Captive portal + WPAD + Squid



  • Hi,
    I'm stuck on a Captive portal + WPAD + Squid implementation:

    • Captive portal is on a NetGate Device

    • WPAD is hosted on another VM and behind the pf WAN interface

    • Squid is also on another VM and hosted behind the pf WAN interface

    My issue is:

    • when wpad.dat is not accessible, clients are redirected to the login page but the wpad.dat is not applied, and the workaround is to close the browser and open it again...

    • when the webserver is listed in "Allowed ip address", the wpad.dat is OK but the clients are not redirected to the captive portal (because of the proxy configuration?)

    I have a workaround for Firefox with:

    // Firefox's captive-portal probe host must bypass the proxy
    if (dnsDomainIs(host, "detectportal.firefox.com")) {
        return "DIRECT";
    }

    so the wpad is loaded when the browser starts, and as Firefox begins by checking "detectportal.firefox.com", the captive portal login page opens (thanks to the 302)...

    I've tested hosting WPAD and the proxy on the pfSense itself but it was the same.
    Does somebody know what is happening?

    Thanks
    NG
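    A complete wpad.dat built around the same idea, added here as an example (it is not the poster's file): captive-portal probe hosts, the portal's own domain and local names go DIRECT so the portal's 302 can reach the browser, and everything else goes to Squid. The Squid address and the portal domain are assumptions; the PAC helper functions (dnsDomainIs, isPlainHostName, shExpMatch) are re-implemented only so the file can be run under Node to check the decisions, a browser's PAC engine supplies its own.

```javascript
// Added example PAC (wpad.dat), not from the thread. Hostnames below are
// assumptions for illustration.
var SQUID = "PROXY squid.example.internal:3128"; // assumed Squid address
var PORTAL_DOMAIN = "portal.example.internal";   // assumed captive-portal domain

// Hosts the OS or browser fetches to detect a captive portal. If these go
// through the proxy, the portal never sees the request and the login page
// is never triggered (the symptom described in the thread).
var PORTAL_PROBE_HOSTS = [
  "detectportal.firefox.com",      // Firefox (the host named in the thread)
  "captive.apple.com",             // macOS / iOS
  "www.msftconnecttest.com",       // Windows 10 and later
  "www.msftncsi.com",              // older Windows
  "connectivitycheck.gstatic.com"  // Android / Chrome
];

// Stand-ins for the helper functions a browser's PAC engine provides.
// They are here only so the file runs under Node for testing.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function shExpMatch(str, shexp) {
  // Shell-style glob: only "*" and "?" are special, everything else literal.
  var re = "^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

// Written in ES3-style JavaScript (var, plain for loops) because some PAC
// engines, e.g. WinHTTP's JScript, reject newer syntax.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Intranet names and common RFC 1918 literals never go via the proxy.
  if (isPlainHostName(host) ||
      shExpMatch(host, "10.*") ||
      shExpMatch(host, "192.168.*")) {
    return "DIRECT";
  }

  // The captive portal itself (and the WPAD/proxy hosts, if they share its
  // domain) must be reached directly, otherwise the login page loops.
  if (dnsDomainIs(host, PORTAL_DOMAIN)) {
    return "DIRECT";
  }

  // Connectivity probes bypass the proxy so the portal can answer them.
  for (var i = 0; i < PORTAL_PROBE_HOSTS.length; i++) {
    if (host === PORTAL_PROBE_HOSTS[i]) {
      return "DIRECT";
    }
  }

  return SQUID;
}
```

    Serve the file as http://wpad.&lt;your-domain&gt;/wpad.dat with the Content-Type application/x-ns-proxy-autoconfig, and keep the WPAD host, Squid and the portal reachable from unauthenticated clients (the "Allowed ip address" list discussed below), otherwise the browser can neither fetch the PAC nor reach the proxy it names. The probe hosts are matched exactly rather than by suffix so an unrelated name ending in the same string cannot slip past the proxy.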



  • @nilux17 said in Captive portal + WPAD + Squid:

    when the webserver is listed in "Allowed ip address", the wpad.dat is ok ....

    The server that hosts the wpad file should be on the "Allowed ip address" list, otherwise the client couldn't even connect to this host and retrieve the wpad file.
    But: how could a client know that he has to connect to this host first (to get a wpad file)?
    How do you communicate the wpad location: by DHCP (see https://www.davidpashley.com/articles/automatic-proxy-configuration-with-wpad/)?

    If the browser found the wpad file, it will use the proxy (squid) that it contains, but now the client could not connect to that proxy, because the captive portal is blocking.
    Add that host (IP) also to the "Allowed ip address" list?
    (this is me just thinking about the subject, I never used a proxy like squid on a captive portal - I never found a reason why I should use squid)



  • @Gertjan Thanks for reply.

    • But: how could a client know that he has to connect to this host first (to get a wpad file)?
      That's why I put it in "Allowed ip address" in the second case.
      For WPAD, I use the DNS way with the DNS Forwarder and it's OK.

    • Add that host (IP) also to the "Allowed ip address" list?
      If I declare the IP of the proxy and the wpad webserver in the "Allowed ip address", clients get the wpad file, connect to the proxy and can surf without getting the captive portal auth...

    Regards


  • Captive portals are not compatible with proxies; you are probably having a network design issue here.

    Possible options:

    • use an IDS (snort, suricata....) instead of proxy
    • use a "transparent proxy" instead of your current proxy server
    • use DNS logs to retrieve websites browsed by users instead


  • @free4
    Thanks,
    I've set up a transparent proxy + HTTPS/SSL interception on the Netgate itself and use my existing proxy as a peer proxy.
    It works.

