yes, it is configured
the broblem is solved,

accBand.png
accBand.png_thumb

Thank you  :)
I have read you post an the Bug is Fix.  ::)
We are still testing everythin … any we need it for a little more peopla than 20 ;)
Do not get me wrong we love the pfsense.  :-*

The bit about getting internet access without validating through the portal page is apparently a known bug in 2.4.3:  https://forum.pfsense.org/index.php?topic=146046.msg795216#msg795216

Got that point,
But why CP is working fine means redirecting and not working on VLAN 50 (only showing redirected IP address)

2nd

where should be CP page store for VLAN 50 ?

Oi, você está postando no fórum Norte Americano, faça sua postagem aqui:
https://forum.pfsense.org/index.php?board=12.0  ;)

@alexssi:

No matter what URL I type, I always come across the captive portal page.

This is normal of course.
Any "http" access - when not authenticated - will be redirected to the captive portal login page : /usr/local/captiveportal/index.php - this is how the captive portal works.
But the "captiveportal-." are an exception.

Do you use http login or https login ?
Show us the correspond nginx setup files in /var/etc/ (not the names, what's in it).

These are mine :

[2.4.3-RELEASE][admin@pfsense.brit-hotel-fumel.net]/var/etc: ls -al nginx-*-CaptivePortal*.conf -rw-r--r--  1 root  wheel  2596 Apr 10 11:17 nginx-cpzone1-CaptivePortal-SSL.conf -rw-r--r--  1 root  wheel  2107 Apr 10 11:17 nginx-cpzone1-CaptivePortal.conf

What is your captive portal IP (IP of the NIC used by pfSense)
What is the hostname of pfSense and domain (System => General Setup) ?

in Services> FreeRADIUS> Users - "Number of Simultaneous Connections" you can limit how many log in per user account

@joeboypascual:

…
I want that the portal will appear automatically once connected in wifi or lan

And that's how it works.

If not, use Captive Portal Troubleshooting and you'll be fine.

OK, I was able to reproduce that now. I opened a ticket: https://redmine.pfsense.org/issues/8441

Sorry, no luck. Rather a general outcry that nothing was working that forced me to turn it off…
I think some of the kids services (push notices I suspect) kept the connection open and used up all their quotas while they were at school, so when they came home they found their quota used up and there was a lot of angry phone calls to dad while I was at work...

I now see there's an allowed IP section, so maybe I can let some things go through there, but I will have a hard time figuring out the IP addressess of things like Snapchat and whatever they decide to use.
No, I think I need a firm logout button for this to be accepted at home...

For now, I'm stuck with firewall rules and scedules, paired with a VPN connection so I can close and open things from my mobile if needed.

Does the TV need access to internet? Otherwise just block everything from that TV to everywhere else.

@fmohcine26:

… connect the TV by wifi and only by wifi

Unplug the wired ethernet.

Derelict nailed it…

Max-All-Session in radcheck
Set to interim accounting in captive portal

The message that you are receiving is that radius3
Does not understand Max-Forever-Session

Search forum for QHotspot

Hello Derelict, thanks for your reply.

Wifi-Garden it's a paid service and I want to construct my own with pfsense.

I tried a Blackhole DNS that redirects to a host with PHP scripts that do the magic redirecting to each CP, the problem is that I always receive the login page of each portal no matter if the user logged into the portal.

I read this post https://forum.pfsense.org/index.php?topic=34148.msg181641#msg181641

but in the documentation there is not much explanition on how this works
https://doc.pfsense.org/index.php/Captive_Portal_Pre-authentication_Redirect

Thanks to all for yours replies

I found out what was my BIG FAULT  :D

CP are assigned ports increasing by 2

8002, 8004,8006 and so on.

connecting to:

http://xxx.xxx.xxx.xxx:8002
http://xxx.xxx.xxx.xxx:8004, etc

Solved my problem

@krischeu:

First thing -    I will give DNS a try. Entry with DNS allow. Same error. No redirect.

Testing your DNS:
Use a PC with command line access.
Connect to you portal network.
Do not use the portal login page - if it shows up, just close it.
Open command line "cmd'.
Type

ping google.com

There will be no replies, but the domain should be resolved (google.com becomes [216.58.213.142] for me :

C:\Documents and Settings\Gertjan.BUREAU>ping -4 google.com Envoi d'une requête 'ping' sur google.com [216.58.213.142] avec 32 octets de données : .... ....

This means DNS is ok - resolving works.

@krischeu:

Second thing - When a client/customer has a "starting page" in the browser with a target https, what is your captive portal doing?

Read this : and start at here Read this again
So : you cable up, by plugging in the RJ45 plug - or you select a portal Wifi network (never ever have your device auto select Captive portal networks - selecting it needs manual interaction = you as a person entering voucher codes or user/passwords)) and the "login browser will popup. These codes may change, so automatic Wifi connection won't 'help' you here.
If it doesn't - upgrade your OS. Most OS's (Microsoft, Apple, Debian, Android's etc work fine).

@krischeu:

Third thing - pfsense book, I will talk to my boss for gold subscription.

The book talks about pfSense.
Captive portal handling is not a real pfSense thing.
It's more an unwritten RFC.
I tend to say : if your DNS is ok, Captive portal works.
(other problems are often : non-pfSEnse related : AP not setup up correctly. VLAN mess, etc)

Btw : I'm using the default Resolver (not the Forwarder) - my interface is OPT1 using IP 192.168.2.1/24. This is the gateway and DNS for all connected clients. When a client connects, it receives 192.168.2.1 as a DNS - and 192.168.2.1 as a gateway - and an IP like 192.168.2.x
When I check my ipfw tables / rules, as explained above - I have :

...--- table(CPZONE_NAME_host_ips), set(0) --- 192.168.2.1/32 0 1068615 38261875 1522157881 ....

which means that all connections send to "192.168.2.1" (the gateway and DNS for my portal) are passing.
No need to create a firewall rule for DNS traffic for my captive portal (on the interface for my portal) - it works out of the box - as long as you keep settings "out of the box".

Note : your DNS resolver should 'listen' to all interfaces - or at least to your local 'LAN/OPTx' interfaces ! Does it ? Same thing for the DHCP server.

What are your tables / rules ? ? ? ? ? ? ?

The images :
Image 1 : connection to the Portal network - called "BritHotelFumel". The "warning shiled" indicated that this network is not protected with WPA - that's ok for a captive portal network)
Image 2 : I connected to network …. Windows shows a popup (!). Click on this popup.
Image 3 : My default browser opens (remark : mine is FF with an empty page) It was NOT redirected to my portal login page. No problem, I enter http://www.google.com and bingo : my portal page shows. As you already know, typing https://www.google.com will fail.

On my iPhone all this is much simpler : I select a (my) captive portal network, the login portal shows. Period.
A Android … well .... I know more the day I have an android device. I know that my clients can work with my portal, so I guess it's ok.

1.png
1.png_thumb
2.png
2.png_thumb
3.png
3.png_thumb

Is this A problem?

dns.PNG
dns.PNG_thumb

Worked Great!

Thanks

@alexribeirodesa:

posted and found :)
https://community.spiceworks.com/topic/1952864-pfsense-bypass-rules-with-captive-portal-or-other-method

spiceworks.com ?

What about the user manual at https://doc.pfsense.org/index.php/Captive_Portal - it states cleary :

Pass-Through MAC Tab

Allows managing a list of MAC addresses which are allowed to bypass the portal.

When specified by MAC address in this way, the client's IP address may change and they will still be allowed through. However, the client will still be disconnected after the captive portal timeout period has elapsed.
Allowed IP addresses

Allows managing a list of IP addresses which can either:

Always connect from behind the portal (clients)
    Always allow clients to an IP address (external servers)

These IP addresses will bypass the portal authentication in the direction specified.