Questions[captive-portal](server)

I am trying to create a captive portal wifi hotspot.

Aim of the setup:

1. Users connecting to hotspot through wlan0 should never be allowed to access the internet through eth1.

2. For the "Sign into wifi network" to appear on android, iphone and any device that would connect, i am trying to route the requests that go to
   http://clients1.google.com/generate_204 and other url for other operating systems, i havent figured out yet, to my local server and return what the real servers would return.

I use dnsmasq and hostapd to achieve this.

The Problem : when I use address=/#/127.24.2.1 in dnsmasq.conf, the internet requests that go from internal scripts also fail. I think I am following the dnsmasq config man page that says how to use dnsmasq to filter only wlan0 interface traffic.

what should I do further.

The machine has these interfaces

    eth1      Link encap:Ethernet  HWaddr 00:1e:06:30:5b:03
          inet addr:192.168.0.107  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::21e:6ff:fe30:5b03/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:37047 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1752 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3351437 (3.1 MiB)  TX bytes:176100 (171.9 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:796 errors:0 dropped:0 overruns:0 frame:0
          TX packets:796 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:284838 (278.1 KiB)  TX bytes:284838 (278.1 KiB)

wlan0     Link encap:Ethernet  HWaddr 98:de:d0:1b:95:5a
          inet addr:172.24.1.1  Bcast:172.24.1.255  Mask:255.255.255.0
          inet6 addr: fe80::9ade:d0ff:fe1b:955a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:576 (576.0 B)

The DNSMASQ looks like this

interface=wlan0      # Use interface wlan0
listen-address=172.24.1.1 # Explicitly specify the address to listen on
#bind-interfaces      # Bind to the interface to make sure we aren't sending things elsewher$
server=8.8.8.8       # Forward DNS requests to Google DNS
domain-needed        # Don't forward short names
bogus-priv           # Never forward addresses in the non-routed address spaces.
dhcp-range=172.24.1.50,172.24.1.150,12h # Assign IP addresses between 172.24.1.50 and 172.24$
address=/#/172.24.1.1
except-interface=eth1

I use a nodejs express server and do this

 app.get('/generate_204', function(req, res) {
        console.log('generate 204 hit');
        res.statusCode = 302;
        res.setHeader("Location", "/");
        res.end();
    });

I created the hotspot using hostapd, the config is

    # This is the name of the WiFi interface we configured above
interface=wlan0

# Use the nl80211 driver with the brcmfmac driver
driver=nl80211

# This is the name of the network
ssid=Pi3-AP

# Use the 2.4GHz band
hw_mode=g

# Use channel 6
channel=6

# Enable 802.11n
ieee80211n=1

# Enable WMM
wmm_enabled=1

# Enable 40MHz channels with 20ns guard interval
ht_capab=[HT40][SHORT-GI-20][DSSS_CCK-40]

# Accept all MAC addresses
macaddr_acl=0

# Use WPA authentication
auth_algs=1

# Require clients to know the network name
ignore_broadcast_ssid=0

# Use WPA2
wpa=2

# Use a pre-shared key
wpa_key_mgmt=WPA-PSK

# The network passphrase
wpa_passphrase=raspberry

# Use AES, instead of TKIP
rsn_pairwise=CCMP

I have tried to explain the requirement, I am not sure if I have done the explaining part well. There is another question i raised here on serverfault for the same issue,which got marked off-topic, Reading it will make you understand the requirement clearly. https://serverfault.com/questions/823139/iptables-for-linux-captive-portal-wifi-hotspot

Internet access at hotels, airports cafes is often gated by a captive portal which forces you to a particular web page on first use, for example a payment page or some page to accept a terms of service or an authentication/authorization page. You see this with both wireless and wired connections.

How does this work?

Please I need some help on how to configure this.

I have little bakery and would like to create a local webserver to host a digital menu. Customers would access it via wireless router from any device with wi-fi connection, such as smartphones, tablets, notebooks, etc.

This wireless router would not be connected to any ISP, it would be connected only to the local network.

I would like customers that are connected to my wireless router and open internet browser, are automatically redirected to the local webserver URL with the digital menu, just like when you connect to the public hot-spot and forced to subscribe to any service.

So the elements in the network would be: client devices with wi-fi, wireless router and a PC with webserver.

I'd like to set up and administer a small network which would supply a captive portal where users type in a unique password and/or username to connect to the internet and to each others' computers, and which would subsequently allow an administrator (myself) to monitor/log browsing history.

I'm imagining a captive portal like the network at a coffee shop, or, on a bigger scale, at an airport, for which you must supply your email address before you can connect to the global internet. At school, we used the Bluesocket network (and we all hated it, but I think we were pushing the capacity to the max), which presented a login page something like this one - You've all seen it. Attempting to browse to another page simply caused a redirect to the original page. I understand that this setup allows my school (and the coffee shop, and airport) to track and manage users on a per-user basis.

I'd like to connect a dozen or fewer users. Right now, I have a small wireless LAN that simply provides a network with a hidden SSID and WPA encryption to prevent unauthorized use. There's a short list of simple logged in, logged out, and error messages provided by the router, but that's about it.

For now, let's assume that I can establish a captive portal to allow login/logout. This seems fairly well documented. What must I do after this to record browsing history?

I'm open to suggestions ranging from

• Buy this better router (And load some sweet firmware), to
• Install this free software and share your connection through any always-on PC, to
• Dig up an old PC and use it as a dedicated server, configured thus.

The users would often be working from shared computers, so a MAC-address based approach won't work. Typical load would be 1-5 users at a time, but more users would be registered with the system. Let's try to keep the cost at or below $200.

EDIT: Two new terms I've learned are "captive portal" and "transparent caching/proxying". This, as I understand it, is how the coffeeshop/airport/university system works. Since that appears to be under control, let's move off of beginner networking terminology (sorry) and focus on implementations of these techniques for the small business or home.

FYI: I'm a computer engineer with experience in C and embedded systems. I'm computer literate, and enjoy learning new things, but I'm completely without experience in the networking sector.

I'm working in a high school and I'd like to put in place a public Wi-Fi network with a captive portal that asks for authentication but also keeps track of user information, like the amount of data transferred (to spot those who do excessive downloading).

I already have a wireless network covering almost the entire school (6 WRT54G V5 and V8 running DD-WRT Micro). This is accessed by school owned laptops that are used by students. My Wi-Fi network is secured with WPA2 and the key is only used for school laptops. I have never given the wireless key to students for obvious reasons like bandwidth abuse, but teachers have it. No student ever succeeded to key the key, so this is perfect...

What I want to do is to put public AP's in specific zones of the school to allow students with their own laptops to have controlled Internet access with user and password.

I've investigated many software solutions. One has retained my attention for a while. It was ZoneCD, but then I saw that It wasn't free anymore since March 2009. That was exactly what I was searching for, they were using WiFiDog as Auth core. That was the perfect solution. This is not expensive to buy (175$ US for a year with complete features) but I guess my boss will be happier if it could be done for free.

Running a dedicated server only for that isn't an issue for me.

I also came across RADIUS, was good but doesn't have accounting features I want to have.

So to conclude, I'd like to build something where students will be able to register an account for themselves, and then be forced to use it to have Internet access. And as WRT54G V1 to V4 (able to run DDWRT Standard and allow WiFiDog gateway to be install) are very rare these days, the access point I might buy to build this public network with could be anything, but this is unfortunate. So I really need a server solution that will achieve what I want.