Differences

This shows you the differences between two versions of the page.

docs:user-guide:services:wireless.hotspot.nodogsplash [2018/03/03 17:41] – ↷ Links adapted because of a move operation bobafetthotmail
docs:guide-user:services:captive-portal:wireless.hotspot.nodogsplash [2020/04/15 22:45] (current) – fixed internal wiki link bobafetthotmail
Line 1: Line 1:
-====== Nodogsplash ======+====== Nodogsplash (Outdated document) ====== 
 + 
 +<color #ed1c24>**!!!Warning!!!**</color>  
 +This document is VERY outdated and in some instances misleading due to its outdated nature. 
 +Please go to: 
 + 
 +[[docs:guide-user:services:captive-portal:opennds|OpenNDS]] 
 ''Nodogsplash'' offers a simple way to open a free [[wp>Hotspot (Wi-Fi)]] providing restricted access to an Internet connection.\\ ''Nodogsplash'' offers a simple way to open a free [[wp>Hotspot (Wi-Fi)]] providing restricted access to an Internet connection.\\
 The goal was to use a single wireless router to both provide local secure wifi, and share a portion of our bandwidth as a free hotspot, with a splash page to advertise who is providing the hotspot, and the fact that secure, faster access is available for a small contribution towards costs. The goal was to use a single wireless router to both provide local secure wifi, and share a portion of our bandwidth as a free hotspot, with a splash page to advertise who is providing the hotspot, and the fact that secure, faster access is available for a small contribution towards costs.
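Review bot: the new warning banner says the page is "VERY outdated and in some instances misleading" but does not say which instances, so a reader who still runs the older package cannot tell which sections to distrust; name the affected parts (the firewall rule sets and the bandwidth-control material, at least) or state which NDS version the rest of the page describes. The two unchanged lines directly under the banner (`''Nodogsplash'' offers a simple way ...` and `The goal was ...`) still read as current advice, which undercuts the warning; a short "this is how it used to work" lead-in would fix that.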
Line 12: Line 19:
 The secure wireless is bridged to the hard-wired ports, the hotspot is separate and isolated from the local network. The secure wireless is bridged to the hard-wired ports, the hotspot is separate and isolated from the local network.
  
 +Official documentation: https://nodogsplashdocs.readthedocs.io/en/stable/
  
-|{{:meta:icons:tango:48px-outdated.svg.png?nolink}}| IMQ is still in Backfire, but not in Attitude Adjustment any more |+===== Overview =====
  
 +The nodogsplash captive portal runs as a service that manages client traffic over a router by adjusting firewall rules based on client tracking tools that interact with a users browser and client network requests.
  
 +In order to fully setup user and password authentication or more complex configuration. You will need to read the linked documentation to gain better understanding of the layers that are involved.
 +
 +Usually this will require some basic script/web source editing and web server setup and modification. On Openwrt if user credentials are to be local to the router this will also need to be considered.
 + 
  
 ===== Installation ===== ===== Installation =====
-[[docs:user-guide:additional-software:opkg]]+[[docs:guide-user:additional-software:opkg]]
 <code> <code>
 opkg update opkg update
Line 24: Line 37:
 </code> </code>
  
-By default nodogsplash is disable after install; change "option enabled" in /etc/config/nodogsplash from 0 to to enable it. +In **/etc/config/nodogsplash** ensure option enabled is 1
- +
-Use "/etc/init.d/nodogsplash start" to try starting it now.  Use "/etc/init.d/nodogsplash enable" to auto start it in the future. +
- +
-Use "/usr/bin/ndsctl status" to check if it's up. +
- +
-See https://github.com/nodogsplash/nodogsplash#7-debugging-nodogsplash about how to debug start-up issues. +
-===== Configuration ===== +
- +
-==== Network ==== +
-''[[docs:user-guide:network:basics|/etc/config/network]]'' +
 <code> <code>
-config 'interface' 'lan' +  option enabled 1
- option 'type' 'bridge' +
- option 'ifname' 'eth0.0' +
- option 'proto' 'static' +
- option 'ipaddr' '10.10.10.1+
- option 'netmask' '255.255.255.0' +
- +
-config 'interface' 'wan' +
- option 'ifname' 'eth0.1' +
- option 'proto' 'dhcp' +
- +
-config 'interface' 'wifi' +
- option 'ifname' 'eth1.0' +
- option 'proto' 'static' +
- option 'ipaddr' '10.10.15.1' +
- option 'netmask' '255.255.255.0'+
 </code> </code>
  
- +Enable and start the nodogsplash ( NDS ) service.
-==== Wireless ==== +
-''[[docs:user-guide:network:wifi:basic|/etc/config/wireless]]'' +
 <code> <code>
-config 'wifi-device' 'wlan0' +/etc/init.d/nodogsplash enable 
- option 'type' 'mac80211' +/etc/init.d/nodogsplash start
- option 'channel' '11' +
- option 'disabled' '0' +
- +
-config 'wifi-iface' +
- option 'device' 'wlan0' +
- option 'network' 'lan' +
- option 'mode' 'ap' +
- option 'ssid' 'mywifi-secure' +
- option 'encryption' 'psk2' +
- option 'hidden' '0' +
- option 'key' 'your%verylong.andsecure-pskkey' +
- +
-config 'wifi-iface' +
- option 'device' 'wlan0' +
- option 'network' 'wifi' +
- option 'mode' 'ap' +
- option 'ssid' 'public-hotspot' +
- option 'encryption' 'none' +
- option 'hidden' '0'+
 </code> </code>
  
-==== dhcpd ==== +Some useful commands are listed below.
-''[[docs:user-guide:base-system:dhcp|/etc/config/dhcp]]'' +
 <code> <code>
-config 'dhcp' +/usr/bin/ndsctl status                 ( check if nodogsplash is up ) 
-         option 'interface' 'lan' +/usr/bin/ndsctl clients                ( list connected clients and status ) 
-         option 'start' '100' +/usr/bin/ndsctl deauth 192.168.1.10    ( useful for testing ) 
-         option 'limit' '150' +</code>
-        option 'leasetime' '12h'+
  
-config 'dhcp' +See https://github.com/nodogsplash/nodogsplash#7-debugging-nodogsplash about how to debug start-up issues.
-        option 'interface' 'wan' +
-        option 'ignore' '1'+
  
-config 'dhcp' +Documentation can be found online [[https://nodogsplash.readthedocs.io/en/latest/|here]].
-        option 'interface' 'wifi' +
-        option 'start' '100' +
-        option 'limit' '150' +
-        option 'leasetime' '2h' +
-</code>+
  
-==== Firewall ==== +===== Configuration =====
-Because nodogsplash uses iptables to mark/handle packets, you have to turn off the build-in firewall: +
-<code> +
-/etc/init.d/firewall stop +
-/etc/init.d/firewall disable +
-</code>+
  
 ==== Nodogsplash Configuration File ==== ==== Nodogsplash Configuration File ====
  
-Older versions (?) use ''/etc/nodogsplash/nodogsplash.conf'', the 0.9_beta9.9.9-5 in Chaos Calmer 15.05 uses ''/etc/config/nodogsplash''.+Older versions use ''/etc/nodogsplash/nodogsplash.conf'', while versions starting at 0.9_beta9.9.9-5 in Chaos Calmer 15.05 use UCI with ''/etc/config/nodogsplash''.
  
-The "/etc/config/nodogsplash" config file is here- +The "/etc/config/nodogsplash" config file can be seen [[https://github.com/openwrt-routing/packages/blob/master/nodogsplash/files/nodogsplash.config|here]] or [[https://raw.githubusercontent.com/nodogsplash/nodogsplash/master/openwrt/nodogsplash/files/etc/config/nodogsplash|here]], and is documented below.
-https://github.com/openwrt-routing/packages/blob/master/nodogsplash/files/nodogsplash.config+
  
-It contains an option to use the older style file.+Below is a documented version of the "/etc/config/nodogsplash" file. This UCI file is automatically turned into a temporary config file with the old format when nodogsplash starts. That file can be viewed in /tmp/etc/
  
-Here is the older "nodogsplash.conf" file- 
 <code> <code>
-# +config nodogsplash 
-Nodogsplash Configuration File +  Set to 1 to enable nodogsplash 
-#+  option enabled 0
  
-Parameter: GatewayInterface +  Use plain configuration file 
-Default: NONE +  #option config '/etc/nodogsplash/nodogsplash.conf'
-+
-# GatewayInterface is not autodetected, has no default, and must be set here. +
-# Set GatewayInterface to the interface on your router +
-# that is to be managed by Nodogsplash. +
-# Typically br0 for the wired and wireless lan on OpenWrt White Russian. +
-# May be br-lan on OpenWrt Kamikaze. +
-+
-GatewayInterface wlan0+
  
-FirewallRuleSet: authenticated-users +  The network the users are connected to - if you connect to 'br-lan', enter 'lan' here. 
-# +  option network 'lan' 
-# Control access for users after authentication. +   
-These rules are inserted at the beginning of the +  Set GatewayName to the name of your gateway. This value 
-FORWARD chain of the router's filter table, and +  will be available as variable $gatewayname in the splash page source 
-apply to packets that have come in to the router +  and in status output from ndsctl, but otherwise doesn't matter. 
-over the GatewayInterface from MAC addresses that +  If none is supplied, the value "NoDogSplash" is used. 
-# have authenticated with Nodogsplash, and that are +  option gatewayname 'OpenWrt Nodogsplash' 
-destined to be routed through the router. The rules are +   
-considered in order, and the first rule that matches +  Set MaxClients to the maximum number of users allowed to 
-a packet applies to it+  connect at any time. (Does not include users on the TrustedMACList, 
-If there are any rules in this ruleset, an authenticated +  who do not authenticate.) 
-packet that does not match any rule is rejected+  option maxclients '250' 
-# N.B.: This ruleset is completely independent of +   
-# the preauthenticated-users ruleset. +  Set ClientIdleTimeout to the desired of number of minutes 
-+  of inactivity before a user is automatically 'deauthenticated'
-FirewallRuleSet authenticated-users {+  option clientidletimeout '1200' 
 +   
 +  Set ClientForceTimeout to the desired number of minutes before 
 +  a user is automatically 'deauthenticated', whether active or not 
 +  # option clientforcetimeout '1200'
  
- # You may want to open access to a machine on a local +  ########################### 
- # subnet that is otherwise blocked (for example, to +  # ## authenticated_users ## 
- # serve a redirect page; see RedirectURL). If so, +  ########################### 
- # allow that explicitly here, e.g: +  # Control access for users after authentication. 
- # FirewallRule allow tcp port 80 to 192.168.254.254+  # These rules are inserted at the beginning of the 
 +  # FORWARD chain of the router's filter table, and 
 +  # apply to packets that have come in to the router 
 +  # over the GatewayInterface from MAC addresses that 
 +  # have authenticated with Nodogsplash, and that are 
 +  # destined to be routed through the router. The rules are 
 +  # considered in order, and the first rule that matches 
 +  # a packet applies to it. 
 +  # If there are any rules in this ruleset, an authenticated 
 +  # packet that does not match any rule is rejected. 
 +  # N.B.: This ruleset is completely independent of 
 +  # the preauthenticated-users ruleset. 
 +   
 +  # You may want to open access to a machine on a local 
 +  # subnet that is otherwise blocked (for example, to 
 +  # serve a redirect page; see RedirectURL). If so, 
 +  # allow that explicitly, e.g: 
 +  list authenticated_users 'allow tcp port 80 to 192.168.254.254'
  
- # Your router may have several interfaces, and you +  # Your router may have several interfaces, and you 
- # probably want to keep them private from the GatewayInterface+  # probably want to keep them private from the network/gatewayinterface
- # If so, you should block the entire subnets on those interfaces, e.g.: +  # If so, you should block the entire subnets on those interfaces, e.g.: 
-    #FirewallRule block to 192.168.0.0/16 +  list authenticated_users 'block to 192.168.0.0/16' 
-    #FirewallRule block to 10.0.0.0/8+  list authenticated_users 'block to 10.0.0.0/8'
  
- # Typical ports you will probably want to open up include +  # Typical ports you will probably want to open up. 
- # 53 udp and tcp for DNS, +  list authenticated_users 'allow tcp port 22' 
- # 80 for http, +  list authenticated_users 'allow tcp port 53' 
- # 443 for https, +  list authenticated_users 'allow udp port 53' 
- # 22 for ssh: +  list authenticated_users 'allow tcp port 80' 
-    #FirewallRule allow tcp port 53 +  list authenticated_users 'allow tcp port 443'
-    #FirewallRule allow udp port 53 +
-    #FirewallRule allow tcp port 80 +
-    #FirewallRule allow tcp port 443 +
-    #FirewallRule allow tcp port 22 +
-    FirewallRule allow all+
  
-} +  ############################## 
-end FirewallRuleSet authenticated-users+  ## preauthenticated_users ## 
 +  ############################## 
 +  # Control access for users before authentication. 
 +  # These rules are inserted in the PREROUTING chain 
 +  # of the router's nat table, and in the 
 +  # FORWARD chain of the router's filter table. 
 +  # These rules apply to packets that have come in to the 
 +  # router over the GatewayInterface from MAC addresses that 
 +  # are not on the BlockedMACList or TrustedMACList, 
 +  # are *not* authenticated with Nodogsplash. The rules are 
 +  # considered in order, and the first rule that matches 
 +  # a packet applies to it. A packet that does not match 
 +  # any rule here is rejected. 
 +  # N.B.: This ruleset is completely independent of 
 +  # the authenticated-users and users-to-router rulesets. 
 +  
 +  # For splash page content not hosted on the router, you 
 +  # will want to allow port 80 tcp to the remote host here. 
 +  # Doing so circumvents the usual capture and redirect of 
 +  # any port 80 request to this remote host. 
 +  # Note that the remote host's numerical IP address must be known 
 +  # and used here. 
 +  # list preauthenticated_users 'allow tcp port 80 to 123.321.123.321' 
 +  
 +  # For preauthenticated users to resolve IP addresses in their 
 +  # initial request not using the router itself as a DNS server, 
 +  list preauthenticated_users 'allow tcp port 53' 
 +  list preauthenticated_users 'allow udp port 53'
  
  
-FirewallRuleSet: preauthenticated-users +  ######################
-+  # ## users_to_router #
-# Control access for users before authentication+  ####################### 
-# These rules are inserted in the PREROUTING chain +  # Control access to the router itself from the GatewayInterface
-of the router's nat table, and in the +  # These rules are inserted at the beginning of the 
-FORWARD chain of the router's filter table. +  INPUT chain of the router's filter table, and 
-These rules apply to packets that have come in to the +  # apply to packets that have come in to the router 
-router over the GatewayInterface from MAC addresses that +  # over the GatewayInterface from MAC addresses that 
-# are not on the BlockedMACList or TrustedMACList, +  # are not on the TrustedMACList, and are destined for 
-are *not* authenticated with Nodogsplash. The rules are +  the router itself. The rules are considered 
-considered in order, and the first rule that matches +  # in order, and the first rule that matches a packet applies 
-a packet applies to it. packet that does not match +  # to it. 
-any rule here is rejected. +  # If there are any rules in this ruleset, a 
-# N.B.: This ruleset is completely independent of +  # packet that does not match any rule is rejected. 
-the authenticated-users and users-to-router rulesets. +   
-+  Allow ports for SSH/Telnet/DNS/DHCP/HTTP/HTTPS 
-FirewallRuleSet preauthenticated-users { +  list users_to_router 'allow tcp port 22' 
- # For preauthenticated users to resolve IP addresses in their initial +  list users_to_router 'allow tcp port 23' 
- # request not using the router itself as a DNS server, +  list users_to_router 'allow tcp port 53' 
- # you probably want to allow port 53 udp and tcp for DNS. +  list users_to_router 'allow udp port 53' 
-    FirewallRule allow tcp port 53 +  list users_to_router 'allow udp port 67' 
-    FirewallRule allow udp port 53 +  list users_to_router 'allow tcp port 80' 
- # For splash page content not hosted on the router, you +  list users_to_router 'allow tcp port 443'
- # will want to allow port 80 tcp to the remote host here. +
- # Doing so circumvents the usual capture and redirect of +
- # any port 80 request to this remote host. +
- # Note that the remote host's numerical IP address must be known +
- # and used here. +
- # FirewallRule allow tcp port 80 to 123.321.123.321 +
-+
-# end FirewallRuleSet preauthenticated-users+
  
 +  # MAC addresses that are / are not allowed to access the splash page
 +  # Value is either 'allow' or 'block'. The allowedmac or blockedmac list is used.
 +  #option macmechanism 'allow'
 +  #list allowedmac '00:00:C0:01:D0:0D'
 +  #list allowedmac '00:00:C0:01:D0:1D'
 +  #list blockedmac '00:00:C0:01:D0:2D'
  
-FirewallRuleSet: users-to-router +  #MAC addresses that do not need to authenticate 
-+  #list trustedmac '00:00:C0:01:D0:1D'
-# Control access to the router itself from the GatewayInterface. +
-# These rules are inserted at the beginning of the +
-# INPUT chain of the router's filter table, and +
-# apply to packets that have come in to the router +
-# over the GatewayInterface from MAC addresses that +
-# are not on the TrustedMACList, and are destined for +
-# the router itself. The rules are +
-# considered in order, and the first rule that matches +
-# a packet applies to it. +
-If there are any rules in this ruleset, a +
-# packet that does not match any rule is rejected. +
-+
-FirewallRuleSet users-to-router { +
- # Nodogsplash automatically allows tcp to GatewayPort, +
- # at GatewayAddress, to serve the splash page. +
- # However you may want to open up other ports, e.g. +
- # 53 for DNS and 67 for DHCP if the router itself is +
- # providing these services. +
-    FirewallRule allow udp port 53 +
-    FirewallRule allow tcp port 53 +
-    FirewallRule allow udp port 67 +
- # You may want to allow ssh, http, and https to the router +
- # for administration from the GatewayInterface. If not, +
- # comment these out. +
-    FirewallRule allow tcp port 22 +
-    FirewallRule allow tcp port 23 +
-    FirewallRule allow tcp port 80 +
-    FirewallRule allow tcp port 443 +
-+
-# end FirewallRuleSet users-to-router+
  
-# EmptyRuleSetPolicy directives +  # EmptyRuleSetPolicy directives 
-# The FirewallRuleSets that NoDogSplash permits are: +  # The FirewallRuleSets that NoDogSplash permits are: 
-+  
-# authenticated-users +  # authenticated-users 
-# preauthenticated-users +  # preauthenticated-users 
-# users-to-router +  # users-to-router 
-# trusted-users +  # trusted-users 
-# trusted-users-to-router +  # trusted-users-to-router 
-+  
-# For each of these, an EmptyRuleSetPolicy can be specified. +  # For each of these, an EmptyRuleSetPolicy can be specified. 
-# An EmptyRuleSet policy applies to a FirewallRuleSet if the +  # An EmptyRuleSet policy applies to a FirewallRuleSet if the 
-# FirewallRuleSet is missing from this configuration file, +  # FirewallRuleSet is missing from this configuration file, 
-# or if it exists but contains no FirewallRules. +  # or if it exists but contains no FirewallRules. 
-+  
-# The possible values of an EmptyRuleSetPolicy are: +  # The possible values of an EmptyRuleSetPolicy are: 
-# allow -- packets are accepted +  # allow -- packets are accepted 
-# block -- packets are rejected +  # block -- packets are rejected 
-# passthrough -- packets are passed through to pre-existing firewall rules +  # passthrough -- packets are passed through to pre-existing firewall rules 
-+  
-# Default EmptyRuleSetPolicies are set as follows: +  # Default EmptyRuleSetPolicies are set as follows: 
-# EmptyRuleSetPolicy authenticated-users passthrough +  # EmptyRuleSetPolicy authenticated-users passthrough 
-# EmptyRuleSetPolicy preauthenticated-users block +  # EmptyRuleSetPolicy preauthenticated-users block 
-# EmptyRuleSetPolicy users-to-router block +  # EmptyRuleSetPolicy users-to-router block 
-# EmptyRuleSetPolicy trusted-users allow +  # EmptyRuleSetPolicy trusted-users allow 
-# EmptyRuleSetPolicy trusted-users-to-router allow+  # EmptyRuleSetPolicy trusted-users-to-router allow
  
 +  # This should be autodetected on an OpenWRT system, but if not:
 +  # Set GatewayAddress to the IP address of the router on
 +  # the GatewayInterface. This is the address that the Nodogsplash
 +  # server listens on.
 +  # option gatewayaddress '192.168.1.1'
  
-Parameter: GatewayName +  This should be autodetected from /proc/net/route on a OpenWRT system, but if 
-DefaultNoDogSplash +  notset ExtrnalInterface to the 'external' interface on your router, 
-+  i.e. the one which provides the default route to the internet
-# Set GatewayName to the name of your gateway. This value +  Typically vlan1 for OpenWRT
-will be available as variable $gatewayname in the splash page source +  option externalinterface 'vlan1'
-# and in status output from ndsctl, but otherwise doesn't matter+
-If none is supplied, the value "NoDogSplash" is used+
-# +
-# GatewayName NoDogSplash+
  
-# Parameter: GatewayAddress 
-# Default: Discovered from GatewayInterface 
-# 
-# This should be autodetected on an OpenWRT system, but if not: 
-# Set GatewayAddress to the IP address of the router on 
-# the GatewayInterface. This is the address that the Nodogsplash 
-# server listens on. 
-# 
-# GatewayAddress 192.168.1.1 
  
-Parameter: ExternalInterface +  After authentication, normally user is redirected 
-# Default: Autodetected from /proc/net/route +  # to their initially requested page. 
-+  If RedirectURL is set, the user is redirected to this URL instead
-# This should be autodetected on OpenWRT system, but if not: +  option redirecturl 'http://www.ilesansfil.org/'
-Set ExtrnalInterface to the 'external' interface on your router, +
-i.e. the one which provides the default route to the internet+
-Typically vlan1 for OpenWRT. +
-+
-# ExternalInterface vlan1+
  
-Parameter: RedirectURL +  Nodogsplash's own http server uses GatewayAddress as its IP address. 
-# Default: none +  The port it listens to at that IP can be set here; default is 2050
-+  option gatewayport '2050'
-# After authentication, normally a user is redirected +
-# to their initially requested page. +
-# If RedirectURL is set, the user is redirected to this URL instead+
-# +
-# RedirectURL http://www.ilesansfil.org/+
  
-# Parameter: GatewayPort 
-# Default: 2050 
-# 
-# Nodogsplash's own http server uses GatewayAddress as its IP address. 
-# The port it listens to at that IP can be set here; default is 2050. 
-# 
-# GatewayPort 2050 
  
-# Parameter: MaxClients +  # Set to yes (or true or 1), to immediately authenticate users 
-# Default: 20 +  who make a http port 80 request on the GatewayInterface (that is
-+  # do not serve a splash page, just redirect to the user's request, 
-# Set MaxClients to the maximum number of users allowed to +  or to RedirectURL if set). 
-connect at any time. (Does not include users on the TrustedMACList+  option authenticateimmediately 'no'
-who do not authenticate.) +
-+
-MaxClients 20+
  
-ClientIdleTimeout +  Either block or allow. 
-Parameter: ClientIdleTimeout +  If 'block', MAC addresses on BlockedMACList are blocked from 
-Default: 10 +  authenticating, and all others are allowed. 
-# +  If 'allow', MAC addresses on AllowedMACList are allowed to 
-# Set ClientIdleTimeout to the desired of number of minutes +  authenticate, and all other (non-trusted) MAC's are blocked
-of inactivity before a user is automatically 'deauthenticated'. +  option macmechanism 'block'
-# +
-# ClientIdleTimeout 10+
  
-Parameter: ClientForceTimeout +  Set to yes (or true or 1), to require a password matching 
-Default: 360 +  the Password parameter to be supplied when authenticating. 
-+  option passwordauthentication 'no'
-# Set ClientForceTimeout to the desired number of minutes before +
-a user is automatically 'deauthenticated', whether active or not +
-+
-# ClientForceTimeout 360+
  
-Parameter: AuthenticateImmediately +  Whitespace delimited string that is compared to user-supplied 
-# Default: no +  password when authenticating
-+  option password 'nodog'
-# Set to yes (or true or 1), to immediately authenticate users +
-# who make a http port 80 request on the GatewayInterface (that is+
-# do not serve a splash page, just redirect to the user's request, +
-or to RedirectURL if set)+
-# +
-# AuthenticateImmediately no+
  
-Parameter: MACMechanism +  Set to yes (or true or 1)to require a username matching 
-# Default: block +  the Username parameter to be supplied when authenticating. 
-+  option usernameauthentication 'no'
-# Either block or allow. +
-# If 'block'MAC addresses on BlockedMACList are blocked from +
-# authenticating, and all others are allowed+
-If 'allow', MAC addresses on AllowedMACList are allowed to +
-# authenticate, and all other (non-trusted) MAC's are blocked. +
-+
-# MACMechanism block+
  
-Parameter: BlockedMACList +  Whitespace delimited string that is compared to user-supplied 
-# Default: none +  username when authenticating
-+  option username 'guest'
-# Comma-separated list of MAC addresses who will be completely blocked +
-from the GatewayInterfaceIgnored if MACMechanism is allow. +
-# N.B.: weak security, since MAC addresses are easy to spoof. +
-# +
-BlockedMACList 00:00:DE:AD:BE:EF,00:00:C0:1D:F0:0D+
  
-Parameter: AllowedMACList +  Integer number of failed password/username entries before 
-# Default: none +  a user is forced to reauthenticate
-+  option passwordattempts '5'
-# Comma-separated list of MAC addresses who will not be completely +
-blocked from the GatewayInterface. Ignored if MACMechanism is block. +
-# N.B.: weak security, since MAC addresses are easy to spoof+
-# +
-# AllowedMACList 00:00:12:34:56:78+
  
-# Parameter: TrustedMACList +  # By setting this parameter, you can specify a range of IP addresses 
-# Default: none +  # on the GatewayInterface that will be responded to and managed by 
-+  # Nodogsplash. Addresses outside this range do not have their packets 
-# Comma-separated list of MAC addresses who are not subject to +  # touched by Nodogsplash at all. 
-# authentication, and are not restricted by any FirewallRuleSet. +  # Defaults to 0.0.0.0/0, that is, all addresses. 
-# N.B.: weak security, since MAC addresses are easy to spoof. +  option gatewayiprange '0.0.0.0/0'
-+
-# TrustedMACList 00:00:CA:FE:BA:BE, 00:00:C0:01:D0:0D +
- +
- +
-# Parameter: PasswordAuthentication +
-# Default: no +
-# Set to yes (or true or 1), to require a password matching +
-# the Password parameter to be supplied when authenticating. +
-+
-+
-# PasswordAuthentication no +
- +
-# Parameter: Password +
-# Default: none +
-# Whitespace delimited string that is compared to user-supplied +
-# password when authenticating. +
-+
-+
-# Password nodog +
- +
-# Parameter: UsernameAuthentication +
-# Default: no +
-# Set to yes (or true or 1), to require a username matching +
-# the Username parameter to be supplied when authenticating. +
-+
-+
-# UsernameAuthentication no +
- +
-# Parameter: Username +
-# Default: none +
-# Whitespace delimited string that is compared to user-supplied +
-# username when authenticating. +
-+
-+
-# Username guest +
- +
-# Parameter: PasswordAttempts +
-# Default: 5 +
-# Integer number of failed password/username entries before +
-# a user is forced to reauthenticate. +
-+
-+
-# PasswordAttempts 5 +
- +
-# Parameter: TrafficControl +
-# Default: no +
-+
-# Set to yes (or true or 1), to enable traffic control in Nodogsplash. +
-+
-# TrafficControl no +
- +
-# Parameter: DownloadLimit +
-# Default: 0 +
-+
-# If TrafficControl is enabled, this sets the maximum download +
-# speed to the GatewayInterface, in kilobits per second. +
-# For example if you have an ADSL connection with 768 kbit +
-# download speed, and you want to allow about half of that +
-# bandwidth for the GatewayInterface, set this to 384. +
-# A value of 0 means no download limiting is done. +
-+
-# DownloadLimit 384 +
- +
-# Parameter: UploadLimit +
-# Default: 0 +
-+
-# If TrafficControl is enabled, this sets the maximum upload +
-# speed from the GatewayInterface, in kilobits per second. +
-# For example if you have an ADSL connection with 128 kbit +
-# upload speed, and you want to allow about half of that +
-# bandwidth for the GatewayInterface, set this to 64. +
-# A value of 0 means no upload limiting is done. +
-+
-# UploadLimit 64 +
- +
-# Paramter: GatewayIPRange +
-# Default: 0.0.0.0/0 +
-+
-# By setting this parameter, you can specify a range of IP addresses +
-# on the GatewayInterface that will be responded to and managed by +
-# Nodogsplash. Addresses outside this range do not have their packets +
-# touched by Nodogsplash at all. +
-# Defaults to 0.0.0.0/0, that is, all addresses. +
-# +
-# GatewayIPRange 0.0.0.0/0+
 </code> </code>
  
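Review bot: `option network 'lan'` (with the comment `if you connect to 'br-lan', enter 'lan' here`) puts the captive portal on the private LAN bridge, while the unchanged sentence at the top of this hunk still says "the hotspot is separate and isolated from the local network"; the Network, Wireless and dhcpd subsections that created the separate `wifi` interface (10.10.15.1, ssid `public-hotspot`) are deleted here with no replacement, so a reader following the new text ends up running the portal on the secure LAN. Either keep a minimal example of the isolated hotspot interface or change the example value and say plainly that the LAN bridge is not the intended target. Further points, in order of appearance: the removed "Firewall" subsection told readers to run `/etc/init.d/firewall stop` and `/etc/init.d/firewall disable`; since the old revision gave that advice, the new text should state that the OpenWrt firewall stays enabled alongside NDS rather than dropping the subject silently. In `users_to_router` the new block actively allows tcp 22, 23, 80 and 443 from unauthenticated hotspot clients to the router under the bare heading "Allow ports for SSH/Telnet/DNS/DHCP/HTTP/HTTPS" and drops the old caveat "You may want to allow ssh, http, and https to the router for administration from the GatewayInterface. If not, comment these out"; exposing telnet and the admin interfaces to pre-auth clients is a poor default, so keep 53 and 67 active, comment out 22/23/80/443 and restore the caveat. The `allowedmac`/`blockedmac`/`trustedmac` entries lose the old note "weak security, since MAC addresses are easy to spoof"; that is still true and belongs next to `macmechanism` and `trustedmac`. The `authenticated_users` block rules cover 192.168.0.0/16 and 10.0.0.0/8 but not 172.16.0.0/12, so a private subnet in that range on another interface would stay reachable; add it or say why it is left out. Finally, as rendered here many comment lines in the new UCI block lack the leading `#` (`Set to 1 to enable nodogsplash`, `Use plain configuration file`, `Allow ports for SSH/Telnet/DNS/DHCP/HTTP/HTTPS`, `notset ExtrnalInterface to the 'external' interface`), and "ExtrnalInterface" and "desired of number of minutes" are typos carried over from the old file; the block as shown would not parse if pasted into /etc/config/nodogsplash, so restore the `#` markers before publishing.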
Line 485: Line 294:
  
 <code> <code>
-FirewallRuleSet authenticated-users { +  list authenticated_users 'allow tcp port 995' 
-... +  list authenticated_users 'allow tcp port 993' 
-FirewallRule allow tcp port 995 +  list authenticated_users 'allow tcp port 465' 
-FirewallRule allow tcp port 993 +  list authenticated_users 'allow tcp port 110' 
-FirewallRule allow tcp port 465 +  list authenticated_users 'allow tcp port 143'
-FirewallRule allow tcp port 110 +
-FirewallRule allow tcp port 143+
 </code> </code>
  
  
 Restrict access to the gateway from the hotspot side: Restrict access to the gateway from the hotspot side:
- 
 <code> <code>
-FirewallRuleSet users-to-router { +  list users_to_router 'allow tcp port 22' 
-... +  list users_to_router 'allow tcp port 80' 
-#    FirewallRule allow tcp port 22 +  list users_to_router 'allow tcp port 443'
-#    FirewallRule allow tcp port 80 +
-#    FirewallRule allow tcp port 443+
 </code> </code>
  
 +==== mwan3 Compatibility ====
  
-==== Bandwidth Control ====+NDS and mwan3 both mess with iptables. As such they need a little extra configuration sometimes to work together.
  
-You can restrict bandwidth available to hotspot (adjust according to preference):+**NDS 0.9** 
  
 +Add the following lines to /etc/nodogsplash/nodogsplash.conf:
 <code> <code>
-trafficControl yes +FW_MARK_AUTHENTICATED 262144 
-... +FW_MARK_TRUSTED 131072 
-DownloadLimit 200 +FW_MARK_BLOCKED 65536
-... +
-UploadLimit 100+
 </code> </code>
  
-**In backfire 10.03.1rc5 you need to edit /etc/init.d/nodogsplash and uncomment last lines to make bandwidth control to work**+**NDS 1.0**
  
-<code> +Make the following changes per [[https://github.com/nodogsplash/nodogsplash/issues/218|this]] issue.
-    # if not using traffic control, +
-    # you can comment out the following 3 lines: +
-    do_module_tests "imq" "numdevs=2" +
-    do_module_tests "ipt_IMQ" +
-    do_module_tests "sch_htb" +
-</code> +
-Note: //ipt_IMQ = xt_IMQ// +
- +
-**You also need to install some extra kernel modules:**+
  
 +In /etc/config/nodogsplash:
 <code> <code>
-    opkg install iptables-mod-imq +list fw_mark_authenticated '30000' 
-    opkg install kmod-ipt-imq +list fw_mark_trusted '20000' 
-    opkg install kmod-sched +list fw_mark_blocked '10000'
-</code> +
-And some utilities +
-<code> +
-    opkg install ip +
-    opkg install tc+
 </code> </code>
  
- +In /etc/config/mwan3:
-**NOTE: In Attitude Adjustment 12.09 there is no ''iptables-mod-imq'' package and so the above procedure will fail.** +
- +
-For bandwidth control in **Attitude Adjustment 12.09** you can install [[http://lartc.org/wondershaper/|WonderShaper]] (which also uses [[docs:user-guide:network:traffic-shaping:packet.scheduler|tc]] as its back-end): +
 <code> <code>
-    opkg install wshaper+config globals 'globals'
 </code> </code>
  
-WonderShaper's UCI config file is stored in ''/etc/config/wshaper''. A simple configuration for a guest network might look like this: +**NDS 2.0** 
- +//(compatible by default)//
-<code> +
-config wshaper 'settings' +
- option network 'public' +
- option downlink '64' +
- option uplink '512' +
-</code> +
- +
-**Note:** The ''downlink'' and ''uplink'' maximum values will usually need to be reversed from what one might, at first glance, expect. Also note that due to overhead, actual speeds will be slightly lower.+
  
 ==== Check status ==== ==== Check status ====
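Review bot: the "Restrict access to the gateway from the hotspot side" example now does the opposite of its heading: the old lines `#    FirewallRule allow tcp port 22` / `80` / `443` were commented out, but the replacement `list users_to_router 'allow tcp port 22'`, `'allow tcp port 80'`, `'allow tcp port 443'` adds the allow rules back. A rule that is present is applied, so restricting access in the UCI format means deleting or `#`-commenting those three `list users_to_router` entries (leaving the 53 and 67 entries for DNS and DHCP), and the example should show that. In the new mwan3 section, the "NDS 1.0" step for /etc/config/mwan3 ends with the bare `config globals 'globals'` and no option under it, so the reader cannot tell what to set; summarise the referenced issue in place (which option and value), and say why the mark values are being changed at all (both tools set iptables packet marks, so the NDS values must not collide with the ones mwan3 uses, which is also why the 0.9 and 1.0 examples differ). The three fw_mark entries are single values, so check whether `list` is really intended rather than `option`. Lastly, the whole "Bandwidth Control" subsection (trafficControl/DownloadLimit/UploadLimit, the IMQ modules and the wshaper alternative) is deleted without a pointer, while the introduction still promises to share "a portion of our bandwidth"; add one sentence pointing to the current traffic-shaping guidance or stating what replaces the removed procedure.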
Line 571: Line 350:
  
 options: options:
-  -s <path>         Path to the socket +  -s <path>           Path to the socket 
-  -h                Print usage+  -h                  Print usage
  
 commands: commands:
-  status            View the status of nodogsplash +  status              View the status of nodogsplash 
-  clients           Display machine-readable client list +  clients             Display machine-readable client list 
-  stop              Stop the running nodogsplash +  json                Display machine-readable client list in json format 
-  auth ip           Authenticate user with specified ip +  stop                Stop the running nodogsplash 
-  deauth mac|ip     Deauthenticate user with specified mac or ip +  auth mac|ip|token   Authenticate user with specified mac, ip or token 
-  block mac         Block the given MAC address +  deauth mac|ip|token Deauthenticate user with specified macip or token 
-  unblock mac       Unblock the given MAC address +  block mac           Block the given MAC address 
-  allow mac         Allow the given MAC address +  unblock mac         Unblock the given MAC address 
-  unallow mac       Unallow the given MAC address +  allow mac           Allow the given MAC address 
-  trust mac         Trust the given MAC address +  unallow mac         Unallow the given MAC address 
-  untrust mac       Untrust the given MAC address +  trust mac           Trust the given MAC address 
-  loglevel n        Set logging level to n +  untrust mac         Untrust the given MAC address 
-  password pass     Set gateway password +  loglevel n          Set logging level to n 
-  username name     Set gateway username +  password pass       Set gateway password 
-</code>+  username name       Set gateway username
  
 +</code>
  
  
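Review bot: the new-side `deauth` line reads "Deauthenticate user with specified macip or token"; it should read "mac, ip or token" to match the `auth mac|ip|token` line directly above it. Minor: the closing `</code>` was moved so that a blank line now sits between the `username name` entry and the closing tag, which renders a trailing empty line in the listing; put `</code>` directly after the last command.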
Line 614: Line 394:
  
 ===== Restrict access to domains ===== ===== Restrict access to domains =====
-If you would want to restrict the access to the IP address 20.20.20.20 you can use this [[docs:user-guide:firewall:netfilter]] command (supposing 10.20.30.0/24 is your hotspot network and you redirect clients to your nodogsplash webserver)+If you would want to restrict the access to the IP address 20.20.20.20 you can use this [[docs:guide-user:firewall:netfilter-iptables:netfilter]] command (supposing 10.20.30.0/24 is your hotspot network and you redirect clients to your nodogsplash webserver)
  
 <code> <code>
Line 713: Line 493:
 **Added by NetoMX (2016/03/30): In my case, I needed to add in the default firewall rules, FORWARD->ACCEPT to make this work. I didn't make point 4 and it still works. For bandwitdh limit, use WShaper. **Added by NetoMX (2016/03/30): In my case, I needed to add in the default firewall rules, FORWARD->ACCEPT to make this work. I didn't make point 4 and it still works. For bandwitdh limit, use WShaper.
  
-===== Quick NoDogSplash Setup Example =====+==== Legacy NDS - Bandwidth Control ====
  
-This is a quick setup for NodogsplashIt shows a splash page for any web acccess comming from br-lan.+In backfire 10.03.1rc5, you need to edit /etc/init.d/nodogsplash and uncomment last lines to make bandwidth control to work**
  
-/etc/nodogsplash/nodogsplash.conf 
 <code> <code>
-GatewayInterface br-lan+    # if not using traffic control, 
 +    # you can comment out the following 3 lines: 
 +    do_module_tests "imq" "numdevs=2" 
 +    do_module_tests "ipt_IMQ" 
 +    do_module_tests "sch_htb" 
 +</code> 
 +Note: //ipt_IMQ = xt_IMQ//
  
-FirewallRuleSet preauthenticated-users { +**You also need to install some extra kernel modules:**
- FirewallRule allow tcp port 53 +
- FirewallRule allow udp port 53 +
- FirewallRule allow icmp +
-}+
  
-EmptyRuleSetPolicy authenticated-users passthrough +<code> 
-EmptyRuleSetPolicy users-to-router passthrough +    opkg install iptables-mod-imq 
-EmptyRuleSetPolicy trusted-users allow +    opkg install kmod-ipt-imq 
-EmptyRuleSetPolicy trusted-users-to-router passthrough+    opkg install kmod-sched 
 +</code> 
 +And some utilities 
 +<code> 
 +    opkg install ip 
 +    opkg install tc 
 +</code>
  
-MaxClients 30 +NOTE: In Attitude Adjustment 12.09 there is no ''iptables-mod-imq'' package and so traffic control no longer works. 
-ClientIdleTimeout 10 + 
-ClientForceTimeout 240+For bandwidth control in **Attitude Adjustment 12.09** you can install [[http://lartc.org/wondershaper/|WonderShaper]] (which also uses [[docs:guide-user:network:traffic-shaping:packet.scheduler|tc]] as its back-end): 
 + 
 +<code> 
 +    opkg install wshaper
 </code> </code>
  
-For the actual splash site place these [[https://github.com/nodogsplash/nodogsplash/tree/master/resources|example files]] as follows:+WonderShaper's UCI config file is stored in ''/etc/config/wshaper''A simple configuration for a guest network might look like this:
  
 <code> <code>
-/etc/nodogsplash/htdocs/splash.html +config wshaper 'settings' 
-/etc/nodogsplash/htdocs/infoskel.html + option network 'public' 
-/etc/nodogsplash/htdocs/images/splash.jpg+ option downlink '64' 
 + option uplink '512'
 </code> </code>
 +
 +**Note:** The ''downlink'' and ''uplink'' maximum values will usually need to be reversed from what one might, at first glance, expect. Also note that due to overhead, actual speeds will be slightly lower.
 +
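Review bot: the first sentence under the new "Legacy NDS - Bandwidth Control" heading ends with a dangling `**` ("...to make bandwidth control to work**") with no opening marker, so DokuWiki will bold everything up to the next `**`; either drop it or wrap the whole sentence. Since the section is explicitly legacy, state up front which releases each block applies to (Backfire 10.03.1rc5 for the IMQ modules, Attitude Adjustment 12.09 for wshaper); as written, the "there is no iptables-mod-imq package and so traffic control no longer works" note only appears after the `opkg install` commands, so a reader on a newer build will run them first. In the wshaper example, `option network 'public'` should say that `public` has to be the hotspot interface name from /etc/config/network, and the "reversed from what one might, at first glance, expect" remark should state plainly which traffic direction `downlink` and `uplink` each limit and in what unit, rather than leaving it to the reader.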
  • Last modified: 2020/04/15 22:45
  • by bobafetthotmail