Pfsense + Apple don't mix?



  • Hi all,

    Apologies if this is in the wrong thread but I have a few issues using pfsense + Apple.

    1.) iPad not able to go in Captive Portal
The captive portal pretty much works with everything else. Even some iPads BUT there is a small number of iPads that are having issues with the captive portal. It would connect to the AP for a few seconds but the page does not load, then it would disconnect from the AP. This would go on UNTIL I restart the captive portal, which would then allow the captive portal page to load. I'm baffled.

    2.) Can't download stuff off iTunes
    I did a search but I don't think there has been a clear solution on how we can download and update applications from iTunes.

    Would appreciate the help, guys. Thanks.

    Also this is my first post and my first time using pfsense so be nice.  :-*

    Thanks again!


  • Netgate

    What packages are you using? (Squid, snort, suricata, squidguard, etc.)??

    I've never seen any such thing and I routinely have thousands of simultaneous captive portal clients.

    Run updates from iTunes and the App Store too.  It's just packets.



  • Not sure if this is the same issue, but we've had problems with some of our iPad users when trying to connect to our captive portal. The solution is to go to your iPad's settings, select 'Safari' and in the Safari settings make sure that 'Autofill' is set to 'off'. This may or may not solve your authentication problem, but it is a bit of a gotcha with our setup.

    The only reason I can think you might not be able to download from iTunes is if you're having an authentication problem, as above. Otherwise it ought to work once your device is connected and you've successfully logged into the session.



  • I've had trouble in the past with Apple devices going through the captive portal. An Apple device needs to see a certain page on the Apple website in order to initiate the connection; I generally just allow the host name through the captive portal and it works.

    I'm sure it came in on a certain iOS, which may explain why some connect. Are they running older versions of iOS?


  • Netgate

    The Apple devices make a connection to one of a few URLs maintained by Apple.  They expect to see "Success" returned.  If that's what they get, they assume they are on the internet.  If they get anything else (like your captive portal page) they bring up a mini-browser and load again.  The user sees your portal and signs on.

    My main complaint is the timeout seems too short to enter a voucher, etc, after which the device gives up and switches back to another network.

    What we need is an IETF standard for portal discovery.  Maybe a DHCP option.  Maybe extend WPAD.



  • I'm running on Squid + Squidguard. I believe the devices are updated to the latest version. I'm stumped.


  • Netgate

    No squid/squidguard here.  Pretty sure that pretty much breaks captive portal.  Priorities.



  • We need to utilise Squid + SquidGuard for web filtering. Running it in a school after all.



  • OK so I turned off my Squid + Squidguard to see if iTunes would be able to update/install any apps on the tablet. No dice. :(


  • Netgate

    Huh?  Dude it's just packets.  There is nothing special about iTunes.  If there's a portal you need to get through that before iTunes will be able to get out.

    Or you need to identify every hostname and/or IP address iTunes uses and whitelist them in your CP.  (Good luck with that.)



  • @PRNOHFT:

    OK so I turned off my Squid + Squidguard to see if iTunes would be able to update/install any apps on the tablet. No dice. :(

    Because these packages (at least squid) break the pfSense core portal code.

    Save your settings, reinstall a clean pfSense, import settings and you'll find out what I already found out many years ago:
    Devices that work best with the Captive Portal are ... Apple devices.
    Never had to 'touch' settings in these devices - they just work out of the box.

    Better yet: when connecting to a Wifi network, they make an 'http' call to a random (the list is in iOS) site - as said, the result should be the text "Success". (btw: Microsoft OS devices do the same thing also)
    If no "Success", the iDevice presumes it's behind a Portal, so it pops up a mini browser that will show ... by magic, the Captive Portal Login Page!

    If you NEED squid etc, you should use the latest version that works (== doesn't break the portal).
    I'm not using it myself, so no advice from me about that issue.
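    As an added illustration of the probe described in this thread (not code from any poster or from pfSense): a constructed Python simulation in which a client fetches a probe page and treats itself as online only when the body is the literal text "Success", while a toy portal hands every unauthenticated client the login page instead. The probe path, login page and the "allowed" client set are assumptions made for the demo.

```python
import http.server
import socketserver
import threading
import urllib.request

# Constructed stand-ins: the probe path an iDevice might fetch, and the portal's login page.
PROBE_PATH = "/hotspot-detect.html"
PORTAL_PAGE = "<html><body><form action='/login'>Portal login</form></body></html>"


class FakePortalHandler(http.server.BaseHTTPRequestHandler):
    """Toy captive portal: unauthenticated clients get the login page for any URL;
    clients that have signed on get the probe's real answer ("Success")."""
    allowed = set()  # client IPs that have signed on (constructed state)

    def do_GET(self):
        if self.client_address[0] in self.allowed and self.path == PROBE_PATH:
            body = b"Success"
        else:
            body = PORTAL_PAGE.encode()  # intercepted: portal page instead of the probe
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def probe(url):
    """Client side of the check: 'online' only if the body is exactly 'Success'."""
    try:
        with urllib.request.urlopen(url, timeout=3) as resp:
            body = resp.read().decode(errors="replace").strip()
    except OSError:  # URLError, HTTPError and socket timeouts all derive from OSError
        return "no-connectivity"
    return "online" if body == "Success" else "captive-portal"


def run_demo():
    """Probe before and after the client 'signs on' to the toy portal."""
    FakePortalHandler.allowed.clear()
    with socketserver.TCPServer(("127.0.0.1", 0), FakePortalHandler) as srv:
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        url = "http://127.0.0.1:%d%s" % (srv.server_address[1], PROBE_PATH)
        before = probe(url)                          # portal page -> mini-browser would open
        FakePortalHandler.allowed.add("127.0.0.1")   # user completes the portal login
        after = probe(url)                           # "Success" -> device assumes internet
        srv.shutdown()
        return before, after
```

    Running `run_demo()` returns `("captive-portal", "online")`, which is the two states the iDevice distinguishes; a Squid/SquidGuard layer that rewrote the probe body would keep the client stuck in the first state.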



  • Gertjan -

    Just to check again, I should install the latest version which is 4.3.9 (currently installed 2.7.9 pkg v. 4.3.6)
    as well as squidguard's latest version which is 1.9.15 (currently installed is 1.9.14)

    Thanks. Sorry for being so newbie at this.



  • Apologies if this is in the wrong thread but I have a few issues using pfsense + Apple.

    This can be, because many or all Apple devices are also sending a TOS signal from their devices, but
    you can try out to disable this and see if it's running then for you.


  • Netgate

    Another option is a router doing captive portal duties then an upstream router doing your proxying/filtering.

    pfSense is free, after all.



  • Have you done a packet capture to see what Apple's software update is trying to reach and then checked the firewall logs to determine what is being blocked and where?



  • Well I managed to fix the iTunes issue. Apparently you have to add in the IPs that are linked to iTunes under Target Categories and adding:
    54.214.28.210 17.158.28.83 17.172.116.74 17.172.116.75 17.158.10.52 17.172.116.36 17.154.66.156 23.9.237.102 150.101.152.240 17.173.255.108 17.167.138.24 150.101.98.211 150.101.98.200 150.101.98.226 150.101.98.211 150.101.98.234 150.101.213.173 150.101.98.211 17.151.36.30 17.142.160.7 208.72.242.165 173.192.76.134 66.235.139.206 150.101.96.224 150.101.96.232 17.154.66.11 69.54.181.89 17.111.65.223 23.37.139.27 23.37.139.27 150.101.98.200 23.7.18.217 17.151.36.30 17.149.240.70 151.101.152.219 150.101.152.234 17.154.66.38

    It worked fine after that.