Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 8 Jan 2018 14:20:35 +0700
From:      Victor Sudakov <>
To:        Freddie Cash <>
Cc:, freebsd-net <>
Subject:   Re: Fwd: Re: Quasi-enterprise WiFi network
Message-ID:  <>
In-Reply-To: <>
References:  <> <> <> <>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
Freddie Cash wrote:
> > One trouble I expect here is: if the client goes to https destination, it
> > will complain about your local apache certificate, as the client expects
> > next packet (SSL negotiation) to come from host it was going originally
> > to. I've seen quite a few of similar things. "Home brew" words come to my
> > mind, no offense intended. Even older or two WiFi setups central IT folks
> > at big university I work for did this setup that brakes when client goes
> > to SSL-ed URL. Next, what if client does not use web browser at all, and
> > just attempts to ssh to external host...
> That was an issue with our original setup that only used firewall redirect
> rules, without the mod_rewrite stuff. It only worked if we walked people
> through visiting a non-encrypted website, in order to bring up our login
> page. As more and more sites started defaulting to HTTPS, it became
> cumbersome.
> All mobile devices, including Windows/MacOS devices, include captive portal
> detection these days, where they attempt to connect to a specific set of
> HTTP sites after connecting to a network. The mod_rewrite rules intercept
> only these requests, and redirect them to the login page.

Your mod_rewrite rules are becoming more and more interesting. Please
do post them.

There is one more drawback however I have just thought about. If I go
for a WiFi solution, I can deploy just an AP at some remote branch as
a RADIUS client of the central FreeRADIUS server.

If I go for a captive portal solution, I would need to install captive
portals at every branch, or tunnel Internet traffic via the central

Victor Sudakov,  VAS4-RIPE, VAS47-RIPN

Want to link to this message? Use this URL: <>