Android Bringing Up Captive Portal

I use an EA8500. I updated it from version 21.x.x to 23.05.0. Ever since that update, phones that have either a normal Android install or LineageOS now report that the wifi requires a sign-in and bring up a Captive Portal. The phones themselves were not updated; only the EA8500 was, and that is when this started. The Captive Portal prompt does not occur on a GrapheneOS phone.

The captive portal is nothing more than a black screen with a title bar. The title bar says "Sign in to (RouterName)." Below it is the URL www.google.com. To the right is a three-dot menu. If you click on it, it gives the option to connect or not to connect.

The internet works regardless of what you do with the Captive Portal. However, the Captive Portal prevents auto-connect from working on Android phones unless you turn off the notification. If the notification is left on, you have to connect the phones to the wifi manually.

I have been trying to figure out what is causing this captive portal so I could stop it. I was told by S1h that the forums would be the best place to bring this up since this sounds like a rarer bug.

Did you install a captive portal on your router?
Or is there one on your upstream connection?
Likewise, do you have any DNS filtering (adblock, etc.) happening?

On the surface, this doesn't seem like an OpenWrt bug, but with more information, maybe we can figure out what is happening.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords (including the Wi-Fi `option key` values in the wireless config), MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

There is no captive portal installed on the router. There is an adblock on a more upstream router. I was told if the phone thinks it has no internet it can throw a captive portal. I have never seen this in practice though. I do have the issue with my phones thinking they have no internet because they do the check before the VPN on the phones connects. I do not think this problem is just phone related though. The captive portal never came up until after I updated the router. The captive portal prevents auto-connecting to wifi.

ubus call system board




{
	"kernel": "5.15.134",
	"hostname": "Router",
	"system": "ARMv7 Processor rev 0 (v7l)",
	"model": "Linksys EA8500 WiFi Router",
	"board_name": "linksys,ea8500",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.0",
		"revision": "r23497-6637af95aa",
		"target": "ipq806x/generic",
		"description": "OpenWrt 23.05.0 r23497-6637af95aa"
	}
}

cat /etc/config/network

config interface 'loopback'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'
	option device 'lo'

config globals 'globals'
	option ula_prefix 'fdd0:a3d0:fc0a::/48'

config interface 'lan'
	option _orig_ifname 'eth0.1 wlan0 wlan1'
	option _orig_bridge 'true'
	option proto 'dhcp'
	option delegate '0'
	option hostname 'Router'
	option device 'br-lan'

config device 'lan_dev'
	option name 'eth0.1'
	option macaddr 'b6:b5:b4:b3:b2:b1'

config interface 'wan'
	option proto 'dhcp'
	option auto '0'
	option device 'eth0.2'

config device 'wan_dev'
	option name 'eth0.2'
	option macaddr 'b6:b5:b4:b3:b2:b1'

config interface 'wan6'
	option proto 'dhcpv6'
	option auto '0'
	option reqaddress 'try'
	option reqprefix 'auto'
	option device 'eth0.2'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '5 0t'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'
	list ports 'eth0.2'

cat /etc/config/wireless

	config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11g'
	option path 'soc/1b500000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
	option country 'US'
	option cell_density '0'
	option noscan '1'
	option channel '1'
	option htmode 'HT40'
	option txpower '10'
	option disabled '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Router2.4'
	option key 'obvisoulyedited'
	option network 'lan'
	option macfilter 'allow'
	option wpa_disable_eapol_key_retries '1'
	option encryption 'sae-mixed'
	list maclist '66:55:44:33:22:11'
	list maclist '66:55:44:33:22:11'
	list maclist '66:55:44:33:22:11'
	list maclist '66:55:44:33:22:11'
	list maclist '66:55:44:33:22:11'
	

config wifi-device 'radio1'
	option type 'mac80211'
	option hwmode '11a'
	option path 'soc/1b700000.pci/pci0001:00/0001:00:00.0/0001:01:00.0'
	option htmode 'VHT80'
	option country 'US'
	option cell_density '0'
	option channel '149'
	option txpower '14'
	option disabled '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option ssid 'Router5'
	option key 'obviouslyedited'
	option network 'lan'
	option encryption 'sae-mixed'
	option wpa_disable_eapol_key_retries '1'
	option macfilter 'allow'
	option disabled '1'
	list maclist '66:55:44:33:22:11'
	list maclist '66:55:44:33:22:11'
	list maclist '66:55:44:33:22:11'
	list maclist '66:55:44:33:22:11'

cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option ra_management '1'
	option ignore '1'
	list ra_flags 'none'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'

cat /etc/config/firewall

config defaults
	option syn_flood	1
	option input		ACCEPT
	option output		ACCEPT
	option forward		REJECT
# Uncomment this line to disable ipv6 rules
#	option disable_ipv6	1

config zone
	option name		lan
	list   network		'lan'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT

config zone
	option name		wan
	list   network		'wan'
	list   network		'wan6'
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
	option masq		1
	option mtu_fix		1

config forwarding
	option src		lan
	option dest		wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
	option name		Allow-DHCP-Renew
	option src		wan
	option proto		udp
	option dest_port	68
	option target		ACCEPT
	option family		ipv4

# Allow IPv4 ping
config rule
	option name		Allow-Ping
	option src		wan
	option proto		icmp
	option icmp_type	echo-request
	option family		ipv4
	option target		ACCEPT

config rule
	option name		Allow-IGMP
	option src		wan
	option proto		igmp
	option family		ipv4
	option target		ACCEPT

# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
config rule
	option name		Allow-DHCPv6
	option src		wan
	option proto		udp
	option src_ip		fc00::/6
	option dest_ip		fc00::/6
	option dest_port	546
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-MLD
	option src		wan
	option proto		icmp
	option src_ip		fe80::/10
	list icmp_type		'130/0'
	list icmp_type		'131/0'
	list icmp_type		'132/0'
	list icmp_type		'143/0'
	option family		ipv6
	option target		ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Input
	option src		wan
	option proto	icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	list icmp_type		router-solicitation
	list icmp_type		neighbour-solicitation
	list icmp_type		router-advertisement
	list icmp_type		neighbour-advertisement
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Forward
	option src		wan
	option dest		*
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-IPSec-ESP
	option src		wan
	option dest		lan
	option proto		esp
	option target		ACCEPT

config rule
	option name		Allow-ISAKMP
	option src		wan
	option dest		lan
	option dest_port	500
	option proto		udp
	option target		ACCEPT

# include a file with users custom iptables rules
config include
	option path /etc/firewall.user



### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
#	option src		lan
#	option src_ip	192.168.45.2
#	option dest		wan
#	option proto	tcp
#	option target	REJECT

# block a specific mac on wan
#config rule
#	option dest		wan
#	option src_mac	00:11:22:33:44:66
#	option target	REJECT

# block incoming ICMP traffic on a zone
#config rule
#	option src		lan
#	option proto	ICMP
#	option target	DROP

# port redirect port coming in on wan to lan
#config redirect
#	option src			wan
#	option src_dport	80
#	option dest			lan
#	option dest_ip		192.168.16.235
#	option dest_port	80
#	option proto		tcp

# port redirect of remapped ssh port (22001) on wan
#config redirect
#	option src		wan
#	option src_dport	22001
#	option dest		lan
#	option dest_port	22
#	option proto		tcp

### FULL CONFIG SECTIONS
#config rule
#	option src		lan
#	option src_ip	192.168.45.2
#	option src_mac	00:11:22:33:44:55
#	option src_port	80
#	option dest		wan
#	option dest_ip	194.25.2.129
#	option dest_port	120
#	option proto	tcp
#	option target	REJECT

#config redirect
#	option src		lan
#	option src_ip	192.168.45.2
#	option src_mac	00:11:22:33:44:55
#	option src_port		1024
#	option src_dport	80
#	option dest_ip	194.25.2.129
#	option dest_port	120
#	option proto	tcp

It appears that you kept your configuration from 21.02 (or maybe even from something earlier), and that config is actually completely invalid.

I can conclusively say that the problem you are experiencing is due to an invalid configuration, not a bug with OpenWrt.

You need to reset your device to defaults -- once that is done, things should start working again.


I reset the router and I am trying to figure out what I did to turn it into an AP that extends an existing network. Essentially, I am trying to make all wireless and LAN clients act as if they are connecting to the main router and not the OpenWRT router. The OpenWRT router connects to the main router via ethernet.

Use the dumb AP configuration:

Try adding a DHCP(v4) option 114 to the server that serves the phone, advertising that the network is not captive.
list dhcp_option '114, urn:ietf:params:capport:unrestricted'
A recent OS receiving this option should treat the connection as always having Internet and not probe for captive portals. Not every OS implements this, of course.

I don't think that this should be necessary.... the original configuration was very much invalid, so it would have produced entirely unexpected results. Now that the OP has reset the device and is working towards a dumb AP config, it should be fine.

I see that the guide talks about connecting LAN to LAN, which is not what I am doing. I am connecting the WAN port of the OpenWRT router to a LAN port of the network. I am using an EA8500, so I am trying to figure out which configuration applies.

Based on your description:

you should be connecting lan-lan.

If you want to use the wan port (physically speaking, to have an extra port), that can be done, but let's focus on the lan-lan connection now and then we'll address that later.

No, as above, please connect lan-lan if you want this to be a dumb AP.

The dumb AP guide applies to almost all APs, including the EA8500.

I was addressing connecting up the WAN port now since I need every single port in my setup.

ok... if you need the extra port, that is fine. But we'll do that after the rest is working. We want to reduce variables in the configuration.

Follow the guide and use the lan port for now. Let me know when it is working and we'll move on to the wan port process.

I tried setting up the LAN portion. I can get internet and access other devices on the network through the OpenWRT router but the OpenWRT router itself becomes unreachable.

Did you set the IP address of your OpenWrt device?

  • what IP did you set?
  • what is the main router's IP?

The main router has the OpenWRT router set to a static IP. The OpenWRT router is set to the same IP under its LAN interface. The DHCP server is turned off on OpenWRT. DNS is set to the main router's IP.

I essentially did this:

ok... that all looks good.

What is the IP address of your main router?
And are any other devices using the same 192.168.1.2 address?

Apparently taking the power down on my entire network fixed it. I can now access the OpenWRT router again. I have everything working as I want it now except for the WAN port acting like another LAN port.

Great.
Now we can get the wan port working as you want...

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network

I disabled the firewall, dnsmasq and odhcpd services. Then I turned off WAN and WAN6 on boot. Then I typed this command, and here are the results.

cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'AB12:CD34:AD15::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1.1'

config device
	option name 'eth1.1'
	option macaddr 'A1:B2:C3:D4:A1:B2'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.100'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.1.1'
	list dns '192.168.1.1'

config device
	option name 'eth0.2'
	option macaddr 'A1:B2:C3:D4:A1:B2'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'
	option auto '0'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'
	option auto '0'
	option reqaddress 'try'
	option reqprefix 'auto'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '5 0t'

Edit these two stanzas

remove port 5 from vlan2, and add it to vlan1 so that it looks like this:

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 5 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t'

Then reboot the device and the wan port should behave just like all the others.