Odd network activity

I’m at a hotel trying to use the wifi via a GL-MT1300 travel router; it’s worked fine when testing on a home wifi VLAN and at two other hotels. It takes the hotel wifi, uses that as a WAN and makes a NAT/LAN with another SSID; in addition, when you try to access the internet via a client the hotel’s captive portal will pop up, you do what it wants and now the GL’s MAC is saved and all other clients have internet access as well.

Welp, at this new hotel it’s not working, the portal redirect keeps timing out. GL instructions were to turn off rebinding attack protection but still no joy.

I spun up Wireshark and I don’t know what to make of this.
My laptop: 192.168.8.167
Gateway the GL was given by hotel wifi: 10.40.0.1
IP address given to GL by hotel wifi: 10.40.5.30

No internet connectivity, I can’t ping google from CMD. But what the heck is getting all of this successful traffic?

How is my laptop able to get back and forth TCP traffic with 34.209.200.165 when I’m not able to get past the portal? Could that be an IP upstream of the portal of the hotel ISP?

Anyhow, is this the culprit?

If so it doesn’t make much sense, nothing has been changed (travel router settings/default, Win laptop firewall etc).

This is just bent…

I used the travel router’s feature to clone a client’s MAC so it should have internet access with that.

It appears the router itself has internet access as the update tab populates, but clients still can’t access the web. Something about this hotel wifi/APs/portal really sucks…

Yep, was able to install a package using my laptop’s MAC cloned to the router

but none of the clients can access the webz.

Sounds like the travel router isn’t doing NAT properly? Do a packet capture on the WAN interface while doing traffic from your pc. (Since this is openwrt based you should be able to install tcpdump).

2 Likes

Their captive portal has a support number so I called it. Sounds like they intentionally boink any auto portal generation if their gear detects it’s not a phone or computer, so as to not play nice with consoles, smart TVs etc.

I would have suspected the router was having a routing issue but it worked flawlessly at two other hotels with different providers so I’m leaning in agreement that this current place’s network is purposely withholding the captive portal page when it’s seeing the router as an “other”.

I even took the URL that was timing out that had the router’s MAC and IP address, pasted it into the laptop browser while connected to their network and having already been prompted by the portal and accepted, and it reloaded a fresh portal. So something on their end is purposely timing it out or it’s a really funky compatibility issue with my router and their architecture.

I’m even running a beta firmware with comments on more portal compatibility but nada…

Imma have to rough it and just get a long HDMI cable to play things on the laptop to the TV…

Try re-setting TTL to 30 on outgoing packets, this was a thing at one of the staybridge suites years ago.

2 Likes

If they’re using Cisco clean air you’re boned.

Basically clean air can DOS unauthorised wifi networks by assuming the SSID name and broadcasting a disconnect on that network every 50ms.

As the wireless disconnect command is entirely unauthenticated there’s not much you can do about it.

1 Like

You can enable PMF (Protected Management Frames) on your AP to prevent clients from listening to unauthenticated disconnect requests. Older clients may be unable to connect with PMF on but any modern laptop or phone should.

And WPA3 (finally) made PMF required, so that attack vector is dying.

4 Likes
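For a GL/OpenWrt-based AP like the one in this thread, the PMF setting described above lives in the wireless UCI config. This is an added example, not a config from the thread; the device name, SSID and passphrase are placeholders, and the `sae-mixed` mode is the WPA2/WPA3 transition mode so that older clients without PMF support can still join:

```ini
# /etc/config/wireless fragment (added example; radio0, SSID and key are placeholders)
config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'ExampleSSID'
	# WPA3-Personal (SAE) with WPA2-PSK fallback for older clients
	option encryption 'sae-mixed'
	option key 'replace-me-with-a-long-passphrase'
	# 802.11w / PMF: 0 = disabled, 1 = optional (capable clients use it), 2 = required
	option ieee80211w '1'
```

With `ieee80211w '1'` a modern phone or laptop negotiates PMF and will ignore unauthenticated deauth/disassoc frames, while a legacy client can still associate without it; `'2'` enforces PMF for everyone, which is what a pure WPA3 (`encryption 'sae'`) network does anyway. After editing, `wifi reload` applies the change.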

Wasn’t aware of that, and glad to hear that flaw in the wifi protocol is fixed :smiley:

1 Like

Thanks all, will try those after work today.

Also found this tutorial I need to try in its entirety:

Gives me a bit of hope seeing how cloning an authenticated client’s MAC gave the router internet connectivity (could install an ad-block package via webUI) but still didn’t route client traffic.

Nothing helpful, but a slightly different view of the traveling equipment.

Would it not be a better solution to have an SBC that would just run some regular Linux desktop distro, and quietly make the internet available for the laptop/phone?

Just be visible from the network side like some ordinary computer, if the hotel is actually trying to block routers or something…

2 Likes

That was running through my mind, a pfsense or nix based (cause bsd might not even make the filter) router for travel maybe further down the road.

I did some googling and there are various things hotels are doing to squash these routers, ranging from neat tricks to jamming.

I don’t want to jinx my efforts, but when I get back to Wireshark (or just configure and cross my fingers) I hope that it’s just a lazy trick where they have the wifi to clients with a TTL of 1. I saw HDHomeRuns do this when trying to segment a buddy’s network; the TTL is set to 1, which sucked as his UniFi router didn’t have an easy method of changing TTL.

If it’s TTL thankfully there is a tutorial of making a firewall rule that can fix this.

Yep, I think it’s TTL

Upstream of that, for the redirect URL I get and some other stuff, it’s 128, 64 etc., but where the source IP to my laptop’s IP changes from what I assume is an on-premise private IP to an offsite public IP serving the portal it is TTL=1, and my tab with the redirect URL always times out (when via the travel router).

Time to setup the router to validate.

3 Likes
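The TTL reading above is the key diagnostic, so here is the check written out as a small script. This is an added example, not anything from the thread: it takes a constructed list of `(src, dst, ttl)` rows as you would copy them off Wireshark's packet list (the laptop and gateway addresses are the ones from the thread, `203.0.113.10` is a placeholder for the portal host) and, per source, guesses the sender's initial TTL and hop distance and flags any source whose packets would be dropped by one more router hop, which is exactly why a NAT travel router behind such a network never sees the portal reply.

```python
"""Flag packets whose TTL cannot survive another routing hop.

Added example, not from the original thread. Works on a constructed packet
summary; no live capture is performed.
"""
from collections import defaultdict

# Common initial TTL values: Linux/Android/macOS 64, Windows 128, network gear 255.
INITIAL_TTLS = (64, 128, 255)

CLIENT = "192.168.8.167"  # the laptop address from the thread

# Constructed sample: hotel gateway and the public IP from the thread, plus a
# placeholder (TEST-NET-3) portal host answering with TTL 1.
SAMPLE = [
    ("10.40.0.1", CLIENT, 64),
    ("10.40.0.1", CLIENT, 64),
    ("34.209.200.165", CLIENT, 55),
    ("203.0.113.10", CLIENT, 1),
    ("203.0.113.10", CLIENT, 1),
]


def infer_hops(ttl):
    """Guess (initial TTL, hops traversed) for an observed TTL.

    Picks the smallest common initial value that is >= the observed TTL. This is
    a heuristic: a sender can use any initial TTL, and a deliberately rewritten
    TTL of 1 will look like 63 hops from a 64 start.
    """
    if not 0 <= ttl <= 255:
        raise ValueError(f"TTL {ttl} is outside the valid 0-255 range")
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial, initial - ttl


def forwardable(ttl):
    """True if one more router could forward this packet.

    A router decrements TTL and drops the packet (answering ICMP Time Exceeded)
    when the result is 0, so a packet that arrives with TTL 1 reaches the host
    in front of it but never a client behind a NAT router.
    """
    return ttl >= 2


def analyse(packets, client):
    """Summarise packets addressed to `client`, keyed by source address."""
    per_src = defaultdict(list)
    for src, dst, ttl in packets:
        if dst == client:
            per_src[src].append(ttl)
    report = {}
    for src, ttls in per_src.items():
        low = min(ttls)
        initial, hops = infer_hops(low)
        report[src] = {
            "packets": len(ttls),
            "min_ttl": low,
            "guessed_initial_ttl": initial,
            "guessed_hops": hops,
            "forwardable": forwardable(low),
        }
    return report


def flagged_sources(packets, client):
    """Sources whose packets would die at the next router (e.g. a NAT box)."""
    return sorted(src for src, info in analyse(packets, client).items()
                  if not info["forwardable"])


if __name__ == "__main__":
    for src, info in analyse(SAMPLE, CLIENT).items():
        verdict = "ok" if info["forwardable"] else "DIES AT NEXT ROUTER"
        print(f"{src:16} min TTL {info['min_ttl']:3} "
              f"(~{info['guessed_hops']} hops from initial "
              f"{info['guessed_initial_ttl']}) {verdict}")
```

Run against a real Wireshark export (`File > Export Packet Dissections > As CSV` gives source, destination and, with the `ip.ttl` column added, the TTL), anything reported as not forwardable is a candidate for the behaviour seen in this thread; a whole source class sitting at TTL 1 while the rest of the internet shows normal values is the signature of a deliberate setting rather than path length.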

YESSSSSSS!!! Posting from successful NAT client of travel router with typical captive portal interaction.

Added to custom firewall option:

iptables -t mangle -I POSTROUTING 1 -j TTL --ttl-set 65
iptables -t mangle -I PREROUTING 1 -j TTL --ttl-set 65

a) I think the first line isn’t necessary
b) I want to change it over to TTL increment (--ttl-inc I think) and just increase by 1. I have a bad feeling it’s a very large flat network and my stuff could cause a ruckus. Thoughts?

Also next is to play around with the travelmate package to try and get auto relogin of the captive portal.

3 Likes

I’d suggest “-j POSTROUTING -o out-interface” so you only capture the traffic you need to modify.

If set works, stick with it, though ttl-inc won’t do anything bad. The only purpose of TTL is to be decremented by routers, so if there is a routing loop packets eventually die. If you aren’t making a routing loop then it doesn’t matter.

2 Likes
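The two points raised above (scope the rule to the outgoing interface with `-o`, and `--ttl-inc 1` instead of `--ttl-set 65`) combined into one script. This is an added example, not the poster's firewall.user; the interface name `eth0` is a placeholder, and on the GL router the real WAN-side interface must be read off `ip link` first. The rule is only applied when the script is run with `apply`, and it validates its arguments and checks for an existing rule so that re-running it from a firewall hook does not stack duplicates:

```shell
#!/bin/sh
# Added example: build (and optionally apply) a TTL mangle rule scoped to one
# outgoing interface. "eth0" is a placeholder interface name.

# ttl_rules IFACE MODE VALUE
#   MODE is "inc" (add VALUE to the TTL) or "set" (overwrite it with VALUE).
#   Prints the iptables command; prints nothing and returns 1 on bad input.
ttl_rules() {
    iface=$1 mode=$2 value=$3
    case $iface in
        *[!A-Za-z0-9_.-]*|"") return 1 ;;   # reject empty or shell-unsafe names
    esac
    case $value in
        *[!0-9]*|"") return 1 ;;            # digits only
    esac
    [ "$value" -ge 1 ] && [ "$value" -le 255 ] || return 1
    case $mode in
        inc) opt="--ttl-inc $value" ;;
        set) opt="--ttl-set $value" ;;
        *)   return 1 ;;
    esac
    # Only packets leaving via $iface are touched; LAN-side traffic and packets
    # entering the router keep their TTL. "-I ... 1" puts the rule first.
    echo "iptables -t mangle -I POSTROUTING 1 -o $iface -j TTL $opt"
}

# ttl_rules_present IFACE: succeed if a TTL rule for IFACE is already loaded.
ttl_rules_present() {
    iptables -t mangle -S POSTROUTING 2>/dev/null | grep -q -- "-o $1 -j TTL"
}

# Usage: ttl.sh apply [IFACE] [inc|set] [VALUE]   (defaults: eth0 inc 1)
if [ "${1:-}" = "apply" ]; then
    iface=${2:-eth0} mode=${3:-inc} value=${4:-1}
    cmd=$(ttl_rules "$iface" "$mode" "$value") || { echo "bad arguments" >&2; exit 1; }
    ttl_rules_present "$iface" || eval "$cmd"
fi
```

`--ttl-inc 1` undoes exactly the one decrement the travel router itself performs, so packets leave with the TTL the client set and nothing else on the hotel network sees a different value than it would from a directly connected laptop; `--ttl-set` instead stamps every outgoing packet with the same value regardless of client OS.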

Woot!! Through the web-GUI AdGuard installed and is up and running too.

This little GL-MT1300 Beryl is pretty awesome. And they have even more capable models of the same footprint like the A1300 and AXT1300.

2 Likes

So when I setup DNS over TLS with cloudflare it breaks getting the captive portal when the ‘lease’ expires for my MAC.

Thinking of ways of fixing this vs just going back to normie DNS

Second thing is maybe leaving the laptop on 24/7 with Python (Jupyter?) running and following some tutorials to automate re-logging into the portal every 20 hours or so.

What interface cli / gui?
If gui is there, it could be clicked on quickly on android with macrodroid or automate.

Alternatively firefox + pageprobe which would watch the web and if a change occurs it will initiate a php action script which will initiate sh or another. Or something like “Automate Click”…

Laptop is a bit of an exaggeration for a longer journey… a small sbc with armbian and xfce + firefox, something like zeropi + powerbank just in case. :wink:

I tested on my zeropi, armbian (deb11) / xfce / ff-esr / xrdp… it can live even with 512MB RAM, but it will be a challenge for the nerves :wink: but for one script it should be “ok”.

Welcome to the world of “hotspot networks are a massive hack”.

I’d probably have a secondary browser using regular DNS, so when it times out you can just browse to an HTTP site, get the redirect, and log in.

1 Like

Win 10 OS, captive portal via webUI. I’m avoiding using my phone for this as it’s on me/away from the room. A machine always in the room would be best.

I’ll need to look into this more. Unfortunately Win10 via Chrome and Edge does not get the login page as effectively as the phone and even the Chromecast, but if pageprobe can simply navigate to a URL and ‘check a box’ on a fixed timer, that would do the trick.

For sure. Just using what I’ve got on hand, but yeah, it’s a great use-case for something that just sips electrons with a small footprint.

If that Firefox extension doesn’t do the trick, it’s looking like one of those Python tutorials using Selenium and a browser inspection of the captive portal page code: use Selenium, go to this URL, check this box, click ‘ok’, repeat every 20 hours.

Nice. Seems simple enough. Unfortunately can’t use the “force every client to TLS DNS” option but this is an acceptable compromise. Or if I can get python to do the above, I suppose I can also specify DNS somewhere in that script as well?