• HELP Users on Captive Portal use their smartphones as mobile hotspot

    5
    0 Votes
    5 Posts
    923 Views
    C

    I'm new to pfsense but, can't you limit the bandwidth by voucher or put some download limit ?
    and use 5ghz antennas.

  • how to setup captive portal without enabling dhcp on lan

    2
    0 Votes
    2 Posts
    430 Views
    F

    simple : enable captive portal without enabling DHCP, then set up static IP on your clients.....

  • How do I call Radius server to my Access Point outside the local network?

    2
    0 Votes
    2 Posts
    895 Views
    GertjanG

    @louger said in How do I call Radius server to my Access Point outside the local network?:

    I followed this tutorial

    Why ?
    The original 'from the authors' video isn't good enough ?

    If your Radius server isn't hosted on pfSense using the FreeRadius package
    and
    The Radius server isn't hosted on the captive portal network segment
    then
    Add the IP of your Radius server to this page :

    1a0cc4d7-24c3-4944-a665-15d308299f61-image.png

  • Anyone that can configure a captive portal?

    3
    0 Votes
    3 Posts
    690 Views
    T

    @Gertjan said in Anyone that can configure a captive portal?:

    Hi,

    Be aware that the guy who offers a captive portal should also support it.
    Like : you want to drive a car : you'll get best results when you actually are trained to do so

    Oh thanks for the suggestion, but i don't need that, once we test it and it works, i am fine with that, no need for support, i will pay again if necessary.

  • [Captive Portal] Authenticate via social networks

    10
    0 Votes
    10 Posts
    2k Views
    N

    Hi, @felipe-volpato. First of all thank you very much for sharing the video. I'm looking to do something like that, would you be so kind as to share some information on how you did it?

    Thank you very much in advance for your time

  • Captive portal 404 redirecting

    4
    0 Votes
    4 Posts
    725 Views
    B

    Ok, that's what i thought,
    GJ

  • Accessing Captive portal from remote host returns NXDOMAIN Error

    Moved
    7
    0 Votes
    7 Posts
    515 Views
    stephenw10S

    Only way you could do that would be to setup a VPN to pfSense and run the captive portal on that. It would probably still be painful though.

    Steve

  • Captive Portal Configuration, willing to hire someone...

    10
    0 Votes
    10 Posts
    1k Views
    T

    Still willing to hire someone, if there is anyone which can do the job online, kindly let me know your fee, thanks.

  • Captive portal + WPAD + Squid

    5
    0 Votes
    5 Posts
    2k Views
    N

    @free4
    thx,
    I've set up a transparent proxy + HTTPS/SSL Interception on the netgate itself and use my existing proxy as a peer proxy.
    it works

  • Help with login page customize

    2
    0 Votes
    2 Posts
    887 Views
    I

    @ilarioQ Find solution, in same place to image.

  • Captive portal does not "delete" expired user device

    8
    0 Votes
    8 Posts
    1k Views
    I

    @free4 I disconnected everyone, stopped and restarted the captive portal. I had some users connected with the vouchers, some were reconnected and some were not. Thanks.

  • Redirect does not work

    17
    0 Votes
    17 Posts
    1k Views
    GertjanG

    @Crunch1788 said in Redirect does not work:

    type anything in the browser it just dont redirect...

    This "anything" should not be a https site that you already visited before.
    These days, certs are persistent, and some of them even completely forbid that you use the http:// destination.

    So, type in a http (not https) site that you never visited before. This would start the usual DNS questioning and when the answer comes in (the A one) then the browser will (try to) connect to it using port 80. Nifty ipfw firewall rules on the Captive portal interface will redirect any "connections to port 80" to the firewall itself.
    And guess what, the web server that serves the captive login page is listening over there. So you see that, instead of the site you wanted to visit.

    So, this "anything" should be something valid, if not the DNS exchanges "anything" for "does not exist" and you still have a no go.

    But : these days there is no need any more to explain these things.
    All OS's are captive portal aware these days so it works out of the box.

    I tend to say : activate the portal with as Authentication Method : None.
    and you're done.

    The trick is : a good working DNS isn't optional thing. The captive portal really needs it - that is, the clients do. So, people that m*ss up the DNS (Resolver) settings will wind up with a non working captive portal.

    Most issues are being handled here : https://docs.netgate.com/pfsense/en/latest/captiveportal/captive-portal-troubleshooting.html

    Btw : I could show you the video that my brother made about captive portals. Very nice except that it wouldn't help nobody.
    If you want a video, use the real videos from Netgate, the official ones. "Done by the guys who build it". Like having Windows explained to you by the guy from Microsoft. Not your car dealer. really, it makes a difference.

    edit : I was typing too slowly .... (during work hours) ...

    What I advise you to do :
    (All) devices use DHCP - and pfSense should hand out the IP mask gateway and DNS.
    The latter two are the IP of the network where the captive portal is running.
    The DNS resolver settings should be "default" : example adding 8.8.8.8 and you're out of business.
    First test : just use one (1) Ethernet cable, no switches - no AP's, nothing except the one 1 $ cable. This should work.
    Now you can include a switch. A switch has no settings so this can't go wrong.
    Test again.
    Now add an AP ... and be careful : an AP - not some "router-with-AP-with-router-functionalities" like DHCP/Firewall/NAT etc still activated.
    Just an AP. Shut down the rest (DHCP ... DNS ....).
    Give this AP a static IP - gateway being the IP of pfSense - DNS is the IP of pfSense and you'll be fine.

    About the OS detection : example : an iPhone :
    Select the captive portal wifi network.
    Wait 5 seconds.
    The portal login page shows up "as by magic" : no need to open up a browser first.
    Same thing for Microsoft Windows since version 7.
    I think even "android" devices have it working out of the box these days.
    No interaction from your side is needed.

  • Captive portal for Public WiFi network

    1
    0 Votes
    1 Posts
    233 Views
    No one has replied
  • Captive Portal + Radius Server : Create a generated users list

    5
    0 Votes
    5 Posts
    738 Views
    M

    Hi ,
    Thank you for your reply , I have two instances but still can't see where can I separate users for each zone, Because when I create users I see nothing that mention to whom the users will be applied to.
    Selection_225.png

  • Freeradius user with multiple passwords

    3
    0 Votes
    3 Posts
    363 Views
    S

    Ah sorry I'll be more careful in the future. Is it okay if I delete this post?

  • 0 Votes
    18 Posts
    4k Views
    GertjanG

    @DeanB_NYTS said in captive portal to collect user info without authentication for guests at a restaurtant:

    was for device names for DNS filtering instead of IP address. I didn't know it could be used for urls!?

    URL (host names) or IP's : it's the same thing.
    The only difference is that the URL (host names) will get resolved first.

    Read https://docs.netgate.com/pfsense/en/latest/captiveportal/captive-portal-troubleshooting.html first.
    Now, use the mentioned ipfw commands (console or SSH access, option 8) and check the captive portal's ipfw rules for yourself.

  • pfSense-Bandwidth-Max-Down not working on radius server

    9
    0 Votes
    9 Posts
    2k Views
    GertjanG

    @free4 : I have seen the same logs - actually, when I run radius by hand, using the -X mode.
    For me, this is where error log comes from

    5ac5bf95-8116-4025-a65c-cbf9c66b29fa-image.png

    It's not the authentication, which is probably just fine, but the REAUTHENTICATION which happens every minute. It's this one that checks upload/download bits, time etc.

    @maherg : what pfSense logs is useless info - it's far too minimal - although it shows (me) "where" the problem is.
    We told you now 3 times where to look for the what really happens.
    Just do what admins (have to) do.

  • Captive Portal - ntopng

    5
    0 Votes
    5 Posts
    714 Views
    W

    @kiokoman - Thanks for the feedback. I haven't thought about squid. I will have to look in to it and research it a little. Then I can have a look at installing it to see some of its configuration & settings.

    Thanks again......

  • pfsense

    3
    0 Votes
    3 Posts
    510 Views
    N

    @free4 said in pfsense:

    packetFence

    I thought of packetfence but am not sure whether I will be able to configure packetfence on one machine and pfsense on another. The confusion was with respect to architecture.

    Should Packetfence be inline with one link to the internal network and the other NIC connected to pfsense which has three nics (two wans and one lan)?

    Will this solution slow down the speed with this extra latency?

  • 0 Votes
    42 Posts
    5k Views
    GertjanG

    I'm still reading here .... trying to figure out.

    Last couple of weeks I loaded a Hyper-VM on my 2012 Win server, it has 3 NIC's, so I can simulate and test without disturbing my company network. Also : I'm using a second PC @home loaded with pfSense (using VM also).

    Detail these 2 phrases :

    @h2professor said in Captive portal ignoring MACs in latest version and allowing all machines access:

    After, with 28:c6:8e:0f:95:9b set to Block
    after.txt
    I note that the MAC is not found in the second output.

    As soon as the captive portal is activated on an interface, everybody (MAC, IP, whatever) is blocked.
    Even when you have this :
    246fe421-2b9a-44dc-b1d1-2eefbaccdb6e-image.png
    on the LAN interface.

    ipfw takes precedence over the ip firewall. ip being the firewall you set up with the GUI.

    When you add a MAC on the MAC tab as a "pass" , this MAC will be part of your table "default_pipe_mac":

    02100 145763334 141217081935 pipe tablearg ip from any to any MAC table(default_pipe_mac)

    This is a snapshot of your "default_pipe_mac" :

    dc:ef:09:9b:a8:c0 any 2671 1155484 1699152753 1560263421
    any dc:ef:09:9b:a8:c0 2670 11 0 1560262129

    You can see the MAC, the pipe rule numbers 2670 (down) and 2671 (up) and the number of bytes received and sent.

    These are the related pipe rules 2670 and 2671 :

    .....
    02670: unlimited 0 ms burst 0
    q133742 100 sl. 0 flows (1 buckets) sched 68206 weight 0 lmax 0 pri 0 droptail
     sched 68206 type FIFO flags 0x0 16 buckets 0 active
    .....
    02671: unlimited 0 ms burst 0
    q133743 100 sl. 0 flows (1 buckets) sched 68207 weight 0 lmax 0 pri 0 droptail
     sched 68207 type FIFO flags 0x0 16 buckets 0 active
    ...

    Both are unlimited pipes.

    Btw :
    I found one (just 1) speed limiting (half a mega / s )pipe :

    02223: 500.000 Kbit/s 0 ms burst 0
    q133295 100 sl. 0 flows (1 buckets) sched 67759 weight 0 lmax 0 pri 0 droptail
     sched 67759 type FIFO flags 0x0 16 buckets 0 active

    Pipe 2223 : so this is device

    28:c6:8e:0f:95:9b any 2223 11722 14806366 1560263421
    any 28:c6:8e:0f:95:9b 2222 2 0 1560262183

    is speed limited - this is the only device I found that was limited speed.

    The blocked MAC list : as you might have understood, MAC's that are blocked are not present in the ipfw tables and rules.
    When you add a MAC as blocked, it's been put in a list handled by the GUI.
    The Captive portal web server, when intercepting a (in your case : http) visitor web browser http requests, are redirected to this page :

    4f399b5f-ba20-44a3-9571-2718f56ef43e-image.png

    (some conditions have to be met, like this page must be on the same LAN segment as the captive portal - there must be a http web server that can serve the page, etc - it might, it might not. For me, using an iphone, it didn't redirect well )

    If no URL, the device is blocked, for any IP, for any port, for any protocol.

    But : when a MAC isn't present on the MAC tab, or it's set as a red block, it won't pass.

    I advise you to use an old PC to test - make sure there is a second NIC, and setup pfSense for yourself. Although I strongly advise you to use a captive portal on a dedicated - OPT1 - NIC, and leave the LAN for administrative purposes.

    When applied the minimal setup as per Netgate's video (there are 3 videos on Youtube, the Netgate channel, take a recent one that handles basic operations) no device can connect, and they will show the default Login when you use a web browser on a visiting device. https restrictions might apply.

    Now, when you add ONE MAC as a pass, this device can pass to the net. Right ?
    Still, no other device can pass. Right ?
    Add another MAC as a pass. It passes right ?
    And still, no other devices can pass.
    For the fun, add a MAC of a device that you own, as a BLOCK. It can not pass, right ?
    And again, other, non listed MAC's still can't pass.
    Etc etc.

    You could even import your entire "300 MAC" list.
    I would do this by exporting the config.xml - then use notepad++ to insert the block of

    ....
    <passthrumac>
        <action>pass</action>
        <mac>xx:8d:79:91:ec:52</mac>
        <bw_up></bw_up>
        <bw_down></bw_down>
        <descr><![CDATA[Sophie]]></descr>
    </passthrumac>
    <passthrumac>
        <action>pass</action>
        <mac>7c:bb:35:f2:a9:0e</mac>
        <descr><![CDATA[Serge Nouveau portable]]></descr>
    </passthrumac>
    .....

    in the correct section, and import that file back in again.

    Still, unlisted device you own can't pass as they are not part of the list.

    I ended up listing all my devices (9) as blocked : they didn't pass.
    I removed them from the MAC tab, so not listed as a pass or block : they still didn't pass.

    Btw : do not hesitate to reset firewall states. I don't know if it is really needed, but it would harm to reset them all the time, after changes.

    My main question is : can you replicate your issue on a barebone system, after a manual minimal setup.
    And if so, after which change your issue happens ?

    Also : export your

    ....
    <passthrumac>
        <action>pass</action>
        <mac>xx:8d:79:91:ec:52</mac>
        <bw_up></bw_up>
        <bw_down></bw_down>
        <descr><![CDATA[Sophie]]></descr>
    </passthrumac>
    <passthrumac>
        <action>pass</action>
        <mac>bb:bb:35:f2:a9:0e</mac>
        <descr><![CDATA[Serge Nouveau portable]]></descr>
    </passthrumac>
    .....

    section, and drop it in here.
    Mystify all MAC's by replacing the first byte by placing 'bb', as I did above.

    I'll import your list.
    I wonder if I see the issue then ...

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.