Captive Portal and state tables

  • Perhaps I am ignorant to how state tables work, but If i see a connection like this: -> ESTABLISHED:ESTABLISHED being a captive guest wireless ip address, secured by captive portal, and no users are listed as logged into the captive portal, am I right in assuming that someone has bypassed it?
    We are a public building, and currently I have aprox 30 DHCP leases on my captive portal, which is somewhat normal. No one has any logins though, so it is assumed it is just phones autoconnecting and getting an IP. But while tracing down another problem, I noticed that there are a lot of connections to china telecom. So i looked into the state table and sure enough, there are a bunch of "established" connections.

    A reset of the state table, and they come back. Turning off the interface for 30 minutes, turn it back on, they come back almost immediately. What is going on here? Do i mis understand what a state table is? shouldn't it be connections going through the firewall if it says "established:established". Am i right in assuming that someone has bypassed the captive portal in this situation?

    My next step is to see if i can get on there without authentication. However if they have some clever android app or something that I dont have… Anyone seen anything like this and can explain it? Once again, no users have authenticated, but i see many connections out of the firewall like the one above.