• Captive Portal logout page not working

    5
    0 Votes
    5 Posts
    957 Views
    GertjanG

    Hi,

    I know, time is money.
    But if you have 5 minutes, this https://forum.netgate.com/topic/78016/captive-portal-manual-logout might work for you.

    If not, you should communicate the logout URL to the users. Forget about the popup-logout windows, most users will never see them. Did you see it? This page shows the URL needed, and how it works.

  • Captive Portal Not Working

    5
    0 Votes
    5 Posts
    822 Views
    GertjanG

    Also :
    https://www.netgate.com/docs/pfsense/captiveportal/index.html for basic setup guidelines.
    Use the "make it work first" approach.
    This means : leave everything at default. Always. After installing pfSense, activate your WAN.
    Then activate captive portal on LAN.
    This takes 120 seconds max.

    If you really want to use your own ideas, ok, have them validated here : https://www.netgate.com/docs/pfsense/captiveportal/captive-portal-troubleshooting.html
    For example, most issues are just plain DNS issues (aka : not using the built-in Resolver, which means they did change default settings).

    What you should know : the captive portal isn't really a program or service.
    It's just :
    A web server serving a "login" page.
    Some nifty firewall rules (30 years old technique).
    And the big surprise : captive portal works, because support is included in the OS the visitor is using - support is included in the web browser the user is using.

    A captive portal needs a perfect network setup (relax : only IPv4 - things will get nasty when IPv6 comes along)

  • Youtube app Not working on my pfsense

    3
    0 Votes
    3 Posts
    753 Views
    johnpozJ

    Yup I would concur - I mean if you're going to be using a firewall from 2014, your devices should be from that era as well ;)

  • Redirect all pages to Captive Portal login page until authenticated

    10
    0 Votes
    10 Posts
    4k Views
  • Voucher Database Synchronization

    2
    0 Votes
    2 Posts
    1k Views
    F

    Hello,

    In short, High availability for captive portal is not working at all currently :

    The only part that is supposed to work is the synchronization of available/used vouchers (meaning each node will be aware of which vouchers have already been used or not).
    Connected users synchronization is NOT working (meaning if one user connects on a node, he/she won't be considered as connected on the other node). This feature has not been implemented yet in pfSense. There is a feature request asking for it : https://redmine.pfsense.org/issues/97
    For available/used vouchers sync, only master->slave synchronization is working correctly. Backward sync (slave->master) is not working correctly, even if it should (see https://redmine.pfsense.org/issues/7972#note-5 )

    There is ongoing work for a real captive portal High Availability implementation. No ETA or expected ready time however, that's just ongoing work and it may be available in a very long time...or maybe never.

    If you still want to configure vouchers synchronization despite these elements, here is how you can do it :

    You do need to configure both System -> High Availability Sync (on the master node) and Services -> Captive Portal -> NameZone -> Vouchers (on the slave node).
    The configuration area Services -> Captive Portal -> NameZone -> Vouchers has to be filled only in slave node (the purpose of this setting is to perform backward sync). Don't configure these settings on the master node.
    Voucher sync port in your config should be the port of the master node's web GUI (normally, 80 or 443. But not 8888).
  • Unreachable portal captive page www.msftconnecttest.com

    2
    0 Votes
    2 Posts
    977 Views
    F

    This is a known issue. It happens because you re-configured your captive portal while you were connected to it.

    You should have a look at https://redmine.pfsense.org/issues/8616 and https://github.com/pfsense/pfsense/pull/4031

  • Authentication in external freeradius

    7
    0 Votes
    7 Posts
    3k Views
    F

    I hate it not having details when a solution is provided.

    I ran into this same issue when I was trying to get captive portal to authenticate to an external freeradius server I had set up on a different LAN, and this is how I figured it out:

    1. Test the user/locally on your radius server and ensure you have the right user/pass combo first.
    2. Ensure that your client and your pfsense box are able to ping the external radius server. That's obvious. If having problems, check your firewall logs, rules and if needed whitelist the radius server in your captive portal configuration.
    3. Get freeradius started in debug mode on your external radius server.
       a. First turn off the service and then start it back up again using either radiusd -x or freeradius -X on your external radius server and ensure you get the prompt to see the requests as they come in.
    4. Try to authenticate to the server from the client. I was using captive portal so I tried with a known good user.
    5. Check the console on your radius server to see where the request is coming from and why it is being ignored or rejected.

    My particular problem was that I set the client.conf file on the radius server with the IP address of the LAN where I set up captive portal, and I should've set up the IP address of the interface facing the radius server instead. This was obvious once I saw the authentication requests being ignored by the radius server while in debug mode, as they were not coming from the IP I set up in the client.conf.

    Hope this helps someone

  • Captive Portal Voucher remain Active

    5
    0 Votes
    5 Posts
    608 Views
    M

    I would think by your own discovery it's designed to be non stop. Think about it like an internet cafe, and people are paying for a block of time. I'm sure there are more elaborate setups where you can get a report about how much time or data a user has consumed but I'm guessing this isn't what you are looking for in your home environment. Again I don't use CP that way so I may be speaking from a place of pure ignorance.

  • Captive portal external DHCP

    5
    0 Votes
    5 Posts
    2k Views
    F

    @gsa-tech Beautifully simple.. thank you.

  • Out of the Box Captive portal not working

    12
    0 Votes
    12 Posts
    2k Views
    GertjanG

    Classic ☺

    Although using the LAN interface as the captive portal interface isn't the best choice, it has something very important : a general pass rule.
    On a dedicated interface, you need to pass traffic that you would allow for your users. One of them should take care of "UDP traffic to any port 53". Simply copying the default rule from LAN will do the trick.
    Of course, you can narrow down your rules for captive portal users (actually, you should !) but again : do not forget to have DNS coming in.
    The default ipfw rule set adds the IP of the interface of the Captive portal as an accepted "all traffic" destination : this means that when you use the resolver unbound or forwarder dnsmasq on pfSense, you'll be fine without thinking about DNS issues or rules.
    When you want to communicate all DNS requests to some outsider then you have to deal with it.

    Consider this : no one ever asks about : what is needed for DHCP ?
    On any interface, LAN and others, the ip firewall does accept incoming broadcasts, and replies, all for port 69. Without these, even DHCP wouldn't work .... Hidden 'DHCP' rules are set up for every LAN type interface.
    Remember : if no pass rules are triggered, the firewall blocks.

  • Captive portal not redirecting on https requests. problem on every browser

    32
    0 Votes
    32 Posts
    11k Views
    GertjanG

    @fahad77678 said in Captive portal not redirecting on https requests. problem on every browser:

    @gertjan
    is it necessary to add captive portal ports in the firewall's wan and lan rules ?
    if it is, then which ports should i add to the rules ?

    Two cases :
    If you activate the portal on the LAN you have nothing to do : the default firewall rule is a pass-all, the portal will work right away.
    If you activate the captive portal on an extra interface (the best choice !), like OPT1, you have to, initially, add one firewall rule : the same one as you can find on the LAN interface.
    Like this :

    [image]

    Never ever add firewall rules to the WAN interface. Rules for that interface belong to the experts.

  • Download Apps behind a Captive Portal

    3
    0 Votes
    3 Posts
    967 Views
    M

    Thank you for your answer.

    By your second part, I think you misunderstood what the client wants a little.

    The app itself is on the classic app store (google, apple), but the content is local (in the box). If the client is a museum for example, all the details of the exposition are local. Like that, it can be changed every time an exposition changes.

    The popup page is done by dev and already finished. I provide systems expertise, in that case pfsense. My client DOESN'T want authentication.

    Like I say, I don't have all the technical details but the scenario would be (museum example) something like that:

    Visitor comes to museum, buys a ticket
    Clerk sells ticket and says "You can have more info if you download the museum app"
    Visitor connects to museum wifi
    The popup pops up(?), with a link to the app stores (google or apple).
    The user chooses to download or not.
    When he leaves the front desk, he loses the wifi but the app with the museum info is in the phone so no 4G

    The issue is with the popup which doesn't pop or block the user.

    Is it clearer? Frankly, I'm not sure I can do better because I don't have more information about the situation.

    Still thank you again for the reply

  • Captive portal auth page not reachable

    10
    0 Votes
    10 Posts
    1k Views
    I

    this is what I thought, I will try that
    thank you for the help

  • 0 Votes
    3 Posts
    616 Views
    GertjanG

    Typically, captive portals host only unknown, non trusted devices from unknown visitors.
    You should let them out to the Internet when they identify themselves. You should even enforce the fact that they can't communicate with each other.
    This is what windows does when you indicate that the network is "public".
    You should put your AP's in client isolating mode.

    Best will be : put the captive portal on an OPTx or VLAN interface, dedicated for these visitors.
    Known and trusted devices could be on the LAN interface.

    Btw no iptables on FreeBSD. It's 'ip' and 'ipfw' here.

  • Custom Captive Portal Page

    5
    0 Votes
    5 Posts
    2k Views
    W

    @free4

    So I went back and had another look at it, and have found the correct path to the file..

    <img src="captiveportal-filename.jpg">

    Now that works just fine.

    Now I move on to the next issue with the page and that is that the fonts in the frame show as White, on a washed out white logo image. Very hard to read. The fonts should be black...
    Just another small issue to get the bug worked out of.

    Thanks for the reference to the file manager source file path as that once I discovered it was in the root of the captive portal helped a lot and corrected that issue.

    D

  • 0 Votes
    14 Posts
    1k Views
    johnpozJ

    Why do you think you need that? You have a vlan switch - does this itx box not even have 1 nic?

  • Captive Portal User Login 404 Error.

    2
    0 Votes
    2 Posts
    477 Views
    GertjanG

    Hi !

    What do you mean by :

    @sa-hein-khant-i said in Captive Portal User Login 404 Error.:

    could you pls solve this issue.

    Does someone have to come over to correct your settings ?

    The "Logout popup window" is a pretty useless functionality these days as most browsers do not permit popups to pop anymore (most users disable this function).
    I'm using an iOS device (version 12.1.2) and the built-in web browser (not Safari or other browser, it's some OS built-in browser) doesn't even open the built-in popup logout page. It looks like it's discarded.

    What does show up in (my) upper left corner is a text that says that the visitor is redirected to (my setup) : https://www.google.com - and that's what happens.
    So no error for me.

    Btw : I'm using a dedicated NIC for my portal, hooked up to a switch that is hooked up to 5 AP's. Works great for many years now.

    Note : If you change portal settings, do not forget to disconnect all connected (authenticated) users (as is discussed many times now the last several months).

  • PFSense 2.4.4_1 Authentication failed

    9
    0 Votes
    9 Posts
    1k Views
    D

    @free4 said in PFSense 2.4.4_1 Authentication failed:

    did you update from 2.4.3?

    I updated it from 2.4.4

  • Connecting to RADIUS Server

    12
    0 Votes
    12 Posts
    2k Views
    S

    @free4 said in Connecting to RADIUS Server:

    Is there a reason why you are using this product? Why aren't you using FreeRADIUS like most people?

    In my country (IRAN), for logging purposes we should use IBsng (the only solution the police accept for tracing bad users).
    Thanks for your reply. I will try FreeRADIUS. Is there any GUI for this software? I am not familiar with Linux.

  • 0 Votes
    2 Posts
    288 Views
    F

    Hello, I'm sorry but I didn't understand your message

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.