MSCHAPv2 uses a server side digital certificate. With this certificate it creates a secure tunnel. Inside this tunnel it uses CHAP or even PAP authentication.

Hopes this helps. Otherwise google RADIUS + MSCHAPv2. There is alot of information about it.

config.xml, as everything else. Do NOT mess with stuff via command line, everything will get lost on reboot. Backup the config, edit and restore.

The more characters in your character set the more bits are represented by each character.  If you reduce the character set to just 0-9 and leave everything the same, your voucher codes will be a lot longer since each character only represents just over 3 bits.

These are the codes generated with a 31-bit RSA key and just characters 0-9:

9767485071
4491872511
4010085371
7614876371
0462301741
5243682381
3307579181
5803371332
513190794
634302458

Same settings, same 31-bit key but with the following character set: 23456789abcdefghijkmnpqrstuvwxyz

wzig7z3
zamms3
qap4t54
nkrxf8
8mm4iw3
6hkyas3
saz7xh
zsinyi3
bybac33
ks7uzq

Now we'll include capitals: 23456789abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ

57TnR
tuWwW5
Lc4N93
L9cXZ
n39mK5
QEuvD5
2ugKX5
5WYvL3
ppmEr5
Mtmab

I, personally, don't think capitals are worth going from a maximum of 7 characters to a maximum of 6.

Helps to read the nifty release notes and fix your CP pages code…

https://doc.pfsense.org/index.php/2.2_New_Features_and_Changes#Captive_Portal

It'll do just fine.  Overkill is a matter of opinion.

You want a rule allowing access from LAN net  to "any" not the gateway IP.

Of course, you want to block access from LAN to anything you don't want your guests to have access to.

Having access to free software like pfSense, I can't imagine why anyone would want to run the "firewall" built into a DSL modem, but that too is probably a matter of opinion.

Sorry for the noobness, but I'm trying and the documentation references here are minimal, most to buy the book if you want anything detailed(which I don't like)…

Hmm.  There are plenty of Captive Portal setup walkthroughs available.  From what you've described so far, it's a simple firewall rule problem.

https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting

doc.pfsense.org.  Charge: $0.00

As noted above, there is no IPv6 support in CP. (Also, I don't create any "default" any->any IPv6 rule on CP interfaces, so the traffic will get blocked by pf no matter what ipfw does.)

@Ferry:

….
i disabled dhcp in my linksys router

It's not an idea. It was the only solution.

If the DHCP server on AP was running then your clients could get a IP that the portal didn't assign. That is NOT good. But, never ever the client can pass the portal interface. It would mean that a client could assign himself an IP (static IP) in the net mask of the portal interface, and he would have a free ride.
No way.

If a second clients can pass through  the portal right away after a first client did login (with a password, voucher, whatever) then all your visitors are using the same IP and MAC. This means that your AP is in router mode.

You probably deactivated the "router-mode" of you AP.
That's why every thing works now as advertised  ;)

Thanks a lot.How can I use radius proxy?I did not find any instruction.

Thanks @Gertjan for that.  I'm actually using the stable version of squid.  I think squid3 beta is the best option for me now though I would prefer the stable version.  I actually need captive portal users to use the proxy server which we heavily do caching.  Thank you everyone!

Explain your setup more clearly.

U can limit the amount of MBs with RADIUS. Doesn't Mather if yoiu use a AP or not.

Just keep in mind that CNA might not support 'javascript'.

When the portal page doesn't come up it is almost always:

HTTPS set as browser's home page (go to a regular http site - just type 10.10.10.10 in the browser or something)
DNS (usually static DNS servers in the client even though they're DHCP)

Find out what port your portal is on and try connecting directly to that.  (eg http://192.168.10.1:8002)

in this moment we have connected 11596 users , not all this users is online simultaneously.

Thanks.  That still doesn't make it entirely clear that your port 8000/8001 portal is going to be changed to 8002/8003, etc.

Hello Gertjan!

Thanks for the reply.

with squid non transparent I am sure downloading continues after disconnecting via CP. In transparent squid everything is ok.

I am using pfsense 2.0.3 only because in this version I can use non transparent squid with CP login option as using non transport squid I can block https traffic and also able to cache https traffic.

@ermal:

You are sure this is still true on 2.2?

Not sure if MAC passthrough is still slow when new users join and there are already thousands in the list, but just allowing them through, the database appears to be cleared on reboot.