Hi Guys,
Currently i have successfull run opennds with br-lan and its fine with my pc but my requirement to run it on wlan0 2.4ghz wifi with a Guest account not on whole network. but when i apply option gatewayinterface 'wlan0' its stopped working from everywhere not on pc and wireless.
Please suggest.
also not able to open Luci (http://192.168.1.1/cgi-bin/luci/) it says: # Error 404 - Not Found
Thanks.
You need to configure a second bridge interface, for example br-guest, with its own ip subnet, dhcp and dns. Then associate the wlan0 with it instead of with br-lan.
Finally configure openNDS to manage br-guest.
Port 80 on the openNDS interface is reserved and used by openNDS for the built in rfc8910 CPI support.
You should be able to access Luci on https://192.168.1.1
Thanks @bluewavenet for your support, I'll try it. Is this possible to assign opennds to another ip like 192.168.1.2 please share the process if possible.
Thanks
Sorry, I have tried https://192.168.1.1, it's has same error also it's redirecting me to /cgi-bin/
Also https is not working, url showing not secure.
Thanks
OpenNDS, or indeed any captive portal, will manage internet access for an ip address subnet.
To do this it must be located on the ip gateway address for the subnet.
So in answer to this question - No.
Yes it will ask you to make an exception and accept the self signed TLS certificate of Luci.
Alternatively you could change the port that Luci uses.
Do the following:
uci set uhttpd.main.listen_http='0.0.0.0:81'
uci commit uhttpd
service uhttpd restart
You should then be able to access Luci at http://192.168.1.1:81
Thanks @bluewavenet, still I am struggling with https, can you provide me a set of commands to make it working.
Thanks
Dear @bluewavenet, I've tried, but no luck, i have followed https://www.youtube.com/watch?v=b7vTY1k8iGo
but here i've unable to found one configuration only that's below screenshot
and i am using 2.4g wifi which is wlan0
i am using latest openwrt version 22.03
from my network config:
config interface 'guestwifi'
option proto 'static'
option ipaddr '192.168.8.1'
option netmask '255.255.255.0'
list dns '8.8.8.8'
list dns '1.1.1.1'
Please advise,
Thanks
You are bringing up 2 issues that are nothing to do with openNDS.
ie:
There are many "Howtos" or "tutorials" on both of these, but unfortunately most of these have been outdated since the release of OpenWrt 21.02.0.
Also you are not using an official stable release of OpenWrt, instead you are using an undisclosed release candidate. This is probably fine, but you have not indicated anything about the hardware you are using.
With regard to the hardware, it may not even support a guest network at the same time as a "private" network.
I do understand you are on a steep learning curve, so to help you, we need at least the following information:
uci show wirelessuci show networkuci show firewalluci show openndsuci show uhttpd
Dear @bluewavenet , I am using stable release, I am using DIR-2640 with 22.03 it's a stable version
Thanks
If this will work after downgrade version to 21, I can do, Please advise
Thanks
It is a release candidate. To quote the openwrt downloads page:
OpenWrt 22.03 will be the successor of the 21.02 series. It is currently in the release candidate phase and will replace the current stable release once finalized.
It is probably ok for you to use. No need to downgrade at this stage, unless we find a real problem.
What about sharing the configuration information I requested? We might be able to help if you do.
Network:
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option packet_steering '1'
option ula_prefix 'fd41:88f9:ebbc::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wan'
option device 'wan'
option proto 'dhcp'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
config interface 'guestwifi'
option proto 'static'
option ipaddr '192.168.8.1'
option netmask '255.255.255.0'
list dns '8.8.8.8'
list dns '1.1.1.1'
@bluewavenet ,OpenNDS
config opennds
# enabled
# Set to 0 to disable opennds
option enabled 1
# Use deprecated generic configuration file (not recommended)
#option config '/etc/opennds/opennds.conf'
# debuglevel
# Set Debug Level (0-3)
# Default: 1
# 0 : Silent (only initial startup, LOG_ERR and LOG_EMERG LOG_CRIT messages will be seen, otherwise there will be no logging.)
# 1 : LOG_ERR, LOG_EMERG, LOG_CRIT, LOG_WARNING and LOG_NOTICE (this is the default level).
# 2 : debuglevel 1 + LOG_INFO
# 3 : debuglevel 2 + LOG_DEBUG
#option debuglevel '1'
# fwhook_enabled
# Firewall Restart hook
# Set to 0 to disable hook that makes opennds restart when the firewall restarts.
# This hook is needed as a restart of Firewall overwrites opennds iptables entries.
option fwhook_enabled '1'
# ndsctlsocket
# The socket name to use for ndsctl socket access, relative to the tmpfs mountpoint.
# Any directory/folder specified must exist.
# Default: ndsctl.sock (Do not add a leading "/")
# Full default socket path would be /tmp/ndsctl.sock in OpenWrt
# In the following example, the socket path would be /tmp/sockets/ndsctl.sock
#option ndsctlsocket 'sockets/ndsctl.sock'
# log_mountpoint
# Local Log Mountpoint
# Default: router's volatile tmpfs storage eg on OpenWrt '/tmp'
#
# Local logging can be directed to any storage accessible to the router eg USB drive, SSD etc
#
# **WARNING** - you cannot use the router's built in flash storage as this would cause
# excessive wear and eventual flash failure
#
# Example:
#option log_mountpoint '/logs'
# Login Option
# Default: 1
# Integer value sent to PreAuth script as login mode
#
# opennds comes preconfigured for three basic modes of operation
#
# 0. If FAS is not enabled, then this functions as mode 1
#
# 1.Default Dynamic Click to Continue
# The pre-installed dynamic login page is enabled by setting option login_option_enabled = '1'.
# It generates a Click to Continue page followed by a info/advertising page.
# User clicks on “Continue” are recorded in the log file /[tmpfs_dir]/ndslog/ndslog.log
#
# 2. Username/Emailaddress Dynamic Login
# The pre-installed dynamic login page is enabled by setting option login_option_enabled = '2'.
# It generates a login page asking for username and email address followed by an info/advertising page.
# User logins are recorded in the log file /[tmpfs_dir]/ndslog/ndslog.log
#
# 3. Use Theme defined in ThemeSpec path (option themespec_path)
#
#option login_option_enabled '1'
# Allow Preemptive Authentication
# Default: 0 - Disabled
# Enable by setting to 1
# This allows the ndsctl utility to preemptively authorise **connected** clients
# that have not entered the preauthenticated state.
# This is useful for example with IoT devices that do not have CPD (captive portal detection)
# or for a FAS to manage inter-captive-portal roaming by making use of a centralised database of client validations.
#
#option allow_preemptive_authentication '1'
# ThemeSpec Path
# Default: None
# Required when when login_option_enabled is set to '3'
#
# Note: /usr/lib/opennds/theme_click-to-continue.sh is used for login_option_enabled '1'
# and: /usr/lib/opennds/theme_user_email_login.sh is used for login_option_enabled '2'
#
# Sets the ThemeSpec file path to be used when login_option_enabled '3'
#
# The ThemeSpec script makes use of lists of custom parameters, custom variables, custom image urls and custom files.
# and is used to generate the dynamic splash page sequence
#
# The ThemeSpec file will normally reside in /usr/lib/opennds/ but can be anywhere accessible to openNDS.
# The file must be flagged as executable and have the correct shebang for the default shell.
#
#option themespec_path '/usr/lib/opennds/<filename>'
# Define Custom Parameters
# Custom parameters are sent as fixed values to FAS
# Default None
#
# Custom Parameters listed in the form of param_name=param_value
# param_name and param_value must be urlencoded if containing white space or single quotes
# eg replace spaces with %20 - replace single quotes with %27
#
# Parameters should be configured one per line to prevent possible parsing errors.
# eg:
#list fas_custom_parameters_list '<param_name1=param_value1>'
#list fas_custom_parameters_list '<param_name2=param_value2>'
# etc.
#
# The following Working Example applies to the installed ThemeSpec Files:
# theme_click-to-continue-custom-placeholders
# and
# theme_user-email-login-custom-placeholders
#
#list fas_custom_parameters_list 'logo_message=openNDS:%20Perfect%20on%20OpenWrt!'
#list fas_custom_parameters_list 'banner1_message=BlueWave%20-%20Wireless%20Network%20Specialists'
#list fas_custom_parameters_list 'banner2_message=HMS%20Pickle'
#list fas_custom_parameters_list 'banner3_message=SeaWolf%20Cruiser%20Racer'
# Define Custom Variables
# Custom Variables are used by FAS to dynamically collect information from clients
# Default None
#
# Custom Variables are listed in the form of var_name=var_type
# var_name and var_type must be urlencoded if containing white space or single quotes
# eg replace spaces with %20 - replace single quotes with %27
#
# Variables should be configured one per line to prevent possible parsing errors.
# eg:
#list fas_custom_variables_list '<var_name1=var_type1>'
#list fas_custom_variables_list '<var_name2=var_type2>'
# etc.
#
# FAS Generic Variables - a custom FAS or ThemeSpec must be written to make use of FAS Generic Variables
#-------------------------------------------------------------------------------------------------------
# eg:
#list fas_custom_variables_list 'membership_number=number'
#list fas_custom_variables_list 'access_code=password'
#
# ThemeSpec Dynamically generated Form Fields
#--------------------------------------------
# ThemeSpec scripts can dynamically generate Form Field html and inject into the dynamic splash page sequence.
# This is achieved using a SINGLE line containing the keyword "input",
# in the form: fieldname:field-description:fieldtype
#
# Numerous fields can be defined in this single "input=" line, separated by a semicolon (;).
#
# The following Working Example applies to the installed ThemeSpec Files:
# theme_click-to-continue-custom-placeholders
# and
# theme_user-email-login-custom-placeholders
#
# this example inserts Phone Number and Home Post Code fields:
#
#list fas_custom_variables_list 'input=phone:Phone%20Number:text;postcode:Home%20Post%20Code:text'
#
# Define Custom Images
# Custom Images are served by a local FAS where required in dynamic portal pages
# Default None
#
# Custom images will be copied from the URL to the openNDS router
#
# Custom Images are listed in the form of image_name_type=image_url
# image_name and image_url must be urlencoded if containing white space or single quotes
# The image url must begin with http:// https:// or file://
# Custom images will be copied from the URL to the openNDS router
#
# Images should be configured one per line to prevent possible parsing errors.
#
#list fas_custom_images_list '<image_name1_[type]=image_url1>'
#list fas_custom_images_list '<image_name2_[type]=image_url2>'
# etc.
#
# "type" can be any recognised image file extension eg jpg, png, ico, etc.
#
# The following Working Example applies to the installed ThemeSpec Files:
# theme_click-to-continue-custom-placeholders
# and
# theme_user-email-login-custom-placeholders
#
#list fas_custom_images_list 'logo_png=https://openwrt.org/_media/logo.png'
#list fas_custom_images_list 'banner1_jpg=https://raw.githubusercontent.com/openNDS/openNDS/v9.5.0/resources/bannerbw.jpg'
#list fas_custom_images_list 'banner2_jpg=https://raw.githubusercontent.com/openNDS/openNDS/v9.5.0/resources/bannerpickle.jpg'
#list fas_custom_images_list 'banner3_jpg=https://raw.githubusercontent.com/openNDS/openNDS/v9.5.0/resources/bannerseawolf.jpg'
#
# Define Custom Files
# Custom Files are served by a local FAS where required in dynamic portal pages
# Default None
#
# Custom files will be copied from the URL to the openNDS router
#
# Images should be configured one per line to prevent possible parsing errors.
#
# Custom files are listed in the form of file_name_type=file_url
# file_name and file_url must be urlencoded if containing white space or single quotes
# The file url must begin with http:// https:// or file://
# Custom files will be copied from the URL to the openNDS router
#
#list fas_custom_files_list '<file_name1_[type]=file_url1>'
#list fas_custom_files_list '<file_name2_[type]=file_url2>'
# "type" can be any recognised file extension that can be used to display web content eg txt, htm etc.
#
# The following Working Example applies to the installed ThemeSpec Files:
# theme_click-to-continue-custom-placeholders
# and
# theme_user-email-login-custom-placeholders
#
#list fas_custom_files_list 'advert1_htm=https://raw.githubusercontent.com/openNDS/openNDS/v9.5.0/resources/bannerpickle.htm'
#
# Set refresh interval for downloaded remote files (in minutes)
# Seting to 0 (zero) means refresh is disabled
# Default 0
#
#option remotes_refresh_interval '720'
#
# Use outdated libmicrohttpd (MHD)
# Default 0
#
# Warning, this may be unstable or fail entirely - it would be better to upgrade MHD.
# Use at your own risk
#
# Older versions of MHD convert & and + characters to spaces when present in form data
# This can make a PreAuth or BinAuth impossible to use for a client if form data contains either of these characters
# eg. in username or password
#
# MHD versions earlier than 0.9.71 are detected.
#
# If this option is set to 0 (default), NDS will terminate if MHD is earlier than 0.9.71
# If this option is set to 1, NDS will attempt to start and log an error.
#
#option use_outdated_mhd '0'
# Maximum Page Size to be served by MHD
# Default 10240 bytes
# Minimum value 1024 bytes
# Maximum - limited only by free RAM in the router
#
# This sets the maximum number of bytes that will be served per page by the MHD web server
# Setting this option is useful:
# 1. To reduce memory requirements on a resource constrained router
# 2. To allow large pages to be served where memory usage is not a concern
#
#option max_page_size '4096'
# Maximum number of Local Log Entries
# Default 100
# Minimum value 0
# Maximum value - limited only be free storage space on the logging mountpoint
#
# If set to '0' there is no limit
#
# This is the maximum number of local log entries allowed before log rotation begins
# Both ThemeSpec and Binauth log locally if they are enabled
#
# **WARNING** - local logging is by default written to the tmpfs volatile storage
# If this option were to be set too high the router could run out of tmpfs storage and/or free RAM
#
# Non-volatile storage, such as a USB storage device may be defined using the log_mountpoint option
#
# Example:
#option max_log_entries '1000'
# MHD Unescape callback - This is an advanced option
# Default 0
#
# MHD has a built in unescape function that urldecodes incoming queries from browsers
#
# This option allows an external unescape script to be enabled and replace the built in decoder
#
# The script must be named unescape.sh, be present in /usr/lib/opennds/ and be executable.
#
# A very simple standard unescape.sh script is installed by default
# Set to 1 to enable this option, 0 to disable
# default is disabled
#
#option unescape_callback_enabled '0'
# WebRoot
#Default: /etc/opennds/htdocs
#
# The local path where the system css file, and legacy splash page content resides.
# ie. Serve the file splash.html from this directory
option webroot '/etc/opennds/htdocs'
# GateWayInterface
# Default br-lan
# Use this option to set the device opennds will bind to.
# The value may be an interface section in /etc/config/network or a device name such as br-lan.
# The selected interface must be allocated an IPv4 address.
# In OpenWrt this is normally br-lan, in generic Linux it might be wlan0
#
option gatewayinterface 'br-lan'
# GatewayPort
# Default: 2050
#
# openNDS's own http server uses gateway address as its IP address.
# The port it listens to at that IP can be set here; default is 2050.
#
option gatewayport '2050'
# GatewayName
# Default: openNDS
#
# gatewayname is used as an identifier for the instance of openNDS
#
# It is displayed on the default static splash page and the default preauth login script.
#
# It is particularly useful in the case of a single remote FAS server that serves multiple
# openNDS sites, allowing the FAS to customise its response for each site.
#
# Note: The single quote (or apostrophe) character ('), cannot be used in the gatewayname.
# If it is required, use the htmlentity ' instead.
#
# For example:
# option gatewayname 'Bill's WiFi' is invalid.
# Instead use:
# option gatewayname 'Bill's WiFi'
#
option gatewayname 'Open Wifi'
# Serial Number Suffix Enable
# Appends a serial number suffix to the gatewayname string.
#
# openNDS constructs a serial number based on the router mac address and adds it to the gatewayname
#
# Default 1 (enabled)
#
# To disable, set to 0
#
# Example:
#
#option enable_serial_number_suffix '0'
# GatewayFQDN
# Default: status.client
# This is the simulated FQDN used by a client to access the Client Status Page
# If not set, the Status page can be accessed at: http://gatewayaddress:gatewayport/
#
# Warning - if set, services on port 80 of the gateway will no longer be accessible (eg Luci AdminUI)
#
# By default, the Error511/Status page will be found at http://status.client/ by a redirection
# of port 80 to http://gatewayaddress:gatewayport/
#
# Disable GatewayFQDN by setting the option to 'disable'
# ie:
#option gatewayfqdn 'disable'
#
# Alternate Useful Example:
#option gatewayfqdn 'login.page'
# StatusPath
# Default: /usr/lib/opennds/client_params.sh
# This is the script used to generate the GatewayFQDN client status and Error511 pages
#
#option statuspath '/mycustomscripts/custom_client_params.sh'
# MaxClients
# Default 250
# The maximum number of clients allowed to connect
# This should be less than or equal to the number of allowed DHCP leases
# For example:
option maxclients '250'
# Client timeouts in minutes
#
# preauthidletimeout is the time in minutes after which a client is disconnected if not authenticated
# ie the client has not attempted to authenticate for this period
# Default 30 minutes
option preauthidletimeout '2'
# authidletimeout is the time in minutes after which an idle client is disconnected
# ie the client has not used the network access for this period
# Default 120 minutes
#option authidletimeout '120'
# Session Timeout is the interval after which clients are forced out (a value of 0 means never)
# Clients will be deauthenticated at the end of this period
# Default 1440 minutes (24 hours)
# Example: Set to 20 hours (1200 minutes)
option sessiontimeout '2'
# The interval in seconds at which opennds checks client timeout and quota status
# Default 15 seconds
# Example: Set to 30 seconds
#option checkinterval '30'
# Rate Quotas
# Note: upload means to the Internet, download means from the Internet
# Defaults 0
# Integer values only
#
# If the client average data rate exceeds the value set here, the client will be rate limited
# Values are in kb/s
# If set to 0, there is no upper limit
#
# Quotas and rates can also be set by FAS via Authmon Daemon, ThemeSpec scripts, BinAuth, and ndsctl auth.
# Values set by these methods, will override values set in this config file.
#
# Rates:
#option uploadrate '0'
#option downloadrate '0'
#
# Bucket Ratio
# Default 10
#
# Upload and Download bucket ratios can be defined.
# Allows control of upload rate limit threshold overrun per client.
# Used in conjunction with MaxDownloadBucketSize and MaxUploadBucketSize
# Facilitates calculation of a dynamic "bucket size" or "queue length" (in packets)
# to be used for buffering upload and download traffic to achieve rate restrictions
# defined in this config file or by FAS for individual clients.
# If a bucket becomes full, packets will overflow and be dropped to maintain the rate limit.
#
# To minimise the number of dropped packets the bucket ratio can be increased whilst
# still maintaining the configured rate restriction.
#
# ***CAUTION*** Large values may consume large amounts of memory per client.
#
# If the client's average rate does not exceed its configured value within the
# ratecheck window interval (See RateCheckWindow option), no memory is consumed.
#
# If the rate is set to 0, the Bucket Ratio setting has no meaning
# and no memory is consumed.
#
# option upload_bucket_ratio '1'
# option download_bucket_ratio '5'
# MaxDownloadBucketSize
# Allows control over download rate limiting packet loss at the expense of increased latency
# ***CAUTION*** Large values may consume large amounts of memory per client.
# Default 250
# Allowed Range 5 to 10000
#option max_download_bucket_size '100'
# MaxUploadBucketSize
# Allows control over upload rate limiting packet loss at the expense of increased latency
# ***CAUTION*** Large values may consume large amounts of memory per client.
# Default 250
# Allowed Range 5 to 10000
#
#option max_upload_bucket_size '100'
# DownLoadUnrestrictedBursting
# Default 0
# Enables / disables unrestricted bursting
# Setting to 0 disables
# Setting to 1 enables
#
# If enabled, a client is allowed unrestricted bursting until its average download
# rate exceeds the set download rate threshold.
# Unrestricted bursting minimises memory consumption
# at the expense of potential short term bandwidth hogging
#
# If disabled, a client is not allowed unrestricted bursting.
#
# option download_unrestricted_bursting '1'
# UpLoadUnrestrictedBursting
# Default 0
# Enables / disables unrestricted bursting
# Setting to 0 disables
# Setting to 1 enables
#
# If enabled, a client is allowed unrestricted bursting until its average upload
# rate exceeds the set upload rate threshold.
# Unrestricted bursting minimises memory consumption
# at the expense of potential short term bandwidth hogging
#
# If disabled, a client is not allowed unrestricted bursting.
#
# option upload_unrestricted_bursting '1'
# RateCheckWindow
# Default 2
#
# The client data rate is calculated using a moving average.
#
# The moving average window size (or bursting interval) is equal to ratecheckwindow times checkinterval (seconds)
#
# All rate limits can be globally disabled by setting this option to 0 (zero)
#
# Example: Disable all rate quotas for all clients, overriding settings made in FAS via Authmon Daemon,
# ThemeSpec scripts, BinAuth, and ndsctl auth:
#option ratecheckwindow '0'
#
# Example: Set to 3 checkinterval periods:
#option ratecheckwindow '3'
# Volume Quotas:
# If the client data quota exceeds the value set here, the client will be forced out
# Defaults 0
# Integer values only
#
# Values are in kB
# If set to 0, there is no limit
#
#option uploadquota '0'
#option downloadquota '0'
# Enable BinAuth Support. BinAuth enables POST AUTHENTICATION PROCESSING
# and is useful in particular when a FAS is configured remotely
# Default disabled
#
# If set, a BinAuth program or script is triggered by several possible methods
# and is called with several arguments on both authentication and deauthentication:
#
#
# Possible methods
#
# Authentication:
# "auth_client": Request for authentication received from the captive portal splash page.
# "client_auth": Acknowledgement that Client was authenticated via this script.
# "ndsctl_auth": Client was authenticated by ndsctl auth command.
#
# Deauthentication:
# "client_deauth": Client deauthenticated by the client via captive portal splash page.
# "idle_deauth": Client was deauthenticated because of inactivity.
# "timeout_deauth": Client was deauthenticated because the session timed out.
# "ndsctl_deauth": Client was deauthenticated by ndsctl deauth command.
# "uprate_deauth": Client was deauthenticated because its average upload rate exceeded the allowed value
# "downrate_deauth": Client was deauthenticated because its average download rate exceeded the allowed value
# "upquota_deauth": Client was deauthenticated because its upload quota exceeded the allowed value
# "downquota_deauth": Client was deauthenticated because its download quota exceeded the allowed value
# "shutdown_deauth": Client was deauthenticated by openNDS terminating.
#
# A fully functional BinAuth script is pre-installed and provides local logging
# of client activity. This is enabled by uncommenting the following line:
#option binauth '/usr/lib/opennds/binauth_log.sh'
# Set Fasport
# This is the Forwarding Authentication Service (FAS) port number
# Redirection is changed to the IP port of a FAS (provided by the system administrator)
# Note: if FAS is running locally (ie fasremoteip is NOT set), port 80 cannot be used.
#
# Typical Remote Shared Hosting Example:
#option fasport '80'
#
# Typical Locally Hosted example (ie fasremoteip not set):
#option fasport '2080'
# Option: fasremotefqdn
# Default: Not set
# If set, this is the remote fully qualified domain name (FQDN) of the FAS.
# The protocol must NOT be prepended to the FQDN (ie http:// or https://)
# To prevent CPD or browser security errors NDS prepends the required http:// or https://
# before redirection, depending upon the fas_secure_enabled option.
#
# If set, DNS MUST resolve fasremotefqdn to be the same ip address as fasremoteip.
#
# Typical Remote Shared Hosting Example (replace this with your own FAS FQDN):
#option fasremotefqdn 'onboard-wifi.net'
#
# Note: For a CDN (Content Delivery Network) hosted server,
# you must also add fasremotefqdn to the Walled Garden list of FQDNs
#
# Option: fasremoteip
# Default: GatewayAddress (the IP of NDS)
# If set, this is the remote ip address of the FAS.
#
# Typical Remote Shared Hosting Example (replace this with your own remote FAS IP):
#option fasremoteip '46.32.240.41'
# Option: faspath
# Default: /
# This is the path from the FAS Web Root to the FAS login page
# (not the file system root).
#
# In the following examples, replace with your own values for faspath
#
# Typical Remote Shared Hosting Example (if fasremotefqdn is not specified):
#option faspath '/remote_host_fqdn/fas/fas-hid.php'
#
# Typical Remote Shared Hosting Example (ie BOTH fasremoteip AND fasremotefqdn set):
#option faspath '/fas/fas-hid.php'
#
# Typical Locally Hosted Example (ie fasremoteip not set):
#option faspath '/fas/fas-hid.php'
# Option: faskey
# Default: 1234567890
# A key phrase for NDS to encrypt the query string sent to FAS
# Can be any text string with no white space
#
# Option faskey must be pre-shared with FAS.
#
#option faskey '1234567890'
# Option: fas_secure_enabled
# Default: 1
# ****If set to "0"****
# The FAS is enforced by NDS to use http protocol.
# The client token is sent to the FAS in clear text in the query string of the redirect along with authaction and redir.
# Note: This level is insecure and can be easily bypassed
# ****If set to "1"****
# The FAS is enforced by NDS to use http protocol.
# The client token will be hashed and sent to the FAS along with other relevent information in a base 64 encoded string
#
# FAS must return the sha256sum of the concatenation of hid(the hashed original token), and faskey to be used by NDS for client authentication.
# This is returned to FAS for authentication
#
# ****If set to "2"****
# The FAS is enforced by NDS to use http protocol.
#
# The parameters clientip, clientmac, gatewayname, hid(the hashed original token), gatewayaddress, authdir, originurl and clientif
# are encrypted using faskey and passed to FAS in the query string.
#
# The query string will also contain a randomly generated initialization vector to be used by the FAS for decryption.
#
# The cipher used is "AES-256-CBC".
#
# The "php-cli" package and the "php-openssl" module must both be installed for fas_secure level 2 and 3.
#
# openNDS does not depend on this package and module, but will exit gracefully
# if this package and module are not installed when this level is set.
#
# The FAS must use the query string passed initialisation vector and the pre shared fas_key to decrypt the query string.
# An example FAS level 2 php script (fas-aes.php) is included in the /etc/opennds directory and also supplied in the source code.
# ****If set to "3"****
# The FAS is enforced by NDS to use https protocol.
#
# Level 3 is the same as level 2 except the use of https protocol is enforced for FAS.
#
# In addition, the "authmon" daemon is loaded.
# This allows the external FAS, after client verification, to effectively traverse inbound firewalls and address translation
# to achieve NDS authentication without generating browser security warnings or errors.
# An example FAS level 3 php script (fas-aes-https.php) is included in the /etc/opennds directory and also supplied in the source code.
#
# Note: Option faskey must be pre shared with the FAs script in use (including any ThemeSpec local file) if fas secure is set to levels 1, 2 and 3.
#option fas_secure_enabled '1'
# PreAuth
# Default Not set, or automatically set by "option login_option_enabled"
# PreAuth support allows FAS to call a local program or script with html served by the built in NDS web server
# If the option is set, it points to a program/script that is called by the NDS FAS handler
# All other FAS settings will be overidden.
#
#option preauth '/path/to/myscript/myscript.sh'
# Block Access For Authenticated Users (block):
# Default: None
#
# If Block Access is specified, an allow or passthrough must be specified afterwards
# as any entries set here will override the access default
#
# Examples:
#
# You might want to block entire IP subnets. e.g.:
#list authenticated_users 'block to 123.2.3.0/24'
#list authenticated_users 'block to 123.2.0.0/16'
#list authenticated_users 'block to 123.0.0.0/8'
#
# or block access to a single IP address. e.g.:
#
#list authenticated_users 'block to 123.2.3.4'
#
# Do not forget to add an allow or passthrough if the default only is assumed (see Grant Access)
#
# Grant Access For Authenticated Users (allow and passthrough):
#
# Access can be allowed by openNDS directly, overriding the operating system firewall rules
# or Access can be allowed by openNDS but the final decision can be passed on to the operating system firewall.
#
# Default: list authenticated_users 'passthrough all'
#
# Any entries set here, or above in Block Access, will override the default
#
# Example: Grant access overriding operating system firewall
#list authenticated_users 'allow all'
#
# Example:
# Grant access to https web sites, subject to the operating system firewall rules
#list authenticated_users 'passthrough tcp port 443'
#
# Grant access to http web sites, overriding the operating system firewall rules.
#list authenticated_users 'allow tcp port 80'
#
# Grant access to udp services at address 123.1.1.1, on port 5000, overriding the operating system firewall rules.
#list authenticated_users 'allow udp port 5000 to 123.1.1.1'
#
# For preauthenticated users:
#
# *****IMPORTANT*****
#
# To support RFC8910 Captive Portal Identification
# AND to help prevent DNS tunnelling, DNS Hijacking and generally improve security,
#
# ****DO NOT ALLOW ACCESS TO EXTERNAL DNS SERVICES****
#
# Walled Garden
# Allow preauthenticated users to access external services
# This is commonly referred to as a Walled Garden.
#
# A Walled Garden can be configured either:
# 1. Manually for known ip addresses
# or
# 2. Autonomously from a list of FQDNs and ports
#####
# Manual Walled Garden configuration requires research to determine the ip addresses of the Walled Garden site(s)
# This can be problematic as sites can use many dynamic ip addresses.
# However, manual configuration does not require any additional dependencies (ie additional installed packages)
#
# Manual configuration example:
#
#list preauthenticated_users 'allow tcp port 80 to 112.122.123.124'
#list preauthenticated_users 'allow udp port 8020 to 112.122.123.124'
#
#####
# Autonomous Walled Garden configuration using a list of FQDNs and Ports.
#
# This has the advantage of discovering all ip addresses used by the Walled Garden sites.
# But it does require the ipset and dnsmasq-full packages to be installed
# by running the following commands:
#
# opkg update
# opkg install ipset
# opkg remove dnsmasq
# opkg install dnsmasq-full
#
# Configuration is then a simple matter of adding two lists as follows:
#
# list walledgarden_fqdn_list 'fqdn1 fqdn2 fqdn3 .... fqdnN'
# list walledgarden_port_list 'port1 port2 port3 .... portN'
#
# Note: If walledgarden_port_list is NOT specified, then Walled Garden access is granted
# for all protocols (tcp, udp, icmp) on ALL ports for each fqdn specified in walledgarden_fqdn_list.
#
# Note: If walledgarden_port_list IS specified, then:
# 1. Specified port numbers apply to ALL FQDN's specified in walledgarden_fqdn_list.
# 2. Only tcp protocol Walled Garden access is granted.
# Autonomous configuration examples:
#
# 1. To add Facebook to the Walled Garden, the list entries would be:
# list walledgarden_fqdn_list 'facebook.com fbcdn.net'
# list walledgarden_port_list '443'
#
# 2. To add Paypal to the Walled Garden, the list entries would be:
# list walledgarden_fqdn_list 'paypal.com paypalobjects.com'
# list walledgarden_port_list '443'
# User access to the router
#
# Essential - Allow ports for DNS and DHCP (disabling these will soft brick your router):
list users_to_router 'allow tcp port 53'
list users_to_router 'allow udp port 53'
list users_to_router 'allow udp port 67'
# Optional - Allow ports for SSH/HTTP/HTTPS:
list users_to_router 'allow tcp port 22'
list users_to_router 'allow tcp port 80'
list users_to_router 'allow tcp port 443'
# MAC addresses that do not need to authenticate
#list trustedmac '00:00:C0:01:D0:1D'
# dhcp_default_url_enable
# Sends "default_url" (dhcp option 114) with all replies to dhcp requests
# Required for RFC8910 Captive Portal Identification
# Default 1 (enabled)
# To disable, set to 0
#option dhcp_default_url_enable '1'
I have downgraded it to 21.02.0 and tried this tab, still this tab is not available.
now i am again going to upgrade it 22 (stable) as per your suggestion
Please follow the simple instructions I gave you.
Here it is again.
Please show the outputs of:
uci show wireless
uci show network
uci show firewall
uci show opennds
and
uci show uhttpd
22.03.0-rc6 is not "stable", it is a release candidate.
I suggested that as it was what you had installed already, it was probably ok to continue with it for now.
uci show wireless
wireless.radio0=wifi-device
wireless.radio0.type='mac80211'
wireless.radio0.path='1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
wireless.radio0.channel='1'
wireless.radio0.band='2g'
wireless.radio0.htmode='HT20'
wireless.radio0.country='IN'
wireless.radio0.cell_density='3'
wireless.default_radio0=wifi-iface
wireless.default_radio0.device='radio0'
wireless.default_radio0.mode='ap'
wireless.default_radio0.encryption='none'
wireless.default_radio0.ssid='Open-Guest'
wireless.default_radio0.isolate='1'
wireless.default_radio0.network='guestwifi'
wireless.default_radio0.ifname='wlan0'
wireless.radio1=wifi-device
wireless.radio1.type='mac80211'
wireless.radio1.path='1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
wireless.radio1.channel='36'
wireless.radio1.band='5g'
wireless.radio1.htmode='VHT80'
wireless.radio1.disabled='1'
wireless.default_radio1=wifi-iface
wireless.default_radio1.device='radio1'
wireless.default_radio1.network='lan'
wireless.default_radio1.mode='ap'
wireless.default_radio1.ssid='OpenWrt'
wireless.default_radio1.encryption='none'
@bluewavenet
uci show wireless
wireless.radio0=wifi-device
wireless.radio0.type='mac80211'
wireless.radio0.path='1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
wireless.radio0.channel='1'
wireless.radio0.band='2g'
wireless.radio0.htmode='HT20'
wireless.radio0.country='IN'
wireless.radio0.cell_density='3'
wireless.default_radio0=wifi-iface
wireless.default_radio0.device='radio0'
wireless.default_radio0.mode='ap'
wireless.default_radio0.encryption='none'
wireless.default_radio0.ssid='Open-Guest'
wireless.default_radio0.isolate='1'
wireless.default_radio0.network='guestwifi'
wireless.default_radio0.ifname='wlan0'
wireless.radio1=wifi-device
wireless.radio1.type='mac80211'
wireless.radio1.path='1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
wireless.radio1.channel='36'
wireless.radio1.band='5g'
wireless.radio1.htmode='VHT80'
wireless.radio1.disabled='1'
wireless.default_radio1=wifi-iface
wireless.default_radio1.device='radio1'
wireless.default_radio1.network='lan'
wireless.default_radio1.mode='ap'
wireless.default_radio1.ssid='OpenWrt'
wireless.default_radio1.encryption='none'
root@OpenWrt:~# uci show network
network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.packet_steering='1'
network.globals.ula_prefix='fda2:8cb6:e23f::/48'
network.@device[0]=device
network.@device[0].name='br-lan'
network.@device[0].type='bridge'
network.@device[0].ports='lan1' 'lan2' 'lan3' 'lan4'
network.lan=interface
network.lan.device='br-lan'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.wan=interface
network.wan.device='wan'
network.wan.proto='dhcp'
network.wan6=interface
network.wan6.device='wan'
network.wan6.proto='dhcpv6'
network.guestwifi=interface
network.guestwifi.proto='static'
network.guestwifi.ipaddr='192.168.8.1'
network.guestwifi.netmask='255.255.255.0'
network.guestwifi.dns='8.8.8.8' '1.1.1.1'
@bluewavenet
uci show firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].synflood_protect='1'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@zone[2]=zone
firewall.@zone[2].name='guestwifi'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].network='guestwifi'
firewall.@zone[2].input='REJECT'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='guestwifi'
firewall.@forwarding[1].dest='wan'
firewall.@rule[9]=rule
firewall.@rule[9].name='Guest-DHCP'
firewall.@rule[9].proto='udp'
firewall.@rule[9].src='guestwifi'
firewall.@rule[9].dest_port='67'
firewall.@rule[9].target='ACCEPT'
firewall.@rule[10]=rule
firewall.@rule[10].name='Guest-DNS'
firewall.@rule[10].src='guestwifi'
firewall.@rule[10].dest_port='53'
firewall.@rule[10].target='ACCEPT'
firewall.@rule[11]=rule
firewall.@rule[11].name='Guest-Block-All'
firewall.@rule[11].src='guestwifi'
firewall.@rule[11].target='DROP'
firewall.opennds=include
firewall.opennds.type='script'
firewall.opennds.path='/usr/lib/opennds/restart.sh'