Nodogsplash for OpenWrt

I am currently working on something like a Captive Portal with my TP-Link TD-W8980 v1 running v18.06.1 using Nodogsplash. The setup and config itself seems pretty straightforward but there is some problem with the connectivity to internet.

If I stop NDS, I can connect to the internet fine on the system. With NDS running, my phone asks me to sign in to the WiFi, but when I click the Continue button on the splash page, it shows as authenticated in the logs but fails trying to access the redirect page and so does not finish the login process. Now, if I forcefully ask it to use the connection, it lets me connect to the internet, but it should be a more streamlined process: as it tries to check for connectivity, it should not fail there.

My config for NDS is here:


# The options available here are an adaptation of the settings used in nodogsplash.conf.
# See https://github.com/nodogsplash/nodogsplash/blob/master/resources/nodogsplash.conf

config nodogsplash
  # Set to 0 to disable nodogsplash
  option enabled 1

  # Set to 0 to disable hook that makes nodogsplash restart when the firewall restarts.
  # This hook is needed as a restart of Firewall overwrites nodogsplash iptables entries.
  option fwhook_enabled '1'

  # Serve the file splash.html from this directory
  option webroot '/etc/nodogsplash/htdocs'

  # Use plain configuration file
  #option config '/etc/nodogsplash/nodogsplash.conf'

  # Use this option to set the device nodogsplash will bind to.
  # The value may be an interface section in /etc/config/network or a device name such as br-lan.
  option gatewayinterface 'br-guest'

  option gatewayname 'Internet Point for Public'
  option maxclients '5'

  # Enables debug output (0-7)
  option debuglevel '7'

  # Client timeouts in minutes
  option preauthidletimeout '30'
  option authidletimeout '120'
  # Session Timeout is the interval after which clients are forced out (a value of 0 means never)
  option sessiontimeout '120'

  # The interval in seconds at which nodogsplash checks client timeout status
  option checkinterval '600'

  # Your router may have several interfaces, and you
  # probably want to keep them private from the network/gatewayinterface.
  # If so, you should block the entire subnets on those interfaces, e.g.:
  #list authenticated_users 'block to 192.168.0.0/16'
  #list authenticated_users 'block to 10.0.0.0/8'

  # Typical ports you will probably want to open up.
  #list authenticated_users 'allow tcp port 22'
  #list authenticated_users 'allow tcp port 53'
  #list authenticated_users 'allow udp port 53'
  #list authenticated_users 'allow tcp port 80'
  #list authenticated_users 'allow tcp port 443'
  # Or for happy customers allow all
  list authenticated_users 'allow all'

  # For preauthenticated users to resolve IP addresses in their
  # initial request not using the router itself as a DNS server,
  # Leave commented to help prevent DNS tunnelling
  #list preauthenticated_users 'allow tcp port 53'
  #list preauthenticated_users 'allow udp port 53'

  # Allow ports for SSH/Telnet/DNS/DHCP/HTTP/HTTPS
  list users_to_router 'allow tcp port 22'
  list users_to_router 'allow tcp port 23'
  list users_to_router 'allow tcp port 53'
  list users_to_router 'allow udp port 53'
  list users_to_router 'allow udp port 67'
  list users_to_router 'allow tcp port 80'
  # Allow ports for SMB
  #list users_to_router 'allow tcp port 0'

  # MAC addresses that are / are not allowed to access the splash page
  # Value is either 'allow' or 'block'. The allowedmac or blockedmac list is used.
  #option macmechanism 'allow'
  #list allowedmac '00:00:C0:01:D0:0D'
  #list allowedmac '00:00:C0:01:D0:1D'
  #list blockedmac '00:00:C0:01:D0:2D'

  # MAC addresses that do not need to authenticate
  #list trustedmac '1C:3E:84:5D:D2:CF'
  list trustedmac '3C:CD:5D:55:2F:66'
  list trustedmac '74:86:7A:0B:7A:C3'
  #list trustedmac ''

  # Nodogsplash uses specific HEXADECIMAL values to mark packets used by iptables as a bitwise mask.
  # This mask can conflict with the requirements of other packages such as mwan3, sqm etc
  # Any values set here are interpreted as in hex format.
  #
  # List: fw_mark_authenticated
  # Default: 30000 (0011|0000|0000|0000|0000 binary)
  #
  # List: fw_mark_trusted
  # Default: 20000 (0010|0000|0000|0000|0000 binary)
  #
  # List: fw_mark_blocked
  # Default: 10000 (0001|0000|0000|0000|0000 binary)
  #
  #list fw_mark_authenticated '30000'
  #list fw_mark_trusted '20000'
  #list fw_mark_blocked '10000'

  # This should be autodetected from /proc/net/route on an OpenWRT system, but if
  # not: set ExternalInterface to the 'external' interface on your router,
  # i.e. the one which provides the default route to the internet.
  # Typically vlan1 for OpenWRT.
  #option externalinterface 'pppoe-wan'

  # After authentication, normally a user is redirected
  # to their initially requested page.
  # If RedirectURL is set, the user is redirected to this URL instead.
  #option redirecturl 'http://www.google.com/'

  # Nodogsplash's own http server uses GatewayAddress as its IP address.
  # The port it listens to at that IP can be set here; default is 2050.
  # option gatewayport '2050'

  # Set to yes (or true or 1), to immediately authenticate users
  # who make a http port 80 request on the GatewayInterface (that is,
  # do not serve a splash page, just redirect to the user's request,
  # or to RedirectURL if set).
  # option authenticateimmediately 'no'

Can anyone suggest something to fix this?
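An added example, not part of the original posts and not Nodogsplash's own tooling: a shell function that reads a config in the format posted above and flags the settings its own comments warn about (no private-subnet block before `allow all`, shell and web ports on the router open to portal clients, pre-auth DNS, MACs that bypass the splash page). The names `audit_nds` and `sample_cfg`, the finding labels, and the sample config with its MAC addresses are constructed for illustration; it assumes rules are applied in the order listed.

```shell
#!/bin/sh
# Added example: flag over-permissive rules in a nodogsplash UCI config.
# Finding labels (OPEN/EXPOSED/PREAUTH-DNS/BYPASS) are this example's own.

audit_nds() {   # $1: config path; reads stdin when omitted
    awk -v q="'" '
    { sub(/^[ \t]+/, "") }                              # trim indentation
    /^#/ || ($1 != "list" && $1 != "option") { next }   # active settings only
    {
        key = $2; val = $0
        sub(/^[^ \t]+[ \t]+[^ \t]+[ \t]+/, "", val)     # drop "list <key> "
        gsub(q, "", val)                                # drop the quotes
    }
    # Assumption: rules apply in listed order, so a block must precede allow all.
    key == "authenticated_users" && val ~ /^block to / { blocked = 1 }
    key == "authenticated_users" && val == "allow all" && !blocked {
        print "OPEN authenticated_users: allow all with no earlier block rule"
    }
    # SSH, Telnet and HTTP on the router itself, reachable by portal clients
    key == "users_to_router" && val ~ /^allow tcp port (22|23|80)$/ {
        split(val, f, " "); print "EXPOSED users_to_router tcp/" f[4]
    }
    # The config comments tie pre-auth port 53 to DNS tunnelling
    key == "preauthenticated_users" && val ~ /port 53$/ { print "PREAUTH-DNS " val }
    key == "trustedmac" && val != "" { n++ }            # MACs that skip the portal
    END { if (n) print "BYPASS " n " trustedmac entries" }
    ' "${1:--}"
}

sample_cfg() {  # constructed sample mirroring the active lines of the post
    cat <<'EOF'
config nodogsplash
  option enabled 1
  option gatewayinterface 'br-guest'
  #list authenticated_users 'block to 192.168.0.0/16'
  list authenticated_users 'allow all'
  #list preauthenticated_users 'allow udp port 53'
  list users_to_router 'allow tcp port 22'
  list users_to_router 'allow tcp port 23'
  list users_to_router 'allow udp port 53'
  list users_to_router 'allow tcp port 80'
  list trustedmac '02:00:00:00:00:01'
  list trustedmac '02:00:00:00:00:02'
EOF
}

sample_cfg | audit_nds
```

On the router, `audit_nds /etc/config/nodogsplash` runs the same checks against the live file.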

An update: There's no connectivity at all through NDS whatsoever although I can connect to internet if I stop NDS. NDS displays the splash page but after hitting continue there's no internet access. Looks to me there's probably a bug in NDS, most likely in firewall rules maybe.

Hi friend, I also encountered the same problem in the release of 18.06.1. Moreover, during the study of the problem, I tried to release Lede and compared the conclusion iptables -L and noticed that one rule was missing in the firewall in the fresh release. Now I have assembled the firmware with nodogsplash2. I will test, I will unsubscribe about results.

Everything works great! 18.06.1 nodogsplash2.


What did you do to make it work? What is your config?

It should work fine with the default config.

the page of description


Do you need to authorize users? I managed to implement authorization via SMS. I wrote my php code.

I don't really need it now, but please share it in case of future use. Thanks.
