f00b4r0 / uspot

A captive portal system for OpenWrt
GNU General Public License v2.0

Whitelisted domains / walled garden not working #11

Closed PWJW closed 5 months ago

PWJW commented 5 months ago

I'm following the documentation in order to allow certain domains to be allowed before authentication (walled garden), but no matter what I put in the list, I cannot access these sites.

Am I missing something, or some other script? How does it match against the domains to allow traffic through the firewall (with them not being IPs)...

/etc/config/firewall

# optional whitelist for e.g. remote UAM host and/or dynamic hosts via dnsmasq ipset functionality
config rule
        option name 'Allow-Whitelist'
        option src 'captive'
        option dest 'wan'
        option proto 'any'
        option ipset 'wlist'
        option target 'ACCEPT'

# associated whitelist ipset with prepopulated entries
config ipset
        option name 'wlist'
        list match 'dest_ip'
        list entry '35.201.xx.xx' # my external portal IP - I can access this fine pre-auth

/etc/config/dhcp

config dhcp 'captive'
        option interface 'captive'
        option start '2'
        option limit '100'
        option leasetime '2h'

# if using optional dynamic hosts whitelist
config ipset
        list name 'wlist'       # match value with whitelist ipset name in config/firewall
        list domain 'sky.com'
        list domain 'bbc.co.uk'
        list domain 'itv.com'

Connecting to the SSID, opening a browser and trying to visit any of those 3 domains in the whitelist do not work, and it just gives me the usual cannot connect error like trying to visit any non-whitelisted domain.

Meanwhile, I can access the 35.201 IP I've set in the config ipset rule in the firewall.

$ nft list sets

table inet fw4 {
        set uspot {
                type ether_addr
        }
        set wlist {
                type ipv4_addr
                elements = { 35.201.xx.xx }
        }
}

Thoughts?

Thanks.

PWJW commented 5 months ago

Hmm, it looks like "ipset" is not installed on my openwrt (custom build).

$ ipset

ipset: not found

and dnsmasq was built without ipset/nfset support:

$ dnsmasq -v

Dnsmasq version 2.90  Copyright (c) 2000-2024 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-nftset no-auth no-cryptohash no-DNSSEC no-ID loop-detect inotify dumpfile

What openwrt package(s) should be added to support ipset and domain whitelists, whilst retaining default openwrt support for firewall4 and nft?

Thanks

f00b4r0 commented 5 months ago

uspot does not use ipset but nftsets (although the uci terminology is the same). Please try your configuration on a standard OpenWrt build before reporting a problem: if it works then the issue is with your custom build. Standard build dnsmasq supports nftsets by default since 23.05. Thanks
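The two checks that settled this thread (does the installed dnsmasq report `nftset` rather than `no-nftset` in its compile-time options, and does the fw4 `wlist` set actually contain elements) can be scripted so they are repeatable on any build. The script below is an added example written for this page; it is not part of uspot or OpenWrt. It embeds constructed samples: the `dnsmasq -v` output quoted in this issue (no-nftset) and an assumed standard-build line that differs only in the `ipset`/`nftset` tokens, plus the `nft list sets` output from the first post. The function names are ours. On a live router it also runs the real `dnsmasq -v` and `nft list set inet fw4 wlist` when those commands exist.

```shell
#!/bin/sh
# Added example (not uspot's or OpenWrt's code): verify dnsmasq nftset support
# and inspect the fw4 'wlist' nftset that the dnsmasq domain entries feed.

# Pull the "Compile time options:" line out of full `dnsmasq -v` output.
extract_compile_opts() {
    printf '%s\n' "$1" | sed -n 's/^Compile time options: //p'
}

# Return 0 when the token "nftset" is present, 1 when the build reports
# "no-nftset" (or says nothing). An exact-token match is used so that
# "no-nftset" is never mistaken for "nftset".
dnsmasq_has_nftset() {
    for tok in $1; do
        case "$tok" in
            nftset) return 0 ;;
        esac
    done
    return 1
}

# Count the elements in the output of `nft list set inet fw4 <name>`.
# Multi-line output is flattened first because nft wraps long element lists.
# dnsmasq only adds an address here after a client has resolved a listed
# domain, so an empty set right after boot is expected; an empty set after
# a client lookup points at missing nftset support or a mismatched set name.
nftset_element_count() {
    printf '%s\n' "$1" | tr '\n' ' ' \
        | sed -n 's/.*elements = {\([^}]*\)}.*/\1/p' \
        | tr ',' '\n' | grep -c '[^[:space:]]' || true
}

# --- constructed samples -----------------------------------------------------
# The custom build from this issue, as quoted in the thread.
DNSMASQ_V_SAMPLE='Dnsmasq version 2.90  Copyright (c) 2000-2024 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-nftset no-auth no-cryptohash no-DNSSEC no-ID loop-detect inotify dumpfile'
CUSTOM_BUILD_OPTS='IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-nftset no-auth no-cryptohash no-DNSSEC no-ID loop-detect inotify dumpfile'
# Assumed standard-build line: same tokens, with ipset/nftset enabled (constructed).
STANDARD_BUILD_OPTS='IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack ipset nftset no-auth no-cryptohash no-DNSSEC no-ID loop-detect inotify dumpfile'
# The set listing from the first post: one static entry, nothing from dnsmasq.
NFT_WLIST_SAMPLE='table inet fw4 {
        set wlist {
                type ipv4_addr
                elements = { 35.201.xx.xx }
        }
}'
# A set with no elements at all (constructed).
NFT_EMPTY_SAMPLE='table inet fw4 {
        set wlist {
                type ipv4_addr
        }
}'

report() {
    opts=$(extract_compile_opts "$1")
    if dnsmasq_has_nftset "$opts"; then
        echo "dnsmasq: nftset support present"
    else
        echo "dnsmasq: built WITHOUT nftset; domain whitelist cannot populate the set"
    fi
    echo "wlist elements: $(nftset_element_count "$2")"
}

echo "== sample from this issue =="
report "$DNSMASQ_V_SAMPLE" "$NFT_WLIST_SAMPLE"

# Live check, only when run on a router that has both tools installed.
if command -v dnsmasq >/dev/null 2>&1 && command -v nft >/dev/null 2>&1; then
    echo "== this system =="
    report "$(dnsmasq -v 2>&1)" "$(nft list set inet fw4 wlist 2>/dev/null)"
fi
```

Run it after a captive client has looked up one of the listed domains; on a standard 23.05 build the element count should rise above the static entries, while a build reporting `no-nftset` leaves the set at whatever `config ipset` prepopulated.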