@Gertjan

Yes, it turns out a whole trip to the theater.😊
Also, it turns out that the problem is solved, the solution (in my case) is found, published. Maybe it will help someone.

Thank you very much!

As for DNSBL - perhaps I will create a new topic.

@Chooks said in Captive Portal not redirected after successful login:

I'm using the latest version.

23.05.1 ?

This :

3c06064e-e679-421e-b8ef-8ae0286e7c88-image.png

looks like the OS - or program - knows or suspects that the device hasn't a direct Internet connection.
It's part of the portal detection.
Normally, the GET (www.example.tld)/connecttest.txt should return a 'page' like this one that shows the word (for example) "Success.".
If it doesn't, because another page came back : the pfsene captive portal login page, the OS should pop up a message, notification, or even a browser directly in front of the user.
If it doesn't do that ... well ...

After successful portal login :

d7c6be7a-64af-4e2d-88fd-3c4917acbd46-image.png

192.168.2.6 - - [07/Jul/2023:08:19:56 +0200] "POST /index.php?zone=cpzone1 HTTP/2.0" 302 0 "https://portal.brit-hotel-fumel.net:8003/index.php?zone=cpzone1&redirurl=http%3A%2F%2Fcaptive.apple.com%2Fhotspot-detect.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148"

302 = Redirect.
You can also see the URL parameter "?zonecpzone1&redirurl=http%3A%2F%2Fcaptive.apple.com%2Fhotspot-detect.html" see the "http://captive.apple.com/hotspot-detect.html" :

b8693d06-cfb9-4078-b69a-94e313943dd0-image.png

Because I've set :

9582e267-23f6-4b26-a378-ec51189fede9-image.png

I was take to https://www.google.com/
If my "After authentication Redirection URL" was empty, I would see the

fd83eba8-4ed9-4cab-ab1f-c7778b48ea29-image.png

and that's a bit stupid.
But correct my iPhone wanted to go to that page (that page because it uses it to detect the prence of a captive portal). When the captive portal authentification was done, it will show the page. My phone is now happy : the device has a working "Internet connection".

Look at /usr/local/captiveportal/index.php - that is the page PHP that shows the login page. But it does more then that. See /etc/inc/captiveportal.inc tells the whole (rather complex) story.

@adnan97

From what I recall , these issues were solved with patches pfSense package ages ago :

4dcf0368-291d-486f-9000-c36f26764e2e-image.png

The bad news : you have to dig them up, here, in this forum or redmine.
The good news : 2.7.0 - coming out soon - will take care of things.

I was using 2.6.0 quiet long time, and issues (important to me) were solved after some forum interaction.

@lucas-2 said in Captive portal does not load google account authentications:

Google's hosts are all allowed, and so is authentication with Google's IP allowed, in the "Allowed IP Addresses" settings.

Check blog post again. No need to allow hosts.
Freeradius, running on pfSense, can access freely all IPs on the Internet, as it is just an outbound connection over WAN.

Netgate's blog post is written with pfSense 2.6.0 (or 22.05 Plus - identical I guess) and it should work.

@gertjan very interesting. Thank you for this.

I was on a few 'premier' captive portals recently - American Airlines/GoGoInflight and a large state university - and I realized that they don't use the 114 option either. It's easy to break the Guest Wifi workflow though with iOS and Mac; just ignore the window the first time. Their Captive Portals don't redirect https either - so you have to know neverssl.com or something similar to get back to the portal.

Returning to the solution and discussion: setting the iOS device to see the 114 option is super easy. However, after I do my auth - the iOS requests again to the url, but now I have no context. I guess this is primarily because the IP address is forwarded from the pFSense. Even if I use Tailscale or Wireguard to get all the devices on the same network - pFSense / Netgate box is forwarding the request, so I can't tell who is coming in based on the iP address, nor mac address.

Am I missing something? After you got the 114 login portal working, how did you redirect the iOS device to a 'captive: false' json? I'm missing that part.

@osbhutan even when it just moves AP but its the same ssid? That sure seems problematic for more than just a couple of reason.

Can't you just turn that off - I have it off my my home wifi connections.

@bogusexception said in pfSense Captive Portal on VLAN with Unifi WiFi APs... ...oh my!:

@stephenw10 Sorry I wasn't clearer. Most like brevity and complain when there are details. The following use case is strictly for the VLAN operation desired:

Employee see AP's SSID, "Team" for example. They enter the known password, known by all team peeps. They are presented with the CP (captive portal) challenge for user & pw from pfsense. They have their own user & password on pfSense, and use it to get past the challenge. Once successful, they are on their own, with traffic restricted at pfSense using VLAN firewall rules, like the other VLANs.

Now for each of your questions:

Do you mean simply entering the wifi pass key (WAP2/3)?
Yes. Steps 1 & 2 above.

Or are you using the Unifi captive portal for that?
I was/am not aware that is an option-that is, only entering their unique creds when connecting to AP. I'm fine with that!

If it's the latter then serial captive portals could be a problem.
I see what you mean, like cascading them. No, none of the incomplete/outdated examples I found do that.

Really, as long as each user can log onto the network (VLAN 20) via WiFi, i is a win. I just picked the closest examples I could find, and none are working as the OPs say they do.

P.S. Not that it should matter, but there is no addressable switch in this scenario: just a pfSense box with 2 physical interfaces, and a few APs. They just have user access group restrictions more involved than most.

I hear you can't use the LAN interface if there are VLANs on it by some, but at the moment I can't get the CP credential challenge page to come up once they log into the AP's SSID that matches traffic for VLAN 20.

Seems overly complex, thought about using wpa2-enterprise & freeradius ?

@danicavini
Thanks, i will try it !

@undrblack

Without knowing the details :
When you remove the 'virtual' part, that is : running pfSense with 3 real networking interfaces, bare bone, your issue will be gone. I can imagine the vitual interfaces / switch can be set up many ways, some of them could be wrong ?
See also Virtualization ! if you have a Windows 10 (Pro) orMS SErver : use the build in Hyper-V : I've one running iwth Hyper-V, and it works fine. There is a detailed step by step setup guide in the doc.
When a client connects to the Wifi, can you see the DHCP server log 'lease' attribution on the right interface ? What was the IP/mask/gateway/DNS received on the client ? That info should correspond to with the pfSense portal NIC.
pfSEnse doesn't handle the the AP <=> Client radio (wifi) connection.
if the AP is an AP and router, the pfSense portal only sees the IP and MAC of the router, not the IP and MAC of the clients. Ones a first client is logged in, all the others will pass without seeing a login screen.

@qssysadmin

How does your question relate to the captive portal ?
( you posted in the captive portal section of the forum )

A reboot is always mandatory as you changed the kernel version (a kernel can't be reloaded in place).

@qssysadmin said in Pfsense 2.6 Captive Portal does not allow vpn connection established:

ping for example to 8.8.8.8 is blocked

Not an issue.
8.8.8.8 replies to DNS requests. No need to ping it.

@qssysadmin said in Pfsense 2.6 Captive Portal does not allow vpn connection established:

I put a firewall Rule on the LAN Interface which allows all traffic from internal to external

The default LAN firewall rue permits everything. No extra rules needed.

@stephenkwabena

I placed a feature request. I do hope that it will be available soon.

@mbunal merhaba AP'lerde ağ için parola tanımlaması yaparsanız ağa bağlanmak isteyen her cihaz için önce wifi parolası girilmesi istenir sonrasında captive portal ekranına girerek oturum açmaları istenir. eğer ağlara bağlanan cihazlar aynı ise captive portal üzerinden mac adreslerine tek tek izin verebilirsiniz.

@gertjan said in Pfsense captive portal does not show on IPhone !!:

They don't care about de local castle from the 14 century.

heheh - I don't know when I was on business trips my favorite part was taking in the local history and stuff to do. This was mostly the local tavern ;) But still - hehehe

I spent a bit of time in Tulle on multiple occasions.. I had a couple of fav watering holes there.. One of my favorite spots was a little place tucked away on a side street, loved to sit outside and just watch the people going about their business and enjoy a few beers..

It was across from the cathedral there, and believe that was from the 14th century ;)

Your customizing, right ?

Use https://pfsense.yourlan.tld/system_usermanager.php as an example.

Normally, when you use a page like "https://pfsense.yourlan.tld/system_usermanager.php" you should be logged in.
But, as you create your won "user edit" page, you could throw away that need. Just borrow (copy) the code you need to update the user's settings - the 'saving part is happening after the line that says :

if ($_POST['save'] && !$read_only) {

Something like : have to look up the user ID first, and if it exists, compare the old password with what the user entered (first "old" password box) and if there is a match, update the user's password with what he entered in the "new" password second box.
This way, you allow only known users to change their own password.

https://forum.netgate.com/topic/97205/template-roll-printer-with-options-for-2-2-6-2-3-2-3-4-2-4-0

@chinraam said in Nginx "404 Not Found" Error after POST action to "$PORTAL_ACTION%2quot;:

Can you please guide or let me know how to overcome?

I'm not modifying or editing any of the pfSense PHP files. So I have no issues neither errors.

I can't do "self registration" as I'm not allowed (and not want to, neither maintain) ask for any private info like phone numbers or email addresses.

Issue created: https://redmine.pfsense.org/issues/10798

@dochy said in Windows RADIUS Server:

we are still waiting for that manual please

Like these : microsoft nps ?

You'll find the Documentation under Additional resources.
Remember : this isn't open source and a Microsoft product. Manuals are most probably copyrighted.