Hey guys, sorry to revive an old topic but I had another question regarding this so I thought I should just post it here rather than creating a new topic. So far the config I posted above has been working like a charm for my purposes.
Recently, I came to a hotel and the WiFi is unencrypted but they have a captive portal for getting access to the WiFi. How can I extend this config to be able to login to the captive portal?
Thanks for the help!
@openwrt_newbie999 - In my experience (which is obviously not going to cover all cases), I've found that I can authenticate to a captive portal using the browser on my computer or mobile device, connected though my travel router. Often the captive portal page comes up once when I try to navigate to a page on the internet, and then after authenticating/agreeing, it lets all my devices connect through my router (and in turn through to the internet) without issue. Sometimes the captive portal page doesn't load, for whatever reason... in those cases, I'll bypass my router and connect to the wifi/ethernet at the location directly with one of my devices, at which point the captive portal usually comes up without an issue. I'll copy the captive portal web address, reconnect to my router, and then visit the portal page again (this time actively navigating to it).
Also, at least initially, it is important that your travel router allows traffic from LAN > WAN and that the VPN is not enabled prior to captive portal authentication/agreement (or more accurately attempting to connect). Once the captive portal auth is finished, you can enable your VPN, if desired, and you can disable the firewall forwarding rule from LAN > WAN in favor of LAN > VPN.
One last thought -- make sure that the upstream network is on a different subnet than your travel router's LAN. If they are the same, you will obviously not be able to connect since different subnets on each side of the NAT layer is absolutely necessary.
@psherman
Thanks for the response.
In my case since the router is going to be connected to the hotel wifi on the 5 GHz band and then my devices are going to be connected to the router on the 2.4 GHz band to get access to the WiFi.
So are you saying when I try to use one of my 2.4 GHz devices, it will automatically direct me to the captive portal for authentication? And then once authenticated through one of those devices, it will automatically be authenticated for all devices?
Shouldn't the hotel wifi be authenticated through the router? Feel free to correct me if I am wrong.
In short, yes... the hotel captive portal will only authenticate your router’s MAC address.
All your connecting devices to your router are behind the NAT and no need to be authenticated. The hotel will not know or care what or how many devices are hiding behind the router, maybe if they start stripping out the headers of every packets, which I think they won’t bother at all.
Biggest issue would be if you get an ipv6 connection and your router isn't doing NAT. The ipv4 connection with NAT means all the packets from behind the router seem to be coming from the router itself.
I am a frequent travelller and I have never being assigned an IPv6 address at the hotels or public hotspots cos we are already under layers and layers of IPV4 private NATs. I think IPv6 is an off topic in this thread.
Will some Gurus care to comment to point me right?
In my experience, most of the time this works. From time to time, as I mentioned earlier, the captive portal doesn't automatically come up, but I described my workflow for those rare situations in that same response.
Thanks for the responses guys, unfortunately going to the authentication URL didn't work. What I ended up doing was I spoofed the MAC address on one of my devices and authenticated that device. Then I changed my router's MAC address to that of my device's MAC and then connected the router to the hotel WiFi. Now it works.
Great & quick thinking there! Some operators are infamously known for scanning for rouge APs in the vicinity and might have blacklisted your router's first 4 pairs of MAC addresses.
Also, other possibilities...
Rebind protection (in DHCP and DNS) or Enable SYN-flood protection (in Firewall) are enabled. These might prevent the captive portal to show up. I traveled also a far bit previously and had my router to the fullest security, enabling anything I thought to be useful. Then, I encountered no captive portal or the captive portal would appear every time I used a different client through the router. Disabled the above and never had problem since.
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.