One Voucher Per Device



  • dear all,

    My problem is I want one voucher for one and only one device, even if I have checked disable concurrent login and enable pass-through MAC.

    This problem arose in version 2.4.4; in previous versions the pfSense CP was working fine.
    And when I unchecked disable concurrent login, one voucher works on multiple devices at same device



  • [image: 0_1540361651228_1.jpg]

    @Gertjan @Derelict @jimp how can this happen: one voucher on two devices at the same time, even if enable pass-through MAC is checked?

    And when I checked disable concurrent user login and enable pass-through MAC, then the most recent login is active, which means one voucher works on multiple devices in 2.4.4 and the 2.4.5 snapshot also.



  • @ishtiaqaj said in One Voucher Per Device:

    My problem is I want one voucher for one and only one device.

    Right now, pfSense uses the last device active. Not the first.
    So, you need to "code and test" - the question was already asked in the past, so see https://forum.netgate.com/topic/130046/disable-concurent-user-is-useless/6 for more info on what you could do to change the default behavior.

    Btw :
    @ishtiaqaj said in One Voucher Per Device:

    and enable pass-through mac

    Using this option goes against what you are asking for - I advise you not to use "pass-through mac".


  • LAYER 8 Netgate

    It's been a while since I used it but as I recall with single-use vouchers (disable concurrent logins) then if another device uses the voucher, it is the one that now has access.

    This allows people to move the voucher from device to device (like wired to wireless) without needing a voucher.

    If they give their voucher to someone else, well, I guess they shouldn't do that.

    Using pass-through MAC is a great way to grant really long-term vouchers (like weeks or months) because you don't have to worry about balancing DHCP with the captive portal timeout settings.

    If, when you enable both auto-added pass-through MAC and disable concurrent users the MAC table is cleared and replaced with the latest login, it is working as expected. You might be able to get the behavior you desire for your specific circumstance in your login page php.



  • @derelict said in One Voucher Per Device:

    If, when you enable both auto-added pass-through MAC and disable concurrent users the MAC table is cleared and replaced with the latest login, it is working as expected. You might be able to get the behavior you desire for your specific circumstance in your login page php.

    @Derelict how can I get the desired scenario on my login page? Please help me, I am not a skilled user.
    This feature was working in 2.4.3-1 and previous versions; what has changed in 2.4.4? Please guide me how to do this in 2.4.4.


  • LAYER 8 Netgate

    I am not a programmer. Sorry. You would do best to explicitly and clearly state:

    1. What you are doing (steps to reproduce)
    2. What the expected result is
    3. What is happening instead

    That would be the starting point for a bug report.

    I suggest the steps to reproduce are from a new CP instance in its default configuration with the default login page. Keep it as simple as you can to demonstrate the specific issue you wish to report.



  • @Derelict I am sorry but I didn't get it from your post.
    Please, anybody else who can help me..

    @Derelict @Gertjan just like mobile recharge prepaid cards, a person uses and throws, nobody can use this card again... but according to the pfSense new feature anybody can use the cards of others... just like my case, I am providing internet in a labor camp. The people can steal the cards of others, which causes a severe problem for me.



  • @ishtiaqaj said in One Voucher Per Device:

    @Derelict I am sorry but I didn't get it from your post.
    Please, anybody else who can help me..

    @Derelict was asking for details : your setup, info about how you want it to work.

    @Derelict @Gertjan just like mobile recharge prepaid cards, a person uses and throws, nobody can use this card again... but according to the pfSense new feature anybody can use the cards of others... just like my case, I am providing internet in a labor camp. The people can steal the cards of others, which causes a severe problem for me.

    Like credit cards : if they are stolen then that means trouble for everybody. Your client should come back to you to get a new card, you should block the old card, etc.

    I suggest for you :
    Vouchers with a real short validity time, something like 5 minutes or even less.
    The "checked disable concurrent login" isn't needed, but could be activated.
    Use also the "Pass-through MAC Auto Entry" option. The MAC (device) will have indefinite access, up to you to delete it after X time.

    What you really need is probably what has been mentioned here https://forum.netgate.com/topic/130046/disable-concurent-user-is-useless
    First time login using vouchers that sticks with that device - the voucher can't be used for any other device any more.
    As said, this option doesn't exist at this moment.

    People shouldn't hand out their vouchers to other people, and this is enforced by the fact that "disable concurrent login" will disconnect their (first) device, like not giving away their credit card.



  • @Gertjan @Derelict .
    I am giving Internet service in multiple labour camps.. my vouchers are for 30 days. As 4 to 5 persons live in one room, there is much chance they can see or steal room fellows' cards.. and for me it's not possible to delete the MAC of a stolen voucher because it's a time-consuming and unprofessional approach..
    2.4.3-1 was working well.
    I regret that I updated to 2.4.4.
    I am just asking, please provide help, a piece of code and how to do that, that would do the same.



  • @Gertjan @Derelict
    Getting no help from the forum, many days passed.
    Nobody wants to help??



  • @ishtiaqaj said in One Voucher Per Device:

    nobody wants to help??

    Because there is no answer that brings a solution for your case.
    5 people in a room that steal vouchers will steal also passwords, and if you stop this (can you ?) then they will share the same device.
    And then things will get worse : these 5 people could start thinking, and then they will find this device (15 $ at Amazon) that will connect to your wifi with one voucher (or one password/user) and knowing so your pfSense only sees the one IP/MAC of this device, so it sees just "one user". Or, this device will offer a locally generated, in the room, WiFi network that permits all 5 users to connect, and you can't see anything, so you can't do anything, except throttling the bandwidth a max. ....



  • Dear @Gertjan you are right, they can connect more devices but share the fixed speed (1mbps) so they will get slow speed. Nobody likes slow speed; definitely they will take a new voucher.



  • With FreeRadius you can also add a new limitation factor : quantity of data a day, week or month.
    When it's up, for the rest of the day, week or month the connection will be stopped.



  • @ishtiaqaj same problem for me too.. any solutions?



  • @ajmaltms said in One Voucher Per Device:

    @ishtiaqaj same problem for me too.. any solutions?

    @ajmaltms no solution got yet... using old version 2.4.2..
    @Derelict help us



  • @ishtiaqaj okay.. hope somebody will find a solution for this..


  • LAYER 8 Netgate

    Did anyone document and open a bug report?


  • Rebel Alliance

    @Derelict I don't think a bug report is needed here.... the problem seems due to settings misconfiguration. It should however be documented. I made a first pull request to pfsense Docs, I'll wait for it to be approved before making the change.

    @ishtiaqaj said in One Voucher Per Device:

    I want one voucher for one and only one device. (...) even if I enable pass-through MAC.
    This problem arose in version 2.4.4; in previous versions the pfSense CP was working fine.

    "Add connected users as Pass through MAC" is not compatible with "disable concurrent connections". Because .... well, because that's the purpose of pass-through.

    • Pass through MAC : these MAC addresses will be whitelisted. As such, they will never be disconnected
    • Disallow concurrent logins : disconnect the previous device when a new device uses the same logins

    Could you explain precisely why you are using pass-through MAC addresses? I think you should use vouchers with a very long expiration date (eg, 6 months or more) instead ....



  • @free4 voucher with long expiration date means(hard timeout ) ??...


  • Rebel Alliance

    @ajmaltms said in One Voucher Per Device:

    @free4 voucher with long expiration date means(hard timeout ) ??...

    I was thinking that you were using vouchers

    If you are using another authentication method, then you could set a very long "idle timeout"



  • @free4 yes.. I am using the voucher code method.. because I need to generate almost 500 vouchers every month..



  • I know it isn't a permanent solution, but here https://forum.netgate.com/topic/136995/one-voucher-per-device/3 I posted the link that locks down a voucher to "one voucher => one user".

    I tested that code and it worked.

    It needs some code patching .... true, but, hey, it's just PHP ;)

    A more permanent solution would be a feature request (check if one already exists first) https://redmine.pfsense.org/projects/pfsense



  • @Gertjan for this method do we need to install the freeradius package? I am not familiar with pfSense.. before, I used MikroTik for voucher generation...



  • No.
    It concerns vouchers, not an authentication against the local user database or FreeRadius (a "remote" database).

    The captive portal code that handles vouchers will disconnect an existing connection, a user that used a voucher, if the voucher is used again on another device (another IP, another MAC).
    That situation can be changed as : if a voucher is used (once) then do not accept any other connections any more while the initial user is still logged in.

    If you set the soft and hard time out rather high, no other user could use the voucher any more.
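
A small model of the two voucher policies discussed in this thread ("last login wins" versus "first login keeps the voucher") and of why the second only holds while the first login is still in the connected-user list. This is an added example, not pfSense code and not the patch mentioned in the thread; the `Portal` class, the policy names and the single hard timeout per login are assumptions made for illustration.

```python
# Added illustration: toy captive-portal session table, not pfSense code.
from dataclasses import dataclass, field

@dataclass
class Portal:
    policy: str         # "last_wins" (behaviour described in the thread) or "first_binds"
    hard_timeout: int   # seconds a login stays in the connected-user list (assumed model)
    sessions: dict = field(default_factory=dict)   # voucher -> (mac, login_time)
    log: list = field(default_factory=list)

    def _expire(self, now):
        for voucher, (mac, t0) in list(self.sessions.items()):
            if now - t0 >= self.hard_timeout:
                del self.sessions[voucher]
                self.log.append((now, "expired", voucher, mac))

    def login(self, voucher, mac, now):
        self._expire(now)
        cur = self.sessions.get(voucher)
        if cur and cur[0] == mac:
            return True                      # same device, session kept
        if cur:
            if self.policy == "first_binds":
                self.log.append((now, "denied", voucher, mac))
                return False                 # voucher stays with the first device
            self.log.append((now, "kicked", voucher, cur[0]))
        self.sessions[voucher] = (mac, now)
        self.log.append((now, "granted", voucher, mac))
        return True

    def holder(self, voucher, now):
        self._expire(now)
        cur = self.sessions.get(voucher)
        return cur[0] if cur else None

# Constructed events: (time in seconds, voucher, device MAC)
EVENTS = [(0, "V1", "aa:aa"), (60, "V1", "bb:bb"),
          (120, "V1", "aa:aa"), (4000, "V1", "bb:bb")]

def replay(policy, hard_timeout):
    portal = Portal(policy, hard_timeout)
    results = [portal.login(v, mac, t) for t, v, mac in EVENTS]
    return results, portal.holder("V1", 4000)

if __name__ == "__main__":
    for policy, timeout in [("last_wins", 3600), ("first_binds", 3600),
                            ("first_binds", 30 * 86400)]:
        print(policy, timeout, replay(policy, timeout))
```

With a one-hour timeout the "first_binds" policy still lets the second device in at t=4000, because the first login has already left the table; with a 30-day timeout it is refused.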



  • @Gertjan ok thanks..now got the idea




  • @Gertjan I will explain my problem here..

    My company is providing internet in labour camps.. I want to create vouchers for 30 days.. every month I want to provide a new voucher.. 1 voucher for 1 phone.. almost 500 members in camp..

    disabled concurrent login

    I created the captive portal and vouchers with the help of a YouTube video and tried many options.. but my voucher can be used on multiple phones.. the last login is active.. my problem is people using the same card for 2 people (day shift people give the voucher to night shift people while they are going to work), this is a big problem.. any solutions?


  • LAYER 8 Netgate

    That SHOULD delete the first MAC address and replace it with the second. There should only be one MAC address passed through at a time. That should stop them from sharing codes.



  • @Derelict so no need to disable concurrent login?
    Which of them do I need to use and which do I not need to use??


  • LAYER 8 Netgate

    Of course you should disable concurrent login if you don't want concurrent logins.



  • @Derelict said in One Voucher Per Device:

    That SHOULD delete the first MAC address and replace it with the second. There should only be one MAC address passed through at a time. That should stop them from sharing codes.

    It should be working as you stated.
    It doesn't.

    The last login will be granted, previous users using the same code are ejected.
    That's the problem of @ajmaltms .
    The code changes I tested out once - in the linked thread - do just that : once a voucher is used for a login, another login using the same voucher will be denied. This works as long as the voucher is listed in the "connected user list". For this reason I advise big values for soft and hard time out. If not, the user who obtained the voucher initially can't login again if he gave it to someone else .... (not a bad situation actually ... very educational )

    edit : I managed once to use the same functionality using User/passwords and FreeRadius.
    A setting like this for a user :

    [image: 4f42c91b-5f6a-41e5-a643-4087b0b46e01-image.png]

    enforces one user at the time using a unique user/password pair.

    You'll be needing FreeRadius (and probably - I advise - some database like MySQL or MariaDB running on some server).


  • LAYER 8 Netgate

    @Gertjan said in One Voucher Per Device:

    @Derelict said in One Voucher Per Device:

    That SHOULD delete the first MAC address and replace it with the second. There should only be one MAC address passed through at a time. That should stop them from sharing codes.

    It should be working as you stated.
    It doesn't.
    The last login will be granted, previous users using the same code are ejected.

    How is what you said and I said different?



  • You :

    That SHOULD delete the first MAC address and replace it with the second. There should only be one MAC address passed through at a time. That should stop them from sharing codes.

    That's how it works now.

    What @ajmaltms wants : Voucher being used once not usable for a next (concurrent) login.

    The actual pfSense approach is based on the fact that someone who obtains a voucher can use it for (his) multiple devices.
    For his smartphone, then his tablet, and then his portable PC - to wind up using it on his game box.
    Every time the voucher is used 'again', the existing connection is shut down ( note : this should already inhibit non-voluntary voucher sharing = when you 'lose' your voucher you lose your connection.)
    @ajmaltms has other experiences. As he explained above.


  • LAYER 8 Netgate

    That would be a feature request.



  • Yup - that's what I proposed earlier in this thread - a day or so ago.
    But : I have some code to play with that does just what @ajmaltms wants.


  • LAYER 8 Netgate

    Then that would be a pull request for that feature request :)



  • @Gertjan yes.. Voucher being used once not usable for a next (concurrent) login.. is it possible?



  • @Derelict well, maybe I should write it out again .... I'll have a try.

    Here we go : the GUI part first :

    @ajmaltms :
    This looks good for you :

    [image: d3d2a51f-2d57-44d9-a8b1-996bfa97204c-image.png]

    Btw : writing this up will take some time for me.
    I'm writing this on a "live" system, and I'm not using Vouchers, but FreeRadius.


  • LAYER 8 Netgate

    This is not the forum for feature and pull requests.

    https://redmine.pfsense.org/
    https://github.com/pfsense/pfsense/



  • Don't worry, won't publish any PHP stuff here.
    Just want to be sure I'm writing something useful.

    When done and tested, I'll locate a feature request if one exists, and add my implementation as a pull request / review.

