WiFi redirect and traffic interception are the core technologies that make captive portals work. When a user connects to public WiFi, their internet traffic is intercepted by a firewall, redirected to a login page, and only released after authentication. Understanding this technology helps administrators implement secure, efficient WiFi systems.
What Is Traffic Interception?
Traffic interception is the process of blocking a user’s internet requests and redirecting them to a specific server (the captive portal) before granting access. It’s also called “Catch and Release”: the network catches your traffic, redirects you to authenticate, then releases you to the internet.
The Goal
- Before authentication: block all internet traffic except HTTP (port 80) to the captive portal
- After authentication: allow all traffic (HTTP, HTTPS, DNS, etc.)
How Traffic Interception Works: The Technical Flow
Step 1: User Connects to WiFi
User Device → Select SSID → AP → DHCP Request → IP Assigned (192.168.1.105)
Step 2: Firewall Blocks Traffic
User Device → Browser → HTTP Request (google.com) → Firewall → BLOCK (default deny)
Step 3: HTTP Redirection
HTTP Request (port 80) → Firewall → Redirect Rule → Captive Portal Server (192.168.1.1:80)
Step 4: Portal Displays Login Page
Captive Portal → Serves HTML → User sees login page
Step 5: User Authenticates
User → Enter email → POST /login → Database Check → Session Created
Step 6: Firewall Updates ACL
Firewall → Update Access Control List → Add Rule: User_MAC → Internet = ALLOW
Step 7: Internet Access Granted
User Device → HTTP Request (google.com) → Firewall → ALLOW → Internet
Technical Implementation: Packet-Level Details
1. TCP Connection Flow
Client SYN to any internet host → Firewall → DROP (port 80 is the exception: it is redirected)
Client SYN (port 80) → Captive Portal → SYN-ACK → ACK → HTTP Connection
Packet Headers:
SYN Packet:
Source IP: 192.168.1.105 (User)
Source Port: 54321 (Random)
Dest IP: 142.250.80.46 (google.com)
Dest Port: 80 (HTTP)
Flags: SYN
Firewall Action: DROP (default deny)
HTTP Redirect Packet:
Source IP: 192.168.1.1 (Captive Portal)
Source Port: 80 (HTTP)
Dest IP: 192.168.1.105 (User)
Dest Port: 54321
Flags: SYN-ACK (handshake reply; the HTTP response carrying the header below is sent once the handshake completes)
HTTP Header: Location: http://192.168.1.1/login.php
2. HTTP Header Manipulation
The firewall hands the HTTP connection to the captive portal, which answers it with a redirect:
Original HTTP Request:
GET http://google.com/
Host: google.com
User-Agent: Mozilla/5.0
Modified HTTP Response (Redirect):
HTTP/1.1 302 Found
Location: http://192.168.1.1/login.php
Content-Type: text/html
Linux iptables REDIRECT Rule:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
This redirects all HTTP traffic (port 80) to captive portal port 8080. In practice the rule is limited to the client-facing interface (for example with -i wlan0) and is skipped for clients that have already authenticated, so that their port 80 traffic reaches the real destination.
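The portal side of the REDIRECT rule above has to answer a request that was meant for another host. The following is an added example (not code from the original article): it parses the intercepted request, reconstructs the URL the user wanted, and builds the 302 that sends the browser to the login page. The portal address is taken from the article; the function names, the Cache-Control header and the sample requests are assumptions and constructed input.

```python
from typing import Dict, Optional, Tuple
from urllib.parse import quote

# Assumed portal address; the article uses 192.168.1.1/login.php as its login page.
PORTAL_LOGIN_URL = "http://192.168.1.1/login.php"

# Constructed sample requests: the origin-form request a browser really sends,
# and the absolute-form request line shown in the article.
SAMPLE_ORIGIN_FORM = (
    b"GET / HTTP/1.1\r\n"
    b"Host: google.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"\r\n"
)
SAMPLE_ABSOLUTE_FORM = (
    b"GET http://google.com/ HTTP/1.1\r\n"
    b"Host: google.com\r\n"
    b"\r\n"
)


def parse_request(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Return (request-target, headers) of an intercepted HTTP/1.x request.
    Header names are lower-cased so lookups are case-insensitive."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    target = parts[1] if len(parts) > 1 else "/"
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return target, headers


def original_url(target: str, headers: Dict[str, str]) -> Optional[str]:
    """Reconstruct the URL the client wanted so the portal can send the user
    back there after login. Accepts the absolute form ('GET http://google.com/')
    and the origin form ('GET /' plus a Host header). None when no host is known."""
    if target.startswith("http://"):
        return target
    host = headers.get("host")
    if not host:
        return None
    return "http://" + host + target


def build_redirect(raw: bytes) -> bytes:
    """Build the 302 the captive portal sends on the intercepted connection.
    Cache-Control: no-store keeps the browser from caching the redirect for the
    intercepted host after the user has been released to the internet."""
    target, headers = parse_request(raw)
    url = original_url(target, headers)
    location = PORTAL_LOGIN_URL
    if url is not None:
        # Percent-encoded so ':', '/' and '?' in the original URL cannot break the query.
        # The portal must validate this value after login (plain http, no off-network
        # hosts); echoing it blindly would turn the login page into an open redirect.
        location += "?url=" + quote(url, safe="")
    response = (
        "HTTP/1.1 302 Found\r\n"
        "Location: " + location + "\r\n"
        "Cache-Control: no-store\r\n"
        "Content-Type: text/html\r\n"
        "Content-Length: 0\r\n"
        "Connection: close\r\n"
        "\r\n"
    )
    return response.encode("ascii")


def redirect_location(raw: bytes) -> str:
    """Convenience: just the Location header value of the redirect built for raw."""
    for line in build_redirect(raw).decode("ascii").split("\r\n"):
        if line.lower().startswith("location:"):
            return line.split(":", 1)[1].strip()
    return ""


if __name__ == "__main__":
    print(build_redirect(SAMPLE_ORIGIN_FORM).decode("ascii"))
```

A request without a Host header still gets a usable redirect, just without the return URL. The `url` parameter is the part to watch on the portal: after login it should only ever send the user to a plain-http destination, otherwise the login page becomes an open redirect for anyone on the network.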
3. DNS Interception
The firewall also intercepts DNS queries to force the captive portal:
Client DNS Query: "google.com" → DNS Server (192.168.1.1)
DNS Server → Before auth: Answer with the captive portal IP
DNS Server → After auth: Return real IP (142.250.80.46)
DNS Hijacking Rule:
iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to-destination 192.168.1.1:53
All DNS queries go to the firewall, which answers with the captive portal address before authentication. This only works for plain HTTP: a browser that lands on the portal while expecting an HTTPS site gets a certificate mismatch, and clients that validate DNSSEC reject the forged record. That is why operating systems detect captive portals with dedicated plain-HTTP probe requests rather than relying on the user opening a site.
Firewall Rules: The Access Control List (ACL)
Default Deny (Before Authentication)
Rule 1: ALL → Internet = BLOCK (default deny)
Rule 2: HTTP → Captive Portal = ALLOW (port 80)
Rule 3: DNS → Any = ALLOW (port 53)
Rule 4: DHCP → Any = ALLOW (port 67/68)
After Authentication (User Granted Access)
Rule 1: ALL → Internet = BLOCK (default deny)
Rule 2: HTTP → Captive Portal = ALLOW (port 80)
Rule 3: DNS → Any = ALLOW (port 53)
Rule 4: DHCP → Any = ALLOW (port 67/68)
Rule 5: [User_MAC] → Internet = ALLOW (added after auth)
Linux iptables Implementation
# iptables stops at the first matching rule, so the ACCEPT rules must come before
# the default deny; appending DROP first would shadow everything after it.
# Note: if the portal and resolver run on the firewall host itself (192.168.1.1),
# packets addressed to it traverse INPUT rather than FORWARD, and the HTTP and DNS
# ACCEPT rules belong in that chain.
# Allow HTTP to captive portal (port 80)
iptables -A FORWARD -s 192.168.1.0/24 -p tcp --dport 80 -d 192.168.1.1 -j ACCEPT
# Allow DNS (port 53)
iptables -A FORWARD -s 192.168.1.0/24 -p udp --dport 53 -j ACCEPT
# Allow DHCP (port 67/68)
iptables -A FORWARD -s 192.168.1.0/24 -p udp --dport 67 -j ACCEPT
# Allow return traffic for connections accepted above (replies come from the internet side and carry no client MAC)
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Default deny (all traffic blocked), appended last
iptables -A FORWARD -j DROP
# Allow authenticated user (after auth): the login handler inserts this at position 1 so it matches first;
# 00:11:22:33:44:55 is a placeholder for the client's MAC
iptables -I FORWARD 1 -m mac --mac-source 00:11:22:33:44:55 -j ACCEPT
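To make the ACL logic from the "Firewall Rules" section and the DNS interception behaviour testable without a kernel, here is an added example (not code from the original article) that models both as a small state machine: packets are judged in the same first-match order as the iptables rules, and the resolver answers with the portal address until the client's MAC has been added. The addresses and the google.com record are taken from the article; the class and function names, the packet structure and the sample packets are assumptions and constructed input.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

PORTAL_IP = "192.168.1.1"        # firewall / captive portal address from the article
CLIENT_PREFIX = "192.168.1."     # the 192.168.1.0/24 client subnet from the article

# Constructed stand-in for the upstream resolver (google.com address from the article).
REAL_DNS: Dict[str, str] = {"google.com": "142.250.80.46"}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_mac: str
    dst_ip: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass
class CaptivePortalFirewall:
    """ACL state: the set of MACs that have been released to the internet.
    Keying access on the MAC alone means a client that spoofs an authenticated
    MAC inherits its access; real deployments also bind the DHCP-assigned IP and
    expire entries with a session timeout (see deauthenticate)."""
    authenticated_macs: Set[str] = field(default_factory=set)

    def authenticate(self, mac: str) -> None:
        """Step 6: after a successful login the user's MAC is added to the ACL."""
        self.authenticated_macs.add(mac.lower())

    def deauthenticate(self, mac: str) -> None:
        """Logout or session expiry: the MAC falls back to the pre-auth rules."""
        self.authenticated_macs.discard(mac.lower())

    def decide(self, pkt: Packet) -> str:
        """Return ALLOW, REDIRECT or DROP for a packet arriving from the client side,
        checked in the order a first-match firewall needs: authenticated MAC first,
        then the portal/DNS/DHCP exceptions, then default deny."""
        if not pkt.src_ip.startswith(CLIENT_PREFIX):
            return "DROP"                      # not a client of this portal
        if pkt.src_mac.lower() in self.authenticated_macs:
            return "ALLOW"                     # Rule 5: [User_MAC] -> Internet = ALLOW
        if pkt.proto == "udp" and pkt.dport in (67, 68):
            return "ALLOW"                     # Rule 4: DHCP
        if pkt.proto == "udp" and pkt.dport == 53:
            return "ALLOW"                     # Rule 3: DNS (answered by the portal resolver)
        if pkt.proto == "tcp" and pkt.dport == 80:
            # Rule 2: HTTP to the portal passes; HTTP to any other host is REDIRECTed to it
            return "ALLOW" if pkt.dst_ip == PORTAL_IP else "REDIRECT"
        return "DROP"                          # Rule 1: default deny (this is what HTTPS hits)

    def resolve(self, name: str, src_mac: str) -> Optional[str]:
        """DNS interception: before auth every name resolves to the portal IP,
        after auth the real record is returned (None when the name is unknown)."""
        if src_mac.lower() in self.authenticated_macs:
            return REAL_DNS.get(name)
        return PORTAL_IP


def walkthrough(mac: str = "aa:bb:cc:dd:ee:01", ip: str = "192.168.1.105") -> List[str]:
    """Replay the article's seven-step flow for one client and return the decisions."""
    fw = CaptivePortalFirewall()
    http = Packet(ip, mac, REAL_DNS["google.com"], "tcp", 80)
    https = Packet(ip, mac, REAL_DNS["google.com"], "tcp", 443)
    portal = Packet(ip, mac, PORTAL_IP, "tcp", 80)
    log: List[str] = []
    log.append("dns:" + str(fw.resolve("google.com", mac)))   # Steps 2-3: name points at the portal
    log.append("http:" + fw.decide(http))                       # Step 3: redirected to the portal
    log.append("https:" + fw.decide(https))                     # default deny: HTTPS cannot be redirected
    log.append("portal:" + fw.decide(portal))                   # Step 4: login page reachable
    fw.authenticate(mac)                                        # Steps 5-6: session created, ACL updated
    log.append("http:" + fw.decide(http))                       # Step 7: released to the internet
    log.append("https:" + fw.decide(https))
    log.append("dns:" + str(fw.resolve("google.com", mac)))    # real address now returned
    return log


if __name__ == "__main__":
    for entry in walkthrough():
        print(entry)
```

The model makes two properties of the design visible that the rule table alone does not: HTTPS is simply dropped before authentication (there is nothing to redirect it to, which is why the user must open a plain-HTTP page or rely on the OS probe), and every ALLOW after authentication hinges on the MAC entry, so the entry's lifetime is the session's security boundary.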