Netgate Discussion Forum

    Automatic redirect after connecting to open network

    Captive Portal
    • scribe

      Hello community,

      after searching the web and this forum for three days now without any proper results, I hope that maybe some of you can help me with my problem. But first a short introduction to my setup:

      I've set up pfSense 2.0.3 as a captive portal, configured the DHCP relay agent and enabled DNS Forwarder. So far everything works just fine. If a client connects to the unsecured network it first gets authenticated and then an IP address is handed out to it by the DHCP server. When you then manually open the browser and type in an HTTP URI you get successfully redirected to the portal login page where a voucher code is required.

      There is just that one thing that, unlike with every other public hotspot I have come across so far, the portal login page isn't displayed automatically after accessing the network (i.e. no browser window pops up). So I did some research on how the different OSes detect whether they are behind a captive portal or not. For example, a Windows system first tries to resolve the IP address for www.msftncsi.com and, if that worked, requests www.msftncsi.com/ncsi.txt. In case that attempt fails, the system performs a DNS lookup on dns.msftncsi.com and compares the returned address to a value stored in its registry. Likewise, iOS devices attempt to retrieve www.apple.com/library/test/success.html to decide whether there is a captive portal involved or not (i.e. the controller intercepts the TCP handshake and an HTTP 302 message is sent).

      On my Windows PC I used Wireshark to look at the traffic sent to and from the pfSense CP and discovered that the CP doesn't intercept the HTTP requests and responses to and from msftncsi.com, so there is no need for Windows to inform the user about a captive portal. Further, there is a topic (http://forum.pfsense.org/index.php/topic,46796.0.html) covering that issue with iOS, but the solution there is that this simply doesn't work with secured networks, and that just isn't the case here. So my next thought was to simply block all outgoing traffic to a certain address with a firewall rule, but that didn't help with Apple devices either. On the one hand, all traffic to www.apple.com would then be blocked, and on the other hand you can see in the firewall logs that TCP packets from Apple's IP 2.18.173.15 are still not blocked by the firewall.

      So please, if anyone has an idea what is going on here, what I am doing wrong, where my thinking is wrong, what settings to configure, what firewall rules to set or whether this can't be achieved with pfSense at all, share your thoughts. I'm looking forward to learning something new today!

      Thanks and best regards
      scribe
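
A simplified model of the client-side check described in the post above, as an added example that is not part of the original post and is not pfSense or vendor code. The expected probe bodies, the `Response` type, `portal.example` and the sample responses are assumptions constructed for illustration.

```python
"""Client-side captive-portal decision, modelled on the probes in the post."""
from dataclasses import dataclass, field
from typing import Optional

# Probe URLs are the ones named in the post. The expected bodies are NOT in
# the post; they are assumed here and kept as data so they are easy to change.
PROBES = {
    "windows": ("http://www.msftncsi.com/ncsi.txt", "Microsoft NCSI"),
    "ios": ("http://www.apple.com/library/test/success.html", "Success"),
}

@dataclass
class Response:
    """Constructed stand-in for the HTTP answer the client received."""
    status: int
    body: str = ""
    headers: dict = field(default_factory=dict)

def classify(os_name: str, resp: Optional[Response]) -> str:
    """Return 'online', 'captive_portal' or 'no_connectivity'."""
    _url, expected = PROBES[os_name]
    if resp is None:
        # Probe timed out or was dropped: nothing to follow, so no login page.
        return "no_connectivity"
    if 300 <= resp.status < 400 and "Location" in resp.headers:
        # Something in the path answered with a redirect: portal behaviour.
        return "captive_portal"
    if resp.status == 200 and expected in resp.body:
        # The probe reached the real server unmodified.
        return "online"
    # Any other answer means the content was altered on the way.
    return "captive_portal"

SAMPLES = [  # constructed inputs, not captured traffic
    ("windows", Response(200, "Microsoft NCSI")),   # probe passed through untouched
    ("windows", Response(302, "", {"Location": "http://portal.example/login"})),
    ("ios", Response(200, "<html><body>Enter voucher</body></html>")),
    ("ios", None),                                  # probe dropped by a block rule
]

def run_samples():
    """Classify every constructed sample in order."""
    return [classify(os_name, resp) for os_name, resp in SAMPLES]

if __name__ == "__main__":
    for (os_name, _resp), verdict in zip(SAMPLES, run_samples()):
        print(f"{os_name:8} -> {verdict}")
```

In this model only a redirected or altered answer yields `captive_portal`; a probe that passes through untouched, or one that is simply dropped, gives the client nothing that points it to a login page.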

      • nothing

        That could only be an OS feature, not pfsense or any hotspot. You can't have autorun for a network (unless additional software is installed on the client, which doesn't work for a guest network).

        • scribe

          Thank you, nothing, for your response.

          I know that the automatic opening of the web browser is an OS feature. But I thought maybe there is a way for pfSense to adhere to the procedure the different operating systems require respectively.

          While experimenting with a different Windows PC, this time a Windows 8 system, everything worked like it should. But with Apple or Android devices nothing happens at all until I open a browser manually. Unfortunately I have no opportunity to use a packet sniffer on an OS X device, so all I can say about network packets sent and received while e.g. an iPhone is connecting to the captive portal Wi-Fi is what I found out reading the firewall logs. These logs show that packets from Apple's IP address I mentioned in my post above are not blocked. Usually, when the answer from apple.com/library/test/success.html isn't received or is altered, the device should open its browser to follow the redirect of the CP.

          But thanks anyway. Maybe someone else has experienced something similar and knows an answer to my question.

          Best regards
          scribe

          • doktornotor (Banned)

            No, sorry. Once again, captive portals are broken by design as you've observed. And no, pfsense will not force any OS to launch a browser.
