
Commit ed7d41f

PCX-14531
1 parent d1040a7 commit ed7d41f

1 file changed

+9
-16
lines changed

src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/captive-portals.mdx

@@ -23,28 +23,21 @@ To allow users to connect through a captive portal, administrators can configure
2323

2424
## How captive portal detection works
2525

26-
If WARP cannot establish a connection to Cloudflare, it will:
26+
If WARP cannot establish a connection to Cloudflare, it will send a series of requests to the [Cloudflare captive portal URLs](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#captive-portal) and other OS and browser-specific captive portal URLs. These requests are sent outside of the WARP tunnel.
2727

28-
1. Temporarily open the [system firewall](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/warp-architecture/#ip-traffic) so that the device can send traffic outside of the WARP tunnel. The firewall only allows the following traffic:
29-
30-
- HTTP/HTTPS on TCP ports `80`, `443`, `8080`, and `8443`
31-
- DNS on UDP port `53`
32-
33-
2. Send a series of requests to the [captive portal test URLs](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#captive-portal). If the HTTPS request is intercepted, WARP assumes the network is behind a captive portal.
34-
35-
3. Open a browser window with the captive portal login screen if the captive portal sends a redirect HTTP response code (`302`, `303`, `307`, or `308`).
36-
37-
4. Automatically re-enable the firewall after the configured timeout period.
28+
If the HTTPS request is intercepted, WARP assumes the network is behind a captive portal and fully opens the [system firewall](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/warp-architecture/#ip-traffic). While the firewall is open, all device traffic will bypass WARP. The firewall is automatically re-enabled after the user successfully connects to the portal or after the timeout period expires.
3829

3930
```mermaid
4031
flowchart TB
4132
accTitle: Captive portal detection
4233
43-
44-
A[Send DNS request] -- Succeed --> B[Send HTTPS request]-- Fail --> C[Send HTTP request] -- Succeed --> D[Captive portal detected]-- Receive HTTP redirect -->I[Redirect to captive portal login]
45-
A -- Fail --> F(CF_NO_NETWORK error)
46-
C -- Fail --> F
47-
B -- Succeed --> G[No captive portal]--> H[Retry connection to Cloudflare]
34+
start[Unable to connect to Cloudflare] --> timerstart(Start captive portal timer)
35+
timerstart-->dns[Send DNS request to captive portal URLs] -- Succeed --> https[Send HTTPS request]-- Fail --> http[Send HTTP request] -- Succeed --> detected{Captive portal detected}-->open[Turn off firewall]
36+
open--Captive portal timeout expires--> close[Re-enable firewall]
37+
open--User logs in to captive portal--> close[Re-enable firewall]
38+
dns -- Fail --> error[CF_NO_NETWORK error]
39+
http -- Fail --> error
40+
https -- Succeed --> noportal{No captive portal}--> retry[Retry connection to Cloudflare]
4841
```
4942

5043
## Limitations
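
Review bot: The new paragraph at line 28 says WARP "fully opens" the system firewall and that "all device traffic will bypass WARP", while the removed list (old lines 28-31) limited the open firewall to HTTP/HTTPS on TCP `80`, `443`, `8080`, `8443` and DNS on UDP `53`. Please state explicitly that the port restriction no longer applies, since administrators who read the earlier text may still assume it does, and link the setting that controls the "timeout period", because that value bounds how long traffic bypasses WARP. The diagram starts the captive portal timer before the DNS request, whereas the prose only mentions the timeout once the firewall is open, so the prose should say when the timer starts; the node label `Turn off firewall` should also match the prose wording "opens the system firewall". The removed step about opening a browser window on `302`, `303`, `307`, or `308` redirects has no replacement in the new text, so keep a sentence for it if that behaviour still exists.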
