Hi all
I want to redirect my guest users on a guest wifi network using nocatsplash.
Currently I get an IP (dnsmasq is working as expected) and I can ping several websites. But I see some strange behaviour:
1. When I surf to www.c2root.be it works as expected and lets me through.
2. When I surf to e.g. www.homerecording.be it redirects me to the splash page.
3. When I don't accept and surf to another website, it appears to be stuck.
4. When I open a browser (after restarting the services) and surf to https://www.Facebook.com it does not redirect and keeps waiting for a server reply.
I have added my /etc/config/firewall:
config defaults
option syn_flood 1
option input ACCEPT
option output ACCEPT
option forward REJECT
# Uncomment this line to disable ipv6 rules
# option disable_ipv6 1
config zone
option name lan
option network 'lan'
option input ACCEPT
option output ACCEPT
option forward REJECT
config zone
option name wan
option network 'wan'
option input REJECT
option output ACCEPT
option forward REJECT
option masq 1
option mtu_fix 1
config zone
option name guest
option network 'guest'
option input ACCEPT
option output ACCEPT
option forward REJECT
config forwarding
option src lan
option dest wan
config forwarding
option src guest
option dest wan
# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
option name Allow-DHCP-Renew
option src wan
option proto udp
option dest_port 68
option target ACCEPT
option family ipv4
# Allow IPv4 ping
config rule
option name Allow-Ping
option src wan
option proto icmp
option icmp_type echo-request
option family ipv4
option target ACCEPT
# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
config rule
option name Allow-DHCPv6
option src wan
option proto udp
option src_ip fe80::/10
option src_port 547
option dest_ip fe80::/10
option dest_port 546
option family ipv6
option target ACCEPT
# Allow essential incoming IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Input
option src wan
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
list icmp_type router-solicitation
list icmp_type neighbour-solicitation
list icmp_type router-advertisement
list icmp_type neighbour-advertisement
option limit 1000/sec
option family ipv6
option target ACCEPT
# Allow essential forwarded IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Forward
option src wan
option dest *
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
option limit 1000/sec
option family ipv6
option target ACCEPT
# include a file with users custom iptables rules
config include
option path /etc/firewall.user
config rule
option src guest
option dest_port 53
option proto tcpudp
option target ACCEPT
config rule
option src guest
option src_port 67-68
option dest_port 67-68
option proto udp
option target ACCEPT
# splashd listens on the GatewayPort (5280); clients connect from an ephemeral
# source port, so matching on src_port 5280 would never fire.
config rule
option src guest
option dest_port 5280
option proto tcp
option target ACCEPT
### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
# option src lan
# option src_ip 192.168.45.2
# option dest wan
# option proto tcp
# option target REJECT
# block a specific mac on wan
#config rule
# option dest wan
# option src_mac 00:11:22:33:44:66
# option target REJECT
# block incoming ICMP traffic on a zone
#config rule
# option src lan
# option proto ICMP
# option target DROP
# port redirect port coming in on wan to lan
#config redirect
# option src wan
# option src_dport 80
# option dest lan
# option dest_ip 192.168.16.235
# option dest_port 80
# option proto tcp
# port redirect of remapped ssh port (22001) on wan
#config redirect
# option src wan
# option src_dport 22001
# option dest lan
# option dest_port 22
# option proto tcp
# allow IPsec/ESP and ISAKMP passthrough
#config rule
# option src wan
# option dest lan
# option protocol esp
# option target ACCEPT
#config rule
# option src wan
# option dest lan
# option src_port 500
# option dest_port 500
# option proto udp
# option target ACCEPT
### FULL CONFIG SECTIONS
#config rule
# option src lan
# option src_ip 192.168.45.2
# option src_mac 00:11:22:33:44:55
# option src_port 80
# option dest wan
# option dest_ip 194.25.2.129
# option dest_port 120
# option proto tcp
# option target REJECT
My nocat.conf looks like this:
###### General settings.
#
# See the bottom of this file for options for logging to syslog.
##### Gateway application settings.
#
# GatewayName -- The name of this gateway, to be optionally displayed
# on the splash and status pages. Any short string of text will do.
#
GatewayName Studentmesh Options
##
#
# GatewayMode -- Determines the mode of operation of the gateway. Possible
# values are:
#
# Open - Simply require a user to view a splash page and accept
# a use agreement.
#
# Only Open mode is currently supported.
#
GatewayMode Open
##
# GatewayLog -- Optional. If unset, messages will go to STDERR.
# (currently unused!)
#
#GatewayLog /tmp/nocat.log
##
# LoginTimeout - Number of seconds after a client's last
# login/renewal to terminate their connection. Probably
# don't want to set this to less than 60 or a lot of
# bandwidth is likely to get consumed by the client's
# renewal attempts.
#
# For Open Mode portals, you probably want to comment out
# the preceding and set LoginTimeout to
# something large (like 86400, for one notification
# per day).
#
LoginTimeout 86400
###### Open Portal settings.
#
##
# HomePage -- The authservice's notion of a default
# redirect.
#
HomePage http://www.c2root.be/
# DocumentRoot -- Where all of the application templates (including
# SplashForm) are hiding. Can be different from Apache's DocumentRoot.
# Defaults to /usr/share/nocat/htdocs via compile-time option.
#
# DocumentRoot /usr/share/nocat/htdocs
# SplashForm -- Form displayed to users on capture.
#
SplashForm splash.html
# SplashURL -- URL to fetch remote splash page from. You must compile
# with --with-remote-splash for this to work. SplashTimeout specifies
# the reload period of the remote splash page.
#
# SplashURL http://example.com/get_splash_page.cgi?node=$NodeID
#
# SplashTimeout 21600
###### Active/Passive Portal settings.
# None of these settings affect open mode operation.
#
# TrustedGroups - A list of groups registered with the auth server
# that a user may claim membership in order to gain Member-class
# access through this portal. The default magic value "Any" indicates
# that a member of *any* group is granted member-class access from
# this gateway. NOT YET IMPLEMENTED.
#
# TrustedGroups NoCat NYCWireless PersonalTelco
#
TrustedGroups Any
##
# Owners - Optional. List all local "owner" class users here, separated
# by spaces. Owners typically get full bandwidth, and unrestricted
# access to all network resources. NOT YET IMPLEMENTED.
#
# Owners rob@nocat.net schuyler@nocat.net
##
# AuthServiceAddr - Required, for captive mode. Must be set to the address of
# your authentication service. You must use an IP address
# if DNS resolution isn't available at gateway startup.
#
# AuthServiceAddr 208.201.239.21
#
##
# AuthServiceURL - HTTPS URL to the login script at the authservice.
#
##
# LogoutURL - HTTP URL to redirect user after logout.
#
##
# PGPKeyPath -- The directory in which PGP keys are stored.
# NoCat tries to find this in the pgp/ directory above
# the bin/ parent directory. Set this only if you put it
# somewhere that NoCat doesn't expect.
#
# PGPKeyPath /usr/share/nocat/pgp
### Network Topology
#
# FirewallPath - Where to find the firewall scripts.
# Defaults to /usr/lib/nocat via compile-time option.
#
# FirewallPath /usr/lib/nocat
#
# ExternalDevice - Required if and only if NoCatAuth can't figure it out
# from looking at your routing tables and picking the interface
# that carries the default route. Must be set to the interface
# connected to the Internet. Usually 'eth0' or 'eth1'
# under Linux, or maybe even 'ppp0' if you're running
# PPP or PPPoE.
#
# ExternalDevice eth0
##
# InternalDevice - Required if and only if your machine has more than two
# network interfaces. Must be set to the interface connected to your local
# network, normally your wireless card.
#
InternalDevice br-guest
##
# LocalNetwork - Required if and only if NoCatSplash can't figure it out
# by polling the InternalDevice. Must be set to the network
# address and net mask of your internal network. You
# can use the number of bits in the netmask (e.g. /16, /24, etc.)
# or the full x.x.x.x specification.
#
LocalNetwork 10.0.0.0/24
##
# DNSAddr - Optional. *If* you choose not to run DNS on your internal network,
# specify the address(es) of one or more domain name server on the Internet
# that wireless clients can use to get out. Should be the same DNS that your
# DHCP server hands out.
#
DNSAddr 8.8.8.8
##
# AllowedWebHosts - Optional. List any domains that you would like to
# allow web access (TCP port 80 and 443) BEFORE logging in (this is the
# pre-'skip' stage, so be careful about what you allow.)
#
AllowedWebHosts www.c2root.be www.linux.com
##
# RouteOnly - Required only if you DO NOT want your gateway to act as a NAT.
# Uncomment this only if you're running a strictly routed network, and
# don't need the gateway to enable NAT for you.
#
# RouteOnly 1
##
# MembersOnly - Optional. Uncomment this if you want to disable public
# access (i.e. unauthenticated 'skip' button access). You'll also want to
# point AuthServiceURL somewhere that doesn't include a skip button (like
# at your own Auth server.)
#
# MembersOnly 1
##
# IncludePorts - Optional. Specify TCP ports to allow access to when
# public class users login. All others will be denied.
#
# For a list of common services and their respective port numbers, see
# your /etc/services file. Depending on your firewall, you might even
# be able to specify said services here, instead of using port numbers.
#
#IncludePorts 80 443
##
# ExcludePorts - Optional. Specify TCP ports to deny access to when
# public class users login. All others will be allowed.
#
# Note that you should use either IncludePorts or ExcludePorts, but not
# both. If neither is specified, access is granted to all ports to
# public class users.
#
# You should *always* exclude port 25, unless you want to run a portal
# for wanton spam sending. Users should have their own way of sending
# mail. It sucks, but that's the way it is. Comment this out *only if*
# you're using IncludePorts instead.
#
ExcludePorts 23 25 111
#
#ExcludePorts 25
####### Syslog Options
#
# Log Facility - syslog or internal. "internal" sends log messages
# using STDERR. "syslog" sends all messages to the system log.
LogFacility syslog
##
# SyslogIdent - The ident of the program that is calling syslog. This will
# be prepended to every log entry made by NoCat. Defaults to NoCat.
#
SyslogIdent NoCat
###### Other Common Gateway Options. (stuff you probably won't have to change)
#
# ResetCmd, PermitCmd, DenyCmd -- Shell commands to reset,
# open and close the firewall. You probably don't need to
# change these.
#
# ResetCmd initialize.fw
# PermitCmd access.fw permit $MAC $IP $Class
# DenyCmd access.fw deny $MAC $IP $Class
##
# GatewayPort - The TCP port to bind the gateway
# service to. 5280 is de-facto standard for NoCatAuth.
# Change this only if you absolutely need to.
#
# GatewayPort 5280
##
#
# IdleTimeout -- How often to check the ARP cache, in seconds,
# for expiration of idle clients. NOT YET IMPLEMENTED.
#
# MaxMissedARP -- How many times a client can be missing from
# the ARP cache before we assume they've gone away, and log them
# out. Set to 0 to disable logout based on ARP cache expiration.
#
# MaxMissedARP 2
#
# IdleTimeout 300
### Fin!
I copied a startup script from this forum (from a post a very long time ago):
#!/bin/sh
#
# start/stop splashd super server.
case "$1" in
start)
echo -n "Starting NoCat splash server:"
echo -n " splashd" ;
/usr/sbin/splashd -D &
echo "."
;;
stop)
echo -n "Stopping NoCat splash server:"
echo -n " splashd" ;
killall splashd
echo "."
;;
restart)
echo -n "Restarting NoCat splash server:"
echo -n " splashd"
$0 stop
$0 start
echo "."
;;
*)
echo "Usage: $0 {start|stop|restart}"
exit 1
;;
esac
exit 0
Any clues on why it is not always redirecting?
My /etc/config/network looks like the following:
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config interface 'lan'
option ifname 'eth1'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
config interface 'guest'
option proto 'static'
option type 'bridge'
option ipaddr '10.0.0.1'
option netmask '255.255.255.0'
config interface 'wan'
option ifname 'eth0'
option proto 'dhcp'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0 1 2 3 4'
Any clues welcome
Kind regards
Steve
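An added illustration of what the gateway side of this setup does per flow; it is not code from the post or from NoCatSplash. The script walks a constructed iptables-save rule set modelled on the nocat.conf above (AllowedWebHosts pass through, every other port-80 connection is DNATed to splashd on GatewayPort 5280, DNSAddr is reachable before accept, ExcludePorts is applied after accept) and prints the verdict for the kinds of requests listed in points 1, 2 and 4. The chain names, the 0x1 mark used to represent an accepted client, and 198.51.100.10 standing in for www.c2root.be are assumptions, not what initialize.fw and access.fw really install. The HTTPS row is the caveat a practitioner wants: a portal cannot redirect port 443 because it has no certificate for the requested hostname, so before accept the connection is either dropped (the browser waits, as in point 4) or rejected. Note also that a resolver handed out by dnsmasq as 10.0.0.1 is INPUT traffic on the gateway and is not covered by this FORWARD walk; the model only follows the nocat.conf comment that DNSAddr should be the resolver DHCP hands out.

```python
"""
Walk a NoCat-style capture rule set for one guest packet and report the
verdict. Added example, not NoCatSplash's own code: the iptables-save lines
are constructed to mirror what nocat.conf on this page asks for; the chain
names, the 0x1 mark and the resolved www.c2root.be address are assumptions.
"""
from ipaddress import IPv4Address, IPv4Network

GATEWAY, GATEWAY_PORT = "10.0.0.1", 5280   # br-guest address, nocat.conf GatewayPort
C2ROOT = "198.51.100.10"                   # assumed: www.c2root.be as resolved at splashd start
DNS = "8.8.8.8"                            # nocat.conf DNSAddr

# Constructed rule set. A client that has clicked "accept" is assumed to carry
# mark 0x1 (the real access.fw keys on MAC and IP instead).
NAT = f"""
-A PREROUTING -i br-guest -j NoCat_Capture
-A NoCat_Capture -m mark --mark 0x1 -j RETURN
-A NoCat_Capture -d {C2ROOT}/32 -j RETURN
-A NoCat_Capture -p tcp --dport 80 -j DNAT --to-destination {GATEWAY}:{GATEWAY_PORT}
"""
FILTER = f"""
-A FORWARD -i br-guest -j NoCat_Ports
-A FORWARD -i br-guest -j NoCat_Inbound
-A NoCat_Ports -p tcp --dport 25 -j DROP
-A NoCat_Inbound -m mark --mark 0x1 -j ACCEPT
-A NoCat_Inbound -d {C2ROOT}/32 -p tcp --dport 80 -j ACCEPT
-A NoCat_Inbound -d {C2ROOT}/32 -p tcp --dport 443 -j ACCEPT
-A NoCat_Inbound -d {DNS}/32 -p udp --dport 53 -j ACCEPT
-A NoCat_Inbound -j DROP
"""

def parse_rules(text):
    """Parse the iptables-save subset above into {chain: [rule dict, ...]}.
    Every flag in this subset takes exactly one value, so tokens pair up."""
    chains = {}
    for line in text.strip().splitlines():
        toks = line.split()
        opts = {toks[i]: toks[i + 1] for i in range(0, len(toks), 2)}
        rule = {
            "target": opts["-j"],
            "iface": opts.get("-i"),
            "dst": IPv4Network(opts["-d"]) if "-d" in opts else None,
            "proto": opts.get("-p"),
            "dport": int(opts["--dport"]) if "--dport" in opts else None,
            "mark": int(opts["--mark"], 16) if "--mark" in opts else None,
            "to": opts.get("--to-destination"),
        }
        chains.setdefault(opts["-A"], []).append(rule)
    return chains

def matches(rule, pkt):
    """A rule matches when every matcher it carries agrees with the packet."""
    return ((rule["iface"] is None or rule["iface"] == pkt["iface"])
            and (rule["dst"] is None or pkt["dst"] in rule["dst"])
            and (rule["proto"] is None or rule["proto"] == pkt["proto"])
            and (rule["dport"] is None or rule["dport"] == pkt["dport"])
            and (rule["mark"] is None or rule["mark"] == pkt["mark"]))

def walk(chains, chain, pkt):
    """Terminating target for pkt in `chain`, or 'RETURN' when it falls through.
    Jumps into user-defined chains recurse; RETURN resumes in the caller."""
    for rule in chains.get(chain, []):
        if not matches(rule, pkt):
            continue
        target = rule["target"]
        if target in chains:
            result = walk(chains, target, pkt)
            if result != "RETURN":
                return result
        elif target == "RETURN":
            return "RETURN"
        else:
            return f"{target} {rule['to']}" if rule["to"] else target
    return "RETURN"

NAT_CHAINS, FILTER_CHAINS = parse_rules(NAT), parse_rules(FILTER)

def verdict(dst, proto, dport, accepted=False):
    """What the gateway does with a new flow from br-guest to dst:dport."""
    pkt = {"iface": "br-guest", "dst": IPv4Address(dst), "proto": proto,
           "dport": dport, "mark": 1 if accepted else 0}
    nat = walk(NAT_CHAINS, "PREROUTING", pkt)
    if nat.startswith("DNAT"):          # rewritten to splashd; never reaches FORWARD
        return "redirect to splash at " + nat.split()[1]
    fwd = walk(FILTER_CHAINS, "FORWARD", pkt)
    if fwd == "RETURN":                 # fell through: guest -> wan forwarding is allowed
        fwd = "ACCEPT"
    return "pass" if fwd == "ACCEPT" else "drop (client waits for a reply that never comes)"

if __name__ == "__main__":
    for label, args in [
        ("HTTP  to www.c2root.be, before accept", (C2ROOT, "tcp", 80)),
        ("HTTP  to another site, before accept", ("203.0.113.5", "tcp", 80)),
        ("HTTPS to another site, before accept", ("203.0.113.5", "tcp", 443)),
        ("HTTPS to another site, after accept", ("203.0.113.5", "tcp", 443, True)),
        ("SMTP  after accept (ExcludePorts 25)", ("203.0.113.5", "tcp", 25, True)),
        ("DNS   to DNSAddr, before accept", (DNS, "udp", 53)),
    ]:
        print(f"{label:40} -> {verdict(*args)}")
```

To compare the model with a live box, run `iptables-save` on the router after splashd starts and feed the real NoCat chains into `parse_rules` in place of the constructed strings; the walk only understands the flags used above, so extend the parser for any match extensions the real rules carry.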
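For the client side, an added probe script (not from the post or from NoCatSplash) that runs the manual browser tests above with curl and classifies each answer: a redirect pointing at the gateway's splash port means the capture worked, a curl timeout means the packets were silently dropped (a DROP rule, the "keeps waiting" symptom), a connection refused means an explicit REJECT. It assumes the gateway is 10.0.0.1 and splashd listens on 5280 (the GatewayPort default); the hostnames are only the ones mentioned in the post.

```sh
#!/bin/sh
# Client-side captive-portal probe; run from a guest wifi client as
# "sh probe.sh run". Added example, not part of NoCatSplash. Assumes the
# gateway is 10.0.0.1 and splashd listens on GatewayPort 5280.
GATEWAY="${GATEWAY:-10.0.0.1}"
GATEWAY_PORT="${GATEWAY_PORT:-5280}"

# classify <curl_exit_code> <redirect_url>
# Prints one word for what the portal did with the request:
#   captive - redirected to the splash page on the gateway (capture worked)
#   pass    - reached the real site without a redirect to the gateway
#   timeout - curl exit 28: packets silently dropped (DROP, not REJECT)
#   refused - curl exit 7: connection refused/unreachable (an explicit REJECT)
#   error   - anything else (e.g. a TLS failure against a captured HTTPS site)
classify() {
    exit_code="$1"; location="$2"
    case "$exit_code" in
        0)
            case "$location" in
                *"$GATEWAY:$GATEWAY_PORT"*) echo captive ;;
                *) echo pass ;;
            esac ;;
        28) echo timeout ;;
        7)  echo refused ;;
        *)  echo error ;;
    esac
}

# probe <url>: one request, redirects not followed, 5 s budget, no proxy
probe() {
    url="$1"; rc=0
    out=$(curl -sS -o /dev/null -m 5 --noproxy '*' \
          -w '%{http_code} %{redirect_url}' "$url" 2>/dev/null) || rc=$?
    status=${out%% *}
    location=${out#* }
    printf '%-34s curl=%-3s http=%-3s %s\n' "$url" "$rc" "$status" \
        "$(classify "$rc" "$location")"
}

run_probes() {
    probe http://www.c2root.be/          # AllowedWebHosts: expect pass
    probe http://www.homerecording.be/   # port 80, not allowed: expect captive
    probe https://www.homerecording.be/  # port 443 cannot be redirected: timeout or refused
    probe https://www.Facebook.com/      # the case from point 4 of the post
}

case "${1:-}" in
    run) run_probes ;;
esac
```

Run it once before clicking through the splash page and once after; the second run should show every line as pass, and a line that stays captive or timeout after accept points at the rule splashd installs for that client rather than at the browser.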