    Pfsense + Apple don't mix?

    • PRNOHFT

      Hi all,

      Apologies if this is in the wrong thread, but I have a few issues using pfSense + Apple.

      1.) iPad not able to go in Captive Portal
      The captive portal pretty much works with everything else. Even some iPads, BUT there is a small number of iPads that are having issues with the captive portal. It would connect to the AP for a few seconds but the page does not load, then it would disconnect from the AP. This would go on UNTIL I restart the captive portal, which would then allow the captive portal page to load. I'm baffled.

      2.) Can't download stuff off iTunes
      I did a search but I don't think there has been a clear solution on how we can download and update applications from iTunes.

      Would appreciate the help, guys. Thanks.

      Also, this is my first post and my first time using pfSense, so be nice.  :-*

      Thanks again!

      • Derelict

        What packages are you using? (Squid, snort, suricata, squidguard, etc.)?

        I've never seen any such thing and I routinely have thousands of simultaneous captive portal clients.

        Run updates from iTunes and the App Store too.  It's just packets.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • muswellhillbilly

          Not sure if this is the same issue, but we've had problems with some of our iPad users when trying to connect to our captive portal. The solution is to go to your iPad's settings, select 'Safari' and in the Safari settings make sure that 'Autofill' is set to 'off'. This may or may not solve your authentication problem, but it is a bit of a gotcha with our setup.

          The only reason I can think you might not be able to download from iTunes is if you're having an authentication problem, as above. Otherwise it ought to work once your device is connected and you've successfully logged into the session.

          • The Computer Guy

            I've had trouble in the past with Apple devices going through the captive portal: an Apple device needs to see a certain page on the Apple website in order to initiate the connection. I generally just allow the host name through the captive portal and it works.

            I'm sure it came in with a certain iOS version, which may explain why some connect. Are they running older versions of iOS?

            • Derelict

              The Apple devices make a connection to one of a few URLs maintained by Apple.  They expect to see "Success" returned.  If that's what they get, they assume they are on the internet.  If they get anything else (like your captive portal page) they bring up a mini-browser and load again.  The user sees your portal and signs on.

              My main complaint is the timeout seems too short to enter a voucher, etc, after which the device gives up and switches back to another network.

              What we need is an IETF standard for portal discovery.  Maybe a DHCP option.  Maybe extend WPAD.

              • PRNOHFT

                I'm running on Squid + Squidguard. I believe the devices are updated to the latest version. I'm stumped.

                • Derelict

                  No squid/squidguard here.  Pretty sure that pretty much breaks captive portal.  Priorities.

                  • PRNOHFT

                    We need to utilise Squid + SquidGuard for web filtering. Running it in a school, after all.

                    • PRNOHFT

                      OK so I turned off my Squid + Squidguard to see if iTunes would be able to update/install any apps on the tablet. No dice. :(

                      • Derelict

                        Huh?  Dude it's just packets.  There is nothing special about iTunes.  If there's a portal you need to get through that before iTunes will be able to get out.

                        Or you need to identify every hostname and/or IP address iTunes uses and whitelist them in your CP.  (Good luck with that.)

                        • Gertjan

                          @PRNOHFT:

                          OK so I turned off my Squid + Squidguard to see if iTunes would be able to update/install any apps on the tablet. No dice. :(

                          Because these packages (at least squid) break the pfSense core portal code.

                          Save your settings, reinstall a clean pfSense, import settings, and you'll find out what I already found out many years ago:
                          Devices that work best with the Captive Portal are ... Apple devices.
                          Never had to 'touch' settings in these devices - they just work out of the box.

                          Better yet: when connecting to a Wi-Fi network, they make an 'http' call to a random site (the list is in iOS) - as said, the result should be the text "Success". (BTW: Microsoft OS devices do the same thing also.)
                          If no "Success", the iDevice presumes it's behind a Portal, so it pops up a mini browser that will show ... by magic, the Captive Portal Login Page!

                          If you NEED squid etc., you should use the latest version that works (== doesn't break the portal).
                          I'm not using it myself, so no advice from me about that issue.

                          No "help me" PM's please. Use the forum, the community will thank you.
                          Edit: and where are the logs??

                          • PRNOHFT
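The probe-and-redirect exchange that Derelict and Gertjan describe above, modelled in Python as an added example (not code from the thread, from Apple or from pfSense); the probe host, probe path, portal address and client IPs are constructed placeholders, and the third probe shows what happens when the probe host itself is passed through the portal as The Computer Guy does.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed placeholders (not Apple's real probe list, not a pfSense setting).
PROBE_HOST = "probe.example.net"
PROBE_PATH = "/probe.html"
PORTAL_URL = "http://portal.lan:8002/index.php"

@dataclass
class Response:
    status: int
    body: str = ""
    location: Optional[str] = None

@dataclass
class CaptivePortal:
    """Toy gateway: unauthenticated clients are redirected to the login page
    unless the requested host is on the pass-through list."""
    authenticated: set = field(default_factory=set)
    allowed_hosts: set = field(default_factory=set)

    def handle(self, client_ip: str, host: str, path: str) -> Response:
        if client_ip in self.authenticated or host in self.allowed_hosts:
            # Traffic passes to the real origin; the probe host answers "Success".
            if host == PROBE_HOST:
                return Response(200, "Success")
            return Response(200, "<html>origin content</html>")
        # Intercept: send the device to the portal login page instead.
        return Response(302, location=f"{PORTAL_URL}?redirurl=http://{host}{path}")

def probe_result(resp: Response) -> str:
    """Device-side decision: only a 200 with the literal body "Success" means
    "on the internet"; a redirect or the portal HTML means "captive", and the
    device opens its mini-browser on the portal page."""
    if resp.status == 200 and resp.body.strip() == "Success":
        return "internet"
    return "captive"

def walk_through():
    """Three probes: before login, after login, and from an unauthenticated
    device when the probe host itself is passed through the portal."""
    portal = CaptivePortal()
    before = probe_result(portal.handle("192.0.2.10", PROBE_HOST, PROBE_PATH))
    portal.authenticated.add("192.0.2.10")          # user signed in via the mini-browser
    after = probe_result(portal.handle("192.0.2.10", PROBE_HOST, PROBE_PATH))
    portal.allowed_hosts.add(PROBE_HOST)            # 'allow the host name through'
    bypass = probe_result(portal.handle("192.0.2.11", PROBE_HOST, PROBE_PATH))
    # bypass == "internet": the device believes it is online, so no mini-browser appears
    return before, after, bypass                    # ('captive', 'internet', 'internet')
```

The third result is the trade-off behind the allow-list approach: the probe succeeds, so the device stops complaining, but it also never shows the login page on its own.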

                            Gertjan -

                            Just to check again, I should install the latest version, which is 4.3.9 (currently installed 2.7.9 pkg v. 4.3.6),
                            as well as SquidGuard's latest version, which is 1.9.15 (currently installed is 1.9.14)?

                            Thanks. Sorry for being so newbie at this.

                            • Guest (from outside this forum)

                              Apologies if this is in the wrong thread but I have a few issues using pfsense + Apple.

                              This can be because many or all Apple devices are also sending a TOS signal from their devices, but
                              you can try to disable this and see if it's running then for you.

                              • Derelict

                                Another option is a router doing captive portal duties then an upstream router doing your proxying/filtering.

                                pfSense is free, after all.

                                • tim.mcmanus

                                  Have you done a packet capture to see what Apple's software update is trying to reach, and then checked the firewall logs to determine where it's being blocked?

                                  • PRNOHFT

                                    Well, I managed to fix the iTunes issue. Apparently you have to add in the IPs that are linked to iTunes under Target Categories.

                                    It worked fine after that.

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.