@extranjero A pfSense device that doesn't have access to the net ? That means : no dns. You saw the Troubleshooting Captive Portal : the very first "DNS resolution not functioning" will stop you right there. Device connecting to a (wifi) network will trow out a 'hidden' http request, right after the DHCP negotiation. This can be any host name (most are know, though), so DNS needs to work. But you have no WAN ..... So no auto captive portal login page opening. The user could still know that it is connected to a gateway/router, so they could enter http://a.b.c.d (where a.b.c.d) is the IP of the pfSense interface IP. That wouldn't make the portal login page showing up neither, as needed parameters are missing. Using a laptop for such experiments is making your live hard on yourself. Any sub 50 $ old PC, with at least 2 network interfaces will do the job. Throw in an AP, and your good. You can always add some rules on the portal interface that block traffic to the outside world (except DNS, right ?!)

@yogendraaa said in Captive portal making WAN gateway losses in 2.7.0: Please help I'd love to, as soon as I found out how to simulate what '5000' users can do when they discover that they need to logging again, and they all hit the pfSense captive portal web serer to login at the same time Your portal setup is not a, @home version, I tend to say : industrial ? So, good to know you use a Xeon and boat loads of memory, please share more info. For example : Here : /var/etc/ : look for the two files starting with "nginx-", these are the captive portal web server config files. The default worker_processes is "6". The number of max connections is "1000". With these numbers I suspect that their will be some "pushing-at-the-gates" and not everybody will make it. A less scientific approach of 5000 users number : not every device is fully "portal" aware, and will hammer the portal web server without doing an actual login ...... (less aware users makes things only worse ). Add to this : for every established connection, the portal login page wilml get spewed out, and this happens when nginx piped the request to PHP-(fpm), and got the parsed result back. PHP is a lot, but managing a stressed PHPP interpreter is ... a world apart. Take note : I'm not an nginx expert. When that login storm is over, and the firewall tables are all filled up with 5000 IP and 5000 MAC addresses, then these 5000 will generate 1 Mbits / sec per second ? That's already 5 gig .... Don't worry, I get it, even if 5000 portal users are realty connected, far from 5000 are actually active. @yogendraaa said in Captive portal making WAN gateway losses in 2.7.0: WAN gateway showing losses This doesn't say much. Losses = the gateway (WAN) monitoring tool sends a ping every 500 ms and checks if it gets back. If pings get lost, no big deal. If other, 'user' traffic gets lost, that indeed not good. But dpinger (the monitoring tool) can not know that. What does the Status > Monitoring (WAN) show you ? And sorry, I just gave you more questions, not really solutions.

Update: I tried to use NPS on server 2016 as RADIUS server just now, it works. Pfsense version is 2.7.0, RADIUS MS-CHAPv2 .

@Gertjan Thank you, I did as you said, it works in 2.7.0 too!

Yes, you can use LDAPS authentication. You need to add LDAP authentication server in System / User manager / Authentication servers, select "SSL/TLS encrypted" in Transport option. You may test it using Diagnostics / Authentication. Then select the LDAP server you added in your captive portal settings (Authentication Server). As I recall, if I use Domain\Username or Username@Domain as user in CP login page, it will fail, but use only "Username" will be OK.

@johnpoz said in Secure Wireless Hotspot rule with IPv6: You could put in a redmine.. https://redmine.pfsense.org/issues/14948 Hope I done it right.

@MiguelGon17 Can it be done with the pfSense GUI, filling in some fields and done : No. pfSense by default doesn't use or include MySQM (maraidb) support. Although, as soon as you install (no need to use it) the pfSense Freeradius package, PHP MySQL client support will be loaded. Your question is known already, and there are answers, even solutions, just use the search button (look above) and search in the Captive portal forum the word MySQL. It all boils down to : make your own captive portal login page, and upload it into pfSense. Edit/modify the pfSense support 'code', PHP scripts actually, most probably /usr/local/captiveportal/index.php and /etc/inc/captiveportal.inc so you can 'get' to the records entered by the portal visitor, and do with them what you want, like : sending them to a mysql database. This : Collecting Users Data for Marketing (Email, Phone Number, Name) is of course forbidden in most civilized countries ;) Most users that are willing to enter some information, will use fake names, phone numbers, mail address etc. You could say : ok,; I'll send a sms with a random 6 digit code to the phone number, and the user has to use this code to validate the info. And the same thing for the entered email address, but at that moment, the user can't access his mail account as the portal isn't open yet. So, yes, of course, it can be done. The question will change very soon : are you willing to do this ? Support this ?

@bokikay Can you tell something about the circumstances ?

@Gertjan To update! I restarted the system and it worked. Thanks for all the support.

@Gertjan Yes, it turns out a whole trip to the theater. Also, it turns out that the problem is solved, the solution (in my case) is found, published. Maybe it will help someone. Thank you very much! As for DNSBL - perhaps I will create a new topic.

@owenv said in Image URL in captive portal not showing: I’ve added the domain name AWS bucket as a host name but even with this the image won’t show Connect to the portal without identification. Can you use / visit / see the AWS rule now ? Keep in mind : a firewall doesn't use URLs or host names for that matter : it only understands "IPs" so if you use a host name, it should be present listed in the allowed host names and now you have to hope that the IP (only one IP !!) it resolved to is the correct one (AWS is typical for using a lot of IP addresses, not just "one"). See here : Allowed Hostnames - the first Note.

@des000 said in Captive portal and subnet: want to transform dd-wrt into an ap [image: 1697433202309-4760f5b0-081a-40eb-a817-de3b34fc97bb-image.png] Disable WAN. Give it a static IP, like 192.168.2.2 / 24 Gateway and DNS is 192.168.2.1 - my captive portal pfSense interface. Shut down the DHCP server. You might even assign the WAN port as anther LAN port, if needed. I've 4 of these (192.168.2.2 -> 192.168.2.6) Btw : Wifi network security : [image: 1697433519693-3f2fe97d-3986-4a01-9b39-7a742a913f73-image.png] Pretty rock solid.

https://forum.netgate.com/topic/183222/how-to-use-the-pfsense-name-instead-of-the-ip-address-in-http The same purpose

Thank you for this feedback. Correct me if I'm wrong but the normal process for the captive portal is as follows (on Windows 10 22H2) : step 1: action of connection to public wifi step 2: the PC obtains an IP address from DHCP step 3: the Windows system attempts to connect to a url "www.msftconnecttest.com" with the LNASvc service (NCSI probe) step 4a: the captive portal "captures" the previous HTTP connection attempt and opens the default browser. The captive portal login page opens. step 4b: launch the browser by entering an HTTP URL and the captive portal page is displayed My problem is that step 4a is not done. The default browser does not open. Unlike I can successfully perform step 4b. The fact that the browser does not open is a problem for BYOD. We cannot configure user devices... I don't know if this is a problem related to PfSense...but in other establishments, it works with the same configuration...

@wendel_gt 2.6.0 is something of the past. It had its issues. For example, it had an issue with UDP, which was solved a couple of day later. "But who uses 2.6.0 these days ?" Take a look at the rule I showed above : if you are connected (authenticated if needed) to the portal, then pfSense isn't blocking you. If you have non-default settings or a non common setup, please detail them.

@stevencavanagh Try these settings : Use pfSense using default settings : nothing altered or added by you. Your device ; use default settings, so nothing altered or add by you. Example : You could set up your device to use a DNS like 8.8.8.8 instaed of the DNS you got from pfSense. That great, your choice. But now the portal doesn't work anymore, as their is no DNS available until the portal gets unlocked (and for that to happen DNS need to work) : chicken and egg problem. Another example : You've set up your browser to use DoH. That great, your choice. Free world and so. But now the portal doesn't work anymore, as their is no DNS available until the portal gets unlocked (and for that to happen DNS need to work) : chicken and egg problem. Etc.

@Gertjan I've implemented pfSense on VmWare VM, with one nic(lan) on WiFi VLAN to provide captive portal for wifi client, and the other nic(WAN) on my lan network.

@goldsoft said in I am using a self-signed certificate. HTTP is working fine, but HTTPS is not.: My certificate is the one that comes with PFSENSE If you had a web site with a self signed certificate, yo would see the same issue : the browser would complain, as the certificate was signed by 'some one' that isn't on his 'trusted signer list'. When you visit pfSense GUI using the build in auto generated certicate, you saw the same thing. Easy solution : import the cert into your web browser cert store, and now its trusted. The thing is : a captive portal, typically, is used for visitors, and you want them to be able to use your wifi. With a self signed certificate, they should accept your unsigned cert first, or they have to import the cert .... and this is way to impractical. If you want to use https : get a domain name, and use that domain name to get a trusted certificate with the help of the pfSense package "acme". Btw : the https login page is only protecting the login page. As soon as the user is logged in, every site he'll visit on the internet is using https anyway. Mail comes in also over TLS. I'm using https for my captive portal (a hotel) because its more serious to show "https://portal.hotel-brand.tld" with a nice padlock an no browser complaints, as a login URL as is "http://192.168.2.1/...." ( Yes, I won (rented) "hotel-brand.tld") You could do this.

@aminbaik Captive portal, or not, you should know who connects to your network. Portal users : you gave the login credentials, right Next time : when give them the login, ask them to give you their device's MAC address. With the MAC, you can set up a "static DHCP Lease" and from that moment, when a user (person) connects, you == actually : pfSense, will know who it is. => or observe the pfSense log Status > System Logs > Authentication > Captive Portal Auth and yo can see what 'login' uses what MAC (and IP) addresses. => Or look at the Captive Portal Status Dashboard widget. With the IP you (== pfSense) can do what is called policy routing. Captive portals make often use of policy routing, as you do not want the un trusted portal users using your WAN IP. Image these users use infected devices, you'll be having troubles. See this example. I'm using the captive portal for a hotel, and I should (as I'm actually not doing it right now) route my captive portal users over to a "VPN ISP". Using a VPN for them can gibe issues, as, for example, Netflix usage could be impossible. The choice is up to you.