@jarlel said in CP Quota limit with Freeradius/MySQL:

but when using MySQL it doesn't...

FreeRadius needs a book-keeping system where it stores its working data.
A file system based method exists.
MySQL can also be used, as many other databases. Up to you to create a database with tables that contain the correct fields etc.

When you setup a limited amount of up- and download traffic for a user like this :

1be2a07d-4c7a-4a85-aa01-54ddf96d31c4-image.png

You'll be seeing lines in the log :

6468f8aa-e8f7-4b04-a759-111c40ba5036-image.png

When the quota (dialy in my case) is consumed, you see a line like this in the captive portal page :

a359cccd-a09f-4698-92bb-da86d2b30a4c-image.png

Why would your VLAN 10 clients need to access the RADIUS server?

This :
fd71b78d-7064-43fc-a6ee-6a3e8d963ee1-image.png

Is the 'simple' setup.

The ipfw firewall works best when it 'sees' the MAC addresses of the connected devices.
If it doesn't, well ... check our AP again : make it work as an AP, not a router. Routers hide MAC addresses for upstream routers (= pfSense). That not good if you want the captive portal to work flawlessly.

Hey Gertjan, Thank you for your suggestion on my topic. Sadly the only 3 videos i can find are each at least 45 minutes long. Can you please link me to the suggested "Basic" captive portal video? you mentioned it would be up and running in about a minute or so, which would be great. :)

You want more videos ? Less ?

Keep in mind : managing a captive portal is like driving a car. Takes you a faction of a second to take a seat, start and drive.
Took you several months to learn how to do so.

The videos : just take the most simple one. Do what Jimp (the author) does. Guaranteed it will work.

A setup with FreeRadius ( ... RADIUS MSCHAPv2. AD Server .... ) that already a more advanced setup. See the other videos.

Radius is like adding a tool (package).

FreeRadius will hailstorm the log if you set it up to use daily/weekly/monthly quotas.

Something like :

Jun 14 14:21:46 root FreeRADIUS: User 107 has used 323 MB of 2048 MB daily allotted traffic. The login request was accepted. Jun 14 14:21:46 root FreeRADIUS: User x has used 251 MB of 256 MB daily allotted traffic. The login request was accepted. Jun 14 14:20:45 root FreeRADIUS: User 107 has used 323 MB of 2048 MB daily allotted traffic. The login request was accepted. Jun 14 14:20:45 root FreeRADIUS: User x has used 251 MB of 256 MB daily allotted traffic. The login request was accepted. Jun 14 14:19:45 root FreeRADIUS: User 107 has used 323 MB of 2048 MB daily allotted traffic. The login request was accepted. Jun 14 14:19:45 root FreeRADIUS: User x has used 251 MB of 256 MB daily allotted traffic. The login request was accepted. Jun 14 14:18:44 root FreeRADIUS: User 107 has used 323 MB of 2048 MB daily allotted traffic. The login request was accepted. Jun 14 14:18:44 root FreeRADIUS: User x has used 251 MB of 256 MB daily allotted traffic. The login request was accepted. Jun 14 14:17:43 root FreeRADIUS: User 107 has used 323 MB of 2048 MB daily allotted traffic. The login request was accepted. Jun 14 14:17:43 root FreeRADIUS: User x has used 251 MB of 256 MB daily allotted traffic. The login request was accepted. Jun 14 14:16:42 root FreeRADIUS: User 107 has used 323 MB of 2048 MB daily allotted traffic. The login request was accepted. Jun 14 14:16:41 root FreeRADIUS: User x has used 251 MB of 256 MB daily allotted traffic. The login request was accepted. Jun 14 14:15:40 root FreeRADIUS: User 107 has used 323 MB of 2048 MB daily allotted traffic. The login request was accepted. Jun 14 14:15:40 root FreeRADIUS: User x has used 251 MB of 256 MB daily allotted traffic. The login request was accepted. Jun 14 14:14:40 root FreeRADIUS: User 107 has used 323 MB of 2048 MB daily allotted traffic. The login request was accepted.

Not very informative ....

@free4 I believe you can use LDAP with Google auth, but yes, Facebook is a gigantic pain. Not much I can do to fix them, this was just a requirement for us as an ISP to allow our customers to offer free WiFi.

You might be able use pass-thru credits to reduce exposure, although I think that would be a whole other can of worms.

@free4 said in Pfsense Captive Portal and Google LDAP Sign In for single sign on with other gapps:

@micdeep i would choose solution B
gsuite seems to supports LDAP authentication

see https://support.google.com/a/answer/9048516?hl=en
or maybe https://github.com/hlavki/g-suite-identity-sync ?

(pfSense support LDAP logins for captive portal out of the box )

Any tips about captive portal engine modification? https://github.com/hlavki/g-suite-identity-sync seems to be a good suggestion, thanks

@free4 said in Pfsense Captive Portal and Google LDAP Sign In for single sign on with other gapps:

you can configure ldap authentication from the user manager (check the documentation for more info : https://docs.netgate.com/pfsense/en/latest/usermanager/user-authentication-servers.html )

once you added an ldap server, you will be able to use it in the captive portal, as authentication backend

Maybe I didn't explained myself well (sorry, English is not my primary language), I already enabled LDAP on my pfsense, and it works quite well, but when a user do login, but this authentication doesn't enable him on Google Suite Apps, he needs to make another login directly on a google App.

@micdeep said in Pfsense Captive Portal and Google LDAP Sign In for single sign on with other gapps:

Actually, my PFSense Captive Portal works fine with the new Google LDAP implementation, my "Google Suite User" login correctly with his account email and password. Then pfsense enable my user to go online, but my user needs to reauthenticate in all Google Suite apps (gmail / gdrive etc and our custom web app).

Thank you for your help

Hi,

Captive portal on a WAN interface ?
Never saw that before.
It should be on a LAN type interface.

@lukas333 said in Apply Captive Portal only on 1 internet:

and need MAC restriction only on the WAN

Same thing. MAC restriction can be enforced by the captive portal MAC tab, or if you use FreeRadius.
You can also enforce MAC access by setting up static leases for DHCP server - and refuse unknown MAC's. A DHCP server runs of course on a LAN type interface.

edit : I don't have multiple WANs so I don't use and don't have expedience with load balancing.

well

first of all HLR don't exist in phone networks anymore. we are now in the age of 3g and 4g, HLR have been replaced by HSS.

second of all, unless you are a government agency, you can't have access to such data, for obvious safety reasons. you are not allowed to track the location of any user you want

third, the recommanded way to check that a phone number really belong to someone, is to send a confirmation code to the phone.
this is what banks do for verifying an user's phone, so you should be safe with it

in order to do this, you could either code your own system using a sim card reader, or use an external services for this. multiple companies are offering this services. you can type "confirmation SMS API" or "F2A API" on google to find one

@D3messiah said in Up limiter in captive protal cannot be deleted:

When trying to delete or disable the Per-user bandwidth restriction it has no effect.
....
I did not use traffic shaping

When you use the "Per-user bandwidth restriction", you actually instructed to 'ipfw' to build pipes for the connections, these pipes produces the band with restriction. I guess this is pretty close to traffic shaping ^^

When you de-activate the captive portal on an Interface, ipfw won't run any more. That ends any "bandwidth restriction" related to the captive portal.

As @free4 said : show us the

ipfw pipe show

command when the portal is down.
If you don't use any traffic shaping else where, then something bad's going on.

Don't use less then 2.4.4-p3. You'll get bitten by other bugs.

@schabi said in Captive portal always bypasing:

Ah wtf, I din't see that. How did this setting even get there?

Config changes are logged - so bring along the baseball bat, and consult the log ;)

@kramtw said in Freeradius stop working:

Parse error

Hi,

As stated : needed files are missing or plain wrong.
Beforere you re install FreeRadius, do a file system check (fck).

In deed the problem was the application is also using external ressources but i didnt notice the change as soon, now I downloaded whatever resources was needed and I load it locally.

That solved my problem.

Thanks!

@ishtiaqaj as everyone said, 2.2.X is end of life, no support will be provided anymore for this version.

That includes forum support.

@bryanfoo79 said in This MAC address has been blocked:

My question is how can I modify this page to something else

Somehow you totally missed what the captive portal of pfSense can do for you.

Check this :

4b0e7831-86b8-4c28-a846-1ff8326537d6-image.png

View the 3 Captive portal pfSense (Netgate) videos.

Apply this simple rule : RTFM. It's all there.

Bassically, you should write your own html (with some PHP) file that contains some mandatory info, and other text/images/whatever you like.
You'll be needing the error page aoso. This is the same page as the main index file, added to it the red line that shows a message (the error as you saw yourself).

(Sorry for my previous post, it was a mistake)

The information about vouchers that are in expired is stored in /var/db/voucher_{$cpzone}_used_{$roll}.db. This file is a binary file, and it is not exported when performing a backup.

Is it expected? Well, i'm not netgate....but in my opinion, yes. Connected users, and inuse/expired vouchers are not configuration elements and should not be saved when performing a backup.

Active DHCP leases (for instance) are also not saved when performing a backup. Because they are not configuration elements.

Yeah that is just FAIL!! 2.2 has not been supported for years.. Update to current!! 2.4.4p2, the whole 2.3.x line is not even supported any more.

... and what about looking at the graph of the interface that the portal is using ?

@riessal i have a question : is it the first Time ever that you are using a voucher on your macbook?

I mean, did you successfully connected/authencated to the wifi using your macbook (possiblly long time ago)?

@Gertjan Yes, Im aware of that.