openwrt有线lan口不经过nodogsplash认证仅wifi认证方法

openwrt有线lan口不经过nodog认证,仅wifi认证方法。2,重启nodog。方法二:2,修改无线默认配置,使其网络为新的lan1。3,修改防火墙默认配置,修新增的lan1的防火墙区为lan区。4,修改dhcp默认配置,使lan1开启dhcp。
openwrt有线lan口不经过nodog认证,仅wifi认证方法
经测试,方法一没有成功,所以我花了一天的时候,研究出了方法二
方法一:
1,修改nodogsplash.conf文件,把GatewayInterfacebr-lan中的br-lan改成无线设备名,比如ra0\radio0\wlan0等;
2,重启nodog
方法二:
1,添加lan口接口,命令为lan1:
vim ./package/base-files/files/lib/functions/uci-defaults.sh
uci-default.png

vim target/linux/ramips/base-files/etc/uci-defaults/02_network
02_network.png

02_network_2.png

2,修改无线默认配置,使其网络为新的lan1
vim package/kernel/mac80211/files/lib/wifi/mac80211.sh
mac80211.png

3,修改防火墙默认配置,修新增的lan1的防火墙区为lan区
vim package/network/config/firewall/files/firewall.config
firewall-config.png

4,修改dhcp默认配置,使lan1开启dhcp
vim package/network/services/dnsmasq/files/dhcp.conf
dhcp.conf.png

5,修改nodogplash默认配置,但其网络接口为br-lan1
vimbuild_dir/target-mipsel_24kec+dsp_uClibc-0.9.33.2/nodogsplash-0.9_beta9.9.8/resources/nodogsplash.conf
nodogsplash.conf.png

本文章由 http://www.wifidog.pro/2015/04/27/nodogsplash-openwrt%E4%B8%8D%E8%AE%A4%E8%AF%81%E6%9C%89%E7%BA%BF.html 整理编辑,转载请注明出处

openwrt安装nodogsplash

安装nodogsplash
它是基于openwrt上的一个插件,用于实现用户登录验证的,具体见:

https://github.com/nodogsplash/nodogsplash

这个名称很生动,很有趣,称为nodog。其实他是针对openwrt上的另一款类似插件:wifi dog的,那个配置起来比较复杂,需要自己部署验证服务器,不适合我使用。

这个没有看门狗(no dog)的很适合我!

安装插件很简单,telnet连上去后,执行命令:

opkg updateopkg install nodogsplash

注意:
有可能执行第一行更新时报错,无法连接服务器,请检查etc/opkg.conf 中的服务器地址,是否发生了变更。
执行第二行时,可能会提示当前固件版本与服务器上的nodogsplash不匹配,那就先升级现有固件,这里就不展开了,一般不会遇到(但我遇到了,因为我的固件是一个月前下载的,服务器上的版本已升级)

配置nodogsplash

官方有个配置范例介绍:http://wiki.openwrt.org/doc/howto/wireless.hotspot.nodogsplash

但与新版插件不太符合,新版安装后,是没有/etc/nodogsplash/nodogsplash.conf这个配置文件的,需要用winscp手动建立一个

注意:

范例中的前半部分都不要参考,只需要复制nodogsplash章节中的配置内容即可(见下图)
nodogconf.jpg

这里面介绍的很详细,一般都不必修改,唯一容易迷惑的同时也需要修改的是这个GatewayInterface配置

其实它指的是需要由nodog来接管的interface,那就清楚了,本例中就是在network配置中的guest接口,但我们是填写guest吗?

不是,这时候需要通过ifconfig命令来查看下当前的网络接口配置,见下图。
ifconfig.jpg

我们的guest接口分配的是10.0.0.1,因此它的GatewayInterface名称是wlan0-1

你也许会问我,那个guest名称去那儿了?别问我,我也不知道……sign

启动nodog

键入命令:

/etc/init.d/nodogsplash start

查看nodog状态的命令:

ndsctl status
![ndgctl.jpg][3]

最终配置后的nodog状态,注意看第四行,Managed interface :wlan0-1
自动启动nodog

你会发现,重启路由后,nodog怎么不启动??

增加自启动配置!

打开winscp,进入: /etc/hotplug.d/iface
新建文件:95-nodog
修改95-nodog内容:

#!/bin/sh

if [ "$ACTION" = ifup ]; then 
    if [ "$DEVICE" = "wlan0-1" ]; then 
        /etc/init.d/nodogsplash enabled 
    /etc/init.d/nodogsplash start 
    fi 
fi

完成

用电脑或手机连接wifi后,会跳转至认证页面。

本文章由 http://www.wifidog.pro/2015/04/27/openwrt%E5%AE%89%E8%A3%85nodogsplash.html 整理编辑,转载请注明出处

nodogsplash认证nodogsplash.conf文件使用说明

nodogsplash.conf说明:

#
# Nodogsplash Configuration File
# 说明:#所在行不执行。(启用该参数需要删除执行参数前的#及空格)
# 文件格式为:参数|建议值|参数说明|执行参数 。
# 不同参数之间空一行,同一参数中间可使用带#的空行。
# 为保证规则正确运行,需要用"/etc/init.d/nodogsplash start"启动
#
# Parameter: GatewayInterface
# Default: NONE
#
# GatewayInterface is not autodetected, has no default, and must be set here.
# Set GatewayInterface to the interface on your router
# that is to be managed by Nodogsplash.
# Typically br-lan for the wired and wireless lan on OpenWrt White Russian.
# May be br-lan on OpenWrt Kamikaze.
# 监测接口
#
GatewayInterface br-lan1
# FirewallRuleSet: authenticated-users
#
# Control access for users after authentication.
# These rules are inserted at the beginning of the
# FORWARD chain of the router's filter table, and
# apply to packets that have come in to the router
# over the GatewayInterface from MAC addresses that
# have authenticated with Nodogsplash, and that are
# destined to be routed through the router.  The rules are
# considered in order, and the first rule that matches
# a packet applies to it.
# If there are any rules in this ruleset, an authenticated
# packet that does not match any rule is rejected.
# N.B.: This ruleset is completely independent of
# the preauthenticated-users ruleset.
# 防火墙规则集(我怕改这个)
#
FirewallRuleSet authenticated-users {
# You may want to open access to a machine on a local
# subnet that is otherwise blocked (for example, to
# serve a redirect page; see RedirectURL).  If so,
# allow that explicitly here, e.g:
#  FirewallRule allow tcp port 80 to 192.168.254.254
# Your router may have several interfaces, and you
# probably want to keep them private from the GatewayInterface.
# If so, you should block the entire subnets on those interfaces, e.g.:
    FirewallRule block to 192.168.0.0/16
    FirewallRule block to 10.0.0.0/8
# Typical ports you will probably want to open up include
# 53 udp and tcp for DNS,
# 80 for http,
# 443 for https,
# 22 for ssh:
    FirewallRule allow tcp port 53 
    FirewallRule allow udp port 53 
    FirewallRule allow tcp port 80
    FirewallRule allow tcp port 443
    FirewallRule allow tcp port 22
}
# end FirewallRuleSet authenticated-users

# FirewallRuleSet: preauthenticated-users
#
# Control access for users before authentication.
# These rules are inserted in the PREROUTING chain
# of the router's nat table, and in the
# FORWARD chain of the router's filter table.
# These rules apply to packets that have come in to the 
# router over the GatewayInterface from MAC addresses that
# are not on the BlockedMACList or TrustedMACList,
# are *not* authenticated with Nodogsplash.  The rules are
# considered in order, and the first rule that matches
# a packet applies to it. A packet that does not match 
# any rule here is rejected.
# N.B.: This ruleset is completely independent of
# the authenticated-users and users-to-router rulesets.
#
FirewallRuleSet preauthenticated-users {
# For preauthenticated users to resolve IP addresses in their initial
# request not using the router itself as a DNS server,
# you probably want to allow port 53 udp and tcp for DNS.
    FirewallRule allow tcp port 53 
    FirewallRule allow udp port 53
# For splash page content not hosted on the router, you
# will want to allow port 80 tcp to the remote host here.
# Doing so circumvents the usual capture and redirect of
# any port 80 request to this remote host.
# Note that the remote host's numerical IP address must be known
# and used here.  
#    FirewallRule allow tcp port 80 to 123.321.123.321
}
# end FirewallRuleSet preauthenticated-users

# FirewallRuleSet: users-to-router
#
# Control access to the router itself from the GatewayInterface.
# These rules are inserted at the beginning of the
# INPUT chain of the router's filter table, and
# apply to packets that have come in to the router
# over the GatewayInterface from MAC addresses that
# are not on the TrustedMACList, and are destined for
# the router itself.  The rules are
# considered in order, and the first rule that matches
# a packet applies to it. 
# If there are any rules in this ruleset, a
# packet that does not match any rule is rejected.
#
FirewallRuleSet users-to-router {
# Nodogsplash automatically allows tcp to GatewayPort,
# at GatewayAddress, to serve the splash page.
# However you may want to open up other ports, e.g.
# 53 for DNS and 67 for DHCP if the router itself is
# providing these services.
    FirewallRule allow udp port 53 
    FirewallRule allow tcp port 53 
    FirewallRule allow udp port 67
# You may want to allow ssh, http, and https to the router
# for administration from the GatewayInterface.  If not,
# comment these out.
    FirewallRule allow tcp port 22
    FirewallRule allow tcp port 80
    FirewallRule allow tcp port 443
}
# end FirewallRuleSet users-to-router
# EmptyRuleSetPolicy directives
# The FirewallRuleSets that NoDogSplash permits are:
#
# authenticated-users
# preauthenticated-users
# users-to-router
# trusted-users
# trusted-users-to-router
#
# For each of these, an EmptyRuleSetPolicy can be specified.
# An EmptyRuleSet policy applies to a FirewallRuleSet if the
# FirewallRuleSet is missing from this configuration file,
# or if it exists but contains no FirewallRules.
#
# The possible values of an EmptyRuleSetPolicy are:
# allow  -- packets are accepted
# block  -- packets are rejected
# passthrough -- packets are passed through to pre-existing firewall rules
#
# Default EmptyRuleSetPolicies are set as follows:
# EmptyRuleSetPolicy authenticated-users passthrough
# EmptyRuleSetPolicy preauthenticated-users block
# EmptyRuleSetPolicy users-to-router block
# EmptyRuleSetPolicy trusted-users allow
# EmptyRuleSetPolicy trusted-users-to-router allow

# Parameter: GatewayName
# Default: NoDogSplash
#
# Set  GatewayName to the name of your gateway.  This value
# will be available as variable $gatewayname in the splash page source
# and in status output from ndsctl, but otherwise doesn't matter.
# If none is supplied, the value "NoDogSplash" is used.
# 网关
#
# GatewayName NoDogSplash
# Parameter: GatewayAddress
# Default: Discovered from GatewayInterface
#
# This should be autodetected on an OpenWRT system, but if not:
# Set GatewayAddress to the IP address of the router on
# the GatewayInterface.  This is the address that the Nodogsplash
# server listens on.
# 服务器监听
#
# GatewayAddress 192.168.1.1
# Parameter: ExternalInterface
# Default: Autodetected from /proc/net/route
#
# This should be autodetected on a OpenWRT system, but if not:
# Set ExtrnalInterface to the 'external' interface on your router, 
# i.e. the one which provides the default route to the internet.
# Typically vlan1 for OpenWRT.
# 外部接口
#
# ExternalInterface vlan1
# Parameter: RedirectURL
# Default: none
#
# After authentication, normally a user is redirected 
# to their initially requested page. 
# If RedirectURL is set, the user is redirected to this URL instead.
# 确认后跳转网址(默认关闭) 
#
# RedirectURL http://www.ilesansfil.org/
# Parameter: GatewayPort
# Default: 2050
#
# Nodogsplash's own http server uses GatewayAddress as its IP address.
# The port it listens to at that IP can be set here; default is 2050.
# 网关地址监听端口
#
# GatewayPort 2050
# Parameter: MaxClients
# Default: 20
#
# Set MaxClients to the maximum number of users allowed to 
# connect at any time.  (Does not include users on the TrustedMACList,
# who do not authenticate.)
# 最大用户数(不包括trustedmaclist项里的用户-不受任何限制用户)
#
# MaxClients 20
# ClientIdleTimeout
# Parameter: ClientIdleTimeout
# Default: 10
#
# Set ClientIdleTimeout to the desired of number of minutes
# of inactivity before a user is automatically 'deauthenticated'.
# 用户进入欢迎页面后不进行任何操作的超时设置 (分钟数)
#
# ClientIdleTimeout 10
# Parameter: ClientForceTimeout
# Default: 360
#
# Set ClientForceTimeout to the desired number of minutes before
# a user is automatically 'deauthenticated', whether active or not
# 欢迎页面弹出时间间隔(分钟)
#
# ClientForceTimeout 360
# Parameter: AuthenticateImmediately
# Default: no
#
# Set to yes (or true or 1), to immediately authenticate users
# who make a http port 80 request on the GatewayInterface (that is,
# do not serve a splash page, just redirect to the user's request,
# or to RedirectURL if set).
# 是否进行身份验证
#
# AuthenticateImmediately no
# Parameter: MACMechanism
# Default: block
#
# Either block or allow.
# If 'block', MAC addresses on BlockedMACList are blocked from
# authenticating, and all others are allowed.
# If 'allow', MAC addresses on AllowedMACList are allowed to
# authenticate, and all other (non-trusted) MAC's are blocked.
# MAC过滤方式(启用黑名单阻止方式还是白名单允许方式)
#
# MACMechanism block
# Parameter: BlockedMACList
# Default: none
#
# Comma-separated list of MAC addresses who will be completely blocked
# from the GatewayInterface.  Ignored if MACMechanism is allow.
# N.B.: weak security, since MAC addresses are easy to spoof.
# MAC过滤列表黑名单(用逗号隔开)
#
# BlockedMACList 00:00E:AD:BE:EF,00:00:C0:1D:F0:0D
# Parameter: AllowedMACList
# Default: none
#
# Comma-separated list of MAC addresses who will not be completely
# blocked from the GatewayInterface.  Ignored if MACMechanism is block.
# N.B.: weak security, since MAC addresses are easy to spoof.
# MAC过滤列表白名单(用逗号隔开)
#
# AllowedMACList 00:00:12:34:56:78
# Parameter: TrustedMACList
# Default: none
#
# Comma-separated list of MAC addresses who are not subject to
# authentication, and are not restricted by any FirewallRuleSet.
# N.B.: weak security, since MAC addresses are easy to spoof.
# MAC例外(不受任何限制)
#
# TrustedMACList 00:00:CA:FE:BA:BE, 00:00:C0:010:0D

# Parameter: PasswordAuthentication
# Default: no
# Set to yes (or true or 1), to require a password matching
# the Password parameter to be supplied when authenticating.  
# 是否启用密码保护
#
# PasswordAuthentication no
# Parameter: Password
# Default: none
# Whitespace delimited string that is compared to user-supplied
# password when authenticating.  
# 启用密码保护后使用的密码
#
# Password nodog
# Parameter: UsernameAuthentication
# Default: no
# Set to yes (or true or 1), to require a username matching
# the Username parameter to be supplied when authenticating.  
# 是否启用登陆用户名
#
# UsernameAuthentication no
# Parameter: Username
# Default: none
# Whitespace delimited string that is compared to user-supplied
# username when authenticating.  
# 启用登陆用户名后使用的用户名
#
# Username guest
# Parameter: PasswordAttempts
# Default: 5
# Integer number of failed password/username entries before
# a user is forced to reauthenticate.
# 用户名和密码重试次数(超过规定次数后需要重新授权)
#
# PasswordAttempts 5
# Parameter: TrafficControl
# Default: no
#
# Set to yes (or true or 1), to enable traffic control in Nodogsplash.
# 是否启用流量控制(流量控制总开关)
#
# TrafficControl no
# Parameter: DownloadLimit
# Default: 0
#
# If TrafficControl is enabled, this sets the maximum download
# speed to the GatewayInterface, in kilobits per second.
# For example if you have an ADSL connection with 768 kbit
# download speed, and you want to allow about half of that
# bandwidth for the GatewayInterface, set this to 384.
# A value of 0 means no download limiting is done.
# 最大下载流量(0 为无限制)
#
# DownloadLimit 384
# Parameter: UploadLimit
# Default: 0
#
# If TrafficControl is enabled, this sets the maximum upload
# speed from the GatewayInterface, in kilobits per second.
# For example if you have an ADSL connection with 128 kbit
# upload speed, and you want to allow about half of that
# bandwidth for the GatewayInterface, set this to 64.
# A value of 0 means no upload limiting is done.
# 最大上传流量(0 为无限制)
#
# UploadLimit 64
# Paramter: GatewayIPRange
# Default: 0.0.0.0/0
#
# If TrafficControl is enabled, this sets the maximum download
# speed to the GatewayInterface, in kilobits per second.
# For example if you have an ADSL connection with 768 kbit
# download speed, and you want to allow about half of that
# bandwidth for the GatewayInterface, set this to 384.
# A value of 0 means no download limiting is done
# 流量控制网段设置
#
# GatewayIPRange 0.0.0.0/0

本文章由 http://www.wifidog.pro/2015/04/25/nodogsplash%E9%85%8D%E7%BD%AE%E6%96%87%E4%BB%B6%E8%AF%B4%E6%98%8E.html 整理编辑,转载请注明出处

openwrt 利用nodogsplash 实现简单的广告路由

实现功能: 设备连上路由后,当打开浏览器上网时,浏览器上会显示欢迎画面,当用户点击继续上网后,会正常连接网络,访问之前请求网页。

需要做的工作:
将 nodogsplash 编译进openwrt 镜像,
首先在源码目录中运行

make menuconfig 

在 network/capitive portals 下 将 nodogsplash选上。如果没有nodogsplash选项的话,需要更新openwrt packet ,具体方法如下:
openwrt 源码目录下执行

./scripts/feeds  update routing
./scripts/feeds install -a 

之后应该就可以在menuconfig 界面看到 nodogsplash 选项了。

选择上nodogsplash 之后就可以编译了,还是 make V=99

编译之后就可以看到 nodogsplash 被解压编译目录为

build_dir/target-mips_34kc_uClibc-0.9.33.2/nod ogsplash-0.9_beta9.9.8 

可以在该目录下对部分网页文件进行修改,毕竟nodogsplash 自带的欢迎界面很简单,可以改成自己的。

编译完成,烧写镜像。之后重启路由,找个设备连接该路由,打开浏览器随便点个网页,会发现自己设置的欢迎界面。

本文章由 http://www.wifidog.pro/2015/04/25/nodogsplash-openwrt.html 整理编辑,转载请注明出处