Going from the very old 2.2.3 to a beta version ….  :o
What about the current 2.2.6 ? ( $PORTAL_ZONE$ already exists in the current version https://github.com/pfsense/pfsense/blob/RELENG_2_2/etc/inc/captiveportal.inc#L60 )

@cmb:

@dpacheco:

The image show $PORTAL_ACTION$ no $PORTAL_ACTIONS$  (custom portal page have been working fine since 2 years and haven't been changed).  Don't know how this is treated by pfSense, but it seems that this is the normal behavior, at least for what is seen when everything works fine, client POST to /$PORTAL_ACTION$ and is redirected to the $PORTAL_REDIRURL$

I could have sworn it was typoed in one of those screenshots, but on second look, apparently not. It is still a problem that it's in there that way though, what are the contents of your portal page?

Ok.  The actual login page is a PHP file that detects if browser is a desktop or mobile one and redirect to a HTML file, which is uploaded directly on pfsense box by the file manager tab.

func_desktop.html.txt
func_index.php.txt
func_movil.html.txt

Hello,

I've finally posted the how to that goes with my single step captive portal wrapper here https://forum.pfsense.org/index.php?topic=108493.msg604190#msg604190
If you find this useful, could you consider putting it as sticky post ?

Regards,
Ozy.

You're trying to route traffic from the WAN side of the PFS. This is completely wrong. You seem to be trying to use your firewall as an internal router. Any traffic passing through from the WAN side needs to be port forwarded, which isn't really what you want to do here. Set the captive portal on the LAN side and route your guest traffic through from LAN to WAN, using the WAN address for managing the PFS. It's how firewalls are supposed to work.

Hi,

I create qrcode with this link : http://xxxxxxxx.fr/ubhZKcJbY6a3 (replace xxxxxxxx.fr with other website, ubhZKcJbY6a3 is a voucher code)

When user scan qrcode, it will redirect to portal auth page and the voucher field will autofill.
If a user is redirected with other url, the voucher field will empty and he could authentificate with his credentials.

$URL = htmlspecialchars($_GET["redirurl"]); if (strpos($URL, 'http://xxxxxxxx.fr') !== false) { $Code = str_replace("http://xxxxxxxx.fr/", "", "$URL"); } else { $Code = ""; } ?>

The problem sounds like a DNS issue. As to why, you'll have to provide some more information first. Like what DNS server(s) are you clients using? And what tests have you run so far? Have you tried running a dig or nslookup against any of the problem sites from a client? If so, what response do you get?

Yes.  Actually @Gertjan was correct. I can now access the server by putting it in the allowed IP list. Thank you!

on your captive portal form you can use the macaddress through this codes:

$arp=`arp $ipaddress`; #run the external command, break output into lines $lines = explode(" ", $arp); $macaddr = $lines[3]; #Actual code

Captive portal is a different from squid guard.  Captive portal prevent unauthenticated users from accessing the internet, squid guard is a list of blacklisted websites.  If you just want to block websites, use squid guard https://doc.pfsense.org/index.php/SquidGuard_package#Configure_the_squidGuard_Package

Thanks sebastiannielsen, but this solution wont let me change the voucher time so all vouchers will be expired after "Hard timeout" period i just wanted to make vouchers with various amount of times
so isn't there any other solution ??

@advcorp:

Today afternoon I installed, step by step, the various modules of pfsense, but the result is always the same.

Ok, you installed step by step. So at what step did the captive portal fail? What tests did you run after each change you made? As Gertjan suggested, start with a plain install with no packages. Test you can get out to the internet using the basic installation. Then, add the captive portal to your OPT1 network. Test again. Does the captive portal work? If so, move onto the next part of your install, testing each time until it stops working. You will then know at what point in your installation process things start to break and you can diagnose the problem. You've said nothing about testing at each point in the installation, so nobody can assume anything else but that you didn't.

@ishtiaqaj:

i had gone through the same probelm any find the solution??????????

ishtiaqaj,

See if the proposed work around resolve your issue.

https://forum.pfsense.org/index.php?topic=97457.msg543099#msg543099

I managed to get it all working, I had to use a combination of the two solutions I had found. Following the post found at:https://forum.pfsense.org/index.php?topic=80789.15 I used the two scripts which left me with this:

To disable the captive portal, I made a script called rc.captiveportal_disable:

#!/usr/local/bin/php -f /* $Id$ */ /*     rc.captiveportal_disable     copied and modified from rc.captiveportal_configure */ require("config.inc"); require("functions.inc"); require_once("filter.inc"); require("shaper.inc"); require("captiveportal.inc"); captiveportal_disable(); function captiveportal_disable() { global $config, $cpzone, $argv; if (is_array($config['captiveportal'])) { foreach ($config['captiveportal'] as $cpkey => $cp) { $cpzone = $cpkey; if (strpos($argv[1], $cpzone) !== false) { if (isset($cp['enable'])) { unset($cp['enable']); } captiveportal_configure_zone($cp); } } } else mwexec("/sbin/sysctl net.link.ether.ipfw=0"); } ?>

And another disable script that I made to call the above script and unload all IPFW tables(called that one rc.captiveportaloff):

/etc/rc.captiveportal_disable vouchers /sbin/kldunload ipfw.ko

After doing this the captive portal will be disabled and allowing internet traffic through

To re-enable I used the script to reconfigure the captive portal for the particular zone, named rc.captiveportal_enable:

#!/usr/local/bin/php -f /* $Id$ */ /*     rc.captiveportal_disable     copied and modified from rc.captiveportal_configure */ require("config.inc"); require("functions.inc"); require_once("filter.inc"); require("shaper.inc"); require("captiveportal.inc"); captiveportal_enable(); function captiveportal_enable() { global $config, $cpzone, $argv; if (is_array($config['captiveportal'])) { foreach ($config['captiveportal'] as $cpkey => $cp) { $cpzone = $cpkey; if (strpos($argv[1], $cpzone) !== false) { $cp['enable']=true; captiveportal_configure_zone($cp); } } } else mwexec("/sbin/sysctl net.link.ether.ipfw=0"); } ?>

Then another script to call the above script and reload all the IPFW tables, named rc.captiveportalon:

/sbin/kldload ipfw.ko ipfw zone 2 create /sbin/ipfw -x 2 -q /tmp/ipfw_vouchers.cp.rules ipfw zone 2 madd hn1 /etc/rc.captiveportal_enable vouchers

Then use a cron job to call rc.captiveportaloff and rc.captiveportalon whenever you like. Seems like a dirty way of getting this done, but it works for me. It would take a bit more code if your are dealing with multiple zones, but for a single zone this works.

One other question, how does the tmp folder behave? I have my script using the ipfw rules found in /tmp/ipfw_vouchers.cp.rules, if I happen to reboot pfsense while CP is turned off, will it end up deleting that file thus breaking CP completely?

I would be very careful of offering this sort of speed service. What bandwidth does the hotel have to play with? What happens if 10 x people buy 15mbps internet? It's very difficult to explain to a paying customer why they're not getting 15mbps if they paid for it.

I would look at running two CP's on VLAN's then using AP's that have multi vlan/ssid and call them -

Hotel WiFi standard & Hotel WiFi premium, rather than tying yourself to a speed. You could then claim that premium WiFi is 3 x quicker without having to give any speed indications.

@sebastiannielsen:

no, he isn't out to restrict to a specific OS.

what he is out for, is, when a client authenticate correctly, the client's MAC, OS-fingerprint, and IP is saved in the firewall rule.
So the OS-fingerprint must match whatever the user authenticated with, to prevent spoofing.

Yes, that's precisely what I'm looking for. I wasn't aware that pf wasn't used for the Captive Portal. However, since pf is still available for filtering, I was thinking about something like this:

Create a pf rule that logs the OS fingerprints of clients.

After a successful login of a user, create a pf rule for the IP that the user got that only allows TCP traffic with the OS fingerprint that has been detected during login.

After either a voluntary logout by the user herself or after the soft / hard timeout, remove the pf rule for the user's IP.

This should add one more layer of security. Sure, it's not foolproof but certainly would add one more hurdle to abuse.

Ok, i understand ! it's logic.
i will see if it's possible whith a proxy…
Thanks you to all.

To solve this issue forever you must add the CA cert to Pfsense GUI and restart the Captive Portal Services

Step: Cert Manager –> CAs Tab --> Create a new records --> fill up "Certificate data" with CA Cert --> use IE or FireFox to test https url

Note: don't use Chrome because it can handle this case