it work, using basic local authentication.
    There are even some LDAP videos out there.
    And the pfSense manual ....

  • Firewall rules for Captive Portal

    2
    0 Votes
    2 Posts
    409 Views
    F

    Hi,

    For users connected to the switch, it is very possible to apply firewall rules to connected captive portal users (or to IP addresses not going through the CP because they are listed as "pass"). No specific thing to say here... I mean, in order to do that you just have to set up the firewall rules on the LAN interface, and set up the captive portal on the same LAN interface.

    For users connected to the wifi.... I don't really know much about wifi mesh/adhoc mode... So I can't really guide you on this (sorry).

  • Google Wifi and Captive Portal

    3
    0 Votes
    3 Posts
    1k Views
    N

    @Gertjan

    Hey man,

    thanks for your info and quick reply, I checked it out and the portal page is there.

    Based on the fact that the Gwifi AP "is" a downstream router (where everything is NATed), I yesterday tried adding the device in the "Allowed IP addresses" tab, without any success.

    So it seems the Google Wifi AP changes this general behaviour, taking control over the connection (I know it is a closed system for the most part).

    Then, if there is no way to force redirection to the portal page with my configuration, I would rely on a common AP in a new VLAN.

    Thank you

  • 0 Votes
    6 Posts
    877 Views
    viktor_gV

    See https://redmine.pfsense.org/issues/9933

  • Change Redirect Interval

    3
    0 Votes
    3 Posts
    318 Views
    A

    @free4
    Which tools did you have in mind? I used the DNS Lookup diagnostic tool (built into pfSense). It looks as though DNS lookups are taking place within an acceptable amount of time.

    [screenshot]

    Granted, this one test does not reflect the multitude of variables that might have affected the firewall at the time I was experiencing the redirection lag.

  • Captive Portal + freeRADIUS Monthly Quota

    1
    0 Votes
    1 Posts
    141 Views
    No one has replied
  • Bug in captive portal with browsers?

    8
    0 Votes
    8 Posts
    764 Views
    GertjanG

    Well, what about comparing?

    Like: export the two config.xml files, open them with a text editor like Notepad++, search for <captiveportal> and start checking?

    edit: Wait: you can export captive portal only settings ... makes things even easier.

    Also : take the device that works on pfSense Portal A, and bring it to B.

    Or : import settings from pfSense A to B.

  • Captive Portal attaching to all interfaces?

    9
    0 Votes
    9 Posts
    440 Views
    R

    Well, update as it is. Ended up doing some testing with a fresh install and found the portal appears to open several sockets regardless of the interfaces even from base, so seeing that on the status was a bit of a red herring. The behavior though somehow still showed the others affected, however...

    After reloading the existing config it no longer was binding to all the ports, until the portal stopped capturing again (still showed as running though), re-starting the config brought the multiple interface issue back. Interesting note that I'll have to keep testing though, Specifically attaching it to another interface, saving, then removing the second interface and save again and it behaves as expected.

    I would consider using the portal on my APs, but they have no option for an allow-by-MAC as the onboard one does, which is very handy for things like the work laptop that I don't want on the net, but don't particularly want to auth all the time either.

    Whelp, nobody ever said having a fancy lab would be easy. Will keep poking at it and update in the rare chance that someone else runs into something similar later on. Might have to finally get more friendly with BSD as a system itself. 🤷

  • Port whitelisting

    6
    0 Votes
    6 Posts
    689 Views
    R

    A few ways to go about it, but I've used some similar tricks internally to send imap/smtp traffic for a mail server directly to it, while calls to a webmail portal get passed over haproxy for an SSL frontend.

    Even without squid you could say Allow sources > any over select ports, then sources > any 80/443 NAT port-forward redirect to <internal web page with info here>, then drop all others.

  • Requesting Assistance with Certificates

    6
    0 Votes
    6 Posts
    657 Views
    GertjanG

    @Bashlory said in Requesting Assistance with Certificates:

    It appears to successfully block access for OS X and Windows

    Appears? It does, or it doesn't.

    @Bashlory said in Requesting Assistance with Certificates:

    OS X and Window

    Are these cabled up - using RJ45 etc, or wifi connected (using the AP)?

    @Bashlory said in Requesting Assistance with Certificates:

    while mobile devices can bypass without issues

    Known issue. The AP should be in AP mode. Its firewall/router/DHCP/DNS facilities should be stopped. The AP must become a bridge that bridges radio signals to electrical (wire) signals. Nothing more.
    Yours is probably still routing. That creates a situation where things seem to work, but are soooo broken.

  • 0 Votes
    11 Posts
    3k Views
    R

    "And as already mentioned : disable MAC filtering on the OpenVPN Captive portal instance."

    It may be adding another layer of complexity, but there is an option within the OVPN service to use 'tap' mode which operates at L2 of the stack, so it may still be possible to use the MAC filtering with that. Or it could just break the entire setup altogether; might be worth looking into though, in order to add some measure of source validation even if masking a MAC is a trivial thing. For that matter, on recent Android builds it even automatically does so when logging into an unsecured WiFi net.

  • Captive portal impossible to create

    6
    0 Votes
    6 Posts
    594 Views
    R

    @starnix It could be any number of reasons; if the device has something like VirtualBox, a VPN client, or any other reason to have a virtual NIC, it would show up as a second device. The trick to sort out is which interface is actually connecting to the network and whether it has a suitable route to get there.

    You mention doing the tests via a virtual machine, if you mean on desktop virtualization like VirtualBox then one thing that could easily go wrong is that the virtual client device is configured for NAT mode rather than 'bridged'. If it's in NAT mode, then the captive portal would actually see the connection coming from the host device rather than the client. The problem there is that the client device only knows that its 'gateway' (the host) didn't respond to a web request, so it treats it as a 503 timeout rather than expecting a captive portal page.

    Check to see if it's on nat or bridge mode and switch to bridge if needed, then try again and let's see what happens.

  • Voucher Remaining Time 2.4.4

    1
    0 Votes
    1 Posts
    92 Views
    No one has replied
  • FreeRadius service not restarting on pfsense 2.4.4

    4
    0 Votes
    4 Posts
    326 Views
    GertjanG

    Well, I guess you would be able to see why it stops.

    Whether the FreeRADIUS package has the same functionality as a real stand-alone RADIUS server, that I can't tell.

  • Automating Authentication Profiles for Splash Page

    2
    0 Votes
    2 Posts
    431 Views
    GertjanG

    Hi,

    @Bashlory said in Automating Authentication Profiles for Splash Page:

    The aim is to easily create login details for guests staying in a small hotel, valid for the duration of their stay.

    Yeah. And while you're at it, use the hotel's PMS so that during check-in the account gets created and activated, and during check-out the account is destroyed.
    I managed to implement such a thing with pfSense; it worked well.
    And true, the receptionist doesn't need to have access to pfSense or anything.

    pfSense and the captive portal have several options to identify the visitors: user/password or vouchers; you can also use the FreeRADIUS package to do basically the same thing, with much more control over how long, how much etc. Even OTP is possible.

    Btw: I had to edit the way the FreeRADIUS config files were created, so it uses the SQL database instead of a flat text file for user identification. Now I could "inject" new users, passwords and other details into the SQL database from other sources in the network, like the PMS adding and deleting users, without having to change FreeRADIUS settings in pfSense.

    The downside was: I had to manually edit the package source files, and create the facility for the PMS to drop user info into the database, something that has to be taken care of after every update on both sides. Not really a problem for me, as I can do it remotely. And most of all: it's 'my' pfSense, and it's 'my' hotel, I'm in control, and I need no one to take care of things when there are issues, I just need my hands and head.
    And yes, some basic PHP (Python, shell script etc) is not an option here. Actually, you have to know how things really work before you start changing them.

    I finally chose to have login user names like 101, 102, 103, 104 etc., our room numbers.
    In the small booklet in the room, the "room directory", on the first page, right after the "Read me first", I mention a room-unique password.
    I never change these passwords. This has worked great for many years now. Actually, it's been just perfect since pfSense was created (forked), a decade ago.

    I advise you to go for the most important automation design rule: "Keep It Simple".

    @Bashlory said in Automating Authentication Profiles for Splash Page:

    valid for the duration of their stay.

    Not really needed, because when a client leaves, they won't be able to connect any more ;)

  • 3 devices per voucher

    Moved
    9
    0 Votes
    9 Posts
    854 Views
    M

    I did change it to "Interim", still not working. This is my configuration:

    [screenshots of the configuration]

  • Syslog Not showing Devices added/deleted on Captive Portal

    2
    0 Votes
    2 Posts
    320 Views
    GertjanG

    @velbon said in Syslog Not showing Devices added/deleted on Captive Portal:

    user A

    That would be a user A that has the rights to login into pfSense and can actually visit the page where a MAC can be deleted.

    When I visit this page, Services > Captive Portal > cpzone1 > MACs to add a MAC, I see this in the syslog (not the pfSense System log page, a real syslog )

    04-24-2020 10:26:30 Local5.Info pfsense Apr 24 10:26:34 nginx: 2001:470:1f13:5c0:2::c6 - - [24/Apr/2020:10:26:34 +0200] "GET /services_captiveportal_mac_edit.php?zone=cpzone1&act=add HTTP/2.0" 200 6878 "https://pfsense.brit-hotel-fumel.net/services_captiveportal_mac.php?zone=cpzone1" "Mozilla/5.0 (Windows NT 6.1; rv:75.0) Gecko/20100101 Firefox/75.0"
    04-24-2020 10:26:21 Local5.Info pfsense Apr 24 10:26:26 nginx: 2001:470:1f13:5c0:2::c6 - - [24/Apr/2020:10:26:26 +0200] "GET /services_captiveportal_mac.php?zone=cpzone1 HTTP/2.0" 200 6694 "https://pfsense.brit-hotel-fumel.net/services_captiveportal.php?zone=cpzone1" "Mozilla/5.0 (Windows NT 6.1; rv:75.0) Gecko/20100101 Firefox/75.0"

    Btw: 2001:470:1f13:5c0:2::c6 is the IP of my PC. I was actually logged in etc ...
    here:

    Apr 24 10:26:11 php-fpm 31452 /index.php: Successful login for user 'admin' from: 2001:470:1f13:5c0:2::c6 (Local Database)

    edit: so, your captive portal users can also use their access credentials to enter the pfSense GUI???
    Don't tell me that that is true ....

  • Login Page Customisation

    2
    0 Votes
    2 Posts
    308 Views
    GertjanG

    Hi,

    @inghaj said in Login Page Customisation:

    but every time I disable and reenable the Captive Portal it gets overwritten!

    Because the page you designed yourself, and uploaded, is stored in the main config file.

    So, again, you should design your own 'html' page, and upload it.
    Check the captive portal settings page again, and the pfSense manual.

    Start by checking "Use custom captive portal page" and read the text being shown carefully.

    [screenshot]

    To get a starting point: connect to your captive portal, you'll see the default login page.
    Ask your browser to show you the html ^^

    Also, have a look at the official Netgate videos.

  • 0 Votes
    3 Posts
    214 Views
    GertjanG

    @sana said in pfSense with daloRadius to configure download quota limiting:

    daloRadius

    pfSense daloRadius

    @sana said in pfSense with daloRadius to configure download quota limiting:

    But when I add certain attributes for bandwidth limiting or download quota limiting,

    Added to pfSense?
    On the daloRadius side, these must exist also.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.