Wifidog still allows internet after authentication is denied

I have already set up Wifidog on OpenWrt and it works perfectly for authentication. It blocks everything except:

I want to block everything if the user is not authenticated. Is there any solution for this? Can somebody help me?

This is my current configuration:

GatewayID L1S1
ExternalInterface eth0
GatewayInterface br-lan
AuthServer {
    Hostname mylocalauthenticationserver
    HTTPPort 80
    SSLAvailable no
    Path /portal/
}
HTTPDMaxConn 253
ClientTimeout 10
PopularServers kernel.org,ieee.org,ask.com
FirewallRuleSet global {
    #FirewallRule allow to 9.9.9.9
}
FirewallRuleSet validating-users {
    FirewallRule allow to 0.0.0.0/0
}
FirewallRuleSet known-users {
    FirewallRule allow to 0.0.0.0/0
}
FirewallRuleSet unknown-users {
    FirewallRule allow udp port 53
    FirewallRule allow tcp port 53
    FirewallRule allow udp port 67
    FirewallRule allow tcp port 67
    FirewallRule block udp port 8000
}
FirewallRuleSet locked-users {
    FirewallRule block to 0.0.0.0/0
}

#TrustedMACList 00:00:DE:AD:BE:AF,00:00:C0:1D:F0:0D

Hardware and OpenWrt version?

What about IPv6?

I use a MikroTik RB750Gr3.

Fine, but are you handling the IPv6 traffic as well?

I am not exactly sure; I am new to network stuff.
I just installed Wifidog as a captive portal to block everything for me.
I just followed this configuration like others did.
I started Wifidog and then rebooted.

No need to paste the same config twice ...

If you disable IPv4 on your client, does everything still work?
If you disable IPv6, does everything stop?

Other sites are blocked, like baidu.com, Stack Overflow and many more,
but it was not able to block sites like Google, YouTube and some popular sites.

Try answering the question(s) ...

Wifidog has been broken since 2016, with no new releases since 2015.
It is broken because it assumes an ancient version of iptables.
There have been some patches to allow it to at least compile, but really it is now dead and should probably be removed from OpenWrt.

Appreciate the answer.
How about CoovaChilli, is it recommended to learn it?
I have no network knowledge, so I am dependent on packages like this.

Based on the (old) comment here, you could run into the same issue ...

1 Like

Maybe my old comment regarding Coova and IPv6 is outdated, because new version(s) of Coova are available which allow setup incl. IPv6. However, I never used it, and my comment regarding the complexity of setup is still valid.

2 Likes

Fair enough, rephrased: should => could :wink:

A little history:
Way back, because Wifidog was only being sparsely maintained, NoDogSplash was forked.
Again, for the same reason, in 2020, OpenNDS was forked from NoDogSplash.

OpenNDS is actively maintained so would be a good way forward.

1 Like

As captive portals must use DNAT redirection to be compatible with the client-based de facto CPD standard (aka canary probing) to give an "automatic popup", IPv6 support is very much a hack, to the point of being more trouble than it is worth.
The upcoming RFC 8910/8908 CPI standard will enable simple and reliable captive portal IPv6 support. This may take some time though, as take-up of the CPI standard is slow and it is still very immature.
As far as I can see, IPv6 support in CoovaChilli is flagged as "experimental" and does not have much code behind it, as it predates CPI.

2 Likes
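To make the CPI exchange mentioned above concrete, here is an added example (not code from this thread, openNDS or Wifidog) of the RFC 8908 Captive Portal API in Node.js: the gateway side builds the JSON answer for one client, and the client side decides whether to show the portal. The session record and the portal URL are constructed values; the API itself is the HTTPS JSON exchange that replaces DNAT redirection and so works the same for IPv4 and IPv6 clients.

```javascript
// Added example: a minimal RFC 8908 Captive Portal API exchange in Node.js.
// Illustrative code written for this thread, not part of openNDS or Wifidog.

const CAPTIVE_JSON = 'application/captive+json'; // media type defined by RFC 8908

// Gateway side: build the API response for one client session.
// `session` is a constructed record; a real gateway would look it up by client address.
function buildCaptiveResponse(session) {
  const body = { captive: !session.authenticated };
  if (!session.authenticated) {
    // RFC 8908: the user portal MUST be accessed over TLS.
    body['user-portal-url'] = session.portalUrl;
  } else {
    if (session.secondsRemaining !== undefined) body['seconds-remaining'] = session.secondsRemaining;
    if (session.bytesRemaining !== undefined) body['bytes-remaining'] = session.bytesRemaining;
    body['can-extend-session'] = Boolean(session.canExtend);
  }
  if (session.venueInfoUrl) body['venue-info-url'] = session.venueInfoUrl;
  return {
    status: 200,
    headers: { 'content-type': CAPTIVE_JSON, 'cache-control': 'private, no-store' },
    body: JSON.stringify(body),
  };
}

// Client side: interpret a response. Anything malformed is reported as invalid so a
// misconfigured gateway fails closed rather than being treated as "not captive".
function interpretCaptiveResponse(headers, rawBody) {
  if (headers['content-type'] !== CAPTIVE_JSON) return { action: 'invalid', reason: 'wrong media type' };
  let data;
  try {
    data = JSON.parse(rawBody);
  } catch (e) {
    return { action: 'invalid', reason: 'malformed JSON' };
  }
  if (typeof data.captive !== 'boolean') return { action: 'invalid', reason: '"captive" missing' };
  if (!data.captive) {
    const secs = data['seconds-remaining'];
    return { action: 'open', secondsRemaining: typeof secs === 'number' ? secs : null };
  }
  const portal = data['user-portal-url'];
  if (typeof portal !== 'string' || !portal.startsWith('https://')) {
    return { action: 'invalid', reason: 'portal URL missing or not https' };
  }
  return { action: 'show-portal', url: portal };
}

module.exports = { buildCaptiveResponse, interpretCaptiveResponse };
```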

Thank you for this suggestion.
OpenNDS has Forwarding Authentication Service (FAS) options; it seems like this is the way to go.
I have a server which runs a nodejs application as an authentication server.

You can write a FAS server in any language; PHP is the most common, but nodejs is fine.
Assuming you have an Internet-hosted web server running your nodejs auth app, the simplest way forward is to use the standard fas-aes-https.php script on your Internet web server and modify it to use the node.js app to do the client credential verification.

If you have any questions or problems, open an issue at:

2 Likes

Thank you.
I am running my nodejs application on my local server.
I will try some experiments to see if it works; if not, I'll host it in the cloud.
I can write a PHP application as well; I'll try to understand the inner workings of OpenNDS first.

Is it possible to use my local server with IP 10.0.0.22?
I am running my nodejs application on port 80.

Then you should start with fas-aes.php (the http:// version) and modify that.

1 Like