• 0 Votes
    2 Posts
    867 Views
    C

    Session Timeout allows the user to navigate for the time in seconds you entered. For example, a value of 300 would be just 5 minutes; after that the CP disconnects the user, with a Session Timeout log entry.

    Of course the same user can continue surfing the web if you configure the option below (Amount of time). For example: 60 minutes.
    So, the user will be hard disconnected every 5 minutes until he reaches the total of 60; that means about 12 times.

    Greetings!

  • Custom page for "After authentication Redirection URL"

    5
    0 Votes
    5 Posts
    2k Views
    T

    Thanks everyone. I finally got this to work. I had to make one modification. I had to change "After authentication Redirection URL" from 192.168.100.1/captiveportal-PC.html to 192.168.100.1:8002/captiveportal-PC.html. The URL for the main captive portal page contains the port 8002 and the second page never would come up until I added the port to it. Hope this helps anyone who might run into this issue.

  • Radius: Double NAS-IP-Address and NAS-Identifier

    1
    0 Votes
    1 Posts
    480 Views
    No one has replied
  • Pass-through credits per MAC address not being implemented

    16
    0 Votes
    16 Posts
    5k Views
    C

    It works!! Somewhat. I get disconnected after 30 minutes and cannot get internet without authenticating with a username and password for another hour, which is good. But I have another problem. When pass-through-credits for a user is 1 and I connect to the captive portal network, I get a notification about logging in (usual). But when I tap that, I get no landing page to accept the terms and service and directly get redirected to connectivitycheck.gstatic.com (or something like that) and I get internet access. I want my guests to accept my terms first and after that get internet access. Is that possible with this method? Thanks

  • Multiple LAN with Separate Portal and Bandwidth Limit

    4
    0 Votes
    4 Posts
    728 Views
    GertjanG

    @jpsolis:

    Can I set a separate portal on this setup, or can 192.168.1.1 have a portal and 192.168.2.1 not have a portal? Is this possible?

    Of course.

    You have at least 3 interfaces:
    WAN
    LAN
    OPT1

    On the last two, you can activate a CP.
    You have to do so for each interface (LAN and OPT1) - just go to Services => Captive Portal and click on the green "Add" button.

  • DHCP problem with Captive Portal

    7
    0 Votes
    7 Posts
    2k Views
    V

    I believe it's not an IP range issue because the DHCP range contains more than 200 IPs to use and I adjusted the lease time to 1 hour.

    What are your LAN firewall rules ?
    I didn't configure any firewall rules on em0 (LAN), only the default rules (Anti-Lockout Rule & Default allow LAN to any rule).

    What did you remove from default after you installed pfSense ?
    Nothing!

    Can you use the Captive Portal "as it should be used" : on a dedicated, NOT LAN, but OPTx interface ?
    Is it mandatory to add an OPTx interface for Captive Portal ?

    - pfSense runs in a VM ? (and guess what, when it is NOT running in a VM, but running in its own box, the errors disappear ;) ?)
    Not a VM, I installed pfSense directly on a PC.

    Finally, after a long time searching on Google, I found that maybe the problem occurred because of the network memory buffer, so I tried to increase the buffer size by adding some buffer tuning settings in "System Tunables" and "loader.conf.local". It helped somehow, as the error didn't occur again, but I got some delay on the network.

    I don't know if it's solved permanently or if it will occur again, but for 2 days now it has not occurred. Before the tuning settings it occurred one or two times every day.

  • Only accept voucher first time

    2
    0 Votes
    2 Posts
    761 Views
    GertjanG

    Vouchers are the key to the (your) access to Internet.
    If someone loses his key, well, this should be his problem, not yours.

    The "use only once to gain access" has a nasty side effect.
    Let's say : you hand out vouchers that last 24 hours.
    The guy logs in, all is well.
    Then, he goes off site, his IP in the lease table will get removed eventually.
    Another guy logs in with his voucher, and obtains the IP the first guy was using.
    Our first guy comes in, and wants to connect.
    Ok, the MAC address is (could be) known, but he will be using another IP => he will NOT have access anymore.

    A captive portal session is based on : the IP and the MAC address. If the voucher code comes in again, and there is still time left, old sessions are removed, as you saw, and a new one is created.

    Inform your voucher user that he should consider this voucher as a 100 $ paper, a credit card or his house keys. That will do the job.
    If he calls in and says "I lost it !!" and you have a copy of the voucher code, you can declare it "used". Then you yell at him - sell him a new voucher, or keep him out because he proved he couldn't take care of his stuff (or whatever ;))

    The same way : what you are asking for, is that a voucher user can only use his voucher for ONE device - but many users also have a smartphone, an iPad, notepad, whatever. Using a voucher on ONE device will lock the usage to that device, as long as he keeps the same IP (that pfSense gave him).

    Your question concerns a household-with-kids situation, right ? In this case I can imagine why you asked.

    Btw : I do think it's possible what you are asking. You will have to change the code (PHP) somewhat.

  • Captive Portal + Freeradius limit multi login per user

    2
    0 Votes
    2 Posts
    2k Views
    jimpJ

    The way captive portal works in many cases it has to reauthenticate users to make sure their login is still valid. For example, to enforce time or data limits. If you limit a user to one login, this reauthentication fails since they are currently online when the reauth happens. So for one user to connect from one device the limit has to be at least 2.

    So to allow them to login twice, it would have to be set for 4+.

    Kind of ugly, though. Using multiple logins so they have one unique login per device is cleaner and more secure.

  • Captive Portal Vouchers Used

    2
    0 Votes
    2 Posts
    816 Views
    jimpJ

    You can't edit the vouchers and make your own codes. The codes are computed mathematically based on the keys and other info stored in the roll.

    There isn't a way to change any attributes that are not shown in the GUI already.

    If you want to allow people to login using a "code" that lets them on indefinitely, create users instead. You can change the usernames to whatever you like to stop an old "code" from working for new logins.

  • Captive portal - Redirection Client Issues, Android

    3
    0 Votes
    3 Posts
    1k Views
    B

    @Gertjan:

    @bishoptf:

    Running 2.2.6 and having issues with ….

    What about leaving this old version, and upgrade ?

    I didn't hear about android users complaining that 2.3.2 isn't working well for them.

    Take note : who remembers issues and bugs present in 2.2.6 ?

    Yeah understand, it's in the plan and will be taking place hopefully shortly but was hoping to tweak and keep things working. I finally had to turn the portal off and just leave it running without the TOS, it's not working for anything including PC browser. Source looks correct with a URL in the redirect value but nothing I tried got it working. It redirects to the portal page and when you select continue it just reloads the portal page and adds your MAC address to the passthrough list but that's about it, each time you do your MAC address gets added to the list.

    Hopefully I can get it working when I upgrade, I have new hardware so I will be able to test it and make sure its working before going live.

  • CP FreeRadius and OTP

    3
    0 Votes
    3 Posts
    1k Views
    M

    I put together a one-time-password radius server using this:

    http://motp.sourceforge.net/

    Not Google, I know, but as Gertjan says, this takes a bit of coding. Alternately, you might be able to write an interface between your radius server and Google, but the details are up to you to find.

  • [SOLVED]Case Sensitive in CP with local database

    3
    0 Votes
    3 Posts
    1k Views
    jimpJ

    Use some javascript to change it in the HTML on submission, it won't require any changes to pfSense code, just the portal page you upload.

  • Voucher is accept on Loginpage but it goes back to Loginpage

    2
    0 Votes
    2 Posts
    798 Views
    GertjanG

    Hi,

    Without telling more about your setup ?
    Well …. euh ..... no.

    When a user logged in, check using this doc page : https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting and double check that you can find the user's IP and MAC in related tables.

    Is there a reason for the fact you are using a (very) old pfSense version ?? You shouldn't - and if you do, do not ask for help, people that know or knew 2.2.4 upgraded for very logical reasons. No one knows what issues 2.2.4 had back then ....

  • Captive Portal + FreeRadius + Openldap (PhpLdapadmin)

    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Apples Captive Network Assistant + Bootstrap splash page not working

    5
    0 Votes
    5 Posts
    2k Views
    L

    nah no IPs. I allowed these hostnames:

    ajax.googleapis.com
    fonts.googleapis.com
    maxcdn.bootstrapcdn.com

    The thing that I can't wrap my head around is that it works in the browser but not this app that pops up "Captive Network Assistant". I also tried allowing the captive.apple.com hostname so device thinks it's got Internet access and there is no more of this pop up but that makes it really inconvenient to authenticate on mobile devices.

    I guess I am going to have to try and make pure html and css page and see if that does the trick.

  • The internals of Captive Portal - how it works

    9
    0 Votes
    9 Posts
    4k Views
    L

    Yeah cookbook is well a cookbook and nothing more. I am glad you suggested the other book so I ended up getting Pfsense: The Definitive Guide and The Book of PF: A No-Nonsense Guide to the OpenBSD Firewall 3rd Edition. I'll be away for a while now hh ;D

  • Pass-through MAC Auto Entry Only for Users, not for vouchers

    6
    0 Votes
    6 Posts
    4k Views
    GertjanG

    @BGS:

    The "bits and bytes" solution :
    Nail down the place where the test is made if a MAC address should be added to the MAC pass-through list.
    Add your own test that skips the "MAC pass-through" adding part IF the login was done with a "voucher".

    I don't get this. I'm new at pfsense … sorry ...-.-

    pfSense is a software product.
    You actually have 99,99% of the source code at your disposal. So the possibilities are unlimited.

    I advise you to look for a 4 NIC box.

  • Captive Portal in Iphone

    14
    0 Votes
    14 Posts
    9k Views
    GertjanG

    @johnpoz:

    ….
      I think it's http://captive.apple.com/ but not 100% on that - I believe it looks to see if it can get back a 200 from there, if it doesn't then it assumes it's behind a cp or something like.

    I disconnected from an AP on the LAN (192.168.1.1/24 - my iPhone was using 192.168.1.25)
    It obtains a 192.168.2.139 (my Captive portal is 192.168.2.1/24)
    Some non-important local IPv6 handshaking is also present.

    10-06-2016 10:03:20 Local7.Info 192.168.1.1 Oct  6 10:03:24 dhcpd: Reply NA: address 2001:470:1f13:5c0:2::c6 to client with duid 00:01:00:01:14:20:18:e3:b8:ac:6f:47:2c:77 iaid = 246983791 static
    10-06-2016 10:03:20 Local7.Info 192.168.1.1 Oct  6 10:03:24 dhcpd: Renew message from fe80::75cd:7073:d0a4:bc7c port 546, transaction ID 0x1239AA00
    10-06-2016 10:03:20 Local7.Info 192.168.1.1 Oct  6 10:03:24 dhcpd: Sending Reply to fe80::75cd:7073:d0a4:bc7c port 546
    10-06-2016 10:03:21 Local7.Info 192.168.1.1 Oct  6 10:03:24 dhcpd: DHCPREQUEST for 192.168.1.25 from 90:b9:31:77:5e:26 via fxp0: unknown lease 192.168.1.25.
    10-06-2016 10:03:22 Local7.Info 192.168.1.1 Oct  6 10:03:25 dhcpd: DHCPDISCOVER from 90:b9:31:77:5e:26 via sis0
    10-06-2016 10:03:23 Local7.Info 192.168.1.1 Oct  6 10:03:26 dhcpd: DHCPOFFER on 192.168.2.139 to 90:b9:31:77:5e:26 (iPhone-5S-Gertjan) via sis0
    10-06-2016 10:03:24 Local7.Info 192.168.1.1 Oct  6 10:03:27 dhcpd: DHCPREQUEST for 192.168.2.139 (192.168.2.1) from 90:b9:31:77:5e:26 (iPhone-5S-Gertjan) via sis0
    10-06-2016 10:03:24 Local7.Info 192.168.1.1 Oct  6 10:03:27 dhcpd: DHCPACK on 192.168.2.139 to 90:b9:31:77:5e:26 (iPhone-5S-Gertjan) via sis0

    Note : the DHCP server on pfSense tells my iPhone that DNS, Gateway, etc etc == 192.168.2.1 == the Captive portal 'pfsense' interface IP.
    I'm still figuring out why I should use the DNS from "Google". Upfront, my ISP proposes two DNS's when pfSense opens a WAN connection. They always worked fine.
    It's important to understand that my visitors' devices on the Captive portal have only 'pfsense' as a DNS server.
    pfSense itself uses the DNS that came with the WAN connection.
    That is the default setup.
    Works fine for a decade now.

    As soon as the link goes up (wifi in this case) the iOS launches an HTTP request to http://captive.apple.com/hotspot-detect.html :

    10-06-2016 10:03:26 Local5.Info 192.168.1.1 Oct  6 10:03:29 pfsense.brit-hotel-fumel.net nginx: 192.168.2.139 - - [06/Oct/2016:10:03:29 +0200] "GET /hotspot-detect.html HTTP/1.0" 302 0 "-" "CaptiveNetworkSupport-346 wispr"
    10-06-2016 10:03:27 Local5.Info 192.168.1.1 Oct  6 10:03:30 pfsense.brit-hotel-fumel.net nginx: 192.168.2.139 - - [06/Oct/2016:10:03:30 +0200] "GET /index.php?zone=cpzone1&redirurl=http%3A%2F%2Fcaptive.apple.com%2Fhotspot-detect.html HTTP/1.0" 200 1536 "-" "CaptiveNetworkSupport-346 wispr"
    10-06-2016 10:03:28 Local5.Info 192.168.1.1 Oct  6 10:03:31 pfsense.brit-hotel-fumel.net nginx: 192.168.2.139 - - [06/Oct/2016:10:03:31 +0200] "GET /hotspot-detect.html HTTP/1.1" 302 5 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0_2 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Mobile/14A456"
    10-06-2016 10:03:29 Local5.Info 192.168.1.1 Oct  6 10:03:32 pfsense.brit-hotel-fumel.net nginx: 192.168.2.139 - - [06/Oct/2016:10:03:32 +0200] "GET /index.php?zone=cpzone1&redirurl=http%3A%2F%2Fcaptive.apple.com%2Fhotspot-detect.html HTTP/1.1" 200 849 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0_2 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Mobile/14A456"
    10-06-2016 10:03:29 Local5.Info 192.168.1.1 Oct  6 10:03:32 pfsense.brit-hotel-fumel.net nginx: 192.168.2.139 - - [06/Oct/2016:10:03:32 +0200] "GET /captiveportal-style.css HTTP/1.1" 200 836 "https://portal.brit-hotel-fumel.net:8003/index.php?zone=cpzone1&redirurl=http%3A%2F%2Fcaptive.apple.com%2Fhotspot-detect.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0_2 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Mobile/14A456"
    10-06-2016 10:03:29 Local5.Info 192.168.1.1 Oct  6 10:03:33 pfsense.brit-hotel-fumel.net nginx: 192.168.2.139 - - [06/Oct/2016:10:03:33 +0200] "GET /hotspot-detect.html HTTP/1.0" 302 0 "-" "CaptiveNetworkSupport-346 wispr"
    10-06-2016 10:03:29 Local5.Info 192.168.1.1 Oct  6 10:03:33 pfsense.brit-hotel-fumel.net nginx: 192.168.2.139 - - [06/Oct/2016:10:03:33 +0200] "GET /index.php?zone=cpzone1&redirurl=http%3A%2F%2Fcaptive.apple.com%2Fhotspot-detect.html HTTP/1.0" 200 1536 "-" "CaptiveNetworkSupport-346 wispr"
    10-06-2016 10:03:35 Local5.Info 192.168.1.1 Oct  6 10:03:39 pfsense.brit-hotel-fumel.net nginx: 192.168.2.139 - - [06/Oct/2016:10:03:39 +0200] "POST /index.php?zone=cpzone1 HTTP/1.1" 200 635 "https://portal.brit-hotel-fumel.net:8003/index.php?zone=cpzone1&redirurl=http%3A%2F%2Fcaptive.apple.com%2Fhotspot-detect.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0_2 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Mobile/14A456"
    10-06-2016 10:03:35 Local5.Info 192.168.1.1 Oct  6 10:03:39 pfsense.brit-hotel-fumel.net nginx: 192.168.2.139 - - [06/Oct/2016:10:03:39 +0200] "GET /hotspot-detect.html HTTP/1.0" 302 0 "-" "CaptiveNetworkSupport-346 wispr"
    10-06-2016 10:03:36 Local5.Info 192.168.1.1 Oct  6 10:03:39 pfsense.brit-hotel-fumel.net nginx: 192.168.2.139 - - [06/Oct/2016:10:03:39 +0200] "GET /index.php?zone=cpzone1&redirurl=http%3A%2F%2Fcaptive.apple.com%2Fhotspot-detect.html HTTP/1.0" 200 1536 "-" "CaptiveNetworkSupport-346 wispr"

    Btw : I'm using https portal authentication. This is just a detail.

  • Captive Portal page on wrong subnet

    4
    0 Votes
    4 Posts
    2k Views
    G

    I was able to get this resolved. It turned out to be a problem with my switch. I backed it up, defaulted it and restored the config and everything started working.

  • Vouchers issues

    1
    0 Votes
    1 Posts
    828 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.