• Captive Portal Can be Bypass by VPN

    2
    0 Votes
    2 Posts
    1k Views
    GertjanG

    @asistio04:

    is it possible to bypass the captive portal using a vpn on the phone or pc?

    VPN traffic is just a TCP or UDP stream, coming from an IP, going to another IP.
    Without the pfsense firewall (captive portal) being instructed to let it out, the IP of your device will be blocked.
    So, short answer : No.

  • Captive portal security

    7
    0 Votes
    7 Posts
    3k Views
    A

    @yaman.amin:

    I am also interested to know whether there are any special firewall rules I can configure to get the best security features in my captive portal WLAN network.
    I decided to deploy Snort; kindly let me know if there are other packages or rules one can use to enhance security.
    Thanks for the feedback.

    Snort will prevent this kind of event?

  • CaptivePortal not counting traffic for specific domain

    2
    0 Votes
    2 Posts
    679 Views
    Y

    Hi,
    I tried to download the files from those links you provided, they are counted correctly.
    I am using 2.2.4.

  • Pfsense problem and HTTP redirection

    7
    0 Votes
    7 Posts
    2k Views
    T

    It works great !! I thank you  :)

  • ZPH IN SQUID 3.5.19 AND CAPTIVE PORTAL

    2
    0 Votes
    2 Posts
    871 Views
    H

    1111111111111111111111111111111111111111

  • Captive portal page not showing work only when typing IP:8000

    Locked
    11
    0 Votes
    11 Posts
    2k Views
    M

    It is working now, updated to 2.1.X. Thanks to all who replied.

  • CP command line Login / bash

    7
    0 Votes
    7 Posts
    2k Views
    K

    @Gertjan
    thanks for your long explanation. And I'm glad to hear that our neighbor has the same shitty law.

    In our case the third members are renters in our house (student flat). Normally we can trust them. But confidence is good, control is better.  ;)

    VPN was the first idea. I saw all the problems from configuration to compatibility, and our users don't have much experience in computing. So VPN is too complex. Setting up a VPN server is no option, because we are glad to have a stable server now. So never change a running system. (I keep this option in mind, but my primary aim is to log in via the web interface.)

    I noticed your judicial aspect. The pfSense should only protect the internet access owner. If a user gets hacked, gives the password to a friend or something else, then it is the problem of the user. We need two lists: internal IP <-> web IP (collected by the firewall) and internal IP <-> user (collected by the CP).
    BTW, to get access to the pfSense you have to log in to our intranet over some access points which are protected by a WPA2 password.

    – back to the problem
    My aim is to log in via the web interface by sending a POST request via the command line to the server.

    @Gertjan

    PS : try using curl.

    That is what I had tried (see the quote of my first post). But this doesn't work.

    curl -F ...

    Response is nothing, no request, no login.

    curl -- data ...

    The response is a new login form. No login. The POST URL is copied into the redirect field.

    I think there is another security feature which rejects my POST requests.

  • Is captive portal work on the VM Setup up

    2
    0 Votes
    2 Posts
    555 Views
    DerelictD

    Captive portal doesn't care. Physical, virtual, doesn't matter.

  • Max Captive portal interfaces

    11
    0 Votes
    11 Posts
    3k Views
    Y

    Hi, Magura,
    Please test the settings as described in this link:

    https://forum.pfsense.org/index.php?topic=106119.0

    thank you very much!

  • PfSense as Wi-Fi Hotspot Controller

    5
    0 Votes
    5 Posts
    8k Views
    P

    ??

  • Replacing CP IP address with a FQDN

    4
    0 Votes
    4 Posts
    1k Views
    Y

    Thanks a lot Gertjan,
    actually I already read your tutorial post from 2013 before I started setting up the certificates, but it seems that the procedure at startssl.com has changed somehow; it is not exactly as you explained at that time. For example, when applying for a certificate you wrote that you first have to write a PSK, then the CSR, …
    Now startssl asks you to submit the CSR directly, which means you must prepare your CSR and generate your private key on your own, using openssl for example, and then submit the CSR.
    I got confused because, after you submit the CSR, they offer you two options, one of them being whether you want to support the PKI system. If you choose it, startssl will ask you to write a PSK (which PSK should I give, the one I used with openssl when I generated my private key, or a new PSK??) and then they will generate a private key. So I got confused about which private key I have to use: the one I generated with openssl or a different one? Take into consideration that my CSR request has been signed by the private key I generated with openssl.

    What I did exactly:
    1- generate private key: #openssl genrsa -aes128 -out key.key 2048
    2- generate CSR request: #openssl req -new -key key.key -out certificate.csr
    3- I copied the content of certificate.csr to startssl.com (CSR field)
    4- (should I choose PKI system or not at the bottom of the page?) I got confused here
    5- generate the certificate: he sent me three certificates: root, intermediate and CA.

    I noticed in your images he classified the issuer as Root+intermediate+...  That is not the case in my certificates.
    Another question: when you generate the CSR, which information do you have to include? I just included my domain name and the country; is there anything else? I will send you some images tomorrow. If you access startssl.com now you will see what I mean.

    6- on pfSense I applied under the CAs leaf: first the root, second the intermediate. Here there is an optional field if you want to paste the private key as well. Again the question: which private key, the one of openssl or the one of PKI in openssl?

    As you see, there are some confusing points that need to be clarified.

  • Captive Portal slow after migration

    4
    0 Votes
    4 Posts
    1k Views
    GertjanG

    @Drudge : reinstall from scratch (boot from a recent version like 2.2.6 - not a dead one 2.0.2 or even 2.1).
    Redo your settings.
    When activating the portal, do NOT use your own 'html' code, use the default.
    Activate first the local user Manager (built into pfSense) and add one or two users.
    Test that.
    Then hook up Radius, and test again.
    Then , and only then : use your own html login page (If you have one).

    I guess something goes wrong with the redirecting … Some left-overs in the ancient config settings (maybe) ?

  • Captive Portal Group Restrictions?

    1
    0 Votes
    1 Posts
    637 Views
    No one has replied
  • CARP-Captiveportal

    3
    0 Votes
    3 Posts
    1k Views
    Y

    You are right , sorry for that , just wanted to discuss it with captive portal experts as well :)

  • MAC/IP spoofing protection like in Zerotruth (Zeroshell CP)

    8
    0 Votes
    8 Posts
    2k Views
    C

    @cs1:

    I've seen that the topic of MAC or IP spoofing has been addressed plenty of times with respect to the captive portal and most of the time, the result was: "you can't do anything against MAC/IP spoofing". However, there seems to be an elegant solution included in Zerotruth (CP on top of Zeroshell) that significantly reduces the risk of MAC or IP spoofing by using a technique that the Zerotruth guys call "Authenticator packet".

    You can't do anything (good at least) at the firewall level. That Zerotruth hack is ugly and only prevents hijacking sessions that aren't currently connected, which isn't all that useful. You're not going to stop someone good enough to hijack sessions (unless it gets down to 0 active sessions), and there's a good chance you'll introduce problems for legit users. Your APs and switches are where you can prevent that type of thing in a useful way (where the equipment has such functionality).

  • Cannot connect when captive portal is enabled

    24
    0 Votes
    24 Posts
    4k Views
    N

    I saw that and am not sure what it is from.  I do have a redirect URL entered but not sure if that's what was causing this issue.  The same redirect URL is there in my now working config.  I have not had any issues so far since I killed the process and restarted the captive portal.

  • Nmap-mac-prefixes only by installing the nmap-Package?

    5
    0 Votes
    5 Posts
    1k Views
    jimpJ

    We have some plans here already: https://redmine.pfsense.org/issues/3882

  • Can user sessions persist after reboot?

    6
    0 Votes
    6 Posts
    2k Views
    GertjanG

    ;D

    All this, and more, is actually easy to find if you 'read' /etc/inc/captiveportal.php

    You will even find this:
    https://github.com/pfsense/pfsense/blob/RELENG_2_2/etc/inc/captiveportal.inc#L187 (this is the 2.2.7 dev version - and the same as 2.2.6) :
    Read it like this:

    If Captive portal enabled If Booting   then delete the database file .....

    Also : a nasty bug was found when opening and managing the "sqlite3" database - this was one of the reasons why "2.2.5-Release" is ancient now, and that 2.2.6 came out ;)

    Reading /etc/inc/captiveportal.php will show you that other files exist (in the same /var/db dir) : captiveportaldn.rules and captiveportal_<name_of_cp>.rules
    These two files ARE deleted when the captive portal starts up.
    These two files are NOT used to (re) preset the firewall after booting.

  • All mac addresses have internet access - help!

    8
    0 Votes
    8 Posts
    2k Views
    jahonixJ

    In any case make a backup of your config NOW and store it in a safe place.
    After that reboot your machine and if it comes back alive perform the update through the GUI.

  • 0 Votes
    6 Posts
    3k Views
    A

    Have you tried to change in CP the MAC address sending format (i.e. "Default" or "ietf") to the one your RADIUS server expects?
    https://doc.pfsense.org/index.php/Using_Captive_Portal_with_FreeRADIUS
    "Captive Portal configuration
    Enable RADIUS MAC authentication
    Enter any shared secret desired. This field must not be empty! but it is not important what is entered. This is not the shared secret which is used for communication between NAS(CP) and the FreeRADIUS server. I used blaaa
    MAC address format. In general this may be left at default or any other option because FreeRADIUS is converting the MAC address (Calling-Station-ID) into the correct format. To be 100% correct choose here ietf "

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.