Nodogsplash

Nodogsplash offers a simple way to open a free Hotspot (Wi-Fi) providing restricted access to an Internet connection.
The goal was to use a single wireless router to both provide local secure Wi-Fi and share a portion of our bandwidth as a free hotspot, with a splash page to advertise who is providing the hotspot and the fact that secure, faster access is available for a small contribution towards costs.

This page describes setting up a simple wireless hotspot with the following features:

  • Open access to the hotspot
  • Capture (splash) page
  • Port restrictions
  • Bandwidth Limit
  • Separate, secure wireless access for local use

The secure wireless network is bridged to the hard-wired ports; the hotspot is a separate network, isolated from the local one.

Note: IMQ (needed for the bandwidth limit) is still in Backfire, but is no longer available in Attitude Adjustment.

Installation

opkg

opkg update
opkg install nodogsplash

Configuration

Network

/etc/config/network

config 'interface' 'lan'
	option 'type'	'bridge'
	option 'ifname'	'eth0.0'
	option 'proto'	'static'
	option 'ipaddr'	'10.10.10.1'
	option 'netmask'	'255.255.255.0'

config 'interface' 'wan'
	option 'ifname'	'eth0.1'
	option 'proto'	'dhcp'

config 'interface' 'wifi'
	option 'ifname'	'eth1.0'
	option 'proto'	'static'
	option 'ipaddr'	'10.10.15.1'
	option 'netmask'	'255.255.255.0'

Wireless

/etc/config/wireless

config 'wifi-device' 'wlan0'
	option 'type'	'mac80211'
	option 'channel'	'11'
	option 'disabled'	'0'

config 'wifi-iface'
	option 'device'	'wlan0'
	option 'network'	'lan'
	option 'mode'	'ap'
	option 'ssid'	'mywifi-secure'
	option 'encryption'	'psk2'
	option 'hidden'	'0'
	option 'key'	'your%verylong.andsecure-pskkey'

config 'wifi-iface'
	option 'device'	'wlan0'
	option 'network'	'wifi'
	option 'mode'	'ap'
	option 'ssid'	'public-hotspot'
	option 'encryption'	'none'
	option 'hidden'	'0'

dhcpd

/etc/config/dhcp

config 'dhcp'
	option 'interface'	'lan'
	option 'start'	'100'
	option 'limit'	'150'
	option 'leasetime'	'12h'

config 'dhcp'
	option 'interface'	'wan'
	option 'ignore'	'1'

config 'dhcp'
	option 'interface'	'wifi'
	option 'start'	'100'
	option 'limit'	'150'
	option 'leasetime'	'2h'

Nodogsplash

/etc/nodogsplash/nodogsplash.conf

Note: Kamikaze 8.09 is recommended here, as nodogsplash didn't include anything in /etc/ until 8.09. Also, the init.d script for nodogsplash currently requires a few fixes, available here.

(relevant changes only)

Tell nodogsplash to manage the public hotspot connection:

GatewayInterface wlan0.1

Allow access to email:

FirewallRuleSet authenticated-users {
...
FirewallRule allow tcp port 995
FirewallRule allow tcp port 993
FirewallRule allow tcp port 465
FirewallRule allow tcp port 110
FirewallRule allow tcp port 143

Restrict access to the gateway from the hotspot side:

FirewallRuleSet users-to-router {
...
#    FirewallRule allow tcp port 22
#    FirewallRule allow tcp port 80
#    FirewallRule allow tcp port 443

Restrict bandwidth available to hotspot (adjust according to preference):

trafficControl yes
...
DownloadLimit 200
...
UploadLimit 100
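As an added example (not from the original page and not part of nodogsplash itself), the script below audits a nodogsplash.conf for the two settings above: that the users-to-router rule set does not allow tcp 22, 80 or 443 to the router, and that traffic control is on. The sample config it writes is constructed for this example, and the matching is an approximation of the file format shown on this page rather than nodogsplash's own parser.

```shell
#!/bin/sh
# Added example: audit a nodogsplash.conf for the hotspot-side hardening
# described above. Not nodogsplash code; the sample config is constructed.

# Print the uncommented "FirewallRule allow" lines inside one FirewallRuleSet
# block.  $1 = conf path, $2 = rule set name (e.g. users-to-router)
nds_ruleset_allows() {
    awk -v set="$2" '
        /^[ \t]*FirewallRuleSet[ \t]/          { inset = ($2 == set) }
        inset && /^[ \t]*}/                    { inset = 0 }
        inset && /^[ \t]*FirewallRule[ \t]+allow/ { print }
    ' "$1"
}

# Return 0 when users-to-router does not allow tcp 22/80/443 (ssh, http,
# https to the router itself stay closed to hotspot clients), 1 otherwise.
nds_router_ports_closed() {
    if nds_ruleset_allows "$1" users-to-router \
        | grep -Eq 'tcp[[:space:]]+port[[:space:]]+(22|80|443)([[:space:]]|$)'; then
        return 1
    fi
    return 0
}

# Return 0 when TrafficControl (any capitalisation) is set to yes.
nds_traffic_control_on() {
    grep -Eiq '^[[:space:]]*TrafficControl[[:space:]]+yes' "$1"
}

# Write a constructed sample conf to $1.  "weak" leaves ssh/http to the router
# open for hotspot clients; "hardened" comments them out as the page does.
nds_write_sample() {
    if [ "$2" = weak ]; then pfx=""; else pfx="#"; fi
    cat > "$1" <<EOF
GatewayInterface wlan0.1
TrafficControl yes
FirewallRuleSet authenticated-users {
    FirewallRule allow tcp port 993
}
FirewallRuleSet users-to-router {
    FirewallRule allow udp port 53
${pfx}    FirewallRule allow tcp port 22
${pfx}    FirewallRule allow tcp port 80
}
EOF
}
```

Run the checks against the real file with `nds_router_ports_closed /etc/nodogsplash/nodogsplash.conf` after any change to the rule sets.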

In Backfire 10.03.1rc5 you need to edit /etc/init.d/nodogsplash and uncomment the last lines to make bandwidth control work:

    # if not using traffic control,
    # you can comment out the following 3 lines:
    do_module_tests "imq" "numdevs=2"
    do_module_tests "ipt_IMQ"
    do_module_tests "sch_htb"

You also need to install some extra kernel modules:

    opkg install iptables-mod-imq
    opkg install kmod-ipt-imq
    opkg install kmod-sched

Check status

The Nodogsplash package provides the ndsctl binary to manage it. Run ndsctl without arguments to see the help:

root@openWrt:~# ndsctl       
Usage: ndsctl [options] command [arguments]

options:
  -s <path>         Path to the socket
  -h                Print usage

commands:
  status            View the status of nodogsplash
  clients           Display machine-readable client list
  stop              Stop the running nodogsplash
  auth ip           Authenticate user with specified ip
  deauth mac|ip     Deauthenticate user with specified mac or ip
  block mac         Block the given MAC address
  unblock mac       Unblock the given MAC address
  allow mac         Allow the given MAC address
  unallow mac       Unallow the given MAC address
  trust mac         Trust the given MAC address
  untrust mac       Untrust the given MAC address
  loglevel n        Set logging level to n
  password pass     Set gateway password
  username name     Set gateway username

Customise splash page

Edit these files to customise the splash page and the error page:

  • /etc/nodogsplash/htdocs/splash.html
  • /etc/nodogsplash/htdocs/infoskel.html

Note: to include an external *.css file, put it in the images directory and include it like this:

@import url("$imagesdir/stylesheet.css");

Somewhere in splash.html you should include a link for the authentication, e.g.:

<h3> Click <a href="$authtarget"> HERE</a> to start browsing </h3>

Restrict access to domains

If you want to block hotspot clients from reaching the IP address 20.20.20.20, you can use this netfilter command (assuming 10.20.30.0/24 is your hotspot network and 10.20.30.1:2050 is the nodogsplash webserver that clients are redirected to):

  iptables -t nat -I ndsOUT -p tcp -s 10.20.30.0/24 -d 20.20.20.20 --dport 80 -j DNAT --to 10.20.30.1:2050

Restrict access to multiple domains

Some domains resolve to several different IP addresses, so you need to ban all of them.

  1. Create /root/banned.txt with the domains to ban (do not add domains with www):
    root@openWrt:~# head /root/banned.txt 
    alice.cc
    malware.ru
    sersnkis.com
    superdupertorrent.com
    ultraload.com
    downloadmuch.com
    
  2. Create the following script, /root/ban-domains.sh:
    #!/bin/sh
    # Resolve every banned domain to its IPv4 addresses and redirect HTTP
    # requests from hotspot clients to those addresses to the nodogsplash webserver.
    HOTSPOT_NET=10.20.30.0/24
    REDIRECT_TO=10.20.30.1:80
    IPS=/tmp/ips.txt

    : > "$IPS"   # start from an empty list even if an earlier run left one behind
    for domain in $(cat /root/banned.txt); do
    	# +short prints answer records only; keep A records (dotted-quad IPv4)
    	# and drop CNAME targets, which are names rather than addresses
    	dig @8.8.8.8 "$domain" A +short | grep -E '^[0-9.]+$' >> "$IPS"
    done

    for ip in $(cat "$IPS"); do
    	iptables -t nat -I ndsOUT -p tcp -s "$HOTSPOT_NET" -d "$ip" --dport 80 -j DNAT --to "$REDIRECT_TO"
    done

    rm -f "$IPS"
  3. Make it executable:
    chmod +x /root/ban-domains.sh
  4. Install the dig package:
    opkg install bind-dig
  5. Add /root/ban-domains.sh to your /etc/rc.local file.

After executing the script you can check that it worked by running "iptables -t nat -L -n"; you should get something like this:

Chain ndsOUT (1 references)
target     prot opt source               destination         
DNAT       tcp  --  10.20.30.0/24        199.58.211.41       tcp dpt:80 to:10.20.30.1:80 
DNAT       tcp  --  10.20.30.0/24        69.163.39.214       tcp dpt:80 to:10.20.30.1:80 
DNAT       tcp  --  10.20.30.0/24        78.140.135.6        tcp dpt:80 to:10.20.30.1:80 
DNAT       tcp  --  10.20.30.0/24        74.117.114.96       tcp dpt:80 to:10.20.30.1:80 
DNAT       tcp  --  10.20.30.0/24        88.85.73.158        tcp dpt:80 to:10.20.30.1:80 
DNAT       tcp  --  10.20.30.0/24        216.69.227.108      tcp dpt:80 to:10.20.30.1:80 
DNAT       tcp  --  10.20.30.0/24        72.8.129.153        tcp dpt:80 to:10.20.30.1:80 

External links


doc/howto/wireless.hotspot.nodogsplash.txt · Last modified: 2011/11/06 11:15 by orca