Netgate Discussion Forum

    Pfsense + Apple don't mix?

      The Computer Guy

      I've had trouble in the past with Apple devices going through the captive portal. An Apple device needs to see a certain page on the Apple website in order to initiate the connection; I generally just allow the host name through the captive portal and it works.

      I'm sure it came in on a certain iOS, which may explain why some connect. Are they running older versions of iOS?

        Derelict LAYER 8 Netgate

        The Apple devices make a connection to one of a few URLs maintained by Apple. They expect to see "Success" returned. If that's what they get, they assume they are on the internet. If they get anything else (like your captive portal page) they bring up a mini-browser and load again. The user sees your portal and signs on.

        My main complaint is the timeout seems too short to enter a voucher, etc, after which the device gives up and switches back to another network.

        What we need is an IETF standard for portal discovery.  Maybe a DHCP option.  Maybe extend WPAD.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)
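
The check described in the post above, as an added example that is not part of the original thread: it classifies what a "Success" probe received, which helps tell a working portal redirect from a filtering proxy answering in its place. The portal host name, the redirect form of the portal reply, and all sample responses are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

PORTAL_HOST = "portal.example.lan"  # hypothetical captive portal host


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("utf-8", "replace")


def classify(raw: bytes, portal_host: str) -> str:
    """Return 'online', 'portal', 'proxy' or 'other' for a probe reply."""
    status, headers, body = parse_response(raw)
    # Strip tags; the page must contain nothing but the word "Success".
    words = re.sub(r"<[^>]+>", " ", body).split()
    if status == 200 and words and set(words) == {"Success"}:
        return "online"
    # Assumption: the portal answers the probe with a redirect to itself.
    location = headers.get("location", "")
    if 300 <= status < 400 and urlsplit(location).hostname == portal_host:
        return "portal"
    # A proxy block page is also "not Success", but it is not the login page.
    if "x-squid-error" in headers or "squid" in headers.get("server", "").lower():
        return "proxy"
    return "other"


# Constructed sample replies to the same probe request.
SAMPLES = {
    "open": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
            b"<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>",
    "portal": b"HTTP/1.1 302 Found\r\n"
              b"Location: http://portal.example.lan:8002/index.php?zone=school\r\n\r\n",
    "proxy": b"HTTP/1.1 403 Forbidden\r\nServer: squid\r\n"
             b"X-Squid-Error: ERR_ACCESS_DENIED 0\r\n\r\n<html><body>Access Denied</body></html>",
    "lookalike": b"HTTP/1.1 200 OK\r\n\r\n<html><body>Login Success page</body></html>",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:10s} -> {classify(raw, PORTAL_HOST)}")
```
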

          PRNOHFT

          I'm running on Squid + Squidguard. I believe the devices are updated to the latest version. I'm stumped.

            Derelict LAYER 8 Netgate

            No squid/squidguard here.  Pretty sure that pretty much breaks captive portal.  Priorities.

              PRNOHFT

              We need to utilise squid + squidguard for web filtering. Running it in a school after all.

                PRNOHFT

                OK so I turned off my Squid + Squidguard to see if iTunes would be able to update/install any apps on the tablet. No dice. :(

                  Derelict LAYER 8 Netgate

                  Huh?  Dude it's just packets.  There is nothing special about iTunes.  If there's a portal you need to get through that before iTunes will be able to get out.

                  Or you need to identify every hostname and/or IP address iTunes uses and whitelist them in your CP.  (Good luck with that.)

                    Gertjan

                    @PRNOHFT:

                    OK so I turned off my Squid + Squidguard to see if iTunes would be able to update/install any apps on the tablet. No dice. :(

                    Because these packages (at least squid) break the pfSense core portal code.

                    Save your settings, reinstall a clean pfSense - import settings and you'll find out what I already found out many years ago:
                    Devices that work best with the Captive Portal are ….. Apple devices.
                    Never had to 'touch' settings in these devices - they just work out of the box.

                    Better yet: when connecting to a Wifi network, they make an 'http' call to a random (the list is in iOS) site - as said, the result should be the text "Success". (btw: Microsoft OS devices do the same thing also)
                    If no "Success", the iDevice presumes it's behind a Portal, so it pops up a mini browser that will show ... by magic, the Captive Portal Login Page!

                    If you NEED squid etc, you should use the latest version that works (== doesn't break the portal).
                    I'm not using it myself, so no advice from me about that issue.

                    No "help me" PM's please. Use the forum, the community will thank you.
                    Edit : and where are the logs ??

                      PRNOHFT

                      Gertjan -

                      Just to check again, I should install the latest version which is 4.3.9 (currently installed 2.7.9 pkg v. 4.3.6)
                      as well as squidguard's latest version which is 1.9.15 (currently installed is 1.9.14)

                      Thanks. Sorry for being so newbie at this.

                        Guest

                        Apologies if this is in the wrong thread but I have a few issues using pfsense + Apple.

                        This can be because many or all Apple devices are also sending a TOS signal from their devices, but
                        you can try to disable this and see if it's running then for you.

                          Derelict LAYER 8 Netgate

                          Another option is a router doing captive portal duties then an upstream router doing your proxying/filtering.

                          pfSense is free, after all.

                            tim.mcmanus

                            Have you done a packet capture to see what Apple's software update is trying to reach and then checked the firewall logs to determine where it's being blocked?

                              PRNOHFT

                              Well I managed to fix the iTunes issue. Apparently you have to add in the IPs that are linked to iTunes under Target Categories and adding;

                              It worked fine after that.
