• Logo image is not displayed after user login

    0 Votes
    18 Posts
    2k Views

    @Gertjan @JonathanLee
    It has been fixed, found the same issue.
    https://redmine.pfsense.org/issues/15404

  • Ips allowed in Captive Portal pfsense 2.7.2 does not work

    0 Votes
    4 Posts
    500 Views
    GertjanG

    @msalavee said in Ips allowed in Captive Portal pfsense 2.7.2 does not work:

    2.6.0

    I've been using 2.7.2 for a while and then switched to pfSense Plus, currently 24.03.

    Did you see the last post in the thread I've shown?

  • Allowed IPs in Captive Portal pfsense 2.7.2 do not work

    0 Votes
    2 Posts
    255 Views
    GertjanG

    @msalavee

    It's always a language issue ;) See your other post.

  • Why does Captive Portal not work with IPv6?

    0 Votes
    10 Posts
    2k Views

    After two years of work, I was able to create a captive portal system on IPv6.

    installation guide on YouTube:

    https://youtu.be/iNjzQ0beCaA?si=6PNOC3vEFhUfPJe4

    Download link for the trial version:

    https://drive.google.com/file/d/1cbmzbUVbu6Wg_kWNLfXjOb7QZB8LlZFS/view

    Best regards

  • Relationship between uploaded HTML and index.php in Captive portal.

    0 Votes
    2 Posts
    524 Views
    GertjanG

    @Intone said in Relationship between uploaded HTML and index.php in Captive portal.:

    the relationship

    When the device hits the captive portal's web server at @IP-Portal:800x the index.php is used.
    "index.php" because : see the nginx main configuration file - one for http and one for https.

    [image]

    If the user isn't already logged in, the index.php doesn't do much and falls through the index.php up until this point.

    The function portal_reply_page is called with $type set to "login" so the main 'html' login page is sourced (line 1835), this is your uploaded html file, variables are put in place, stuff like #PORTAL_ZONE#, and then the magic happens at line 1868.

    echo $htmltext;

    and done.

    When you hit "Connect", now you're 'posting', the same index file is used, and you reach the most common point where user and password entries are tested, and if ok, access is granted.

    short survey : You can use php in your self made 'html' page. edit : go for the easy mode : create a link text (URL) that links to another web page that you upload into pfSense. You will have to write some back end code (script) to handle the user input.
    Get a copy of the default built-in login page (you can see it here) for an example.

  • 0 Votes
    6 Posts
    448 Views
    GertjanG

    @andreychernik999

    Not something you can do on pfSense.
    And not an issue either.

    As soon as devices are connected and authenticated against the captive portal, everything works as if there was no captive portal.
    So gmail, whatsapp, telegram and everything else just plain works.

  • Captive Portal Freeradius With CCTV

    0 Votes
    3 Posts
    288 Views
    GertjanG

    I saw your network diagram.

    Normally, afaik, captive portal users are non-trusted users.
    Cameras, normally should be made accessible for trusted users.

    Try this : declare every camera as a host in one of these :

    [image]

    so no portal access rule (and counters) are used to access the cameras ?
    (I'm not sure but easy to try out )

  • How can I get a user sent/received size

    0 Votes
    2 Posts
    208 Views
  • modify index.php to display data from specific files

    0 Votes
    1 Posts
    161 Views
    No one has replied
  • Problem with captive portal

    0 Votes
    9 Posts
    593 Views

    @Gertjan Yes but it didn't work, the problem was still there

  • pfSense Captive Portal + FreeRADIUS + SQLite Configuration Issues

    0 Votes
    2 Posts
    376 Views
    GertjanG

    Using SQL and choosing SQLite ?
    Didn't know that was possible / was an option.
    I use FreeRadius, but use a 'SQL' server (MariaDB on my NAS).

    "SELECT value FROM radcheck WHERE username = '$username' AND attribute = 'Max-Monthly-Data'");

    Did you modify the FreeRadius config files manually so it adds "attribute" in the radcheck table ?
    I see just this :

    [image]

    = the user name and password. No other columns.

    edit : wait : by default, this table is empty as pfSense uses the GUI to create a file ( this file : /usr/local/etc/raddb/mods-config/files/authorize ) that contains the users, passwords and some other stuff.

    Beware : FreeRadius can have thousands of options, pfSense uses (enables) just a few of them.
    The rest is hard coded / not used.

    @fakearia said in pfSense Captive Portal + FreeRADIUS + SQLite Configuration Issues:

    Why is this happening, and how can I prevent it?

    pfSense controls the construction of config files of every and any process on the system.
    That's the core essence of what pfSense is all about.
    If you want to have your own config files, you should modify the files that create these files (modifying pfSense, itself)

  • Captive Portal + freeradius + LightSquid

    0 Votes
    4 Posts
    356 Views
    GertjanG

    @ricardocasagrande said in Captive Portal + freeradius + LightSquid:

    so, maybe you have a better solution for my problem.

    Normally, there is the concept of being responsible for what is done with your Internet connection.
    So when I set up a captive portal for a hotel somewhere in 2006 using m0n0wall, pfSense was forked from it, I was looking for securing what portal clients could access.

    Today, I'm using pfBlockerng to block the most obvious host names (DNSBL) and if I suspect something, I can route all portal traffic over a VPN connection.

    Never had any issues with my ISP, knowing that I know they are looking, as I saw the warnings they send out when they detect something : a couple of my friends / neighbors were 'caught' while streaming and or sharing "Disney content".

    The real streamer / downloader uses a VPN anyway. Or is just too scared to connect to a network he doesn't know/trust.

    And, IMHO, all this has nothing to do with pfSense.
    If you want to use a proxy so you can analyze content, you need to know :
    What the "Internet" actually is, down to the packet.
    You need to know how proxies are set up and maintained.
    You need to have a good list with rules so you can actually detect something.
    You have to stay on to it permanently, as handling false positives will happen all the time.
    More and more sites just can't be proxied anyway.

    I've decided already a long time ago : it's not worth it.

    I already host my own web servers on my own dedicated Debian 12 dedicated server, a "big iron" device. I'm doing my own DNS domain name zone hosting using bind. When that was running, I've added DNSSEC everywhere, added my own postfix mail server for all my domains, fully compliant with all the modern mail constraints. No GUI whatsoever to maintain all this, everything is set up the old way.
    All this to say : I've started to know what 'Internet' is, and I know also I still don't know enough.

  • Captive portal is not displayed in Windows 10

    0 Votes
    10 Posts
    2k Views
    GertjanG

    @brunow said in Captive portal is not displayed in Windows 10:

    Could the request be stopping at the switch?

    if it has broken ports, or you are using bad (broken) cables, then yes ;)

    A switch, a non-administered switch, can't block anything.
    If the switch is manageable, then call the admin of the switch. Let him solve the issue, or fire him.

    Your image is a physical setup of your network, with some details about how the "Virtual" part is assigned. I've never used the devices you use, except pfSense. So all I can say is "... ok ...."
    I don't use VLAN at all, as I have to apply the rule "keep it simple" as this implies "nothing to learn".

    Btw : Why would you keep a Mikrotik in place if you have a pfSense ;)

    My advice : use a router, and this could be any PC you find out there, add an extra 5 $ network card into it, or better : a quad NIC if you want more interfaces (and wind up with a situation where you don't need VLAN, so one big can of worms less) and you have the perfect setup to test about everything, captive portal included.
    Later on, with the acquired experience, you can go wild with convoluted setups but I'll bet you'll say : "no-way ..."

  • Is possible to change https port on captive portal

    0 Votes
    7 Posts
    495 Views

    Many thanks!

  • Pfsense with only one network board

    0 Votes
    5 Posts
    372 Views

    @Gertjan Thanks, man. You really help me

  • shell error output

    0 Votes
    2 Posts
    224 Views
    GertjanG

    @publictoiletbowl

    Normally, I would tell you : upgrade, and see what new development offers you.
    24.03 is out there for months now, and rock solid.

    But .... when upgrading, everything goes up, and old stuff 'that used to work just fine' disappears. Old security issues also.
    Like the openssl libraries and the functionalities it offers. Everybody wants 4096 ... no 8192 bits (size !!) RSA encryption these days.

    Your question is : you want the "10 bit" encryption ... euh, yeah, sorry, that was probably ditched for 'security' reasons.
    After all, who (go count them) use openssl to make 'voucher' codes, and tries to make them as small as possible ?
    I don't say it isn't possible anymore, but you have to dive into the open ssl doc to see what is possible.
    To get the OMG experience, type :

    openssl help

    edit : so, for once : downgrade way back to the version of pfSense that had the possibility to make 'small vouchers' 😊

  • no message notification

    0 Votes
    3 Posts
    180 Views

    @Gertjan thanks for reply, it works now
    Screenshot_20240806_160208_com.android.captiveportallogin.jpg

  • how to prevent users for wifi tethering/sharing

    0 Votes
    6 Posts
    2k Views
    johnpozJ

    @colleytech you could use say snort for example

    As I said 2 years ago.

    Other option might be doing something with IPS package..

    https://docs.snort.org/rules/options/non_payload/ttl

    But different OSes can use different default TTLs, so you would most likely need multiple rules with different values. Unless you knew all the devices on your network used a specific ttl. Which is unlikely in a scenario where such detection would make sense. I could see it as a way to detect users using multiple devices behind another device to circumvent a captive portal for example.

    Where they have to pay for access or something. Keep in mind - that it is possible for the natting device to manipulate the traffic so the drop in ttl is not done.. Which would defeat this detection method.

  • Captive Portal - Change Default Gateway

    0 Votes
    7 Posts
    386 Views

    @EDaleH
    Same screen, alternate route to it in the menu. The Gateways must match the one(s) set in Interfaces, WAN when changing the Gateway. I do this all the time when I restore a Production Server to the Lab setup, the gateway setup always changes. Lately I have gotten lazy and edit the config.xml file before restoring it, as follows:

    <interfaces>
    <wan>
    <enable></enable>
    <if>igc0</if>
    <blockpriv></blockpriv>
    <blockbogons></blockbogons>
    <descr><![CDATA[WAN]]></descr>
    <ipaddr>192.168.123.111</ipaddr>
    <subnet>24</subnet>
    <gateway>WANGW</gateway>
    <spoofmac></spoofmac>
    </wan>
    and:
    <defaultgw4>WANGW</defaultgw4>
    <defaultgw6>-</defaultgw6>
    </gateways>

    By editing config first, it enables internet access sooner for the package installs and that is less likely to time out during the restore if you don't edit it fast enough. I do go and get a coffee though so it has the side effect of more coffee consumption.

  • Help with CP on OPT1

    0 Votes
    14 Posts
    668 Views

    @Gertjan said in Help with CP on OPT1:

    Looks like it's working now ?

    It seems so, just a mystery as to why? My test methodology is typically to change something, test and restore if it doesn't work.

    Perhaps it was just the devices acting out of sorts. (We have a lot of Chromebooks come through here)

    I will try and get the prod setup working...

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.