This seems very unintuitive
I would expect there to be a global list of vouchers ad whe one is used it is removed from the list.
The session for that MAC would then continue until it timed out, at which time a new voucher (or a login) would have to be used.
If this si not what happens , then, what DOES it do? and what value is it?

If my kids can share vouchers then I might as well turn off he whole feature.. the aim is to have them separate..

Checkout pfSense Forum » pfSense English Support » Captive Portal » [Captive Portal] Blocking a Previously White-listed MAC Doesn't Work Right.

Hi i will make the same thing.
Did your config work?

Good day sir??? is this already marked as functioning??  :)  I want to have this set up on my site … thanks

update to a current stable release. (try it on a testbed first)

perhaps ntop ?
https://github.com/ntop/ntopng/wiki/03-MySQL-FAQ

will probably needs some tweaking to get it to work

@simone:

….
    https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/user-id
....

So, before accessing your network that support this User-ID, the user should have this User-Id ….

I guess I place my bets on an alias that lists all Facebook IP's (IPv4 at least, and with IPv6 at best) - a list that would refresh every xx hours or so. Just some script file and the the cron package.

Or, this one : https://forum.pfsense.org/index.php?topic=134352.msg737158#msg737158 - I'm sure it could block all DNS resolving easily by returning 127.0.0.1 or ::1 if a "facebook.com" passes by.

OHH the forum isn't showing the imgur images!!

I figured a solution to take the MAC address from the DHCP lease and somehow give to the Captive Portal to authenticate through Freeradius. I still don't know how to do it but I'm walking on this way.

Hi,

No, people always enter wrong passwords first, nothing wrong with that, it seems normal.
Never had to restart something or pfSense for that matter afterwards.
Are you using the default "login" and default "error" page ?

Both default pages are identical, only the "error" page shows a message, if one is present. Like "User or password is wrong".

So, good news, all is well, but it seems something is wrong in your setup.
You are using the latest version, right ?

It depends on the Switch or Access Point you have in your LAN

if you have an Access Point that can do Multiple SSID's , VLAN's and Routing Capability then its possible

Wifi is connected ?

Run this on you PC:

ipconfig /all

When you disable the Captive portal, you have a connection to the net ?

What firewall rules on OPT ?

@kcallis:

As long as the CP is not enable (actually even when the CP is enabled), the client get DHCP correct:

Connection-specific DNS Suffix  . :

Wireless LAN adapter Wireless Network Connection:

Connection-specific DNS Suffix  . : local.lan
  Link-local IPv6 Address . . . . . : fe80::c887:397d:60d7:4e9e%14
  IPv4 Address. . . . . . . . . . . : 192.168.15.101
  Subnet Mask . . . . . . . . . . . : 255.255.255.0
  Default Gateway . . . . . . . . . : 192.168.15.1
….

You used

ipconfig

You should use

ipconfig /all

and then you would see what really happens  ;)

You will be seeing :

....   Serveurs DNS. . .  . . . . . . . . . . : 192.168.15.1 ....

This is valid for my setup - because as per DHCP-server instructions, I tell clients that "pfSEnse" is the DNS server - resolver.
You didn't.
You changed the rules.
You tell your clients that someone else should be used as the DNS server : Google DNS or 8.8.8.8

But … the default firewall - ipfw - rule says :

--- table(vl15_guest_host_ips), set(0) --- 192.168.15.1/32 0 0 0 0

which means : before authentication, only connections to 192.168.15.1 are possible.
The result is that DNS resolving is dead. "8.8.8.8" can't be reached.

It's ok if you want to use the DNS from Big Brother (Google, 8.8.8.8) but you should add this IP to the "Allowed IP addresses"  list.
read https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting again - first 5 lines. Now you understand  :)

edit : but I guess @heper is right. Live is so more easy if pfSense is the DNS for all connected clients.  It's so cool, nothing to maintain, rock solid, just perfect. I'm pretty sure you can make a deal with big brother.

Any Progess in this?

Morning,

No Radius setup ?

When devices present on the captive portal network segment (OPTx) want to communicate with other devices, present on other LAN segments (LAN or OPTy) you have to add firewall rule(s) on OPTx.

Example, I have a captiive portal on OPT1, 192.168.2.1/24 and several APs (192.168.2.2, 3, 4 ,5). These APs syslog to a syslog server on my LAN (192.168.1.1/24 using 192.168.1.14). I white-listed the IP's of these APs on the captive portal's setup pages and I setup a firewall rule on OPT1 so these IP's can communicate with an IP on my LAN.

Using host names (why not IP's ?) is fine, but check if every device, including pfSense can really resolve these domaine names to IP's.

All this doesn't explain why it could work sometimes, and sometimes it doesn't. I never had to reboot my pfSense to make things work.

I used it with great success for vouchers good for days or weeks. Set max clients to 1 and even if they change devices the old MAC gets bumped but they still get access. They do have to enter the voucher again to change devices but such is life.

Actually that is a mis-statement. You can either allow simultaneous use (no limit on the number of MAC addresses on a voucher) or disallow simultaneous use (A new entry of the voucher bumps the old MAC address).

A welcome feature would be to put the number of allowed MACs on a voucher in the voucher roll itself. That would be great but it doesn't currently exist.