• Captive Portal not Working on pfSense 2.2.2

    2
    0 Votes
    2 Posts
    741 Views
    johnpoz

    I would suggest showing us these rules and captive portal settings..  Because to be honest this is really click and it works.

    I enabled a captive portal on my dmz interface, just accepted defaults and get this page when I try to google - click continue and there is google.

    Running
    2.2.2-RELEASE (amd64)
    built on Mon Apr 13 20:10:22 CDT 2015
    FreeBSD 10.1-RELEASE-p9

    Without some info to work with it is impossible to even guess where your problem is.  And that is with my dmz rules being pretty much locked down..  Not your typical any any rule say on your lan.

    cp.png
    onlythingtouchedcp.png
    dmzrulescp.png
    cpstatus.png

  • Catch & stock CP value fields…

    2
    0 Votes
    2 Posts
    513 Views
    S

    I was planning to implement similar functionality, but decided for a different approach in the end.

    What I can say from my tests: you can create an "intermediate" PHP file that receives the form input, processes it in the way you want (send to syslog, send to database, etc.), and then calls the actual CP login page, passing the necessary fields for a login (user/password, voucher code, etc.). AFAIK, the PHP MySQL module on pfSense is disabled by default, but can be enabled via some shell commands. I was planning to send the data to a syslog-ng instance installed on the pfSense machine, which would have spared me the hassle of setting up a database, connecting to it, etc.

  • Captive Portal Logfile

    8
    0 Votes
    8 Posts
    2k Views
    S

    @Gertjan:

    The current version of pfSense (2.2.2) using its Squid package Squid doesn't work (when a captive portal is used).
    Many people - check out this forum for that - have signaled problems.

    Well, it's working fine for me. What I can see in the forums is some people having trouble with CP, but that seems to be because they didn't configure it correctly, or have other config problems. My guess is that this is where OP's problem is coming from.

    comeback1106, I think you're trying to solve the "users can access internet without being logged on" problem from your other thread, right? Maybe you should review/redo your configuration, using one of the many How-To's as a guide. Try to set up CP without Squid first, then test, then add Squid, and test again. This will probably give you more useful data than asking for a logging function that probably won't reveal anything useful anyway.

    @Gertjan:

    elaborate please.
    Without password etc, that what it does, you can't pass by it.
    Logged in users can bypass.
    Or do you mean that when you use Squid you can't bypass, whatever you do ?
    Something else ?

    CP with Squid works fine for me. I was assuming that doktornotor meant "can be bypassed" by "doesn't work", but reading his message again, this was a misinterpretation.

  • Command to disconnect all logged on users?

    9
    0 Votes
    9 Posts
    4k Views
    Gertjan

    @chowtamah:

    ….
    if I run this code it gives error; Failed setsockopt.

    Somewhere, deep down in /etc/inc/captiveportal.inc, the global variable "$cpzoneid" needs to have a valid value - related and like "$cpzone".
    This part is handling that one:

    // also surface the global $cpzoneid
    $cpzoneid = $captiveportalzone['zoneid'];

  • "Your Service has been Suspended" type of page - restricting access

    13
    0 Votes
    13 Posts
    2k Views
    Derelict

    I'm sure there are packages available for apache, maybe nginx.  You can probably use the lighttpd that runs the webgui and captive portal interfaces.

    I've never done it.  I only described how I would do it.

    I mistakenly implied the server has to be local. It doesn't have to be.  All that has to happen is all port 80 requests get redirected and there's no captive portal or anything blocking their access to the target site.  Maintaining one external web server for all the sites probably makes sense.  My post forwarded to localhost but that's just what I chose as an example.

    You can NAT the destination address to your deadbeat page (happens on LAN in) then outbound NAT can translate the source address (happens on WAN out).  All you would lose is the ability to see what source address hit your web server but who really cares.  You're just trying to make them call you, pay you, and get you to turn it back on.

  • Portal page not shown

    3
    0 Votes
    3 Posts
    744 Views
    D

    In the first place, stop sticking your CP on LAN where things like domain controllers reside. Putting CP on trusted LAN is just bad idea (TM).

    The DC should be connected to the same switch like everything else on the LAN and the switch goes to pfSense LAN interface. While the DC is routing and NATing, this will never work.

    CP goes to dedicated interface.

  • Captive Portal fails to display images

    3
    0 Votes
    3 Posts
    1k Views
    S

    You are indeed a hero member, added the MIME type and it worked straight away  :)

  • Radius Reauthenticate intermittent issue

    3
    0 Votes
    3 Posts
    773 Views
    R

    Thanks Demco.

    That does indeed fit the issue so I will try this out and see if it helps.

  • Captive portal - client isolation

    6
    0 Votes
    6 Posts
    3k Views
    Gertjan

    @Derelict:

    Note that if you have more than one AP or wired + wireless clients you need isolation in the switch.  Asymmetric VLANs can do this.  Cisco PVLAN edge is even better (easier to configure).

    Another solution exists, while still using 'no-brain' (non-expensive) switches.
    I (still) use inexpensive Linksys (Cisco now) AP's - ejected the original firmware and installed DD-WRT.

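    The secret is: use 'ebtables' (yep, that's not iptables.)

    #!/bin/ash
    # Load the ebtables kernel modules
    insmod ebtables
    insmod ebtable_filter
    # Allow broadcast frames from any source MAC (needed for DHCP)
    ebtables -t filter -A FORWARD -s 0:0:0:0:0:0/0:0:0:0:0:0 -d Broadcast -j ACCEPT
    # Allow frames from any client to the portal interface NIC
    ebtables -t filter -A FORWARD -s 0:0:0:0:0:0/0:0:0:0:0:0 -d 00:0f:b5:fe:4e:e7 -j ACCEPT
    # Allow frames from the portal interface NIC to any client
    ebtables -t filter -A FORWARD -s 00:0f:b5:fe:4e:e7 -d 0:0:0:0:0:0/0:0:0:0:0:0 -j ACCEPT
    # Drop every other bridged frame (client-to-client traffic)
    ebtables -t filter -A FORWARD -j DROP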

    00:0f:b5:fe:4e:e7  = The MAC of my Portal Interface NIC
    (DHCP) broadcasts are permitted.
    Traffic TO and FROM the portal NIC are permitted.

    These rules enforce:
    A client who is connected by Wifi on AP "1" cannot communicate with any other clients that are connected on other AP's (AP "2", "3", etc).
    All connections are only permitted TO the gateway, the pfSense Portal Interface NIC.

  • Redirect loop after successful login

    1
    0 Votes
    1 Posts
    694 Views
    No one has replied
  • Bypass Captive portal

    15
    0 Votes
    15 Posts
    9k Views
    jahonix

    @comeback1106:

    I get this, squid does not work with CP, but how can I resolve this.

    You can! Get the pfSense and squid sources from Github and start coding.

  • Change CP authentication type by time of day

    5
    0 Votes
    5 Posts
    914 Views
    J

    So I never got that process in the OP to work.
    It seems that all config data is stored in the XML config file, changing the HTML files on disk doesn't do anything.

    I then tried some other hack that involved disabling the captive portal and then re-enabling it using cron. That didn't work either.

    I just wanted a normal captive portal login during the day, and after hours, a simple page showing the AUP and a button to accept it and get online.

    But this did:

    Install and configure freeradius; create 2 users, one for normal guest access, one for after-hours access. The normal account has a password we change periodically and only give to known guests. The after-hours account has a simple password, but is restricted in radius to only be allowed to login after hours. Configure captive portal to use radius for authentication. Create custom captive portal login screen with a bit of javascript which hides an entire DIV. During the day it shows a DIV containing the normal captive portal login form. After hours, it hides that DIV and displays another one which shows a different login form, using the after-hours username/password as hidden fields, and a plain ACCEPT button. In morning, I reboot the firewall to boot everyone who might be using the after-hours login still off the guest network.

    Since the after-hours radius user is restricted to certain login hours, even if someone does a view source and gets the account info, it won't help them.

    Only downside is it relies on the time on the client being correct, but I'm willing to live with that.

    I can post the source of the captive portal login page if anyone is interested.

  • Landing Page doesn't redirect

    10
    0 Votes
    10 Posts
    1k Views
    Derelict

    When all users show as unauthenticated, your custom CP code is broken.

    That is how all users appear when the No Authentication mode is used.  Your custom page can just have them, for example, click a terms and conditions checkbox and press Access the Internet.

    It's a perfectly valid config but there's no login name to put with the CP entry so it uses unauthenticated.

  • Issue with login (event 13) using radius server from NPS

    2
    0 Votes
    2 Posts
    3k Views
    O

    Ok, well problem solved.

    Issue was I didn't put the proper interface on pfsense cp and nps radius client…

    Had to be all LAN, even though CP is to be used on the wifi... :P Login from AD works now.

  • Potential Bug in Captive Portal pfSense 2.2 when used with CARP

    4
    0 Votes
    4 Posts
    1k Views
    M

    Dear Jim,

    adding the IP to the allowed addresses does solve the problem - thank you very much! I wonder why I did not find this based on intuition, but the answer is also somewhat obvious: This was not required in the previous version and thus, one does not think about it.

    Regards,

    Michael

  • External captive portal authentication

    6
    0 Votes
    6 Posts
    5k Views
    D

    It just does NOT work that way. Please, actually read on how this works. I already linked it here: https://forum.pfsense.org/index.php?topic=93479.msg518607#msg518607

  • How to check who are currently logged in ?

    4
    0 Votes
    4 Posts
    609 Views
    P

    Sorry for not making this clear: I'm using the local user not radius for authentication

    Thank you for pointing me to the right section .. I can see who are logged in now. Much appreciated.

  • Can i set up my WLAN Network with this picture ?

    11
    0 Votes
    11 Posts
    1k Views
    Derelict

    I would not use VLAN 1 (I'd use all untagged ports on, say VLAN 2 through 4094) but that looks much better if replacing the existing firewall with pfSense is not an option and you just want to use captive portal.

  • Unable to access web interface after adding user

    7
    0 Votes
    7 Posts
    761 Views
    O

    Thank you guys. I will take a look.

  • Cannot generate Vouchers

    10
    0 Votes
    10 Posts
    1k Views
    Gertjan

    This html code https://github.com/pfsense/pfsense/blob/master/usr/local/www/services_captiveportal_vouchers.php#L510
    is present in your browser ?
    Line "510" is executed ?

    A browser cache problem ?
    The image file $g['theme']}/images/icons/icon_plus.gif => /themes/pfsense_ng/images/icons/icon_plus.gif exists ? It has the correct owner and rights ?

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.