Differences
| docs:guide-user:services:captive-portal:wireless.hotspot.nodogsplash [2018/03/04 16:14] – ↷ Links adapted because of a move operation | docs:guide-user:services:captive-portal:wireless.hotspot.nodogsplash [2019/04/30 10:59] – [Nodogsplash Configuration File] someothertime | ||
|---|---|---|---|
| Line 12: | Line 12: | ||
| The secure wireless is bridged to the hard-wired ports, the hotspot is separate and isolated from the local network. | The secure wireless is bridged to the hard-wired ports, the hotspot is separate and isolated from the local network. | ||
| + | Official documentation: | ||
| - | |{{: | + | ===== Overview ===== |
| + | The nodogsplash captive portal runs as a service that manages client traffic over a router by adjusting firewall rules based on client tracking tools that interact with a users browser and client network requests. | ||
| + | In order to fully setup user and password authentication or more complex configuration. You will need to read the linked documentation to gain better understanding of the layers that are involved. | ||
| + | |||
| + | Usually this will require some basic script/web source editing and web server setup and modification. On Openwrt if user credentials are to be local to the router this will also need to be considered. | ||
| + | |||
| ===== Installation ===== | ===== Installation ===== | ||
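Review bot: the added Overview (right column, the lines under `===== Overview =====`) leaves one thought as a fragment: "In order to fully setup user and password authentication or more complex configuration." ends before its main clause and should be joined to the sentence that follows ("... or more complex configuration, you will need to read the linked documentation ..."). In the same block "a users browser" should read "a user's browser", and the "Official documentation:" line introduces a link that the reader is told they must read, so the link itself belongs on that line rather than only in the "Documentation can be found online" sentence further down.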
| Line 24: | Line 30: | ||
| </ | </ | ||
| - | By default nodogsplash is disable after install; change " | + | In **/ |
| - | + | ||
| - | Use "/ | + | |
| - | + | ||
| - | Use "/ | + | |
| - | + | ||
| - | See https:// | + | |
| - | ===== Configuration ===== | + | |
| - | + | ||
| - | ==== Network ==== | + | |
| - | '' | + | |
| < | < | ||
| - | config ' | + | |
| - | option | + | |
| - | option ' | + | |
| - | option ' | + | |
| - | option ' | + | |
| - | option ' | + | |
| - | + | ||
| - | config ' | + | |
| - | option ' | + | |
| - | option ' | + | |
| - | + | ||
| - | config ' | + | |
| - | option ' | + | |
| - | option ' | + | |
| - | option ' | + | |
| - | option ' | + | |
| </ | </ | ||
| - | + | Enable and start the nodogsplash ( NDS ) service. | |
| - | ==== Wireless ==== | + | |
| - | '' | + | |
| < | < | ||
| - | config ' | + | / |
| - | option ' | + | /etc/init.d/ |
| - | option ' | + | |
| - | option ' | + | |
| - | + | ||
| - | config ' | + | |
| - | option ' | + | |
| - | option ' | + | |
| - | option ' | + | |
| - | option ' | + | |
| - | option ' | + | |
| - | option ' | + | |
| - | option ' | + | |
| - | + | ||
| - | config ' | + | |
| - | option ' | + | |
| - | option ' | + | |
| - | option ' | + | |
| - | option ' | + | |
| - | option ' | + | |
| - | option ' | + | |
| </ | </ | ||
| - | ==== dhcpd ==== | + | Some useful commands are listed below. |
| - | '' | + | |
| < | < | ||
| - | config ' | + | / |
| - | | + | / |
| - | | + | / |
| - | | + | </ |
| - | option ' | + | |
| - | config ' | + | See https:// |
| - | option ' | + | |
| - | option ' | + | |
| - | config ' | + | Documentation can be found online [[https:// |
| - | option ' | + | |
| - | option ' | + | |
| - | option ' | + | |
| - | option ' | + | |
| - | </code> | + | |
| - | ==== Firewall | + | ===== Configuration ===== |
| - | Because nodogsplash uses iptables to mark/handle packets, you have to turn off the build-in firewall: | + | |
| - | < | + | |
| - | / | + | |
| - | / | + | |
| - | </ | + | |
| ==== Nodogsplash Configuration File ==== | ==== Nodogsplash Configuration File ==== | ||
| - | Older versions | + | Older versions use ''/ |
| - | The "/ | + | The "/ |
| - | https:// | + | |
| - | It contains an option to use the older style file. | + | Below is a documented version of the "/ |
| - | Here is the older " | ||
| < | < | ||
| - | # | + | config nodogsplash |
| - | # Nodogsplash Configuration File | + | # Set to 1 to enable nodogsplash |
| - | # | + | |
| - | # Parameter: GatewayInterface | + | |
| - | # Default: NONE | + | #option config '/ |
| - | # | + | |
| - | # GatewayInterface is not autodetected, | + | |
| - | # Set GatewayInterface to the interface on your router | + | |
| - | # that is to be managed by Nodogsplash. | + | |
| - | # Typically br0 for the wired and wireless lan on OpenWrt White Russian. | + | |
| - | # May be br-lan on OpenWrt Kamikaze. | + | |
| - | # | + | |
| - | GatewayInterface wlan0 | + | |
| - | # FirewallRuleSet: | + | |
| - | # | + | |
| - | # Control access for users after authentication. | + | |
| - | # These rules are inserted at the beginning | + | # Set GatewayName to the name of your gateway. This value |
| - | # FORWARD chain of the router' | + | # will be available as variable $gatewayname in the splash page source |
| - | # apply to packets that have come in to the router | + | # and in status output from ndsctl, but otherwise doesn' |
| - | # over the GatewayInterface from MAC addresses that | + | # If none is supplied, |
| - | # have authenticated with Nodogsplash, and that are | + | |
| - | # destined | + | |
| - | # considered in order, and the first rule that matches | + | |
| - | # a packet applies to it. | + | # connect at any time. (Does not include users on the TrustedMACList, |
| - | # If there are any rules in this ruleset, an authenticated | + | # who do not authenticate.) |
| - | # packet that does not match any rule is rejected. | + | |
| - | # N.B.: This ruleset is completely independent of | + | |
| - | # the preauthenticated-users ruleset. | + | |
| - | # | + | # of inactivity before a user is automatically ' |
| - | FirewallRuleSet authenticated-users { | + | |
| + | | ||
| + | # Set ClientForceTimeout to the desired number of minutes before | ||
| + | # a user is automatically ' | ||
| + | # option clientforcetimeout ' | ||
| - | # You may want to open access to a machine on a local | + | ########################### |
| - | # subnet that is otherwise blocked (for example, to | + | # ## authenticated_users ## |
| - | # serve a redirect page; see RedirectURL). If so, | + | ########################### |
| - | # allow that explicitly | + | # Control access for users after authentication. |
| - | # | + | # These rules are inserted at the beginning of the |
| + | # FORWARD chain of the router' | ||
| + | # apply to packets that have come in to the router | ||
| + | # over the GatewayInterface from MAC addresses that | ||
| + | # have authenticated with Nodogsplash, | ||
| + | # destined to be routed through the router. The rules are | ||
| + | # considered in order, and the first rule that matches | ||
| + | # a packet applies to it. | ||
| + | # If there are any rules in this ruleset, an authenticated | ||
| + | # packet that does not match any rule is rejected. | ||
| + | # N.B.: This ruleset is completely independent of | ||
| + | # the preauthenticated-users ruleset. | ||
| + | |||
| + | # You may want to open access to a machine on a local | ||
| + | # subnet that is otherwise blocked (for example, to | ||
| + | # serve a redirect page; see RedirectURL). If so, | ||
| + | # allow that explicitly, e.g: | ||
| + | # list authenticated_users 'allow tcp port 80 to 192.168.254.254' | ||
| - | # Your router may have several interfaces, and you | + | |
| - | # probably want to keep them private from the GatewayInterface. | + | # probably want to keep them private from the network/ |
| - | # If so, you should block the entire subnets on those interfaces, e.g.: | + | # If so, you should block the entire subnets on those interfaces, e.g.: |
| - | # | + | list authenticated_users 'block to 192.168.0.0/ |
| - | # | + | list authenticated_users 'block to 10.0.0.0/8' |
| - | # Typical ports you will probably want to open up include | + | |
| - | # 53 udp and tcp for DNS, | + | list authenticated_users ' |
| - | # 80 for http, | + | list authenticated_users 'allow tcp port 53' |
| - | # 443 for https, | + | list authenticated_users 'allow udp port 53' |
| - | # | + | list authenticated_users 'allow tcp port 80' |
| - | # | + | list authenticated_users 'allow tcp port 443' |
| - | # | + | |
| - | # | + | |
| - | # | + | |
| - | # | + | |
| - | FirewallRule allow all | + | |
| - | } | + | ############################## |
| - | # end FirewallRuleSet | + | # ## preauthenticated_users ## |
| + | ############################## | ||
| + | # Control access for users before authentication. | ||
| + | # These rules are inserted in the PREROUTING chain | ||
| + | # of the router' | ||
| + | # FORWARD chain of the router' | ||
| + | # These rules apply to packets that have come in to the | ||
| + | # router over the GatewayInterface from MAC addresses that | ||
| + | # are not on the BlockedMACList or TrustedMACList, | ||
| + | # are *not* authenticated with Nodogsplash. The rules are | ||
| + | # considered in order, and the first rule that matches | ||
| + | # a packet applies to it. A packet that does not match | ||
| + | # any rule here is rejected. | ||
| + | # N.B.: This ruleset is completely independent of | ||
| + | # the authenticated-users | ||
| + | |||
| + | # For splash page content not hosted on the router, you | ||
| + | # will want to allow port 80 tcp to the remote host here. | ||
| + | # Doing so circumvents the usual capture and redirect of | ||
| + | # any port 80 request to this remote host. | ||
| + | # Note that the remote host's numerical IP address must be known | ||
| + | # and used here. | ||
| + | # list preauthenticated_users 'allow tcp port 80 to 123.321.123.321' | ||
| + | |||
| + | # For preauthenticated users to resolve IP addresses in their | ||
| + | # initial request not using the router itself as a DNS server, | ||
| + | list preauthenticated_users 'allow tcp port 53' | ||
| + | list preauthenticated_users 'allow udp port 53' | ||
| - | # FirewallRuleSet: | + | ###################### |
| - | # | + | # ## users_to_router ## |
| - | # Control access | + | ####################### |
| - | # These rules are inserted | + | |
| - | # of the router' | + | # These rules are inserted |
| - | # FORWARD | + | # INPUT chain of the router' |
| - | # These rules apply to packets that have come in to the | + | # apply to packets that have come in to the router |
| - | # router | + | # over the GatewayInterface from MAC addresses that |
| - | # are not on the BlockedMACList or TrustedMACList, | + | # are not on the TrustedMACList, |
| - | # are *not* authenticated with Nodogsplash. The rules are | + | # the router itself. The rules are considered |
| - | # considered | + | # in order, and the first rule that matches a packet applies |
| - | # a packet applies to it. A packet that does not match | + | # to it. |
| - | # any rule here is rejected. | + | # If there are any rules in this ruleset, a |
| - | # N.B.: This ruleset is completely independent of | + | # packet that does not match any rule is rejected. |
| - | # the authenticated-users and users-to-router rulesets. | + | |
| - | # | + | # Allow ports for SSH/Telnet/DNS/ |
| - | FirewallRuleSet preauthenticated-users { | + | list users_to_router 'allow tcp port 22' |
| - | # For preauthenticated users to resolve IP addresses in their initial | + | list users_to_router ' |
| - | # request not using the router itself as a DNS server, | + | list users_to_router 'allow tcp port 53' |
| - | # you probably want to allow port 53 udp and tcp for DNS. | + | list users_to_router 'allow udp port 53' |
| - | | + | list users_to_router 'allow udp port 67' |
| - | | + | list users_to_router 'allow tcp port 80' |
| - | # For splash page content not hosted on the router, you | + | list users_to_router |
| - | # will want to allow port 80 tcp to the remote host here. | + | |
| - | # Doing so circumvents the usual capture and redirect of | + | |
| - | # any port 80 request to this remote host. | + | |
| - | # Note that the remote host's numerical IP address must be known | + | |
| - | # and used here. | + | |
| - | # FirewallRule | + | |
| - | } | + | |
| - | # end FirewallRuleSet preauthenticated-users | + | |
| + | # MAC addresses that are / are not allowed to access the splash page | ||
| + | # Value is either ' | ||
| + | #option macmechanism ' | ||
| + | #list allowedmac ' | ||
| + | #list allowedmac ' | ||
| + | #list blockedmac ' | ||
| - | # FirewallRuleSet: | + | |
| - | # | + | #list trustedmac ' |
| - | # Control access to the router itself from the GatewayInterface. | + | |
| - | # These rules are inserted at the beginning of the | + | |
| - | # INPUT chain of the router' | + | |
| - | # apply to packets that have come in to the router | + | |
| - | # over the GatewayInterface from MAC addresses that | + | |
| - | # are not on the TrustedMACList, | + | |
| - | # the router itself. The rules are | + | |
| - | # considered in order, and the first rule that matches | + | |
| - | # a packet applies | + | |
| - | # If there are any rules in this ruleset, a | + | |
| - | # packet that does not match any rule is rejected. | + | |
| - | # | + | |
| - | FirewallRuleSet users-to-router { | + | |
| - | # Nodogsplash automatically allows tcp to GatewayPort, | + | |
| - | # at GatewayAddress, | + | |
| - | # However you may want to open up other ports, e.g. | + | |
| - | # 53 for DNS and 67 for DHCP if the router itself is | + | |
| - | # providing these services. | + | |
| - | FirewallRule allow udp port 53 | + | |
| - | FirewallRule allow tcp port 53 | + | |
| - | FirewallRule allow udp port 67 | + | |
| - | # You may want to allow ssh, http, and https to the router | + | |
| - | # for administration from the GatewayInterface. If not, | + | |
| - | # comment these out. | + | |
| - | FirewallRule allow tcp port 22 | + | |
| - | FirewallRule allow tcp port 23 | + | |
| - | FirewallRule allow tcp port 80 | + | |
| - | FirewallRule allow tcp port 443 | + | |
| - | } | + | |
| - | # end FirewallRuleSet users-to-router | + | |
| - | # EmptyRuleSetPolicy directives | + | |
| - | # The FirewallRuleSets that NoDogSplash permits are: | + | # The FirewallRuleSets that NoDogSplash permits are: |
| - | # | + | # |
| - | # authenticated-users | + | # authenticated-users |
| - | # preauthenticated-users | + | # preauthenticated-users |
| - | # users-to-router | + | # users-to-router |
| - | # trusted-users | + | # trusted-users |
| - | # trusted-users-to-router | + | # trusted-users-to-router |
| - | # | + | # |
| - | # For each of these, an EmptyRuleSetPolicy can be specified. | + | # For each of these, an EmptyRuleSetPolicy can be specified. |
| - | # An EmptyRuleSet policy applies to a FirewallRuleSet if the | + | # An EmptyRuleSet policy applies to a FirewallRuleSet if the |
| - | # FirewallRuleSet is missing from this configuration file, | + | # FirewallRuleSet is missing from this configuration file, |
| - | # or if it exists but contains no FirewallRules. | + | # or if it exists but contains no FirewallRules. |
| - | # | + | # |
| - | # The possible values of an EmptyRuleSetPolicy are: | + | # The possible values of an EmptyRuleSetPolicy are: |
| - | # allow -- packets are accepted | + | # allow -- packets are accepted |
| - | # block -- packets are rejected | + | # block -- packets are rejected |
| - | # passthrough -- packets are passed through to pre-existing firewall rules | + | # passthrough -- packets are passed through to pre-existing firewall rules |
| - | # | + | # |
| - | # Default EmptyRuleSetPolicies are set as follows: | + | # Default EmptyRuleSetPolicies are set as follows: |
| - | # EmptyRuleSetPolicy authenticated-users passthrough | + | # EmptyRuleSetPolicy authenticated-users passthrough |
| - | # EmptyRuleSetPolicy preauthenticated-users block | + | # EmptyRuleSetPolicy preauthenticated-users block |
| - | # EmptyRuleSetPolicy users-to-router block | + | # EmptyRuleSetPolicy users-to-router block |
| - | # EmptyRuleSetPolicy trusted-users allow | + | # EmptyRuleSetPolicy trusted-users allow |
| - | # EmptyRuleSetPolicy trusted-users-to-router allow | + | # EmptyRuleSetPolicy trusted-users-to-router allow |
| + | # This should be autodetected on an OpenWRT system, but if not: | ||
| + | # Set GatewayAddress to the IP address of the router on | ||
| + | # the GatewayInterface. This is the address that the Nodogsplash | ||
| + | # server listens on. | ||
| + | # option gatewayaddress ' | ||
| - | # Parameter: GatewayName | + | |
| - | # Default: NoDogSplash | + | # not: set ExtrnalInterface |
| - | # | + | # i.e. the one which provides the default route to the internet. |
| - | # Set GatewayName | + | # Typically vlan1 for OpenWRT. |
| - | # will be available as variable $gatewayname in the splash page source | + | # option externalinterface ' |
| - | # and in status output from ndsctl, but otherwise doesn' | + | |
| - | # If none is supplied, the value " | + | |
| - | # | + | |
| - | # GatewayName NoDogSplash | + | |
| - | # Parameter: GatewayAddress | ||
| - | # Default: Discovered from GatewayInterface | ||
| - | # | ||
| - | # This should be autodetected on an OpenWRT system, but if not: | ||
| - | # Set GatewayAddress to the IP address of the router on | ||
| - | # the GatewayInterface. This is the address that the Nodogsplash | ||
| - | # server listens on. | ||
| - | # | ||
| - | # GatewayAddress 192.168.1.1 | ||
| - | # Parameter: ExternalInterface | + | |
| - | # Default: Autodetected from / | + | # to their initially requested page. |
| - | # | + | # If RedirectURL is set, the user is redirected |
| - | # This should be autodetected on a OpenWRT system, but if not: | + | # option redirecturl ' |
| - | # Set ExtrnalInterface | + | |
| - | # i.e. the one which provides | + | |
| - | # Typically vlan1 for OpenWRT. | + | |
| - | # | + | |
| - | # ExternalInterface vlan1 | + | |
| - | # Parameter: RedirectURL | + | |
| - | # Default: none | + | # The port it listens |
| - | # | + | # option gatewayport ' |
| - | # After authentication, | + | |
| - | # to their initially requested page. | + | |
| - | # If RedirectURL is set, the user is redirected to this URL instead. | + | |
| - | # | + | |
| - | # RedirectURL http:// | + | |
| - | # Parameter: GatewayPort | ||
| - | # Default: 2050 | ||
| - | # | ||
| - | # Nodogsplash' | ||
| - | # The port it listens to at that IP can be set here; default is 2050. | ||
| - | # | ||
| - | # GatewayPort 2050 | ||
| - | # Parameter: MaxClients | + | |
| - | # Default: 20 | + | # who make a http port 80 request |
| - | # | + | # do not serve a splash page, just redirect to the user's request, |
| - | # Set MaxClients | + | # or to RedirectURL if set). |
| - | # connect at any time. (Does not include users on the TrustedMACList, | + | # option authenticateimmediately ' |
| - | # who do not authenticate.) | + | |
| - | # | + | |
| - | # MaxClients 20 | + | |
| - | # ClientIdleTimeout | + | |
| - | # Parameter: ClientIdleTimeout | + | # If ' |
| - | # Default: 10 | + | # authenticating, |
| - | # | + | # If ' |
| - | # Set ClientIdleTimeout | + | # authenticate, |
| - | # of inactivity before a user is automatically ' | + | # option macmechanism ' |
| - | # | + | |
| - | # ClientIdleTimeout 10 | + | |
| - | # Parameter: ClientForceTimeout | + | |
| - | # Default: 360 | + | # the Password parameter |
| - | # | + | # option passwordauthentication |
| - | # Set ClientForceTimeout | + | |
| - | # a user is automatically | + | |
| - | # | + | |
| - | # ClientForceTimeout 360 | + | |
| - | # Parameter: AuthenticateImmediately | + | |
| - | # Default: no | + | # password when authenticating. |
| - | # | + | # option password ' |
| - | # Set to yes (or true or 1), to immediately authenticate users | + | |
| - | # who make a http port 80 request on the GatewayInterface (that is, | + | |
| - | # do not serve a splash page, just redirect | + | |
| - | # or to RedirectURL if set). | + | |
| - | # | + | |
| - | # AuthenticateImmediately no | + | |
| - | # Parameter: MACMechanism | + | |
| - | # Default: block | + | # the Username parameter to be supplied when authenticating. |
| - | # | + | # option usernameauthentication |
| - | # Either block or allow. | + | |
| - | # If ' | + | |
| - | # authenticating, and all others are allowed. | + | |
| - | # If 'allow', MAC addresses on AllowedMACList are allowed to | + | |
| - | # authenticate, | + | |
| - | # | + | |
| - | # MACMechanism block | + | |
| - | # Parameter: BlockedMACList | + | |
| - | # Default: none | + | # username when authenticating. |
| - | # | + | # option username ' |
| - | # Comma-separated list of MAC addresses who will be completely blocked | + | |
| - | # from the GatewayInterface. Ignored if MACMechanism is allow. | + | |
| - | # N.B.: weak security, since MAC addresses are easy to spoof. | + | |
| - | # | + | |
| - | # BlockedMACList 00: | + | |
| - | # Parameter: AllowedMACList | + | |
| - | # Default: none | + | # a user is forced |
| - | # | + | # option passwordattempts ' |
| - | # Comma-separated list of MAC addresses who will not be completely | + | |
| - | # blocked from the GatewayInterface. Ignored if MACMechanism | + | |
| - | # N.B.: weak security, since MAC addresses are easy to spoof. | + | |
| - | # | + | |
| - | # AllowedMACList 00: | + | |
| - | # Parameter: TrustedMACList | + | |
| - | # Default: none | + | # on the GatewayInterface that will be responded to and managed by |
| - | # | + | # Nodogsplash. Addresses outside this range do not have their packets |
| - | # Comma-separated list of MAC addresses who are not subject to | + | # touched by Nodogsplash at all. |
| - | # authentication, | + | # Defaults to 0.0.0.0/0, that is, all addresses. |
| - | # N.B.: weak security, since MAC addresses are easy to spoof. | + | # option gatewayiprange '0.0.0.0/0' |
| - | # | + | |
| - | # TrustedMACList 00: | + | |
| - | + | ||
| - | + | ||
| - | # Parameter: PasswordAuthentication | + | |
| - | # Default: no | + | |
| - | # Set to yes (or true or 1), to require a password matching | + | |
| - | # the Password parameter to be supplied when authenticating. | + | |
| - | # | + | |
| - | # | + | |
| - | # PasswordAuthentication no | + | |
| - | + | ||
| - | # Parameter: Password | + | |
| - | # Default: none | + | |
| - | # Whitespace delimited string that is compared to user-supplied | + | |
| - | # password when authenticating. | + | |
| - | # | + | |
| - | # | + | |
| - | # Password nodog | + | |
| - | + | ||
| - | # Parameter: UsernameAuthentication | + | |
| - | # Default: no | + | |
| - | # Set to yes (or true or 1), to require a username matching | + | |
| - | # the Username parameter to be supplied when authenticating. | + | |
| - | # | + | |
| - | # | + | |
| - | # UsernameAuthentication no | + | |
| - | + | ||
| - | # Parameter: Username | + | |
| - | # Default: none | + | |
| - | # Whitespace delimited string that is compared to user-supplied | + | |
| - | # username when authenticating. | + | |
| - | # | + | |
| - | # | + | |
| - | # Username guest | + | |
| - | + | ||
| - | # Parameter: PasswordAttempts | + | |
| - | # Default: 5 | + | |
| - | # Integer number of failed password/ | + | |
| - | # a user is forced to reauthenticate. | + | |
| - | # | + | |
| - | # | + | |
| - | # PasswordAttempts 5 | + | |
| - | + | ||
| - | # Parameter: TrafficControl | + | |
| - | # Default: no | + | |
| - | # | + | |
| - | # Set to yes (or true or 1), to enable traffic control in Nodogsplash. | + | |
| - | # | + | |
| - | # TrafficControl no | + | |
| - | + | ||
| - | # Parameter: DownloadLimit | + | |
| - | # Default: 0 | + | |
| - | # | + | |
| - | # If TrafficControl is enabled, this sets the maximum download | + | |
| - | # speed to the GatewayInterface, | + | |
| - | # For example if you have an ADSL connection with 768 kbit | + | |
| - | # download speed, and you want to allow about half of that | + | |
| - | # bandwidth for the GatewayInterface, | + | |
| - | # A value of 0 means no download limiting is done. | + | |
| - | # | + | |
| - | # DownloadLimit 384 | + | |
| - | + | ||
| - | # Parameter: UploadLimit | + | |
| - | # Default: 0 | + | |
| - | # | + | |
| - | # If TrafficControl is enabled, this sets the maximum upload | + | |
| - | # speed from the GatewayInterface, | + | |
| - | # For example if you have an ADSL connection with 128 kbit | + | |
| - | # upload speed, and you want to allow about half of that | + | |
| - | # bandwidth for the GatewayInterface, | + | |
| - | # A value of 0 means no upload limiting is done. | + | |
| - | # | + | |
| - | # UploadLimit 64 | + | |
| - | + | ||
| - | # Paramter: GatewayIPRange | + | |
| - | # Default: 0.0.0.0/0 | + | |
| - | # | + | |
| - | # By setting this parameter, you can specify a range of IP addresses | + | |
| - | # on the GatewayInterface that will be responded to and managed by | + | |
| - | # Nodogsplash. Addresses outside this range do not have their packets | + | |
| - | # touched by Nodogsplash at all. | + | |
| - | # Defaults to 0.0.0.0/0, that is, all addresses. | + | |
| - | # | + | |
| - | # GatewayIPRange | + | |
| </ | </ | ||
| Line 485: | Line 287: | ||
| < | < | ||
| - | FirewallRuleSet authenticated-users { | + | list authenticated_users 'allow tcp port 995' |
| - | ... | + | list authenticated_users 'allow tcp port 993' |
| - | FirewallRule | + | list authenticated_users 'allow tcp port 465' |
| - | FirewallRule | + | list authenticated_users 'allow tcp port 110' |
| - | FirewallRule | + | list authenticated_users 'allow tcp port 143' |
| - | FirewallRule | + | |
| - | FirewallRule | + | |
| </ | </ | ||
| Restrict access to the gateway from the hotspot side: | Restrict access to the gateway from the hotspot side: | ||
| - | |||
| < | < | ||
| - | FirewallRuleSet users-to-router { | + | list users_to_router 'allow tcp port 22' |
| - | ... | + | list users_to_router 'allow tcp port 80' |
| - | # FirewallRule | + | list users_to_router 'allow tcp port 443' |
| - | # FirewallRule | + | |
| - | # FirewallRule | + | |
| </ | </ | ||
| + | ==== mwan3 Compatibility ==== | ||
| - | ==== Bandwidth Control ==== | + | NDS and mwan3 both mess with iptables. As such they need a little extra configuration sometimes to work together. |
| - | You can restrict bandwidth available to hotspot (adjust according to preference): | + | **NDS 0.9** |
| + | Add the following lines to / | ||
| < | < | ||
| - | trafficControl yes | + | FW_MARK_AUTHENTICATED 262144 |
| - | ... | + | FW_MARK_TRUSTED 131072 |
| - | DownloadLimit 200 | + | FW_MARK_BLOCKED 65536 |
| - | ... | + | |
| - | UploadLimit 100 | + | |
| </ | </ | ||
| - | **In backfire 10.03.1rc5 you need to edit / | + | **NDS 1.0** |
| - | < | + | Make the following |
| - | # if not using traffic control, | + | |
| - | # you can comment out the following | + | |
| - | do_module_tests " | + | |
| - | do_module_tests " | + | |
| - | do_module_tests " | + | |
| - | </code> | + | |
| - | Note: //ipt_IMQ = xt_IMQ// | + | |
| - | + | ||
| - | **You also need to install some extra kernel modules:** | + | |
| + | In / | ||
| < | < | ||
| - | opkg install iptables-mod-imq | + | list fw_mark_authenticated ' |
| - | opkg install kmod-ipt-imq | + | list fw_mark_trusted ' |
| - | opkg install kmod-sched | + | list fw_mark_blocked ' |
| - | </ | + | |
| - | And some utilities | + | |
| - | < | + | |
| - | opkg install ip | + | |
| - | opkg install tc | + | |
| </ | </ | ||
| - | + | In /etc/config/mwan3: | |
| - | **NOTE: | + | |
| - | + | ||
| - | For bandwidth control in **Attitude Adjustment 12.09** you can install [[http://lartc.org/wondershaper/ | + | |
| < | < | ||
| - | opkg install wshaper | + | config globals ' |
| </ | </ | ||
| - | WonderShaper' | + | **NDS 2.0** |
| - | + | //(compatible by default)// | |
| - | < | + | |
| - | config wshaper ' | + | |
| - | option network ' | + | |
| - | option downlink ' | + | |
| - | option uplink ' | + | |
| - | </code> | + | |
| - | + | ||
| - | **Note:** The '' | + | |
| ==== Check status ==== | ==== Check status ==== | ||
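Review bot: under "Restrict access to the gateway from the hotspot side:" the right column turns the old commented-out `# FirewallRule` lines into active `list users_to_router 'allow tcp port 22'`, `'allow tcp port 80'` and `'allow tcp port 443'` entries; uncommented allow entries open SSH and HTTP/HTTPS on the router to hotspot clients, which is the opposite of what the heading says. Either prefix them with `#` as the old version did, or reword the heading to say these are the lines to remove or comment out. In the new "mwan3 Compatibility" section, `FW_MARK_AUTHENTICATED 262144`, `FW_MARK_TRUSTED 131072`, `FW_MARK_BLOCKED 65536` and the matching `fw_mark_authenticated` / `fw_mark_trusted` / `fw_mark_blocked` lists are given without saying why these particular values are needed; since the section only says that "NDS and mwan3 both mess with iptables", one sentence on which firewall-mark bits mwan3 claims and that these marks are chosen not to overlap them would let a reader adapt the values rather than copy them, and the `config globals '` line for /etc/config/mwan3 should show the full option it sets.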
| Line 571: | Line 343: | ||
| options: | options: | ||
| - | -s < | + | -s < |
| - | -h Print usage | + | -h Print usage |
| commands: | commands: | ||
| - | status | + | status |
| - | clients | + | clients |
| - | stop Stop the running nodogsplash | + | json |
| - | auth ip | + | stop Stop the running nodogsplash |
| - | deauth mac|ip | + | auth mac|ip|token |
| - | block mac | + | deauth mac|ip|token |
| - | unblock mac | + | block mac |
| - | allow mac | + | unblock mac |
| - | unallow mac | + | allow mac |
| - | trust mac | + | unallow mac |
| - | untrust mac | + | trust mac |
| - | loglevel n Set logging level to n | + | untrust mac |
| - | password pass | + | loglevel n Set logging level to n |
| - | username name | + | password pass |
| - | </ | + | username name |
| + | </ | ||
| Line 713: | Line 486: | ||
| **Added by NetoMX (2016/ | **Added by NetoMX (2016/ | ||
| - | ===== Quick NoDogSplash Setup Example ===== | + | ==== Legacy NDS - Bandwidth Control |
| - | This is a quick setup for Nodogsplash. It shows a splash page for any web acccess comming from br-lan. | + | In backfire 10.03.1rc5, you need to edit / |
| - | / | ||
| < | < | ||
| - | GatewayInterface br-lan | + | # if not using traffic control, |
| + | # you can comment out the following 3 lines: | ||
| + | do_module_tests " | ||
| + | do_module_tests " | ||
| + | do_module_tests " | ||
| + | </ | ||
| + | Note: //ipt_IMQ = xt_IMQ// | ||
| - | FirewallRuleSet preauthenticated-users { | + | **You also need to install some extra kernel modules:** |
| - | | + | |
| - | | + | |
| - | | + | |
| - | } | + | |
| - | EmptyRuleSetPolicy authenticated-users passthrough | + | < |
| - | EmptyRuleSetPolicy users-to-router passthrough | + | opkg install iptables-mod-imq |
| - | EmptyRuleSetPolicy trusted-users allow | + | opkg install kmod-ipt-imq |
| - | EmptyRuleSetPolicy trusted-users-to-router passthrough | + | opkg install kmod-sched |
| + | </ | ||
| + | And some utilities | ||
| + | < | ||
| + | opkg install ip | ||
| + | opkg install tc | ||
| + | </ | ||
| - | MaxClients 30 | + | NOTE: In Attitude Adjustment 12.09 there is no '' |
| - | ClientIdleTimeout 10 | + | |
| - | ClientForceTimeout 240 | + | For bandwidth control in **Attitude Adjustment 12.09** you can install [[http:// |
| + | |||
| + | < | ||
| + | opkg install wshaper | ||
| </ | </ | ||
| - | For the actual splash site place these [[https://github.com/ | + | WonderShaper' |
| < | < | ||
| - | / | + | config wshaper ' |
| - | / | + | option network ' |
| - | / | + | option downlink ' |
| + | option uplink ' | ||
| </ | </ | ||
| + | |||
| + | **Note:** The '' | ||
| + | |||
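Review bot: the left column's "Quick NoDogSplash Setup Example" (GatewayInterface br-lan, a preauthenticated-users ruleset, the EmptyRuleSetPolicy lines, MaxClients 30 / ClientIdleTimeout 10 / ClientForceTimeout 240 and the splash page files) is deleted and nothing in the right column replaces it, so the page loses its only minimal end-to-end example at exactly the revision that changes the configuration format; port it to `option` and `list preauthenticated_users` lines in the new format. The retitled "Legacy NDS - Bandwidth Control" section still reads as live instructions ("you need to edit", "You also need to install some extra kernel modules") but names only backfire 10.03.1rc5 and Attitude Adjustment 12.09; open it with one sentence stating that it applies only to those releases and to the old configuration file, so that nobody installs the IMQ modules or wshaper on a current image by following it. The unchanged `**Added by NetoMX (2016/` attribution line now precedes the legacy section rather than the example it introduced; move it with the example or drop it.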