• How to setup captive portal with my linksys router

    10
    0 Votes
    10 Posts
    4k Views
    GertjanG
    Wifi is connected? Run this on your PC: ipconfig /all When you disable the Captive portal, you have a connection to the net? What firewall rules on OPT?
  • APs, VLANs and no access, oh my!!!

    7
    0 Votes
    7 Posts
    638 Views
    GertjanG
    @kcallis: As long as the CP is not enabled (actually even when the CP is enabled), the client gets DHCP correct:
        Connection-specific DNS Suffix  . :
        Wireless LAN adapter Wireless Network Connection:
           Connection-specific DNS Suffix  . : local.lan
           Link-local IPv6 Address . . . . . : fe80::c887:397d:60d7:4e9e%14
           IPv4 Address. . . . . . . . . . . : 192.168.15.101
           Subnet Mask . . . . . . . . . . . : 255.255.255.0
           Default Gateway . . . . . . . . . : 192.168.15.1
    ….
    You used ipconfig. You should use ipconfig /all and then you would see what really happens ;) You will be seeing:
        ....
           Serveurs DNS. . .  . . . . . . . . . . : 192.168.15.1
        ....
    This is valid for my setup - because as per DHCP-server instructions, I tell clients that "pfSense" is the DNS server - resolver. You didn't. You changed the rules. You tell your clients that someone else should be used as the DNS server: Google DNS or 8.8.8.8. But … the default firewall - ipfw - rule says:
        --- table(vl15_guest_host_ips), set(0) ---
        192.168.15.1/32 0 0 0 0
    which means: before authentication, only connections to 192.168.15.1 are possible. The result is that DNS resolving is dead. "8.8.8.8" can't be reached. It's ok if you want to use the DNS from Big Brother (Google, 8.8.8.8) but you should add this IP to the "Allowed IP addresses" list. Read https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting again - first 5 lines. Now you understand :)
    edit: but I guess @heper is right. Life is so much easier if pfSense is the DNS for all connected clients. It's so cool, nothing to maintain, rock solid, just perfect. I'm pretty sure you can make a deal with big brother.
  • Captive Portal / Post to Facebook to Login

    11
    0 Votes
    11 Posts
    7k Views
    T
    Any progress in this?
  • Captive Portal - timeout

    2
    0 Votes
    2 Posts
    571 Views
    GertjanG
    Morning, No Radius setup ?
  • Captive Portal Problems

    4
    0 Votes
    4 Posts
    851 Views
    GertjanG
    When devices present on the captive portal network segment (OPTx) want to communicate with other devices, present on other LAN segments (LAN or OPTy), you have to add firewall rule(s) on OPTx. Example: I have a captive portal on OPT1, 192.168.2.1/24, and several APs (192.168.2.2, 3, 4, 5). These APs syslog to a syslog server on my LAN (192.168.1.1/24 using 192.168.1.14). I white-listed the IPs of these APs on the captive portal's setup pages and I set up a firewall rule on OPT1 so these IPs can communicate with an IP on my LAN. Using host names (why not IPs?) is fine, but check if every device, including pfSense, can really resolve these domain names to IPs. All this doesn't explain why it could work sometimes, and sometimes it doesn't. I never had to reboot my pfSense to make things work.
  • Captive portal assign ip only if user has voucher code, no security on ssid

    11
    0 Votes
    11 Posts
    2k Views
    DerelictD
    I used it with great success for vouchers good for days or weeks. Set max clients to 1 and even if they change devices the old MAC gets bumped but they still get access. They do have to enter the voucher again to change devices but such is life. Actually that is a mis-statement. You can either allow simultaneous use (no limit on the number of MAC addresses on a voucher) or disallow simultaneous use (A new entry of the voucher bumps the old MAC address). A welcome feature would be to put the number of allowed MACs on a voucher in the voucher roll itself. That would be great but it doesn't currently exist.
  • How to direct wifi user only to pfsense landing page ?

    2
    0 Votes
    2 Posts
    809 Views
    GertjanG
    Hi, Added to this : https://forum.pfsense.org/index.php?topic=84800.msg465167#msg465167 : use a dedicated (third)  interface for the Portal interface and hookup all the wifi access to it.
  • MOVED: captive portal installation

    Locked
    1
    0 Votes
    1 Posts
    318 Views
    No one has replied
  • Captive Portal Voucher reauthentication

    2
    0 Votes
    2 Posts
    786 Views
    GertjanG
    Hi, What are your portal settings? I'm not using vouchers myself, just toying with them once in a while. When vouchers are used - and accepted - the MAC address of the authenticated device is put in a table in the firewall that runs on the captive portal. From then, for the time the voucher is valid, that device/visitor will pass through. This rule will be removed when the time is up (duration of the voucher). The visitor could take a world trip, but when he comes back, and there is still time left, his MAC will be there in the firewall table, and he can access the net using your portal just fine. No need to re-authenticate. Note: the voucher-timer will not stop while the visitor is on his world trip! Check: When a visitor uses a voucher (authenticates), can you see the MAC in the log and status in pfSense? When he comes back, the MAC is still there? His MAC is still the same?
  • Captive Portal acting weird in 2.4(2.4.2-RELEASE-p1)

    36
    0 Votes
    36 Posts
    3k Views
    A
    Yep, I installed pfSense 2.3.5 and set everything up, runs flawlessly, thanks for the help everyone, hope my bug is just random and will be automagically fixed in the next update :D
  • Captive Portal accepts clients without Voucher

    8
    0 Votes
    8 Posts
    823 Views
    GertjanG
    There is another thread going on about filterdns.
  • Problem with Captive Portal on Chelsio T520-SO-CR ports

    2
    0 Votes
    2 Posts
    417 Views
    M
    I have mine running on Chelsio 10GBASE-CX4 S320E-CXA 10GbE adapter and everything is working well for me. I am using : 2.4.3-DEVELOPMENT (amd64) built on Tue Dec 19 18:22:48 CST 2017 FreeBSD 11.1-RELEASE-p6 Which seems to be working well. Don't know if your environment will allow you to run a development branch but it is running very stable and I have not had any issues other than Captive Portal authenticating against LDAP but looks like that will be fixed soon. See https://github.com/pfsense/pfsense/pull/3640
  • 0 Votes
    4 Posts
    983 Views
    GertjanG
    Good ! This is probably a small bug then - consider it squashed. edit : notified : https://redmine.pfsense.org/issues/8238
  • Captive Portal need to auth again and again.

    4
    0 Votes
    4 Posts
    631 Views
    GertjanG
    What about this one : @Gertjan: …... IF MAC & IP are the same they can not hit the portal login page, because ipfw firewall rules are letting through the connection. So, next question : Use this https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting and check the tables to see if MAC and IP are there - they should be there, except if hard or soft time out event removes them. ?
  • Captive portal login

    2
    0 Votes
    2 Posts
    902 Views
    GertjanG
    @asy67: …. however, when a user tries to browse 192.168.10.1 during their session, the admin page (pfsense) appears. How am I going to avoid the view of the admin page while they are in their session?
    Any device hooked up on the LAN can access the GUI - that is normal and by design; all "trusted devices" should live on LAN, non-trusted devices should use another interface: OPT1, OPT, etc. Typically, a captive portal is used by non-trusted devices; you found out the exact reason why, normally, a captive portal should be set up on an OPTx interface.
    Visit System => Advanced => Admin Access and check the "Anti-lockout" checkbox. If it isn't checked, some hidden rules even permit this access all the time from any device on the LAN.
    When this is unchecked, access to the webConfigurator on the LAN interface is always permitted, regardless of the user-defined firewall rule set. Check this box to disable this automatically added rule, so access to the webConfigurator is controlled by the user-defined firewall rules (ensure a firewall rule is in place that allows access, to avoid being locked out!) Hint: the "Set interface(s) IP address" option in the console menu resets this setting as well.
    However, what you really need is a firewall. And, good news, pfSense is a firewall. So it becomes a matter of setting up some rules and you're done. I advise you to:
    Add a static DHCP lease for YOUR PC, the device you trust, the device you use to admin pfSense. This way, your device will always receive the SAME IP.
    Then, add a rule on the LAN interface that accepts connections coming from your device (== source == IP from your device) to pfSense (destination == "This firewall"), destination port 80 or 443 (in case of https GUI access).
    Right after this rule, put in place a block rule, source = Any, destination "This Firewall", destination port 80 and/or 443.
    Third rule: put in place an "any to any rule" (for testing purposes only).
    After this third rule are your other LAN captive-portal-related rules. Validate your rules.
    Then, visit System => Advanced => Admin Access and remove the check for "Anti-lockout"!
    Test now, and see that these rules work - use YOUR PC, check that the IP is ok (release and renew your IP to get the right one, the one you are using in your rules!) and that you can login from your PC. Use ANOTHER "untrusted" PC, login to the portal, and check that you can NOT login - BUT that you are using the third (pass-all) rule. The counters in front of the rules shown in the GUI-Firewall-LAN will show the rules are used.
    If all is ok, remove this third rule - you are using a captive portal, your other firewall rules follow.
    See image. The "192.168.1.6" is my trusted IPv4 (2001:470:1f13:5c0:2::c6 also) and as you can see the counters in front of the IPv6 rule work, because I'm using IPv6. This is why I have 2 rules. I could also use an Alias for those 2 IPs and combine IPv4+IPv6 as a rule. Note that I'm using only https access, so only port 443.
    [image: FWR2.PNG]
  • Captive Portal Register Mac and autentication LDAP

    2
    0 Votes
    2 Posts
    384 Views
    GertjanG
    Hi, Auto MAC adding exists - see captive portal setup page (and doc). So when you choose an existing authentication system, you are fine. LDAP isn't mentioned on that page, so … well .. no. But, you should follow - well, better: help with this: https://github.com/pfsense/pfsense/pull/3640 which is probably what you are asking for.
  • Hundreds of unused states

    1
    0 Votes
    1 Posts
    489 Views
    No one has replied
  • Unused Vouchers shown as expired

    10
    0 Votes
    10 Posts
    1k Views
    DerelictD
    When I used them I used a 31-bit RSA key for shorter codes and never saw a problem. I was not issuing "lots" of vouchers though. Rolls of 100 usually.
  • [solved] (no real problem) Login Page not Working on Smartphones only

    14
    0 Votes
    14 Posts
    7k Views
    H
    Thanks again, that's what the web interface showed for updating. Tomorrow I will go further up until latest stable… users don't like internet downtime ;) -- no, entrusted devices use PEAP without captive portal. The new captive portal site is for private devices. It's a "present" from the management.
  • [SOLVED] Captive Portal + FreeRadius + LDAP + Bandwidth

    5
    0 Votes
    5 Posts
    2k Views
    V
    Hello krashneo I can't find the file /usr/local/etc/raddb/ldap.attrmap Can you help me?
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.