@haydin81:

Squid3-dev–->"non-transparent", Patch captive portal" checked, "authentication-captive portal"
Captive Portal--> enabled, "authentication-radius" checked"disable mac filtering"

while state that,

1. if a user open explorer without proxy settings, he can access captive portal login page(of course some firewall rule added)
2. if a user open explorer with proxy settings, he cant open access captive portal and no access to internet (why?)
3. if a user open explorer without proxy settings and login captive portal (note.1), he can access internet with proxy settings explorer.

Help me!!

Hi, I'm with the same problem. But, pfsense 2.3.2-RELEASE-p1, package squid 0.4.29_1. Has anyone made work non-transparent proxy + captive portal?

–- edit

I solved the problem editing the error page (/usr/local/etc/squid/errors/.../ERR_ACCESS_DENIED) to redirect to captive portal. But the user needs to access some http page, not https, because the browser blocks https redirection.

That is a problem in Android. After login  the redirect url will crash right? I have captive portal set on other gateways not pfsense and also do this on Android, It is a known problem.

hi there again,

I played around with 2.3.2 in my lab and figured it out.

The old cp portal works flawless by adding the allowed ip "192.168.0.0/16", of course the pfSense interface / LAN Subnet my clients are using is in this range.
With 2.3.2 a client can access any ip without authentication as soon as the LAN subnet is added unter "allowed ip", which is used by the captive portal clients.

in my case:

setup all needed subnets manually, and add new one over time add all subnets manually in this range except the one of the captive portal clients

@sonidoP:

Try URL: http://x.x.x.x:8002/index.php?zone=cp_guest
(ref: https://forum.pfsense.org/index.php?topic=110073.30 ) with blank page result.

Like that ?
Your captive zone 'name' in question is really "cp_guest" ?
The port used by pfSense is really "8002" (mine is 8003 for https and 8002 for http - you can't chose them, they are assigned by pfSense when creating portals)

If "http://x.x.x.x:8002/index.php?zone=cp_guest" doesn't work, you have two possibilities :
You portal doesn't work -> make it work first.
Visiting "http://x.x.x.x" (your captive portal address) should redirect you to … as said here : https://forum.pfsense.org/index.php?topic=110073.msg679281#msg679281
Check your port number and zone name - it should be EXACT.

@sonidoP:

There is little documentation of the Pre-authentication procedure in version 2.3.2-RELEASE-p1,
Someone could tell me if the process is correct?

As said here https://doc.pfsense.org/index.php/Captive_Portal_Pre-authentication_Redirect and as you might guess, this page isn't really maintained, and rather tricky to use.

The file must somehow be listed multiple times in /usr/local/etc/php/extensions.ini

Don't put your wifi users behind routers. Put them behind access points (bridges) so the captive portal sees both the client MAC address and IP address.

@The:

Just a quick warning about this…

Apple in their wisdom, ..... .... see the "Success" page at Apple.

Hummm. I remember.
I tried to create a "logout URL", easy to remember for the visitor, so a "popup page" wasn't needed anymore. Juste type something like "logout.my-portal-pfsense.tld" and the user was logged out, no matter what. A very nice solution for those who like to $$ their connection.
The "session ID" has to be stored using a Cookie …. or, as you said, Apple lauches a crippled Safari browser that discards all info (among them : Cookies).
There is a huge thread somewhere in this part of the forum about this subject.

You would probably be easier creating a system at another host, and using cURL commands to send data?

On my firewalls, the captive portal page checks that it can see a second box on the network which is used to host most of the captive portal page, and Syslog-NG for logging. If it can't see this box, it uses cURL to talk to my website, (via https:// and to a password protected area) and set a flag, if the unit is online, offline etc.

If it is offline, I get an e-mail, and a button shows on the Captive Portal, saying "We've been automatically informed of the problem, however, to send us an SMS, please click here." if someone clicks on that button, I get an SMS through (using bulksms.com)

So, it is definitely possible.

What you would probably have to do, is setup a database, setup vouchers in pfSense, import the voucher roll into your database, then when someone sends the number through to you, you can set your system to send an SMS back to their number, taking a voucher code from the roll in your DB.

No need to checkout your pfSense install, you could tead this :

The main 'index.php' file that generates the login page (and error page) :
https://github.com/pfsense/pfsense/blob/RELENG_2_3_2/src/usr/local/captiveportal/index.php
and
https://github.com/pfsense/pfsense/blob/RELENG_2_3_2/src/etc/inc/captiveportal.inc

captiveportal.inc contains most, if not all the logic.

Thank you.  Great tips.  I ended figuring out my issue.  I accidentally defined my entire network in the Allowed IP list not realizing this is a bypass list.  All is good, portal comes up.

Took the entire idea and moved it over to a posted bounty here: https://forum.pfsense.org/index.php?topic=122701.0

Anyone interested or finding this thread via search, I imagine it'll be more active there

@lupin212:

I apologize for my question which is not specific so that you may misunderstand.
When I configure pre-authentication redirecting to URL: http://abc.com, this causes problems. When users open the first website with form https, time to direct to portal login website is too long (still can redirect). In case users open the first website in day with form http, it can redirect immediately.
How can users open the first website with form https and quickly redirect to portal login?

Understand that you see your setup in front of you.
I see none.

Please: detail ….

Also : lately, more questions about "per auth URL" have been posted and from what I can make of it, it's more then tricky to use it.
Do you need pre auth ? (why has the visitor visit first page A on server B to auth to the captive portal on page B using server B (B = PfSense)) ?
Is your A also pfSense ?
If not, did you list the URL or the domain so that a connection to "A" is possible even when NOt auth against portal pfSense ?
In that case : did you test that these rules where present ? ( use https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting - and show results here )
The GUI firewall rules permit visiting site "A" (if sdite A is not pfsense).

These are only the question I would check if I decided to use pre auth page usage - and because I never used it, is even more questions will pop up ......

So : what about telling us more ?

Thanks. Got thinkgs working. I modified and pasted following.

Add "login.college.com" to the DNS resolver or forwarder so it point to the IP of your captive portal.
See here : https://forum.pfsense.org/index.php?topic=63791.0 - read the DNS forwarder point.

Edit : tel visitors to http - not https.
Normally, you do not need to supply a login URL. Any http://what-ever-here.tld (like http://www.google.com ) will show the captive login  portal page without any user action needed.
By nature, laws and other unbreakable rules : "https" will NOT show the portal page …. and people will be unable to login.

What about : debug the "pfSense to Radius" connection both ends ?

@bassc:

….So what do you suggest now my friend? Thx and good work.

pfSene is translated in two other languages, one of them is … Turkish.
Check out how all the other html pages are generated and you have the solution ;)