set up the captive portal on openwrt - openwrt

I'm trying to set up the captive portal on openwrt.
I did all the work. And when users connect to the router, they are automatically redirected to the index.html page.
But when the upstream Internet connection is down, Android shows an "Internet may not be available" message and does not detect the captive portal page.
file /etc/config/dhcp
root@OpenWrt:/etc/config# cat dhcp
# /etc/config/dhcp — dnsmasq + odhcpd settings for the captive-portal router.
# The `config domain` stanzas at the end pin the hostnames that phones and
# browsers use for connectivity detection to the router itself (192.168.1.1),
# so the portal page is served in place of the vendors' check endpoints.
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option localise_queries '1'
# Rebind protection drops upstream answers that point into private ranges.
# The overrides below are answered locally, so they are not affected by it.
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
# NOTE(review): logqueries writes every client lookup to the system log. Handy
# while debugging portal detection, but on a shared hotspot it is a privacy
# exposure — switch it off once the portal works.
option logqueries '1'
# Hand out 192.168.1.100-249 on the LAN with 12h leases; IPv6 (DHCPv6 + RA)
# is served as well.
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
# NOTE(review): clients also get IPv6 here. The overrides below carry only an
# IPv4 answer; check that an AAAA lookup for the same names is answered locally
# and not forwarded upstream, otherwise a v6-capable client may sidestep the
# portal whenever the uplink is up.
option dhcpv6 'server'
option ra 'server'
option ra_management '1'
# No DHCP on the WAN side.
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
# Connectivity-check hostnames, all resolved to the router. Each entry answers
# for the exact name written (presumably a hosts-file style record), so a
# vendor hostname not listed here is not covered.
# NOTE(review): this only steers DNS. As far as I know Android's check is an
# HTTP GET to connectivitycheck.gstatic.com expecting "204 No Content"; the
# web server on 192.168.1.1 has to answer that request with a redirect/login
# page rather than a 204 for the "sign in to network" prompt to appear. ICMP
# is not part of that check, so dropping ICMP in iptables changes nothing —
# confirm against the web-server configuration.
config domain
option name 'connectivitycheck.gstatic.com'
option ip '192.168.1.1'
config domain
option name 'apple.com'
option ip '192.168.1.1'
config domain
option name 'captive.apple.com'
option ip '192.168.1.1'
config domain
option name 'detectportal.firefox.com'
option ip '192.168.1.1'
config domain
option name 'gstatic.com'
option ip '192.168.1.1'
config domain
option name 'clients3.google.com'
option ip '192.168.1.1'
config domain
option name 'connectivitycheck.android.com'
option ip '192.168.1.1'
config domain
option name 'msftconnecttest.com'
option ip '192.168.1.1'
config domain
option name 'play.googleapis.com'
option ip '192.168.1.1'
config domain
option name 'spectrum.s3.amazonaws.com'
option ip '192.168.1.1'
config domain
option name 'mtalk.google.com'
option ip '192.168.1.1'
config domain
option name 'alt3-mtalk.google.com'
option ip '192.168.1.1'
config domain
option name 'alt4-mtalk.google.com'
option ip '192.168.1.1'
config domain
option name 'connectivity-check.ubuntu.com'
option ip '192.168.1.1'
I thought Android devices use ICMP packets to check for Internet access, so I used iptables to drop all ICMP packets, but that did not help either.
Note
This problem occurs only when Android users connect. Ubuntu and Firefox recognize the index page.


Mesh network with OpenWrt: clients can not ping each other

I am building a WiFi mesh network using Openwrt 802.11s and Tp-Link wr703n mini routers for my final year project. OLSR is running as a routing protocol. I am using Linux.
Total of 4 routers
LAN IP address | MAC (suffix) | Mesh IP address
Node A 192.168.10.1 AO 192.168.5.1
Node B 192.168.11.1 6E 192.168.5.2
Node C 192.168.12.1 42 192.168.5.3
Node D 192.168.13.1 54 192.168.5.4
Above you can see the Lan IP address and the mesh addresses of each router.
So client X is connected to Node A with a cable and is assigned the IP address 192.168.10.100. Client Y is connected to Node D and is assigned the IP address 192.168.13.50.
When I try to ping X from Y, I cannot get it to work. Also, I can't ping the mesh IP addresses as well from the operating system terminal. But when I am logged to the OpenWrt via terminal, I am able to ping any IP addresses within the mesh.
I have captured some 802.11s beacon frame which I am adding to the post.
If you look at the very end:
Capability: 0x01
...
.... 0... = Mesh Forwarding: No
...
I feel like that's the problem because I have a previous thesis paper and the student that did that project has that setting to be Yes, and it was working.
So, does anybody have any idea?
Additionally, I checked with Wireshark that OLSR is working perfectly and transmits hello messages, to messages, etc.
One of the routers config files -- OLSRD ----network---wireless (they are all the same except the IP addresses):
root@OpenWrt:/etc/config# cat wireless
# /etc/config/wireless — single 2.4 GHz radio, used as an 802.11s mesh point.
config wifi-device 'radio0'
option type 'mac80211'
option macaddr '14:cf:92:3c:67:54'
option hwmode '11ng'
option htmode 'HT20'
list ht_capab 'SHORT-GI-20'
list ht_capab 'SHORT-GI-40'
list ht_capab 'RX-STBC1'
list ht_capab 'DSSS_CCK-40'
option country 'IE'
option channel '11'
# txpower is in dBm; 7 is low. Fine on a bench, but keep it in mind when
# judging link quality between the nodes.
option txpower '7'
# Mesh interface, attached to the 'mesh' network (192.168.5.x) in
# /etc/config/network.
config wifi-iface
option device 'radio0'
option mesh_id 'mesh_OpenWrt'
option mode 'mesh'
option network 'mesh'
# NOTE(review): the mesh is open — any radio in range can join 'mesh_OpenWrt'
# and take part in routing. Once the ping problem is solved, move to
# `option encryption 'sae'` with a `key` (needs a wpad build with mesh/SAE
# support) before relying on this network.
# NOTE(review): the captured beacon shows "Mesh Forwarding: No". Nothing in
# this stanza sets it, so the value comes from the driver/build default; if
# your build supports it, `option mesh_fwding` is the knob (inspect with
# `iw dev wlan0 get mesh_param mesh_fwding`). With OLSR doing the routing,
# also check that each node announces its wired subnet to OLSR (Hna4) — that
# is at least as likely a cause of the failed client-to-client pings.
option encryption 'none'
root@OpenWrt:/etc/config# cat network
# /etc/config/network — Node D: wired clients on 192.168.13.0/24 (br-lan),
# mesh side on 192.168.5.4.
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config interface 'lan'
option ifname 'eth0'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '192.168.13.1'
# NOTE(review): the gateway given here is this node's own mesh address. A
# default route pointing at a local address achieves nothing; routes to the
# other nodes' LANs have to come from olsrd, and each node has to announce its
# LAN subnet (Hna4) for that to happen — verify with `route -n` on a neighbour.
option gateway '192.168.5.4'
# Mesh-side address; wlan0 (the 802.11s interface) is attached here.
config interface 'mesh'
option _orig_ifname 'wlan0'
option _orig_bridge 'false'
option proto 'static'
option ipaddr '192.168.5.4'
option netmask '255.255.255.0'
root@OpenWrt:/etc/config# cat olsrd
# /etc/config/olsrd — OLSR routing over the 'mesh' interface.
config olsrd
option IpVersion '4'
option FIBMetric 'flat'
option LinkQualityLevel '2'
option LinkQualityAlgorithm 'etx_ff'
option OlsrPort '698'
option Willingness '3'
option NatThreshold '1.0'
config LoadPlugin
option library 'olsrd_arprefresh.so.0.1'
config LoadPlugin
option library 'olsrd_dyn_gw.so.0.5'
# NOTE(review): the httpinfo status page on port 1978 is reachable from any
# address (Net 0.0.0.0/0), and txtinfo's `accept '0.0.0.0'` appears to admit
# any client as well. On an unencrypted mesh that publishes the full topology
# to anyone in range; restrict both to the mesh/LAN ranges (or localhost) once
# debugging is done.
config LoadPlugin
option library 'olsrd_httpinfo.so.0.1'
option port '1978'
list Net '0.0.0.0 0.0.0.0'
config LoadPlugin
option library 'olsrd_nameservice.so.0.3'
config LoadPlugin
option library 'olsrd_txtinfo.so.0.1'
option accept '0.0.0.0'
# olsrd runs on the 'mesh' network interface only.
config Interface
option ignore '0'
option Mode 'mesh'
option interface 'mesh'
config InterfaceDefaults
option Mode 'mesh'
# NOTE(review): no `config Hna4` stanza announces this node's wired subnet
# (192.168.13.0/24). Without an HNA the other nodes learn only the
# 192.168.5.x mesh addresses, which matches the symptom described — pings work
# from the routers themselves but not between wired clients. Presumably the
# missing piece; verify with `route -n` on another node.
I believe there will be one bridge interface, br-lan, and two wireless interfaces, wlan0 and wlan1.
In NODE A:
Add these two interfaces wlan0, wlan1 into the bridge br-lan.
wlan0<----[br-lan]--->wlan1
wlan0 make as a mesh point.
wlan1 make as AP.
Make the changes in /etc/config/network
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '192.168.13.1'
3. Run the dhcp server on br-lan of NodeA
Make the changes in /etc/config/network of other Nodes same as below:
option proto 'dhcp'
Now all NodeB,NodeC,NodeD are in same DHCP subnet IP series of NodeA.
192.168.13.x, DHCP clients are running on all NodeB/C/D and DHCP server is running NodeA.
It will resolve your end to end PING issue.
Another approach if you want to access the internet to all nodes.
Setup should be like this:
ISP<----ETH--->wan[NodeA]-wlan0<---mesh-->wlan0-[NodeB]<---mesh-->wlan0-[NodeC]<---mesh--->wlan0-[NodeD]-wlan1 <---wifi--->sta/pc
All nodes will get DHCP IP, in every br-lan of nodes we need to run dhcp client.
NodeA
wan interface eth0.2
-Add all interface eth0.2, wlan0, wlan1 into bridge br-lan.
- Make the changes in /etc/config/network
option type 'bridge'
option proto 'dhcp'
# option netmask '255.255.255.0' /* comment this line */
# option ipaddr '192.168.13.1' /* comment this line */
Rest of the nodes will same as previous.
This will resolve your end to end ping issue, even every nodes and STA has access to internet.

restrict SSH connection to specific URL/domain name

I have a server with 2 domain names (let's say domain1.com and domain2.com).
I can SSH into the server with ssh user@domain1.com and ssh user@domain2.com. I would like to allow only ssh user@domain1.com and disable SSH access via domain2.com.
Is that possible?
It does not seem possible to allow SSH connections only for a specific domain name. The client resolves the domain name via DNS before it connects, and the SSH protocol carries no equivalent of HTTP's Host header or TLS SNI, so the SSH server has no way of knowing which name you used. See also this answer to the same question.
One thing you might try to do is to configure a firewall (for example iptable) to drop connection to domain2.com on port 22.
A similar problem was discussed here, where they were trying to block a domain in iptables so that visitor could not access the http server using it.
Adjusting the iptables rule to your case ( and assuming that your ssh server is running on port 22) I would try this:
iptables -I INPUT -p tcp --dport 22 -m string --string "Host: domain2.com" --algo bm -j DROP
UPDATE:
As Dusan Bajic commented, the rule above would only work for HTTP traffic because it relies on the HTTP Host header; SSH carries no such field, so the rule never matches and does not help here. The only thing the server can distinguish is the destination IP address and port: if the two names resolve to different addresses, bind sshd to one of them with `ListenAddress` in sshd_config (or filter the other address on port 22 in the firewall); if both names resolve to the same address, there is nothing to key on.

How to access the localhost ruby on rails server in internet?

I m using railsinstaller
http://localhost:3000/wage
Next page
http://localhost:3000/wage/results?hours=23
I try to access
myip:3000/wage
But it shows ERR_CONNECTION_REFUSED
I get the myip from ipconfig-->ipv4
Is the url wrong or configuration problem?
You've started well, but for local LAN only.
For intranet only, you can use your LAN ip.
Test it from another local machine (same LAN). Hope it works.
If your firewall and machine settings allow you to view on intranet, than go to next step:
For internet,
first find your public Internet address (e.g. by visiting http://api.ipify.org/, which shows it) and use it to reach the site: http://<public_address>:3000/
If it works on the intranet but not from the Internet, you need to open port 3000 on your router and forward it to your local machine (if you have no access to the router settings, ask your administrator). Be aware that this exposes a Rails *development* server — verbose error pages, no TLS, development-mode settings — to the whole Internet; do it only temporarily for testing, and use a proper production deployment (production environment behind a reverse proxy with TLS) for anything longer-lived.
Give me more details for a more complete solution.
What OS are you using?
EDIT:
For Windows10 you have to make sure to open the port 3000 in your firewall.
Navigate to Control Panel, System and Security and Windows Firewall.
Select Advanced settings and highlight Inbound Rules in the left pane.
Right click Inbound Rules and select New Rule.
Add the port you need to open and click Next.
Add the protocol (TCP or UDP) and the port number into the next window and click Next.
On the "Profile" step, tick only the profiles you need — Private is enough for testing from the LAN; include Public only if you really intend the port to be reachable from untrusted networks.
Select Allow the connection in the next window and hit Next.
Select the network type as you see fit and click Next.
Name the rule something meaningful (like: Allow incoming connections on port 3000) and click Finish.
To change the default 3000 port use:
rails server -p 8080 to change port
rails server -b 0.0.0.0 to bind 0.0.0.0 address
UPDATE:
When server starts will output to the console, the address:port it listens. example:
Listening on tcp://0.0.0.0:3000 as a development server it can be set to listen on localhost requests only.
To override that settings use:
rails server -p 3030 -b 0.0.0.0 (replace 3030 with your port) listens on every interface, i.e. it accepts connections from any host that can reach the machine on port 3030 — not just localhost.
For more details on the -p, and -b consult the help:
$ rails server -h
Usage: rails server [mongrel, thin etc] [options]
-p, --port=port Runs Rails on the specified port.
Default: 3000
-b, --binding=IP Binds Rails to the specified IP.
Default: localhost
-c, --config=file Uses a custom rackup configuration.
-d, --daemon Runs server as a Daemon.
-e, --environment=name Specifies the environment to run this server under (test/development/production).
Default: development
-P, --pid=pid Specifies the PID file.
Default: tmp/pids/server.pid
-C, --[no-]dev-caching Specifies whether to perform caching in development.
true or false
-h, --help Shows this help message.

CoovaChilli fails to redirect

I'm trying to set up a captive portal with CoovaChilli. So far I can get my router to distribute IP address from the 10.1.0.0/24 subnet, but when I attempt to go to www.youtube.com the browser simply hangs. I can access the captive portal only by manually entering 10.1.0.1. The related files are below
cat /etc/chilli/config
# /etc/chilli/config — CoovaChilli hotspot settings (presumably sourced as
# shell by chilli's scripts; keep values free of unquoted spaces).
# Subscriber side: clients attach via eth1 and are addressed out of 10.1.0.0.
HS_LANIF=eth1 # Subscriber Interface for client devices
HS_NETWORK=10.1.0.0 # HotSpot Network (must include HS_UAMLISTEN)
# NOTE(review): /16 here, but the question and eth1 (/etc/network/interfaces)
# use a /24 — the two should agree.
HS_NETMASK=255.255.0.0 # HotSpot Network Netmask
HS_UAMLISTEN=10.1.0.1 # HotSpot IP Address (on subscriber network)
HS_UAMPORT=3990 # HotSpot UAM Port (on subscriber network)
HS_UAMUIPORT=4990 # HotSpot UAM "UI" Port (on subscriber network, for embedded portal)
# RADIUS: local server, NAS identified as "localhost".
HS_NASID=localhost
HS_RADIUS=localhost
HS_RADIUS2=localhost
# NOTE(review): `testing123` is the well-known sample secret from the stock
# FreeRADIUS configuration and `greatsecret` is a placeholder; replace both
# with long random values before anyone but you can reach this hotspot.
HS_RADSECRET=testing123 # Set to be your RADIUS shared secret
HS_UAMSECRET=greatsecret # Set to be your UAM secret
HS_UAMALIASNAME=chilli
HS_SSID="GreenEarth"
HS_NASIP=127.0.0.1 # To explicitly set NAS-IP-Address
# Portal (UAM) served from the hotspot address itself. The `\$` is presumably
# kept literal on purpose so that chilli expands it later. Plain http:// means
# the login form and credentials travel in the clear over the open hotspot.
HS_UAMSERVER=$HS_UAMLISTEN
HS_UAMFORMAT=http://\$HS_UAMLISTEN/cake2/rd_cake/dynamic_details/chilli_browser_detect/
# NOTE(review): MAC auth lets a device bypass the portal on its MAC address
# alone, which is trivially spoofed; keep it only if RADIUS holds MAC entries
# you deliberately trust.
HS_MACAUTH=on # To turn on MAC Authentication
# NOTE(review): ports reachable before login (presumably towards the UAM
# host). 23 (telnet) is an odd inclusion — confirm it is actually needed.
HS_TCP_PORTS="80 23 8000"
HS_MODE=hotspot
HS_TYPE=chillispot
# Embedded portal files and handler.
HS_WWWDIR=/etc/chilli/www
HS_WWWBIN=/etc/chilli/wwwsh
HS_PROVIDER=Coova
HS_PROVIDER_LINK=http://www.coova.org/
HS_LOC_NAME="My HotSpot" # WISPr Location Name and used in portal
# RADIUS Change-of-Authorization listener port.
HS_COAPORT=3799
cat /etc/network/interfaces
# /etc/network/interfaces — eth0 is the uplink (DHCP), eth1 the hotspot side.
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet dhcp
auto eth1
iface eth1 inet static
# NOTE(review): 10.1.0.0 is the network address of 10.1.0.0/24, not a host
# address. With CoovaChilli the subscriber-side IP (HS_UAMLISTEN, 10.1.0.1)
# normally lives on chilli's tun interface rather than on eth1 itself, so
# check what this address is meant to do; it is unlikely to be what you want.
address 10.1.0.0
netmask 255.255.255.0
cat /etc/chilli/ipup.sh
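# /etc/chilli/ipup.sh — run by chilli once the subscriber (tun) interface is up.
# Masquerades client traffic leaving through the WAN interface so hotspot
# clients can reach the Internet.
#
# HS_WANIF is expected to be provided in the environment by chilli; it is not
# set in /etc/chilli/config, so it relies on chilli's own default — confirm.
# The variable is quoted so an empty or odd value cannot be split into extra
# iptables arguments, and the rule is only inserted if it is not already
# present: this hook runs on every chilli (re)start, and a bare `-I` would
# otherwise stack duplicate MASQUERADE rules (`-C` needs iptables 1.4.11+).
iptables -t nat -C POSTROUTING -o "$HS_WANIF" -j MASQUERADE 2>/dev/null ||
  iptables -I POSTROUTING -t nat -o "$HS_WANIF" -j MASQUERADE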
cat /proc/sys/net/ipv4/ip_forward
1
Any help would be greatly appreciated. Thanks.
You need to enable https redirect in coovachilli config file:
HS_REDIRSSL=on
HS_SSLKEYFILE=/etc/chilli/key.pem
HS_SSLCERTFILE=/etc/chilli/cert.pem
To generate certificate files, see How to create a self-signed certificate with openssl?.
Also you'll need to have coovachilli build with SSL support enabled.
With this configuration, users who type an https:// URL (such as YouTube's) should be redirected to the login page. BUT they will get a browser certificate warning, because the certificate presented is the hotspot's own and not the one the browser expects for that site; for sites that enforce HSTS (many large sites do) the browser will refuse the connection outright rather than offer a click-through, so the portal is still only reached reliably via a plain http:// URL or the operating system's captive-portal probe.

OpenWRT: Wired connection stop working when wireless enabled on RT-N13U

I have an Asus RT-N13U and am running: BARRIER BREAKER (14.07, r42625) on it. I used TFTP to install the openwrt-ramips-rt305x-rt-n13u-squashfs-sysupgrade.bin image onto it. Everything has been working fine until I enabled the wan. All of a sudden my wired connections don't work. Any ideas or pointers on where to look? This is my network config:
root@OpenWrt:~# cat /etc/config/network
# /etc/config/network — RT-N13U (rt305x switch). LAN = eth0.1 (VLAN 1),
# WAN = eth0.2 (VLAN 2); port 6 is presumably the CPU port, tagged in both.
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
# ULA prefix redacted in the post.
config globals 'globals'
option ula_prefix 'xxxx:xxxx:4553::/48'
config interface 'lan'
option ifname 'eth0.1'
option force_link '1'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
# NOTE(review): both eth0.1 and eth0.2 get an explicit macaddr. The WAN one
# is redacted; if it is the same as this one, the switch sees one MAC on two
# VLANs — worth ruling out as the cause of the wired outage.
option macaddr '00:0c:43:41:46:32'
option ipaddr '192.168.7.1'
config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'
option macaddr '00:0c:43:xx:xx:xx'
config interface 'wan6'
option ifname '#wan'
option proto 'dhcpv6'
# Switch: VLANs enabled; the switch is reset on (re)configuration.
config switch
option name 'rt305x'
option reset '1'
option enable_vlan '1'
# NOTE(review): VLAN 1 lists ports 0-3 plus 5, with 6 tagged; VLAN 2 is port 4
# (WAN) plus 6 tagged. Confirm against the RT-N13U port map that 5 is a real
# port and that 6 is indeed the CPU port for this board.
config switch_vlan
option device 'rt305x'
option vlan '1'
option ports '0 1 2 3 5 6t'
config switch_vlan
option device 'rt305x'
option vlan '2'
option ports '4 6t'
