Netgate Discussion Forum

    Captive portal + WPAD + Squid

    5 Posts 3 Posters 1.6k Views

    nilux17

      Hi,
      I am stuck on a Captive portal + WPAD + Squid implementation:

      • Captive portal is on a NetGate Device

      • WPAD is hosted on another VM and behind the pf WAN interface

      • Squid is also on another VM and hosted behind the pf WAN interface

      My issue is:

      • when wpad.dat is not accessible, clients are redirected to the login page but the wpad.dat is not applied, and the workaround is to close the browser and open it again...

      • when the webserver is listed in "Allowed ip address", the wpad.dat is ok but the clients are not redirected to the captive portal (because of the proxy configuration?)

      I have a workaround for Firefox with:
          if (dnsDomainIs(host, "detectportal.firefox.com")) {
              return "DIRECT";
          }
      so the WPAD is loaded when the browser starts and, as Firefox begins by checking "detectportal.firefox.com", the captive portal login page opens (thanks to the 302)...

      I've tested hosting WPAD and the proxy on the pfSense but it was the same.
      Does somebody know what is happening?

      Thanks
      NG
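      Added example (not from the thread): a minimal wpad.dat that generalises the Firefox workaround above to the portal-detection hosts of other browsers and sends everything else through Squid. The PAC helpers dnsDomainIs/isPlainHostName are provided by the browser; the shims below only let the file run under Node. The proxy address and portal hostname are constructed placeholders.

```javascript
// Shims for two PAC built-ins (same semantics as Firefox/Chrome); only needed
// to run this file outside a browser.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// Constructed placeholders: Squid (3128 is Squid's default port) and the
// captive-portal page. Both hosts must also be on the portal's
// "Allowed ip address" list or the client cannot reach them before login.
var SQUID = "PROXY 192.0.2.10:3128";    // RFC 5737 test address
var PORTAL_HOST = "portal.example.lan"; // placeholder

// Hosts browsers probe to detect a captive portal. detectportal.firefox.com
// is from the post; the others are the well-known Windows, Apple and Android
// equivalents, added here as a generalisation.
var PROBE_HOSTS = [
  "detectportal.firefox.com",
  "www.msftconnecttest.com",
  "captive.apple.com",
  "connectivitycheck.gstatic.com"
];

function FindProxyForURL(url, host) {
  // Probes go DIRECT so pfSense can answer them with its 302 to the login page.
  for (var i = 0; i < PROBE_HOSTS.length; i++) {
    if (dnsDomainIs(host, PROBE_HOSTS[i])) return "DIRECT";
  }
  // The login page itself and unqualified local names also stay off the proxy.
  if (host === PORTAL_HOST || isPlainHostName(host)) return "DIRECT";
  // Everything else goes through Squid once the client is authenticated.
  return SQUID;
}
```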

      Gertjan @nilux17

        @nilux17 said in Captive portal + WPAD + Squid:

        when the webserver is listed in "Allowed ip address", the wpad.dat is ok ....

        The server that hosts the wpad file should be on the "Allowed ip address", otherwise the client couldn't even connect to this host and retrieve the wpad file.
        But: how could a client know that he has to connect to this host first (to get a wpad file)?
        How do you communicate the wpad location: by DHCP (see https://www.davidpashley.com/articles/automatic-proxy-configuration-with-wpad/)?

        If the browser found the wpad file, it will use the proxy (squid) that it contains, but now the client could not connect to that proxy, because the captive portal is blocking.
        Add that host (IP) also on the "Allowed ip address" list?
        (this is me just thinking about the subject, I never used a proxy like squid on a captive portal - I never found a reason why I should use squid)

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit: and where are the logs??

        nilux17 @Gertjan

          @Gertjan Thanks for reply.

          • But: how could a client know that he has to connect to this host first (to get a wpad file)?
            That's why I put it in "Allowed ip address" in the second case.
            For WPAD, I use the DNS way and I use the DNS Forwarder, and it's ok.

          • Add that host (IP) also on the "Allowed ip address" list?
            If I declare the IP of the proxy and the WPAD webserver in "Allowed ip address", clients get the wpad file, connect to the proxy and can surf without getting the captive portal auth...

          Regards

          free4 (Rebel Alliance)

            Captive portals are not compatible with proxies; you probably have a network design issue here.

            Possible options:

            • use an IDS (snort, suricata....) instead of proxy
            • use a "transparent proxy" instead of your current proxy server
            • use DNS logs to retrieve websites browsed by users instead

            nilux17 @free4

              @free4
              thx,
              I've set up a transparent proxy + HTTPS/SSL interception on the Netgate itself and use my existing proxy as a peer proxy.
              It works.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.