@jimp:

@cyberlocc:

I am aware of that. Not really what I am trying to do however.

It's exactly what you're trying to do.

@cyberlocc:

Okay so atm, I am doing that, and that works. However, that leads them to a PFsense login screen, where normals get confused, and a bunch of nav for things they cant access anyway.

I dont want all that, its not needed, and it just confuses less techie people.

If you only assign them the permission for the password change page, they get that page when they login, and nothing else. The menus are irrelevant and they're empty anyhow, if not hidden.

@cyberlocc:

They now see the PFsense logo, and now I am running PFsense and can begin trying to break in, with that somewhat helpful knowledge.

So? If you follow proper practices, that gives them nothing.

@cyberlocc:

They are allowed Full GUI access on the Guest Lan, so they can begin to try and brute force into the networks admin account.

The GUI has anti-brute force protection. If they try 15 times unsuccessfully, they are locked out of the GUI for an hour (minimum).

@cyberlocc:

So what I am wanting to do, is deny access to the GUI from the Guest Lan, and have the 1 Password change screen, be added through some type of Iframe, or even just a data entry method from Captive portal screens would actually be better. So once they are logged in, they have the ability to edit their account on the logout page.

You can't deny access to the GUI and then allow access to the GUI through an iframe. That is not possible, since their browser must reach the GUI to access any pages served by the GUI.

What you're describing would involve setting up a second web server on the firewall for just that one task, and would likely have less security than just using the firewall directly.

If you don't like how it's already handled in the GUI, then use RADIUS authentication off the firewall and then use whatever user/password management pages are provided by the authentication server software.

If your users are confused by the pfSense logo, then you need to give them better instructions.

Well using the PHP commands, they wouldn't need access to the GUI would they?

Also, you said if they are not hidden. That would be a very good start for me right there, I have read that is possible still trying to locate how. It was said in other threads it was doable, but the links to how are broken.

@mdes:

….
Image is not showing. Why? Image is stored in /var/db/cpelements/
What's the document root of web server running captive portal at 8002 port?

Run this one :

cat nginx-*-CaptivePortal.conf | grep 'root '

Over there (btw : /usr/local/captiveportal  ;) ) you should find stuff like this :

[2.3.4-RELEASE][admin@pfsense.brit-hotel-fumel.net]/var/etc: ls -al /usr/local/captiveportal total 40 drwxr-xr-x  2 root  wheel    512 Jul 21 10:42 . drwxr-xr-x  14 root  wheel    512 Aug  2 14:59 .. lrwxr-xr-x  1 root  wheel    43 Jul  4 12:32 captiveportal-2style.css -> /var/db/cpelements/captiveportal-2style.css lrwxr-xr-x  1 root  wheel    45 Jul  4 12:05 captiveportal-nvx-logo.png -> /var/db/cpelements/captiveportal-nvx-logo.png -rw-r--r--  1 root  wheel  11603 May  3 19:07 index.php -rw-r--r--  1 root  wheel  10434 May  3 19:07 radius_accounting.inc -rw-r--r--  1 root  wheel  6862 May  3 19:07 radius_authentication.inc

As you can see, I have two sym-links, they are generated when you upload a file - like your image.
I have an image to, called "captiveportal-nvx-logo.png", shows up just fine in my home made 'html' portal login page, using come html code like this :

[](http://www.brit-hotel-fumel.fr/)

@mdes:

HTML img tag contains src=captiveportal-logo.png.

I didn't know the quotes "" were optional  ;D ;D

Take a look at this look at this : https://forum.pfsense.org/index.php?topic=83155.0
Other thread exists about blocking specific web sites

Hi,

You are telling nothing about your setup, so I'll explain using mine as an example.

First of all, it's impossible to get rid of IP's. They will always exists  ;)

My captive portal lives on OPT1 - I'm using LAN for my own needs.
I'm using the DNS Resolver.
On the setup page of the DNS Resolver, I added a Host "Override". My OPT1 interface address is 192.168.2.1/24 (LAN is 192.168.1.1/24).
I added :
Host : portal
Domaine : my-domain.net
IP 192.168.2.1
Description : Whatever you want.

Know that declaring a host for a domain will not force your clients to use the this name … The captive portal is hard coded to use the interface address IP when working with "http mode". https mode will (have to !) change that.

Now, the funny part : you have to switch to HTTPS login on the captive portal page.
As a domain name you chose your "portal.my-domain.net".
And ... you have to chose a certificate that your clients will accept (the Let encrypt acme package can help you here).

@beerten:

Is it possible to import the vouchers into the external database? Generate vouchers, import them into the external database into a seperate table. Select on when required and mark it as used.
Just a thought

You saw https://forum.pfsense.org/index.php?topic=133872.msg736484#msg736484 ?

has this been done?

@Gertjan:

See here : Captive Portal Troubleshooting : Issue : Captive portal not redirecting : first answer :)

Yep, I did read that one. It might even have triggered the solution. To me it is not clear it says one should define a local dns server. Could have to do with me, not being an english native speaker. Or my knowledge about DNS resolving is not what it should be. I posted my solution for the sake of the search function. I so a lot of topics on similar problems I had. But I could not find the solution.

Would appreciate some help!

@Gertjan:

Your AP has its DHCP server shut down, router-mode is shut down, etc ?

Yes, it is in AP mode. It offers quite a few modes.

AP Mode
AP router
Client Router
WDS Bridge
WDS Router

and I think a few others, at any rate its in AP mode.

Also, the Mac addresses are shown in PFsense DHCP lease lists, however when the captive portal is on with the Mac pass through, it lets every device passthrough with the first logged in user.

@Derelict:

Any AP does.

If that one is not it is either in a router mode, not an AP mode, or is for some reason proxying ARP or something of that nature.

In either case you are probably going to get a faster reply asking on a forum specific to that product.

I didn't know those existed lol, will do.

It depends on how the solution was made.

What we'd like to see is:

1. Captive Portal adapted to use all settings from the User Manager, including defined Authentication Servers
2. Additional RADIUS settings moved from Captive Portal to the User Manager Auth Server RADIUS options where possible. Some settings may be specific to one portal and not others, but an admin could always define multiple RADIUS server profiles in the user manager to get the same effect, which is essentially what they're already doing now.

In doing that, Captive Portal would naturally pick up LDAP support as an authentication source without actually adding or touching any LDAP-specific code. The problem is adapting all of the RADIUS options in CP to the User Manager and making sure they are used in the correct context.

That is not currently a feature of FreeRADIUS on pfSense, and there are no plans for it.

You might have better luck asking for help on a FreeRADIUS forum/mailing list/subreddit/etc, because anything you need to change would be specific to FreeRADIUS and not pfSense.

Month or two is probably not something you want to task your firewall for.

Yes, that can be increased.

Whether it is enough depends on how much device churn you are expecting.

jimp this is the test for free radius i did when i get the above failed radius message. i am also sending the test result.

user:  shaheedullah
Password: school
sgared secret : cmc


New learnings sir! :D :D :D
I actually didn't know that I can view the voucher number including the time remaining per voucher.

As I randomly checked 10 vouchers from the previously generated voucher, all are fine. Maybe, there were some which are considered invalid.

Anyways, thank you so much sir's for your help!

@yfarouq:

@jimp:

Not nearly enough detail here.

What did you upgrade from?
What did you upgrade to?
What version of the FreeRADIUS package do you have installed now?

Im at pfsense 2.3.4 version, and Im still working with freeRadius2. I had tested FreeRadius3 but the same issues

Please answer all of the questions there. the first two are asking about pfSense versions before/after.