Access point for local server

Do I understand correctly that you want to put a web server on your LAN, and then you want this all isolated from the internet... anyone who connects to the LAN and tries to browse any site at all gets connected to the web-server you put on your LAN?

The first thing you will notice about this situation is that without the internet a client will browse to something... say http://www.buzzfeed.com and then the browser will send a DNS request to the OpenWrt router for A and AAAA records for "www.buzzfeed.com" and ... then nothing because without the internet there will be no DNS lookup.

If you figure out a way to get dnsmasq to respond to random internet domain names with the IP address of your LAN server then problem solved. However I don't know if dnsmasq is capable of having some "catch all" DNS response? If you can't figure out how to do that catch-all response, then it'll never work because the browser will never get to the point where it even initiates a port 80 connection.

Finally, most sites are HTTPS and go over port 443 these days, and there is no way to spoof that; your redirection will just fail with invalid certificates.


Well, I'll try to explain the use case more clearly. The whole project is about the education of teachers. The idea is to do a survey in the classroom at the end of a lesson. So we have a teacher with his private laptop. We provide a USB stick with the necessary software (LAMP stack) installed and we provide the router. The part with the USB stick is done and works well.
The part with the router is the thing I'm trying to do now. Since every teacher uses his own laptop, the MAC address of the server changes frequently and I'm looking for a way to avoid configuring the router for every new MAC address. That's why I asked if a static IP can be associated with an interface (eth0) rather than with a MAC address. People who tried the procedure as it is implemented presently report that the pupils need more time to connect to the server than to actually answer the questions. I'm looking for a way to speed up the login procedure, i.e. something like a capture. There is the explicit wish not to use the Internet (and indeed some schools don't even have public Internet) and I don't have to care about https.

Hopefully this helps to understand my questions.

Whoa, this is the first time I understood that - not possible as described...but...

  • you can make a VLAN/SSID...that only assigns one IP address for the teacher
    • it only provides access to the teacher; and
    • you only give the teacher instructions/credentials to join
  • then, the other VLAN/SSID can be for the survey participants to use/join

This obviously requires:

  • making another (V)LAN; and
  • allowing the survey participants' VLAN/network access to the HTTP server - via that Port Forward (well actually, in this case - a Traffic Rule) you've been desiring to make :wink:

It is possible to make a reserved DHCP entry by hostname instead of MAC address. This is generally preferable because it will still work if hardware is replaced. I note that only in passing, now forget it because I wouldn't even do that here.

The USB stick should be configured so the server it runs has a static IP. I would put the server on the wan side of OpenWrt and configure the wan interface static as well to link to the server. The users of the AP are on the lan side and get DHCP addresses from OpenWrt conventionally. This network will be a different IP subnet than the WAN. This is the default OpenWrt or other home router configuration other than making WAN static.

The web server will be a device on the WAN not a gateway. In this world the "Internet" is one website.

As shown above you can then set a fixed DNS entry in OpenWrt so that some easy to remember name resolves to the IP of the server. And / or you could use captive portal technology to force all attempted web access to your server. That is not really required if the users can enter the name into their browser.

The "fakeinternet" package may help with "No Internet" warnings on mobile devices. It lets your local unconnected network pass the Android and iOS tests for a live Internet connection.


Hi there, nice to meet you again!

I see my clarification of the situation was helpful. The picture with the Apache server as wan was in my head when I started the whole thing. At present the router is configured as an AP, eth0 and wlan0 are bridged, and I don't have wlan at all.
I configured the custom local domain, which is much easier for the pupils than working with IPs.
The static IP for the server is achieved by configuring a static lease for it. That is acceptable but in my opinion still somewhat inconvenient.
For the time being, the whole thing works and will be tested again on Tuesday. If the solution with the local domain is fast enough there's no need for capturing - I will report the result.
I really didn't understand the use of the two LANs. How does that remove the need to enter the actual MAC address into the router - can you explain in some more detail?
The issue with 'no Internet' was a problem and 'fakeinternet' may help. Unfortunately, due to corona, I still have no wifi.

The "server" is configured on the USB stick to have a static IP... let's call it 192.168.10.2

the "clients" are all on the LAN which uses 192.168.1.0/24 and hands out DHCP to them.

the router on its WAN interface has 192.168.10.1

the router has a host entry: 192.168.10.2 is called "classserver.lan" or whatever you want.

now anyone on the LAN who goes to http://classserver.lan will look up the ip address 192.168.10.2 and try to connect. Such connections go "through" the router from the LAN side to the WAN side and talk to the teacher's server.

voila, end of story. no MAC required, nothing fancy.


I'm sorry but I still don't understand!

> The "server" is configured on the USB stick to have a static IP... let's call it 192.168.10.2

How do I do this? I think the IPs are managed in the router.

> the "clients" are all on the LAN which uses 192.168.1.0/24 and hands out DHCP to them

I understand that.

> the router on its WAN interface has 192.168.10.1

As mentioned above, in the present AP configuration I don't have a WAN interface.

Please stay patient with me.

In the server's OS, configure the Ethernet interface to have a static IP instead of being a DHCP client. The IP should be 192.168.10.2/24 (or 192.168.10.2 with netmask 255.255.255.0). It doesn't need a gateway or DNS server. (If the server so configured is inadvertently connected to a network leading to the Internet, with no gateway configured it won't be able to reach the Internet. That could be billed as more of a desirable security feature than a problem.)

Then in OpenWrt log in by wifi (since you're going to re-assign the Ethernet port) and add a wan network. Name this network exactly 'wan' (lower case) since the firewall already has that name set up. The proto is static IP, the IP address 192.168.10.1, and the physical port is eth0.

# /etc/config/network
config interface 'wan'
   option proto 'static'
   option ifname 'eth0'
   option ipaddr '192.168.10.1/24'

Remove eth0 from the lan network.

If you want to leave the server as a DHCP client you can set up another DHCP server on the wan network, with a reserved address for the server. Do this by hostname so the MAC of the server does not matter.


I would look to migrate this project to a single box solution such as Pi 4 or a mini PC (with Linux / OpenWrt compatible wifi card). It seems hugely uncertain counting on the teacher to provide a compatible laptop in every situation. OpenWrt can run a LAMP stack given enough memory (about 1 GB RAM and flash).


I start to understand. But doesn't that mean that the teacher has to change the network settings on his computer? That is something we don't really want - leave the teacher's laptop as it is.

> I would look to migrate this project to a single box solution such as Pi 4

That is exactly what was tried in the first place. It turned out that the Pi couldn't handle the IPs of let's say 30 pupils - the same thing with network cards. Personally I would prefer an ad hoc network made up by the laptop of the teacher, but this approach failed in the past.

We are aware of the compatibility problem! We are just about to start the whole project and for now we assume that the teacher's laptop is a Windows machine.

EDIT: Maybe the best solution would be a Pi for the software (with a fixed MAC address) and the router.

Since there's only ever going to be one PC on the wan port, it's simple. Set up a DHCP server that only is allowed to hand out one IP, which is thus guaranteed to always be the same IP.

config dhcp 'wan'
   option interface 'wan'
   option start '2'
   option limit '1'
   option leasetime '2m'

This is in /etc/config/dhcp in addition to the standard DHCP server on lan which offers 150 IPs. The lease will expire in 2 minutes if for some reason the teacher PC is changed. In this use case, shorter leases than 12h are also a good idea for lan.

Yes I wouldn't trust the built in wifi on a Pi 4 to serve a room full of people, without actually trying it. A budget of $250 could get a mini x86 with PCIe ath9k wifi having the same performance as a router.


That sounds good. I guess I can also set the hostname. Give me some time to try configuring all the new stuff.

A Pi 4 will handle this no problem on wired, but you will want a wifi access point to be separate; the Pi built-in wifi is junk. Still, a TP-Link EAP 224 is ~ $60 or so? It will handle 30 students, I believe.


Hello out there, I'm back (after a few failsafes and restarts)

The network file looks like this now:

config interface 'lan'        
       option type 'bridge' 
       option ifname 'eth0'    # I'm missing wlan0 here
       option proto 'static'
       option ipaddr '192.168.1.1'        
       option netmask '255.255.255.0'           
       option ip6assign '60' 
                              
config device 'lan_eth0_dev'
       option name 'eth0'
       option macaddr 'xx:xx:xx:xx:xx:xx'
                         
config interface 'wan'    
       option ifname 'eth0'  
       option proto 'static' 
       option ipaddr '192.168.10.2'
       option netmask '255.255.255.0'
       option ip6assign '60'

The 'wan' part is new. I know that I should remove eth0 from the 'lan' but when I do so 'service network restart' just sits there and nothing happens and nothing can be done. However, this is what I observe:

  • LUCI shows two interfaces. One is called lan (br-lan) and greenish and the other one is called wan (eth0) and is reddish. We have two firewall zones! This seems to be good

  • When I set the IP on the server to 192.168.10.2 I can connect to 192.168.10.2 and I see the home page. good

  • On the wlan-side (aka lan) I can ssh to 192.168.1.1 and I can open LUCI in a browser (same IP) good

  • When I go to 192.168.10.2 I see LUCI again! Not good

This seems to be an error in the settings for the 'lan' interface. What shall I put there? I need to keep 192.168.1.1 to reach the router and the network must be restartable. Can someone help me out?

Log in by wifi before removing the eth0 port from lan. All subsequent logins will have to be by wifi.

Attaching the wifi to the lan network is done in /etc/config/wireless with option network. There will be no option ifname in the lan section of /etc/config/network once the eth0 port is removed.

The router (wan) would be 10.1 and the server 10.2. Don't set two devices to have the same IP address.

Do you really mean

config interface 'lan'        
       option type 'bridge'            
       option ip6assign '60' 

and that's it?

No, just take option ifname eth0 out, since you're moving the Ethernet port to wan. LAN still needs an IP address etc.

Same thing:

server side:
192.168.10.2 -> home page
192.168.10.1 -> nothing
192.168.1.1 -> nothing

wlan side:
192.168.10.2 -> LUCI
192.168.1.1 -> LUCI
192.168.10.1 -> nothing

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option ifname 'eth0'
        option proto 'static'
        option ipaddr '192.168.10.2'
        option netmask '255.255.255.0'
        option ip6assign '60'

I even did a reboot.

???

This is the server IP address... you want the address for the router here, that's 192.168.10.1

Finally I got it right! GREAT. On the wlan side 192.168.10.1 -> LUCI and 192.168.10.2 -> home page.
I'm tired and will try to do the dhcp settings tomorrow.

Good night
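
The two mistakes worked through above (eth0 listed under both lan and wan, and the router's wan interface given the server's address 192.168.10.2) can be caught before the network is restarted. The following is an added example, not code from the thread or from OpenWrt; the function name `check_uci_network` and its finding labels are hypothetical, and the sample config is constructed from the one posted above.

```shell
#!/bin/sh
# Added example: lint an OpenWrt /etc/config/network read from stdin.
# check_uci_network and its finding labels are hypothetical names.
# Simplification: "#" always starts a comment, even inside a quoted value.
check_uci_network() {   # usage: check_uci_network SERVER_IP < /etc/config/network
    awk -v server="$1" -v q="'" '
        function unq(s) { gsub("[\"" q "]", "", s); return s }
        { sub(/#.*/, "") }                      # drop comments, fields are re-split
        $1 == "config" { type = unq($2); name = unq($3); next }
        type != "interface" || $1 != "option" { next }
        unq($2) == "ifname" {                   # one port may belong to one interface
            for (i = 3; i <= NF; i++) {
                dev = unq($i)
                if (dev in owner && owner[dev] != name) {
                    printf "DUPLICATE_DEVICE %s %s %s\n", dev, owner[dev], name
                    bad = 1
                } else owner[dev] = name
            }
        }
        unq($2) == "ipaddr" {                   # router must not claim the server IP
            ip = unq($3); sub(/\/.*/, "", ip)   # accept 192.168.10.1/24 notation
            if (ip == server) {
                printf "ROUTER_HAS_SERVER_IP %s %s\n", name, ip
                bad = 1
            }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample: the broken config posted in the thread, condensed.
write_broken_sample() {
    cat <<'EOF'
config interface 'lan'
        option type 'bridge'
        option ifname 'eth0'    # I'm missing wlan0 here
        option ipaddr '192.168.1.1'

config device 'lan_eth0_dev'
        option name 'eth0'

config interface 'wan'
        option ifname 'eth0'
        option ipaddr '192.168.10.2'
EOF
}

write_broken_sample | check_uci_network 192.168.10.2 ||
    echo "fix the findings above before restarting the network"
```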

Sorry, sorry, sorry. I thought that should be easy, but the second DHCP server for wan does not work as expected. I did it exactly the way @mk24 suggested but I can't connect. On Linux I can set the IP 192.168.10.2 manually without specifying a gateway and a DNS server. For some reason I can't do it on a Windows 10 machine. But when specifying those entries I can't connect from the wlan side.
So, what's going wrong here? In syslog I can see that dhcp services the ID 192.168.10.2. I guess it's some general setting - I don't know.

thanks in advance