Typically, captive portals host only unknown, non trusted devices from unknown visitors.
You should let them out to the Internet when they identify themself. You should even enforce the fact that they can't communicate with each other.
This is what windows does when you indicate that the network is "public".
You should put your AP's in client isolating mode.

Best will be : put the captive portal on an OPTx or VLAN interface, dedicated for these visitors.
Known and trusted devices could be on the LAN interface.

Btw no iptables on FreeBSD. It's 'ip' and 'ipfw' here.

@free4

So I went back and had another look at it, and have found the correct path to the file..

<img src="captiveportal-filename.jpg>

Now that works just fine.

Now I move on to the next issue with the page and that is that the fonts in the frame show as White, on a washed out white logo image. Very hard to read. The fonts should be black...
Just another small issue to get the bug worked out of.

Thanks for the reference to the file manager source file path as that once I discovered it was in the root of the captive portal helped a lot and corrected that issue.

D

Why do you think you need that? You have a vlan switch - does this itx box not even have 1 nic?

Hi !

What do you mean by :

@sa-hein-khant-i said in Captive Portal User Login 404 Error.:

could you pls solve this issue.

does some one has to come over to correct your settings ?

The "Logout popup window" is a pretty useless functionality these days as most browser do not permit popups to pop anymore (most users disable this function).
I'm using an iOS device (version 12.1.2) and the build in web browser (not Safari or other browser, it's some OS-build in browser) doesn't even open the build in popup logout page. It looks like it's discarded.

What does show up in (my) upper left corner is a text that says that the visitor is redirected to (my setup) : https://www.google.com - and that's what happens.
So no error for me.

Btw : I'm using a dedicated NIC for my portal, hooked up to a switch that is hooked up to 5 AP's. Works great for many years now.

Note : If you change portal settings, do not forget to disconnect all connected (authenticated) users (as is discussed many times now the last several months).

@free4 said in PFSense 2.4.4_1 Authentication failed:

did you update from 2.4.3?

I updated it from 2.4.4

@free4 said in Connecting to RADIUS Server:

Is there a reason why you are using this product? Why aren't you using FreeRADIUS like most people?

in my country (IRAN) for logging purpose we should use IBsng ( the only solution the police accept for tracing bad user).
thanks for your reply. i will try FreeRADIUS. is any GUI for this software. i am not familiar with linux.

Hello, I'm sorry but i didn't understand your message

Sorry, i found my solution :
https://www.netgate.com/docs/pfsense/book/captiveportal/zone-configuration-options.html section MAC Filtering
We can disable MAC address filtering !

@free4 Yes, when it's to wear or take somewhere. You don't actually take a website with you, it lives on a server, you publish it. :) ⌨

You made me think though, what if I carry the web server with me, like those early-days iOS file server apps, but I'd still need a browser to access it and even with the browser being on the same device somehow makes me think I'm getting it, that it's still somewhere in a colo. The one thing I think could make me see it differently is if the address bar was 3x as big and read ...://localhost/... . 😂

@gertjan said in In the captive portal state, the version 2.4.4-RELEASE-p1 does not show the number of connected users:

Yours doesn't.
What up ?

Perfect, it worked, thank you very much for the solution and sorry for my ignorance. I am new in the management of this great distribution.

Hi,

What is Radius Desk ? Can't find any references to it in the manual/doc of pfSense.

edit : two years ago : https://forum.netgate.com/topic/109044/setting-up-internet-data-quota/6

What's your use case?

I mean, why would you do that? What are you trying to do exactly?

Thanks for the reply, i got it working im on 2.4.5-DEVELOPMENT (amd64)
how can i test if the LDAP was correctly connected?

As mentionned more or less everywhere in the forum, there is currently a bug on the captive portal : if you edit captive portal settings while users are connected to it, connected users will become in a "rogue state", half connected half disconnected. This is probably what happened to your samsung device

Temporary solutions :

don't edit your captive portal settings when users are connected if you ever have to edit them anyway, go to status->captive portal and click on "disconnect all". This will fully disconnect users

however, I just want to warn you that using a wifi router between you and the pfsense isn't optimal (it will force you to disable captive portal MAC filtering...which is not good)

why don't you setup directly a captive portal on your Wi-Fi router? if the router can't offer such functionality, why don't you buy a pfsense appliance or a small Wi-Fi switch such as Cisco aironet?

Thanks a lot Grimson. That solved the problem.

hi,

did you enabled HTTPS captive portal?
what is your default page in IE?

btw, IE is outdated and is going to be removed soon
could you test with edge?

@jane-doe2 said in After updating to version 2.4.4 "RADIUS MAC Authentication Failed.":

Therefore the Portal page contents can be left empty for this scenario?

Left to "default"that is - the default error page is not empty - it's a login page with an extra line that reflects the error that occurred during a previous login attempt.

I've been using a guide at (https://community.jisc.ac.uk/groups/eduroam/document/walled-garden-onboarding-user-devices-eduroam) . Plus some local systems which definitely do resolve to multiple IPv4 addresses.
If the limitation in Allowed Hostnames is using gethostbyname(), is it possible to request having that replaced by something that does handle multiple addresses? (e.g. getaddrinfo())