Redirect all traffic to one website

Hi Everyone,
I have spent the last few days looking for ways to set up this configuration. I really hope someone can help because I am stuck.
Here is what I'm looking for:

People connect to the guest network, a captive page shows up which pushes it to one website. So for demonstration purposes I will say Google.com.

So, people connect to the guest network, and they can only access Google.com. If they try to go to yahoo.com they get pushed back to Google.com, if they try msn.com they get pushed to google.com, however;
if google needs access to paypal.com, I need to be able to apply paypal.com to this filter so only google and paypal work.

Another way of putting this example is: I need guests to be able to browse an e-commerce site, and be able to check out using a payment processor's IPs, but guests can only access the sites we allow and everything gets directed back to the main e-commerce site.

If someone could assist, please please please.... my eyes are killing me trying to search for dnsmasq, firewall filters etc..

That is not possible on the router level, all your router sees are DNS requests (if at all, e.g. DoH) and SSL encrypted traffic to various (usually CDN backed) IPs.

If it's not possible on the router level, would it be possible to do this on a server? A server where the router directs all traffic to?

Sounds like you’d need a proxy? Dunno if you can enforce that or if clients could override it if they knew how.

Alternatively, put all your guest clients in a separate subnet, then get the IP addresses of the sites you want to allow, then block everything else in the firewall config. Seems simpler and probably more secure than faffing around with redirects (although not as polished/pretty).

Unless you control all connecting clients at root/admin level, no. HTTPS/SSL is made to prevent exactly this.

Hi Sparks - could this be done on a router level?

The answer remains: "no".

In a world before https-everywhere, yes (via proxying), but those days are gone. Nowadays the clients verify the integrity of each server via their own CA storage (indirectly via the root CAs, but that's an implementation detail and doesn't really matter), you can't prevent that, unless you're root on all the individual clients (and that's before even considering client-side DoH and HSTS).

Firewall solution, absolutely.

Proxy solution, for internal private websites you control, it should work based on your description. https://openwrt.org/docs/guide-user/services/proxy/proxy.squid, no mention of redirecting stuff, and as slh mentioned you may run into issues with https sites breaking. Also, you’d be exposing yourself to liability if you got hacked and someone collected all the credit card info.

Even if I own the server I want to lock it to? I am nowhere near IP savvy.

So, I could technically block all traffic except for the server IP, and use the captive page to notify everyone which page works?

You can block all internet access and redirect everything requested over plain unverified DNS (which is becoming less common) to your own server.

You can't selectively extend your whitelists based on the needs of your whitelisted pages (your google --> paypal example can't work). And you do need to be prepared that your redirects will fail hard (in the DoH or HSTS case, which is getting increasingly common), in the sense that your server's response will never be displayed at all and the user only receives an error message.

That is before considering the legal implications (which aren't small, depending on your jurisdiction).
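
A sketch of the approach described in the replies above (guest subnet, allowlist firewall, plain DNS answered with your own server), added here as an example and not posted by anyone in the thread. The interface name `br-guest`, the addresses, the domains `shop.example`/`pay.example` and the table name `guest_portal` are assumptions; it covers IPv4 only and needs a dnsmasq build with nftset support.

```shell
#!/bin/sh
# Added example: interface, addresses and domains are constructed placeholders.
GUEST_IF="br-guest"       # assumed guest bridge name
PORTAL_IP="192.0.2.10"    # assumed: your own shop server (TEST-NET-1)
UPSTREAM="198.51.100.53"  # assumed: upstream resolver (TEST-NET-2)

# Accept only plain hostnames so a list entry cannot inject config directives.
valid_domain() {
    case "$1" in
        ""|*[!a-z0-9.-]*|.*|*.|-*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# dnsmasq side: every name resolves to the portal, except allowlisted domains,
# which are forwarded upstream and whose A records are copied into the nft set.
gen_dnsmasq() {
    for d in "$@"; do
        valid_domain "$d" || { echo "bad domain: $d" >&2; return 1; }
    done
    echo "address=/#/$PORTAL_IP"
    for d in "$@"; do
        echo "server=/$d/$UPSTREAM"
        echo "nftset=/$d/4#inet#guest_portal#guest_allow"
    done
}

# nftables side: force guest DNS to the router, allow web traffic only to the
# portal and to addresses dnsmasq learned, drop every other forwarded packet.
gen_nft() {
    cat <<EOF
table inet guest_portal {
    set guest_allow { type ipv4_addr; }
    chain dns_capture {
        type nat hook prerouting priority dstnat; policy accept;
        iifname "$GUEST_IF" udp dport 53 redirect to :53
        iifname "$GUEST_IF" tcp dport 53 redirect to :53
    }
    chain forward {
        type filter hook forward priority filter; policy accept;
        iifname "$GUEST_IF" ip daddr $PORTAL_IP tcp dport { 80, 443 } accept
        iifname "$GUEST_IF" ip daddr @guest_allow tcp dport { 80, 443 } accept
        iifname "$GUEST_IF" drop
    }
}
EOF
}
gen_dnsmasq shop.example pay.example && gen_nft
```

As the replies point out, a guest who requests any other HTTPS site gets a certificate error rather than the shop page, and third-party hosts that an allowed site loads are not added to the list automatically. The router's own firewall must also permit guest forwarding, since an accept in this table does not override a drop elsewhere.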

I was at an IKEA store once, and I was able to go through their entire inventory - through the wifi, and I was able to make purchases through it - I thought this concept was genius. I wasn't able to surf any other website.