Unable to Access 192.168.1.1 and LuCI Interface After Authenticating with Nodogsplash on OpenWrt

Hi everyone,

I'm having an issue with Nodogsplash on OpenWrt. After successfully authenticating and gaining internet access, I'm unable to access the router's web interface at 192.168.1.1, as well as the LuCI interface. Could someone help me understand why this might be happening and how I can resolve it?

Thanks in advance!
My firewall


config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'vpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	list network 'wg'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/firewall.include'

config zone
	option name 'lan5g'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan5g'

config forwarding
	option src 'lan5g'
	option dest 'vpn'

 

My network config (note: the PPPoE username and password below were pasted in clear text; that password should be rotated with the ISP, and credentials should be redacted before posting configs publicly)

 
 
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd84:859d:b675::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option delegate '0'

config interface 'wan'
	option device 'wan'
	option proto 'pppoe'
	option username 'noob32'
	option password 'vnntinv222'
	option ipv6 '0'
	option peerdns '0'
	option sourcefilter '0'
	option delegate '0'
	list ip6class 'local'

config interface 'wg'
	option proto 'wireguard'
	option private_key 'wireguard'
	list addresses '10.102.127.247/32'
	list dns '10.100.0.1'

config wireguard_wg
	option public_key 'wireguard'
	option private_key 'wireguard'
	option preshared_key 'wireguard'
	list allowed_ips '0.0.0.0/0'
	option endpoint_host '1xxx.xxx.xx.xx'
	option endpoint_port '253'
	option persistent_keepalive '25'

config interface 'lan5g'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option delegate '0'

 

nodogsplash config


# The options available here are an adaptation of the settings used in nodogsplash.conf.
# See https://github.com/nodogsplash/nodogsplash/blob/master/resources/nodogsplash.conf

config nodogsplash
  # Set to 0 to disable nodogsplash
  option enabled 1

  # Set to 0 to disable hook that makes nodogsplash restart when the firewall restarts.
  # This hook is needed as a restart of Firewall overwrites nodogsplash iptables entries.
  option fwhook_enabled '1'

  # WebRoot
  # Default: /etc/nodogsplash/htdocs
  #
  # The local path where the splash page content resides.
  # ie. Serve the file splash.html from this directory
  #option webroot '/etc/nodogsplash/htdocs'

  # Use plain configuration file
  #option config '/etc/nodogsplash/nodogsplash.conf'

  # Use this option to set the device nodogsplash will bind to.
  # The value may be an interface section in /etc/config/network or a device name such as br-lan.
  option gatewayinterface 'br-lan'

  # GatewayPort
  # Default: 2050
  #
  # Nodogsplash's own http server uses gateway address as its IP address.
  # The port it listens to at that IP can be set here; default is 2050.
  #
  #option gatewayport '2050'


  option gatewayname 'OpenWrt Nodogsplash'
  option maxclients '250'

  # Enables debug output (0-3)
  #option debuglevel '1'

  # Client timeouts in minutes
  option preauthidletimeout '30'
  option authidletimeout '120'
  # Session Timeout is the interval after which clients are forced out (a value of 0 means never)
  option sessiontimeout '1200'

  # The interval in seconds at which nodogsplash checks client timeout status
  option checkinterval '600'

  # Enable BinAuth Support.
  # If set, a program is called with several parameters on authentication (request) and deauthentication.
  # Request for authentication:
  # $<BinAuth> auth_client <client_mac> '<username>' '<password>'
  #
  # The username and password values may be empty strings and are URL encoded.
  # The program is expected to output the number of seconds the client
  # is to be authenticated. Zero or negative seconds will cause the authentication request
  # to be rejected. The same goes for an exit code that is not 0.
  # The output may contain a user specific download and upload limit in KBit/s:
  # <seconds> <upload> <download>
  #
  # Called on authentication or deauthentication:
  # $<BinAuth> <*auth|*deauth> <incoming_bytes> <outgoing_bytes> <session_start> <session_end>
  #
  # "client_auth": Client authenticated via this script.
  # "client_deauth": Client deauthenticated by the client via splash page.
  # "idle_deauth": Client was deauthenticated because of inactivity.
  # "timeout_deauth": Client was deauthenticated because the session timed out.
  # "ndsctl_auth": Client was authenticated manually by the ndsctl tool.
  # "ndsctl_deauth": Client was deauthenticated by the ndsctl tool.
  # "shutdown_deauth": Client was deauthenticated by Nodogsplash terminating.
  #
  # Values session_start and session_end are in seconds since 1970 or 0 for unknown/unlimited.
  #
  #option binauth '/bin/myauth.sh'
  # Enable PreAuth Support.
  #
  # A simple login script is provided in the package.
  # This generates a login page asking for username and email address.
  # User logins are recorded in the log file /tmp/ndslog.log
  # Details of how the script works are contained in comments in the script itself.
  #
  # The Preauth program will output html code that will be served to the client by NDS
  # Using html GET the Preauth program may call:
  # /nodogsplash_preauth/ to ask the client for more information
  # or
  # /nodogsplash_auth/ to authenticate the client
  #
  # The Preauth program should append at least the client ip to the query string
  # (using html input type hidden) for all calls to /nodogsplash_preauth/
  # It must also obtain the client token using ndsctl (or the original query string if fas_secure_enabled=0)
  # for NDS authentication when calling /nodogsplash_auth/
  #
  #option preauth '/usr/lib/nodogsplash/login.sh'

  # Your router may have several interfaces, and you
  # probably want to keep them private from the gatewayinterface.
  # If so, you should block the entire subnets on those interfaces, e.g.:
  #list authenticated_users 'block to 192.168.0.0/16'
  #list authenticated_users 'block to 10.0.0.0/8'

  # Typical ports you will probably want to open up.
  #list authenticated_users 'allow tcp port 22'
  #list authenticated_users 'allow tcp port 53'
  #list authenticated_users 'allow udp port 53'
  #list authenticated_users 'allow tcp port 80'
  #list authenticated_users 'allow tcp port 443'
  # Or allow everything for authenticated clients. Note: with the 'block to' rules
  # above left commented out, authenticated clients are not kept away from the
  # router's other private subnets (e.g. 192.168.3.0/24 on lan5g) wherever the
  # firewall accepts or forwards that traffic.
  list authenticated_users 'allow all'

  # For preauthenticated users to resolve IP addresses in their
  # initial request not using the router itself as a DNS server,
  # Leave commented to help prevent DNS tunnelling
  #list preauthenticated_users 'allow tcp port 53'
  #list preauthenticated_users 'allow udp port 53'

  # Ports captive-portal clients may reach on the router itself: SSH (22), Telnet (23),
  # DNS (53), DHCP (67), HTTP (80) and 81. Nothing in this file gates these rules on
  # authentication, so 22/23/80 expose SSH, Telnet and LuCI to every guest that
  # associates. Despite the original comment, HTTPS (443) is NOT in the list.
  list users_to_router 'allow tcp port 22'
  list users_to_router 'allow tcp port 23'
  list users_to_router 'allow tcp port 53'
  list users_to_router 'allow udp port 53'
  list users_to_router 'allow udp port 67'
  list users_to_router 'allow tcp port 80'
  list users_to_router 'allow tcp port 81'

  # MAC addresses that are / are not allowed to access the splash page
  # Value is either 'allow' or 'block'. The allowedmac or blockedmac list is used.
  #option macmechanism 'allow'
  #list allowedmac '00:00:C0:01:D0:0D'
  #list allowedmac '00:00:C0:01:D0:1D'
  #list blockedmac '00:00:C0:01:D0:2D'

  # MAC addresses that do not need to authenticate
  



  # Nodogsplash uses specific HEXADECIMAL values to mark packets used by iptables as a bitwise mask.
  # This mask can conflict with the requirements of other packages such as mwan3, sqm etc
  # Any values set here are interpreted as in hex format.
  #
  # List: fw_mark_authenticated
  # Default: 30000 (0011|0000|0000|0000|0000 binary)
  #
  # List: fw_mark_trusted
  # Default: 20000 (0010|0000|0000|0000|0000 binary)
  #
  # List: fw_mark_blocked
  # Default: 10000 (0001|0000|0000|0000|0000 binary)
  #
  #option fw_mark_authenticated '30000'
  #option fw_mark_trusted '20000'
  #option fw_mark_blocked '10000'

Are you using PBR?

I can remember reading in a post that there is an incompatibility between PBR and nodogsplash (using the same fwmark)

There is a work around described, will see if I can find that post, if I have time later today.

But it is possible that it is totally unrelated


Yes, it is totally unrelated: when I stop PBR, nothing changes.

You seem to have disregarded the warnings you were given in your previous thread with regards to Nodogsplash. No matter what you may think, it is STILL incompatible with 23.05.xx and later, so expect one problem after another.

My previous comments on your previous thread:


I understand that switching to openNDS solves the conflict, but I still want to use Nodogsplash because I have already built a complete splash page. If I switch from Nodogsplash to openNDS, I would have to recreate splash.html. Is there any way to keep using my HTML splash page with openNDS?
I tried this approach, but clicking Continue does not work: openNDS/community/themespec/theme_legacy at master · openNDS/openNDS (github.com)

Greetings to Vietnam :slight_smile: I will be on Phu Quoc again at the end of this year. Because Nodogsplash depends heavily on manipulating the firewall, you might consider building your own image, dropping fw4 completely and using iptables rules directly with the original Nodogsplash. This should work on 22.03 at least (I have done the same with coova-chilli). Maybe, after some experience with that, you will be able to port Nodogsplash to nftables.


This is moving away from the original topic of this thread, so probably you should open a new thread, but I will make a few constructive comments.

@reinerotto is correct, yes you could build your own custom firmware and revert back to iptables.

This is also possible, but, effectively, openNDS is a port of NoDogSplash to 100% nftables, with some 5 or 6 years of ongoing development on top.

This is a community provided function and is not officially supported, but should nevertheless work.

Have you succeeded in testing this to see if it is working?

There are some strict limitations on what is accepted by client devices when a captive portal is detected.
For example, downloads are prohibited and most javascript is blocked. This is not a function of NoDogSplash or openNDS, but enforced by user device operating systems for security reasons.

So you can see "i try this way but click continue not working" could be for many reasons.

Have you tried openNDS in its default configuration? This should give you a "click to continue" splash page sequence.
Once you see this working you can move on to either customising or running theme_legacy.

Back to the original question of this thread:
If you are running openNDS, accessing http://192.168.1.1 will give you the RFC 8908 (Captive Portal API) portal status page — things have moved on dramatically in many respects since Nodogsplash development stopped.

To access LuCI you would use https://192.168.1.1 — note the "https".


https://github.com/openNDS/openNDS/tree/master/community/themespec/theme_legacy — this approach is not working at all.

Dude, fix your keyboard...

What would you like us to do with "not working"?


To comply with the mandatory security requirements that the user devices insist upon, whilst being written for the legacy NoDogSplash template system, your complete html splash page should be no more than a few lines of simple html. So making a few changes should not be a problem......

The default "click to continue" theme works, but when I use theme_click-to-continue-legacy.sh with my own click-to-continue splash.html, it does not work.

So you get the click to continue page? If so then it is working.
What do you expect to see?

When I click "Continue" with theme_click-to-continue-legacy.sh, nothing happens: no internet access, and the splash page does not close. You can try it yourself by installing openNDS and setting up theme_click-to-continue-legacy.sh.

Remember what I said earlier:

I will, but I am very busy on other things for a while. It is quite possible that something in a recent release is preventing theme_legacy from working - We will see.

@VIETBACSEUCURITY
Yes, a fix was needed in the theme_legacy script to take account of changes in recent releases of openNDS.

See commit:

Reinstall this theme in the same way you did originally. It will overwrite the old version.

Try it and report back...


Yes, it works now! Thank you for the help — I'm ready to use openNDS :smiley:

To automate the process of declaring files in the /images/ directory, you can use a loop in the .sh file to scan the files in that directory and replace the corresponding paths in splash.html. Here is one approach:

How to do it
Scan the files in the directory: the snippet below uses a shell glob over the webroot's images directory (`"$image_dir"/*`); `find` would also work.

Replace the path: For each file found, you will replace the corresponding path in splash.html.

Code example
Here is a code snippet that can be added to the click_to_continue function:

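click_to_continue() {
    # Rewrite root-relative references to files in the webroot images
    # directory ("/logo.png") into absolute gateway URLs
    # ("http://<gateway>:2050/images/logo.png") inside the per-client
    # copy of splash.html.
    #
    # Reads:  $gatewayurl   - gateway base URL (provided by openNDS before the theme runs)
    #         $legacysplash - path of the per-client splash copy to edit
    #         $image_dir    - optional override of the images directory; defaults to
    #                         the openNDS webroot images folder
    # Side effects: edits $legacysplash in place with sed -i.
    image_dir="${image_dir:-/etc/opennds/htdocs/images}"

    for file in "$image_dir"/*; do
        # An empty or missing directory leaves the unexpanded pattern
        # "$image_dir/*" in $file; skip it rather than rewrite a literal "/*".
        [ -e "$file" ] || continue
        filename="${file##*/}"

        # File names and the gateway URL are data, not regex. Escape the BRE
        # metacharacters and the '|' delimiter in the pattern, and '\', '&'
        # and '|' in the replacement, otherwise a name such as "a|b.png" or a
        # '&' in the URL corrupts the substitution. The g flag rewrites every
        # reference on a line, not only the first.
        esc_pat=$(printf '%s\n' "\"/$filename\"" | sed 's/[][\\.*^$|]/\\&/g')
        esc_rep=$(printf '%s\n' "\"$gatewayurl/images/$filename\"" | sed 's/[\\&|]/\\&/g')
        sed -i "s|$esc_pat|$esc_rep|g" "$legacysplash"
    done
}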

Explanation
for file in "$image_dir"/*: This loop visits every entry in the images directory. If the directory is empty or missing, the glob is left unexpanded and `$file` is the literal pattern, so guard the body with `[ -e "$file" ] || continue`.
basename "$file": Get the file name from the full path.
sed: Perform the corresponding path replacement in splash.html.
Process Summary:
Adding Files to the /images/ Folder: You can add image, video, or HTML files without changing the code in the .sh file.

Re-Running the Code: When you re-run the code in theme_click-to-continue-legacy.sh, it will scan all the files in the /images/ folder and perform path replacements for all those files in splash.html.

Below is an updated version of the theme_click-to-continue-legacy.sh file as we discussed. It has been modified to automatically recognize files in the /images/ directory.

#!/bin/sh
#Copyright (C) The openNDS Contributors 2004-2022
#Copyright (C) BlueWave Projects and Services 2015-2024
#This software is released under the GNU GPL license.

# Warning - shebang sh is for compatibility with busybox ash (eg on OpenWrt)
# This should be changed to bash for generic Linux

# Title of this theme (also copied into userinfo at the end of the script):
title='theme_click-to-continue-legacy'

# Description:
# This theme allows the legacy splash.html splash page to be used

# functions:

# Entry point openNDS calls to run this theme's splash sequence; the legacy
# theme has a single step, the click-to-continue page.
generate_splash_sequence() { click_to_continue; }

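# Upstream hook: succeeds when a "header" function is defined, printing nothing.
# The original used `&>/dev/null`, a bash-ism; a plain POSIX /bin/sh parses that
# as "run `type header` in the background, then redirect nothing", so the
# redirections are spelled out portably here.
header() {
	type header >/dev/null 2>&1
}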

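# Escape $1 for use as the PATTERN of a "s|...|...|" sed expression: the BRE
# metacharacters ] [ \ . * ^ $ and the '|' delimiter become literal.
_legacy_sed_pat() {
	printf '%s\n' "$1" | sed 's/[][\\.*^$|]/\\&/g'
}

# Escape $1 for use as the REPLACEMENT of a "s|...|...|" sed expression:
# '\', '&' and the '|' delimiter become literal.
_legacy_sed_rep() {
	printf '%s\n' "$1" | sed 's/[\\&|]/\\&/g'
}

# Generate the click-to-continue page from the legacy splash.html.
#
# Copies /etc/opennds/htdocs/splash.html to a per-client working file, fills in
# the legacy placeholders ($gatewayname, $authaction, $redir, $tok), rewrites
# root-relative asset references ("/splash.css" and "/<file>" for every file in
# the webroot images directory) to absolute URLs on the gateway, writes the
# result to stdout for openNDS to serve, removes the working file and exits 0.
# Exits 1 when splash.html does not exist. (Exiting from inside the function is
# the upstream contract for this theme and is kept.)
#
# Reads what libopennds provides before the theme runs: $mountpoint, $hid, $key,
# $gatewayname, $gatewayurl, get_option_from_config (sets $gatewayport /
# $gatewayfqdn) and htmlentitydecode (sets $entitydecoded).
click_to_continue() {
	legacy="/etc/opennds/htdocs/splash.html"
	legacysplash="$mountpoint/ndscids/$hid.html"
	# Images are served from the webroot, next to splash.html. The previous
	# version looped over "/images/*" at the filesystem root, which never
	# matches, so the unexpanded "/*" pattern was substituted into the page.
	imagedir="${legacy%/*}/images"

	[ -e "$legacy" ] || exit 1

	cp "$legacy" "$legacysplash"

	# Kept from upstream; gatewayport is not referenced further down.
	get_option_from_config gatewayport
	if [ -z "$gatewayport" ]; then
		gatewayport="2050"
	fi

	# Every value spliced into a sed expression is escaped: gatewayname is
	# admin-supplied text and the URLs may carry '&' or '|', which sed would
	# otherwise interpret. The g flag substitutes every occurrence on a line.
	sed -i "s|\$gatewayname|$(_legacy_sed_rep "$gatewayname")|g" "$legacysplash"

	htmlentitydecode "$gatewayurl"
	gatewayurl=$entitydecoded
	authaction="$gatewayurl/opennds_auth/"
	sed -i "s|\$authaction|$(_legacy_sed_rep "$authaction")|g" "$legacysplash"

	css_rel="\"/splash.css\""
	css_abs="\"$gatewayurl/splash.css\""
	sed -i "s|$(_legacy_sed_pat "$css_rel")|$(_legacy_sed_rep "$css_abs")|g" "$legacysplash"

	# Point every root-relative reference to a file in the images directory
	# at the gateway's absolute URL for it.
	for imagefile in "$imagedir"/*; do
		# An empty or missing directory leaves the unexpanded glob in
		# $imagefile; skip it instead of rewriting a literal "/*".
		[ -e "$imagefile" ] || continue
		imagename="${imagefile##*/}"
		img_rel="\"/$imagename\""
		img_abs="\"$gatewayurl/images/$imagename\""
		sed -i "s|$(_legacy_sed_pat "$img_rel")|$(_legacy_sed_rep "$img_abs")|g" "$legacysplash"
	done

	option="gatewayfqdn"
	get_option_from_config
	if [ -z "$gatewayfqdn" ]; then
		gatewayfqdn="status.client"
	fi

	redir="http://$gatewayfqdn"
	sed -i "s|\$redir|$(_legacy_sed_rep "$redir")|g" "$legacysplash"

	# Form token = sha256(hid || key). The data must not be printf's FORMAT
	# argument: a '%' or '\' in the configured key would be interpreted and
	# the token would presumably no longer match what openNDS computes
	# elsewhere (NOTE(review): confirm against libopennds).
	tok=$(printf '%s' "$hid$key" | sha256sum | awk '{printf "%s", $1}')
	sed -i "s|\$tok|$tok|g" "$legacysplash"

	cat "$legacysplash"
	rm "$legacysplash"
	exit 0
}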

#### end of functions ####

#################################################
# Start - Main entry point for this Theme
#################################################

# Quota values handed back to openNDS for clients authenticated by this theme:
# session length, upload/download rate and upload/download quota.
# NOTE(review): "0" presumably means "no theme-specific limit"; confirm against
# libopennds before relying on it.
session_length='0'
upload_rate='0'
download_rate='0'
upload_quota='0'
download_quota='0'
quotas="${session_length} ${upload_rate} ${download_rate} ${upload_quota} ${download_quota}"

# This theme declares no extra parameters, images or files; the empty values are
# still appended so the lists passed in by openNDS keep their expected shape.
ndscustomparams=''
ndscustomimages=''
ndscustomfiles=''
ndsparamlist="${ndsparamlist} ${ndscustomparams} ${ndscustomimages} ${ndscustomfiles}"

additionalthemevars=''
fasvarlist="${fasvarlist} ${additionalthemevars}"

# Free-text info recorded for the client: the theme title.
userinfo="${title}"

Explanation:
The loop `for file in /images/*;` is meant to iterate over the files in the webroot images directory and rewrite the matching paths in splash.html. Note that as written it looks at `/images/` at the filesystem root, not `/etc/opennds/htdocs/images` as in the earlier snippet; when that directory does not exist the glob stays literal and `"/*"` gets substituted instead, so use the webroot path and guard with `[ -e "$file" ] || continue`.
Any files added to that directory are then picked up automatically without being declared by hand.

Glad it is working for you!

The user device will refuse to play video from a captive portal, as I mentioned before - for security reasons. You may get it to work on a desktop/laptop browser, but not on normal mobile apple/android/chromebook type devices.

I tested on Android 14 and everything works with my welcome splash page: the guest watches a 10-second video, then authenticates and gets internet access; the video is served locally from /images/.
