Redirect all http traffic to static address in OpenWrt on Raspberry

firegloves · June 3, 2020, 9:41am

I have an ISP router with IP 192.168.1.254.

I installed OpenWrt on my Raspberry PI 3 B.

Raspberry is connected to the ISP router via ethernet

On the Raspberry I configured 2 networks:

wan
wifi

WAN

DHCP client on the same ISP router network => can go on internet

WIFI

static ip on a different subnet 192.168.2.1
bridged network
DHCP server enabled

Firewall zone

I associated the following firewall zone to the wifi network:

input: accept
output: accept
forward: accept
destination zone: wan

In this way if I connect to the wifi network with a client I receive a 192.168.2.* address, and this is what I desire.

The connected client can reach internet through wan network.

Now I want to intercept all the traffic coming from a client connected to the wifi network 192.168.2.* and redirect it to a static address.

I tried several things but I can't make it working.

What is the right way to try?

eduperez · June 3, 2020, 9:56am

What you need is called a "captive portal".

firegloves · June 3, 2020, 10:09am

I thought about that but I'm not sure. Isn't captive portal used to serve a local page as splash page and then to force some login?

However, with my config, can you point me to some tutorial that I can follow please?

trendy · June 3, 2020, 11:09am

What do you want to achieve with this redirection of all client traffic to another IP?

firegloves · June 3, 2020, 12:01pm

I want to query a remote service that should serve a dynamic html.
For this reason I don't want to serve a static local (relative to my raspberry) html

trendy · June 3, 2020, 12:32pm

Okay, but do you want to authenticate the users of the wifi? Should this redirect work for all protocols or only http/s?

firegloves · June 3, 2020, 12:42pm

No there is no need for authentication. I've created an unprotected wifi network. Then I could close all connection that not pass through http or https. I want that customers enter in a shop, they connect to the open network, open the browser and whatever they write in the query string they receive the same page returned from my remote service.

trendy · June 3, 2020, 12:47pm

Then captive portal it is. You'll have to customize it to get the page from the remote server and what action will the users need to do to be able to use the internet.

firegloves · June 3, 2020, 12:54pm

ok thank you, but I have difficulty in finding a tutorial that reflects my configuration. normally OpenWrt is installed directly on a router, but me I'm behind the ISP router with my Raspberry and I can't understand how to proceed. Do you casually know about tutorial covering my needs or something similar?

trendy · June 3, 2020, 12:59pm

I have not dealt with that so I'll leave it to someone else to help you.

eduperez · June 3, 2020, 1:23pm

Your clients connect to the wireless interface on a RPi, which is also connected to the LAN interface from the ISP's router, in a different network. Your RPi is routing between two networks. Your RPi is a router.

firegloves · June 3, 2020, 7:15pm

but with this configuration what happens if the user requests for another page? the captive portal should block them?
If I've understood how it works, to be able to access a remote page I have to enable user internet connectivity. So if the user inserts a different address in the browser don't is he able to navigate everywhere?

firegloves · June 20, 2020, 12:48pm

Hi guys, I'm back again.
I tried the captive portal solution but I can confirm that is not what I need.
I've found a solution adding some custom traffic rules:

iptables -t nat -I PREROUTING -s 192.168.2.2/31 -j DNAT --to-destination 198.27.92.4
iptables -t nat -I PREROUTING -s 192.168.2.4/30 -j DNAT --to-destination 198.27.92.4
iptables -t nat -I PREROUTING -s 192.168.2.8/29 -j DNAT --to-destination 198.27.92.4
iptables -t nat -I PREROUTING -s 192.168.2.16/28 -j DNAT --to-destination 198.27.92.4
iptables -t nat -I PREROUTING -s 192.168.2.32/27 -j DNAT --to-destination 198.27.92.4
iptables -t nat -I PREROUTING -s 192.168.2.64/26 -j DNAT --to-destination 198.27.92.4
iptables -t nat -I PREROUTING -s 192.168.2.128/25 -j DNAT --to-destination 198.27.92.4

In this way, I can redirect all requests coming from IP in the range [192.168.2.2,192.168.2.255] excluding in this way the router.
I'm redirecting directly to a static IP (in this case I'm trying against ovh IP) and it partially works: I receive a 502.

I think the problem is that it can't query a DNS server using my wireless network, could it be the problem?

However now my real problem is that I want to query a service that does not have a static IP address, so I would use a DNS server in order to query the right address (e.g. www.myservice.com/api/myendpoint )

Can you point me in the right direction, please?

mk24 · June 20, 2020, 3:10pm

You're trying to re-invent the captive portal. Understand how captive portal software works and the system you want is already done for you.

A captive portal includes a captive DNS server. A not logged in user will receive the IP of your "bounce" page no matter what name he requests. This is mostly so the browser doesn't hang waiting for DNS. It is not the only mechanism to ensure the user only has access to your page. If he requested directly by IP any IP he requests will be redirected to the bounce page as well.

The captive portal also handles internally DNSing your page if you configure it by name instead of by number.

trendy · June 20, 2020, 5:16pm

All these rules were completely unnecessary. The RPi will not use the 192.168.2.1 IP as source for anything else other than directly communicating with the wifi clients.

You are rerouting everything to 198.27... so unless this can answer DNS queries, then you have a problem.
As @mk24 pointed out you are trying to reinvent the CP.