The Enhancement request number Is - FB17988268

App ([BUNDLEID) is using NEHotspotHelper API and it's unresponsive to API's evaluate command. The API gives 45 seconds to 3rd party apps to respond, and then it launches WebSheet to allow user to interact with the portal. // Captive state machine started 2024-09-20 19:39:35.722906-0700 0xb2a Default 0x0 50 0 configd: (CaptiveNetworkSupport) [com.apple.captive:Controller] en0: SSID 'Costco Member Wifi' setting interface rank Never (no cache entry) // Captive evaluation started 2024-09-20 19:39:35.729462-0700 0xb2a Default 0x0 50 0 configd: (CaptiveNetworkSupport) [com.apple.captive:Controller] CNPluginHandler en0: Evaluating 2024-09-20 19:39:35.803915-0700 0xb2a Default 0x0 50 0 configd: (CaptiveNetworkSupport) [com.apple.captive:Controller] en0: Probing 'Costco Member Wifi' // Builtin completed its evaluation 2024-09-20 19:39:36.666749-0700 0xb2a Default 0x0 50 0 configd: (CaptiveNetworkSupport) [com.apple.captive:Controller] en0: Redirect detected on 'Costco Member Wifi' // app acknowledged the evaluate command delivery 2024-09-20 19:39:36.669560-0700 0xb2a Default 0x0 50 0 configd: (CaptiveNetworkSupport) [com.apple.captive:Controller] [com.xfinity.digitalhome] acknowledged the command delivery // evaluation timed out after 45 seconds 2024-09-20 19:40:20.807153-0700 0xb2a Default 0x0 50 0 configd: (CaptiveNetworkSupport) [com.apple.captive:Controller] CNPluginHandler en0: Authenticating (BUILTIN)

Yes, inside of the PacketTunnel Provider we use sockets to bind to an interface. This is used for faster failover, avoiding bad networks and aggregating for speed. With include all networks set to on, we can successfully bind to pdp_ip0 when en0 is active however , attempting to use that socket it gets routed through the default en0 interface. You can test it out when binding to pdp_ip0 with include all networks on, sending a ping to ifconfig and it will return with the default interfaces IP.

One of the biggest issues is that if you set includeAllNetworks , then attempt to bind to a cellular adapter via sockets OR use NWConnection and prohibit WiFi and require Cellular but you are on a WiFi network, NECP will deny the cellular use. When binding, it will succeed, but then route traffic over the default route anyway. Ideally, with includeAllNetworks, we would like to bind to each adapter and decide when each should be used. Is this expected with includeAllNetworks?

I'm encountering issues with using includeAllNetworks where NECP is denying adapter usage, among other problems. Are you aware of any specific reasons why setting default routes wouldn't direct traffic through the tunnel? Additionally, it seems that with includeAllNetworks, enforcing routes may not function as expected. Any insights or guidance you could provide on these matters would be greatly appreciated.