I have configured my OpenWrt system with PPPoE and the ISP router in bridge mode. One day when I connected the phone to WiFi, an ISP login page showed up promoting a new feature from the ISP. My laptop, which has been connected through the same SSID and the same interface, does not show this message. How is this possible? Is the ISP still recognizing independent devices even though all traffic is routed through the OpenWrt NAT? I would like to hear your thoughts on this.
Do you have WiFi enabled on the ISP-provided device? If so, does it use the same SSID as the OpenWrt router?
Also, what form did this login page take? Was it an ad or did it actually require a user login? And, is it at all possible that it was a phishing attack -- not actually from your ISP, but rather some impostor page that was reached due to a web page redirect or DNS poisoning or other?
@psherman Given that it happened upon connecting to WiFi, I suspect the ISP is intercepting the unencrypted HTTP requests that cellphones send to detect captive portals on WiFi networks, and the ISP has displayed their own page (instead of a captive portal login). Both Android phones and iPhones send documented requests, so it's not very difficult to implement.
@GasGas277 If I'm correct in my suspicion, I would recommend you at least switch to encrypted DNS requests -- by using https-dns-proxy and luci-app-https-dns-proxy (other solutions are available).
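To check whether the captive-portal probes described above are being tampered with on a given line, the following added example (not code from any poster in this thread) classifies the reply to each probe. The probe URLs and genuine replies are the publicly documented Android and Apple ones; the 200-character size limit, the function names and the `isp.example` host are assumptions made for illustration.

```python
# Added example (not from the thread): classify replies to the cleartext
# captive-portal probes that Android and Apple devices send on joining WiFi.
import urllib.error
import urllib.request

# Genuine replies: Android expects 204 with no body, Apple a tiny "Success" page.
PROBES = {
    "http://connectivitycheck.gstatic.com/generate_204": (204, ""),
    "http://captive.apple.com/hotspot-detect.html": (200, "Success"),
}

def classify(url, status, headers, body):
    """Return 'clean', 'redirected' or 'rewritten' for one probe reply."""
    want_status, marker = PROBES[url]
    names = {k.lower() for k in headers}
    if 300 <= status < 400 or "location" in names:
        return "redirected"          # portal-style bounce to another page
    text = body.decode("utf-8", "replace").strip()
    if status != want_status:
        return "rewritten"
    if marker == "":
        return "clean" if text == "" else "rewritten"
    # Assumed heuristic: a page far larger than the genuine stub is injected content.
    return "clean" if marker in text and len(text) < 200 else "rewritten"

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None                  # surface the 3xx instead of following it

def fetch(url, timeout=5):
    """Live probe (needs network); returns (status, headers, body)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        reply = opener.open(url, timeout=timeout)
    except urllib.error.HTTPError as err:
        reply = err                  # 3xx/4xx/5xx still carry headers and body
    return reply.code, dict(reply.headers), reply.read()

# Constructed sample replies (not captured traffic); isp.example is a placeholder.
SAMPLES = [
    ("http://connectivitycheck.gstatic.com/generate_204", 204, {}, b""),
    ("http://connectivitycheck.gstatic.com/generate_204", 302,
     {"Location": "http://isp.example/promo"}, b""),
    ("http://captive.apple.com/hotspot-detect.html", 200, {},
     b"<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>"),
    ("http://captive.apple.com/hotspot-detect.html", 200, {},
     b"<html><body><h1>New from your ISP</h1>" + b"<p>promo</p>" * 40 + b"</body></html>"),
]

if __name__ == "__main__":
    for url, status, headers, body in SAMPLES:
        print(url, "->", classify(url, status, headers, body))
```

For a live check from a client behind the router, call `classify(url, *fetch(url))` for each URL in `PROBES`; a result other than `clean` means something on the path answered in place of the real probe server.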
Yes! This was most likely the case. My router is set up to use ISP DNS. They probably hijacked the DNS requests and inserted their own ad site. Thanks for the input. I will ASAP set up DNS-over-TLS.
The Swedish VPN provider Mullvad hosts encrypted DNS servers that everybody, not only their customers, can use for free. This service seems like a good choice. https://mullvad.net/en/help/dns-over-https-and-dns-over-tls/