@kabeda said in Is voucher in url still available?:

I still don't know

So you know what you're looking for.

$_GET['voucher']

Open source ... heard about that one ?
So, go here : https://github.com/pfsense/pfsense/tree/RELENG_2_6_0

Then click you way to /src/usr/local/captiveportal/index.php
Look for, search, Ctrl-f "$_GET['voucher']" on that page.
It's there 😊

Next test : on your pfSense, you have the console access.
Use it.
Use option 8.

grep "GET\['voucher'\]" /usr/local/captiveportal/index.php

You'll find the same thing.

Btw : when you use vouchers, it's important that you have this https://github.com/pfsense/pfsense/blob/master/src/etc/inc/captiveportal.inc#L156 in your own portal (html) page.
You can add PHP into your html portal page.

7ddeeee5-e9a5-49bd-ba4e-c955e20eab41-image.png

Hi,
I think I finally found how to do it.

first, in
/user/local/www/services-captiveportal.php

find and add what are in remarks

if ($a_cp[$cpzone]) { $cpzoneid = $pconfig['zoneid'] = $a_cp[$cpzone]['zoneid']; $pconfig['descr'] = $a_cp[$cpzone]['descr']; $pconfig['cinterface'] = $a_cp[$cpzone]['interface']; $pconfig['language_cp'] = $a_cp[$cpzone]['language_cp']; // get the language from the config // Check if is not set then get the global language if (!isset($pconfig['language_cp'])) { $pconfig['language_cp'] = $g['language']; } // Check if is not set then get the global language $pconfig['maxproc'] = $a_cp[$cpzone]['maxproc']; $pconfig['maxprocperip'] = $a_cp[$cpzone]['maxprocperip'];

and

$newcp['descr'] = $_POST['descr']; $newcp['language_cp']=$_POST['language_cp']; // get the language from the post variables $newcp['maxproc'] = $_POST['maxproc'];

and

$section->addInput(new Form_Select( 'cinterface', '*Interfaces', explode(",", $pconfig['cinterface']), get_configured_interface_with_descr(), true ))->addClass('general')->setHelp('Select the interface(s) to enable for captive portal.'); // add the input in the form $section->addInput(new Form_Select( 'language_cp', '*Language', $pconfig['language_cp'], get_locale_list() ))->setHelp('Choose a language for the Captive portal'); // add the input in the form $section->addInput(new Form_Input( 'maxprocperip', 'Maximum concurrent connections', 'number', $pconfig['maxprocperip'], ['min' => '0', 'max' => '100'] ))->setHelp('Limits the number of concurrent connections to the captive portal HTTP(S) server. This does not set how many users can be logged in ' . 'to the captive portal, but rather how many connections a single IP can establish to the portal web server.');

then in /usr/local/captiveportal/index.php
after

header("Expires: 0"); header("Cache-Control: no-cache, no-store, must-revalidate"); header("Pragma: no-cache"); header("Connection: close"); global $cpzone, $cpzoneid; $cpzone = strtolower($_REQUEST['zone']); $cpcfg = $config['captiveportal'][$cpzone];

add

$lang = $config['captiveportal'][$cpzone]['language_cp']; // get the language from the config putenv("LANG={$lang}"); setlocale(LC_ALL, $lang); textdomain("pfSense"); bindtextdomain("pfSense", "/usr/local/share/locale"); bind_textdomain_codeset("pfSense", $lang); // apply like done by pfsense

That's all it works for me, I don't know how to show the changes with github.

@gertjan
btw, I change mode to "last login" in the captive portal setting then it work fine for me, clients should re-enter the code at the time DHCP lease.

@gertjan said in OpenVPN in captive portal:

Btw : what is your pfSense version ?

edit :

Who/where is the VPN server ?

@andoniar78 said in OpenVPN in captive portal:

Pass-through MAC

e55af6a3-4fb1-4801-bcb5-2fa953527897-image.png

If you have a device with aa:bb:cc:dd:ee:ff, then there won't be any captive portal login page, the connection will be transparent, like if there was no captive portal at all.

@gertjan said in My captive portal:

@bamb

If you enable the logout page in pfSEnse, you are only half way.
The browser on the device should also accept and show the popup window.
Guess what : most users disable them ;)

A good plan B is : have the users auto logged out if they don't use the connection any more.
Set the soft time out to 15 minutes or so.

Indeed, that is a good plan B.

@vanlier said in Captive portal shows blank page:

Here is the situation before activating captive portal:

clients connect to wifi
they get a 192.168.50.x ip address from dhcp with dns 192.168.50.254
they can browse the internet (dns resolution and internet access are working)

Important test ! Good to know.

@vanlier said in Captive portal shows blank page:

Here is the situation after activating captive portal:

clients connect to wifi
they get a 192.168.50.x ip address from dhcp with dns 192.168.50.254
nothing happens

Using the 'default' build in login page, right ?
You can't say that 'nothing happens' : you can't 'see it', but something happened.
Every OS on planet earth will throw out a http:// request as soon as it obtained a DHCP lease.

Check here : Status > System Logs > System > GUI Service
Every OS using it own http request.
For my iPhone it's :

7e36196f-217b-4a17-9877-daf6a1b8770f-image.png

This is the page that it want to download :
http%3A%2F%2Fcaptive.apple.com%2Fhotspot-detect.html
Better known as :
http://captive.apple.com/hotspot-detect.html
Click on it and you'll see what happens.
You should see this :

001ff859-b0db-45f1-9b9e-0bc6908dd1b0-image.png

If the html page doesn't contain "Success" then the device start to presume a captive portal is might be present.
Now, the OS launches a stripped down web browser, bot the full fledged IE, Chrome, Edge, Firefox, but a small bare bone browser. It's launched with the same web destination : http://captive.apple.com/hotspot-detect.html
First, again, "captive.apple.com" will get resolved (was already found during the same test, some ms before).
Then the browser connects to the IP on port 80 (remember : http), and asks for the page /hotspot-detect.html

On the pfSense side, this "some destination IP : port 80 " request gets redirected to the internal login portal web page server on port 800x" with the help if a firewall rule (pfSense 2.6.0 : ipfw rules - the newer pfSense uses pf now).
The portal page web browser does just one thing : it redirect the requesting browser to
(your case) http://192.168.50.254/index.php?zone.....

2f7a3e58-2899-4c32-9b94-f94427ceeef0-image.png

It also adds a 'zone' parameter, and 'redirect' parameter.

The result will be of course : the captive portal login page shows up.

So : to make this work, one thing needs to work for sure : DNS.
The captive portal firewall rule works, that is for sure. If not, Netgate and FreeBSD will go out of business tomorrow.

[https://docs.netgate.com/pfsense/en/latest/troubleshooting/captiveportal.html](link url)

Btw : you already know that the 'default' pfSense 2.6.0 needs portal patches, right ?

@vanlier said in Captive portal shows blank page:

Disable mac filtering

That's of if you want to 'break' things.

@vanlier said in Captive portal shows blank page:

Set various redirect urls

https://www.google.com works fine.

@vanlier said in Captive portal shows blank page:

add firewall rule allow any any on interface "guest"

The GUI firewall rues ? None is needed (I guess ?), the authentication will still work.
But as soon as authenticated, yoy can go no where.
Use the default LAN pass all TCPv4* rule to begin with.

@vanlier said in Captive portal shows blank page:

However when opening the same page with the pfsense ip in the guest subnet (http://192.168.50.254:8002

Invalid request.
The ?zone=xxxx parameters needs to be present.

These :

7e93c7cc-43b6-4993-b5b5-f95007ac3f26-image.png

don't work for you ?

@ertegun

You just allowed (white listed) all the IP addresses, starting from 192.168.60.1 to 192168.60.254, or, the entire /24 network. Your entire captive portal network ?

All these devices that get an IP in that network assigned, will pass through the portal without seeing any login page or what so ever.

You might as well shut down the captive portal completely : that works also great.

The issue (if I recall well - 2.6.0 is a long time in the past for me) was : pfSense 2.6.0 only passes TCP traffic, not ICMP, neither UDP. That was a big bug, and breaked a lot.

As said on the first line, above :

@moelharrak said in Captive portal block whatsup:

After upgrade to 2.6 captive portal is blocking whatsup (audio and video, chat works fine), I did test other app like instagram and it's works fine.
when I disable the captive portal, whatsup goes back to work normal.

See also : UDP/ICMP is not working after upgrade to 2.6.0

I guess it's still a question of : install the System patches package, then apply all the patches listed in this package.
Done.

@gertjan I understand. When I mentioned that I preferred a minimum downtime of 15 days, it is because I see no sense in users logging in daily, since they already belong to the institution. In the case of a hotel it is different, because people stay for a few days and leave. In my case, I wanted sessions to be disconnected only when users took vacations or I no longer belong to the institution.

Anyway, now I understand the process. Now I'm just going to decide which way to go. Thank you very much for the clarification !!!

I've found the time to check the scripts in the new 2.6.0 version. I cannot edit the OP anymore (due to limitations from netgate).

Update (18/04/2023):

2.6.0 Version (credits to FSC830 for the require_once fix)

Voucher-Template-Printer-2.6.0.zip

@cxcx_avjj

Hummm.

After a success login, I simply redirect the user to the known :

95300287-8e35-4a7f-823b-a26585729c92-image.png

as that would make the user understand he is 'online'.

But I could also redirect to a "home made", locally available web page, like the portal login page.
This file should be uploaded with the Services>Captive Portal>CPZONE>File Manager
Be aware : the prefix "captiveporal-" will get prefixed.

Take a look at what this button shows you :

c3c27d9a-d1d4-4fb1-9c2d-c7c7bc0515fc-image.png

You will see the login page.
And more important : the URL used, with the port number, as it is not port 80 (http) or 443 (https). Probably a 800x port.
And the zone ID used with a parameter called 'zone'.

So, this is posisbile :
ec125b9e-23a2-4703-86f7-640e3760853a-image.png

Where :
https://portal.yourzone.tld = your captive portal URL - I'm a https access
:8003/ The port of this 'cpzone1 ID access
captiveportal-recap.html My home made file called 'recap.html'
?zone=cpzone1 My zone ID of this portal zone

The "recap.html" html can have use PHP !
And because you can use PHP, and the recap.html is called with the "?zone=cpzone" parameter, you can now access whatever you want !

Take /usr/local/captiveportal/index.php as an example. You'll see how it extract the zone argument.
If, for example, you use vouchers, you can test vouchers for time left : Status > Captive Portal > CPZONE > Test Vouchers
Just take a look at /usr/local/www/status_captiveportal_test.php and you'll know how to extract the time from a given voucher.

How do you know what voucher is used ?
Well, your 'recap.html' can obtain the IP your device is using.
With this IP, and the "connected users database" (see /etc/inc/captiveportal.inc - this file is a must-read-and-understand) you can get the user login code, which is the voucher code.
With the voucher code you can obtain the time left.

Want to know what the default popup logout window does - or how to log out a user?
Again, go have a look at /etc/inc/captiveportal.inc

So, yes, the sky is the limit.
An yes, this goes beyond what you can find in the GUI.

@timboau-0 said in Traffic Quota reset period (Caravan park use):

Each 'site/user' can login using their site number and a password

Probably better to use a unique number like a reservation number.
If you use a "site" (place) then you have to deal with overlapping between clients.

Freeradius makes it possible to put a "Expiration Date" on every created user so you don't have logout ueser yourself. You can clean up the 'users' list at the end of the season, and enter new ones when reservations come in.

A reservation number would be unique, and will be invalidated when the client leaves, as arrive and leave dates are known upfront.
This will also take care of traffic quota per user : everybody uses it's own traffic quota counter

Daily traffic quotas can be reset 'every day' :

24409d3c-c3a3-4145-912c-81d6067f78c1-image.png

I have a cron task that reset the daily 'used' counter every day at noon :

8ce20f01-a374-4ca9-97cd-86af32cd6180-image.png

I may have resolved this. I had the captive-portal zone configured as
captive-portal-page-head.png captive-portal-accounting-start-stop.png
I changed Send accounting updates
captive-portal-accounting.png

Now, when I submit the SQL query,
SELECT radacctid,username,acctstarttime,acctupdatetime,acctstoptime,acctinterval,acctinputoctets,acctoutputoctets FROM radacct
multiple times, I see ( in long format again )
query name value
<int> <chr> <chr>
1 1 radacctid 1
2 1 username ec:92:de:1b:16:4d
3 1 acctstarttime 2023-03-31 15:07:43
4 1 acctupdatetime 2023-03-31 15:10:55
5 1 acctstoptime NULL
6 1 acctinterval 60
7 1 acctinputoctets 257562
8 1 acctoutputoctets 10413921
9 2 radacctid 1
10 2 username ec:92:de:1b:16:4d
11 2 acctstarttime 2023-03-31 15:07:43
12 2 acctupdatetime 2023-03-31 15:11:56
13 2 acctstoptime NULL
14 2 acctinterval 61
15 2 acctinputoctets 283941
16 2 acctoutputoctets 11085058
17 3 radacctid 1
18 3 username ec:92:de:1b:16:4d
19 3 acctstarttime 2023-03-31 15:07:43
20 3 acctupdatetime 2023-03-31 15:12:57
21 3 acctstoptime NULL
22 3 acctinterval 61
23 3 acctinputoctets 530469
24 3 acctoutputoctets 20836789
25 4 radacctid 1
26 4 username ec:92:de:1b:16:4d
27 4 acctstarttime 2023-03-31 15:07:43
28 4 acctupdatetime 2023-03-31 15:24:06
29 4 acctstoptime NULL
30 4 acctinterval 60
31 4 acctinputoctets 530469
32 4 acctoutputoctets 20838821

The accountupdatetime value increases across the 4 queries and the acctstoptime is NULL ( the session is still active ). The values of acctinputoctets and acctoutputoctets are ( monotonically ) increasing.

@turntheterribletank said in maximum daily usage time error following update to 23.01:

You're setting Accounting Interim Interval to 600

AFAIK : because I'm using accounting with my captive portal settings :

58b2ae93-2be5-4e23-9630-566a7e5921bf-image.png

Strange that you have these fields set to "0" when the same fields are empty on your FreeRadius user settings page.
I don't have these "0" parameters.

The presence of the Exec-Program-Wait = "/bin/sh /user/local/etc/radbb/scripts/datacounter_auth.sh Test daily" doesn't look good at all.
See what the script does.
Check for yourself if a file like
/var/log/radacct/datacounter/daily/max-octets-Test
exists.
If that's so, and it contains '0' then yeah, when the user logs in he will already have generated more then "0" bytes so he'll be logged out right away.

@assistenzanet95

You have some digging to do in the past, here, on this forum.
If I recall well, when 2.6.0 came out, there was an issue with the portal : only TCP was passed, no UDP, no ICMP.
Solution were posted, and there was even a system patch that came with the pfSense system patcher packge (?).

@gertjan Ahh I see, so it's not a secondary login, it's a backup login.

Thanks again for the help.

@yogi_en said in Help Needed!. Captive portal not working ( No login page ):

I didn't get any pop browser or captive portal login.

Ah, I'm curious.
What OS / what device ?

When you buy a device from here it works, and as far as I know you, as a user, can't do a thing to stop this process. As Apple checks accepting an app on their platform.
Other brands : they care less ?

Windows : I've tested 10 'home', 'pro', 11 home (burk) and 'pro'.
I even debloated them (see Youtube about that) and portals are recognized. That is, you still have to spot the tray notification message and act upon it.

I've seen people using some high end (consumer high end that is) firewalls/antivirus and they had set up : "only trust my home wifi network" so now their security was great ..... and moments later they want to use their device on my wifi network ....
Yeah, that was a fail .... as the device was following the original instruction : do not trust / use 'other' networks. So they went for the Hall 200 problem : do not give automates conflict instructions, as they will bite (the example : kill) you.

@yogi_en said in Help Needed!. Captive portal not working ( No login page ):

I even tried a local url http://192.168.5.25:5000

Portal firewall rules will redirect port '80' and port 443 if you use https.
So port "5000" : you hit the wall.

Use these :

6cc8be0f-9940-4ffe-bfd8-17e55af044a9-image.png

to test the portal web server.

Or, when connected to the captive portal network, as soon as you received an IP (DNS, gateway, network) : use http://192.168.10.1:8002/index.php?zone=ZONE

where ZONE is your zone ID.

Btw : http://captive.apple.com/hotspot-detect.html should also work as this is a http thus port '80' TCP request.

@yogi_en said in Help Needed!. Captive portal not working ( No login page ):

DNS server is my router 192.168.1.1 ( which I cannot ping when CP is enabled ).

I have to shave-up your definition of a captive portal.
A captive portal allows minimal interaction with itself.
If 19.168.10.1 is your captive portal pfSense interface, you can :
Do DHCP
Do DNS requests on port 53, UDP and TCP.
Port 80 (http) listens to you.
Port 443 (443) listens to you - if you've activated that
Ping the captive portal pfSense IP
You can NOT go to some other network, and that includes your local networks like 192.168.5.x

So, right, the portal works : no ping or whatever to 192.168.5.x

I just tested :
I've connected my phone to the captive portal (as the stupid thing does not accept the wifi connection without a login first).
With an phone app I launched a 100 times ping to the portal interface, that was 192.168.2.1 for me.
It replies constantly.
Then, in the pfSense dashboard GUI, I removed my phone's connection.

The ping app in my phone continued to send pings to 192.168.2.1, and 192.168.2.1 continues to reply. Or, at that moment, from a captive portal firewall point of view, my phone was disconnected.

@gertjan Do you know what I can do with it?

Here's my most recent logs by the way.
60f67b9e-a786-4435-9cfb-cf5b69c0b810-image.png

@heper I am on the latest stable version of pfsense 2.6.0

Well, I am rather sure, after about 8 years he did found a solution...🙃

Regards

@adnan97

From what I recall , these issues were solved with patches pfSense package ages ago :

4dcf0368-291d-486f-9000-c36f26764e2e-image.png

The bad news : you have to dig them up, here, in this forum or redmine.
The good news : 2.7.0 - coming out soon - will take care of things.

I was using 2.6.0 quiet long time, and issues (important to me) were solved after some forum interaction.