Hi Dereclict

Thank you very much for your answer :-)

I'll disable Captive Portal on the Passive node.

Have a nice day :-)

It will be keepalive_timeout 0 in 2.3.1_2.

https://redmine.pfsense.org/issues/6421

I have this implemented in my network.
You will have WAN connected in your internal network and will have the same settings as any other pc in your network (DHCP or static).
Assign Wireless card to WLAN Interface (name it WLAN) & Configure WLAN Interface.
Create Captive portal for that interface.
Stop DNS Server and start DNS Forwarder.
Configure DHCP Server for WLAN Interface.
Connect device on wireless from Pfsense and see if the redirect works when trying to access a webpage.

@DanieleIT:

Hello,
Yes, once the roll is "finished" you will have to recreate it.

Ok, I thought it will be intelligent enough to output only unused voucher and recreate new vouchers when necessary  ::)

Thank you!

Ok thanks for your feedback, I will continue to search how it's working with an external database

@Gertjan:

Deactivate the "internal dns forwarder" for your Captive Portal.
Instruct the DHCP server that serves the Captive Portal with your (example) ISP DNS servers, or Google DNS servers, or whatever.

Like this, portal visitors can not resolve your internal LAN FQDN's anymore.

[…]Also, the DNS Forwarder or Resolver must be enabled for DNS lookups by unauthenticated clients to work.

Not possible, because the unauthenticated clients can never resolve a dns.
@Gertjan:

BUT : why do you care anyway ? Normally, portal visitors can go (only !) "out" to the net, and your firewall rules for the captive portal interface won't let them into your LAN …. so even if they 'know' that a FQDN exists on your ... what ? LAN ? they can't do nothing with it.

Yes, you are right my visitors can only go out into the internet.

Thank you guys for quick response. I've been playing with the options for a while and it kinda works.

I've added my domain to the allowed hostnames. The website has links to google map and restaurants facebook page but I cannot allow those two or else I will be giving them access to surf either of these freely (right?).

So the part that is not working is redirection to the restaurant website before CP page. I would like to redirect guests to my website right away and only if they want to leave my garden I would present them with the CP page asking them to input their voucher. I set the Pre-authentication redirection url to http://www.salas-ostrazica.com and it doesn't work. At the moment I am still using the default pfsense captive portal page tho. Furthermore I also tried to upload my own html page changing $PORTAL_REDIRURL$ to www.salas-ostrazica.com and it didn't work. I got redirected to www.salas-ostrazica.com after the authentication.

However the after authentication redirection url works perfectly with the default CP page. What variable holds the value for redirection before authentication?

You have to do this in two steps.
First step, you make your own submission, which reloads the same page, and launches the php code where you store your info.
Then, once this is done, you just show the CP form and have javascript autoclick on the submit button.
See my captive portal code in thread, my code does this more or less with the Login function.

Thanks for your replies, but I didn't want to have general discussion about IPv6 sense and non-sense. Fact is that IPv6 is upcoming more and more and Pfsense should be ready in all areas. We have a hotel with captive portal for our guests. CP isn't ready and it doesn't support for IPv6 traffic. In this year we will get a full dual stack (IPv4/IPv6) from our provider. Sometime in the future our guest will ask about IPv6 support. IPv4 addresses will by more and more rare so that some day a part of the internet won't support IPv4 anymore.

The question is still: Is planned that CP will support IPv6 in the future?

Captive portal can't be used in that manner. It authenticates the user or machine, then their access is determined by firewall rules the same as without CP.

Depends how your authentication works.
If it is the local user manager, go here : Status => Captive portal.
To see who logged in the past (and gave their sessions removed) : go see the captive portal log.

I watched a few videos and was going to start configuring the radius server. I found out my modems allow bridging so thats another option I guess. Thanks a bunch.

So it looks like for some reason Google DNS is not working from this location at all.  I disabled DNS resolver and enabled DNS Forwarder and changed DNS under general to Comcast instead of google and all working.  :o

@Derelict:

Two choices:

Let connections to https sites hang and make your users have to connect to an http site to get the portal page.

Intercept https connections, display your portal page, and deal with all the ramifications of being an https man-in-the-middle with certificate errors, browser protections, installing your certificate as trusted for your user's bank because they clicked the wrong thing, HSTS, pinned certificates, etc.

Third choice:

Disable captive portal. Let the users connect and go.

Thanks I too option 1 I added https://google.fr and it works.

I am interested in this solution, but….
:-[