Hello, I have a lot of questions about the configuration of an access point to a local router. I'm running an apache server on a laptop and want to provide local access to this server but no internet. I configured the original firmware of a TL-WR802Nv4 as AP and UPnP did the rest. DHCP handed out an IP for the server and the clients had to enter this IP in their address bar.
This works but is inconvenient for two reasons:
List item The server may change frequently and I have to use a new IP with every new server.
List item .The use of IPs as URLs is very unhandy.
This is where I decided to give a chance to openwrt.
The router has 1 lan port and would be nice to bind a static IP to that port rather than to the mac address. I was hoping for something like 'ifname eth0 -> IP=xxxxx' - I didn't find such an option in the 'host setting' section of the dhcp file. At present I bind the static IP to the mac address of the server and can attach a name to it. That better than using the IP itself but what i really want is an automatic redirect to the server when a client logs into the wlan net.
After searching quite a while I always find these 2 suggestions:
List item use NAT with something like iptables -A PREROUTING -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.1
List item use a captive portal
The captive portal seems to be a bit over the tops since I don't need the authentification part.
So I worked on the IP redirect with no success and a lot of confusion! As suggested in the openwrt documentation the eth0 and wlan0 interface of the router are bridged and I'm left with a single 'br-lan' interface in the firewall zone lan - there is no wan at all. I thought of the apache server playing the wan part but that's not the case. Now the big question is what can a firewall do with only one zone? I tried to set up two interfaces with eth0 and wlan0 separated but that does not work and gives the error that wlan0 does not exists. Can anyone give me a helping hand or point me in the right direction?
I use a static IP for the server but I still have to reconfigure the the router for every new server.
I don't know what the layer3 function is but I'm aware of wifidog etc. and that's why I prefer the 'NAT' solution. However I can't get that to work.
Sorry for that - my mistake. I tried it with -t nat and no success. Meanwhile I got more information! I put that line in the firewall.user file and when I restart the firewall on the shell I see two hopefully useful messages
Warning: Unable to locate ipset utility, disabling ipset support
iptables: No chain/target/match by that name.
The second one is strange: when I type 'ipt' and hit 'TAB' 'iptable' is completed.
About the first one I have a stupid question: How can I install the iset package? When I plug the router to the Internet via lan I can reach the Internet but I can't ssh the router (192.168.1.1). Thanks for any advice!
I am not sure I understand correctly, but if what you are trying to is to provide access to the server from the local machines but prevent the server from accessing Internet or being accessed from Internet?
If so, then why not just set a static IP on the server NIC (outside the router's DHCP pool) and leave the DNS fields blank?
Captive portal is really the way to do this since the key functionality that you want is for ANY site a user requests to "bounce" and instead show the home page from your private server. This is already fully implemented in a captive portal.
Within OpenWrt you would have a captive network, which is only the wireless AP and (in the case of coova-chilli) it is managed in userspace by the portal software. The web server can be on the router's LAN or even a WAN network, which would let you better firewall users out of trying to hack into the router itself.
It should not be necessary to do any low-level tinkering with iptables.
Sorry but I'm new in this forum. mk24 describes what I want to achieve. The idea is that every traffic coming form a client (192.168.1.0) is directed to the server (192.168.191). As to the capture portal: I want to avoid doing the 'authentification ' staff. And I'm still not able install packages.
You'd set up a captive portal except your server never provides the user a button, payment, etc. to connect to the Internet-- because you're not providing Internet. You can have any number of pages in your site because once they have loaded the first page, the IP (or you can use a name, and set up OpenWrt to DNS it to a fixed IP) of your server will be in their browser, and all of your links will be relative within the same site.
The opkg installation system is intended for the router to be connected to the Internet during package installation. Then it can be disconnected.
This isn't a client. It's invalid as a client IP using a subnet of 255.255.255.0. It's a network address.
This is likely why your firewall rule doesn't work.
This doesn't explain why you want to install ipset; nor why you are creating a firewall rule with an invalid network address used as a client IP in the same subnet as the destination.
You need Internet, or Internet on another device to copy all the packages over. They don't magically appear.
It seems like you just need to make a domain name (e.g. example.com and/or www.example.com) in the OpenWrt's DNS for the server at 192.168.1.191 - and you're done! Traffic doesn't pass a firewall on the same network.
Obviously I'm not an expert in network stuff, that's the reason why I post my questions in this forum. I spent a few days to figure it out on my own but it is very time consuming to find each bit of information one needs. The iptables line is stolen from here:
You may believe it or not: I do know that packages need to be downloaded. And I do know that one needs the Internet for this. The problem seems to be that I have access to the Internet vie lan only. As mentioned earlier when plugin the router in my Internet switch I can't connect to the router anymore. I know one copy the packages to /tmp and install from there. I even managed to find out where the packages are and also the instruction set of my router. But there is not only one package but a number of them with slightly different names - which one to choose? Why I want to install ipset - well for me it sounds like set an ip and that's what I want to do.
It really works a lot better to connect to the Internet and have opkg find the packages for you.
With a single Ethernet port it is a little more difficult but still there are ways:
Set up a wifi AP on LAN, log into the router by wifi, reconfigure the Ethernet port as WAN
Set up a wifi STA as WAN (requires existing wifi network linked to Internet, or smartphone in hotspot mode). This configuration is also known as a routed client.
Reconfigure LAN network so OpenWrt box is an endpoint on the LAN and not the master of it. Then connect Ethernet to existing LAN. This is more difficult to undo than the options above, so should be considered mostly if you're going to permanently operate as a LAN device.
Don't you think this is quite confusing...when the OP already has a misconception that they can make a firewall rule in LAN to redirect to a LAN web server?
I just wanted to clarify this before we added to the confusion by assisting to get packages installed they likely don't need.
Hummmmmm...you've only described a LAN, this makes sense.
Where'd you plug it in?
Does that network also happen to be 192.168.1.0/24 (BTW /24 == 255.255.255.0)?
Do you try from the same location?
You should never loose connection
You have a responsibility to be clear as well to get the best responses. Listing you want to install IPset and you gleaned a firewall rule, but don't know why - doesn't help with that. It's just gonna be ignored - as it seems to frustrate you; as if we know why you mentioned them.
I only realized you must have a web server on LAN and improperly making a port forward
@mk24 made it clear that you had no intentions to use the Internet
Since you control this closed network (and they have no other DNS server to access), he (and I) assume you can make a DNS entry for this server
every number you mentioned thus far is in the 192.168.1.0/24 range - so again, I assume the same LAN
Hence they would be directed to it
If that won't work, let us know why. No packages or firewall configs are needed to implement this solution.
I really want to mention that I felt uncomfortable with eth0 and wlan0 in the same net and I wondered what a Firewall can do right in the beginning - read first and then complain.
However, I did the suggested changes in /etc/config/dhcp with 'example' replaced by 'umfrage'. I can now access my local server with 'umfrage.com'. That's a step in the right direction but no capturing yet. I guess I should try one of those capture portals. I can't download the package today since this reconfigure of the router seems to be to complicated for me. Tomorrow I can get the credentials of the wlan at the place I'm currently working.