[SOLVED] About captive portal rules

Started by Kaxia, April 22, 2015, 02:06:47 AM

April 22, 2015, 02:06:47 AM Last Edit: June 22, 2015, 09:31:19 AM by franco
Hi, all!
I am a new user from Mongolia.
Can OPNsense apply captive portal rules like these:
# all account user idletime is 0
# but some IP or MAC must have an idletime of 60 minutes, etc.

It is because personal PCs and smartphones are usually fixed users, so idletime 0 is good for them, but public PCs should have an idletime set.

Thanks a lot!

Right now the captive portal only applies the same rules to the whole network on one interface; I can't set an IP scope.

Hi Kaxia,

welcome to OPNsense.  :)

I am not sure that I understand your requirement. User logins are tied to IP addresses. You can have vouchers time out while keeping the users from timing out, but if you want to time out their smart phones that can only be done by giving the PCs that shouldn't time out a manual MAC "pass through" so these don't have to authenticate at all.

Maybe that is what you are looking for?


Cheers,
Franco

Thanks franco!
Now I have a new, more important error:
1. If I add a user or set up the captive portal, after a while the whole network will suspend; after rebooting OPNsense, it is OK.
2. If I set idletime=**minutes, for example 180 minutes, I have to enter authentication again very often (2s?). If I set idletime=0, all looks good.

My OPNsense is 15.1.9.2. Is it a bug?

> User logins are tied to IP addresses. You can have vouchers time out while keeping the users from timing out, but if you want to time out their smart phones that can only be done by giving the PCs that shouldn't time out a manual MAC "pass through" so these don't have to authenticate at all.
> Maybe that is what you are looking for?

No, I mean, for example:
1. Lan(192.166.0.1--192.168.0.254) enable captive portal, idle timeout=0, hard timeout=0
2. but public pc (ip=192.168.0.4   or mac=************ ), idle timeout=2h

How can I do it?

Now the OPNsense captive portal's method is Add a Zone, but can it:
Add rule 1: IP scope (not zone or whole interface) enable captive portal, with idle timeout=0
Add rule 2: certain IP or MAC enable cap, with idle timeout=*minutes or *hours

That is what I am thinking. Please pardon my poor English.
Thanks!

I have added your timeout bug report as an issue in github: https://github.com/opnsense/core/issues/150

Quote from: Kaxia on April 23, 2015, 07:27:30 AM
1. Lan(192.166.0.1--192.168.0.254) enable captive portal, idle timeout=0, hard timeout=0
2. but public pc (ip=192.168.0.4   or mac=************ ), idle timeout=2h

Do you mean LAN 192.166.0.1--192.166.0.254 or 192.168.0.1--192.168.0.254? The first one makes sense, the second one doesn't as 192.168.0.4 would be part of your LAN.

You can split up the captive portal instances over different ports with different configurations, one for LAN, one for OPT.

No worries about language. We're here to help and discuss. :)

Sorry, I typed the IP wrong.

Splitting it over different ports is good, but my OPNsense router's 6 ports are all in use, and changing the topology will bring other trouble to me.

So I wish OPNsense can do it later; after all, it is even more flexible :)

Thanks!

There's just no way to enforce different settings for the same network except separating them into different captive portal instances (and their routing). Adding exceptions in settings usually leads to code bloat, which leads to bugs and regressions and degrades user experience as there is potential for misconfiguration.

Yes, the captive portal will go through a few more transitions. We're already working on cleanups and a more flexible and intuitive design that incorporates better into today's business rules and requirements eventually. It'll take time, but we'll get there. :)