Enter TV MAC address on CP login in page?
-
Hi
I'm have more and more issues with UK tvs, I run a caravan park, and I use a voucher and username to login to the pfsense captive portal ( all working great, no issues ), but UK TVs are moving to IP-based streaming for all channels, no TV aerial, just Wi-Fi. This means I have to manually input a MAC address into CP every time a user wants a TV to work; not every TV has a web browser built in.
My question is, is there a way I can add a webpage to my CP portal login page that a user can add their MAC address that links to a voucher or username? Or can anyone think of a fix? This will only get worse over time. All TV is going streaming in the UK.
Thank you for any help.
Adam
-
Hi All
I have been trying to look into getting the main ( default ) inidex.html captive portal page from my pfsense box, and using chatgpt to help. but im coming across issues before i even start, after copying the code from index.html using the file editor in web interface and pasting into a html editor, when I try and run the page its coming up all strange ( see pic ), what am i doing wrong? i have tried uploading the coped .html into pfsense captive portal ( using the add your own login page ) to see if it was looking for dependents looks the same.
I know im missing something very simple.
thanks for your help!
Adam
-
These TV's, you are the owner ? Or is it a TV that your guests (clients) bring along ?
I use a captive portal for a hotel. The TV's in the hotel rooms are 'ours', hotel clients don't have to bring one themselves (
).
Most OS's = Pads, phones, PC's and whatever are captive portal aware.
TV's ? I'm not sure ....
I've never had a client that came at the reception (hotel) and brought along its own device like a play station, TV or whatever. In that case, I'll ask him to connect the device to our portal network. This will generate a DHCP request, and I can find that request, so I found the MAC, and I have to add this MAC to the portal MAC list (see below).
This means 'manual' intervention.@Adamzsite said in Enter TV MAC address on CP login in page?:
This means I have to manually input a MAC address into CP every time a user wants a TV to work;
You add the MAC here :
right ?
What I would do :
Have the user login with a voucher code, or login code, whatever you want, in your captive portal.
Ones they have access, this makes also avaible a web page on a device on LAN, or even, why not, on pfSense, on a web page where the user can add the MAC of it's own TV.
I presume that the client knows the MAC addresses of the TV he brings with him.
It's often printed on the box (the big box no one keeps ^^) and maybe on the papers that came with the TV.
Normally, if I want to know the MAC of a device, I connect it to a known network like my pfSense LAN, and then I look it up in the DHCP server log. Or the DHCP leases page. But this is something your clients can't do by themselves.
Btw : your client will be able to add any MAC, so also the MAC of another phone, PC etc, as there is no way to be sure that that MAC is a MAC of a TV. This means that ones one user has access to add MAC, you have to limit his access to "add one MAC", otherwise he'll be adding the MAC of everybody ^^@Adamzsite said in Enter TV MAC address on CP login in page?:
Or can anyone think of a fix?
Well ... nothing is broken, so no fix needed ^^
You just have a very special need "not seen before", so its a feature request.If you know your 'PHP' (and html), and you've understood what happens here : /usr/local/captiveportal/index.php and here /etc/inc/captiveportal.inc as it's in these files where you can make it possible.
This means that you have to modify one or two pfSense PHP files.
It is possible .... and afaik, the only way. -
@Gertjan
Thank you for your help.
1, Our customers bring there own units ( caravans ) they have TV in the units. i can add $ do add tvs to mac address in captive portal but I was hoping for a easier way not needing a member of staff.- I was hoping to get the user to add tvs ip address ( hoping most people could understand that), then the script would take the mac address from the dhcp server.
I will let you know how i get on.
-
@Adamzsite said in Enter TV MAC address on CP login in page?:
i can add $ do add tvs to mac address in captive portal but I was hoping for a easier way not needing a member of staff.
What you could do :
If you have some one else - some one who is working for you - then give this person a limited pfSense
access : create a pfSense user - not an admin - that have only the rights to look / edit the captive portal settings (pages).
So, some one else ^^ can do just and only that.Give this person also the right to look at the DHCPv4 leases page, so he can check that the MAC he entered will eventually ask for an IP, which means the client gave the correct MAC.
-
@Gertjan
I do have users ready and setup to add mac address, its keeping tabs on this that is the issue, it becomes a mess when you have 40 mac address getting added every weekend for tvs and then need taking off. I have about 200 voucher and users using the pfsense CP system every weekend. How do I add this to a feature request for pfsense?
I guess this is just a UK thing with our TV's going IP streaming and slowly dumping over the air transmission ( aerials ).
Adamsite -
@Adamzsite Just spit balling here.. But why do the users not have a travel router, or why not just hotspot of their phone that is on your wifi. Or do their tvs/streamers not support captive portal?
Roku sticks can do this for example - many tvs have a web browser that can do the captive portal thing.
I bring a travel router with me just for this reason - I don't want to deal with hotel captive portal for all my devices. I connect the travel router to the wifi, now all my devices connect to the travel router wifi - no captive portal for any of the devices. Other added benefit all my devices know the travel router wifi so just auto connect.
How about just loaning/renting them a travel router, take a deposit for sure so they don't run off with it. But the travel router could be pre-configured even.
I have never seen a captive portal that allows for entering or adding multiple macs..
Other option use ppsk auth, where you can just give user their own unique psk to use for their devices - no captive portal needed then. Or just use normal psk and maybe change it every few days if you charge them for wifi.
Trying to automate or have users add a mac doesn't seem like a good solution to me. Users for sure not going to know the mac of their tv. Trying to auto find it dhcp lease request seems problematic - how do you know which mac is which users tv, etc.
I would think anyone with a camper that has multiple wifi devices for sure would have travel routers in them. Maybe sell them as a side money stream ;)
edit: I just took another look at ppsk via unifi, you can generate lists of ppsks. You can then download them as a csv, or you can import even. I would think as your users check in - just give them the ppsk, they use this for any of their devices. Easier solution for your users, unique, can be easy maintained. Don't have to worry about captive portal support on devices the users might want to use.
Looking about, ppsk is not something unique to unifi - many of the major players of APs now support this mode of operation.
-
@Adamzsite said in Enter TV MAC address on CP login in page?:
I guess this is just a UK thing with our TV's going IP streaming and slowly dumping over the air transmission ( aerials ).
Don't think so. It's a world wide process.
Example : my TV @home doesn't have its 'coaxial' aerial connection connected. No more antennas or Satellite dishes on the roof. No more "CAI' = coax cable network in the neighborhood. The classic french channels come in over adsl (being faced out, fiber now) to a so called "TV decoder" that produces a HDMI signal. And I even don't use this ISP TV device, as my TV has an 'app' that receives all the french national channels just fine.On the other hand : connecting TV over Wifi to a captive portal type network. That's totally new to me. And probably also for all the TV builders in the world, as, as far as I know, TV's don't have 'captive portal' support build into their OS. All other devices like pads, phones, PC and so on do.
My TV - mine is just 55 inch - isn't really transportable and really fragile.
BJOD = includes TVs now ?Suggestion : instead of using the pfSense captive portal, what about an 'open', classic LAN interface that feeds into AP based network.
I can set up my APs to expose an SSID for the TVs that is MAC Radius Authenticated. You still have to create a front end for your radius server where you handle all the connected devices with their MAC addresses.
This means : nothing has to be done on pfSense, you'll have to use another device (PC) with radius. This is actually world's most know solution : every phone/internet/whatever connection uses some kind of radius access. It's also worlds best kept secret : nearly nobody knows what 'radius' is. A web server ? We know. A DNS server : same thing. mail : everybody knows what it is. Radius is special.I played a bit with a couple of TV's I have here at my work (a hotel). I connected a smart TV to the SSID of the hotel clients, the network that has the pfSense captive portal. Even when I installed a web browser app on the TV, it wouldn't allow me to do anything, it 'knew' the Wifi was connected, it had an IPv4 and a gateway, but nothing else worked. Impossible to point it manually, by entering the pfSense captive portal's login page URL. With A TV remote control => a real PITA.
Note to @johnpoz : I used a 'off the mill' Samsung smart TV. Maybe I should get another app/browser ? Afaik, there is not such thing as portal detection in the TV OS (the classic http - not https ! - url detection whichmakes the OS firing up a browser so the login page shows up).
@johnpoz said in Enter TV MAC address on CP login in page?:
How about just loaning/renting them a travel router, take a deposit for sure so they don't run off with it. But the travel router could be pre-configured even.
But ... that's also a problem.
A travel router is also a device device can can bet set up easily, as it has a browser, is portal aware, so can be used with voucher etc.
It also permits the user to connect any number of devices behind the travel router.
The thing is : this is (probably) a $€£ issue, handing over / renting a travel router, and many potential 'clients' will be gone as they will 'hide' themselves behind the travel router.
@Adamzsite couldn't even mention the existence of such a device : he would lose most of his clients as soon as they understood the potential of the device.So it has to be a locked down travel router ... Hummm ...
@johnpoz said in Enter TV MAC address on CP login in page?:
I have never seen a captive portal that allows for entering or adding multiple macs..
pfSense allows this :
but this means : access to the pfSense GUI, and it's an all or nothing solution, no time limits, auto purge, etc.
This is why, imho, @Adamzsite ask for something better.@johnpoz said in Enter TV MAC address on CP login in page?:
Users for sure not going to know the mac of their tv.
That's another issue.
I could find it easily in the smart TV's menu. I'm probably also the only one here in town that knows what a MAC address is .....@johnpoz said in Enter TV MAC address on CP login in page?:
... just hotspot of their phone that is on your wifi
For myself, with 14,99 €/$, I've a flat phone/SMS rate : can call/SMS most of Europe, and have 200 Gbits (bytes) data allowance. The thing is : I don't need it, use maybe 2 % of it each month. @home : wifi (fiber) everywhere. @work : same thing. When I take my phone outside of France, I can still use 100 G as already paid for. One evening Netflix 4K can swallow this "100 G" in a day or two.
But this is France.
Maybe this isn't the case in the UK, or the case of the phones used by these people that carry along their own TV (I still have to see these people .... are they prisoners ? Foreign worker ? as I can't image these are tourist ...... but hey, all I know is that I don't know everything)@Adamzsite said in Enter TV MAC address on CP login in page?:
How do I add this to a feature request for pfSense?
See here : Redmine pfSense bug (and feature) tracker
-
@Gertjan said in Enter TV MAC address on CP login in page?:
but this means : access to the pfSense GUI, and it's an all or nothing solution, no time limits, auto purge, etc.
Dude not manually - that is given, I mean I have never seen a captive portal where the user could add additional macs. For one your typical user has no clue to what a mac address is, 2nd it goes against the typical point of a captive portal of control of who has access, which is typically used as revenue stream - and would charge by how many devices, etc
If it was me and I was running a site where I could provide wifi and wanted to make money off of it. I would just ask hey you want wifi.. Maybe even what sort of access X speed or Y speed - ok here is the ssid and psk you want to use. That will be $ per day, etc..
If you had free loaders, ie people in range of the wifi that have learned the psk - then I would use something like ppsk or change them now and then, etc. Every captive portal I have ever used normally just causes extra problems.. Either device has issues with it, be it they don't support or just horrible implementations.. I just ran into a horrible one when I had jury duty - but some other guy sitting next to me said here just use this ssid and psk, which was the staffs wifi ;)
edit:
I think he is trying to cater to the dumbest of the dumbest of users to be honest.. So they have this camper where their TV uses wifi, and they have never ran into captive portals before.. Either their TV or streaming device supports them - or they should of figured out a solution on their own by now. Travel router or hotspot off their phone.Either this is their first trip to a campsite with wifi, with their brand new camper and tv, or they are just insanely stupid?? Or maybe he is the only campsite in the UK that uses a captive portal? ;)
-
@johnpoz said in Enter TV MAC address on CP login in page?:
Every captive portal I have ever used normally just causes extra problems.
Time to get over here, test 'my' captive portal Wifi then ^^
I used the pfSense 'out of the box' captive portal. I did add one extra stand alone file, and added a DHCP option (using a new RFC, already supported by Microsoft, Apple and official Android devices). My opinion doesn't really count, but I know it rocks
My goal is : clients that want to connect should be able to connect. It should be 'simple' to do so, no complicated steps. Devices that play hard ball are nearly all gone now. Clients select the SSID, and 99,9 % knows how to do that, see the login page popping up right away with simple instruction : room number and a secret code shown on a huge poster in their room. If they can read, they can access my portal.
Ones in while, I try to hunt down clients that didn't manage to connect, and try figuring out why it didn't work (for them).On the other hand, we have a 3G/4G/5G nearby with all operators, so I guess most clients don't care, as we all have xxx G of data avaible, already being played for.
Btw : I don't charge for the Internet access. As a hotel, we pay 50 € a month, flat rate 2,5 Gbit/sec (includes TV a a phone line that we don't use) and that's france's most expensive operator, Orange.
When connected, clients can see and use two of our printers. So they can print their own plane and train tickets.
Anyway. Back to the device that can't connect : the TVs.
-
@Gertjan Does france still have the hotel requirements about wifi and identification and logging of traffic and logs of mac and IPs for like a year.. Or is that no longer a thing.
I wouldn't provide any wifi that is for sure if had to meet those requirements.
-
I guess it's still mandatory
It's also common knowledge that Europe has a strong 'protect the consumer' laws. Collecting loads of data from a person isn't allowed. Like : as a hotel we collect client names and some times phone numbers, addresses, mail, etc. These have to be protected. I'm not allowed to start a spam cycle with them. Etc.I thinks our national courts are now aware of the fact that people that
- use public wifi
- and have things to hide,
- use a VPN.
My point of view : as long as the government didn't made public a complete howto setup guide how to activate a complete MITM setup, where I can see and log all data as send and received by the 'client', I can't and won't spend my time doing so.
If I do, and I have the data, I risk to go to prison as I broke all the RGPD laws.
So .. what will it be ?
Today : the client uses an RFC1918 IP I assigned to them. The only unique ID I get back from the client is the MAC address, which is by default randomized, so 'worthless'.
I can 'see' where they go, true .... toctoc, facebook netflix google or some VPN end point, but this info is already RGPD protected.
Do I need to collect info that can be used against myself ?I'm from Holland, live in France and I've a 'personal' rule : I leave it up to the french to deal with France's rules/laws. It always takes time as they talk a lot, but they'll figure it out eventually.
-
Thank you for all your replys,
Yes having users enter there tvs MAC address is a little far fetched, could the ip address work, been the system uses ip address now to get mac address? e.g a user uses there phone to go the captive portal logon page enter these user or voucher code, then press a tick box or whatever to have get a input box appear so they can enter the tvs ip address, this could be easier to get from the tv wireless network page.
-
@Adamzsite said in Enter TV MAC address on CP login in page?:
this could be easier to get from the tv wireless network page.
Maybe, maybe not - this prob same spot where you would see the mac address ;)
Has this actually been a problem? I mean really - I don't see why this should be your problem to be honest.. I am having a hard time believing that users could be this dumb.. I have a wifi tv that I travel around with in my RV, and I don't know how to connect to a wifi network that uses captive portal? Is use of captive portal not a thing in UK in RV parks? I mean either the device/tv supports it.. Rokus for example have a specific hotel mode that allows for captive portal auth.
https://support.roku.com/en-gb/article/215058118
How do I use Hotel & Dorm Connect to connect to the internet?Or they would of come up with a better solution already, ie hotspot off phone or travel router.
If I had a RV, I for sure would have a travel router in it - for one just to provide a local network for my devices to use, even when not connected to the internet. Ie for example viewing media off a media server I would run in the RV ;) And this would also allow for all my devices would have with me, phones, tablets, laptops, console gaming systems, etc. etc. To just auto connect when I connected the travel router to some internet connection.
I can't image connecting multiple devices to a captive portal wifi, or even if not a captive portal every time I move around.. When me and the wife go to a hotel, we have our phones, tablets and normally a roku to plug into the tv in the hotel room.. And sometimes my work laptop, sometimes a chromebook etc. if I had to connect all of them to a captive portal, most likely require reauth ever 24 hours it would be horrible!!
I take a couple of minutes to setup the travel router, and boom all my devices auto connect to the known wifi.. Saves frustration and quite a bit of time. And normally provides for much better connectivity.
-
Thank you again for all your replays.
Again, it might not be every person's idea of what is needed, but for me, it's the only idea I could think of to make the captive portal work better for my situation.
I think the IP address might work because looking at most UK WiFi-enabled TVs when you connect to the network, it shows your Mac and IP address, i could easily instruct users to copy the ip address and enter it on a page, possible situation a tick box that opens a new entry box, and then you type the IP address, and then that would ask the script to get the Mac and enter it for that user or voucher.
I understand that it's never that easy to just do that, and not being a PHP or HTML coder, I don't have the skills to implement this myself.
Thank you again.
-
Maybe the real solution is to switch to a generally available wifi connection for all customers (either static or mobile). Maybe also use rate limiting so all users get a fair share.
Build in a nominal £ into your pricing, but make it reasonable & attractive.
Your time can then be better spent meeting & building customer relations, rather than helping non-techie customers with CP stuff.
Promote the fact that Internet is included as a reason to stay on your site & potentially increase occupancy.
Presumably you have electrical outlets for each plot ? Make sure they are metered & reflect current supplier costs.
-
Just been looking into other ways I could solve this issue. Could PPSK and RADIUS be the answer? Has anyone set up a RADIUS system on pfSense with PPSK codes that can act like a pre made voucher codes?
e.g., I make a list of PPSK codes that my OpenWRT access points use from my pfsense router to get the user on the wifi. I could then also use RADIUS for my long-term users and add MAC addresses for seasonal and TV, but temp users will just work; no web page needed.
Any help or pointer would be greatly appreciated.
-
Hi all.
I have looked into the FreeRADIUS server in pfSense and seem to hit a wall. I can use my OpenWrt access points to use PPSK and link to the FreeRADIUS server in pfSense, but I'm having trouble using the tunnel-password option in the pfSense GUI or user.conf file to just use a PPSK passcode.
I'm hoping to use just a passcode and not link it to a Mac; no VLANs needed.
the aim is
Staff passcode on staff SSID VLAN1
Guest (lots of unique passcodes) on Guest SSID VLAN 10: I can generate passcodes and import them into the user config file once I have a template to use.
Can anyone help?I'm not sure if I can use the PPSK option in OpenWrt and use a personal PSK or if I have to move over to an enterprise PSK to get it to work (enterprise PSKs are not TV or IoT friendly).
Thank you for any help.
-
@Adamzsite If you are using ppsk, why do you need a captive portal at all? Or radius? Your staff can use a ppsk that puts them on vlan X, and clients where you change and delete old ppsks go on vlan Y.
I just moved to ppsk, to allow me to trim down the number of ssids I was broadcasting. If you log in with ppsk A, you get put on vlan A, if you login with ppsk B you are on vlan B, etc..
I trimmed down 3 ssids to 1 this way.
-
@johnpoz Sorry didn't exsplain myself im not using ppsk at the moment I trying to get it to work, then i can turn captive portal off.
I was wondering if anyone has setup ppsk with tunnel-passcode as the login in freeradius and openwrt APs?
