home  wiki   index.php

MWRPHotspot

Ready for Beta users.

If you have a WRT and want to run it as a hotspot

and know a little about iptables ( or want to )

then install the package and give it a try

leave any questions or feedback at the bottom of this page

Hotspot

 This is a package for Melbourne Wireless Nodes to implement a simple light-weight captive portal. The majority of existing captive portal applications are more comercially oriented and often require the setup of a radius server.

This implementation is based on a few simple concepts:

There is a default splash page that lists terms and conditions of network access. A user may connect to the network if they agree with the T&Cs. There is also a check box to indicate if you are a Melbourne Wireless member.

The Node owner can decide what level of access (full, restricted or none) they want to grant the public and a MW member. Restricted levels of access can be set up that allow only specified services ( e.g. POP3, SSH, certain web sites).

Disclaimer

 This package is not for everyone. If you know your way around iptables then you probably don't need it. It is intended for people that are not comfortable tweaking these things but want to open their node up in a controlled manner.

Also, if you try this and things go wrong I'll try to get you going again, but you may have to wait until I have time to do it. I offer no warrenty or suitability of purpose etc. etc.

If you are unsure then don't install it just now, wait until the beta testing has worked out the remaining bugs.

How it works

 On boot up an init script ( S45firewall ) sets up your firewall. In the PREROUTING table it redirects all http traffic from the wireless interface to the access port of the patched httpd. This is the capture. All other traffic from the wireless interface is REJECTED.

The user is presented with a splash page (like this ). If they do not accept the T&Cs then they get a page requesting they dis-associate form the network. They will not be able to do anything as the firewall will DROP their packets.

If the user is a MW member and check the option, they will get a redirect to the MW web site and get a sign-on page. If they correctly sign on then the firewall will be modified to allow them through.

A member of the public does not have to sign-on, once they accept the T&Cs they get re-directed to a welcome page ( like this ) that lets then know what access they have.

Once the user has been added to either the public_users or member_users table then they are able to access the network and services as defined for the group they are in.

What is involved

Firewall

 If you are running the hotspot package then it becomes your firewall. It is configured using iptables and is very tight. You choose what ports and services you want to allow each class of user. See MWRPfirewall for a more detailed description and hints on how to set it up if you have a different arrangement of ports and interfaces.

Platforms

OpenWrt package

 The Beta version is available to download. You can downlaod it and install from a local machine or run 
 ipkg install http://melbournewireless.org.au/files/wrt54/Packages/mwhotspot_0.8_mipsel.ipk

Once installed it will add Melb Wireless to your packages and you can install updates easily by entering
ipkg update
ipkg mwhotspot

Other Linux

 There is a general tarball that you can download and install. There are only a few moving parts so it's not that dificult. Included is a tiny httpd for x86 that will be installed with the tarball. This can be run on a non-standard port allowing the "captured" http requests to be processed correctly while signed-on users cold access web content from a regular (un-modified) web server.

Non-Linux

 Sorry, this is based around manipulating the netfilter parameters using iptables.

Customization and configuration

 Once the package is installed there is a simple shell script menu ( /bin/hotpot/menuconfig ). Running this script will generate your hotspot configuration data.

You can run the script as may times as you want, at any time. The changes will not come into effect until the S45firewall is reloaded ( either by running it from the command line or rebooting ). 
Melbourne Wireless hotspot

Configuration Menu
------------------
1. Select Zones
2. Configure Zone
3. Manage ACL
4. Configure ports
5. Exit, Save changes
6. Quit Don't save
-------------------

make selection (1-6)

1. Select Zones

 You are presented with the names of the four configurable zones here:

2. Configure Zone

 For each of the zones you selected in part 1. of the menu there are a number of configuration parameters that need to be captured. A simple set of questions ask for the name of the interface (i.e. br0, vlan1, eth1) IP addresses and other configuration information needed for the hotspot and firewall only. This will not do any configuration of the NVRAM variables, interfaces or routing and bridging.

3. Manage ACL

 A privileged user is one that does not have to go through the capture process, i.e. your own laptop machine. Using this mechanism I have turned of the AP I was using internally as my laptop can now just pass through my MW Node instead.

Privileged users information is maintained in the file /etc/hotspot/hotspot.acl. A line in this file looks like this:
 <mac address>        <hostname>   <group>  <access>
 00:03:23:d3:b1:34    myhotspot1    owner    allow
 00:30:45:ea:2d:f7    badguy        public   deny

4. Configure ports

 In this menu section you are able to select the access to grant MW members and the general public ( full, restricted, none). If restricted access is selected then you are prompted for ports that should be open for this group of users.

A future enhancement will make this a bit easier to use and allow you to capture IP addresses or address ranges.

Moving capture httpd to non standard port

 The httpd that is provided in the package is a very lightweight one. For a full linux distribution you probably want to keep using your existing web server and should just run the tiny httpd on a different port.

Using menuconfig select Configure Zones and LAN zone. One of the options there will be for setting the port used by the capture httpd. Changing this option to another number will set an environment variable 'HS_LAN_CAPTURE_PORT that is used by both the S45firewall and the S50httpd scripts.

In the S45firewall script
 $IPT -t nat -A PREROUTING -p tcp --destport 80 
  -j DNAT --to ${NETIP}:${HS_LAN_CAPTURE_PORT:-80}


In the S50httpd script
 /usr/sbin/httpd -p ${HS_LAN_CAPTURE_PORT:-80} -b /www -d MW Hotspot


All unauthorized user traffic will get captured in PREROUTING and redirected to port 8086. Once the user is authorized then they will get ACCEPTed in PREROUTING before this line so their port 80 traffic will be unaffected.

Problems

Internet connection

 WHen configuring the script if you are not connected to the internet then you may not be able to correctly resolve names. The router should be configured as a DNS proxy and the DHCP server should have the appropriate options configured to tell DHCP clients to use the router as the DNS resolver. The firewall script is set up to allow icmp, dhcp and dns traffic from the public LAN segment to the router rather than forward it to other devices.

limited set of ports able to be opened for members and public users

 This was a first pass list any ports you think should be included in the menu and I'll add them. I could also add a little bit of code to add any port I suppose.

Beta testing comments & questions

Version 3 (old) modified Mon, 26 Jul 2021 12:49:29 +0000 by Dan
[EditText] [Spelling] [Current] [Raw] [Code] [Diff] [Subscribe] [VersionHistory] [Revert] [Delete] [RecentChanges]
© Melbourne Wireless Inc. 2012
> home> about> events> files> members> maps> wiki board   > home   > categories   > search   > changes   > formatting   > extras> site map

Username
Password

 Remember me.
>

> forgotten password?
> register?
currently 0 users online
Node Statistics
building132
gathering192
interested515
operational242
testing216