kennycrudup

That's actually a strength of their devices, though- the interface is 95% the same across their entire line.

SuperFlyBoy

I cannot find the following:

1. "TTL" or "TTL decrement".
2. "DNS Rebinding Protection".

Thanks in advance for any guidance - connected at other home with the same Slate router/device...

kennycrudup

GL-iNet devices don't have #1*, and I'm 90% sure #2 is under "Advanced", but I know it's there somewhere.







* - I have a Hotspot that gets slow speeds and counts the data against your cap unless the TTL is set to 64; for advanced users LuCI can be installed and you can add an iptables rule to set this, so I can get $20 unlimited (OK, soft cap at 50GB) data on T-Mo

SuperFlyBoy

Found #2: DNS Rebinding Protection and turned it off, under:

More Settings -> Custom DNS Server.

Thanks.

Maybe I should have separate DNS server entries too??

(Will have to try on my next flight though...not sure when that will be!)

kennycrudup

No, since most of your usage will be from "providers" that use captive portals, you want to ensure the DNS is that of the "ISP"; many times the HTTP redirect will go to a page that only resolves using the DNS of the network you're connected to. This is almost certainly what had happened in your case- "DNS Rebinding Protection" is a setting (ostensibly for security purposes) that doesn't bring over the ISP's DNS settings, proxying DNS via the GL-iNet. Problem is, doing it that way can't usually get to those captive portal pages, and without being able to resolve those and consent at least once, no traffic will flow through.

Also, ProTip: when connected pre-consent to a site like that, enter (best to bookmark on your home page) "neverssl.com" to begin the captive-portal consent process; SSL pages require a full connection to the internet for exchange and verification of the certificates, so most pages (as HTTPS is on most "meaningful" sites) either stall there or don't load all the way. NeverSSL is a straight page that doesn't use SSL and will trigger the portal. Of course, if you've already consented on another device behind the GL-iNet, you shouldn't have to do it again (but it never hurts).

You can try it on most public WiFi, like Starbucks or Mickey Ds, etc.

legalalien

The above should be pinned on top of this thread. It solves 90%+ of all connectivity issues when a local portal is needed to login.

One option that sometimes works is to hit the gateway server directly, that is, type the IP address into the browser window. In the above case, substituting 172.19.248.1 for unitedwifi.com might have brought up the portal and allowed purchase to go through. Alas, turning the DNS rebinding protection off is easier. While it is a legitimate security feature, the chances of someone hacking inflight network to intercept traffic are very low. ​​

StuckInYYZ

I don't understand how the DNS rebinding protection setting causes all these issues? I did read up a little about it a long time ago but I don't see the relevance... I'm not saying there is anything wrong, I just don't understand how it fouls things up.

So I guess the related question after that is, can you turn it back on after clearing the portal? There are other security issues that leaving one open isn't the greatest idea.

josephstern

AFAIK, these captive portals intercept DNS to direct you to their sign-in and payment pages. If you don't allow them to intercept your DNS, you'll never get through their process.

I really don't know if they then further block other DNS requests once connected - that could be different in different situations.

legalalien

The way unitedwifi.com portal works is that the name resolves to a private, non-routable IP address while in-flight, e.g., 172.19.x.x in the above screenshot. On the ground, the same unitedwifi.com name resolves to a public, routable IP address, e.g., 161.215.209.23, and brings up a generic "United WiFi" page. The setting in question "enables DNS rebind attack protection by discarding upstream RFC1918 responses" - basically, disallowing an internal IP address to be mapped to unitedwifi.com - and therefore preventing access to the portal page. For more information on DNS Rebinding attacks, see https://en.wikipedia.org/wiki/DNS_rebinding.

In my experience, the setting can be re-enabled after signing in to the portal. You will be able to use the internet, but won't be able to connect to the internal portal (e.g., to watch BYOD entertainment or check on flight's progress) - similar to being connected to a VPN.

StuckInYYZ

Good to know. Thanks! I had read the wikipedia page before, but never really put the information together properly. This really sucks. Personally when I travel (in the before times) I would bring my own "entertainment" and avoid the internet (as tempted as I would be from disconnect-anxiety) but there were a few times where things happen out of my control where I would want to be kept up to date even in flight. Moving forward, I was going to set up a router so I could connect multiple devices, even in flight (ala power bar)... If it's going to be a hassle, I'm going to have to changeup and simplify my setup for my next trip (whenever that will be). Ugh!

This kinda reminds me of my last few trips to China. My first trip I noticed that my DNS settings on my laptop kept on getting reset every time I connected to the internet... it wasn't until I put a personal router in-between and set up a VPN that things started working properly again.

KRSW

Another tip is to use a non-encrypted (http instead of https) website to trigger the portal page. I intentionally have my company's homepage set to http and often recommend a "dumb" webpage such as IPChicken.com for this. I have no doubt that the DNS rebinding setting is what was getting in the way here

kennycrudup

... yeah- "http://neverssl.com"

MStieb

Just bought two of these from Dell. I'm using one for me, and one for my next home Crypto mining home client. I can drop a wired network anywhere there is wireless that the client has access to. I'll let you know how it works! I've been trying out different brands of wireless bridges with marginal success. Being a bridge is a hidden feature of some range extenders.

TP-Link TL-WR902AC - Wireless router - 802.11a/b/g/n/ac - Dual Band

kennycrudup

FWIW, (and 'cause I'm addicted to "new and shiny" apparently), I just bought GL-iNet's new " " router, which is pretty much the "Slate" but has USB-C for power, which makes it easier for me when I'm on the road.

Only $45 (at least when I got mine). Forum page: https://forum.gl-inet.com/t/our-new-...-now-available

I don't expect many changes, but one thing about my Slate is I have to use a USB hub when plugging in a HotSpot device to its USB, else I get frequent disconnects and I'm curious to see if this one suffers from that (neither my AR-300M nor AR-750 do, though).

Xyzzy

It's so big...