delay access to website.

Hi all,

I wonder if you could help me.
I am running a hotspot on the MikroTik with an external portal.
What I am trying to achieve is for iPhone users to have access to captive.apple.com with a delay, e.g. 10s, so they can’t press the done/ok button on the iPhone browser when they authenticate.
I can block this permanently if I put a static DNS, or on prerouting, but that is not my target.
So,
What i have done is:

  1. create an address list for the captive.apple.com
    /ip firewall address-list
    add address=captive.apple.com list=apple

  2. create an address list for authenticated hotspot users (with a script: when a user is authenticated, they go into this list for 10s and are then removed)
    this is visible only for 10s but should be (for each user)
    /ip firewall address-list
    add address=10.5.63.254 list=hotspot_users

  3. created a firewall rule on top of the chain that is a) forwarding, b) source address list hotspot users destination address list captive.apple.com c) drop
    /ip firewall filter
    add action=drop chain=forward dst-address-list=apple src-address-list=hotspot_users

When I try this with an Android device, I cannot reach captive.apple.com for the first 10s after the authentication (web/ping), but when I do the same with an iPhone the communication doesn’t drop and it can reach it.

Any ideas of what I am doing wrong, or any solution?

Thank you in advance.

What is the real objective here? Why do you need to delay people from using the web after they authenticate? If you want them to look at some ads, just don’t show the “login button” for X seconds via JavaScript.

Hi normis,

The objective is for iPhone devices to see the landing page and not press done before that. The login button is on the portal and already has a delay so ads are showing; there are also ads on the landing page and I am trying to maximise the revenue. When an iPhone goes online you can press the done button and close the browser; I am trying to delay that.
I want the user to have access to the web after the login but the device to realise that with a delay, so that the done button appears after they have been on the landing page for, e.g., 5 sec.
If this makes sense.

I also tried having a static DNS entry for captive.apple.com, disabling it after 5 sec and re-enabling it. This works for iPhones with older versions of iOS but not for new ones, and it is also not a great solution because if there are multiple devices logging in, this process will not be consistent.

Why not show the stuff on the login page instead? Your approach seems very backwards.

Because the ads on the website are not static and the source every time is different. I can’t put all of them in the walled garden.

Due to DNS cache and DNS propagation time, playing with captive.apple.com DNS entry is not going to work.

Yes, the DNS is not a great solution.
Should the firewall with the address list work for all the devices, though? It is working for Android and not for iPhone.