HTTPS problems with Captive Portal on Apple Devices

Started by I-am-Ghost, January 06, 2026, 12:49:02 AM

Hey everyone,

First of all, sorry for my bad English, but I have a problem that I can't solve on my own and I'm in (desperate) need of help.

I operate a guest WLAN on my OPNsense via Unifi APs in a separate VLAN, and it was working like a charm until now. I wanted to set up a captive portal for this specific WLAN.
Made a voucher server, created a zone on that interface, saved it; you know how it works. The iPhone connected to the captive portal, the splash window showed up, I logged in; also working fine.

Problems started after enabling HTTPS with a Let's Encrypt certificate for the captive portal. What I've done so far:

- Generated a certificate for the zone
- Enabled SSL and set the hostname to match my certificate
- Put a local DNS record on my Pi-hole (no Unbound) pointing to the WLAN's interface gateway
- Enabled DHCP option 114 with the needed value (https://subdomain.domain.tld/api/captiveportal/access/api)

On my Windows client it works perfectly well.

Now the issues I don't really understand:

Sometimes the splash window didn't appear at all, and sometimes it did, but the page loaded forever until it failed. It tried to reach my URL, not captive.apple.com.
When I manually entered the URL in Safari, it did lead me to my captive portal page.

I know that iOS CNA sends an HTTP probe to captive.apple.com to check whether a captive portal is in use, and at first glance, sending DHCP option 114 seemed to solve the problem.
But, of course, it didn't.

Research on that told me that iOS CNA only wants HTTPS on 443 and not the OPNsense captive portal ports 8000-8002.
I tried redirecting it with HAProxy and a web server, but it didn't work. I guess the redirect to my URL with port 8000 happens before HAProxy can do anything.

Also, it seems that it is impossible to make the captive portal run on 443 (my WebGUI runs on a different port).

Someone in another forum with a pfSense probably got it running, but I'll be honest, I don't understand how.
https://forum.netgate.com/topic/188402/captive-portal-not-working-on-ios-devices-only-dhcp-114


If there's anything, or everything, wrong about what I wrote or tried, please correct me. I'm glad for any help I can get from you, since I migrated to OPNsense like two weeks ago.

Greetings from a new OPNsense user and thank you for your help!


My Setup:

OPNsense 25.7.10-amd64 on Sophos SG115 Rev. 3 for my WLANs
OPNsense 25.7.10-amd64 on Sophos SG320 Rev. 5 for my LANs
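The chain the post is debugging (DHCP option 114 from RFC 8910, then the RFC 8908 captive-portal API the client fetches at that URI, then the user-portal-url it returns) can be checked offline before blaming the iPhone. The script below is an added example, not code from the post or from OPNsense: it validates an option 114 value, parses an application/captive+json body, and flags the mismatches a client would trip over (non-https scheme, IP literal or wrong hostname against the certificate, DNS not pointing at the zone interface, a non-default port in the portal URL). The certificate hostname, the gateway address and the sample API body are all assumptions for illustration; the real OPNsense response was not captured here.

```python
"""Offline checks for the DHCP option 114 -> RFC 8908 captive-portal chain.

Added example, not code from the forum post or from OPNsense. Models what a
client does after receiving DHCP option 114 (RFC 8910): treat the URI as an
RFC 8908 API endpoint, fetch it with "Accept: application/captive+json" and
read the JSON body. All inputs below are constructed; nothing is fetched.
"""
import ipaddress
import json
from urllib.parse import urlsplit

# Assumed values for illustration; replace with your zone's settings.
CERT_HOSTNAME = "subdomain.domain.tld"  # CN/SAN of the portal certificate
GATEWAY_IP = "192.0.2.1"                # guest-VLAN interface address

# Optional RFC 8908 members and their JSON types.
OPTIONAL_KEYS = {
    "user-portal-url": str,
    "venue-info-url": str,
    "can-extend-session": bool,
    "seconds-remaining": int,
    "bytes-remaining": int,
}


def check_option114_uri(uri):
    """Findings for a DHCP option 114 value.

    RFC 8908 section 3: the API endpoint MUST be an https URI and SHOULD use
    the default https port. A DNS name (not an IP literal) is needed so the
    client can validate the certificate the endpoint presents.
    """
    findings = []
    parts = urlsplit(uri)
    if parts.scheme != "https":
        findings.append("option114: scheme %r, must be https" % parts.scheme)
    host = parts.hostname or ""
    if not host:
        findings.append("option114: URI has no hostname")
    else:
        try:
            ipaddress.ip_address(host)
            findings.append("option114: host is an IP literal; certificate "
                            "validation against a hostname will fail")
        except ValueError:
            pass  # a DNS name, as expected
    if parts.port not in (None, 443):
        findings.append("option114: non-default port %d" % parts.port)
    return findings


def parse_api_response(body):
    """Parse an application/captive+json body; raise ValueError if malformed."""
    data = json.loads(body)
    if not isinstance(data, dict) or not isinstance(data.get("captive"), bool):
        raise ValueError("RFC 8908 body needs a boolean 'captive' member")
    for key, typ in OPTIONAL_KEYS.items():
        if key not in data:
            continue
        value = data[key]
        # bool is a subclass of int in Python; reject True/False for int fields.
        if not isinstance(value, typ) or (typ is int and isinstance(value, bool)):
            raise ValueError("%s must be %s" % (key, typ.__name__))
    return data


def audit_chain(option114_uri, resolved_ip, api_body,
                cert_hostname=CERT_HOSTNAME, gateway_ip=GATEWAY_IP):
    """Walk the chain a client follows and list anything that would break it."""
    findings = check_option114_uri(option114_uri)
    api_host = urlsplit(option114_uri).hostname
    if api_host != cert_hostname:
        findings.append("option114: host %s does not match certificate %s"
                        % (api_host, cert_hostname))
    # The guest VLAN's resolver must send the name to the zone interface,
    # which is where OPNsense answers for the portal.
    if resolved_ip != gateway_ip:
        findings.append("dns: %s resolves to %s, expected %s"
                        % (api_host, resolved_ip, gateway_ip))
    data = parse_api_response(api_body)
    portal = data.get("user-portal-url")
    if data["captive"] and not portal:
        findings.append("api: captive is true but no user-portal-url given")
    if portal:
        p = urlsplit(portal)
        if p.scheme != "https":
            findings.append("portal: user-portal-url is not https")
        if p.hostname != cert_hostname:
            findings.append("portal: host %s does not match certificate %s"
                            % (p.hostname, cert_hostname))
        if p.port not in (None, 443):
            # The post reports the iOS CNA sheet failing on the 8000-8002
            # portal ports; surface the mismatch so it is visible.
            findings.append("portal: non-default port %d in user-portal-url"
                            % p.port)
    return findings


# Constructed sample inputs (assumed shape, not a captured OPNsense reply).
OPTION114 = "https://subdomain.domain.tld/api/captiveportal/access/api"
SAMPLE_BODY = json.dumps({
    "captive": True,
    "user-portal-url": "https://subdomain.domain.tld:8000/index.html",
    "can-extend-session": False,
})

if __name__ == "__main__":
    for finding in audit_chain(OPTION114, "192.0.2.1", SAMPLE_BODY):
        print(finding)
```

To feed it real data instead of the constructed sample, capture the body the zone actually serves from a client on the guest VLAN with curl -H 'Accept: application/captive+json' followed by the option 114 URI, resolve the hostname with the VLAN's resolver, and pass both into audit_chain; an empty findings list means the advertised API, the DNS record, the certificate name and the portal URL all agree.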