I'm sure this has been documented in a number of threads, but I must be using the wrong terminology in my searches.
Let's say I have a single LAN that gives Internet access to its clients. What I would like to accomplish is this:
when a user connects to the LAN and gets assigned an IP, I want all of their traffic to redirect to a "login/registration" page before being allowed to access the Internet.
Basically, I want to do what hotels do, where a client opens a web browser, and they are redirected to an internal page until they enter, for example, a room number and a last name.
In reality, my setup will be much simpler, but it's more or less the same idea.
To start, I was trying to set up some iptables rules to redirect a particular client to an internal web page.
Here is my first attempt at the "/etc/firewall.user" rules:
# Plain HTTP from this client goes to the internal page on port 81 ("-m mac" names the match module that provides --mac-source)
iptables -t nat -A PREROUTING -m mac --mac-source xx:xx:xx:xx:xx:xx -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1:81
# Every other TCP port from this client (including 443) goes to port 82
iptables -t nat -A PREROUTING -m mac --mac-source xx:xx:xx:xx:xx:xx -p tcp ! --dport 80 -j DNAT --to-destination 192.168.1.1:82
iptables -t nat -A POSTROUTING -m mac --mac-source xx:xx:xx:xx:xx:xx -j MASQUERADE
This works to some extent. While these rules are in effect, the MAC address in question is redirected to my internal web page. For HTTP traffic, it works a treat. For HTTPS traffic, the user is directed to the HTTPS port for my internal page, which prompts them that the certificates do not match.
This is why I bring up the hotel example. How do they manage to redirect all traffic to an internal page without doing masquerading? I have read that you have to use DNAT (as opposed to REDIRECT) to redirect external requests to a local address, but I don't want to do masquerading. I'd simply like to redirect all requests, HTTP or HTTPS, to the internal page. Initially, I was not using MASQUERADE, and I seem to recall that the HTTPS redirects were not working at all. Now they do, but obviously the browser thinks that it is still on the original page and indicates that the certificate is untrusted.
I will test further without MASQUERADE when I get home, but I was surprised I couldn't find more information on accomplishing this commonly employed mechanism in OpenWrt.
(Last edited by fecaleagle on 24 Aug 2015, 20:15)
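The rule set below is an added example for the captive-portal setup asked about above; it is not code from the post or from OpenWrt. It prints iptables commands instead of applying them, so it can be reviewed first and then piped to sh from /etc/firewall.user. Assumed (hypothetical) settings: LAN bridge br-lan, WAN interface eth0, a portal served by the router on 192.168.1.1:81, and a file of authorized MACs that the login page appends to. HTTPS from unauthenticated clients is reset rather than DNATed, because a TLS client checks the origin's certificate and any DNAT to the portal can only produce the warning described in the post; the plain-HTTP probes that phones and laptops send for captive-portal detection are what bring up the login page.

```shell
#!/bin/sh
# Captive-portal rule generator. Prints iptables commands rather than running
# them, so the set can be reviewed (`sh captive.sh`) and applied (`sh captive.sh | sh`).
# Assumed (hypothetical) settings: LAN bridge br-lan, WAN interface eth0,
# portal served by the router itself on 192.168.1.1:81.
LAN_IF="${LAN_IF:-br-lan}"
WAN_IF="${WAN_IF:-eth0}"
PORTAL_IP="${PORTAL_IP:-192.168.1.1}"
PORTAL_PORT="${PORTAL_PORT:-81}"
# One early RETURN per authorized MAC, in both the nat and the filter chain.
# $1: file with one MAC per line; blank lines and '#' comments are skipped.
auth_rules() {
  grep -Ev '^[[:space:]]*(#|$)' "$1" | while read -r mac; do
    echo "iptables -t nat -A captive -m mac --mac-source $mac -j RETURN"
    echo "iptables -A captive_fwd -m mac --mac-source $mac -j RETURN"
  done
}
# Full rule set. Jumps are inserted (-I) so they run before fw3's own ACCEPT rules.
captive_rules() {
  cat <<EOF
iptables -t nat -N captive
iptables -N captive_fwd
iptables -t nat -I PREROUTING -i $LAN_IF -j captive
iptables -I FORWARD -i $LAN_IF -j captive_fwd
EOF
  auth_rules "$1"
  cat <<EOF
# Unauthenticated clients: force DNS to the router's resolver so names resolve
# (and nothing else leaves via port 53), then send plain HTTP to the portal.
iptables -t nat -A captive -p udp --dport 53 -j DNAT --to-destination $PORTAL_IP:53
iptables -t nat -A captive -p tcp --dport 80 -j DNAT --to-destination $PORTAL_IP:$PORTAL_PORT
# HTTPS is not DNATed: the client expects the origin's certificate, so a portal
# answering on 443 can only produce a certificate warning. Reset instead so the
# browser fails fast; the OS captive-portal probe (plain HTTP) still opens the
# login page. Everything else from an unauthenticated client is dropped.
iptables -A captive_fwd -p tcp --dport 443 -j REJECT --reject-with tcp-reset
iptables -A captive_fwd -j DROP
# Authorized clients fall through to normal forwarding; NAT happens on the WAN
# side only (fw3's wan zone normally adds an equivalent rule already).
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
EOF
}
# Constructed sample list (placeholder MACs) so the script runs stand-alone;
# point AUTH_FILE at the real list written by the login page.
if [ -z "${AUTH_FILE:-}" ]; then
  AUTH_FILE=$(mktemp)
  printf '# sample\n02:00:00:00:00:01\n\n02:00:00:00:00:02\n' > "$AUTH_FILE"
fi
captive_rules "$AUTH_FILE"
```

Because the authorized-MAC RETURN rules sit at the top of both chains, the login page only has to append a MAC to the file and re-run the script; MAC filtering is a convenience check, not an authentication, since a client can set any address it likes.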