Redirect all http traffic to static address in OpenWrt on Raspberry

I have an ISP router with IP 192.168.1.254.

I installed OpenWrt on my Raspberry Pi 3 B.

The Raspberry is connected to the ISP router via Ethernet.

On the Raspberry I configured 2 networks:

  1. wan
  2. wifi

WAN

  • DHCP client on the same ISP router network => can reach the internet

WIFI

  • static ip on a different subnet 192.168.2.1
  • bridged network
  • DHCP server enabled

Firewall zone

I associated the following firewall zone to the wifi network:

input: accept
output: accept
forward: accept
destination zone: wan

In this way if I connect to the wifi network with a client I receive a 192.168.2.* address, and this is what I desire.

The connected client can reach the internet through the wan network.

Now I want to intercept all the traffic coming from a client connected to the wifi network 192.168.2.* and redirect it to a static address.

I tried several things but I can't make it work.

What is the right way to try?

What you need is called a "captive portal".

I thought about that but I'm not sure. Isn't a captive portal used to serve a local page as a splash page and then to force some login?

However, with my config, can you point me to some tutorial that I can follow please?

What do you want to achieve with this redirection of all client traffic to another IP?

I want to query a remote service that should serve dynamic HTML.
For this reason I don't want to serve a static local (relative to my Raspberry) HTML page.

Okay, but do you want to authenticate the users of the wifi? Should this redirect work for all protocols or only http/s?

No, there is no need for authentication. I've created an unprotected wifi network. Then I could close all connections that do not pass through HTTP or HTTPS. I want customers to enter a shop, connect to the open network, open the browser and, whatever they write in the query string, receive the same page returned from my remote service.

Then captive portal it is. You'll have to customize it to get the page from the remote server and to set what action the users will need to take to be able to use the internet.

OK, thank you, but I have difficulty finding a tutorial that reflects my configuration. Normally OpenWrt is installed directly on a router, but I'm behind the ISP router with my Raspberry and I can't understand how to proceed. Do you by any chance know of a tutorial covering my needs or something similar?

I have not dealt with that so I'll leave it to someone else to help you.

Your clients connect to the wireless interface on a RPi, which is also connected to the LAN interface from the ISP's router, in a different network. Your RPi is routing between two networks. Your RPi is a router.

But with this configuration, what happens if the user requests another page? Should the captive portal block them?
If I've understood how it works, to be able to access a remote page I have to enable user internet connectivity. So if the user enters a different address in the browser, isn't he able to navigate everywhere?

Hi guys, I'm back again.
I tried the captive portal solution but I can confirm that it is not what I need.
I've found a solution by adding some custom traffic rules:

iptables -t nat -I PREROUTING -s 192.168.2.2/31 -j DNAT --to-destination 198.27.92.4
iptables -t nat -I PREROUTING -s 192.168.2.4/30 -j DNAT --to-destination 198.27.92.4
iptables -t nat -I PREROUTING -s 192.168.2.8/29 -j DNAT --to-destination 198.27.92.4
iptables -t nat -I PREROUTING -s 192.168.2.16/28 -j DNAT --to-destination 198.27.92.4
iptables -t nat -I PREROUTING -s 192.168.2.32/27 -j DNAT --to-destination 198.27.92.4
iptables -t nat -I PREROUTING -s 192.168.2.64/26 -j DNAT --to-destination 198.27.92.4
iptables -t nat -I PREROUTING -s 192.168.2.128/25 -j DNAT --to-destination 198.27.92.4

In this way, I can redirect all requests coming from IPs in the range [192.168.2.2,192.168.2.255], thereby excluding the router.
I'm redirecting directly to a static IP (in this case I'm trying against an OVH IP) and it partially works: I receive a 502.

I think the problem is that it can't query a DNS server using my wireless network; could that be the problem?

However, now my real problem is that I want to query a service that does not have a static IP address, so I would use a DNS server in order to query the right address (e.g. www.myservice.com/api/myendpoint).

Can you point me in the right direction, please?

You're trying to re-invent the captive portal. Understand how captive portal software works and the system you want is already done for you.

A captive portal includes a captive DNS server. A user who is not logged in will receive the IP of your "bounce" page no matter what name he requests. This is mostly so the browser doesn't hang waiting for DNS. It is not the only mechanism to ensure the user only has access to your page. If he requests directly by IP, any IP he requests will be redirected to the bounce page as well.

The captive portal also handles internally DNSing your page if you configure it by name instead of by number.

All these rules were completely unnecessary. The RPi will not use the 192.168.2.1 IP as source for anything other than directly communicating with the wifi clients.

You are rerouting everything to 198.27... so unless this can answer DNS queries, then you have a problem.
As @mk24 pointed out you are trying to reinvent the CP.
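
Added example, not part of any post in the thread: a small Python model of the seven posted PREROUTING rules, checking the address range they cover and showing that a source-only DNAT match also rewrites a client's DNS query to the router. The single /24 rule limited to TCP port 80 and the sample packets are assumptions constructed for comparison.

```python
import ipaddress

# Source blocks copied from the seven PREROUTING rules posted in the thread.
POSTED_SOURCES = ["192.168.2.2/31", "192.168.2.4/30", "192.168.2.8/29",
                  "192.168.2.16/28", "192.168.2.32/27", "192.168.2.64/26",
                  "192.168.2.128/25"]
DNAT_TARGET = "198.27.92.4"   # destination used in the posted rules
ROUTER = "192.168.2.1"        # wifi-side address of the RPi (from the post)

def covered_range(cidrs):
    """Return (first, last) address covered, checking the blocks are contiguous."""
    nets = sorted(ipaddress.ip_network(c) for c in cidrs)
    for a, b in zip(nets, nets[1:]):
        if int(a.broadcast_address) + 1 != int(b.network_address):
            raise ValueError(f"gap or overlap between {a} and {b}")
    return str(nets[0].network_address), str(nets[-1].broadcast_address)

def dnat(packet, rules):
    """Apply the first matching rule; a rule is (src_cidr, proto, dport), None = any."""
    src = ipaddress.ip_address(packet["src"])
    for cidr, proto, dport in rules:
        if src not in ipaddress.ip_network(cidr):
            continue
        if proto is not None and proto != packet["proto"]:
            continue
        if dport is not None and dport != packet["dport"]:
            continue
        return dict(packet, dst=DNAT_TARGET)   # destination rewritten
    return packet                              # no rule matched, packet unchanged

# The posted rules match on source only, so every protocol and port is rewritten.
POSTED_RULES = [(c, None, None) for c in POSTED_SOURCES]
# Assumed alternative for comparison: one /24 rule limited to TCP port 80.
# PREROUTING only sees packets arriving from clients, never the router's own
# locally generated traffic, so excluding 192.168.2.1 by hand is not needed.
NARROW_RULES = [("192.168.2.0/24", "tcp", 80)]

# Constructed sample packets from a wifi client at 192.168.2.50.
DNS_QUERY = {"src": "192.168.2.50", "dst": ROUTER, "proto": "udp", "dport": 53}
HTTP_GET = {"src": "192.168.2.50", "dst": "203.0.113.10", "proto": "tcp", "dport": 80}

if __name__ == "__main__":
    print("posted blocks cover", covered_range(POSTED_SOURCES))
    for name, rules in (("posted", POSTED_RULES), ("narrow", NARROW_RULES)):
        for pkt in (DNS_QUERY, HTTP_GET):
            print(name, pkt["proto"], pkt["dport"], "->", dnat(pkt, rules)["dst"])
```

With the posted rules the DNS query leaves for 198.27.92.4 instead of reaching the resolver on 192.168.2.1, which is the failure the last reply describes; the narrowed rule leaves DNS alone and still redirects plain HTTP.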