Enabling a captive portal

To get started implementing a captive portal on your network, perform the following steps:

  1. Navigate to Services | Captive Portal. This page displays a table with all of the defined captive portal zones. There is a green + Add button down and to the right of the table; pressing this button allows you to add a zone.
  2. When you add a zone, you are initially directed to the Add Zone page. Here you are required to enter the Zone Name, which can only contain letters, digits, and underscores. You can also enter a brief (non-parsed) description in the Description field. Enter this information and press the Continue button.
  3. You will now be directed to the Configuration page, which displays a warning containing the following information:
    • Make sure you enable the DHCP server on the captive portal interface
    • Make sure the maximum DHCP lease time is longer than the captive portal hard timeout
    • Make sure the DNS forwarder or DNS resolver is enabled, or DNS lookups will not work for unauthenticated clients
  4. To begin configuration, check the Enable Captive Portal checkbox. Once this box is checked, the other options will appear on the page.
  5. Consider the options that must be changed in order for the captive portal to work. You must select at least one interface on which the captive portal will be enabled, and you can do this in the Interfaces list box. In most scenarios where you are setting up a captive portal, you probably want to have a separate interface or interfaces for captive portal users.
  6. Scroll down to the Authentication section. Here you must select an authentication method: No Authentication, Local User Manager/Vouchers, or RADIUS Authentication:
    • If No Authentication is selected, the captive portal user will not be prompted for a username and password or a voucher code—usually, at most, they will be required to accept the network's terms of service.
    • Local User Manager/Vouchers covers the cases in which pfSense will handle authentication. Either the user will be prompted for a username/password combination for a user who was previously entered into the pfSense user manager, or the user will be prompted for a voucher code that was generated by pfSense.
    • In the case of RADIUS Authentication, the authentication will be done by an external RADIUS server. This will be covered in detail in a subsection, but we will note that, if you choose this option, at a minimum, you will have to enter the RADIUS protocol and the IP address of the primary RADIUS server.
  7. The next section is HTML Page Contents. You will probably find it necessary to replace the portal page and contents page, and to upload a portal page that is appropriate for the type of authentication you selected. If you don't require authentication, all you need is a form with a Submit button and a hidden field with the redirurl name and the $PORTAL_REDIRURL$ value. If you require authentication, then you need to have either auth_user and auth_pass or auth_voucher (or both if you support both username/password login and vouchers).
  8. The pages you uploaded may contain images, and as you probably guessed, you're going to need a means of uploading these images. This is what the File Manager tab is for. Any files you upload via this tab with the filename prefix captiveportal will be made available in the root directory of the captive portal server. This is useful if you have files that you want to reference in your portal page (for example, a company logo). In addition, you can upload PHP files for execution. The total size limit for all files uploaded via this tab is 1 MB:
    • To add a file, click on the + Add button, which is below the Installed Files table and to the right. This loads a separate page where you can upload the file.
    • Click on the Browse button to launch a file dialog box.
    • Select a file, click on the Open button in the file dialog box, and then click on the Upload button.
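An added example, not taken from the book, of a minimal portal page for a zone that accepts both username/password and voucher logins, referencing a logo uploaded through the File Manager tab. The $PORTAL_ACTION$ and $PORTAL_ZONE$ variables and the accept name on the submit button are assumed from pfSense's default portal template rather than stated on this page; the logo filename captiveportal-logo.png is a hypothetical example.

```html
<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <title>Guest network login</title>
</head>
<body>
  <h1>Welcome to the guest network</h1>
  <!-- Hypothetical logo: uploaded via File Manager as captiveportal-logo.png,
       so it is served from the root of the captive portal server -->
  <img src="captiveportal-logo.png" alt="Company logo">

  <!-- $PORTAL_ACTION$ and $PORTAL_ZONE$ are assumed from pfSense's default
       template; pfSense substitutes every $...$ variable when serving the page -->
  <form method="post" action="$PORTAL_ACTION$">
    <!-- Username/password login uses the field names auth_user and auth_pass -->
    <fieldset>
      <legend>Log in with an account</legend>
      <label>Username <input name="auth_user" type="text" autocomplete="username"></label>
      <label>Password <input name="auth_pass" type="password" autocomplete="current-password"></label>
    </fieldset>

    <!-- Voucher login uses the field name auth_voucher; keep this fieldset only
         if vouchers are enabled for the zone -->
    <fieldset>
      <legend>Or enter a voucher code</legend>
      <label>Voucher <input name="auth_voucher" type="text" autocomplete="off"></label>
    </fieldset>

    <!-- Terms acceptance: "required" is enforced by the browser only, so it is a
         usability aid, not a server-side control -->
    <label><input type="checkbox" required> I accept the terms of use</label>

    <!-- Required hidden field: returns the user to the page they originally requested -->
    <input name="redirurl" type="hidden" value="$PORTAL_REDIRURL$">
    <input name="zone" type="hidden" value="$PORTAL_ZONE$">

    <!-- Submit button; the default template names it "accept" (assumed) -->
    <input name="accept" type="submit" value="Continue">
  </form>
</body>
</html>
```

For a zone configured with No Authentication, drop both fieldsets and keep only the hidden fields and the submit button, which is the minimum form the section above describes.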

The preceding guide should be enough to get a captive portal running on your network. There are, however, many other settings for captive portal configuration. Most of them can be kept at their default settings most of the time, but in certain circumstances, they can be altered to ensure the captive portal runs smoothly.

  • On the main captive portal configuration page, under the Interfaces list box, is the Maximum concurrent connections edit box. This setting controls not how many users can be logged into the captive portal, but how many concurrent connections are allowed per IP address.
  • The next two settings are Idle Timeout (Minutes) and Hard Timeout (Minutes). Idle Timeout (Minutes) controls how long it takes before an idle client is disconnected, while Hard Timeout (Minutes) controls how long it takes before a client is disconnected even if they are active. Both settings are optional and leaving them blank disables them.
  • The next setting is Traffic quota (Megabytes). As the name implies, this sets a limit on the amount of data a captive portal user can use, inclusive of uploads and downloads. After they have reached this limit, they will be disconnected. They can, however, log back in immediately.
  • The next setting is the Pass-through credits per MAC address edit box. Entering a number here allows a client to pass through the captive portal this number of times without being directed to the captive portal page. Once this number is exceeded, the user is directed to the captive portal login page again. As the name implies, this is done on a per-MAC address basis.
  • There is also a Waiting period to restore pass-through credits (Hours). If pass-through credits are enabled, and this parameter is set to a value greater than zero, pass-through credits will be restored to their original count after this number of hours.
  • The Reset waiting period checkbox, if checked, will result in a waiting period on login attempts being imposed on clients whose pass-through credits have been exhausted. If not checked, such users will be allowed to log in again immediately. The Logout popup window checkbox, if checked, will display a pop-up logout page when the users initially pass through the captive portal. This can be used to allow users to explicitly log out, but it also can be used if you want to display a page informing the user that they have successfully passed through the captive portal.
  • There are three options covering URL redirects. You can specify a URL on another server by entering it in the Pre-authentication redirect URL edit box. After accessing this page, the user will be redirected to the login page. Normally, after login, the user will be able to access the URL they tried to access before logging in, but if you set After authentication Redirection URL, you can redirect them to a different page. If you want users whose MAC addresses were blocked to be informed of this, you can set the Blocked MAC address redirect URL.
  • The next option, Disable Concurrent user logins, will, if enabled, cause only the most recent user login to be active. Devices currently logged in with the same username will be disconnected.
  • If you check the Disable MAC filtering checkbox, the captive portal will not check to confirm that a user's MAC address remains the same during their session. This can be helpful in cases where pfSense cannot confirm the user's MAC address (for example, in cases where the user is separated from the pfSense system by several routers). The downside of this option is that, when MAC filtering is disabled, RADIUS MAC authentication is not possible.
  • The Enable Pass-through MAC automatic additions option, if checked, will result in a MAC pass-through entry being added for every user who successfully authenticates (or, in cases where authentication is not required, every user who successfully passes through the captive portal). Users of the authenticated MAC address will not have to log in again, unless the MAC pass-through entry is removed from the table on the MAC tab.
  • The Enable Pass-through MAC automatic addition with username option takes effect only if it is checked and the Enable Pass-through MAC automatic additions option is also checked. If both are checked, the username used during authentication will be saved.
  • The Enable per-user bandwidth restriction option, if checked, allows you to restrict each user who logs in to a specified bandwidth. If you enable this option, you need to specify a Default download and Default upload in the next two edit boxes. RADIUS can override these default settings.