@jimp
I need voucher to be 5-6 characters ideally and 7 chars at most.
I copied those from some post about reducing the length of the voucher from a post floating on this forum.

@rdugaue said in External wifi router and Captive Portal. (possible?):

@derelict Yes, if I had spare lan port to do this I would have long ago. The sg-1000 has 1 wan/1 lan.

So get a managed switch and use VLANs to separate your inside network segments or get a router with enough ports for your use case.

this issue continues since the previous version. previously reported.
https://redmine.pfsense.org/issues/8514
https://forum.netgate.com/topic/132264/unable-to-login-loop/6

@gertjan

I know is possible but how the connection is done that's what I wanted to know. I currently have Ubuntu Server running MySQL how to connect it to the pfsense freeradius server is my problem.

Thanks

Hi, see, for example, what has been said here External wifi router and Captive Portal. (possible?).

If you have some time ( a small hour), take at look at the official videos mentioned in that thread. All issues I've seen for the last ten (10 ! ) years are treated.

As far as I know, there are no problems using any recent browser right now.

See for yourself pfSense Hangout Captive Portal - May 2017 - start at around 51 minutes, 20 seconds.
See the entire video - it's worth it, every second ;)

Hi,

Check :

0_1537005240365_86fe0274-6e78-47fd-8806-10511b965624-image.png

The device (PC) is still connected to the network. But all traffic will hit the firewall, and no pass rules present any more.
A login page will appear if that device (PC) throws out a http://www.google.com using a browser.
It's perfectly normal that that device (PC) can ping the IP of pfSense and DNS works, otherwise the captive portal would never show up.

Btw : the "private public key " is just a way to generate the Voucher codes so that people can't fabric their own codes, nothing more.
What also would make showing up the captive portal : shut down the network connection like pulling out the cable or shutting down the wifi. Wait a couple of seconds, and activate again. The OS-magic will make a hidden test-http request for you, and the portal login page shows up again.

bing.com or http://www.bing.com or http://www.bing.com ?
I would choose one of the last 2.

Gertjan very thanks for the help, this howto "kill" the problem...
insert into radcheck (username,attribute,op,value) values("fredf", "Cleartext-Password", ":=", "wilma");
attribute em freeradius3 is :=, and in the freeradius2 i was use ==
Changing the fields at radcheck:
attribute from User-Password to Cleartext-Password
op from == to :=
Works fine
Thanks!!

Good deal. Glad you found it.

@srk3461 said in captive portal login page help. [php]:

and but then internet does not work.

"Doesn't work", that's more what an end-user would say.
You, you are the administrator. You should say :
"I checked the ipfw rules using ipfw table all list and discovered that the MAC/IP were not entered in the tables [ZONE]_auth_down and [ZONE]_auth_up)." Did you look at these rules ?

First, you should understand how a captive portals works, and how pfSense implemented it.
You should read and understand /usr/local/captiveportal/index.php and this one where everything happens : /etc/inc/captiveportal.inc

You will find out that the file you mentioned, captiveportal-login.php is just a small part of what happens, only some mysql lookups are done in there.
Even if I was a real PHP and pfSense expert, I couldn't look at the code and "see" errors. I would the make the code more verbose (by logging to log files) and thus actually "see" what happens and when.

Hi,

The captive portal is a IPv4 only solution. There is no "press-here-and-the-portal -will-be-IPv6-ready" button. Even assigning an IPv6, activating dhcpd6 etc will not make the captive portal IPv6-ready.

It will be a using IPv6 once, no doubt about it, but we all have to wait several years for that one to come.

By nature, the captive portal is a solution to give controled access to the Internet (or extra-net) for unknown visitors and devices. The only thing that counts right now, is this connection. Today, and most probably also tomorrow,an IPv4-only connection will do, as all devices are IPv4 compatible right now.

edit : more details here : https://redmine.pfsense.org/issues/1831

When using multiple AP's, all hooked up to a 'dumb' switch, and this switch hooked up to an OPTx interface on pfSense, each AP should be enforced to allow communication to OPTx - and no body (any other device on the switch) else.
Client Isolation, or what ever the name is, on each AP isn't enough.

Consider "AP1" and 2 clients connected to it. Client Isolation on this AP handles the job. But a third client, connected to AP2 would be able to "see" client 1 and 2 on AP1.

On a low-budget Cisco/Linksys - typically an E1200 - using the DD-WRT OS, this can be handled with :

#!/bin/ash insmod ebtables insmod ebtable_filter ebtables -t filter -A FORWARD -s 0:0:0:0:0:0/0:0:0:0:0:0 -d Broadcast -j ACCEPT ebtables -t filter -A FORWARD -s 0:0:0:0:0:0/0:0:0:0:0:0 -d 00:0f:b5:fe:4e:e7 -j ACCEPT ebtables -t filter -A FORWARD -s 00:0f:b5:fe:4e:e7 -d 0:0:0:0:0:0/0:0:0:0:0:0 -j ACCEPT

"00:0f:b5:fe:4e:e7" is the MAC of my OPTx (pfSense - Captive portal) interface.
It states :
Allow all broadcasts.
Allow all traffic coming to interface OPTx
Allow all traffic coming from OPtx
(drop the rest)

With these ebtables rules on each AP, inter AP communication is prohibited.

I guess the same result can be obtained with a "smart switch".

Hi,

Can you how the last 20 lines from the captive portal log ?
Status => System Logs => Captive Portal Auth

I've been using "local users" for years. The GUI widget, and the "Status => Captive Portal => [zone]" always showed logged in users.

Btw : are these user really logged in ? It's not some "web pages" in the pfSenbse GUI that proves that, but this information : https://www.netgate.com/docs/pfsense/captiveportal/captive-portal-troubleshooting.html

ipfw table all list

The XXX_auth_up and XXX_auth_down tables contain the IP/MAC of all the connected users.

Some fancy setup might provoke what you are seeing - or not seeing - right now, but I can't figure out how "they" did so.

That image looks the same as the first image - thought you were going to fix the network? You added a switch is what? Vlan capable and you have vlan 192.168.32/23?

This would be typical setup removing your asymmetrical network with hosts on your 192.168.1 transit

0_1534942578470_typicalsetup.png

Do you really have so many AP that you need a /23, and so many wireless clients that a /16 makes sense?

It uses the routing table whether you use NAT or not.

Yes, you can make outbound NAT as simple or as complicated as you require.

Something tells me you are not accurately communicating what you are trying to do though.

You need to upload your own version of the captive portal page and add in the needed attributes and make it screen reader compatible. You can create vouchers, please download and install on a virtual machine with a single interface to look at how it works, or set up a VM with multiple interfaces and test using a visually impaired screen reader on any number of linux dumb terminals.

Well the WAN and the LAN just need to be in different subnets.
Doesn't really matter which.
e.g. keep the LAN on 172.16/16 and move the WAN and Modem to 172.17/16.