Difference between revisions of "OpenWRT: Setup NoDogSplash"

From OnnoWiki
Jump to navigation Jump to search
 
(3 intermediate revisions by the same user not shown)
Line 4: Line 4:
  
  
Nodogsplash
+
Nodogsplash memberikan cara yang sederhana untuk membuka open free Hotspot (Wi-Fi) dan memberikan akses terbatas pada sambungan Internet. Tujuannya adalah untuk menggunakan sebuah wireless router untuk memberikan local secure wifi, dan share sebagian dari bandwidth kita sebagai free hotspot, dengan sebuah splash page untuk memberikan iklan (advertise) siapa yang memberikan hotspot.
  
Nodogsplash offers a simple way to open a free Hotspot (Wi-Fi) providing restricted access to an Internet connection.
+
Halaman ini akan menjelaskan cara membuat sebuah wireless hotspot sederhana dengan fitur berikut:
The goal was to use a single wireless router to both provide local secure wifi, and share a portion of our bandwidth as a free hotspot, with a splash page to advertise who is providing the hotspot, and the fact that secure, faster access is available for a small contribution towards costs.
 
  
This page describes setting up a simple wireless hotspot with the following features:
+
* Open access hotspot
 +
* Capture (splash) page
 +
* Pembatasan Port
 +
* Bandwidth Limit
 +
* Memisahkan, secure wireless access untuk penggunaan local. Secure wireless access di bridge ke port kabel, hotspot di pisah dan terisolasi dari local nerwork.
  
    Open access to the hotspot
 
    Capture (splash) page
 
    Port restrictions
 
    Bandwidth Limit
 
    Separate, secure wireless access for local use
 
  
The secure wireless is bridged to the hard-wired ports, the hotspot is separate and isolated from the local network.
+
==Installation==
IMQ is still in Backfire, but not in Attitude Adjustment any more
 
Installation
 
  
opkg
+
Secara manual instalasi dapat dilakukan dengan
  
opkg update
+
opkg
opkg install nodogsplash
+
opkg update
 +
opkg install nodogsplash
  
Configuration
+
Tapi bagi mereka yang bisa membuat sendiri firmware OpenWRT itu sendiri. Dapat memasukan langsung ke firmware.
Network
 
  
/etc/config/network
+
==Konfigurasi==
  
config 'interface' 'lan'
+
===Konfigurasi Network===
option 'type' 'bridge'
 
option 'ifname' 'eth0.0'
 
option 'proto' 'static'
 
option 'ipaddr' '10.10.10.1'
 
option 'netmask' '255.255.255.0'
 
  
config 'interface' 'wan'
+
/etc/config/network
option 'ifname' 'eth0.1'
+
option 'proto' 'dhcp'
+
config 'interface' 'lan'
 +
option 'type' 'bridge'
 +
option 'ifname' 'eth0.0'
 +
option 'proto' 'static'
 +
option 'ipaddr' '10.10.10.1'
 +
option 'netmask' '255.255.255.0'
 +
 +
config 'interface' 'wan'
 +
option 'ifname' 'eth0.1'
 +
option 'proto' 'dhcp'
 +
 +
config 'interface' 'wifi'
 +
option 'ifname' 'eth1.0'
 +
option 'proto' 'static'
 +
option 'ipaddr' '10.10.15.1'
 +
option 'netmask' '255.255.255.0'
  
config 'interface' 'wifi'
+
===Konfigurasi Wireless===
option 'ifname' 'eth1.0'
 
option 'proto' 'static'
 
option 'ipaddr' '10.10.15.1'
 
option 'netmask' '255.255.255.0'
 
  
Wireless
+
/etc/config/wireless
 +
 +
config 'wifi-device' 'wlan0'
 +
option 'type' 'mac80211'
 +
option 'channel' '11'
 +
option 'disabled' '0'
 +
 +
config 'wifi-iface'
 +
option 'device' 'wlan0'
 +
option 'network' 'lan'
 +
option 'mode' 'ap'
 +
option 'ssid' 'mywifi-secure'
 +
option 'encryption' 'psk2'
 +
option 'hidden' '0'
 +
option 'key' 'your%verylong.andsecure-pskkey'
 +
 +
config 'wifi-iface'
 +
option 'device' 'wlan0'
 +
option 'network' 'wifi'
 +
option 'mode' 'ap'
 +
option 'ssid' 'public-hotspot'
 +
option 'encryption' 'none'
 +
option 'hidden' '0'
  
/etc/config/wireless
+
===Konfigurasi dhcpd===
  
config 'wifi-device' 'wlan0'
+
/etc/config/dhcp
option 'type' 'mac80211'
+
option 'channel' '11'
+
config 'dhcp'
option 'disabled' '0'
 
 
 
config 'wifi-iface'
 
option 'device' 'wlan0'
 
option 'network' 'lan'
 
option 'mode' 'ap'
 
option 'ssid' 'mywifi-secure'
 
option 'encryption' 'psk2'
 
option 'hidden' '0'
 
option 'key' 'your%verylong.andsecure-pskkey'
 
 
 
config 'wifi-iface'
 
option 'device' 'wlan0'
 
option 'network' 'wifi'
 
option 'mode' 'ap'
 
option 'ssid' 'public-hotspot'
 
option 'encryption' 'none'
 
option 'hidden' '0'
 
 
 
dhcpd
 
 
 
/etc/config/dhcp
 
 
 
config 'dhcp'
 
 
         option 'interface' 'lan'
 
         option 'interface' 'lan'
 
         option 'start' '100'
 
         option 'start' '100'
 
         option 'limit' '150'
 
         option 'limit' '150'
 
         option 'leasetime' '12h'
 
         option 'leasetime' '12h'
 
+
config 'dhcp'
+
config 'dhcp'
 
         option 'interface' 'wan'
 
         option 'interface' 'wan'
 
         option 'ignore' '1'
 
         option 'ignore' '1'
 
+
config 'dhcp'
+
config 'dhcp'
 
         option 'interface' 'wifi'
 
         option 'interface' 'wifi'
 
         option 'start' '100'
 
         option 'start' '100'
Line 94: Line 94:
 
         option 'leasetime' '2h'
 
         option 'leasetime' '2h'
  
Firewall
+
===Konfigurasi Firewall===
  
Because nodogsplash uses iptables to mark/handle packets, you have to turn off the build-in firewall:
+
Karena nodogsplash menggunakan iptables untuk mark/handle packet, kita perlu mematikan build-in firewall:
  
/etc/init.d/firewall stop
+
/etc/init.d/firewall stop
/etc/init.d/firewall disable
+
/etc/init.d/firewall disable
  
Nodogsplash
+
===Konfigurasi Nodogsplash===
  
/etc/nodogsplash/nodogsplash.conf
+
/etc/nodogsplash/nodogsplash.conf
 +
 +
#
 +
# Nodogsplash Configuration File
 +
#
 +
 +
# Parameter: GatewayInterface
 +
# Default: NONE
 +
#
 +
# GatewayInterface is not autodetected, has no default, and must be set here.
 +
# Set GatewayInterface to the interface on your router
 +
# that is to be managed by Nodogsplash.
 +
# Typically br0 for the wired and wireless lan on OpenWrt White Russian.
 +
# May be br-lan on OpenWrt Kamikaze.
 +
#
 +
GatewayInterface wlan0
 +
 +
# FirewallRuleSet: authenticated-users
 +
#
 +
# Control access for users after authentication.
 +
# These rules are inserted at the beginning of the
 +
# FORWARD chain of the router's filter table, and
 +
# apply to packets that have come in to the router
 +
# over the GatewayInterface from MAC addresses that
 +
# have authenticated with Nodogsplash, and that are
 +
# destined to be routed through the router. The rules are
 +
# considered in order, and the first rule that matches
 +
# a packet applies to it.
 +
# If there are any rules in this ruleset, an authenticated
 +
# packet that does not match any rule is rejected.
 +
# N.B.: This ruleset is completely independent of
 +
# the preauthenticated-users ruleset.
 +
#
 +
FirewallRuleSet authenticated-users {
 +
 +
  # You may want to open access to a machine on a local
 +
  # subnet that is otherwise blocked (for example, to
 +
  # serve a redirect page; see RedirectURL). If so,
 +
  # allow that explicitly here, e.g:
 +
  # FirewallRule allow tcp port 80 to 192.168.254.254
 +
 +
  # Your router may have several interfaces, and you
 +
  # probably want to keep them private from the GatewayInterface.
 +
  # If so, you should block the entire subnets on those interfaces, e.g.:
 +
    #FirewallRule block to 192.168.0.0/16
 +
    #FirewallRule block to 10.0.0.0/8
 +
 +
  # Typical ports you will probably want to open up include
 +
  # 53 udp and tcp for DNS,
 +
  # 80 for http,
 +
  # 443 for https,
 +
  # 22 for ssh:
 +
    #FirewallRule allow tcp port 53
 +
    #FirewallRule allow udp port 53
 +
    #FirewallRule allow tcp port 80
 +
    #FirewallRule allow tcp port 443
 +
    #FirewallRule allow tcp port 22
 +
    FirewallRule allow all
 +
 +
}
 +
# end FirewallRuleSet authenticated-users
 +
 
 +
 +
# FirewallRuleSet: preauthenticated-users
 +
#
 +
# Control access for users before authentication.
 +
# These rules are inserted in the PREROUTING chain
 +
# of the router's nat table, and in the
 +
# FORWARD chain of the router's filter table.
 +
# These rules apply to packets that have come in to the
 +
# router over the GatewayInterface from MAC addresses that
 +
# are not on the BlockedMACList or TrustedMACList,
 +
# are *not* authenticated with Nodogsplash. The rules are
 +
# considered in order, and the first rule that matches
 +
# a packet applies to it. A packet that does not match
 +
# any rule here is rejected.
 +
# N.B.: This ruleset is completely independent of
 +
# the authenticated-users and users-to-router rulesets.
 +
#
 +
FirewallRuleSet preauthenticated-users {
 +
  # For preauthenticated users to resolve IP addresses in their initial
 +
  # request not using the router itself as a DNS server,
 +
  # you probably want to allow port 53 udp and tcp for DNS.
 +
    FirewallRule allow tcp port 53
 +
    FirewallRule allow udp port 53
 +
  # For splash page content not hosted on the router, you
 +
  # will want to allow port 80 tcp to the remote host here.
 +
  # Doing so circumvents the usual capture and redirect of
 +
  # any port 80 request to this remote host.
 +
  # Note that the remote host's numerical IP address must be known
 +
  # and used here.
 +
  # FirewallRule allow tcp port 80 to 123.321.123.321
 +
}
 +
# end FirewallRuleSet preauthenticated-users 
 +
 +
 +
# FirewallRuleSet: users-to-router
 +
#
 +
# Control access to the router itself from the GatewayInterface.
 +
# These rules are inserted at the beginning of the
 +
# INPUT chain of the router's filter table, and
 +
# apply to packets that have come in to the router
 +
# over the GatewayInterface from MAC addresses that
 +
# are not on the TrustedMACList, and are destined for
 +
# the router itself. The rules are
 +
# considered in order, and the first rule that matches
 +
# a packet applies to it.
 +
# If there are any rules in this ruleset, a
 +
# packet that does not match any rule is rejected.
 +
#
 +
FirewallRuleSet users-to-router {
 +
  # Nodogsplash automatically allows tcp to GatewayPort,
 +
  # at GatewayAddress, to serve the splash page.
 +
  # However you may want to open up other ports, e.g.
 +
  # 53 for DNS and 67 for DHCP if the router itself is
 +
  # providing these services.
 +
    FirewallRule allow udp port 53
 +
    FirewallRule allow tcp port 53
 +
    FirewallRule allow udp port 67
 +
  # You may want to allow ssh, http, and https to the router
 +
  # for administration from the GatewayInterface. If not,
 +
  # comment these out.
 +
    FirewallRule allow tcp port 22
 +
    FirewallRule allow tcp port 23
 +
    FirewallRule allow tcp port 80
 +
    FirewallRule allow tcp port 443
 +
}
 +
# end FirewallRuleSet users-to-router
 +
 +
# EmptyRuleSetPolicy directives
 +
# The FirewallRuleSets that NoDogSplash permits are:
 +
#
 +
# authenticated-users
 +
# preauthenticated-users
 +
# users-to-router
 +
# trusted-users
 +
# trusted-users-to-router
 +
#
 +
# For each of these, an EmptyRuleSetPolicy can be specified.
 +
# An EmptyRuleSet policy applies to a FirewallRuleSet if the
 +
# FirewallRuleSet is missing from this configuration file,
 +
# or if it exists but contains no FirewallRules.
 +
#
 +
# The possible values of an EmptyRuleSetPolicy are:
 +
# allow -- packets are accepted
 +
# block -- packets are rejected
 +
# passthrough -- packets are passed through to pre-existing firewall rules
 +
#
 +
# Default EmptyRuleSetPolicies are set as follows:
 +
# EmptyRuleSetPolicy authenticated-users passthrough
 +
# EmptyRuleSetPolicy preauthenticated-users block
 +
# EmptyRuleSetPolicy users-to-router block
 +
# EmptyRuleSetPolicy trusted-users allow
 +
# EmptyRuleSetPolicy trusted-users-to-router allow
  
#
+
# Nodogsplash Configuration File
+
# Parameter: GatewayName
#
+
# Default: NoDogSplash
 +
#
 +
# Set GatewayName to the name of your gateway. This value
 +
# will be available as variable $gatewayname in the splash page source
 +
# and in status output from ndsctl, but otherwise doesn't matter.
 +
# If none is supplied, the value "NoDogSplash" is used.
 +
#
 +
# GatewayName NoDogSplash
 +
 +
# Parameter: GatewayAddress
 +
# Default: Discovered from GatewayInterface
 +
#
 +
# This should be autodetected on an OpenWRT system, but if not:
 +
# Set GatewayAddress to the IP address of the router on
 +
# the GatewayInterface. This is the address that the Nodogsplash
 +
# server listens on.
 +
#
 +
# GatewayAddress 192.168.1.1 
 +
 +
# Parameter: ExternalInterface
 +
# Default: Autodetected from /proc/net/route
 +
#
 +
# This should be autodetected on a OpenWRT system, but if not:
 +
#  Set ExtrnalInterface to the 'external' interface on your router,
 +
# i.e. the one which provides the default route to the internet.
 +
# Typically vlan1 for OpenWRT.
 +
#
 +
# ExternalInterface vlan1
 +
 +
# Parameter: RedirectURL
 +
# Default: none
 +
#
 +
# After authentication, normally a user is redirected
 +
# to their initially requested page.
 +
# If RedirectURL is set, the user is redirected to this URL instead.
 +
#
 +
# RedirectURL http://www.ilesansfil.org/
 +
 +
# Parameter: GatewayPort
 +
# Default: 2050
 +
#
 +
# Nodogsplash's own http server uses GatewayAddress as its IP address.
 +
# The port it listens to at that IP can be set here; default is 2050.
 +
#
 +
# GatewayPort 2050
 +
 +
# Parameter: MaxClients
 +
# Default: 20
 +
#
 +
# Set MaxClients to the maximum number of users allowed to
 +
# connect at any time. (Does not include users on the TrustedMACList,
 +
# who do not authenticate.)
 +
#
 +
# MaxClients 20
 +
 +
# ClientIdleTimeout
 +
# Parameter: ClientIdleTimeout
 +
# Default: 10
 +
#
 +
# Set ClientIdleTimeout to the desired of number of minutes
 +
# of inactivity before a user is automatically 'deauthenticated'.
 +
#
 +
# ClientIdleTimeout 10
 +
 +
# Parameter: ClientForceTimeout
 +
# Default: 360
 +
#
 +
# Set ClientForceTimeout to the desired number of minutes before
 +
# a user is automatically 'deauthenticated', whether active or not
 +
#
 +
# ClientForceTimeout 360
 +
 +
# Parameter: AuthenticateImmediately
 +
# Default: no
 +
#
 +
# Set to yes (or true or 1), to immediately authenticate users
 +
# who make a http port 80 request on the GatewayInterface (that is,
 +
# do not serve a splash page, just redirect to the user's request,
 +
# or to RedirectURL if set).
 +
#
 +
# AuthenticateImmediately no
 +
 +
# Parameter: MACMechanism
 +
# Default: block
 +
#
 +
# Either block or allow.
 +
# If 'block', MAC addresses on BlockedMACList are blocked from
 +
# authenticating, and all others are allowed.
 +
# If 'allow', MAC addresses on AllowedMACList are allowed to
 +
# authenticate, and all other (non-trusted) MAC's are blocked.
 +
#
 +
# MACMechanism block
 +
 +
# Parameter: BlockedMACList
 +
# Default: none
 +
#
 +
# Comma-separated list of MAC addresses who will be completely blocked
 +
# from the GatewayInterface. Ignored if MACMechanism is allow.
 +
# N.B.: weak security, since MAC addresses are easy to spoof.
 +
#
 +
# BlockedMACList 00:00:DE:AD:BE:EF,00:00:C0:1D:F0:0D
 +
 +
# Parameter: AllowedMACList
 +
# Default: none
 +
#
 +
# Comma-separated list of MAC addresses who will not be completely
 +
# blocked from the GatewayInterface. Ignored if MACMechanism is block.
 +
# N.B.: weak security, since MAC addresses are easy to spoof.
 +
#
 +
# AllowedMACList 00:00:12:34:56:78
 +
 +
# Parameter: TrustedMACList
 +
# Default: none
 +
#
 +
# Comma-separated list of MAC addresses who are not subject to
 +
# authentication, and are not restricted by any FirewallRuleSet.
 +
# N.B.: weak security, since MAC addresses are easy to spoof.
 +
#
 +
# TrustedMACList 00:00:CA:FE:BA:BE, 00:00:C0:01:D0:0D
 +
 
 +
 +
# Parameter: PasswordAuthentication
 +
# Default: no
 +
# Set to yes (or true or 1), to require a password matching
 +
# the Password parameter to be supplied when authenticating.
 +
#
 +
#
 +
# PasswordAuthentication no
 +
 +
# Parameter: Password
 +
# Default: none
 +
# Whitespace delimited string that is compared to user-supplied
 +
# password when authenticating.
 +
#
 +
#
 +
# Password nodog
 +
 +
# Parameter: UsernameAuthentication
 +
# Default: no
 +
# Set to yes (or true or 1), to require a username matching
 +
# the Username parameter to be supplied when authenticating.
 +
#
 +
#
 +
# UsernameAuthentication no
 +
 +
# Parameter: Username
 +
# Default: none
 +
# Whitespace delimited string that is compared to user-supplied
 +
# username when authenticating.
 +
#
 +
#
 +
# Username guest
 +
 +
# Parameter: PasswordAttempts
 +
# Default: 5
 +
# Integer number of failed password/username entries before
 +
# a user is forced to reauthenticate.
 +
#
 +
#
 +
# PasswordAttempts 5
 +
 +
# Parameter: TrafficControl
 +
# Default: no
 +
#
 +
# Set to yes (or true or 1), to enable traffic control in Nodogsplash.
 +
#
 +
# TrafficControl no
 +
 +
# Parameter: DownloadLimit
 +
# Default: 0
 +
#
 +
# If TrafficControl is enabled, this sets the maximum download
 +
# speed to the GatewayInterface, in kilobits per second.
 +
# For example if you have an ADSL connection with 768 kbit
 +
# download speed, and you want to allow about half of that
 +
# bandwidth for the GatewayInterface, set this to 384.
 +
# A value of 0 means no download limiting is done.
 +
#
 +
# DownloadLimit 384
 +
 +
# Parameter: UploadLimit
 +
# Default: 0
 +
#
 +
# If TrafficControl is enabled, this sets the maximum upload
 +
# speed from the GatewayInterface, in kilobits per second.
 +
# For example if you have an ADSL connection with 128 kbit
 +
# upload speed, and you want to allow about half of that
 +
# bandwidth for the GatewayInterface, set this to 64.
 +
# A value of 0 means no upload limiting is done.
 +
#
 +
# UploadLimit 64
 +
 +
# Paramter: GatewayIPRange
 +
# Default: 0.0.0.0/0
 +
#
 +
# By setting this parameter, you can specify a range of IP addresses
 +
# on the GatewayInterface that will be responded to and managed by
 +
# Nodogsplash. Addresses outside this range do not have their packets
 +
# touched by Nodogsplash at all.
 +
# Defaults to 0.0.0.0/0, that is, all addresses.
 +
#
 +
# GatewayIPRange 0.0.0.0/0
 +
 +
==Membuka access email==
 +
 +
FirewallRuleSet authenticated-users {
 +
...
 +
FirewallRule allow tcp port 995
 +
FirewallRule allow tcp port 993
 +
FirewallRule allow tcp port 465
 +
FirewallRule allow tcp port 110
 +
FirewallRule allow tcp port 143
  
# Parameter: GatewayInterface
+
==Membatasi access ke gateway dari hotspot side==
# Default: NONE
 
#
 
# GatewayInterface is not autodetected, has no default, and must be set here.
 
# Set GatewayInterface to the interface on your router
 
# that is to be managed by Nodogsplash.
 
# Typically br0 for the wired and wireless lan on OpenWrt White Russian.
 
# May be br-lan on OpenWrt Kamikaze.
 
#
 
GatewayInterface wlan0
 
  
# FirewallRuleSet: authenticated-users
+
FirewallRuleSet users-to-router {
#
+
...
# Control access for users after authentication.
+
#   FirewallRule allow tcp port 22
# These rules are inserted at the beginning of the
+
#   FirewallRule allow tcp port 80
# FORWARD chain of the router's filter table, and
+
#   FirewallRule allow tcp port 443
# apply to packets that have come in to the router
 
# over the GatewayInterface from MAC addresses that
 
# have authenticated with Nodogsplash, and that are
 
# destined to be routed through the router. The rules are
 
# considered in order, and the first rule that matches
 
# a packet applies to it.
 
# If there are any rules in this ruleset, an authenticated
 
# packet that does not match any rule is rejected.
 
# N.B.: This ruleset is completely independent of
 
# the preauthenticated-users ruleset.
 
#
 
FirewallRuleSet authenticated-users {
 
  
# You may want to open access to a machine on a local
+
==Kontrol Bandwidth==
# subnet that is otherwise blocked (for example, to
 
# serve a redirect page; see RedirectURL). If so,
 
# allow that explicitly here, e.g:
 
# FirewallRule allow tcp port 80 to 192.168.254.254
 
  
# Your router may have several interfaces, and you
+
Kita dapat membatasi ketersediaan bandwidth ke hotspot (silahkan di atur berdasarkan kebutuhan):
# probably want to keep them private from the GatewayInterface.
 
# If so, you should block the entire subnets on those interfaces, e.g.:
 
    #FirewallRule block to 192.168.0.0/16
 
    #FirewallRule block to 10.0.0.0/8
 
  
  # Typical ports you will probably want to open up include
+
  trafficControl yes
# 53 udp and tcp for DNS,
+
  ...
# 80 for http,
+
  DownloadLimit 200
# 443 for https,
+
  ...
  # 22 for ssh:
+
  UploadLimit 100
    #FirewallRule allow tcp port 53
 
    #FirewallRule allow udp port 53
 
    #FirewallRule allow tcp port 80
 
    #FirewallRule allow tcp port 443
 
    #FirewallRule allow tcp port 22
 
    FirewallRule allow all
 
 
 
}
 
# end FirewallRuleSet authenticated-users
 
 
 
 
 
# FirewallRuleSet: preauthenticated-users
 
#
 
# Control access for users before authentication.
 
# These rules are inserted in the PREROUTING chain
 
# of the router's nat table, and in the
 
# FORWARD chain of the router's filter table.
 
# These rules apply to packets that have come in to the
 
# router over the GatewayInterface from MAC addresses that
 
# are not on the BlockedMACList or TrustedMACList,
 
# are *not* authenticated with Nodogsplash. The rules are
 
# considered in order, and the first rule that matches
 
# a packet applies to it. A packet that does not match
 
# any rule here is rejected.
 
# N.B.: This ruleset is completely independent of
 
# the authenticated-users and users-to-router rulesets.
 
#
 
FirewallRuleSet preauthenticated-users {
 
  # For preauthenticated users to resolve IP addresses in their initial
 
# request not using the router itself as a DNS server,
 
# you probably want to allow port 53 udp and tcp for DNS.
 
    FirewallRule allow tcp port 53
 
    FirewallRule allow udp port 53
 
# For splash page content not hosted on the router, you
 
# will want to allow port 80 tcp to the remote host here.
 
# Doing so circumvents the usual capture and redirect of
 
# any port 80 request to this remote host.
 
# Note that the remote host's numerical IP address must be known
 
# and used here.
 
# FirewallRule allow tcp port 80 to 123.321.123.321
 
}
 
# end FirewallRuleSet preauthenticated-users
 
 
 
 
 
# FirewallRuleSet: users-to-router
 
#
 
# Control access to the router itself from the GatewayInterface.
 
# These rules are inserted at the beginning of the
 
# INPUT chain of the router's filter table, and
 
# apply to packets that have come in to the router
 
# over the GatewayInterface from MAC addresses that
 
# are not on the TrustedMACList, and are destined for
 
# the router itself. The rules are
 
# considered in order, and the first rule that matches
 
# a packet applies to it.
 
# If there are any rules in this ruleset, a
 
# packet that does not match any rule is rejected.
 
#
 
FirewallRuleSet users-to-router {
 
# Nodogsplash automatically allows tcp to GatewayPort,
 
  # at GatewayAddress, to serve the splash page.
 
# However you may want to open up other ports, e.g.
 
  # 53 for DNS and 67 for DHCP if the router itself is
 
# providing these services.
 
    FirewallRule allow udp port 53
 
    FirewallRule allow tcp port 53
 
    FirewallRule allow udp port 67
 
# You may want to allow ssh, http, and https to the router
 
# for administration from the GatewayInterface. If not,
 
# comment these out.
 
    FirewallRule allow tcp port 22
 
    FirewallRule allow tcp port 23
 
    FirewallRule allow tcp port 80
 
    FirewallRule allow tcp port 443
 
}
 
# end FirewallRuleSet users-to-router
 
 
 
# EmptyRuleSetPolicy directives
 
# The FirewallRuleSets that NoDogSplash permits are:
 
#
 
# authenticated-users
 
# preauthenticated-users
 
# users-to-router
 
# trusted-users
 
# trusted-users-to-router
 
#
 
# For each of these, an EmptyRuleSetPolicy can be specified.
 
# An EmptyRuleSet policy applies to a FirewallRuleSet if the
 
# FirewallRuleSet is missing from this configuration file,
 
# or if it exists but contains no FirewallRules.
 
#
 
# The possible values of an EmptyRuleSetPolicy are:
 
# allow -- packets are accepted
 
# block -- packets are rejected
 
# passthrough -- packets are passed through to pre-existing firewall rules
 
#
 
# Default EmptyRuleSetPolicies are set as follows:
 
# EmptyRuleSetPolicy authenticated-users passthrough
 
# EmptyRuleSetPolicy preauthenticated-users block
 
# EmptyRuleSetPolicy users-to-router block
 
# EmptyRuleSetPolicy trusted-users allow
 
# EmptyRuleSetPolicy trusted-users-to-router allow
 
 
 
 
 
# Parameter: GatewayName
 
# Default: NoDogSplash
 
#
 
# Set GatewayName to the name of your gateway. This value
 
# will be available as variable $gatewayname in the splash page source
 
# and in status output from ndsctl, but otherwise doesn't matter.
 
# If none is supplied, the value "NoDogSplash" is used.
 
#
 
# GatewayName NoDogSplash
 
 
 
# Parameter: GatewayAddress
 
# Default: Discovered from GatewayInterface
 
#
 
# This should be autodetected on an OpenWRT system, but if not:
 
# Set GatewayAddress to the IP address of the router on
 
# the GatewayInterface. This is the address that the Nodogsplash
 
# server listens on.
 
#
 
# GatewayAddress 192.168.1.1
 
 
 
# Parameter: ExternalInterface
 
# Default: Autodetected from /proc/net/route
 
#
 
# This should be autodetected on a OpenWRT system, but if not:
 
# Set ExtrnalInterface to the 'external' interface on your router,
 
# i.e. the one which provides the default route to the internet.
 
# Typically vlan1 for OpenWRT.
 
#
 
# ExternalInterface vlan1
 
 
 
# Parameter: RedirectURL
 
# Default: none
 
#
 
# After authentication, normally a user is redirected
 
# to their initially requested page.
 
# If RedirectURL is set, the user is redirected to this URL instead.
 
#
 
# RedirectURL http://www.ilesansfil.org/
 
 
 
# Parameter: GatewayPort
 
# Default: 2050
 
#
 
# Nodogsplash's own http server uses GatewayAddress as its IP address.
 
# The port it listens to at that IP can be set here; default is 2050.
 
#
 
# GatewayPort 2050
 
 
 
# Parameter: MaxClients
 
# Default: 20
 
#
 
# Set MaxClients to the maximum number of users allowed to
 
# connect at any time. (Does not include users on the TrustedMACList,
 
# who do not authenticate.)
 
#
 
# MaxClients 20
 
 
 
# ClientIdleTimeout
 
# Parameter: ClientIdleTimeout
 
# Default: 10
 
#
 
# Set ClientIdleTimeout to the desired of number of minutes
 
# of inactivity before a user is automatically 'deauthenticated'.
 
#
 
# ClientIdleTimeout 10
 
 
 
# Parameter: ClientForceTimeout
 
# Default: 360
 
#
 
# Set ClientForceTimeout to the desired number of minutes before
 
# a user is automatically 'deauthenticated', whether active or not
 
#
 
# ClientForceTimeout 360
 
 
 
# Parameter: AuthenticateImmediately
 
# Default: no
 
#
 
# Set to yes (or true or 1), to immediately authenticate users
 
# who make a http port 80 request on the GatewayInterface (that is,
 
# do not serve a splash page, just redirect to the user's request,
 
# or to RedirectURL if set).
 
#
 
# AuthenticateImmediately no
 
 
 
# Parameter: MACMechanism
 
# Default: block
 
#
 
# Either block or allow.
 
# If 'block', MAC addresses on BlockedMACList are blocked from
 
# authenticating, and all others are allowed.
 
# If 'allow', MAC addresses on AllowedMACList are allowed to
 
# authenticate, and all other (non-trusted) MAC's are blocked.
 
#
 
# MACMechanism block
 
 
 
# Parameter: BlockedMACList
 
# Default: none
 
#
 
# Comma-separated list of MAC addresses who will be completely blocked
 
# from the GatewayInterface. Ignored if MACMechanism is allow.
 
# N.B.: weak security, since MAC addresses are easy to spoof.
 
#
 
# BlockedMACList 00:00:DE:AD:BE:EF,00:00:C0:1D:F0:0D
 
 
 
# Parameter: AllowedMACList
 
# Default: none
 
#
 
# Comma-separated list of MAC addresses who will not be completely
 
# blocked from the GatewayInterface. Ignored if MACMechanism is block.
 
# N.B.: weak security, since MAC addresses are easy to spoof.
 
#
 
# AllowedMACList 00:00:12:34:56:78
 
 
 
# Parameter: TrustedMACList
 
# Default: none
 
#
 
# Comma-separated list of MAC addresses who are not subject to
 
# authentication, and are not restricted by any FirewallRuleSet.
 
# N.B.: weak security, since MAC addresses are easy to spoof.
 
#
 
# TrustedMACList 00:00:CA:FE:BA:BE, 00:00:C0:01:D0:0D
 
 
 
 
 
# Parameter: PasswordAuthentication
 
# Default: no
 
# Set to yes (or true or 1), to require a password matching
 
# the Password parameter to be supplied when authenticating.
 
#
 
#
 
# PasswordAuthentication no
 
 
 
# Parameter: Password
 
# Default: none
 
# Whitespace delimited string that is compared to user-supplied
 
# password when authenticating.
 
#
 
#
 
# Password nodog
 
 
 
# Parameter: UsernameAuthentication
 
# Default: no
 
# Set to yes (or true or 1), to require a username matching
 
# the Username parameter to be supplied when authenticating.
 
#
 
#
 
# UsernameAuthentication no
 
 
 
# Parameter: Username
 
# Default: none
 
# Whitespace delimited string that is compared to user-supplied
 
# username when authenticating.
 
#
 
#
 
# Username guest
 
 
 
# Parameter: PasswordAttempts
 
# Default: 5
 
# Integer number of failed password/username entries before
 
# a user is forced to reauthenticate.
 
#
 
#
 
# PasswordAttempts 5
 
 
 
# Parameter: TrafficControl
 
# Default: no
 
#
 
# Set to yes (or true or 1), to enable traffic control in Nodogsplash.
 
#
 
# TrafficControl no
 
 
 
# Parameter: DownloadLimit
 
# Default: 0
 
#
 
# If TrafficControl is enabled, this sets the maximum download
 
# speed to the GatewayInterface, in kilobits per second.
 
# For example if you have an ADSL connection with 768 kbit
 
# download speed, and you want to allow about half of that
 
# bandwidth for the GatewayInterface, set this to 384.
 
# A value of 0 means no download limiting is done.
 
#
 
# DownloadLimit 384
 
 
 
# Parameter: UploadLimit
 
# Default: 0
 
#
 
# If TrafficControl is enabled, this sets the maximum upload
 
# speed from the GatewayInterface, in kilobits per second.
 
# For example if you have an ADSL connection with 128 kbit
 
# upload speed, and you want to allow about half of that
 
# bandwidth for the GatewayInterface, set this to 64.
 
# A value of 0 means no upload limiting is done.
 
#
 
# UploadLimit 64
 
 
 
# Paramter: GatewayIPRange
 
# Default: 0.0.0.0/0
 
#
 
# By setting this parameter, you can specify a range of IP addresses
 
# on the GatewayInterface that will be responded to and managed by
 
# Nodogsplash. Addresses outside this range do not have their packets
 
# touched by Nodogsplash at all.
 
# Defaults to 0.0.0.0/0, that is, all addresses.
 
#
 
# GatewayIPRange 0.0.0.0/0
 
 
 
Allow access to email:
 
 
 
FirewallRuleSet authenticated-users {
 
...
 
FirewallRule allow tcp port 995
 
FirewallRule allow tcp port 993
 
FirewallRule allow tcp port 465
 
FirewallRule allow tcp port 110
 
FirewallRule allow tcp port 143
 
 
 
Restrict access to the gateway from the hotspot side:
 
 
 
FirewallRuleSet users-to-router {
 
...
 
#    FirewallRule allow tcp port 22
 
#    FirewallRule allow tcp port 80
 
#    FirewallRule allow tcp port 443
 
 
 
Bandwidth Control
 
 
 
You can restrict bandwidth available to hotspot (adjust according to preference):
 
 
 
trafficControl yes
 
...
 
DownloadLimit 200
 
...
 
UploadLimit 100
 
  
 
In backfire 10.03.1rc5 you need to edit /etc/init.d/nodogsplash and uncomment last lines to make bandwidth control to work
 
In backfire 10.03.1rc5 you need to edit /etc/init.d/nodogsplash and uncomment last lines to make bandwidth control to work
  
    # if not using traffic control,
+
    # if not using traffic control,
    # you can comment out the following 3 lines:
+
    # you can comment out the following 3 lines:
    do_module_tests "imq" "numdevs=2"
+
    do_module_tests "imq" "numdevs=2"
    do_module_tests "ipt_IMQ"
+
    do_module_tests "ipt_IMQ"
    do_module_tests "sch_htb"
+
    do_module_tests "sch_htb"
  
 
Note: ipt_IMQ = xt_IMQ
 
Note: ipt_IMQ = xt_IMQ
Line 503: Line 503:
 
You also need to install some extra kernel modules:
 
You also need to install some extra kernel modules:
  
    opkg install iptables-mod-imq
+
opkg install iptables-mod-imq
    opkg install kmod-ipt-imq
+
opkg install kmod-ipt-imq
    opkg install kmod-sched
+
opkg install kmod-sched
  
 
And some utilities
 
And some utilities
  
    opkg install ip
+
opkg install ip
    opkg install tc
+
opkg install tc
  
 
NOTE: In Attitude Adjustment 12.09 there is no iptables-mod-imq package and so the above procedure will fail.
 
NOTE: In Attitude Adjustment 12.09 there is no iptables-mod-imq package and so the above procedure will fail.
Line 516: Line 516:
 
For bandwidth control in Attitude Adjustment 12.09 you can install WonderShaper (which also uses tc as its back-end):
 
For bandwidth control in Attitude Adjustment 12.09 you can install WonderShaper (which also uses tc as its back-end):
  
    opkg install wshaper
+
    opkg install wshaper
  
 
WonderShaper's UCI config file is stored in /etc/config/wshaper. A simple configuration for a guest network might look like this:
 
WonderShaper's UCI config file is stored in /etc/config/wshaper. A simple configuration for a guest network might look like this:
  
config wshaper 'settings'
+
config wshaper 'settings'
option network 'public'
+
option network 'public'
option downlink '64'
+
option downlink '64'
option uplink '512'
+
option uplink '512'
 
+
 
Note: The downlink and uplink maximum values will usually need to be reversed from what one might, at first glance, expect. Also note that due to overhead, actual speeds will be slightly lower.
 
Note: The downlink and uplink maximum values will usually need to be reversed from what one might, at first glance, expect. Also note that due to overhead, actual speeds will be slightly lower.
 
Check status
 
Check status
Line 530: Line 530:
 
Nodogsplash package provides the ndsctl binary to manage it. Run ndsctl without arguments to see the help.
 
Nodogsplash package provides the ndsctl binary to manage it. Run ndsctl without arguments to see the help.
  
root@openWrt:~# ndsctl       
+
root@openWrt:~# ndsctl       
Usage: ndsctl [options] command [arguments]
+
Usage: ndsctl [options] command [arguments]
 
+
options:
+
options:
  -s <path>        Path to the socket
+
  -s <path>        Path to the socket
  -h                Print usage
+
  -h                Print usage  
 
+
commands:
+
commands:
  status            View the status of nodogsplash
+
  status            View the status of nodogsplash
  clients          Display machine-readable client list
+
  clients          Display machine-readable client list
  stop              Stop the running nodogsplash
+
  stop              Stop the running nodogsplash
  auth ip          Authenticate user with specified ip
+
  auth ip          Authenticate user with specified ip
  deauth mac|ip    Deauthenticate user with specified mac or ip
+
  deauth mac|ip    Deauthenticate user with specified mac or ip
  block mac        Block the given MAC address
+
  block mac        Block the given MAC address
  unblock mac      Unblock the given MAC address
+
  unblock mac      Unblock the given MAC address
  allow mac        Allow the given MAC address
+
  allow mac        Allow the given MAC address
  unallow mac      Unallow the given MAC address
+
  unallow mac      Unallow the given MAC address
  trust mac        Trust the given MAC address
+
  trust mac        Trust the given MAC address
  untrust mac      Untrust the given MAC address
+
  untrust mac      Untrust the given MAC address
  loglevel n        Set logging level to n
+
  loglevel n        Set logging level to n
  password pass    Set gateway password
+
  password pass    Set gateway password
  username name    Set gateway username
+
  username name    Set gateway username
  
 
Customise splash page
 
Customise splash page
Line 557: Line 557:
 
Edit these files to customize the "splash page" / "error page":
 
Edit these files to customize the "splash page" / "error page":
  
    /etc/nodogsplash/htdocs/splash.html
+
    /etc/nodogsplash/htdocs/splash.html
    /etc/nodogsplash/htdocs/infoskel.html
+
    /etc/nodogsplash/htdocs/infoskel.html
  
 
Note, to include an external *.css file, put it in the images directory, and include as so:
 
Note, to include an external *.css file, put it in the images directory, and include as so:
  
@import url("$imagesdir/stylesheet.css");
+
@import url("$imagesdir/stylesheet.css");
  
 
Somewhere in splash.html you should include a link for the authentication, e.g:
 
Somewhere in splash.html you should include a link for the authentication, e.g:
  
<h3> Click <a href="$authtarget"> HERE</a> to start browsing </h3>
+
<h3> Click <a href="$authtarget"> HERE</a> to start browsing </h3>
  
 
Restrict access to domains
 
Restrict access to domains
Line 572: Line 572:
 
If you would want to restrict the access to the IP address 20.20.20.20 you can use this netfilter command (supposing 10.20.30.0/24 is your hotspot network and you redirect clients to your nodogsplash webserver)
 
If you would want to restrict the access to the IP address 20.20.20.20 you can use this netfilter command (supposing 10.20.30.0/24 is your hotspot network and you redirect clients to your nodogsplash webserver)
  
  iptables -t nat -I ndsOUT -p tcp -s 10.20.30.0/24 -d 20.20.20.20 --dport 80 -j DNAT --to 10.20.30.1:2050
+
  iptables -t nat -I ndsOUT -p tcp -s 10.20.30.0/24 -d 20.20.20.20 --dport 80 -j DNAT --to 10.20.30.1:2050
  
 
Restrict access to multiple domains
 
Restrict access to multiple domains
Line 614: Line 614:
 
after executing the script you can check if it works ok running "iptables -t nat -L -n" and you should get something like this:
 
after executing the script you can check if it works ok running "iptables -t nat -L -n" and you should get something like this:
  
Chain ndsOUT (1 references)
+
Chain ndsOUT (1 references)
target    prot opt source              destination         
+
target    prot opt source              destination         
DNAT      tcp  --  10.20.30.0/24        199.58.211.41      tcp dpt:80 to:10.20.30.1:80  
+
DNAT      tcp  --  10.20.30.0/24        199.58.211.41      tcp dpt:80 to:10.20.30.1:80  
DNAT      tcp  --  10.20.30.0/24        69.163.39.214      tcp dpt:80 to:10.20.30.1:80  
+
DNAT      tcp  --  10.20.30.0/24        69.163.39.214      tcp dpt:80 to:10.20.30.1:80  
DNAT      tcp  --  10.20.30.0/24        78.140.135.6        tcp dpt:80 to:10.20.30.1:80  
+
DNAT      tcp  --  10.20.30.0/24        78.140.135.6        tcp dpt:80 to:10.20.30.1:80  
DNAT      tcp  --  10.20.30.0/24        74.117.114.96      tcp dpt:80 to:10.20.30.1:80  
+
DNAT      tcp  --  10.20.30.0/24        74.117.114.96      tcp dpt:80 to:10.20.30.1:80  
DNAT      tcp  --  10.20.30.0/24        88.85.73.158        tcp dpt:80 to:10.20.30.1:80  
+
DNAT      tcp  --  10.20.30.0/24        88.85.73.158        tcp dpt:80 to:10.20.30.1:80  
DNAT      tcp  --  10.20.30.0/24        216.69.227.108      tcp dpt:80 to:10.20.30.1:80  
+
DNAT      tcp  --  10.20.30.0/24        216.69.227.108      tcp dpt:80 to:10.20.30.1:80  
DNAT      tcp  --  10.20.30.0/24        72.8.129.153        tcp dpt:80 to:10.20.30.1:80  
+
DNAT      tcp  --  10.20.30.0/24        72.8.129.153        tcp dpt:80 to:10.20.30.1:80  
  
 
External links
 
External links
Line 645: Line 645:
 
Configuration of the AP is as usual except that AP needs to have NAT for the hotspot segment only. To achieve this one needs to add custom iptables rule
 
Configuration of the AP is as usual except that AP needs to have NAT for the hotspot segment only. To achieve this one needs to add custom iptables rule
  
iptables -A POSTROUTING -t nat -j SNAT --to-source 192.168.1.3
+
iptables -A POSTROUTING -t nat -j SNAT --to-source 192.168.1.3
  
 
and delete all provided firewall rules fy using OpenWRT web interface.
 
and delete all provided firewall rules fy using OpenWRT web interface.
Line 666: Line 666:
 
This is a quick setup for Nodogsplash. It shows a splash page for any web acccess comming from br-lan.
 
This is a quick setup for Nodogsplash. It shows a splash page for any web acccess comming from br-lan.
  
/etc/nodogsplash/nodogsplash.conf
+
/etc/nodogsplash/nodogsplash.conf
 
+
GatewayInterface br-lan
+
GatewayInterface br-lan  
 
+
FirewallRuleSet preauthenticated-users {
+
FirewallRuleSet preauthenticated-users {
FirewallRule allow tcp port 53
+
  FirewallRule allow tcp port 53
FirewallRule allow udp port 53
+
  FirewallRule allow udp port 53
FirewallRule allow icmp
+
  FirewallRule allow icmp
}
+
}
  
EmptyRuleSetPolicy authenticated-users passthrough
+
EmptyRuleSetPolicy authenticated-users passthrough
EmptyRuleSetPolicy users-to-router passthrough
+
EmptyRuleSetPolicy users-to-router passthrough
EmptyRuleSetPolicy trusted-users allow
+
EmptyRuleSetPolicy trusted-users allow
EmptyRuleSetPolicy trusted-users-to-router passthrough
+
EmptyRuleSetPolicy trusted-users-to-router passthrough  
  
MaxClients 30
+
MaxClients 30
ClientIdleTimeout 10
+
ClientIdleTimeout 10
ClientForceTimeout 240
+
ClientForceTimeout 240
  
 
For the actual splash site place these example files as follows:
 
For the actual splash site place these example files as follows:
  
/etc/nodogsplash/htdocs/splash.html
+
/etc/nodogsplash/htdocs/splash.html
/etc/nodogsplash/htdocs/infoskel.html
+
/etc/nodogsplash/htdocs/infoskel.html
/etc/nodogsplash/htdocs/images/splash.jpg
+
/etc/nodogsplash/htdocs/images/splash.jpg
  
  

Latest revision as of 11:14, 19 July 2015

Sumber: http://wiki.openwrt.org/doc/howto/wireless.hotspot.nodogsplash



Nodogsplash memberikan cara yang sederhana untuk membuka open free Hotspot (Wi-Fi) dan memberikan akses terbatas pada sambungan Internet. Tujuannya adalah untuk menggunakan sebuah wireless router untuk memberikan local secure wifi, dan share sebagian dari bandwidth kita sebagai free hotspot, dengan sebuah splash page untuk memberikan iklan (advertise) siapa yang memberikan hotspot.

Halaman ini akan menjelaskan cara membuat sebuah wireless hotspot sederhana dengan fitur berikut:

  • Open access hotspot
  • Capture (splash) page
  • Pembatasan Port
  • Bandwidth Limit
  • Memisahkan, secure wireless access untuk penggunaan local. Secure wireless access di bridge ke port kabel, hotspot di pisah dan terisolasi dari local nerwork.


Installation

Secara manual instalasi dapat dilakukan dengan

opkg
opkg update
opkg install nodogsplash

Tapi bagi mereka yang bisa membuat sendiri firmware OpenWRT itu sendiri. Dapat memasukan langsung ke firmware.

Konfigurasi

Konfigurasi Network

/etc/config/network

config 'interface' 'lan' 
	option 'type'	'bridge'
	option 'ifname'	'eth0.0'
	option 'proto'	'static'
	option 'ipaddr'	'10.10.10.1'
	option 'netmask'	'255.255.255.0'

config 'interface' 'wan'
	option 'ifname'	'eth0.1'
	option 'proto'	'dhcp'

config 'interface' 'wifi'
	option 'ifname'	'eth1.0'
	option 'proto'	'static'
	option 'ipaddr'	'10.10.15.1'
	option 'netmask'	'255.255.255.0'

Konfigurasi Wireless

/etc/config/wireless

config 'wifi-device' 'wlan0' 
	option 'type'	'mac80211'
	option 'channel'	'11'
	option 'disabled'	'0'

config 'wifi-iface'
	option 'device'	'wlan0'
	option 'network'	'lan'
	option 'mode'	'ap'
	option 'ssid'	'mywifi-secure'
	option 'encryption'	'psk2'
	option 'hidden'	'0'
	option 'key'	'your%verylong.andsecure-pskkey'

config 'wifi-iface'
	option 'device'	'wlan0'
	option 'network'	'wifi'
	option 'mode'	'ap'
	option 'ssid'	'public-hotspot'
	option 'encryption'	'none'
	option 'hidden'	'0'

Konfigurasi dhcpd

/etc/config/dhcp

config 'dhcp'
       	option 'interface'	'lan'
       	option 'start'	'100'
       	option 'limit'	'150'
       	option 'leasetime'	'12h'

config 'dhcp'
       	option 'interface'	'wan'
       	option 'ignore'	'1'

config 'dhcp'
       	option 'interface'	'wifi'
       	option 'start'	'100'
       	option 'limit'	'150'
       	option 'leasetime'	'2h'

Konfigurasi Firewall

Karena nodogsplash menggunakan iptables untuk mark/handle packet, kita perlu mematikan build-in firewall:

/etc/init.d/firewall stop
/etc/init.d/firewall disable

Konfigurasi Nodogsplash

/etc/nodogsplash/nodogsplash.conf

#
# Nodogsplash Configuration File
#

# Parameter: GatewayInterface
# Default: NONE
#
# GatewayInterface is not autodetected, has no default, and must be set here.
# Set GatewayInterface to the interface on your router
# that is to be managed by Nodogsplash.
# Typically br0 for the wired and wireless lan on OpenWrt White Russian.
# May be br-lan on OpenWrt Kamikaze.
#
GatewayInterface wlan0

# FirewallRuleSet: authenticated-users
#
# Control access for users after authentication.
# These rules are inserted at the beginning of the
# FORWARD chain of the router's filter table, and
# apply to packets that have come in to the router
# over the GatewayInterface from MAC addresses that
# have authenticated with Nodogsplash, and that are
# destined to be routed through the router. The rules are
# considered in order, and the first rule that matches
# a packet applies to it.
# If there are any rules in this ruleset, an authenticated
# packet that does not match any rule is rejected.
# N.B.: This ruleset is completely independent of
# the preauthenticated-users ruleset.
#
FirewallRuleSet authenticated-users {

 # You may want to open access to a machine on a local
 # subnet that is otherwise blocked (for example, to
 # serve a redirect page; see RedirectURL). If so,
 # allow that explicitly here, e.g:
 # FirewallRule allow tcp port 80 to 192.168.254.254

 # Your router may have several interfaces, and you
 # probably want to keep them private from the GatewayInterface.
 # If so, you should block the entire subnets on those interfaces, e.g.:
    #FirewallRule block to 192.168.0.0/16
    #FirewallRule block to 10.0.0.0/8

 # Typical ports you will probably want to open up include
 # 53 udp and tcp for DNS,
 # 80 for http,
 # 443 for https,
 # 22 for ssh:
    #FirewallRule allow tcp port 53
    #FirewallRule allow udp port 53
    #FirewallRule allow tcp port 80
    #FirewallRule allow tcp port 443
    #FirewallRule allow tcp port 22
    FirewallRule allow all

}
# end FirewallRuleSet authenticated-users
 

# FirewallRuleSet: preauthenticated-users
#
# Control access for users before authentication.
# These rules are inserted in the PREROUTING chain
# of the router's nat table, and in the
# FORWARD chain of the router's filter table.
# These rules apply to packets that have come in to the
# router over the GatewayInterface from MAC addresses that
# are not on the BlockedMACList or TrustedMACList,
# are *not* authenticated with Nodogsplash. The rules are
# considered in order, and the first rule that matches
# a packet applies to it. A packet that does not match
# any rule here is rejected.
# N.B.: This ruleset is completely independent of
# the authenticated-users and users-to-router rulesets.
#
FirewallRuleSet preauthenticated-users {
 # For preauthenticated users to resolve IP addresses in their initial
 # request not using the router itself as a DNS server,
 # you probably want to allow port 53 udp and tcp for DNS.
    FirewallRule allow tcp port 53
    FirewallRule allow udp port 53
 # For splash page content not hosted on the router, you
 # will want to allow port 80 tcp to the remote host here.
 # Doing so circumvents the usual capture and redirect of
 # any port 80 request to this remote host.
 # Note that the remote host's numerical IP address must be known
 # and used here.
 # FirewallRule allow tcp port 80 to 123.321.123.321
}
# end FirewallRuleSet preauthenticated-users  


# FirewallRuleSet: users-to-router
#
# Control access to the router itself from the GatewayInterface.
# These rules are inserted at the beginning of the
# INPUT chain of the router's filter table, and
# apply to packets that have come in to the router
# over the GatewayInterface from MAC addresses that
# are not on the TrustedMACList, and are destined for
# the router itself. The rules are
# considered in order, and the first rule that matches
# a packet applies to it.
# If there are any rules in this ruleset, a
# packet that does not match any rule is rejected.
#
FirewallRuleSet users-to-router {
 # Nodogsplash automatically allows tcp to GatewayPort,
 # at GatewayAddress, to serve the splash page.
 # However you may want to open up other ports, e.g.
 # 53 for DNS and 67 for DHCP if the router itself is
 # providing these services.
    FirewallRule allow udp port 53
    FirewallRule allow tcp port 53
    FirewallRule allow udp port 67
 # You may want to allow ssh, http, and https to the router
 # for administration from the GatewayInterface. If not,
 # comment these out.
    FirewallRule allow tcp port 22
    FirewallRule allow tcp port 23
    FirewallRule allow tcp port 80
    FirewallRule allow tcp port 443
}
# end FirewallRuleSet users-to-router

# EmptyRuleSetPolicy directives
# The FirewallRuleSets that NoDogSplash permits are:
#
# authenticated-users
# preauthenticated-users
# users-to-router
# trusted-users
# trusted-users-to-router
#
# For each of these, an EmptyRuleSetPolicy can be specified.
# An EmptyRuleSet policy applies to a FirewallRuleSet if the
# FirewallRuleSet is missing from this configuration file,
# or if it exists but contains no FirewallRules.
#
# The possible values of an EmptyRuleSetPolicy are:
# allow -- packets are accepted
# block -- packets are rejected
# passthrough -- packets are passed through to pre-existing firewall rules
#
# Default EmptyRuleSetPolicies are set as follows:
# EmptyRuleSetPolicy authenticated-users passthrough
# EmptyRuleSetPolicy preauthenticated-users block
# EmptyRuleSetPolicy users-to-router block
# EmptyRuleSetPolicy trusted-users allow
# EmptyRuleSetPolicy trusted-users-to-router allow 


# Parameter: GatewayName
# Default: NoDogSplash
#
# Set GatewayName to the name of your gateway. This value
# will be available as variable $gatewayname in the splash page source
# and in status output from ndsctl, but otherwise doesn't matter.
# If none is supplied, the value "NoDogSplash" is used.
#
# GatewayName NoDogSplash 

# Parameter: GatewayAddress
# Default: Discovered from GatewayInterface
#
# This should be autodetected on an OpenWRT system, but if not:
# Set GatewayAddress to the IP address of the router on
# the GatewayInterface. This is the address that the Nodogsplash
# server listens on.
#
# GatewayAddress 192.168.1.1  

# Parameter: ExternalInterface
# Default: Autodetected from /proc/net/route
#
# This should be autodetected on a OpenWRT system, but if not:
#  Set ExtrnalInterface to the 'external' interface on your router,
# i.e. the one which provides the default route to the internet.
# Typically vlan1 for OpenWRT.
#
# ExternalInterface vlan1 

# Parameter: RedirectURL
# Default: none
#
# After authentication, normally a user is redirected
# to their initially requested page.
# If RedirectURL is set, the user is redirected to this URL instead.
#
# RedirectURL http://www.ilesansfil.org/

# Parameter: GatewayPort
# Default: 2050
#
# Nodogsplash's own http server uses GatewayAddress as its IP address.
# The port it listens to at that IP can be set here; default is 2050.
#
# GatewayPort 2050

# Parameter: MaxClients
# Default: 20
#
# Set MaxClients to the maximum number of users allowed to
# connect at any time. (Does not include users on the TrustedMACList,
# who do not authenticate.)
#
# MaxClients 20

# ClientIdleTimeout
# Parameter: ClientIdleTimeout
# Default: 10
#
# Set ClientIdleTimeout to the desired of number of minutes
# of inactivity before a user is automatically 'deauthenticated'.
#
# ClientIdleTimeout 10

# Parameter: ClientForceTimeout
# Default: 360
#
# Set ClientForceTimeout to the desired number of minutes before
# a user is automatically 'deauthenticated', whether active or not
#
# ClientForceTimeout 360

# Parameter: AuthenticateImmediately
# Default: no
#
# Set to yes (or true or 1), to immediately authenticate users
# who make a http port 80 request on the GatewayInterface (that is,
# do not serve a splash page, just redirect to the user's request,
# or to RedirectURL if set).
#
# AuthenticateImmediately no 

# Parameter: MACMechanism
# Default: block
#
# Either block or allow.
# If 'block', MAC addresses on BlockedMACList are blocked from
# authenticating, and all others are allowed.
# If 'allow', MAC addresses on AllowedMACList are allowed to
# authenticate, and all other (non-trusted) MAC's are blocked.
#
# MACMechanism block

# Parameter: BlockedMACList
# Default: none
#
# Comma-separated list of MAC addresses who will be completely blocked
# from the GatewayInterface. Ignored if MACMechanism is allow.
# N.B.: weak security, since MAC addresses are easy to spoof.
#
# BlockedMACList 00:00:DE:AD:BE:EF,00:00:C0:1D:F0:0D

# Parameter: AllowedMACList
# Default: none
#
# Comma-separated list of MAC addresses who will not be completely
# blocked from the GatewayInterface. Ignored if MACMechanism is block.
# N.B.: weak security, since MAC addresses are easy to spoof.
#
# AllowedMACList 00:00:12:34:56:78

# Parameter: TrustedMACList
# Default: none
#
# Comma-separated list of MAC addresses who are not subject to
# authentication, and are not restricted by any FirewallRuleSet.
# N.B.: weak security, since MAC addresses are easy to spoof.
#
# TrustedMACList 00:00:CA:FE:BA:BE, 00:00:C0:01:D0:0D
 

# Parameter: PasswordAuthentication
# Default: no
# Set to yes (or true or 1), to require a password matching
# the Password parameter to be supplied when authenticating.
#
#
# PasswordAuthentication no

# Parameter: Password
# Default: none
# Whitespace delimited string that is compared to user-supplied
# password when authenticating.
#
#
# Password nodog

# Parameter: UsernameAuthentication
# Default: no
# Set to yes (or true or 1), to require a username matching
# the Username parameter to be supplied when authenticating.
#
#
# UsernameAuthentication no

# Parameter: Username
# Default: none
# Whitespace delimited string that is compared to user-supplied
# username when authenticating.
#
#
# Username guest

# Parameter: PasswordAttempts
# Default: 5
# Integer number of failed password/username entries before
# a user is forced to reauthenticate.
#
#
# PasswordAttempts 5

# Parameter: TrafficControl
# Default: no
#
# Set to yes (or true or 1), to enable traffic control in Nodogsplash.
#
# TrafficControl no

# Parameter: DownloadLimit
# Default: 0
#
# If TrafficControl is enabled, this sets the maximum download
# speed to the GatewayInterface, in kilobits per second.
# For example if you have an ADSL connection with 768 kbit
# download speed, and you want to allow about half of that
# bandwidth for the GatewayInterface, set this to 384.
# A value of 0 means no download limiting is done.
#
# DownloadLimit 384

# Parameter: UploadLimit
# Default: 0
#
# If TrafficControl is enabled, this sets the maximum upload
# speed from the GatewayInterface, in kilobits per second.
# For example if you have an ADSL connection with 128 kbit
# upload speed, and you want to allow about half of that
# bandwidth for the GatewayInterface, set this to 64.
# A value of 0 means no upload limiting is done.
#
# UploadLimit 64

# Paramter: GatewayIPRange
# Default: 0.0.0.0/0
#
# By setting this parameter, you can specify a range of IP addresses
# on the GatewayInterface that will be responded to and managed by
# Nodogsplash. Addresses outside this range do not have their packets
# touched by Nodogsplash at all.
# Defaults to 0.0.0.0/0, that is, all addresses.
#
# GatewayIPRange 0.0.0.0/0

Membuka access email

FirewallRuleSet authenticated-users {
...
FirewallRule allow tcp port 995
FirewallRule allow tcp port 993
FirewallRule allow tcp port 465
FirewallRule allow tcp port 110
FirewallRule allow tcp port 143

Membatasi access ke gateway dari hotspot side

FirewallRuleSet users-to-router {
...
#    FirewallRule allow tcp port 22
#    FirewallRule allow tcp port 80
#    FirewallRule allow tcp port 443

Kontrol Bandwidth

Kita dapat membatasi ketersediaan bandwidth ke hotspot (silahkan di atur berdasarkan kebutuhan):

trafficControl yes
...
DownloadLimit 200
...
UploadLimit 100

In backfire 10.03.1rc5 you need to edit /etc/init.d/nodogsplash and uncomment last lines to make bandwidth control to work

    # if not using traffic control,
    # you can comment out the following 3 lines:
    do_module_tests "imq" "numdevs=2"
    do_module_tests "ipt_IMQ"
    do_module_tests "sch_htb"

Note: ipt_IMQ = xt_IMQ

You also need to install some extra kernel modules:

opkg install iptables-mod-imq
opkg install kmod-ipt-imq
opkg install kmod-sched

And some utilities

opkg install ip
opkg install tc

NOTE: In Attitude Adjustment 12.09 there is no iptables-mod-imq package and so the above procedure will fail.

For bandwidth control in Attitude Adjustment 12.09 you can install WonderShaper (which also uses tc as its back-end):

    opkg install wshaper

WonderShaper's UCI config file is stored in /etc/config/wshaper. A simple configuration for a guest network might look like this:

config wshaper 'settings'  
	option network 'public'
	option downlink '64'
	option uplink '512'

Note: The downlink and uplink maximum values will usually need to be reversed from what one might, at first glance, expect. Also note that due to overhead, actual speeds will be slightly lower. Check status

Nodogsplash package provides the ndsctl binary to manage it. Run ndsctl without arguments to see the help.

root@openWrt:~# ndsctl       
Usage: ndsctl [options] command [arguments]

options:
  -s <path>         Path to the socket
  -h                Print usage 

commands:
  status            View the status of nodogsplash
  clients           Display machine-readable client list
  stop              Stop the running nodogsplash
  auth ip           Authenticate user with specified ip
  deauth mac|ip     Deauthenticate user with specified mac or ip
  block mac         Block the given MAC address
  unblock mac       Unblock the given MAC address
  allow mac         Allow the given MAC address
  unallow mac       Unallow the given MAC address
  trust mac         Trust the given MAC address
  untrust mac       Untrust the given MAC address
  loglevel n        Set logging level to n
  password pass     Set gateway password
  username name     Set gateway username

Customise splash page

Edit these files to customize the "splash page" / "error page":

    /etc/nodogsplash/htdocs/splash.html
    /etc/nodogsplash/htdocs/infoskel.html

Note, to include an external *.css file, put it in the images directory, and include as so:

@import url("$imagesdir/stylesheet.css");

Somewhere in splash.html you should include a link for the authentication, e.g:

Click <a href="$authtarget"> HERE</a> to start browsing

Restrict access to domains

If you would want to restrict the access to the IP address 20.20.20.20 you can use this netfilter command (supposing 10.20.30.0/24 is your hotspot network and you redirect clients to your nodogsplash webserver)

  iptables -t nat -I ndsOUT -p tcp -s 10.20.30.0/24 -d 20.20.20.20 --dport 80 -j DNAT --to 10.20.30.1:2050

Restrict access to multiple domains

Some domains resolve to multiple different ip addresses so you need to ban all of them.

   Create /root/banned.txt with the domains to ban (do not add domains with www):
   root@openWrt:~# head /root/banned.txt 
   alice.cc
   malware.ru
   sersnkis.com
   superdupertorrent.com
   ultraload.com
   downloadmuch.com
   Create following script /root/ban-domains.sh:
   #!/bin/sh
    
   for domain in `cat /root/banned.txt`; do
   	dig @8.8.8.8 $domain | egrep [0-9] | grep IN| awk {'print $5'} >> /tmp/ips.txt
   	done
    
   for ip in `cat /tmp/ips.txt`; do
   	iptables -t nat -I ndsOUT -p tcp -s 10.20.30.0/24 -d $ip --dport 80 -j DNAT --to 10.20.30.1:80
   	done
    
   rm -fr /tmp/ips.txt
   run
   chmod +x /root/ban-domains.sh"
   install dig package:
   opkg install bind-dig
   add /root/ban-domains.sh to your /etc/rc.local file.

after executing the script you can check if it works ok running "iptables -t nat -L -n" and you should get something like this:

Chain ndsOUT (1 references)
target     prot opt source               destination         
DNAT       tcp  --  10.20.30.0/24        199.58.211.41       tcp dpt:80 to:10.20.30.1:80 
DNAT       tcp  --  10.20.30.0/24        69.163.39.214       tcp dpt:80 to:10.20.30.1:80 
DNAT       tcp  --  10.20.30.0/24        78.140.135.6        tcp dpt:80 to:10.20.30.1:80 
DNAT       tcp  --  10.20.30.0/24        74.117.114.96       tcp dpt:80 to:10.20.30.1:80 
DNAT       tcp  --  10.20.30.0/24        88.85.73.158        tcp dpt:80 to:10.20.30.1:80 
DNAT       tcp  --  10.20.30.0/24        216.69.227.108      tcp dpt:80 to:10.20.30.1:80 
DNAT       tcp  --  10.20.30.0/24        72.8.129.153        tcp dpt:80 to:10.20.30.1:80 

External links

   Original Nodogsplash project homepage
   Current Nodogsplash source repository
   Nodogsplash OpenWrt package

Misc.

If your configuration does NOT use NAT, you need to check "force connection tracking" in the firewall configuration of the zone nodogsplash is handling. Without connection tracking, the NAT tables of will not run and redirecting to the splash page does not work. NoDogSplash on OpenWRT 12.09+ Access Point

The following instructions are touching NoDogSplash configuration on the OpenWRT 12.09 and later firmwares with "router" configured as a switch or Access Point (AP). OpenWrt is not configured as a router here! This is a common setup where users want to add additional AP to extend their home WiFi coverage and do not want to mess with router from their Internet providers. Example setup:

   Non OpenWRT router for intranet with address 192.168.1.1
   OpenWRT AP with static address 192.168.1.3
   Clients get DHCP subnet range 192.168.1.200-250 by router
   Clients can connect to AP WiFi within secure SSID
   Guest hotspot SSID are getting their own 192.168.15.0/24 subnet and DHCP on isolated segment

Configuration of the AP is as usual except that AP needs to have NAT for the hotspot segment only. To achieve this one needs to add custom iptables rule

iptables -A POSTROUTING -t nat -j SNAT --to-source 192.168.1.3

and delete all provided firewall rules fy using OpenWRT web interface.

Detailed configuration for AP only OpenWRT is:

   Install package nodogsplash
   With web interface Network→WiFi create: additional ESSID named hotstpot and create additional network hotstpot along with existing lan and unused wan.
   Edit Network→Interfaces→HOTSPOT and select Protocol: Static address with IPv4 address 192.168.5.1 and Netmask: 255.255.255.0. Leave gateway, broadcast and DNS servers empty. Add DHCP server for this interface with default settings. This HOTSPOT interface is internally named as wlan0-1 and will be used as NoDogSplash gateway address.
   Edit Network→DHCP and DNS-Forwarder by unchecking Authoritative and add DNS forwardings: 192.168.1.1 to router DNS masquerading and/or external DNS servers from your internet provider.
   Remove all Network→Firewall Zones and add Network→Firewall→Custom Rules by adding iptables rule described above.
   Change /etc/nodogsplash/nodogsplash.conf affected lines to
       GatewayInterface wlan0-1
       ExternalInterface br-lan

FirewallRuleSet authenticated-users can remain unchanged. You can also start iptables SNAT command manually if not rebooted meanwhile. Check the presence of this rule by iptables -t nat -v -n -L. Enable and start NoDogSplash. After above setup everything should work. Trafic shapping due to the lack of IMQ currently does not work on OpenWrt 12.09 (Attitude Adjustment). One possibility is to install qos-scripts and luci-app-qos. Adding additional interface HOTSPOT to QOS configuration cannot separate between WAN and HOTSPOT bandwidth limit. One can choose to limit NoDogSplash and secure WiFi together to certain Upload and Download rate, but not separate! Quick NoDogSplash Setup Example

This is a quick setup for Nodogsplash. It shows a splash page for any web acccess comming from br-lan.

/etc/nodogsplash/nodogsplash.conf

GatewayInterface br-lan 

FirewallRuleSet preauthenticated-users {
 FirewallRule allow tcp port 53
 FirewallRule allow udp port 53
 FirewallRule allow icmp
}
EmptyRuleSetPolicy authenticated-users passthrough
EmptyRuleSetPolicy users-to-router passthrough
EmptyRuleSetPolicy trusted-users allow
EmptyRuleSetPolicy trusted-users-to-router passthrough 
MaxClients 30
ClientIdleTimeout 10
ClientForceTimeout 240

For the actual splash site place these example files as follows:

/etc/nodogsplash/htdocs/splash.html
/etc/nodogsplash/htdocs/infoskel.html
/etc/nodogsplash/htdocs/images/splash.jpg



Referensi