Added to that, a captive portal should be run on its dedicated interface (VLAN, or more simpler : OPT1).
The hostname is communicated by the device when DHCP handshaking takes place, but know that a device doesn't have to communicate one.
Also note that IP's, MAC's and host names can be fakes because user (== read : visitor) editable.

The rules set for ipfw (ipfw is only use for the captive portal) is hard coded into the captive portal software.
These rules are non-user editable and normally you don't need to change them except if a total breakage is what is wanted.
YOUR rules should be put in with "pf" and this one can be edited with the GUI - just select the interface that the captive portal is using.
Best is that you use a dedicated interface (OPT1) for the captive portal - leaving the LAN for trusted devices only.
By very nature, a captive portal network IS for non-trusted devices (visitors).

Said that, know that when you add IP's and MAC's that should pass through without hitting the captive portal, their rules are added to ipfw.
Se the help page mentioned above, you can see all the ipfw rules and tables.

and also, kindly provide a sample schema where the vouchers will be uploaded.

Thanks in advance

Hi,

The 'captive portal login page', as the 'error page' and the 'logout page' are stored in this file : /conf/config.xml
All the other "user files" are also stored in /conf/config.xml

When the captive portal starts, a working copy is extracted here : /var/etc/
You will find files like
captiveportal_your-zone.html
captiveportal_your-zone-error.html
captiveportal_your-zone-logout.html

User files (working copies) are stored here : /var/db/cpelements/ and sym linked from the web root dir : /usr/local/captiveportal

@bulgurcu:

Yes.

radacct add columns

acctupdatetime datetime DEFAULT NULL,
  acctinterval varchar(255) DEFAULT NULL,

Hi. Thanks again. I got freeradius3 to send accouting data to MySQL. May I ask if you have any idea why my simultaneous use attribute is being ignored by freeradius3?

:o

Captive portal traffic flows through the firewall (pfSense) - an interface and then to the WAN, and back.

No way you can have what you ask (implies also the changing the gateway the visiting device that it became from pfSense, etc).

If you update the pfSense FreeRADIUS 3.x package now (To 0.15.3) it will calculate the bandwidth values the same as Captive Portal so it will not trigger the issue

Need a lot more detail here.

Is the RADIUS server on pfSense? Or somewhere else?

If it's on pfSense, did you complete the transition to FreeRADIUS 3.x? Is the RADIUS server process running? Any errors in the logs?

If it's on another system, how do you reach it? Locally or over a VPN? Is that connection still working?

Great. Thank you!

Yeah, while the Mac filtering worked fine, we ended up moving all the infrastructure items to a different, private subnet.  Not only was remote access made easier, bandwidth was improved.

@awahbi:

How can I get rid of the old versions?

How ?
An update overwrite all old files - removes stales (unused files).
It's like a Windows PC : when upgrading from Windos 7 to 10, nothings is left from "7".

@awahbi:

Shall I make a fresh installation of 2.4.1 then restore the configuration?

Think about this :
YOUR copy of pfSense - and mine, are THE SAME.
The only thing that is different is … the setup (and of course, packages that can break native behavior).
I'm using a plain vanilla setup, my MAC limiter for the captive portal works. I'm using the built in User Manger - no Radius, No squid - no nothing else.

You can try this :
Re install.
Make the captive portal work with built in login page and a User Manger user.
Set the MAC limiter on the captive portal setup page.
Test - login and see that it works.
Now, add you other settings one by one.
As soon as the MAC limiting doesn't work anymore you know where you can find the issue  - and report back.

By posting those keys, anyone can generate valid vouchers and connect to your portal. Now generate some new keys.

https://forum.pfsense.org/index.php?topic=44689.0

Have you followed this thread?

what error do you get?

I'd create a pre-auth page that passes the user from page to page (embedding content or using iframe for facebook), and then allow them to click "connect" that authenticates them.

if they close the window they'll have to go through it all again. They'll soon learn ;-)

We've done something similar using RADIUS and a custom CP page.

cron creates a username and password cron emails that username and password to a distribution list (could also use digital signage) cron deletes the previous days password

You'll need to identify the user and cross reference to their booking to do this effectively.

I've seen this setup before where a custom external page is used to:

user authenticates based on last name and room number booking system inserts the required info to modified freerad e.g. room, last name, check in and out dates freerad replies accept if it matches the criteria