When you connect to Wi-Fi at a hotel, cafe, or airport, a special window with terms of use or a password entry form often appears before you can access the internet. This mechanism is called Captive Portal, and it's this page that redirects the user to the home page. For business owners or network administrators, creating such a page isn't just a way to protect traffic but also a powerful marketing tool.
Setting up a Wi-Fi start page allows you to collect customer contact information, display current promotions, or simply provide basic security for your guest network. Unlike a traditional password, which requires prior knowledge, authorization occurs through a browser immediately after connecting to the access point. This can be implemented on a variety of equipment, from professional controllers to affordable home routers.
In this article, we'll examine the technical aspects of implementing an authorization gateway. You'll learn which protocols are used to intercept traffic, how to prepare the HTML page file itself, and the nuances that arise when working with HTTPS sites. Understanding these processes is essential for properly organizing public access.
How traffic interception and DNS work
The start page mechanism works by intercepting all HTTP requests from a client attempting to access an external resource. The router or Wi-Fi controller analyzes the incoming packets and, if the device hasn't yet been authorized, redirects the request to the local gateway IP address. This is why the desired window opens in the browser, even if the user entered a different website address.
However, with the introduction of widespread encryption HTTPS The process has become more complex. Browsers no longer simply redirect secure requests without security warnings. To address this, operating systems (Android, iOS, Windows) use special verification requests to known servers. If the router sees such a request, it understands that it needs to display the start page.
⚠️ Attention: Modern browsers can block redirects by marking the connection as insecure. This is normal behavior when working with self-signed certificates or HTTP redirects within a secure environment.
The key element here is DNS spoofing Or DHCP-level redirection. The client device receives the gateway and DNS server addresses from the router. All domain name requests are routed through the local DNS, which returns the homepage address to unauthorized clients instead of the actual IP address of the site.
Selecting equipment for implementing a gateway
Not all routers are equally capable of setting up a hotspot. Basic home models often have limited functionality, only allowing you to set a simple WPA2 password. Creating a full-fledged start page with design and data collection requires hardware that supports it. Hotspot or Captive Portal.
The equipment is considered the leader in this segment Mikrotik, which offers the most flexible configuration through the RouterOS system. Solutions from Keenetic (Extra and Peak series), Ubiquiti UniFi and corporate lines TP-Link OmadaThe choice depends on the budget and scale of the network.
Below is a comparison table of capabilities of popular vendors:
| Vendor / Series | HTML/CSS support | User base | Difficulty of setup |
|---|---|---|---|
| Mikrotik (RouterOS) | Full | Local / RADIUS | High |
| Keenetic (Extra/Peak) | Limited | Local | Average |
| Ubiquiti UniFi | Full (via controller) | Local / External | Average |
| TP-Link Omada | Full | Local | Average |
When choosing, it's important to consider not only the hardware but also the software ecosystem. Some systems require a dedicated controller (physical or virtual), while others operate standalone. Scalability The decision also plays a role if you plan to expand the network in the future.
Creating an HTML layout for the start page
The visual component is what the user sees. To make a Wi-Fi start page attractive, you need to create an HTML file. It can be simple, containing only a password field, or complex, with a company logo, news, and an email collection form.
The page code must be responsive, as 90% of users will access it from smartphones. Use standard HTML5 and CSS3 tags.
<!DOCTYPE html><html>
<head>
<meta name="viewport" content="width=device-width, initial-scale=1">
<style>
body { font-family: Arial, sans-serif; text-align: center; }
.login-box { padding: 20px; border: 1px solid #ccc; }
</style>
</head>
<body>
<div>
<h2>Welcome</h2>
<form action="$(link-login-only)" method="post">
<input type="text" name="username" placeholder="Login">
<input type="password" name="password" placeholder="Papol">
<button type="submit">Login</button>
</form>
</div>
</body>
</html>
The example above uses special variables (macros) that depend on the router. For example, in Mikrotik this is $(link-login-only), which specifies where to submit the form data. For Keenetic or TP-Link The syntax will vary, so always check the manufacturer's documentation.
Setting up Mikrotik Hotspot
The most flexible tool for creating a start page is Hotspot in RouterOS. The process begins with creating an address pool for clients and configuring the interface on which the hotspot will operate. Typically, this is a bridge or a specific LAN port.
Next, you need to upload the page files to the router's file system. Mikrotik comes with a standard set of files that you can edit or replace with your own archive. login.html is the main entry point. After uploading files, you need to activate the Hotspot server in the menu. IP → Hotspot.
☑️ Setting up Mikrotik Hotspot
An important step is the setup Walled GardenThis is a list of addresses available to users without authorization. It's essential to include addresses of popular services (such as Apple or Google update portals) so that phones can check for internet access and correctly open the login window.
⚠️ Attention: Avoid adding domains with dynamic content (such as the Yandex homepage) to Walled Garden, as their IP addresses are constantly changing. Add specific static addresses or use domain names if your software version allows it.
To manage users, you can create a local database or connect an external RADIUS server. The local method is simpler for small networks: you simply create login and password cards in the menu. IP → Hotspot → Users.
Organizing guest access on Keenetic
Routers Keenetic Offer a more user-friendly interface for setting up a guest network. The "Guest Network" feature allows you to isolate clients from your main local network, increasing security. To enable the start page, go to the section Applications → Guest Network.
Here you can select the authorization type: one-time codes, time-based, or via an external page. Keenetic allows you to upload your own HTML file, but its layout capabilities may be limited compared to Mikrotik. The system will automatically populate the necessary data entry forms.
Keenetic Guest Network Limitations
Some Keenetic router models limit the number of simultaneous connections in guest mode to 10-15 devices. For larger workloads, a business-class model is required.
After enabling the feature, the router will prompt you to configure the following settings: network name (SSID), Wi-Fi password (if needed), and the welcome page itself. You can configure a session timeout, after which the user will be redirected to the login page.
The interface allows you to see who's connected in real time and block access to specific devices if necessary. This makes it convenient for administration without extensive technical knowledge.
HTTPS Issues and Modern Browsers
The most common problem with setup is that the page doesn't open automatically. This happens because browsers no longer trust HTTP redirects within HTTPS sessions. If a user tries to open https://google.com, the router cannot display its page securely.
The solution is proper configuration Captive Portal APIOperating systems themselves query special addresses (for example, captive.apple.com or connectivitycheck.gstatic.com). The router must respond to these requests in a special way, signaling to the system: “Authorization required.”
In your device settings, ensure that HTTPS is enabled for the login page itself, if a certificate can be installed. If not, users will see a "Not secure" warning, but will be able to log in after confirmation.
It's also worth checking whether the antivirus software on the user's phone is blocking redirects. Sometimes manually launching any HTTP site (for example, http://neverssl.com), which forcibly initiates the authorization process.
FAQ: Frequently Asked Questions
Is it possible to create a start page on a regular TP-Link or D-Link home router?
Most budget home models lack this feature. They only support basic WPA2 encryption. Implementing this feature requires upgrading to OpenWrt or purchasing a business model with hotspot support.
Is internet access required for the login page to work?
No, the page itself is stored in the router's memory. However, loading heavy graphics from external CDNs or sending form data to an external server (for example, for SMS authentication) requires an internet connection.
Is it safe to enter social media passwords on a page like this?
If the page uses HTTPS and the certificate is valid, yes. However, it's always better to use two-factor authentication on public Wi-Fi. The Wi-Fi start page itself doesn't steal data if it's configured honestly.
How to limit access time for one user?
This is configured in the user profile. You set the parameter Uptime Limit or Session TimeoutAfter the time expires, the session is terminated, and the next time you connect, you will need to enter your data again.