Wifidog still allow internet after authentication denied

I already setup Wifidog on OpenWrt and it works perfectly on authentication. It blocks everything except:

I want to block everything if the user is not authenticated is there any solution for this? Can somebody help me?

This is my current configuration

GatewayID L1S1
ExternalInterface eth0
GatewayInterface br-lan
AuthServer {
Hostname mylocalauthenticationserver
HTTPPort 80
SSLAvailable no
Path /portal/
HTTPDMaxConn 253
ClientTimeout 10
PopularServers kernel.org,ieee.org, ask.com
FirewallRuleSet global {
#FirewallRule allow to
FirewallRuleSet validating-users {
FirewallRule allow to
FirewallRuleSet known-users {
FirewallRule allow to
FirewallRuleSet unknown-users {
FirewallRule allow udp port 53
FirewallRule allow tcp port 53
FirewallRule allow udp port 67
FirewallRule allow tcp port 67
FirewallRule block udp port 8000
FirewallRuleSet locked-users {
FirewallRule block to

#TrustedMACList 00:00:DE:AD:BE:AF,00:00:C0:1D:F0:0D

hardware and Openwrt version?

what about ipv6 ?

I use mikrotik rb750gr3.

fine, but are you handling the ipv6 traffic as well ?

I am not exactly sure, I am new to network stuff.
I just install wifidog for captive portal to block everything for me.
I just follow this configuration like others did.
I start wifidog and then reboot.

no need to paste the same config twice ....

if you disable ipv4 on your client, does everything still work ?
if you disable ipv6, does everything stop ?

Other sites are block like baidu.com, stackoverflow and many more.
but it was not able to block sites like google, youtube and some popular sites.

try answering the question(s) ....

Wifidog has been broken since 2016 with no new releases since 2015.
It is broken because it assumes an ancient version of iptables
There have been some patches done to allow it to at least compile - but really it is now dead and should probably be removed from OpenWrt.

Appreciate the answer.
How about CoovaChilli, is it recommended to learn it.
I have no network knowledge, so I am dependent on packages like this.

based on the (old) comment here, you could run into the same issue ....

1 Like

May be, my old comment regarding coova and IPv6 is outdated, because new version(s) of coova available, which allow set up incl. IPv6. However, I never used it, and my comment regarding complexity of setup is still valid.


fair enough, rephrased - should => could :wink:

A little history:
Way back, because Wifidog was only being sparsely maintained, NoDogSplash was forked.
Again, for the same reason, in 2020, OpenNDS was forked from NoDogSplash.

OpenNDS is actively maintained so would be a good way forward.

1 Like

As captive portals must use dnat redirection to be compatible with the client based defacto CPD standard (aka canary probing) to give an "automatic popup", ipv6 support is very much a hack to the point of being more trouble than it is worth.
The upcoming rfc8910/8908 CPI standard will enable simple and reliable captive portal ipv6 support. This may take some time though as takeup of the CPI standard is slow as it is still very immature.
As far as I can see, ipv6 support in Coovachilli is flagged as "experimental" and does not have much code behind it as it predates CPI.


Thank you for this suggestion.
OpenNDS has a Forwarding Authentication Service (FAS) options, seems like this is a way to go.
I have a server which runs a nodejs application as authentication server.

You can write a FAS server in any language - php is the most common, but nodejs is fine.
Assuming you have an Internet hosted web server running your nodejs auth app, the simplest way forward is to use the standard fas-aes-https.php script on your Internet web server and modify it to use the node.js app to do the client credential verification.

If you have any questions or problems, open an issue at:


Thank you.
I am running my nodejs application on my local server.
I will try to do some experiment if it would work, if not I'll host on cloud.
I can write php application as well, I'll try to understand the inner working of opennds first.

is it possible to use my local server with ip
I am running my nodejs application at port 80.

Then you should start with fas-aes.php (the http:// version) and modify that.

1 Like