@grimson thank you sir,

One would assume that's how it should work, as 302 redirect seems to be standard for captive portal ... but I can confirm that Samsung devices for some reason -- do not follow this standard.

See here for more details:
https://android.stackexchange.com/questions/139588/captive-portal-detection-causing-phones-to-disconnect-from-wi-fi-in-intranet-env/208674#208674

Seems as though Samsung devices and their modified Android OS has changed the default handling to require some kind of response in the generate_204 instead of just using the code like mentioned above to trigger the captive portal login

Yeah. Add 208.67.222.222 and 208.67.220.220 to the Allowed IP Addresses in your captive portal configuration.

Linking again:

https://docs.netgate.com/pfsense/en/latest/book/captiveportal/troubleshooting-captive-portal.html#portal-page-never-loads-times-out-nor-will-any-other-page-load

Thanks for clearing that out--since I asked I had a major network redo and had two major "aha!" moments and I'm back to only the edge firewall + L3 switch and using every feature Windows Server's DHCP server has. I've been offline for really long periods while I broke some stuff.

But I accomplished what I wanted and was told repeatedly not to do it: DHCP option 121.
0_1551518079822_Screen_Shot_2019-02-13_at_08_45_54.png

I really liked the simplicity of using a transit network because all rules lay on a single interface plus a few floating ones it's awesome--parting from that and from this diagram I found:
:
0_1551518599407_chilli.png

and... your confirmation about no NAT needed (I'm really grateful, BTW) I'm thinking about setting up a captive portal as a transit network and whitelist hosts as needed. My previous experience with portals was with the UniFi system--it never occurred to me to look at things from another perspective.

I'll keep breaking stuff a little more, it's weekend, see what else can I learn--thanks a million!

The captive-portal was setup with MAC authentication. If login fails, rather then display a login page that scripts gets the MAC address and redirects to my captive portal site which allows them to setup an account and pay with PayPal.

@artz i think your issue has to deal with the following problem :

there is currently a bug with the captive portal ("reconfiguring a captive portal while users are connected to it, causes troubles for these users. they become half connected/half disconnected and cannot connect anymore").

this issue is known and will be resolved in the next version

the problem you are facing about "last activity" is a side effect of this issue

if you cannot wait for the next version, you could also patch your pfsense (here : https://forum.netgate.com/topic/137824/pfsense-no-internet-when-it-is-said-you-are-connected/13 )

@hugoeyng said in Invalid Local Database authentication after upgrading from 2.3.2 to 2.4.4:

Even there is only one option/Authentication Server is necessary to select/mark it.

As you said yourself :

@hugoeyng said in Invalid Local Database authentication after upgrading from 2.3.2 to 2.4.4:

You must select at least one authentication server.

@opticalx said in Creating users:

Hi Forum

On a follow up from my previous post.

I'm looking into if its possible to create a captive portal with a "create new user" button, that lets the user, type in e.g. Username and password.

The catch is that after this is done, it could create an actual user directly on the firewall.

Is this possible?

Or do I need radius/LDAP/AD?

Thanks in advance.

Why not just have an open network. it's as secure.

Perfect!

We overlooked this option, we've testet it and it works.

Thanks a bunch.

Hello,
Thank you for all this answers !! ;)
I detail my problem :

0_1550479043707_schéma_pfsense.jpg

In fact, I want to secure my machine networks with the use of a captive portal. The goal is that the client must be able to access the machine without knowing its internal address. Each machine has a differant network that's why I use a pfSense for each network.

I use the first pfSense(Router) for route all requests to the good pfsense.

I hope have been more clair, thanks for all !! ;)

@slybreiz i would recommand you to use PHP in your script ...for update your certificates :

In order to update the certificate in the config file, you could use cert_import() from certs.inc In order to restart the nginx server attched to a captive portal, you could use service_control_restart() function from service-utils.inc. That function will stop a captive portal zone, re-fetch the certificates from the config, and restart the cp zone.

@shood said in Captive Portal loss:

Thanks for reply .
The problem is as follows :

when enabled HA sync captive portal :
all users become after a peroid of time internet interrupting ,"you are already connected" ,..etc
see here :
https://forum.netgate.com/topic/139883/captive-portal-disconnect
change between 8003 and 8005
8003 captive portal page on slave
8005 captive portal page on master

That is another issue (which already has a fix. See https://forum.netgate.com/topic/137824/pfsense-no-internet-when-it-is-said-you-are-connected/13 ).

I created an issue on the bug tracker about the zones getting removed: https://redmine.pfsense.org/issues/9303

@fadygh said in block websites to certain users:

server and set dhcp relay on tplink routers

Huh? So you have downstream wireless routers doing nat? Just use them as AP.. Not routers..

Going to need a better picture. Too much guessing about how things are configured.

What are the different hosts behind the captive portal given as DNS servers to use?

How is that DNS server configured if it is one you manage?

You have 3 WAN interfaces in load balance?

Are you policy routing all traffic from the captive portal hosts to the same load balance group?

You can disable the second authentication method by using Ctrl+Click (Or Command+Click on Mac OS)

2fOco6ib

Unselecting all "Secondary authentication servers" in the GUI will result in the "second authentication method" part to disappear in the login page.

Also, vouchers are not considered as an "authentication server". In order to enable them, you can go to the "voucher" page on your captive portal settings. Here :

0_1548710946204_frame_00_delay-0.53s.jpg

finally, if you want to create a custom captive portal HTML login page, you can tick "Enable to use a custom captive portal login page" in your settings.

Normally, @free4 will drop in shortly to post
" https://forum.netgate.com/topic/139488/voucher-database-synchronization/2 "

edit : ah, you are already aware of this.

@jimp Thanks, this reply helped a lot