TL-MR3020 上的 OpenWRT 上的 Nodogsplash 上除 DNS 外无任何流量

TL-MR3020 上的 OpenWRT 上的 Nodogsplash 上除 DNS 外无任何流量

我正在尝试使用 OpenWRT (BARRIER BREAKER (14.07, r42625)) 和 Nodogsplash 在 TL-MR3020 上创建一个强制门户。我使用 ExtRoot 增加了存储空间。

这是我的配置文件:

/etc/config/dhcp

config dnsmasq
    option domainneeded '1'
    option boguspriv '1'
    option filterwin2k '0'
    option localise_queries '1'
    option rebind_protection '1'
    option rebind_localhost '1'
    option local '/lan/'
    option domain 'lan'
    option expandhosts '1'
    option nonegcache '0'
    option authoritative '1'
    option readethers '1'
    option leasefile '/tmp/dhcp.leases'
    option resolvfile '/tmp/resolv.conf.auto'

config dhcp 'lan'
    option interface 'lan'
    option start '100'
    option limit '150'
    option leasetime '12h'
    option dhcpv6 'server'
    option ra 'server'

config dhcp 'wan'
    option interface 'wan'
    option ignore '1'

config odhcpd 'odhcpd'
    option maindhcp '0'
    option leasefile '/tmp/hosts/odhcpd'
    option leasetrigger '/usr/sbin/odhcpd-update'

config 'dhcp'
    option interface    'wifi'
    option start    100
    option limit    150
    option leasetime    2h

/etc/config/网络

config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fda9:8510:6ea4::/48'

config interface 'lan'
    option type 'bridge'
    option _orig_ifname 'eth0 radio0.network1'
    option _orig_bridge 'true'
    option proto 'dhcp'
    option ifname 'eth0'

config interface 'wifi'
    option proto 'static'
    option ipaddr '10.10.15.1'
    option netmask '255.255.255.0'
    option _orig_ifname 'wlan0'
    option _orig_bridge 'false'
    option type 'bridge'
    option macaddr 'AD:2A:DD:FB:B3:64'

/etc/config/无线

config wifi-device 'radio0'
    option type 'mac80211'
    option channel '7'
    option hwmode '11g'
    option path 'platform/ar933x_wmac'
    option htmode 'HT20'
    option disabled '0'

config wifi-iface
    option device 'radio0'
    option mode 'ap'
    option ssid 'Hotspot'
    option encryption 'none'
    option network 'wifi'

/etc/nodogsplash/nodogsplash.conf

#
# Nodogsplash Configuration File
#

# Parameter: GatewayInterface
# Default: NONE
#
# GatewayInterface is not autodetected, has no default, and must be set here.
# Set GatewayInterface to the interface on your router
# that is to be managed by Nodogsplash.
# Typically br0 for the wired and wireless lan on OpenWrt White Russian.
# May be br-lan on OpenWrt Kamikaze.
#
GatewayInterface br-wifi

# FirewallRuleSet: authenticated-users
#
# Control access for users after authentication.
# These rules are inserted at the beginning of the
# FORWARD chain of the router's filter table, and
# apply to packets that have come in to the router
# over the GatewayInterface from MAC addresses that
# have authenticated with Nodogsplash, and that are
# destined to be routed through the router.  The rules are
# considered in order, and the first rule that matches
# a packet applies to it.
# If there are any rules in this ruleset, an authenticated
# packet that does not match any rule is rejected.
# N.B.: This ruleset is completely independent of
# the preauthenticated-users ruleset.
#
FirewallRuleSet authenticated-users {

 # You may want to open access to a machine on a local
 # subnet that is otherwise blocked (for example, to
 # serve a redirect page; see RedirectURL).  If so,
 # allow that explicitly here, e.g:
 #  FirewallRule allow tcp port 80 to 192.168.254.254

 # Your router may have several interfaces, and you
 # probably want to keep them private from the GatewayInterface.
 # If so, you should block the entire subnets on those interfaces, e.g.:
    FirewallRule block to 192.168.0.0/16
    FirewallRule block to 10.0.0.0/8

 # Typical ports you will probably want to open up include
 # 53 udp and tcp for DNS,
 # 80 for http,
 # 443 for https,
 # 22 for ssh:
    FirewallRule allow tcp port 53  
    FirewallRule allow udp port 53  
    FirewallRule allow tcp port 80
    FirewallRule allow tcp port 443
    FirewallRule allow tcp port 22

}
# end FirewallRuleSet authenticated-users


# FirewallRuleSet: preauthenticated-users
#
# Control access for users before authentication.
# These rules are inserted in the PREROUTING chain
# of the router's nat table, and in the
# FORWARD chain of the router's filter table.
# These rules apply to packets that have come in to the 
# router over the GatewayInterface from MAC addresses that
# are not on the BlockedMACList or TrustedMACList,
# are *not* authenticated with Nodogsplash.  The rules are
# considered in order, and the first rule that matches
# a packet applies to it. A packet that does not match 
# any rule here is rejected.
# N.B.: This ruleset is completely independent of
# the authenticated-users and users-to-router rulesets.
#
FirewallRuleSet preauthenticated-users {
 # For preauthenticated users to resolve IP addresses in their initial
 # request not using the router itself as a DNS server,
 # you probably want to allow port 53 udp and tcp for DNS.
    FirewallRule allow tcp port 53  
    FirewallRule allow udp port 53
 # For splash page content not hosted on the router, you
 # will want to allow port 80 tcp to the remote host here.
 # Doing so circumvents the usual capture and redirect of
 # any port 80 request to this remote host.
 # Note that the remote host's numerical IP address must be known
 # and used here.  
 #    FirewallRule allow tcp port 80 to 123.321.123.321
}
# end FirewallRuleSet preauthenticated-users


# FirewallRuleSet: users-to-router
#
# Control access to the router itself from the GatewayInterface.
# These rules are inserted at the beginning of the
# INPUT chain of the router's filter table, and
# apply to packets that have come in to the router
# over the GatewayInterface from MAC addresses that
# are not on the TrustedMACList, and are destined for
# the router itself.  The rules are
# considered in order, and the first rule that matches
# a packet applies to it. 
# If there are any rules in this ruleset, a
# packet that does not match any rule is rejected.
#
FirewallRuleSet users-to-router {
 # Nodogsplash automatically allows tcp to GatewayPort,
 # at GatewayAddress, to serve the splash page.
 # However you may want to open up other ports, e.g.
 # 53 for DNS and 67 for DHCP if the router itself is
 # providing these services.
    FirewallRule allow udp port 53  
    FirewallRule allow tcp port 53  
    FirewallRule allow udp port 67
 # You may want to allow ssh, http, and https to the router
 # for administration from the GatewayInterface.  If not,
 # comment these out.
    FirewallRule allow tcp port 22
    FirewallRule allow tcp port 80
    FirewallRule allow tcp port 443
}
# end FirewallRuleSet users-to-router

# EmptyRuleSetPolicy directives
# The FirewallRuleSets that NoDogSplash permits are:
#
# authenticated-users
# preauthenticated-users
# users-to-router
# trusted-users
# trusted-users-to-router
#
# For each of these, an EmptyRuleSetPolicy can be specified.
# An EmptyRuleSet policy applies to a FirewallRuleSet if the
# FirewallRuleSet is missing from this configuration file,
# or if it exists but contains no FirewallRules.
#
# The possible values of an EmptyRuleSetPolicy are:
# allow  -- packets are accepted
# block  -- packets are rejected
# passthrough -- packets are passed through to pre-existing firewall rules
#
# Default EmptyRuleSetPolicies are set as follows:
# EmptyRuleSetPolicy authenticated-users passthrough
# EmptyRuleSetPolicy preauthenticated-users block
# EmptyRuleSetPolicy users-to-router block
# EmptyRuleSetPolicy trusted-users allow
# EmptyRuleSetPolicy trusted-users-to-router allow


# Parameter: GatewayName
# Default: NoDogSplash
#
# Set  GatewayName to the name of your gateway.  This value
# will be available as variable $gatewayname in the splash page source
# and in status output from ndsctl, but otherwise doesn't matter.
# If none is supplied, the value "NoDogSplash" is used.
#
# GatewayName NoDogSplash

# Parameter: GatewayAddress
# Default: Discovered from GatewayInterface
#
# This should be autodetected on an OpenWRT system, but if not:
# Set GatewayAddress to the IP address of the router on
# the GatewayInterface.  This is the address that the Nodogsplash
# server listens on.
#
# GatewayAddress 192.168.1.1

# Parameter: ExternalInterface
# Default: Autodetected from /proc/net/route
#
# This should be autodetected on a OpenWRT system, but if not:
# Set ExtrnalInterface to the 'external' interface on your router, 
# i.e. the one which provides the default route to the internet.
# Typically vlan1 for OpenWRT.
#
ExternalInterface br-lan #br-lan

# Parameter: RedirectURL
# Default: none
#
# After authentication, normally a user is redirected 
# to their initially requested page. 
# If RedirectURL is set, the user is redirected to this URL instead.
# 
# RedirectURL http://www.ilesansfil.org/

# Parameter: GatewayPort
# Default: 2050
#
# Nodogsplash's own http server uses GatewayAddress as its IP address.
# The port it listens to at that IP can be set here; default is 2050.
#
# GatewayPort 2050

# Parameter: MaxClients
# Default: 20
#
# Set MaxClients to the maximum number of users allowed to 
# connect at any time.  (Does not include users on the TrustedMACList,
# who do not authenticate.)
#
# MaxClients 20

# ClientIdleTimeout
# Parameter: ClientIdleTimeout
# Default: 10
#
# Set ClientIdleTimeout to the desired of number of minutes
# of inactivity before a user is automatically 'deauthenticated'.
#
# ClientIdleTimeout 10

# Parameter: ClientForceTimeout
# Default: 360
#
# Set ClientForceTimeout to the desired number of minutes before
# a user is automatically 'deauthenticated', whether active or not
#
# ClientForceTimeout 360

# Parameter: AuthenticateImmediately
# Default: no
#
# Set to yes (or true or 1), to immediately authenticate users
# who make a http port 80 request on the GatewayInterface (that is,
# do not serve a splash page, just redirect to the user's request,
# or to RedirectURL if set).
#
# AuthenticateImmediately no

# Parameter: MACMechanism
# Default: block
#
# Either block or allow.
# If 'block', MAC addresses on BlockedMACList are blocked from
# authenticating, and all others are allowed.
# If 'allow', MAC addresses on AllowedMACList are allowed to
# authenticate, and all other (non-trusted) MAC's are blocked.
#
# MACMechanism block

# Parameter: BlockedMACList
# Default: none
#
# Comma-separated list of MAC addresses who will be completely blocked
# from the GatewayInterface.  Ignored if MACMechanism is allow.
# N.B.: weak security, since MAC addresses are easy to spoof.
#
# BlockedMACList 00:00:DE:AD:BE:EF,00:00:C0:1D:F0:0D

# Parameter: AllowedMACList
# Default: none
#
# Comma-separated list of MAC addresses who will not be completely
# blocked from the GatewayInterface.  Ignored if MACMechanism is block.
# N.B.: weak security, since MAC addresses are easy to spoof.
#
# AllowedMACList 00:00:12:34:56:78

# Parameter: TrustedMACList
# Default: none
#
# Comma-separated list of MAC addresses who are not subject to
# authentication, and are not restricted by any FirewallRuleSet.
# N.B.: weak security, since MAC addresses are easy to spoof.
#
# TrustedMACList 00:00:CA:FE:BA:BE, 00:00:C0:01:D0:0D


# Parameter: PasswordAuthentication
# Default: no
# Set to yes (or true or 1), to require a password matching
# the Password parameter to be supplied when authenticating.  
#
#
# PasswordAuthentication no

# Parameter: Password
# Default: none
# Whitespace delimited string that is compared to user-supplied
# password when authenticating.  
#
#
# Password nodog

# Parameter: UsernameAuthentication
# Default: no
# Set to yes (or true or 1), to require a username matching
# the Username parameter to be supplied when authenticating.  
#
#
# UsernameAuthentication no

# Parameter: Username
# Default: none
# Whitespace delimited string that is compared to user-supplied
# username when authenticating.  
#
#
# Username guest

# Parameter: PasswordAttempts
# Default: 5
# Integer number of failed password/username entries before
# a user is forced to reauthenticate.
#
#
# PasswordAttempts 5

# Parameter: TrafficControl
# Default: no
#
# Set to yes (or true or 1), to enable traffic control in Nodogsplash.
#
# TrafficControl no

# Parameter: DownloadLimit
# Default: 0
#
# If TrafficControl is enabled, this sets the maximum download
# speed to the GatewayInterface, in kilobits per second.
# For example if you have an ADSL connection with 768 kbit
# download speed, and you want to allow about half of that
# bandwidth for the GatewayInterface, set this to 384.
# A value of 0 means no download limiting is done.
#
# DownloadLimit 384

# Parameter: UploadLimit
# Default: 0
#
# If TrafficControl is enabled, this sets the maximum upload
# speed from the GatewayInterface, in kilobits per second.
# For example if you have an ADSL connection with 128 kbit
# upload speed, and you want to allow about half of that
# bandwidth for the GatewayInterface, set this to 64.
# A value of 0 means no upload limiting is done.
#
# UploadLimit 64

# Parameter: GatewayIPRange
# Default: 0.0.0.0/0
#
# By setting this parameter, you can specify a range of IP addresses
# on the GatewayInterface that will be responded to and managed by
# Nodogsplash.  Addresses outside this range do not have their packets
# touched by Nodogsplash at all.
# Defaults to 0.0.0.0/0, that is, all addresses.
#
# GatewayIPRange 0.0.0.0/0

# Parameter: ImagesDir
# Default: images
#
# Set the directory from which images are served.
# Use $imagesdir in HTML files to reference this directory.
#
# ImagesDir images

# Parameter: BinVoucher
# Default: None
#
# Enable Voucher Support.
# If set, an alphanumeric voucher HTTP parameter is accepted
# and passed to a command line call along with the clients MAC:
#
# $<BinVoucher> auth_voucher <mac> <voucher>
#
# BinVoucher must point to a program that will be called as described above.
# The call is expected to output the number of seconds the client
# is to be authenticated. Zero or negative seconds will cause the
# authentification request to be rejected.
# The output may contain a user specific download and upload limit in KBit/s:
# <seconds> <download> <upload>
#
# BinVoucher "/bin/myauth"

# Parameter: ForceVoucher
# Default: no
#
# Force the use of a voucher. Authentification is not possible without voucher.
#
# ForceVoucher no

# Parameter: EnablePreAuth
# Default: no
#
# Enable pre-authentication support.
# Pass the MAC of a client to a command line call before the splash page
# would be send:
#
# $<BinVoucher> auth_status <mac>
#
# The call is expected to output the number of seconds the client
# is to be authenticated. Zero or negative seconds will cause the
# splash page to be displayed.
# The output may contain a user specific download and upload limit in KBit/s:
# <seconds> <download> <upload>
#
# EnablePreAuth no

消息

[   26.430000] IPv6: ADDRCONF(NETDEV_CHANGE): wifi: link becomes ready
[   26.460000] IPv6: ADDRCONF(NETDEV_CHANGE): br-wifi: link becomes ready
[   27.260000] br-lan: port 1(eth0) entered forwarding state
[   28.420000] wifi: port 1(br-wifi) entered forwarding state

iptables -t nat -L

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
ndsOUT     all  --  anywhere             anywhere            

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain ndsOUT (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             mark match 0x200/0x700
ACCEPT     all  --  anywhere             anywhere             mark match 0x400/0x700
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
DNAT       tcp  --  anywhere             anywhere             tcp dpt:www to:10.10.15.1:2050
ACCEPT     all  --  anywhere             anywhere            

iptables -t 过滤器 -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ndsRTR     all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ndsNET     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain ndsAUT (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
REJECT     all  --  anywhere             192.168.0.0/16       reject-with icmp-port-unreachable
REJECT     all  --  anywhere             10.0.0.0/8           reject-with icmp-port-unreachable
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:www
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain ndsNET (1 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             mark match 0x100/0x700
DROP       all  --  anywhere             anywhere             state INVALID
TCPMSS     tcp  --  anywhere             anywhere             tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT     all  --  anywhere             anywhere             mark match 0x200/0x700
ndsAUT     all  --  anywhere             anywhere             mark match 0x400/0x700
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain ndsRTR (1 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             mark match 0x100/0x700
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
DROP       tcp  --  anywhere             anywhere             tcp option=!2 flags:SYN/SYN
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:2050
ACCEPT     all  --  anywhere             anywhere             mark match 0x200/0x700
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:www
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain ndsTRT (0 references)
target     prot opt source               destination         

Chain ndsTRU (0 references)
target     prot opt source               destination 

我可以: - 连接到 AP - 获取 IP 地址 - 获取启动画面 - 通过 wifi 连接到 openwrt 接口 - DNS 流量正常工作

我不能: - 使用任何其他交通

我尝试过: - 进行远程 tcpdump。数据包从 wifi 传输到 eth0,没有丢失。请求没有响应。 - 我尝试为 Nodogsplash 添加规则,以允许未经身份验证的设备进行 http 和 https 流量。没有区别

你觉得有什么不对吗?

相关内容