Captive portal and squid non transparent

jopeme

In principle I have configured pfsense v2.3.4 with squid + squidguard and is running in non-transparent mode for all my interfaces. So I configure the proxy in the Web browsers of customers.
The case, is that on an interface I've configured dhcp and captive portal for users who connect by wifi. Rules in the wifi is obligated to use squid is also listening on this interface by the port 3128:

I see that as it takes control squid, website of the captive portal login does not jump and can therefore navigate freely. It only jumps if not configure the proxy in the browser.

Any one knows how to solve this?
Thanks.

marcelloc

Configure a start page on client's browser that is listed on do not use proxy for these ips/sites filed.

jopeme

What do you mean exactly when you type "client's browser that is listed" ?

My Wi-Fi clients are not corporate workers, they are temporary guests.

marcelloc

You need a page that does directly so captive portal can open authentication. Most Mobile devices alerts about captive login required.

How are you sending proxy configuration on these clients?

jopeme

Próxy  Dsettings  must be introduced manually and ip settings pfsense send it with dhcp

marcelloc

@jopeme:

Próxy  Dsettings  must be introduced manually and ip settings pfsense send it with dhcp

you may try to include on squid error page, a link to captive portal login.

I'm not sure mobile devices includes the 'do not use proxy for these destinations' field.

jopeme

I do not see sense to include a link in the squid error page because squid works and does not give error. What happens is that squid skip the captive portal.

marcelloc

You need a way to tell users that has proxy configured to go to captive. If you deny unauthenticated users, you can send info to they log on captive.

But if they go to captive url with squid ip or 127.0.0.1, the first users will allow everyone else that connects.

A hard workaround could be a url rewrite for non authenticated users interacting with a modified captive portal that uses x-forward info instead of squid ip.

Or

You can configure a wpad on clients instead of fixed proxy. This way you can tell what sites go directly and sites that goes with squid.

jopeme

First of all thank you very much for your help.
Could you be more concrete? If possible with some example. Sorry, but my English is not very good and it's difficult for me to understand. Regarding the configuration of wpad does not need to clarify anything because I have already worked on it and I understand what you want to tell me. I'd rather see what it would be like to do the other part you tell me.
Thanks again.

marcelloc

Try wpad first, it will be much easier to skip proxy for specific urls.

jopeme

So it is not possible for the captive portal and squid in non-transparent mode to work together?