• 0 Votes
    9 Posts
    2k Views
    GertjanG

    bing.com or http://www.bing.com or http://www.bing.com ?
    I would choose one of the last 2.

  • Captive portal with freeradius3 - problem to validate user

    5
    0 Votes
    5 Posts
    945 Views
    marcosjostM

    Gertjan, many thanks for the help, this howto "killed" the problem...
    insert into radcheck (username,attribute,op,value) values("fredf", "Cleartext-Password", ":=", "wilma");
    attribute in freeradius3 is :=, and in freeradius2 I was using ==
    Changing the fields at radcheck:
    attribute from User-Password to Cleartext-Password
    op from == to :=
    Works fine
    Thanks!!

  • Captive Portal Time Out

    12
    0 Votes
    12 Posts
    1k Views
    DerelictD

    Good deal. Glad you found it.

  • captive portal login page help. [php]

    4
    0 Votes
    4 Posts
    2k Views
    GertjanG

    @srk3461 said in captive portal login page help. [php]:

    and but then internet does not work.

    "Doesn't work", that's more what an end-user would say.
    You, you are the administrator. You should say :
    "I checked the ipfw rules using ipfw table all list and discovered that the MAC/IP were not entered in the tables [ZONE]_auth_down and [ZONE]_auth_up." Did you look at these rules ?

    First, you should understand how a captive portal works, and how pfSense implemented it.
    You should read and understand /usr/local/captiveportal/index.php and this one where everything happens : /etc/inc/captiveportal.inc

    You will find out that the file you mentioned, captiveportal-login.php is just a small part of what happens, only some mysql lookups are done in there.
    Even if I was a real PHP and pfSense expert, I couldn't look at the code and "see" errors. I would then make the code more verbose (by logging to log files) and thus actually "see" what happens and when.

  • IPv6 with Captive Portal

    2
    0 Votes
    2 Posts
    821 Views
    GertjanG

    Hi,

    The captive portal is an IPv4-only solution. There is no "press-here-and-the-portal-will-be-IPv6-ready" button. Even assigning an IPv6, activating dhcpd6 etc will not make the captive portal IPv6-ready.

    It will be using IPv6 one day, no doubt about it, but we all have to wait several years for that one to come.

    By nature, the captive portal is a solution to give controlled access to the Internet (or extra-net) for unknown visitors and devices. The only thing that counts right now, is this connection. Today, and most probably also tomorrow, an IPv4-only connection will do, as all devices are IPv4 compatible right now.

    edit : more details here : https://redmine.pfsense.org/issues/1831

  • Request: blocked hostname

    14
    0 Votes
    14 Posts
    2k Views
    GertjanG

    When using multiple APs, all hooked up to a 'dumb' switch, and this switch hooked up to an OPTx interface on pfSense, each AP should be forced to allow communication to OPTx - and nobody else (any other device on the switch).
    Client Isolation, or whatever the name is, on each AP isn't enough.

    Consider "AP1" and 2 clients connected to it. Client Isolation on this AP handles the job. But a third client, connected to AP2 would be able to "see" client 1 and 2 on AP1.

    On a low-budget Cisco/Linksys - typically an E1200 - using the DD-WRT OS, this can be handled with :

    #!/bin/ash
    insmod ebtables
    insmod ebtable_filter
    ebtables -t filter -A FORWARD -s 0:0:0:0:0:0/0:0:0:0:0:0 -d Broadcast -j ACCEPT
    ebtables -t filter -A FORWARD -s 0:0:0:0:0:0/0:0:0:0:0:0 -d 00:0f:b5:fe:4e:e7 -j ACCEPT
    ebtables -t filter -A FORWARD -s 00:0f:b5:fe:4e:e7 -d 0:0:0:0:0:0/0:0:0:0:0:0 -j ACCEPT

    "00:0f:b5:fe:4e:e7" is the MAC of my OPTx (pfSense - Captive portal) interface.
    It states :
    Allow all broadcasts.
    Allow all traffic coming to interface OPTx
    Allow all traffic coming from OPTx
    (drop the rest)

    With these ebtables rules on each AP, inter-AP communication is prohibited.

    I guess the same result can be obtained with a "smart switch".

  • Captive Portal Status Users not showing

    2
    0 Votes
    2 Posts
    598 Views
    GertjanG

    Hi,

    Can you show the last 20 lines from the captive portal log ?
    Status => System Logs => Captive Portal Auth

    I've been using "local users" for years. The GUI widget, and the "Status => Captive Portal => [zone]" always showed logged in users.

    Btw : are these users really logged in ? It's not some "web pages" in the pfSense GUI that prove that, but this information : https://www.netgate.com/docs/pfsense/captiveportal/captive-portal-troubleshooting.html

    ipfw table all list

    The XXX_auth_up and XXX_auth_down tables contain the IP/MAC of all the connected users.

    Some fancy setup might provoke what you are seeing - or not seeing - right now, but I can't figure out how "they" did so.

  • Ping the access points of a captive portal

    7
    0 Votes
    7 Posts
    623 Views
    johnpozJ

    That image looks the same as the first image - thought you were going to fix the network? You added a switch is what? Vlan capable and you have vlan 192.168.32/23?

    This would be typical setup removing your asymmetrical network with hosts on your 192.168.1 transit

    0_1534942578470_typicalsetup.png

    Do you really have so many AP that you need a /23, and so many wireless clients that a /16 makes sense?

  • MAC auth radius server

    1
    0 Votes
    1 Posts
    520 Views
    No one has replied
  • Captive portal without zone name

    Locked
    9
    0 Votes
    9 Posts
    2k Views
    johnpozJ

    Please do not reply to thread when so old.. OP found a solution, and anyone else looking such old threads are going to be based on OLD versions so might not even apply any more or work differently, etc... Thanks

  • Disable Nat and use CP in routed mode

    6
    0 Votes
    6 Posts
    930 Views
    DerelictD

    It uses the routing table whether you use NAT or not.

    Yes, you can make outbound NAT as simple or as complicated as you require.

    Something tells me you are not accurately communicating what you are trying to do though.

  • Captive portal for visually impaired and blind people

    2
    0 Votes
    2 Posts
    452 Views
    C

    You need to upload your own version of the captive portal page and add in the needed attributes and make it screen reader compatible. You can create vouchers, please download and install on a virtual machine with a single interface to look at how it works, or set up a VM with multiple interfaces and test using a visually impaired screen reader on any number of linux dumb terminals.

  • With CP enable the following stop working

    14
    0 Votes
    14 Posts
    2k Views
    GruensFroeschliG

    Well the WAN and the LAN just need to be in different subnets.
    Doesn't really matter which.
    e.g. keep the LAN on 172.16/16 and move the WAN and Modem to 172.17/16.

  • Suggestions for a changing landscape.

    4
    0 Votes
    4 Posts
    401 Views
    N

    Thank you! I will check out the hangouts--been meaning to enable https on the portal now that we are rolling w/ ACME, but I didn't realize it would help the situation.

    It's possible the trouble we've been having with Avast (and I assumed firefox soon) is related to a firewall rule we've used to limit DNS to pfsense. Will dig deeper. Appreciate all you have done and continue to do @jimp

  • CP not allowing "allowed hosts" consistently

    2
    0 Votes
    2 Posts
    344 Views
    Q

    Might be solved.

    I had 20 or so hosts listed but have removed all but 2 of them and turned off DNS resolver. This seems to have resolved the situation.

  • Captive portal Using VLAN

    2
    0 Votes
    2 Posts
    467 Views
    jimpJ

    There is nothing special about Captive Portal on VLANs. It works the same as any other interface type.

  • 0 Votes
    3 Posts
    674 Views
    GertjanG

    @conanhughes said in Client who disconnected with a logout button regains Internet access when the voucher (or FreeRadius account) he used is entered in another device:

    EDIT: I don't know if it matters, but I also already enabled Disable Concurrent user logins.

    Be careful with this one.
    Read https://www.netgate.com/docs/pfsense/captiveportal/using-captive-portal-with-freeradius.html

    The most recent update actually restored somewhat the "expected behavior".

    When you use the Captive portal and really want to understand what happens, there is something more than the GUI to look at : https://www.netgate.com/docs/pfsense/captiveportal/captive-portal-troubleshooting.html
    You'll be seeing the "ipfw" firewall rules that make the portal actually work. Probably impressive the first time you see them, but, hey, what the heck, you're running a firewall, these rules are what makes it work.
    (and you would have detected that the GUI said that there is no user connected anymore - but the rules said otherwise, permitting you to find a "problem" in a split second)

    It's not your question, but still missing today is the "Use the first login, and do not accept any other logins, when using vouchers" - thus enforcing the rule : "one voucher - one user - one device, the first device he'll be using - and not share the voucher, even with himself (the user)".

  • Captive portal problem

    2
    0 Votes
    2 Posts
    497 Views
    GertjanG

    Hi,

    The WAN IP changes for millions of us every day or every week. That didn't "break" the portal.

    But : changing the LAN could imply far more than "change some data on the Interface page and done". You didn't say what you did - neither if this implies settings on packages like "squid, squidward, clamav, cicap, snort" (I'm using none of these) so ... can't tell from here what you forgot to change.

    Btw ; but you did find one more reason not to run the captive portal on LAN - thanks for that.

  • http://connectivitycheck.gstatic.com/generate_204 error with https login

    8
    0 Votes
    8 Posts
    234k Views
    GertjanG

    Adding "connectivitycheck.android.com" to the allowed host list doesn't seem a good idea to me.
    This URL is probably a member of the http challenge page that the OS is using to check if a portal is present.
    When whitelisting this URL (an IP) the OS will conclude no portal is present, and a direct connection to the net is available. The user will get directed to the captive portal login page when another http request to somewhere else passes by.

    See also https://android.stackexchange.com/questions/123129/how-does-wifi-in-android-detect-if-the-device-has-to-sign-in-or-not

  • Voucher card for one device

    3
    0 Votes
    3 Posts
    533 Views
    DerelictD

    If you enable the Enable Pass-through MAC automatic addition with username the MAC entry will be expired/pruned along with the voucher when the voucher expires. I am not sure what happens if you disable the voucher as username. I would guess the MAC address entry stays until manually cleared.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.