@Gertjan

Yes, it turns out a whole trip to the theater.😊
Also, it turns out that the problem is solved, the solution (in my case) is found, published. Maybe it will help someone.

Thank you very much!

As for DNSBL - perhaps I will create a new topic.

@Chooks said in Captive Portal not redirected after successful login:

I'm using the latest version.

23.05.1 ?

This :

3c06064e-e679-421e-b8ef-8ae0286e7c88-image.png

looks like the OS - or program - knows or suspects that the device hasn't a direct Internet connection.
It's part of the portal detection.
Normally, the GET (www.example.tld)/connecttest.txt should return a 'page' like this one that shows the word (for example) "Success.".
If it doesn't, because another page came back : the pfsene captive portal login page, the OS should pop up a message, notification, or even a browser directly in front of the user.
If it doesn't do that ... well ...

After successful portal login :

d7c6be7a-64af-4e2d-88fd-3c4917acbd46-image.png

192.168.2.6 - - [07/Jul/2023:08:19:56 +0200] "POST /index.php?zone=cpzone1 HTTP/2.0" 302 0 "https://portal.brit-hotel-fumel.net:8003/index.php?zone=cpzone1&redirurl=http%3A%2F%2Fcaptive.apple.com%2Fhotspot-detect.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148"

302 = Redirect.
You can also see the URL parameter "?zonecpzone1&redirurl=http%3A%2F%2Fcaptive.apple.com%2Fhotspot-detect.html" see the "http://captive.apple.com/hotspot-detect.html" :

b8693d06-cfb9-4078-b69a-94e313943dd0-image.png

Because I've set :

9582e267-23f6-4b26-a378-ec51189fede9-image.png

I was take to https://www.google.com/
If my "After authentication Redirection URL" was empty, I would see the

fd83eba8-4ed9-4cab-ab1f-c7778b48ea29-image.png

and that's a bit stupid.
But correct my iPhone wanted to go to that page (that page because it uses it to detect the prence of a captive portal). When the captive portal authentification was done, it will show the page. My phone is now happy : the device has a working "Internet connection".

Look at /usr/local/captiveportal/index.php - that is the page PHP that shows the login page. But it does more then that. See /etc/inc/captiveportal.inc tells the whole (rather complex) story.

@adnan97

From what I recall , these issues were solved with patches pfSense package ages ago :

4dcf0368-291d-486f-9000-c36f26764e2e-image.png

The bad news : you have to dig them up, here, in this forum or redmine.
The good news : 2.7.0 - coming out soon - will take care of things.

I was using 2.6.0 quiet long time, and issues (important to me) were solved after some forum interaction.

@lucas-2 said in Captive portal does not load google account authentications:

Google's hosts are all allowed, and so is authentication with Google's IP allowed, in the "Allowed IP Addresses" settings.

Check blog post again. No need to allow hosts.
Freeradius, running on pfSense, can access freely all IPs on the Internet, as it is just an outbound connection over WAN.

Netgate's blog post is written with pfSense 2.6.0 (or 22.05 Plus - identical I guess) and it should work.

@gertjan very interesting. Thank you for this.

I was on a few 'premier' captive portals recently - American Airlines/GoGoInflight and a large state university - and I realized that they don't use the 114 option either. It's easy to break the Guest Wifi workflow though with iOS and Mac; just ignore the window the first time. Their Captive Portals don't redirect https either - so you have to know neverssl.com or something similar to get back to the portal.

Returning to the solution and discussion: setting the iOS device to see the 114 option is super easy. However, after I do my auth - the iOS requests again to the url, but now I have no context. I guess this is primarily because the IP address is forwarded from the pFSense. Even if I use Tailscale or Wireguard to get all the devices on the same network - pFSense / Netgate box is forwarding the request, so I can't tell who is coming in based on the iP address, nor mac address.

Am I missing something? After you got the 114 login portal working, how did you redirect the iOS device to a 'captive: false' json? I'm missing that part.

@osbhutan even when it just moves AP but its the same ssid? That sure seems problematic for more than just a couple of reason.

Can't you just turn that off - I have it off my my home wifi connections.

@bogusexception said in pfSense Captive Portal on VLAN with Unifi WiFi APs... ...oh my!:

@stephenw10 Sorry I wasn't clearer. Most like brevity and complain when there are details. The following use case is strictly for the VLAN operation desired:

Employee see AP's SSID, "Team" for example. They enter the known password, known by all team peeps. They are presented with the CP (captive portal) challenge for user & pw from pfsense. They have their own user & password on pfSense, and use it to get past the challenge. Once successful, they are on their own, with traffic restricted at pfSense using VLAN firewall rules, like the other VLANs.

Now for each of your questions:

Do you mean simply entering the wifi pass key (WAP2/3)?
Yes. Steps 1 & 2 above.

Or are you using the Unifi captive portal for that?
I was/am not aware that is an option-that is, only entering their unique creds when connecting to AP. I'm fine with that!

If it's the latter then serial captive portals could be a problem.
I see what you mean, like cascading them. No, none of the incomplete/outdated examples I found do that.

Really, as long as each user can log onto the network (VLAN 20) via WiFi, i is a win. I just picked the closest examples I could find, and none are working as the OPs say they do.

P.S. Not that it should matter, but there is no addressable switch in this scenario: just a pfSense box with 2 physical interfaces, and a few APs. They just have user access group restrictions more involved than most.

I hear you can't use the LAN interface if there are VLANs on it by some, but at the moment I can't get the CP credential challenge page to come up once they log into the AP's SSID that matches traffic for VLAN 20.

Seems overly complex, thought about using wpa2-enterprise & freeradius ?

@danicavini
Thanks, i will try it !

@undrblack

Without knowing the details :
When you remove the 'virtual' part, that is : running pfSense with 3 real networking interfaces, bare bone, your issue will be gone. I can imagine the vitual interfaces / switch can be set up many ways, some of them could be wrong ?
See also Virtualization ! if you have a Windows 10 (Pro) orMS SErver : use the build in Hyper-V : I've one running iwth Hyper-V, and it works fine. There is a detailed step by step setup guide in the doc.
When a client connects to the Wifi, can you see the DHCP server log 'lease' attribution on the right interface ? What was the IP/mask/gateway/DNS received on the client ? That info should correspond to with the pfSense portal NIC.
pfSEnse doesn't handle the the AP <=> Client radio (wifi) connection.
if the AP is an AP and router, the pfSense portal only sees the IP and MAC of the router, not the IP and MAC of the clients. Ones a first client is logged in, all the others will pass without seeing a login screen.

@qssysadmin

How does your question relate to the captive portal ?
( you posted in the captive portal section of the forum )

A reboot is always mandatory as you changed the kernel version (a kernel can't be reloaded in place).

@qssysadmin said in Pfsense 2.6 Captive Portal does not allow vpn connection established:

ping for example to 8.8.8.8 is blocked

Not an issue.
8.8.8.8 replies to DNS requests. No need to ping it.

@qssysadmin said in Pfsense 2.6 Captive Portal does not allow vpn connection established:

I put a firewall Rule on the LAN Interface which allows all traffic from internal to external

The default LAN firewall rue permits everything. No extra rules needed.

@stephenkwabena

I placed a feature request. I do hope that it will be available soon.

@mbunal merhaba AP'lerde ağ için parola tanımlaması yaparsanız ağa bağlanmak isteyen her cihaz için önce wifi parolası girilmesi istenir sonrasında captive portal ekranına girerek oturum açmaları istenir. eğer ağlara bağlanan cihazlar aynı ise captive portal üzerinden mac adreslerine tek tek izin verebilirsiniz.

@gertjan said in Pfsense captive portal does not show on IPhone !!:

They don't care about de local castle from the 14 century.

heheh - I don't know when I was on business trips my favorite part was taking in the local history and stuff to do. This was mostly the local tavern ;) But still - hehehe

I spent a bit of time in Tulle on multiple occasions.. I had a couple of fav watering holes there.. One of my favorite spots was a little place tucked away on a side street, loved to sit outside and just watch the people going about their business and enjoy a few beers..

It was across from the cathedral there, and believe that was from the 14th century ;)

Your customizing, right ?

Use https://pfsense.yourlan.tld/system_usermanager.php as an example.

Normally, when you use a page like "https://pfsense.yourlan.tld/system_usermanager.php" you should be logged in.
But, as you create your won "user edit" page, you could throw away that need. Just borrow (copy) the code you need to update the user's settings - the 'saving part is happening after the line that says :

if ($_POST['save'] && !$read_only) {

Something like : have to look up the user ID first, and if it exists, compare the old password with what the user entered (first "old" password box) and if there is a match, update the user's password with what he entered in the "new" password second box.
This way, you allow only known users to change their own password.

https://forum.netgate.com/topic/97205/template-roll-printer-with-options-for-2-2-6-2-3-2-3-4-2-4-0

Hi,

@emad said in Nginx "404 Not Found" Error after POST action to "$PORTAL_ACTION%2quot;:

So, do I miss knowledge with CP behavior or should I modify something?

You might as well check (== read and understand what happens when and why etc) this file /usr/local/captiveportal/index.php
It's the file that's get 'executed' when a users is redirected that the portal login interface.
Read that file carefully - and also check this one : /etc/inc/captiveportal.inc which contains all the functions.

For instance, you'll find why/where/when a string like $PORTAL_ACTION$ is replaced by the correct URL before getting send to the client.
Throwing $PORTAL_ACTION$ at the client's web browser who throws it back to the captive portal web server will produce 404 errors.

Issue created: https://redmine.pfsense.org/issues/10798

@dochy said in Windows RADIUS Server:

we are still waiting for that manual please

Like these : microsoft nps ?

You'll find the Documentation under Additional resources.
Remember : this isn't open source and a Microsoft product. Manuals are most probably copyrighted.

@Gertjan shodan.io is a service that scans the internet for known exposure and for vulnerabilities

i remember you are french, so I link you here a video in French on the subject https://youtu.be/SxjmOFBtsvk

Thanks dear for your kind reply. I solved my problem that I created another portal to handle the pfsense CP pages to the users and now everything is going perfect EXPECT I need to add a code to my logout page to get the close event from the pages with a warning message to the users that "if you close this page will be logged-out" then if the user confirm this warning message I will force the logout button before closing.
Your suggestion is highly appreciated :)

Thanks dear for your kind reply :)

This :
fd71b78d-7064-43fc-a6ee-6a3e8d963ee1-image.png

Is the 'simple' setup.

The ipfw firewall works best when it 'sees' the MAC addresses of the connected devices.
If it doesn't, well ... check our AP again : make it work as an AP, not a router. Routers hide MAC addresses for upstream routers (= pfSense). That not good if you want the captive portal to work flawlessly.

If you just want a count, you can use the script that is there for RRD:

/usr/local/bin/php-cgi -q /usr/local/bin/captiveportal_gather_stats.php '<zone name>' 'loggedin'

/usr/local/bin/php-cgi -q /usr/local/bin/captiveportal_gather_stats.php '<zone name>' 'concurrent'

@Gertjan Other one are missing,

because of google being blocked in china, cellphones and multiple chinese garbage browsers (360browser, etc...) are usually using one of these URL:

https://connect.rom.miui.com/generate_204 (Xiaomi) http://www.qualcomm.cn/generate_204 (Huawei) http://www.265.com/generate_204 (Google Chrome, Asus cellphones. This website is owned by google)

I also heard that nintendo devices are using http://conntest.nintendowifi.net for captive portal detection
but anyway, i don't think that's very important..

@Gertjan said in Trouble With CaptivePortal on Two VLANs in One Interface:

You are already using multiple interfaces - a VLAN is considered as a interface.

Typically, each interface has its own dedicated AP(s) - using a dedicated radio (== Wifi) setup.
A user should choose the correct Wifi SSID first to use the correct network. You can't automatize this.

I just wanted to make it happen. I was planning to redirect the user to the correct VLAN by using just one SSID. But I completely got that I can not do it. Thanks for your helps.

@free4 I still can not find an opportunity to try PacketFence. I will write down here if I can be successful on it.

@Gertjan thanks, it looks like a solid explanation for my case

@jimp Thanks, this reply helped a lot

I think I got it going. After upgrading to v.2.4.4 I downloaded the built-in portal.html and adapted it to work for me. the ones in the book didn't work.
thx for your patience with me.

Install the Patch package.
Read the Patch package manual (Netgate's pfSense doc).

Or : as you already found out, it concerns only the edit of a file, a couple of lines.
A good text editor like Ultraedit or Notepad++ and a tool like SmartFTP or FileZilla (both can handle SFTP access) and your do it as is done old fashioned way - ans still today : with your fingers. Btw : and keyboard.