Hi ,
Thank you for your reply , I have two instances but still can't see where can I separate users for each zone, Because when I create users I see nothing that mention to whom the users will be applied to.
Selection_225.png

Ah sorry I'll be more careful in the future. Is it okay if I delete this post?

@DeanB_NYTS said in captive portal to collect user info without authentication for guests at a restaurtant:

was for device names for DNS filtering instead of IP address. I didn't know it could be used for urls!?

URL (host names) or IP's : it's the same thing.
The only difference is that the URL (host names) will get resolved first.

Read https://docs.netgate.com/pfsense/en/latest/captiveportal/captive-portal-troubleshooting.html first.
Now, use the mentioned ipfw commands (console or SSH access, option 8) and check he captive portals ipfw rules for yourself.

@free4 : I have seen the same logs - actually, when I run radius by hand, using the -X mode.
For me, this is where error log comes from

5ac5bf95-8116-4025-a65c-cbf9c66b29fa-image.png

It's not the authentication, which probably just fine, but the REAUTHENTICATION which happens every minute. It's this one that checks upload/download bits, time etc.

@maherg : what pfSense logs is useless info - it's far to minial - although it show (me) "where" the problem is.
We told you now 3 times where to look for the what really happens.
Just do what admins (have to) do.

@kiokoman - Thanks for the feedback. I haven't thought about squid. I will have to look in to it and research it a little. Then I can have a look at installing it to see some of its configuration & settings.

Thanks again......

@free4 said in pfsense:

packetFence

I thought of packetfence but am not sure whether I will be able to configure packetfence on one machien and pfsense on another. The confusion was with respect to architecture.

Should Packefence be inline with one link to the internal network and the other NIC connected to pfsense which has three nics(two wans and one lan)

Will this solution slow down the speed with ths extra latency

I"m still reading here .... trying to figure out.

Last couple of weeks I loaded a Hyper-VM on my 2012 Win server, it has 3 NIC's, so I can simulate and test without disturbing my companie network. Also : I'm using a second PC @home loaded with pfSense (using VM also).

Detail these 2 phrases :

@h2professor said in Captive portal ignoring MACs in latest version and allowing all machines access:

After, with 28:c6:8e:0f:95:9b set to Block
after.txt
I note that the MAC is not found in the second output.

As soon as the captive portal is activated on an interface, everybody (MAC, IP, whatever) is blocked.
Even when you have this :
246fe421-2b9a-44dc-b1d1-2eefbaccdb6e-image.png
on the LAN interface.

ipfw takes precedence of the ip firewall. ip being the firewall you set up with the GUI.

When you add a MAC on the MAC tab as a "pass" , this MAC will be part of your table "default_pipe_mac":

02100 145763334 141217081935 pipe tablearg ip from any to any MAC table(default_pipe_mac)

This is a snaphot of your "default_pipe_mac" :

dc:ef:09:9b:a8:c0 any 2671 1155484 1699152753 1560263421 any dc:ef:09:9b:a8:c0 2670 11 0 1560262129

You can see the MAC, the pipe rule numbers 2670 (down) and 2671 (up) and the number of bytes received and send.

These are the related pipe rules 2670 and 2671 :

..... 02670: unlimited 0 ms burst 0 q133742 100 sl. 0 flows (1 buckets) sched 68206 weight 0 lmax 0 pri 0 droptail sched 68206 type FIFO flags 0x0 16 buckets 0 active ..... 02671: unlimited 0 ms burst 0 q133743 100 sl. 0 flows (1 buckets) sched 68207 weight 0 lmax 0 pri 0 droptail sched 68207 type FIFO flags 0x0 16 buckets 0 active ...

Both are unlimited pipes.

Btw :
I found one (just 1) speed limiting (half a mega / s )pipe :

02223: 500.000 Kbit/s 0 ms burst 0 q133295 100 sl. 0 flows (1 buckets) sched 67759 weight 0 lmax 0 pri 0 droptail sched 67759 type FIFO flags 0x0 16 buckets 0 active

Pipe 2223 : so this is device

28:c6:8e:0f:95:9b any 2223 11722 14806366 1560263421 any 28:c6:8e:0f:95:9b 2222 2 0 1560262183

is speed limited - this is the only device I found that was limited speed.

The blocked MAC list : as you might have understand, MAC's that are blocked are not present in the ipfw tables and rules.
When you add a MAC as blocked, it's been put in a list handled by the GUI.
The Captive portal web server, when intercepting a (in your case : http) visitor web browser http requests, are redirected to this page page :

4f399b5f-ba20-44a3-9571-2718f56ef43e-image.png

(some conditions have to be met, like this page must is on the same LAN segment as the captive portal - there must be a http web server that can serve the page, etc - it might, it might not. For me, using an iphone, it didn't redirect well )

If no URL, the device is blocked, for any IP, for any port, for any protocol.

But : when a MAC isn't present on the MAC tab, or it's set as a red block, it won't pass.

I advice you to use and old PC to test - make sure there is a second NIC, and setup pfSense for yourself. Although I strongly advise you to use a captive portal on a dedicated - OPT1 - NIC, and leave the LAN for administrative purposes.

When applied the minimal setup as per Netgate's video (there are 3 videos on Youtube, the Netgate channel, take a recent one that handles basic operations) no device can connect, and they will show the default Login when you use a web browser on a visiting device. https restrictions might apply.

Now, when you add ONE MAC as a pass, this device can pass to the net. Right ?
Still, no other device can pass. Right ?
Add another MAC as a pass. It passes right ?
An still, no other devices can pass.
For the fun, add a MAC of a device that you own, as a BLOCK. It can not pass, right ?
And again, other, non listed MAC's still can't pass.
Etc etc.

You could even import your entire "300 MAC" list.
I would do this by exporting the config.xml - then use notepad++ to insert the block of

.... <passthrumac> <action>pass</action> <mac>xx:8d:79:91:ec:52</mac> <bw_up></bw_up> <bw_down></bw_down> <descr><![CDATA[Sophie]]></descr> </passthrumac> <passthrumac> <action>pass</action> <mac>7c:bb:35:f2:a9:0e</mac> <descr><![CDATA[Serge Nouveau portable]]></descr> </passthrumac> .....

in the correct section, and import that file back in again.

Still, unlisted device you own can't pass as they are not part of the list.

I ended up listing all my devices (9) as blocked : they didn't pass.
I removed them from the MAC tab, so not listed as a pass or block : they still didn't pass.

Btw : do not hesitate to reset firewall states. I don't know if it is really needed, but it would harm to reset they all the time, after changes.

My main question is : can you replicate your issue on a barebone system, after a manual minimal setup.
And if so, after which change your issue happens ?

Also : export your

.... <passthrumac> <action>pass</action> <mac>xx:8d:79:91:ec:52</mac> <bw_up></bw_up> <bw_down></bw_down> <descr><![CDATA[Sophie]]></descr> </passthrumac> <passthrumac> <action>pass</action> <mac>bb:bb:35:f2:a9:0e</mac> <descr><![CDATA[Serge Nouveau portable]]></descr> </passthrumac> .....

section, and drop it in here.
Mistify all MAC's be replacing the first byte by placing 'bb', as I did above.

I'll import your list.
I wonder if I see the issue then ...

@kiokoman said in images from file manager not showing:

of course not there is a specific section on the Captive portal to load images,

Right.
It's here :

19678267-ca36-41e5-8f58-f2bd9b96c538-image.png

Check out this :

d55e67a6-8f49-4909-a7ec-a669a89cb0fc-image.png

Got it ? You see the first "check" : "Use custom captive portal page
Enable to use a custom captive portal login page" ?

It's not clear if @exofio is using the default, build in login page - which has an optional replaceable background and logo image, or if he is using a self-made login 'html' page.

I might say obvious things, but did you have a look to the documentation ? It has been updated recently

https://docs.netgate.com/pfsense/en/latest/captiveportal/captive-portal-configuration.html

Well, it seems supporting LDAP - which is supported by pfSense.

Never heard from "shibboleth" related to pfSense ....
A forum or Google search confirms.

Edit : there is one : https://forum.netgate.com/topic/60524/cp-authenticating-to-idp-via-saml !

I agree totally.

People that use devices to connect to the Internet are aware of the fact that an capital X and small case x are not always the same.

I know - again : we as a company still receive, ones in a while, mails in all capitals - or all lower case. Better yet : check out this forum, you will find the same thing.

Btw : forcing whatever is entered as a user name to capital ? No big deal.
Find line 216 in /usr/local/captiveportal/index.php

Here it is :

$auth_result = captiveportal_authenticate_user($user, $passwd, $clientmac, $clientip, $pipeno, $context)

Surround $user with "strtoupper" like this :

$auth_result = captiveportal_authenticate_user(strtoupper($user), $passwd, $clientmac, $clientip, $pipeno, $context)

This will force whatever the user entered, to capitals.

True : when pfSense updates, you will have to redo this edit - ones or twice a year.
A small shell script that starts when pfSense reboots could do this for you.

thank you. i am adding the school's default background.

@Gertjan separating LAN and WAN works! great Sir! thank you!

@exofio said in Logo and Background images missing:

i cant upload due to img limit size 10mib.. what to do?

Serious ?
An index landing page that weights over 10 mega ???
If you really have to, put the videos, images and other big resources in separate files, and link to them from the main index login page.
Note : None of the files can be bigger then 10 M.
Also : everything you upload will be stored into the config.xml file.

i uploaded the file to var/db/... what code will i use to call it on html file?

@Gertjan said in Captive portal looping:

The 'login' page and nearly identical 'login-error' page are not stored in /var/db/cpelements.

Thanks for the tip, that was indeed the source of the problem. An older login page was uploaded (at some point in the past) to the captive portal error page.

@jimp I found the problem, in the Voucher config page, I entered the server ip, the port and the username and password. And it gave me those errors.
But if I let them blank, the Local Database being on the localhost, everything work perfectly now.

Thanks

@ontzuevanhussen said in One account ONLY for one device on the captive portal:

one account for one device, but does not disconnect the account that was previously logged.

not sure i quite understand...you mean you want to allow only one login per user, and block additional logins attempts using an error page?

if yes :

pfSense does not natively support this feature. since you seems to be using freeradius, you could nevertheless add some freeradius setting (like simultaneous-Use : 1) to prevent an user to log in more than once. keep in mind that this kind of freeradius setting is not compatible with "reauthenticate users" for obvious reasons...

also,

independently of "is this technically possible", you should not do this. pfSense is using a MAC address&IP address couple to identify an user. for privacy reasons, a device may change them randomly over time. once its MAC or IP has changed, a device will face the login page again but won't be able to login anymore...is that really what you want?

@free4 Ok, I found it. Thank you so much friend..
Annotation 2019-08-18 163737-.jpg

@ontzuevanhussen

What are you trying to do?

Have you registered the aps in freeradius or the controller, it needs to have the aps registered.

Try running rasdniff -x from the pfSense cli, it might give you a clue.

https://docs.netgate.com/pfsense/en/latest/captiveportal/using-captive-portal-with-freeradius.html