Sorry i forgotten i dont have a domain.

I prefer the last of your potential solution.

We have an apartment house with more than 120 users with different price models. RADIUS and daloRADIUS is flexible to build customer groups. It was the best solution what I found. It really works. All other solutions have some limitations. Further daloRadius is a separate web solution which can be used by our staff without a risk.

There are some disadvantages:

You need another Linux or Windows server to install RADIUS and daloradius You need time to find out how to install. you have a further point of potential failure. I use pfsense with CARP (redundant). But if RADIUS or MySQL behind RADIUS fails the hotspot doesn't work anymore. Pfsense has no fallback to regognize a RADIUS error and pass through users in this time. I will try to replicate MySQL and to use Pfsense package RADIUS with two databases. But this needs know how.

As you see there is no easy solution with one installer software.

@bqbqr:

…
Seems like the right thing to do for keepin my user list .. no?

You can keep your user list from the 'old' XML file: It's a copy and paste thing between files ;)
XML files are human readable and have a simple structure.

raduis is a bit hard for me. i can use voucher but im using cp for public network.
i just saw in our mall that freewifi, enter portal without voucher. no authentication. just portal page "accept". and after an hour i can't login again. banned for 24hours.
thanks again.

Hi Everyone,
I have been looking for a custom logout page for 2.2.4 but I could not find one. What I've been using in my setup is this tutorial but it is only usable only for 2.1.5 "https://www.youtube.com/watch?v=xk60lg-9o3A". Can you share some ideas on this?
Thank you.

client[10.200.200.50/24]–-pfsense opt1[VLAN131 10.200.200.10/24]–-router LAN [VLAN131 10.200.200.11/24]–-rouer wan

All that is on the same subnet.  The only possible way that might work is if pfSense was a transparent bridge and Captive Portal can't work on a transparent bridge.

client[10.200.200.50]–-[VLAN131 10.200.200.10/24]opt1 pfSense opt2[VLAN130 10.100.100.10/24]–-router LAN [VLAN130 10.100.100.11/24]–-router wan

client has default gateway 10.200.200.10
pfsense has default gateway 10.100.100.11
NAT should be disabled in pfSense
router has default gateway of WAN plus a route to 10.200.200.0/24 gateway 10.100.100.10
router must perform NAT for 10.100.100.0/24 and 10.200.200.0/24

I am beginning to thing there is some kind of a db cache file in the PfSense Captive-Portal that is stuck or corrupted or not getting cleared.

That's about the last thing I would suspect.  portalauth.log should log something.  You can also run a packet capture on the portal interface and see what's going on.  You can do that from remote if you can get into the pfSense captive portal node in question.  Save the pcap, download it, and pull it into wireshark.

Hi

Thanks for your answer. Well PHP is not one of my best sides and therefore I am looking for help here. Maybe a template. I have tried
to edit the captiveportal.inc as suggested earlier in the thread but that screws up captive portal totally.
We are using 2.1.5 because we did not manage to get squid with SSL proxy to work correctly under 2.2. This works fantastic in 2.1.5 and is one of our most important functions.
So the question is still their. Can anybody give us a hint on how this could be done. In the best of worlds we would propose the pfsense team to implement this in the GUI :-)

Best regards
Toby

Thank you. In my search I could not find this answer.

yea… i dont know what to do now. Because i installed pfsense in pc because mikrotik didn't supported UDP port openvpn, but now i cant limit the bandwidth of hotspot user in pfsense.

For sure they don´t and this perhaps for ever, related to the circumstance that OpenVPN is OpenSource
Software and mostly if you or another one adopt something from this kind of software you must be serve
then this new software to the whole public again! But MikroTik is taking license fees for their software
called RouterOS, and so they don´t take all inside of RouterOS, thats the point.

If you need a really good VPN server that is accepting nearly all kinds of VPN types
you should be having a closer look on this project here, SoftEtherVPN si able to be
installed on Linux, Windows, FreeBSD and is really feature rich. Many peoples use
it in a DMZ as a VPN server with great efforts on older HP Proliant Micro Servers.

I'll probably just flash the mikrotik router with openwrt and run both thing from there. thanks for the reply

You could be taking a small MikroTik router behind the pfSense and let the MikroTik do the
queuing job for all the user limitings, its not such a big deal or?

Good luck.

@doktornotor:

Yeah, stop using the Squid patch.@new_in_pf:

when i enable  transparent mode of squid, these empty lines added to file, even i get any permission of capticeportal.inc file but this will continue to add empty lines.

Yeah, stop enabling that with CP.

https://redmine.pfsense.org/issues/4583

Now with PR to remove the "feature" and hopefully fix the screwed code. https://github.com/pfsense/pfsense-packages/pull/904

Dude, dunno. If you make vouchers with short expiration as said above and add the MAC to passthrough, it's kinda hard to share it later because it's no longer valid.

Could you send me a backup of your impacted config? Not sure what could be happening there but there's clearly something wrong. Can email to cmb at pfsense dot org with a link to this thread.

@doktornotor:

Meaning CP in general just miserably FAILS to work with Squid. Plus will itself get screwed by the Squid "integration" patch.

Hi Thanks for the information,seems got no solution for this, may be an update in the future  will…

Thanks a lot..

n3by is right.

Just activate 'Local user' login - don't add any users.
This way, users with a MAC on the list have access - others will just hit the portal ….

@uaxero:

then you mean, that functionality will no longer be present from the 2.2 release?

No, just saying in that context, lan_vip15 is no longer listed because it no longer exists.

You get redirected to 127.0.0.1, not the CARP IP, which is always how things worked. There is no need to do anything with the CARP IP there.