Captive portal swallowing / on redirect
-
Alert to captive portal users that do not have "After authentication Redirection URL" and are on pfsense 2.0.2
I just upgraded to pfsense 2.0.2 and my iphone users were getting
“Error Opening Page.”
“Hotspot login cannot open the page because the server cannot be found.”
It appears that the captive portal would tell them to go to www.apple.comlibrary (no that is not a typo)
So this is what I think is happening and the fix until the captive portal gets patched.
1. iphone gets on an open ssid and tries to check http://www.apple.com/library/test/success.html
2. the pfsense spoofs www.apple.com and sends you to captive portal.
3. you login and now the captive portal redirects you to http://www.apple.comlibrary/test/success.html instead of http://www.apple.com/library/test/success.html. For some reason the captive portal seems to swallow the forward slash. This happens on other websites that have a uri on the end. I actually tested a windows machine and it was swallowing the / to any website.
To fix the issue I set After authentication Redirection URL to http://www.kentucky.gov. After this all is working properly now.
Here is the contents of the packet coming back with the / swallowed
No. Time Source Destination Protocol Length Info
235 2013-01-10 14:02:45.836906 192.168.63.134 192.168.20.12 TCP 465 8000 > 59810 [PSH, ACK] Seq=1128 Ack=1462 Win=65664 Len=399 TSval=2243140061 TSecr=1262444100
Frame 235: 465 bytes on wire (3720 bits), 465 bytes captured (3720 bits)
Ethernet II, Src: 00:16:35:68:93:5b (00:16:35:68:93:5b), Dst: 00:04:38:90:ce:7c (00:04:38:90:ce:7c)
Internet Protocol Version 4, Src: 192.168.63.134 (192.168.63.134), Dst: 192.168.20.12 (192.168.20.12)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
Total Length: 451
Identification: 0xb8f8 (47352)
Flags: 0x02 (Don't Fragment)
Fragment offset: 0
Time to live: 64
Protocol: TCP (6)
Header checksum: 0x0000 [incorrect, should be 0xab59 (may be caused by "IP checksum offload"?)]
Source: 192.168.63.134 (192.168.63.134)
Destination: 192.168.20.12 (192.168.20.12)
[Source GeoIP: Unknown]
[Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: 8000 (8000), Dst Port: 59810 (59810), Seq: 1128, Ack: 1462, Len: 399
Source port: 8000 (8000)
Destination port: 59810 (59810)
[Stream index: 7]
Sequence number: 1128 (relative sequence number)
[Next sequence number: 1527 (relative sequence number)]
Acknowledgment number: 1462 (relative ack number)
Header length: 32 bytes
Flags: 0x018 (PSH, ACK)
Window size value: 513
[Calculated window size: 65664]
[Window size scaling factor: 128]
Checksum: 0x93e7 [validation disabled]
Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
[SEQ/ACK analysis]
Data (399 bytes)
0000 48 54 54 50 2f 31 2e 31 20 33 30 32 20 46 6f 75 HTTP/1.1 302 Fou
0010 6e 64 0d 0a 45 78 70 69 72 65 73 3a 20 53 61 74 nd..Expires: Sat
0020 2c 20 31 32 20 4a 61 6e 20 32 30 31 33 20 32 31 , 12 Jan 2013 21
0030 3a 30 32 3a 34 35 20 47 4d 54 0d 0a 45 78 70 69 :02:45 GMT..Expi
0040 72 65 73 3a 20 30 0d 0a 43 61 63 68 65 2d 43 6f res: 0..Cache-Co
0050 6e 74 72 6f 6c 3a 20 6d 61 78 2d 61 67 65 3d 31 ntrol: max-age=1
0060 38 30 30 30 30 0d 0a 43 61 63 68 65 2d 43 6f 6e 80000..Cache-Con
0070 74 72 6f 6c 3a 20 6e 6f 2d 73 74 6f 72 65 2c 20 trol: no-store,
0080 6e 6f 2d 63 61 63 68 65 2c 20 6d 75 73 74 2d 72 no-cache, must-r
0090 65 76 61 6c 69 64 61 74 65 0d 0a 43 61 63 68 65 evalidate..Cache
00a0 2d 43 6f 6e 74 72 6f 6c 3a 20 70 6f 73 74 2d 63 -Control: post-c
00b0 68 65 63 6b 3d 30 2c 20 70 72 65 2d 63 68 65 63 heck=0, pre-chec
00c0 6b 3d 30 0d 0a 50 72 61 67 6d 61 3a 20 6e 6f 2d k=0..Pragma: no-
00d0 63 61 63 68 65 0d 0a 43 6f 6e 6e 65 63 74 69 6f cache..Connectio
00e0 6e 3a 20 63 6c 6f 73 65 0d 0a 4c 6f 63 61 74 69 n: close..Locati
00f0 6f 6e 3a 20 68 74 74 70 3a 2f 2f 77 77 77 2e 61 on: http://www.a
0100 70 70 6c 65 2e 63 6f 6d 6c 69 62 72 61 72 79 2f pple.comlibrary/
0110 74 65 73 74 2f 73 75 63 63 65 73 73 2e 68 74 6d test/success.htm
0120 6c 0d 0a 43 6f 6e 74 65 6e 74 2d 74 79 70 65 3a l..Content-type:
0130 20 74 65 78 74 2f 68 74 6d 6c 0d 0a 43 6f 6e 74 text/html..Cont
0140 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 44 ent-Length: 0..D
0150 61 74 65 3a 20 54 68 75 2c 20 31 30 20 4a 61 6e ate: Thu, 10 Jan
0160 20 32 30 31 33 20 31 39 3a 30 32 3a 34 35 20 47 2013 19:02:45 G
0170 4d 54 0d 0a 53 65 72 76 65 72 3a 20 6c 69 67 68 MT..Server: ligh
0180 74 74 70 64 2f 31 2e 34 2e 33 32 0d 0a 0d 0a ttpd/1.4.32....
Data: 485454502f312e312033303220466f756e640d0a45787069...
[Length: 399] -
Here is a capture of the failed users trying to resolve the wrong name via DNS
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bge0_vlan1338, link-type EN10MB (Ethernet), capture size 96 bytes
14:37:35.077551 IP 192.168.1.90.60674 > 192.168.63.134.53: 17521+ A? www.apple.comlibrary. (38)
14:37:56.825700 IP 192.168.1.226.55796 > 192.168.63.134.53: 11008+ A? www.apple.comlibrary. (38)
14:38:21.308515 IP 192.168.2.246.56377 > 192.168.63.134.53: 2172+ A? www.apple.comlibrary. (38)
14:38:36.611244 IP 192.168.20.84.62654 > 192.168.63.134.53: 64365+ A? www.apple.comlibrary. (38)
14:38:43.787810 IP 192.168.7.103.57958 > 192.168.63.134.53: 49668+ A? www.apple.comlibrary. (38)
14:39:01.358047 IP 192.168.2.246.55667 > 192.168.63.134.53: 28366+ A? www.apple.comlibrary. (38)
14:39:07.659715 IP 192.168.7.103.54761 > 192.168.63.134.53: 41092+ A? www.apple.comlibrary. (38)
14:39:14.174862 IP 192.168.20.130.58177 > 192.168.63.134.53: 34253+ A? www.apple.comlibrary. (38)
14:40:03.408464 IP 192.168.5.44.54587 > 192.168.63.134.53: 57117+ A? www.apple.comlibrary. (38)
14:40:08.338005 IP 192.168.5.44.57999 > 192.168.63.134.53: 62020+ A? www.apple.comlibrary. (38)
14:47:20.954863 IP 192.168.0.66.65481 > 192.168.63.134.53: 28431+ A? www.apple.comlibrary. (38)
14:47:48.844877 IP 192.168.1.111.54874 > 192.168.63.134.53: 46863+ A? www.apple.comlibrary. (38)
14:47:53.951181 IP 192.168.1.111.56513 > 192.168.63.134.53: 34757+ A? www.apple.comlibrary. (38)
14:47:58.110212 IP 192.168.3.0.56160 > 192.168.63.134.53: 19515+ A? www.apple.comlibrary. (38)
14:48:00.355678 IP 192.168.0.66.60697 > 192.168.63.134.53: 28225+ A? www.apple.comlibrary. (38)
14:48:12.454276 IP 192.168.7.35.54833 > 192.168.63.134.53: 5205+ A? www.apple.comlibrary. (38)
14:48:16.794245 IP 192.168.7.35.56830 > 192.168.63.134.53: 22176+ A? www.apple.comlibrary. (38)
14:48:29.787748 IP 192.168.7.135.63951 > 192.168.63.134.53: 43719+ A? www.apple.comlibrary. (38)
14:48:34.263623 IP 192.168.6.71.53966 > 192.168.63.134.53: 45747+ A? www.apple.comlibrary. (38) -
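The two captures above show the same defect from both ends: a 302 whose Location host has the path fused onto it (www.apple.comlibrary), and clients then asking DNS for that fused name. Below is an added example, not code from the original post or from pfSense, that (a) flags such a Location header and reconstructs the intended URL, (b) shows a redirect-building join that cannot drop the slash, and (c) runs a detector over tcpdump-style DNS query lines. The KNOWN_HOSTS entry for captive.example.net is hypothetical, and the sample log lines are constructed to match the format of the tcpdump output above.

```python
"""Detect the 'swallowed slash' captive-portal redirect from HTTP and DNS evidence.

Added example (not pfSense code). Assumptions are marked in comments.
"""
import re
from collections import Counter
from urllib.parse import urlsplit, urlunsplit

# Hostnames that clients contact for captive-portal detection. Only www.apple.com
# comes from the thread; captive.example.net is a hypothetical placeholder.
KNOWN_HOSTS = {"www.apple.com", "captive.example.net"}


def find_fused_host(hostname):
    """Return (known_host, fused_fragment) when `hostname` is a known host with
    extra characters glued directly onto it (no '.' or '-' boundary), else None.
    'www.apple.comlibrary' -> ('www.apple.com', 'library')."""
    for known in KNOWN_HOSTS:
        if hostname != known and hostname.startswith(known):
            rest = hostname[len(known):]
            # A real subdomain or a different registered name continues with '.' or '-'.
            if rest and rest[0] not in ".-":
                return known, rest
    return None


def check_location(location):
    """Inspect a Location header value. Returns {'ok': True, ...} for a sane URL,
    or {'ok': False, 'host': <known host>, 'fixed': <reconstructed URL>}."""
    parts = urlsplit(location)
    fused = find_fused_host(parts.hostname or "")
    if fused is None:
        return {"ok": True, "url": location}
    known, leaked = fused
    # Re-insert the missing '/' between the known host and the leaked path text.
    fixed = f"{parts.scheme}://{known}/{leaked}{parts.path}"
    if parts.query:
        fixed += "?" + parts.query
    return {"ok": False, "url": location, "host": known, "fixed": fixed}


def build_redirect(scheme, host, path, query=""):
    """Hardened join for a post-login redirect: the path is normalised to start
    with '/', so host and path can never be concatenated into one label."""
    if not path.startswith("/"):
        path = "/" + path
    return urlunsplit((scheme, host, path, query, ""))


# tcpdump line shape taken from the capture above:
# 14:37:35.077551 IP 192.168.1.90.60674 > 192.168.63.134.53: 17521+ A? www.apple.comlibrary. (38)
DNS_LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.53: "
    r"(?P<id>\d+)\+ A\? (?P<name>\S+)\. \(\d+\)$"
)


def scan_dns_log(lines):
    """Count, per client IP, A queries for fused hostnames. Lines that are not
    A queries in the expected tcpdump format are ignored."""
    hits = Counter()
    for line in lines:
        m = DNS_LINE.match(line.strip())
        if m and find_fused_host(m.group("name")):
            hits[m.group("src")] += 1
    return hits


# Constructed sample lines modelled on the capture in the post (not real traffic).
SAMPLE_DNS_LOG = [
    "14:37:35.077551 IP 192.168.1.90.60674 > 192.168.63.134.53: 17521+ A? www.apple.comlibrary. (38)",
    "14:37:40.000000 IP 192.168.1.90.60675 > 192.168.63.134.53: 17522+ A? www.apple.com. (31)",
    "14:37:56.825700 IP 192.168.1.226.55796 > 192.168.63.134.53: 11008+ A? www.apple.comlibrary. (38)",
]

if __name__ == "__main__":
    # Location header value exactly as it appears in the hex dump above.
    print(check_location("http://www.apple.comlibrary/test/success.html"))
    print(build_redirect("http", "www.apple.com", "library/test/success.html"))
    print(dict(scan_dns_log(SAMPLE_DNS_LOG)))
```

Running this prints the reconstructed URL http://www.apple.com/library/test/success.html for the captured Location header and reports one fused-name query each from 192.168.1.90 and 192.168.1.226 in the sample log; a query for the plain www.apple.com is not counted. Pointing scan_dns_log at a live tcpdump of port 53 on the portal interface is a quick way to confirm the bug is gone after upgrading, since no client should ever ask for a fused name once the redirect is correct.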
Hummm.
Good details here.
I guess you found this http://forum.pfsense.org/index.php/topic,56812.msg303237.html#msg303237 ;)
edit: Better yet: it's in the oven: https://github.com/bsdperimeter/pfsense/commit/f89afb4765f317a532cb71f3b3883e8f897cfebb and will be served when ready.