Captive Portal Hard Limits
-
@tmtechonline yes, exactly
also, a few things you need to know :
-
since you are thinking about making your own script, you may want to have a look at the pfSense source code. You should check:
- the captive portal login page seen by visitors
- the captive portal edit settings page on pfSense GUI
- the captive portal include file that contains lots of useful code used by the two pages above.
-
pfSense is running a modified version of PHP, multiple functions have been created in order to send ipfw commands. These functions have been implemented in C++ and directly communicate with the FreeBSD kernel using low-level procedures (IP_FW3 sockets), for speed improvement.
-
-
@free4 thanks for your kind help. I will look into it and see what I can do though I am not really focused on development.
If there's a command/short script that would simplify getting the unauthenticated user and then disconnecting it after 15 minutes even running it on cron then that will be very helpful.
Thanks again.
-
@tmtechonline said in Captive Portal Hard Limits:
I just completed setting up captive portal and immediately the issue I saw is that once Hard Timeout is set, it disconnects all users.
That's as documented :
@tmtechonline said in Captive Portal Hard Limits:
somehow Unauthenticated users only
Unauthenticated devices can be connected to the portal network, but the gateway is not available for them.
What's the use of having a device being connected ? There are no firewall rules for "I just completed setting up captive portal and immediately the issue I saw is that once Hard Timeout is set, it disconnects all users. I thought or disconnecting somehow Unauthenticated users" so there is nothing to do for them on pfSense.
Are you using the portal using the Authentication Method set to None ?
-
@Gertjan said in Captive Portal Hard Limits:
@tmtechonline said in Captive Portal Hard Limits:
I just completed setting up captive portal and immediately the issue I saw is that once Hard Timeout is set, it disconnects all users.
That's as documented :
@tmtechonline said in Captive Portal Hard Limits:
somehow Unauthenticated users only
Unauthenticated devices can be connected to the portal network, but the gateway is not available for them.
What's the use of having a device being connected ? There are no firewall rules for "I just completed setting up captive portal and immediately the issue I saw is that once Hard Timeout is set, it disconnects all users. I thought or disconnecting somehow Unauthenticated users" so there is nothing to do for them on pfSense.
Are you using the portal using the Authentication Method set to None ?
I am using authenticated users local database and the setup allows initial users (unauthenticated) to connect until hard limit is reached and will be disconnected and prompted to enter username/password or voucher.
Using the hard timeout disconnects all users both authenticated and not. What I just wanted to do is disable hard limit and manually or thru script get unauthenticated users where logon times is 15 or more minutes will be disconnected and will be required to enter username/password or voucher.
-
@tmtechonline said in Captive Portal Hard Limits:
unauthenticated users
Who are these ?
Are they shown on the captive portal page ?
-
@Gertjan yes, those users will be shown in Captive Portal status Active Users.
-
You are using :
?
edit : if so .... open /etc/inc/captiveportal.inc - locate 3600 (there are two of them) - change them for 60. Now the "Waiting period to restore ..." will be in minutes, not hours.
Btw : I didn't test.
-
@Gertjan said in Captive Portal Hard Limits:
You are using :
?
edit : if so .... open /etc/inc/captiveportal.inc - locate 3600 (there are two of them) - change them for 60. Now the "Waiting period to restore ..." will be in minutes, not hours.
Btw : I didn't test.
Hi @Gertjan That is for the reset of the unauthenticated account which means after an unauthenticated user has reached the limit, user will just have to wait minutes and they will have access again.
What I need is to:
- Determine who are the unauthenticated users
- Get the login times of those unauthenticated users
- once the login times equals or more than 15 minutes, then I will run a command, batch or script which will disconnect those unauthenticated users.
This is nowhere available in CP settings.
My current settings are:
Idle Time: = 15 (minutes)
Hard Time out = 0 (hour/hours meaning disabled, if enabled by inputting 1 or more hours, that would mean after that hour, all users (Authenticated, Unauthenticated and Voucher Users) will all be disconnected so I have to put 0 since I don't want all to be disconnected.)
Pass-through credits per MAC address = 1 (I just need unauthenticated users to be allowed to access once and after that they will be prompted to use username/password or voucher key.)
Waiting period to restore pass-through credits = 24 hours (since I wanted an unauthenticated user to be able to access the CP without authenticating after 24 hours.)
Hope this makes sense :)
So to tackle, first, what command in console I use to find unauthenticated users in CP? I have tried IPFW LIST ALL but it shows all connected users but only showing MAC info where user unauthenticated or authenticated is not shown.
-
@tmtechonline said in Captive Portal Hard Limits:
IPFW LIST ALL
will not work.
Command line commands can't be all capitals : check here :
https://docs.netgate.com/pfsense/en/latest/captiveportal/captive-portal-troubleshooting.html#ipfw-tables
Try :
ipfw table all list
I'm pretty sure these 'clients' are in the table called "xxxx_pipe_mac" where xxxxx is your captive portal zone name.
Also : there are close to no CLI commands to do what you want. pfSense is GUI based.
There are no (or very few) CLI possibilities.
But, with some scripting there is no limit about what can be done.
-
@Gertjan Thanks for your quick reply and really appreciate your help here.
I tried that command too but as mentioned I cannot determine which is unauthenticated using that.
Not that good in scripts, will you be able to draft me just a general function to search the unauthenticated and I can probably find my way in between?
-
The good news :
The captive portal is just two files.
/usr/local/captiveportal/index.php
and
/etc/inc/captiveportal.inc
The bad news : you have to read and understand the whole thing - only then you will know what needs to be done that fits your needs.
-
@Gertjan Got it! So as my last hope to finding a solution to my needs, can you help me out how will I be able to query CP DB and list its contents using console?
-
Yep.
Make a file with this in it :
```php
#!/usr/local/bin/php -q
<?php
require_once("/etc/inc/util.inc");
require_once("/etc/inc/functions.inc");
require_once("/etc/inc/captiveportal.inc");

/* Read in captive portal db */
/* Determine number of logged in users for all zones */
$count_cpusers = 0;

/* Is portal activated ? */
if (is_array($config['captiveportal'])) {
	/* For every zone, do */
	foreach ($config['captiveportal'] as $cpkey => $cp) {
		/* Sanity check */
		if (is_array($config['captiveportal'][$cpkey])) {
			/* Is zone enabled ? */
			if (array_key_exists('enable', $config['captiveportal'][$cpkey])) {
				/* captiveportal_read_db() reads the zone named in $cpzone */
				$cpzone = $cpkey;
				$result = captiveportal_read_db();
				/* Dump every session row of this zone */
				foreach ($result as $cpentry) {
					print_r($cpentry);
				}
			}
		}
	}
}
?>
```
Execute like this : php -q test.php
-
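The selection step asked about in this thread (pass-through sessions that have been open for 15 minutes or more), as an added example that is not from any poster or from pfSense itself. The key names `allow_time`, `username` and `sessionid`, and the literal username `unauthenticated`, are assumptions to confirm against the `print_r()` output of the script above; the rows here are constructed so the file runs without a firewall.

```php
<?php
/* Added example, not pfSense code. The key names and the "unauthenticated"
 * username are assumptions: verify them against your own print_r() output. */

const MAX_UNAUTH_SECONDS = 15 * 60;

/* Return the pass-through sessions that are at least $maxage seconds old. */
function expired_unauth_sessions(array $rows, int $now, int $maxage = MAX_UNAUTH_SECONDS): array
{
	$expired = array();
	foreach ($rows as $row) {
		/* Skip malformed rows instead of treating them as expired. */
		if (!isset($row['username'], $row['allow_time'], $row['sessionid'])) {
			continue;
		}
		/* A non-numeric start time would cast to 0 and look very old. */
		if (!ctype_digit((string)$row['allow_time'])) {
			continue;
		}
		/* Strict comparison: only the pass-through pseudo user is selected,
		 * so local-database and voucher sessions are never touched. */
		if ($row['username'] !== 'unauthenticated') {
			continue;
		}
		$age = $now - (int)$row['allow_time'];
		if ($age >= $maxage) {
			$expired[] = $row + array('age' => $age);
		}
	}
	return $expired;
}

/* Constructed sample rows (not real portal data). */
$now = 1700001000;
$rows = array(
	array('allow_time' => '1700000000', 'ip' => '192.0.2.10', 'username' => 'unauthenticated', 'sessionid' => 'aaaa1111'),
	array('allow_time' => '1700000500', 'ip' => '192.0.2.11', 'username' => 'unauthenticated', 'sessionid' => 'bbbb2222'),
	array('allow_time' => '1699990000', 'ip' => '192.0.2.12', 'username' => 'alice', 'sessionid' => 'cccc3333'),
	array('ip' => '192.0.2.13', 'username' => 'unauthenticated', 'sessionid' => 'dddd4444'),
);

foreach (expired_unauth_sessions($rows, $now) as $s) {
	/* On the firewall, this is the point where the session identified by
	 * $s['sessionid'] would be handed to the portal's own disconnect routine. */
	printf("%s %s open for %d s\n", $s['sessionid'], $s['ip'], $s['age']);
}
```

To use it from cron, replace the constructed `$rows` with the per-zone result of `captiveportal_read_db()` from the script above and `$now` with `time()`.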