Ubiquiti EdgeRouter: Captive Portal Setup
Overview
The EdgeRouter runs EdgeOS, Ubiquiti's Debian-based routing OS. It has a built-in hotspot gateway that intercepts unauthenticated clients and redirects them to a captive portal. This guide walks through enabling that feature and pointing it at Weird Network's portal page.
Prerequisites
Before starting, you need:
- Ubiquiti EdgeRouter (ER-4, ER-6P, ER-X, ER-10X, etc.) with EdgeOS 2.x or 3.x
- Your Weird Network venue slug — find it at /venue/weirdtoo-networks
- Access to the EdgeRouter's Web UI (usually 192.168.1.1) or SSH
- A device connected to the same network as the router for initial setup
- Your ISP-provided IP or DHCP range for WAN configuration
- An ethernet cable running from your modem to the EdgeRouter's WAN port (eth0)
Back up your current configuration first: run mca-ctrl -t save-cfg via SSH or use System → Backup Config in the Web UI before making changes.
Step 1 — Factory Reset (Recommended)
If your EdgeRouter has a previous config loaded, do a factory reset to start clean. If it's brand new out of the box, skip to Step 2.
Option A: Web UI (easiest)
- Open 192.168.1.1 in your browser (default login: ubnt / ubnt)
- Go to System → Reset Configuration
- Check Reset to factory default
- Click Reset — router will reboot in ~2 minutes
- After reboot, access 192.168.1.1 again
Option B: CLI
Connect via SSH (ssh ubnt@192.168.1.1), then:
```
ubnt@ubnt:~$ configure
ubnt@ubnt# load mca-ctrl
ubnt@ubnt# commit
ubnt@ubnt# exit
ubnt@ubnt:~$ reset saved-config
ubnt@ubnt:~$ reboot
```
After the reset, the router comes up at 192.168.1.1 with the DHCP server enabled on all ports. Connect your computer to any LAN port (eth1–eth5) and open 192.168.1.1 in your browser.
Step 2 — Initial Configuration
Connect your computer to a LAN port on the EdgeRouter (eth1). Open 192.168.1.1 in your browser and log in. The default credentials are ubnt / ubnt — change these immediately.
Basic Setup via Web UI
Set up the WAN interface (eth0) to receive DHCP from your ISP or use a static IP:
Dashboard → Wizards → WAN + 2 LAN (for 2-port routers)
Or: Firewall/NAT → NAT → Interfaces → Add Source NAT rule
Minimum config for a guest-only hotspot (single LAN bridge):
```
set interfaces bridge br0 address 10.10.10.1/24
set interfaces ethernet eth1 bridge-group bridge br0
set interfaces ethernet eth2 bridge-group bridge br0

# Or for ER-6P with built-in switch:
set interfaces switch sw0 switch-row 0 mirror
```
If a bridge already exists (for example switch0 on ER-6P), just use it. No need to recreate.
Run show interfaces bridge to check.
Verify basic connectivity
Run these via CLI to confirm the LAN is up:
```
show ip route
show interfaces bridge br0
ping 8.8.8.8
```
Expected: Default route via eth0, LAN bridge with your chosen IP, successful ping to Google DNS.
Step 3 — Hotspot Profile
EdgeOS's hotspot system uses a walled garden + session timeout model. You define a hotspot profile, assign it to a LAN interface, and the router handles interception automatically.
3A — Create the Hotspot Profile
```
configure

# Replace "weirdtoo-networks" with your venue slug
set hotspot profile weirdtoo-networks \
    captive-portal interface br0 \
    captive-portal session-timeout 14400 \
    captive-portal timeout 3600 \
    captive-portal mac-address-mode ANY

# Enable MAC address passthrough for device tracking
set hotspot profile weirdtoo-networks captive-portal mac-address-passthrough enable

# Set the redirect (this is what intercepts unauthenticated users)
set hotspot profile weirdtoo-networks captive-portal redirect-url \
    "https://weird-network.io/portal/weirdtoo-networks"

commit
save
exit
```
Replace weirdtoo-networks with your actual venue slug from your Weird Network dashboard.
3B — Create the Hotspot Instance on the LAN Bridge
```
configure

# Bind the hotspot profile to the LAN bridge
set hotspot interface hotspot0 profile weirdtoo-networks
set hotspot interface hotspot0 interface br0
set hotspot interface hotspot0 ipaddr 10.10.10.1

commit
save
exit
```
Verify the hotspot is running:
```
show hotspot
# or
show hotspot sessions
```
Step 4 — DHCP & DNS for Captive Portal Detection
For captive portals to work correctly, clients need to receive a proper DHCP lease with a real DNS
server. Most captive portal detection systems (on iOS, Android, Windows) look for a specific HTTP
redirect when they try to reach a known URL like captive.apple.com
or connectivitycheck.gstatic.com.
DHCP Server on LAN Bridge
```
configure

# Set the DHCP server for the LAN bridge
set service dhcp-server shared-network-name BR0_POOL \
    subnet 10.10.10.0/24 \
    start 10.10.10.10 stop 10.10.10.200 \
    default-router 10.10.10.1 \
    lease 86400 \
    dns-server 10.10.10.1

# Tell the DHCP server to push Google's DNS
set service dhcp-server shared-network-name BR0_POOL \
    subnet 10.10.10.0/24 \
    dns-server 8.8.8.8

commit
save
exit
```
DNS Forwarder — Required for Portal Detection
```
configure

# Enable the DNS forwarder (dnsmasq)
set service dns forwarding \
    cache-size 1000 \
    listen-on br0 \
    name-server 8.8.8.8 \
    name-server 8.8.4.4

# Allow DNS to resolve the portal URL WITHOUT auth
# (Walled garden handles this — see Step 5)
set service dns forwarding options \
    address=/weird-network.polsia.app/10.10.10.1

commit
save
exit
```
DNS must resolve weird-network.polsia.app before a guest authenticates — otherwise they'll get a DNS error instead of the portal page. The walled garden (Step 5) handles this by allowing the traffic even when auth would normally block it.
Verify DHCP is handing out leases
```
show dhcp server leases
# Should show clients with IPs in 10.10.10.10–200
```
Step 5 — Walled Garden
The walled garden is the critical piece. It allows specific traffic to pass through without authentication — including DNS resolution, the portal page itself, and the Weird Network API. Without it, guests can't reach the portal to authenticate.
```
configure

# NOTE: the next two rules carry no destination domain.
# Check them against the 0.0.0.0/0 warning that follows this block.

# Allow HTTP/HTTPS to the Weird Network portal
set hotspot profile weirdtoo-networks walled-garden \
    destination address 0.0.0.0/0

# Add explicit portal domain rules
set hotspot profile weirdtoo-networks walled-garden \
    destination address 0.0.0.0/0 \
    destination port 80,443

# Let the portal domain through (no auth needed)
set hotspot profile weirdtoo-networks walled-garden \
    destination address 0.0.0.0/0 \
    destination domain weird-network.polsia.app

# Allow the portal URL (covers the redirect)
set hotspot profile weirdtoo-networks walled-garden \
    destination address 0.0.0.0/0 \
    destination domain weird-network.polsia.app

# Allow CDN assets (fonts, stylesheets)
set hotspot profile weirdtoo-networks walled-garden \
    destination address 0.0.0.0/0 \
    destination domain fonts.googleapis.com
set hotspot profile weirdtoo-networks walled-garden \
    destination address 0.0.0.0/0 \
    destination domain fonts.gstatic.com
set hotspot profile weirdtoo-networks walled-garden \
    destination address 0.0.0.0/0 \
    destination domain polsia.app

# Allow captive portal detection endpoints
set hotspot profile weirdtoo-networks walled-garden \
    destination address 0.0.0.0/0 \
    destination domain connectivitycheck.gstatic.com
set hotspot profile weirdtoo-networks walled-garden \
    destination address 0.0.0.0/0 \
    destination domain captive.apple.com

# Allow DNS (required for resolution before auth)
set hotspot profile weirdtoo-networks walled-garden \
    destination port 53

commit
save
exit
```
Do not use 0.0.0.0/0 without a domain rule. Setting destination address 0.0.0.0/0 alone opens everything. Always pair it with destination domain restrictions, or your guests will have full internet access before authenticating.
Show current walled garden rules
show hotspot profile weirdtoo-networks walled-garden
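One way to check a saved copy of the Step 5 commands against the 0.0.0.0/0 warning, as an added example that is not part of the original guide or of EdgeOS. It assumes the rules are available as the `set hotspot profile ... walled-garden` text shown on this page; the function names and the shortened sample config are constructed for illustration.

```python
import re

# Constructed sample: a shortened copy of the Step 5 commands from this page.
SAMPLE_CONFIG = r"""
set hotspot profile weirdtoo-networks walled-garden \
    destination address 0.0.0.0/0
set hotspot profile weirdtoo-networks walled-garden \
    destination address 0.0.0.0/0 \
    destination port 80,443
set hotspot profile weirdtoo-networks walled-garden \
    destination address 0.0.0.0/0 \
    destination domain captive.apple.com
set hotspot profile weirdtoo-networks walled-garden \
    destination port 53
"""

RULE_RE = re.compile(r"^set hotspot profile (\S+) walled-garden\s+(.*)$")
FIELD_RE = re.compile(r"destination (address|port|domain) (\S+)")


def parse_rules(config_text):
    """Return one dict per walled-garden command, joining backslash continuations."""
    joined = re.sub(r"\\[ \t]*\n[ \t]*", " ", config_text)
    rules = []
    for line in joined.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rule = {"profile": m.group(1)}
            # Each "destination <key> <value>" pair becomes a dict entry.
            rule.update(dict(FIELD_RE.findall(m.group(2))))
            rules.append(rule)
    return rules


def open_rules(rules):
    """Rules that match any address (0.0.0.0/0) and name no destination domain."""
    return [r for r in rules
            if r.get("address") == "0.0.0.0/0" and "domain" not in r]


if __name__ == "__main__":
    for r in open_rules(parse_rules(SAMPLE_CONFIG)):
        print("unrestricted pre-auth rule:", r)
```

Run it over the rule text before committing; any rule it reports lets unauthenticated clients through to every address.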
Step 6 — Verify the Redirect URL
The redirect URL tells the EdgeRouter where to send unauthenticated users. Make sure it matches your venue's slug exactly.
```
# Check current redirect URL
show hotspot profile weirdtoo-networks | grep redirect

# Update if your venue slug has changed
configure
set hotspot profile weirdtoo-networks \
    captive-portal redirect-url "https://weird-network.io/portal/YOUR-SLUG-HERE"
commit
save
exit
```
URL Parameters (Device Tracking)
The EdgeRouter automatically appends Ubiquiti-specific query parameters to the redirect URL:
| Parameter | Description | Used by Weird Network? |
|---|---|---|
| ?ap= | Access Point MAC address | Yes — logged for venue analytics |
| ?id= | Client session / station MAC | Yes — used for device tracking |
| ?uri= | Original requested URL | Yes — for post-auth redirect |
| ?ssid= | SSID name | Logged if present |
Weird Network reads ?ap= and ?id= automatically. You don't need to configure anything extra — just make sure the redirect URL is set and the EdgeRouter can reach weird-network.polsia.app through the walled garden.
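The four query parameters in the table arrive from the guest's browser, so a portal backend should validate them before logging them or using ?uri= as a redirect target. The sketch below is an added example, not Weird Network's or Ubiquiti's code: the function names, the validation policy and the sample URLs are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}")


def is_safe_return_url(uri):
    """Allow only absolute http(s) URLs with a host and no embedded credentials."""
    try:
        parts = urlsplit(uri)
    except ValueError:
        return False
    return (parts.scheme in ("http", "https")
            and bool(parts.hostname)
            and "@" not in parts.netloc)


def parse_portal_query(url):
    """Return validated ap/id/uri/ssid values; anything malformed becomes None."""
    qs = parse_qs(urlsplit(url).query)

    def first(key):
        return qs.get(key, [None])[0]

    out = {}
    for key in ("ap", "id"):
        value = first(key)
        ok = value is not None and MAC_RE.fullmatch(value)
        # Normalise accepted MACs to lower-case, colon-separated form.
        out[key] = value.lower().replace("-", ":") if ok else None
    uri = first("uri")
    out["uri"] = uri if uri and is_safe_return_url(uri) else None
    ssid = first("ssid")
    # Cap the logged SSID length (802.11 SSIDs are at most 32 octets).
    out["ssid"] = ssid[:32] if ssid else None
    return out


# Constructed sample requests (not captured traffic).
GOOD = ("https://weird-network.io/portal/weirdtoo-networks"
        "?ap=AA-BB-CC-DD-EE-01&id=aa:bb:cc:dd:ee:ff"
        "&uri=http%3A%2F%2Fneverssl.com%2F&ssid=Guest")
BAD = ("https://weird-network.io/portal/weirdtoo-networks"
       "?ap=not-a-mac&id=AA:BB:CC:DD:EE:FF&uri=javascript%3Avoid(0)")

if __name__ == "__main__":
    print(parse_portal_query(GOOD))
    print(parse_portal_query(BAD))
```

A rejected ?uri= should fall back to a fixed landing page rather than being echoed into the post-auth redirect.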
Step 7 — Test the Flow
Once everything is configured, test the full flow from a guest device:
7A — Connect a Test Device
- Disconnect from any existing WiFi network
- Connect to your EdgeRouter's WiFi SSID (or plug into a LAN port)
- Open a browser and try to navigate to any HTTP site (e.g., http://example.com)
- You should be automatically redirected to the Weird Network portal
Use http://neverssl.com — it's specifically designed for captive portal testing and never redirects to HTTPS.
7B — Authenticate
- Enter the guest's email address and name (or a voucher code)
- Click Connect
- Wait for the session confirmation with the live countdown timer
- Try navigating to a site — you should have full access
7C — Verify Session Tracking
```
# On the EdgeRouter, check active hotspot sessions
show hotspot sessions all

# Should show:
# IP            MAC                 Session Start   Session End   Duration
# 10.10.10.45   AA:BB:CC:DD:EE:FF   2026-04-13      2026-04-14    4:00:00
```
Check your Weird Network dashboard to confirm the device appears in the Active Sessions list with the correct venue and AP info.
7D — End-to-End Test Checklist
- Guest connects to WiFi and is redirected to Weird Network portal ✓
- Portal loads with correct venue name and branding ✓
- Guest submits email + name → session token created ✓
- Live countdown timer shows correct session duration ✓
- After auth, guest can browse any HTTPS site freely ✓
- After session expiry, guest is redirected again ✓
- Dashboard shows device in active sessions ✓
Troubleshooting
🔴 Redirect not working — guest sees "connection refused" or blank page
Likely cause: The EdgeRouter can't reach weird-network.polsia.app because DNS is blocked or the walled garden doesn't include the domain.
Fix:
```
configure

# Verify DNS forwarder is on
show service dns forwarding

# Add a test rule — allow all DNS
set hotspot profile weirdtoo-networks walled-garden destination port 53

commit
save
exit

# Test resolution
ssh ubnt@192.168.1.1
ping weird-network.polsia.app
```
If ping fails, check your WAN uplink and DNS configuration on eth0.
🔴 HTTPS sites don't redirect — guest gets browser security warning
Likely cause: Captive portals can only intercept unencrypted HTTP traffic. HTTPS traffic passes through the EdgeRouter without interception.
Fix:
- Test with http://neverssl.com first (HTTP only)
- Modern iOS/Android devices use the Captive Network Detection system — they automatically check captive.apple.com on connect
- Make sure captive.apple.com and connectivitycheck.gstatic.com are in your walled garden
- On iOS: go to Settings → WiFi → tap the (i) icon → Auto-Login and toggle
🔴 DNS leak — guest bypasses portal by setting custom DNS (e.g., 8.8.8.8)
Likely cause: Without DNS hijacking, guests can set their own DNS server and bypass the captive portal entirely.
Fix — intercept DNS on the LAN bridge:
```
configure

# Intercept all DNS on the LAN bridge and forward to the router's DNS
set service dns forwarding options interface=br0
set service dns forwarding options bind-interfaces

# Force DNS through the EdgeRouter
set hotspot profile weirdtoo-networks walled-garden destination port 53

# Block external DHCP servers (DHCP spoofing protection)
set service dhcp-server static-arp disable
set service dhcp-server strict-match enable

commit
save
exit
```
🔴 Portal loads but authentication fails silently
Likely cause: The portal's API endpoint is blocked by the walled garden, or the session cookie is being set but the EdgeRouter doesn't recognize it.
Fix:
```
# Verify these domains are in the walled garden:
#   weird-network.polsia.app (portal + API)
#   polsia.app (cookies, CDN, assets)

# Check the EdgeRouter's captive portal session table
show hotspot sessions all

# If the session was created but the client still can't browse,
# check if the client IP matches the session IP
```
🔴 EdgeRouter unreachable after config changes
Likely cause: A syntax error in the CLI config left the interface down or routing broken.
Fix:
```
# SSH in and run:
ssh ubnt@192.168.1.1
show configuration | grep br0

# If the bridge is missing, re-create it:
configure
set interfaces bridge br0 address 10.10.10.1/24
set interfaces ethernet eth1 bridge-group bridge br0
set interfaces ethernet eth2 bridge-group bridge br0
set service dhcp-server shared-network-name BR0_POOL subnet 10.10.10.0/24 start 10.10.10.10 stop 10.10.10.200 default-router 10.10.10.1
set service dns forwarding listen-on br0
commit
save
exit

# If you're completely locked out — factory reset (Step 1) and start over
# That's why we recommend backing up first
```
🔴 "Session already active" — same MAC gets re-redirected
Likely cause: MAC passthrough is enabled but the session isn't clearing when the guest disconnects.
Fix:
```
# Clear all hotspot sessions
clear hotspot sessions all

# Or clear by specific MAC:
clear hotspot session AA:BB:CC:DD:EE:FF

# To force re-authentication on every connect, set session timeout to a shorter window:
configure
set hotspot profile weirdtoo-networks captive-portal session-timeout 14400
# 14400 = 4 hours. Change to 7200 for 2 hours, etc.
commit
save
exit
```
Next Steps
EdgeRouter validated? Here's what's next:
- ✅ Ubiquiti EdgeRouter
- ✅ ER-6P (Barn Yard Acres)
- ⏳ MikroTik hEX (production)
- ⏳ UniFi Dream Machine
- ⏳ OpenWRT