Spelling: MWRPHotspot
This is a package for Melbourne Wireless Nodes to implement a simple
LIGHT-WEIGHT captive portal. The majority of existing captive portal
applications are more comercially oriented and often require the setup
of a radius server.
Latest released version is v0.8.1. Released 14/08/2006.
* Typical Setup [1]
* Dan\'s Suggested Development Roadmap [2]
* After version 0.8.1... [3]
* Solve double-NAT issue [4]
* Simple Config option [5]
* Ready for Beta users. [6]
* Hotspot [7]
* Disclaimer [8]
* How it works [9]
* What is involved [10]
* Firewall [11]
* Platforms [12]
* OpenWrt package [13]
* Other Linux [14]
* CVS access [15]
* Non-Linux [16]
* Customization and configuration [17]
* 1. Select Zones [18]
* 2. Configure Zone [19]
* 3. Manage ACL [20]
* 4. Configure ports [21]
* Moving capture httpd to non standard port [22]
* Problems [23]
* Internet connection [24]
* Limited set of ports able to be opened for members and public
users [25]
* Beta testing comments & questions [26]
TYPICAL SETUP
----------- | DHCP | | Client | | (Laptop)| | | ----------- | |-WiFi
- 'melbournewireless.org.au' Adhoc SSID (Behind NAT) |-10.10.x.x |
------------ | Melb | | Wireless | | Node | | running | | MWHotspot|
------------ | |-Node Owner's wired LAN (Behind NAT) |-192.168.x.x |
------------ | Node | | Owner's | | Internet | | NAT | | Router |
------------ | |-Broadband ISP connection |-To Node Owner's Premesis |
////// / Internet / / / ////// | |-Authentication between Hotspot node
and wireless.org.au server | ----------- | WoA [27] | | Server | |
running | | MW User | | Database| -----------
DAN\'S SUGGESTED DEVELOPMENT ROADMAP
AFTER VERSION 0.8.1...
SOLVE DOUBLE-NAT ISSUE
* Most Hotspot routers will not be directly connectedto the Internet
- they will be on a LAN behind a NAT router. To complete
authentication, the WoA [28] server must communicate with the Hotspot
router. If the Hotspot router is behind NAT, the WoA [29] server can't
reach it. The Node Owner must set up port-forwarding on their Internet
Router to allow the the WoA [30] server access. This requirement is
undesirable as it detracts from the "plug-and-playability" of the
Hotspot router. To make a MW Node as easy as possible to install, it
is important be able to "drop-in" the Hotspot onto any
Internet-connected LAN without any configuration. We could do this two
ways:
* Implement an unencrypted IP tunnel between Hotspot node and WoA
[31] Server. CIPE or OpenVPN [32] seem good options but the Linux
kernels on the node and WoA [33] server will need support compiled in.
* Set up the Hotspot so it initiates all connections with the WoA
[34] server - after the username and password have been sent by the
DHCP Client, the Hotspot contacts the WoA [35] server with the
Client's MAC address and asks if it has been authenticated.
SIMPLE CONFIG OPTION
* When used with the Melbourne Wireless Firmware - at the download
stage and also inside the firmware itself, there should be a simple
Yes/No question: "Do you want to share your Internet Access with
Melbourne Wireless members?".
* If YES:
* OLSR Dynamic Gateway plugin is activated
* If Internet is really available:
* Hotspot prompts DHCP clients with username/password
* If Internet not actually available:
* Hotspot displays Internet Not Available page
* If NO:
* OLSR Dynamic Gateway plugin is deactivated
* Hotspot displays Internet Not Available page
* Node owner can still manually add entries to the Access Control
List to allow specified DHCP Clients access to the Internet
* Obviously we would need to include one or two pre-packaged
configurations and answering Yes or No activates the appropriate
config
* At all times (if Internet is available or not), a Guest Access
option should be available - this allows a DHCP client to browse the
Melbourne Wireless network. The Hotspot should only enforce this upon
local DHCP clients. Routed traffic from other nodes with a 10.10.x.x
destination should be allowed to pass without any splash page being
displayed to them - this stops people being multi-splashed on multihop
paths.
READY FOR BETA USERS.
If you have a WRT and want to run it as a hotspot and know a little
about iptables ( or want to ) then install the package and give it a
try leave any questions or feedback at the bottom of this page
HOTSPOT
This implementation is based on a few simple concepts:
* Use of MW website sign-on to authenticate users, so you do need to
have a route to the Intenet.
* Interception of incoming http requests from connected but
not-signed-on users
* Modification of web server to return a 301 (redirect) instead of a
404 (Not Found) messages to "capture" a user trying to access a web
page that they cannot get to because of the Node firewall.
There is a default SPLASH page that lists terms and conditions of
network access. A user may connect to the network if they agree with
the T&Cs. There is also a check box to indicate if you are a Melbourne
Wireless member.
The Node owner can decide what level of access (full, restricted or
none) they want to grant the public and a MW member. Restricted levels
of access can be set up that allow only specified services ( e.g.
POP3, SSH, certain web sites).
DISCLAIMER
This package is not for everyone. If you know your way around
iptables then you probably don't need it. It is intended for people
that are not comfortable tweaking these things but want to open their
node up in a controlled manner.
Also, if you try this and things go wrong I'll try to get you going
again, but you may have to wait until I have time to do it. I offer no
warrenty or suitability of purpose etc. etc.
If you are unsure then don't install it just now, wait until the beta
testing has worked out the remaining bugs.
HOW IT WORKS
On boot up an init script ( S45firewall ) sets up your firewall. In
the PREROUTING table it redirects all http traffic from the wireless
interface to the access port of the patched httpd. This is the
capture. All other traffic from the wireless interface is REJECTED.
The user is presented with a splash page (like this ). If they do not
accept the T&Cs then they get a page requesting they dis-associate
form the network. They will not be able to do anything as the firewall
will DROP their packets.
If the user is a MW member and check the option, they will get a
redirect to the MW web site and get a sign-on page. If they correctly
sign on then the firewall will be modified to allow them through.
A member of the public does not have to sign-on, once they accept the
T&Cs they get re-directed to a welcome page ( like this ) that lets
then know what access they have.
Once the user has been added to either the PUBLIC_USERS or
MEMBER_USERS table then they are able to access the network and
services as defined for the group they are in.
WHAT IS INVOLVED
* Simple init script to set up the firewall
* Some commands for adding and removing users from iptables
* Some web pages and some cgi-scripts
* A modified (tiny) httpd to handle the captured users
* You will need the ip-tables mac module in your Linux distribution.
There are two parts of this, 1) the kernel module ipt_mac.o and 2) the
iptables loadable module
FIREWALL
If you are running the hotspot package then it becomes your firewall.
It is configured using iptables and is very tight. You choose what
ports and services you want to allow each class of user. See
MWRPfirewall for a more detailed description and hints on how to set
it up if you have a different arrangement of ports and interfaces.
PLATFORMS
OPENWRT PACKAGE
The Beta version is available to download. You can download it and
install from a local machine or run
ipkg install
http://melbournewireless.org.au/files/wrt54/Packages/mwhotspot_0.8.1_mipsel.ipk
Once installed it will add Melb Wireless to your packages and you can
install updates easily by entering
ipkg update ipkg mwhotspot
OTHER LINUX
There is a general tarball that you can download and install. There
are only a few moving parts so it's not that dificult. Included is a
tiny httpd for x86 that will be installed with the tarball. This can
be run on a non-standard port allowing the "captured" http requests to
be processed correctly while signed-on users cold access web content
from a regular (un-modified) web server.
CVS ACCESS
CVS access is available. Use the following:
$ export CVSROOT=:pserver:anoncvs@wireless.org.au:/var/cvs $ cvs
checkout mwrp
NON-LINUX
Sorry, this is based around manipulating the netfilter parameters
using iptables.
CUSTOMIZATION AND CONFIGURATION
Once the package is installed there is a simple shell script menu (
/bin/hotpot/menuconfig ). Running this script will generate your
hotspot configuration data.
* /etc/hotspot/hotspot.cfg, configuration env vars used by
S45firewall
* /etc/hotspot/hotspot.acl, pre-defined mac addresses and their
acess groups
* /etc/hotspot/hotspot.ports, open ports for member and public
groups
You can run the script as may times as you want, at any time. The
changes will not come into effect until the S45firewall is reloaded (
either by running it from the command line or rebooting ).
Melbourne Wireless hotspot
Configuration Menu ------------------ 1. Select Zones 2. Configure
Zone 3. Manage ACL 4. Configure ports 5. Exit, Save changes 6. Quit
Don't save -------------------
make selection (1-6)
1. SELECT ZONES
You are presented with the names of the four configurable zones here:
* LAN, the PUBLIC zone your hotspot will expose
* WAN, the zone of the Internet connection if connected directly
* PRI, your private LAN zone if the node is connected to one
* DMZ, your DMZ segment if you have one ( this is not coded out yet)
You need to select the zones you want first before doing any further
configuration.
2. CONFIGURE ZONE
For each of the zones you selected in part 1. of the menu there are a
number of configuration parameters that need to be captured. A simple
set of questions ask for the name of the interface (i.e. br0, vlan1,
eth1) IP addresses and other configuration information NEEDED FOR THE
HOTSPOT AND FIREWALL ONLY. This will not do any configuration of the
NVRAM variables, interfaces or routing and bridging. If you try to
configure a zone and get a message indicating the zone is not
configured go back to !. Select Zones and re-select the zone.
3. MANAGE ACL
A privileged user is one that does not have to go through the capture
process, i.e. your own laptop machine. Using this mechanism I have
turned of the AP I was using internally as my laptop can now just pass
through my MW Node instead.
Privileged users information is maintained in the file
/etc/hotspot/hotspot.acl. A line in this file looks like this:
00:03:23:d3:b1:34 myhotspot1 owner allow 00:30:45:ea:2d:f7
badguy public deny
4. CONFIGURE PORTS
In this menu section you are able to select the access to grant MW
members and the general public ( full, restricted, none). If
RESTRICTED access is selected then you are prompted for ports that
should be open for this group of users.
A future enhancement will make this a bit easier to use and allow you
to capture IP addresses or address ranges.
MOVING CAPTURE HTTPD TO NON STANDARD PORT
The httpd that is provided in the package is a very lightweight one.
For a full linux distribution you probably want to keep using your
existing web server and should just run the tiny httpd on a different
port.
Using menuconfig select CONFIGURE ZONES and LAN ZONE. One of the
options there will be for setting the port used by the capture httpd.
Changing this option to another number will set an environment
variable \'HS_LAN_CAPTURE_PORT that is used by both the S45firewall
and the S50httpd scripts.
In the S45firewall script
$IPT -t nat -A PREROUTING -p tcp --destport 80 -j DNAT --to
${NETIP}:${HS_LAN_CAPTURE_PORT:-80}
In the S50httpd script
grr- example here breaks wiki page formatting
All unauthorized user traffic will get captured in PREROUTING and
redirected to port 8086. Once the user is authorized then they will
get ACCEPTed in PREROUTING before this line so their port 80 traffic
will be unaffected.
PROBLEMS
INTERNET CONNECTION
When configuring the script if you are not connected to the internet
then you may not be able to correctly resolve names. The router should
be configured as a DNS proxy and the DHCP server should have the
appropriate options configured to tell DHCP clients to use the router
as the DNS resolver. The firewall script is set up to allow icmp, dhcp
and dns traffic from the public LAN segment to the router rather than
forward it to other devices.
LIMITED SET OF PORTS ABLE TO BE OPENED FOR MEMBERS AND PUBLIC USERS
This was a first pass list any ports you think should be included in
the menu and I'll add them. I could also add a little bit of code to
add any port I suppose.
BETA TESTING COMMENTS & QUESTIONS
Excellent work Dave - I've just installed it on a WRT54G v3.1 running
WhiteRussian [36] RC4. Just one thing - RC4 now has it's own web
interface "webif" that also uses /www/index.html on the default port.
I had to remove the "webif" package before I could install
MWRPhotspot._OK, There is no reason we need to re-direct to
index.html, will try it out with a different name to avoid confusion_
The splash page should probably appear on port 80 on the wireless
interface whilst the admin webpage should appear on port 80 the lan
interface. Likewise, port 8086 could be used as an "obscure port" to
allow the admin to see the admin webpage via the wireless interface,
and to preview the splash page on the LAN port _ will make this
configurable _
To summarise my recommended defaults:
On the Public WIFI (and maybe WAN) interface:
Port 80 - mwhotspot (redirect to 8086), Port 8080 webif
On the Private LAN interface:
Port 80 - webif, Port 8086 mwhotspot - no redirect
* Another thing - the scripts are in /bin/hotspot, but the package
does not append /bin/hostpot to the $PATH, so the menuconfig script
fails unless you modify $PATH manually. _ I was wondering if they
should just be in /bin or /usr/bin to avoid this issue _
* With the Select Zones bit - perhaps have preset defaults already
set, and display these zones at the top menu. _ once you have runit
the first timethere are default values for each parameter. Perhaps I
should include a DEFAULT/EXAMPLE hotspot.cfg so there are defaults the
first time through_
* With Configure Zones - everything I select says "XXX zone not
configured" - do I need to do something else before configuring zones?
Other than that, I like the submenu structure here. _ You need to
select the zones under option 1. first, then you can configure the
ones you selected_
* What does ACL mean? Access Control List I suppose, but this might
be intimidating for some users - perhaps some docs here _. Also, when
you display this page, show the existing ACL entries - or maybe even
on a "status" page that displays all the current settings. once you
have configured some then you get walked through the list with a
keep/discard choice. May be able to make this clearer _
* Can we have a menu option to change the IP address/web address
that the user is redirected to? At the moment it wants to go to
10.10.1.65 and it's hard-coded into index.html. _ The address is in
index.html but that should get patched during the install. In the
postinstall script as part of ipkg your lan_addr should be set from
the nvram variable. I probably need to run this patch each time you
run the configuration script_
Since OpenWRT [37] now has a web interface, It'd be nice if these
menuconfig scripts were web-based also. I believe webif has been
designed for "plug-in" interfaces for other packages. _ The script
based menu was easy for me- non-web person to offer configuration for
the masses. All it does is set variables in files that are used by the
other parts of the package. A web knowledgable person should be able
to do the same in a few hours using the script as a template_
In general, this package is a corker - it is already much better than
NoCatSplash [38] - which I've used and had all sorts of trouble with.
It'd be nice if the config scripts could do a bit of autoconfiguring
- i.e. doing ifconfig and iwconfig and working out what interface is
what - and presenting these interfaces to the user and ask him/her
which is public or private. Under Openwrt, having the public wireless
interface separate from the LAN would require breaking the bridge -
perhaps we could distribute a package that does this automatically by
setting the appropriate NVRAM vars - with the appropriate warnings and
"are you sure" dialogs. _ yeah, We almost ask all the right questions.
I can do the auto config in the next pass. Wanted to get this bit
locked down before moving forward though._
A package like this raises a couple of political points too - do we
want to say that Internet access is being provided by Melbourne
Wireless? I notice that the terms and conditions are a bit of a cut
and paste job - but that's OK I understand it's beta software. We
should sit down and discuss what we want the splash page to say. _ I
Defer to the comittee on this. It can say whatever they want it to
say. I will add a choice of splash to the config menu so we can have
the theemes as you have suggested_
My personal view is that perhaps in the future the package should be
"themeable" - and that the Melb Wireless look should be one of many
themes. the default theme should be a generic splash page with generic
T&Cs. _ yep - will do_
But once again, great job! _thanks! - happy to help move the ball
forward here_
Links:
------
[1] http://melbournewireless.org.au/#typical_setup
[2]
http://melbournewireless.org.au/#dan_s_suggested_development_roadmap
[3] http://melbournewireless.org.au/#after_version_0_8_1___
[4] http://melbournewireless.org.au/#solve_double_nat_issue
[5] http://melbournewireless.org.au/#simple_config_option
[6] http://melbournewireless.org.au/#ready_for_beta_users__
[7] http://melbournewireless.org.au/#hotspot
[8] http://melbournewireless.org.au/#disclaimer
[9] http://melbournewireless.org.au/#how_it_works
[10] http://melbournewireless.org.au/#what_is_involved
[11] http://melbournewireless.org.au/#firewall
[12] http://melbournewireless.org.au/#platforms
[13] http://melbournewireless.org.au/#openwrt_package
[14] http://melbournewireless.org.au/#other_linux
[15] http://melbournewireless.org.au/#cvs_access
[16] http://melbournewireless.org.au/#non_linux
[17] http://melbournewireless.org.au/#customization_and_configuration
[18] http://melbournewireless.org.au/#1__select_zones
[19] http://melbournewireless.org.au/#2__configure_zone
[20] http://melbournewireless.org.au/#3__manage_acl
[21] http://melbournewireless.org.au/#4__configure_ports
[22]
http://melbournewireless.org.au/#moving_capture_httpd_to_non_standard_port
[23] http://melbournewireless.org.au/#problems
[24] http://melbournewireless.org.au/#internet_connection
[25]
http://melbournewireless.org.au/#limited_set_of_ports_able_to_be_opened_for_members_and_public_users
[26]
http://melbournewireless.org.au/#beta_testing_comments___questions
[27] http://melbournewireless.org.au/?WoA
[28] http://melbournewireless.org.au/?WoA
[29] http://melbournewireless.org.au/?WoA
[30] http://melbournewireless.org.au/?WoA
[31] http://melbournewireless.org.au/?WoA
[32] http://melbournewireless.org.au/?OpenVPN
[33] http://melbournewireless.org.au/?WoA
[34] http://melbournewireless.org.au/?WoA
[35] http://melbournewireless.org.au/?WoA
[36] http://melbournewireless.org.au/?WhiteRussian
[37] http://melbournewireless.org.au/?OpenWRT
[38] http://melbournewireless.org.au/?NoCatSplash
[EditText] [Spelling] [Current] [Raw] [Code] [Diff] [Subscribe] [VersionHistory] [Revert] [Delete] [RecentChanges]