How to Make a Start Page When Connected to WiFi: Creating a Captive Portal

Creating a login page, or Captive Portal, is one of the most effective ways to manage wireless network access in cafes, hotels, coworking spaces, and even smart homes. This technology redirects users to a dedicated web interface immediately after connecting to an access point, requiring them to enter a password, phone number, or accept the terms of use. Without this setup, the guest network remains vulnerable, and the owner is unable to collect statistics or display advertising content.

Implementing this feature requires the interaction of several components: the router itself, the DNS server, and the web server that will display the content. Unlike standard WPA2 encryption, which blocks access at the Wi-Fi driver level, this feature uses an HTTP request interception mechanism. This means that even if the user hasn't opened the browser, the system will forcibly replace their request with your page's address. Understanding this principle is critical for proper hardware configuration.

In this guide, we'll cover the technical aspects of setup, hardware selection, and software solutions that will allow you to deploy a fully functional authorization system. We'll cover both the built-in capabilities of consumer routers and more complex solutions based on specialized software. You'll learn how to set up user validation and secure your network from unauthorized access.

How Captive Portal Technology Works

The start page mechanism is based on intercepting unencrypted HTTP requests from the client. When the user's device, for example, smartphone When your device or laptop connects to Wi-Fi, it attempts to check for an internet connection by contacting system servers (e.g., apple.com or android.com). The router, configured as an authentication gateway, intercepts this request and redirects the browser to the local IP address where your start page.

However, on the modern internet, where over 90% of traffic is encrypted using HTTPS, this method faces challenges. Browsers flag such redirects as insecure unless special domains are used to verify the connection. Therefore, modern implementations use DNS spoofing or send special packets to trigger the authorization window on the client device. This requires precise configuration. DNS servers.

After successful authorization, the router adds the user's device's MAC address to the whitelist. From this point on, all requests from this address are allowed without restrictions until the session timer expires. If the user leaves the coverage area and returns, the process may repeat if the session has expired. This is why it's important to properly configure timeouts and session storage parameters.

Selecting equipment and compatible routers

Not all consumer routers have built-in functionality for creating custom login pages. Standard models from TP-Link or D-Link Entry-level solutions often limit themselves to simply changing the WPA2 password. To implement a full-fledged Captive Portal, you'll need business-class equipment or specialized solutions. The leader in this segment is MikroTik, whose RouterOS operating system provides the most flexible customization options.

Routers can be an alternative Keenetic, which in the latest OS versions have received a "Guest Wi-Fi Network" module with redirection capabilities. Solutions from Ubiquiti UniFi, where access point management and portal configuration are handled through a single controller, which is convenient for scaling networks in hotels or large offices. Processor performance is important, as processing HTTP requests and logging create additional load.

If your equipment doesn't support the native function, you can use an external server. In this case, the router merely forwards traffic, while the authorization logic itself runs on a separate computer or Raspberry Pi connected to the network. This allows you to use any web scripts and databases, without depending on the router's firmware limitations.

📊 What equipment do you plan to use for setup?
MikroTik (RouterOS)
Keenetic (KeeneticOS)
Ubiquiti/TP-Link Omada
OpenWrt on a regular router
External server + any router

MikroTik Setup: Hotspot and Server

In the ecosystem MikroTik This feature is called Hotspot. To activate it, you need to run the setup wizard. IP → Hotspot → Hotspot SetupDuring the process, you'll need to select an interface (usually bridge-local or VLAN), define an address pool for clients, and configure DNS. A critical step is selecting a page template, which will be stored in the router's file system.

The authorization page files are located in the directory FilesYou can upload your HTML, CSS and JS files there, after renaming them according to the system requirements (for example, login.html). The router will automatically substitute variables such as $(username) or $(password), allowing for dynamic content generation. This provides complete freedom in design and functionality.

For proper operation, you need to configure firewall rules that will redirect all HTTP traffic to the hotspot port. This is usually done automatically by the wizard, but in complex networks with port forwarding, conflicts may arise. Make sure that ports 80 and 443 (if SSL is used) are correctly handled by the rule. DST-NAT.

☑️ Checking Hotspot settings on MikroTik

Completed: 0 / 5

Implementation on Keenetic and other platforms

In routers Keenetic The functionality is implemented through the "Guest Network" component. You need to go to the menu Apps → Guest Wi-Fi Network and activate the "Redirect to website" mode. Here, you can specify the URL of an external authorization page or use the built-in options for entering the access code. The interface is more user-friendly, but less flexible than MikroTik's.

If you are using firmware OpenWrt, which is installed on many routers (Xiaomi, Asus, TP-Link), you will need a package nodogsplash or openNDSThese daemons create a lightweight login portal. Installation is via the command line or the LuCI interface: opkg update And opkg install openndsAfter installation, you need to edit the configuration file. /etc/config/opennds.

For corporate networks, a combination of FreeRADIUS and an external web server (Nginx/Apache) is often used. In this case, the router acts only as an access point, sending authorization requests to the RADIUS server. This allows for centralized management of thousands of users, detailed traffic monitoring, and integration with CRM or billing systems.

Why doesn't redirection work on HTTPS sites?

Modern browsers block redirects from HTTP to HTTPS within captive portals due to security policies. The solution is to use dedicated verification domains (captive.apple.com, generate_success.google.com) or configure an SSL certificate for the portal itself.

Creating and editing an HTML page template

The appearance of the start page is determined by the HTML code. The standard template often looks utilitarian, so it is recommended to customize it. The main elements that should be present are a login and password (or just password) input form, a login button, and the organization logo. The form code should send data via a POST request to the address $(link-login-only).

It's important to use a responsive layout, as 95% of connections will be from mobile devices. CSS styles should be inlined in the HTML or stored in the same directory to minimize the number of requests. Avoid using heavy scripts and external advertising, which can block page loading until authorization.

Below is the basic structure of the MikroTik template form, which is the de facto standard for many systems:

Login:
Password:

Comparison of authentication methods and security

There are several methods for user identification, each with its own pros and cons in terms of security and convenience. The choice of method depends on the purpose of your network: a commercial access point, a corporate office, or a home network for guests.

Method Security level User friendliness Difficulty of implementation
Voucher / Code Medium (code can be transferred) High (no email required) Low
SMS authorization High (linked to number) Average (requires cell phone signal) High (requires gateway)
Social networks (OAuth) Medium (depending on platform) Very high (one click) Medium (API keys)
Simple password Low (common to all) High Minimum

Using a pre-shared key on the login page is convenient for cafes, but it doesn't provide any personalization. SMS authentication is considered the "gold standard" in some countries, as it allows for user identification by phone number, which is required by law. However, this requires purchasing an SMS gateway and integrating with the operator's API.

The security of data transmitted through the start page should also be a priority. If you collect personal data, ensure the connection is secure. Otherwise, an attacker on the same Wi-Fi network could intercept traffic (a Man-in-the-Middle attack) and steal entered credentials. Use WPA2-Enterprise in conjunction with the portal for maximum protection.

⚠️ Please note: In some jurisdictions, the collection of user data (MAC addresses, phone numbers) via public Wi-Fi networks is regulated by privacy laws. Be sure to check local laws before launching a commercial hotspot.

Common errors and problem diagnostics

When setting up a Captive Portal, users often encounter a page that simply doesn't appear. The most common cause is the DNS or browser cache. The device "remembers" that this IP has no internet access and doesn't make repeated requests. Solution: forget the network on the client device and reconnect, or try accessing the site via HTTP (e.g., neverssl.com).

Another problem is IP address conflicts. The hotspot gateway address should not overlap with the addresses of other router interfaces. Also, make sure that the client device doesn't have a static DNS (e.g., 8.8.8.8), as this could bypass the redirection mechanism if the router isn't configured to intercept DNS requests at the firewall level.

If the page loads but the "Login" button doesn't respond, check your router logs. The error may be due to an incorrect variable name in the form (username instead of user) or script blocking by the antivirus on the client. In MikroTik, it's useful to enable hotspot logging: /ip hotspot debug enableto see the authorization process in real time.

What to do if iPhone doesn't show the login window?

Apple devices sometimes don't open the portal automatically. Try opening Safari and visiting any HTTP site, such as http://apple.com/library/test/success.html. This will force a redirect.

Questions and Answers (FAQ)

Is it possible to create a start page without buying an expensive router?

Yes, it's possible. You can install the firmware. OpenWrt to a compatible budget router and use the openNDS package. Alternatively, you can set up forwarding on any router, as long as there's a constantly running computer (Linux or Windows) on the network with a web server and authorization software installed that will accept requests from the router.

Will Captive Portal work if the user has JavaScript disabled?

Basic authentication will work, as the form is submitted via a standard POST request. However, if your page design or verification logic (such as hidden tokens or CAPTCHA) relies on JavaScript, login may fail. It is recommended to create a fallback version of the page for older devices.

How to limit access time for a guest?

This is configured in the user profile or hotspot settings. In MikroTik, this field Uptime Limit or Limit UptimeYou can set the limit in the format 1h (one hour) or 30mAfter the time expires, the session will be terminated, and re-authorization will be required the next time you connect.

Is internet access required for the authorization page to work?

No, the login page must be accessible locally. The router redirects requests to its internal web server. Internet access is only required once the user enters the correct credentials, and the router opens access to the external network. If you host the page on an external server, access to that server must be allowed (Walled Garden) before login.