OpenWrt Forum Archive

Topic: nocatsplash on guest wifi

The content of this topic has been archived on 4 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi all

I want to redirect my guest user on a guest wifi network using nocatsplash.

Currently I get an IP (dnsmasq is working as expected), I can ping to several websites. But I see some strange behaviour
1. When I surf to www.c2root.be it works as expected and lets me run through.
2. When I surf to e.g. www.homerecording.be it redirects me to the splash page.
3. when I don't accept and surf to another website, it appears to be stuck???
4. When I open a browser (restarted the services) and surf to https://www.Facebook.com it does not redirect and keep waiting for a server reply.

I have added my /etc/config/firewall

config defaults
    option syn_flood    1
    option input        ACCEPT
    option output        ACCEPT
    option forward        REJECT
# Uncomment this line to disable ipv6 rules
#    option disable_ipv6    1

config zone
    option name        lan
    option network        'lan'
    option input        ACCEPT
    option output        ACCEPT
    option forward        REJECT

config zone
    option name        wan
    option network        'wan'
    option input        REJECT
    option output        ACCEPT
    option forward        REJECT
    option masq        1
    option mtu_fix        1
    
config zone 
    option name    guest
    option network  'guest'
    option input    ACCEPT
    option output    ACCEPT
    option forward     REJECT

config forwarding
    option src        lan
    option dest        wan
    
config forwarding
    option src        guest
    option dest        wan
    

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
    option name        Allow-DHCP-Renew
    option src        wan
    option proto        udp
    option dest_port    68
    option target        ACCEPT
    option family        ipv4

# Allow IPv4 ping
config rule
    option name        Allow-Ping
    option src        wan
    option proto        icmp
    option icmp_type    echo-request
    option family        ipv4
    option target        ACCEPT

# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
config rule
    option name        Allow-DHCPv6
    option src        wan
    option proto        udp
    option src_ip        fe80::/10
    option src_port        547
    option dest_ip        fe80::/10
    option dest_port    546
    option family        ipv6
    option target        ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
    option name        Allow-ICMPv6-Input
    option src        wan
    option proto    icmp
    list icmp_type        echo-request
    list icmp_type        echo-reply
    list icmp_type        destination-unreachable
    list icmp_type        packet-too-big
    list icmp_type        time-exceeded
    list icmp_type        bad-header
    list icmp_type        unknown-header-type
    list icmp_type        router-solicitation
    list icmp_type        neighbour-solicitation
    list icmp_type        router-advertisement
    list icmp_type        neighbour-advertisement
    option limit        1000/sec
    option family        ipv6
    option target        ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
    option name        Allow-ICMPv6-Forward
    option src        wan
    option dest        *
    option proto        icmp
    list icmp_type        echo-request
    list icmp_type        echo-reply
    list icmp_type        destination-unreachable
    list icmp_type        packet-too-big
    list icmp_type        time-exceeded
    list icmp_type        bad-header
    list icmp_type        unknown-header-type
    option limit        1000/sec
    option family        ipv6
    option target        ACCEPT

# include a file with users custom iptables rules
config include
    option path /etc/firewall.user

config rule
    option src         guest
    option dest_port    53
    option proto        tcpudp
    option target        ACCEPT
    
config rule
    option src        guest
    option src_port        67-68
    option dest_port    67-68
    option proto        udp
    option target    ACCEPT

config rule
    option src        guest
    option src_port        5280    
    option dest_port    5280
    option proto        tcp
    option target    ACCEPT

### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
#    option src        lan
#    option src_ip    192.168.45.2
#    option dest        wan
#    option proto    tcp
#    option target    REJECT

# block a specific mac on wan
#config rule
#    option dest        wan
#    option src_mac    00:11:22:33:44:66
#    option target    REJECT

# block incoming ICMP traffic on a zone
#config rule
#    option src        lan
#    option proto    ICMP
#    option target    DROP

# port redirect port coming in on wan to lan
#config redirect
#    option src            wan
#    option src_dport    80
#    option dest            lan
#    option dest_ip        192.168.16.235
#    option dest_port    80
#    option proto        tcp

# port redirect of remapped ssh port (22001) on wan
#config redirect
#    option src        wan
#    option src_dport    22001
#    option dest        lan
#    option dest_port    22
#    option proto        tcp

# allow IPsec/ESP and ISAKMP passthrough
#config rule
#    option src        wan
#    option dest        lan
#    option protocol        esp
#    option target        ACCEPT

#config rule
#    option src        wan
#    option dest        lan
#    option src_port        500
#    option dest_port    500
#    option proto        udp
#    option target        ACCEPT

### FULL CONFIG SECTIONS
#config rule
#    option src        lan
#    option src_ip    192.168.45.2
#    option src_mac    00:11:22:33:44:55
#    option src_port    80
#    option dest        wan
#    option dest_ip    194.25.2.129
#    option dest_port    120
#    option proto    tcp
#    option target    REJECT

my nocat.conf looks like this

###### General settings.
#
# See the bottom of this file for options for logging to syslog.

##### Gateway application settings.
#
# GatewayName -- The name of this gateway, to be optionally displayed
#   on the splash and status pages. Any short string of text will do.
#
GatewayName    Studentmesh Options
##
#
# GatewayMode -- Determines the mode of operation of the gateway. Possible
#   values are:
#   
#   Open    - Simply require a user to view a splash page and accept 
#            a use agreement.
#
# Only Open mode is currently supported.
#
GatewayMode    Open

##
# GatewayLog -- Optional.  If unset, messages will go to STDERR.
# (currently unused!)
#
#GatewayLog    /tmp/nocat.log

##
# LoginTimeout - Number of seconds after a client's last
#   login/renewal to terminate their connection. Probably
#   don't want to set this to less than 60 or a lot of 
#   bandwidth is likely to get consumed by the client's
#   renewal attempts. 
#
# For Open Mode portals, you probably want to comment out
#   the preceding and set LoginTimeout to 
#   something large (like 86400, for one notification
#   per day).
#
LoginTimeout    86400

###### Open Portal settings.
#
##
# HomePage -- The authservice's notion of a default
#   redirect.
#
HomePage    http://www.c2root.be/

# DocumentRoot -- Where all of the application templates (including
#   SplashForm) are hiding. Can be different from Apache's DocumentRoot.
#   Defaults to /usr/share/nocat/htdocs via compile-time option.
#
# DocumentRoot    /usr/share/nocat/htdocs    

# SplashForm -- Form displayed to users on capture.
#
SplashForm    splash.html

# SplashURL -- URL to fetch remote splash page from. You must compile
#   with --with-remote-splash for this to work. SplashTimeout specifies
#   the reload period of the remote splash page.
#
# SplashURL    http://example.com/get_splash_page.cgi?node=$NodeID
# 
# SplashTimeout    21600

###### Active/Passive Portal settings. 
# None of these settings affect open mode operation.
#
# TrustedGroups - A list of groups registered with the auth server
#   that a user may claim membership in order to gain Member-class
#   access through this portal. The default magic value "Any" indicates
#   that a member of *any* group is granted member-class access from
#   this gateway. NOT YET IMPLEMENTED.
#
# TrustedGroups    NoCat NYCWireless PersonalTelco
#
TrustedGroups Any

##
# Owners - Optional.  List all local "owner" class users here, separated 
#   by spaces.  Owners typically get full bandwidth, and unrestricted
#   access to all network resources. NOT YET IMPLEMENTED.
#
# Owners rob@nocat.net schuyler@nocat.net

##
# AuthServiceAddr - Required, for captive mode. Must be set to the address of
#   your authentication service. You must use an IP address
#   if DNS resolution isn't available at gateway startup.
#
# AuthServiceAddr 208.201.239.21
#

##
# AuthServiceURL - HTTPS URL to the login script at the authservice. 
#

##
# LogoutURL - HTTP URL to redirect user after logout.
#

##
# PGPKeyPath -- The directory in which PGP keys are stored.
#   NoCat tries to find this in the pgp/ directory above
#   the bin/ parent directory. Set this only if you put it
#   somewhere that NoCat doesn't expect.
#
# PGPKeyPath    /usr/share/nocat/pgp


### Network Topology
#
# FirewallPath - Where to find the firewall scripts.
#   Defaults to /usr/lib/nocat via compile-time option.
#
# FirewallPath    /usr/lib/nocat

#
# ExternalDevice - Required if and only if NoCatAuth can't figure it out
#   from looking at your routing tables and picking the interface
#   that carries the default route. Must be set to the interface
#   connected to the Internet. Usually 'eth0' or 'eth1'
#   under Linux, or maybe even 'ppp0' if you're running
#   PPP or PPPoE.
#
# ExternalDevice    eth0

##
# InternalDevice - Required if and only if your machine has more than two
#   network interfaces. Must be set to the interface connected to your local
#   network, normally your wireless card.
#
InternalDevice    br-guest
##
# LocalNetwork - Required if and only if NoCatSplash can't figure it out
#   by polling the InternalDevice. Must be set to the network
#   address and net mask of your internal network. You
#   can use the number of bits in the netmask (e.g. /16, /24, etc.)
#   or the full x.x.x.x specification.
#
 LocalNetwork    10.0.0.0/24

##
# DNSAddr - Optional. *If* you choose not to run DNS on your internal network,
#   specify the address(es) of one or more domain name server on the Internet
#   that wireless clients can use to get out. Should be the same DNS that your
#   DHCP server hands out.
#
 DNSAddr 8.8.8.8
##
# AllowedWebHosts - Optional.  List any domains that you would like to
#   allow web access (TCP port 80 and 443) BEFORE logging in (this is the
#   pre-'skip' stage, so be careful about what you allow.)
#
AllowedWebHosts    www.c2root.be www.linux.com

##
# RouteOnly - Required only if you DO NOT want your gateway to act as a NAT. 
#   Uncomment this only if you're running a strictly routed network, and
#   don't need the gateway to enable NAT for you.
#
# RouteOnly    1

##
# MembersOnly - Optional.  Uncomment this if you want to disable public
#   access (i.e. unauthenticated 'skip' button access).  You'll also want to
#   point AuthServiceURL somewhere that doesn't include a skip button (like
#   at your own Auth server.)
#
# MembersOnly    1

##
# IncludePorts - Optional.  Specify TCP ports to allow access to when 
#   public class users login.  All others will be denied.
#
#   For a list of common services and their respective port numbers, see 
#   your /etc/services file. Depending on your firewall, you might even
#   be able to specify said services here, instead of using port numbers.
#
#IncludePorts    80 443

##
# ExcludePorts - Optional.  Specify TCP ports to denied access to when
#   public class users login.  All others will be allowed.
#
#   Note that you should use either IncludePorts or ExcludePorts, but not
#   both.  If neither is specified, access is granted to all ports to
#   public class users.
#
#   You should *always* exclude port 25, unless you want to run an portal
#   for wanton spam sending. Users should have their own way of sending
#   mail. It sucks, but that's the way it is. Comment this out *only if*
#   you're using IncludePorts instead.
#
 ExcludePorts 23 25 111
#
#ExcludePorts    25

####### Syslog Options
#
# Log Facility - syslog or internal.  "internal" sends log messages
#    using STDERR. "syslog" sends all messages to the system log.

 LogFacility    syslog
##
# SyslogIdent - The ident of the program that is calling syslog.  This will
#    be prepended to every log entry made by NoCat.  Defaults to NoCat.
#
 SyslogIdent NoCat

###### Other Common Gateway Options. (stuff you probably won't have to change)
#
# ResetCmd, PermitCmd, DenyCmd -- Shell commands to reset,
#   open and close the firewall. You probably don't need to
#   change these.
#
# ResetCmd    initialize.fw
# PermitCmd    access.fw permit $MAC $IP $Class 
# DenyCmd    access.fw deny $MAC $IP $Class 

##
# GatewayPort - The TCP port to bind the gateway 
#   service to. 5280 is de-facto standard for NoCatAuth.
#   Change this only if you absolutely need to.
#
# GatewayPort     5280

##
#
# IdleTimeout -- How often to check the ARP cache, in seconds,
#   for expiration of idle clients. NOT YET IMPLEMENTED.
#
# MaxMissedARP -- How many times a client can be missing from
#   the ARP cache before we assume they've gone away, and log them
#   out. Set to 0 to disable logout based on ARP cache expiration.
# 
# MaxMissedARP    2
#
# IdleTimeout   300

### Fin!

I copied a startup script for this forum (from a post very long time ago)

#!/bin/sh
#
# start/stop splashd super server.
case "$1" in
    start)
            echo -n "Starting NoCat splash server:"
                    echo -n " splashd" ;
                            /usr/sbin/splashd -D &
                                    echo "."
                                            ;;
                                                stop)
                                                        echo -n "Stopping NoCat splash server:"
                                                                echo -n " splashd" ;
                                                                        killall splashd
                                                                                echo "."
                                                                                        ;;
                                                                                            restart)
                                                                                                    echo -n "Restarting NoCat splash server:"
                                                                                                            echo -n " splashd"
                                                                                                                    $0 stop
                                                                                                                            $0 start
                                                                                                                                    echo "."
                                                                                                                                            ;;
                                                                                                                                                *)
                                                                                                                                                        echo "Usage: $0 {start|stop|restart}"
                                                                                                                                                                exit 1
                                                                                                                                                                        ;;
                                                                                                                                                                        esac
                                                                                                                                                                        exit 0

Any clues on why it is not always redirecting?

my /etc/config/network looks like the following

config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config interface 'lan'
    option ifname 'eth1'
    option type 'bridge'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'
    
config interface 'guest'
    option 'proto' 'static'
    option type 'bridge'
    option 'ipaddr' '10.0.0.1'
    option 'netmask' '255.255.255.0'
    
config interface 'wan'
    option ifname 'eth0'
    option proto 'dhcp'

config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '0 1 2 3 4'

Any clues welcome

Kind regards

Steve

Nobody?

In case some of you might come into the same problem:
You can overcome this problem as follows
1. use ipset in dnsmasq to add some domains to an allowed_ips set
2. mark (using prerouting) all the packages which are running from the guest to this set
3. redirect all packages which are not marked.

Use both https and http on your redirection server as it will redirect port 80 / 443 to the new destination server.

Compare it to a reversed DMZ system

Hi Countcobolt, i have the same problem but i'm a novice to router programming, is it possible to explain the three steps in detail?

I also want to use splash file but struggling with nodogsplash url redirect on chaos calmer
I have not install nocatsplash, it seems not available

chiakhoavang.vn wrote:

I also want to use splash file but struggling with nodogsplash url redirect on chaos calmer
I have not install nocatsplash, it seems not available

follow my guide here https://www.youtube.com/watch?v=RFMEczxlxxA

The discussion might have continued from here.