0

I've set up a Raspberry Pi as a Wi-Fi access point. Everything works, including the captive portal. The web browser on each client is redirected to the login page, which functions correctly. I'm looking to modify the configuration of iptables and/or dnsmasq to make the client open a web browser on the captive portal automatically. Starbucks, McDonald's, etc. can all do it; I'm trying to figure out how to do it.

Here, here and here are partial explanations of how to achieve it, but I'm looking to understand it - not merely follow someone else's instructions - so that I can do it myself. I would like to write a HOWTO on the subject, partly because one doesn't exist yet (or if it does then I can't find it).

There are third-party apps such as Wifidog and Coovachilli, which seem to do the job, but I've failed to grasp how they do it. I believe it can be achieved by modifying the configuration of dnsmasq and iptables, but that's as far as I've gotten. It should do something like this:

1) Regulate the data packets in such a way as to let the client's web browser realize that there's a captive portal; this will cause the client's web browser to open a window and direct it to the captive portal

2) Handle the captive portal; permit login; modify the settings of iptables to facilitate login; etc.

3) Redirect all traffic transparently after the login

Items 2 and 3 aren't a problem. I'm stuck on item 1. All advice is appreciated, including redirection to existing documentation. Thank you.

Hugo R.
  • I am stuck with the same problem. Can you post your progress? What did you settle with? – 55597 May 05 '16 at 16:45
  • The solution was for the middlebox to stop trying to discover if it's in a captive portal or not, and just forward the data. The client (Mac, PC, whatever) will try to access the relevant page (apple.com/... or whatever) and will get redirected somewhere else (login page at Starbucks, for instance). It all happens automatically. The solution was to stop meddling. :) – Hugo R. May 07 '16 at 04:35

1 Answer

0

I do not know how WifiDog and CoovaChilli do their thing, but ChilliSpot (which CoovaChilli was originally based on) did something along these lines:

  1. Open a raw socket bound to the internal interface
  2. Capture all traffic bound to that interface
  3. If it was authorized (e.g. logged in), handle NAT and forward on out
  4. If not authorized, block traffic

    UNLESS

  5. If it was not authorized AND HTTP, use some custom code to reply to the HTTP GET request with a 301 Redirect to point to the portal page itself, which would then allow for login.

That's the very simplified version of it, but I expect that most other captive portals will use very similar methods (especially the 301 Redirect). The absolute best way to find out would be to read a lot of code :)

Best of luck!

Joel C
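The forward / redirect / block decision from steps 3 to 5 of the answer, as an added example (not ChilliSpot's code and not part of the original post). The portal URL, the authorized-client set and the `orig` query field are assumptions made for illustration; the redirect defaults to 302 rather than the 301 mentioned in the answer, because browsers may cache a 301, and 301 remains selectable through `status`.

```python
from urllib.parse import quote

PORTAL_URL = "http://192.168.4.1/login"  # assumption: portal address on the AP
AUTHORIZED = {"192.168.4.23"}            # constructed: clients already logged in


def parse_get(payload: bytes):
    """Return (host, path) for a plain-HTTP GET, or None for anything else."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[0] != "GET" or not parts[2].startswith("HTTP/1."):
        return None  # TLS records, POSTs and non-HTTP data are rejected here
    host = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
    return host, parts[1]


def build_redirect(host: str, path: str, status: int = 302) -> bytes:
    """Build the redirect to the portal; the original URL goes in a query field."""
    # quote(..., safe="") percent-encodes every reserved or control character,
    # so client-supplied Host/path text cannot add header lines to the reply.
    orig = quote(f"http://{host}{path}", safe="")  # "orig" is a hypothetical name
    reason = {301: "Moved Permanently", 302: "Found"}[status]
    return (f"HTTP/1.1 {status} {reason}\r\n"
            f"Location: {PORTAL_URL}?orig={orig}\r\n"
            "Cache-Control: no-store\r\n"
            "Content-Length: 0\r\nConnection: close\r\n\r\n").encode("ascii")


def decide(client_ip: str, dst_port: int, payload: bytes):
    """Steps 3-5 of the answer: returns (action, reply bytes or None)."""
    if client_ip in AUTHORIZED:
        return "forward", None          # step 3: NAT and forward
    req = parse_get(payload) if dst_port == 80 else None
    if req:
        return "redirect", build_redirect(*req)  # step 5: HTTP GET only
    return "block", None                # step 4: everything else, HTTPS included
```

HTTPS from an unauthorized client falls into the block branch: the middlebox holds no certificate for the requested site, so it cannot answer that connection with a redirect.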