Can I use openNDS to serve additional pages?

[lblabr]

Hey Guys,

i'm playing around with openwrt and openNDS. In our sportsarea we would like to offer some free services.. on of them is to register to events and watching live streams. more or less and intranet with no internet connection for guest. we would like to provide some portal with an default, stativ webpage.

I'm using openNDS 9.x.x. and normal operation is working... could we do something:

• registered users my get internet access
• unregistered users only get "intranet" content

all should be openwrt, router driven..

thanks in advnace

Lars

[bluewavenet]

@lblabr

I'm using openNDS 9.x.x. and normal operation is working... could we do something:

* registered users my get internet access
* unregistered users only get "intranet" content

all should be openwrt, router driven..

This is what it does anyway, so perhaps I am not understanding what you are trying to do.

What do you mean by a "static page"? A static page is a page that is fixed. ie it does not change depending on what the user does. The openNDS portal provides a set of dynamic pages that allow you to provide information to the client (such as terms of service, information, advertising etc), and allow the client to "login" in one way or another.

I would suggest you read the documentation in detail, then try to describe in more detail what you would want to do. https://opennds.readthedocs.io

[lblabr]

in my setup the mobile device gets an IP address, afterwards automatically the click to proceed button is displayed. by cancelling "registration" or click to proceed, an web page request should be answered with the registration for ot another web page, i can't found that, without registration, only intranet should be possible or better, should be redirected to default website (registration - click tp procced- in my case, or other webpage - intranet server)

[bluewavenet]

@lblabr Do you mean "Can I use openNDS to serve additional pages?" If so, then yes you can. You want it all to run on the router, so that adds a few restrictions you would need to take into account, but it all depends on what you want to achieve.

[lblabr]

@bluewavenet i would like to achieve:

• click to proceed (no registration process) will lead to access to intranet webpages (webpages on openwrt router running lighthttp on different ip-adresses)
• registration should leed to internet access

best would be if the user could choose between to models, how thos can be achieved and how the user may restricted to intranet only. at the moment "click to proceed" gets internet access

thanks a lot for your time!

Lars

[bluewavenet]

@lblabr Probably the best way of doing this is to set up FAS to run on lighttpd. See: https://opennds.readthedocs.io/en/stable/fas.html#example-script-file-fas-aes-php

Once you have this working you will be able to edit the example php to provide navigation to your intranet. Get it working with no changes first, then come back and ask questions if you need to ;-)

Note, this way you will not need a second ip address for lighttpd.

A note of caution: If you are considering using a Raspberry Pi, then please reconsider. A Pi does not make a good router and would be an expensive solution from a hardware point of view. The problems far outweigh any advantages and are very difficult to overcome particularly for [newbe] levels of experience.

[lblabr]

the manual says:

Preauthenticated ... Any other packet is dropped, except that a packet for destination port 80 at any address is redirected to port 2050 on the router, where openNDS’s built in libhttpd-based web server is listening. ...

It does not seem to happen...

[lblabr]

@lblabr Probably the best way of doing this is to set up FAS to run on lighttpd. See: https://opennds.readthedocs.io/en/stable/fas.html#example-script-file-fas-aes-php

Once you have this working you will be able to edit the example php to provide navigation to your intranet. Get it working with no changes first, then come back and ask questions if you need to ;-)

Note, this way you will not need a second ip address for lighttpd.

A note of caution: If you are considering using a Raspberry Pi, then please reconsider. A Pi does not make a good router and would be an expensive solution from a hardware point of view. The problems far outweigh any advantages and are very difficult to overcome particularly for [newbe] levels of experience.

my setup is as follows:

• openwrt

• luci running on 10.100.10.25

• dedicated wlan-interface for guest 192.168.50.1

• lightttp serves:

• luci on 10.100.10.25:80

• intranet on 192.168.50.1:81

[bluewavenet]

@lblabr

It does not seem to happen...

This indicates you have a configuration issue.

luci running on 10.100.10.25 dedicated wlan-interface for guest 192.168.50.1

lightttp serves: luci on 10.100.10.25:80 intranet on 192.168.50.1:81

This, although not necessarily incorrect, strongly implies you have a configuration problem.

Can you please share:

1. Your hardware make/model
2. The contents of /etc/config/network
3. The contents of /etc/config/wireless
4. The contents of /etc/config/opennds
5. The version of OpenWrt you are using
6. The version of openNDS you are using

[lblabr]

first of all, i do not get it formmatted right, i need to read somewhere hao to do, insert a quote or code didn't helped

1.) Hardware Hostname: OpenWrt Model: Linksys E4200 v2 (Viper) Architecture: Feroceon 88FR131 rev 1 (v5l) Firmware Version: OpenWrt 21.02.0 r16279-5cc0535800 / LuCI openwrt-21.02 branch git-21.340.48972-61cc3b1 Kernel Version: 5.4.143

2.) /etc/config/network

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd9e:651b:6855::/48'

config device
        option name 'internet'
        option macaddr '58:6d:8f:fa:e1:41'

config interface 'wan'
        option device 'internet'
        option proto 'dhcp'
        option type 'bridge'

config interface 'LAN'
        option type 'bridge'
        option proto 'dhcp'
        option device 'lan'

config device
        option type 'bridge'
        option name 'lan'
        list ports 'ethernet1'
        list ports 'ethernet2'
        list ports 'ethernet3'
        list ports 'ethernet4'
        option vlan_filtering '1'

config interface 'openAP'
        option proto 'static'
        option ipaddr '192.168.50.1'
        option netmask '255.255.255.0'
        option device 'radio1.network2'

3) /etc/config/wireless root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path 'mbus@f1000000/mbus@f1000000:pcie@82000000/pci0000:00/0000:00:01.0/0000:01:00.0'
        option cell_density '0'
        option country 'DE'

config wifi-device 'radio1'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path 'mbus@f1000000/mbus@f1000000:pcie@82000000/pci0000:00/0000:00:02.0/0000:02:00.0'
        option htmode 'HT20'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option mode 'ap'
        option ssid 'XXXXX'
        option encryption 'psk2'
        option key 'XXXXXX'
        option network 'LAN'

config wifi-iface 'wifinet1'
        option device 'radio0'
        option mode 'ap'
        option ssid 'XXXXX'
        option key 'XXXXX'
        option encryption 'psk2'
        option network 'LAN'

config wifi-iface 'wifinet2'
        option device 'radio1'
        option mode 'ap'
        option encryption 'none'
        option network 'openAP'
        option ssid 'RadballKidz_Leipzig'

4) /etc/config/opennds cat /etc/config/opennds

config opennds
        # enabled
        # Set to 0 to disable opennds
        option enabled 1
        ###########################################################################################

        # Use deprecated generic configuration file (not recommended)
        #option config '/etc/opennds/opennds.conf'
        ###########################################################################################

        # debuglevel
        # Set Debug Level (0-3)
        # Default: 1
        # 0 : Silent (only initial startup, LOG_ERR and LOG_EMERG LOG_CRIT messages will be seen, otherwise there will be no logging.)
        # 1 : LOG_ERR, LOG_EMERG, LOG_CRIT, LOG_WARNING and LOG_NOTICE (this is the default level).
        # 2 : debuglevel 1  + LOG_INFO
        # 3 : debuglevel 2 + LOG_DEBUG
        option debuglevel '3'
        ###########################################################################################

        # fwhook_enabled
        # Firewall Restart hook
        # Set to 0 to disable hook that makes opennds restart when the firewall restarts.
        # This hook is needed as a restart of Firewall overwrites opennds iptables entries.
        option fwhook_enabled '1'
        ###########################################################################################

        # ndsctlsocket
        # The socket name to use for ndsctl socket access, relative to the tmpfs mountpoint.
        # Any directory/folder specified must exist.
        # Default: ndsctl.sock (Do not add a leading "/")
        # Full default socket path would be /tmp/ndsctl.sock in OpenWrt
        # In the following example, the socket path would be /tmp/sockets/ndsctl.sock
        #option ndsctlsocket 'sockets/ndsctl.sock'
        ###########################################################################################

        # log_mountpoint
        # Local Log Mountpoint
        # Default: router's volatile tmpfs storage eg on OpenWrt '/tmp'
        #
        # Local logging can be directed to any storage accessible to the router eg USB drive, SSD etc
        #
        # **WARNING** - you cannot use the router's built in flash storage as this would cause
        # excessive wear and eventual flash failure
        #
        # Example:
        #option log_mountpoint '/tmp'
        ###########################################################################################

        # Login Option
        # Default: 1
        # Integer value sent to PreAuth script as login mode
        #
        # opennds comes preconfigured for three basic modes of operation
        #
        # 0. If FAS is not enabled, then this functions as mode 1
        #
        # 1.Default Dynamic Click to Continue
        # The pre-installed dynamic login page is enabled by setting option login_option_enabled = '1'.
        # It generates a Click to Continue page followed by a info/advertising page.
        # User clicks on “Continue” are recorded in the log file /[tmpfs_dir]/ndslog/ndslog.log
        #
        # 2. Username/Emailaddress Dynamic Login
        # The pre-installed dynamic login page is enabled by setting option login_option_enabled = '2'.
        # It generates a login page asking for username and email address followed by an info/advertising page.
        # User logins are recorded in the log file /[tmpfs_dir]/ndslog/ndslog.log
        #
        # 3. Use Theme defined in ThemeSpec path (option themespec_path)
        #
        option login_option_enabled '1'
        ###########################################################################################

        # Allow Preemptive Authentication
        # Default: 0 - Disabled
        # Enable by setting to 1
        # This allows the ndsctl utility to preemptively authorise **connected** clients
        # that have not entered the preauthenticated state.
        # This is useful for example with IoT devices that do not have CPD (captive portal detection)
        # or for a FAS to manage inter-captive-portal roaming by making use of a centralised database of client validations.
        #
        #option allow_preemptive_authentication '1'
        ###########################################################################################

        # ThemeSpec Path
        # Default: None
        # Required when when login_option_enabled is set to '3'
        #
        # Note: /usr/lib/opennds/theme_click-to-continue.sh is used for login_option_enabled '1'
        # and:  /usr/lib/opennds/theme_user_email_login.sh is used for login_option_enabled '2'
        #
        # Sets the ThemeSpec file path to be used when login_option_enabled '3'
        #
        # The ThemeSpec script makes use of lists of custom parameters, custom variables, custom image urls and custom files.
        # and is used to generate the dynamic splash page sequence
        #
        # The ThemeSpec file will normally reside in /usr/lib/opennds/ but can be anywhere accessible to openNDS.
        # The file must be flagged as executable and have the correct shebang for the default shell.
        #
        #option themespec_path '/usr/lib/opennds/<filename>'
        ###########################################################################################

        # Define Custom Parameters
        # Custom parameters are sent as fixed values to FAS
        # Default None
        #
        # Custom Parameters listed in the form of param_name=param_value
        # param_name and param_value must be urlencoded if containing white space or single quotes
        # eg replace spaces with %20 - replace single quotes with %27
        #
        # Parameters should be configured one per line to prevent possible parsing errors.
        # eg:
        #list fas_custom_parameters_list '<param_name1=param_value1>'
        #list fas_custom_parameters_list '<param_name2=param_value2>'
        # etc.
        #
        # The following Working Example applies to the installed ThemeSpec Files:
        # theme_click-to-continue-custom-placeholders
        # and
        # theme_user-email-login-custom-placeholders
        #
        #list fas_custom_parameters_list 'logo_message=openNDS:%20Perfect%20on%20OpenWrt!'
        #list fas_custom_parameters_list 'banner1_message=BlueWave%20-%20Wireless%20Network%20Specialists'
        #list fas_custom_parameters_list 'banner2_message=HMS%20Pickle'
        #list fas_custom_parameters_list 'banner3_message=SeaWolf%20Cruiser%20Racer'
        ###########################################################################################

        # Define Custom Variables
        # Custom Variables are used by FAS to dynamically collect information from clients
        # Default None
        #
        # Custom Variables are listed in the form of var_name=var_type
        # var_name and var_type must be urlencoded if containing white space or single quotes
        # eg replace spaces with %20 - replace single quotes with %27
        #
        # Variables should be configured one per line to prevent possible parsing errors.
        # eg:
        #list fas_custom_variables_list '<var_name1=var_type1>'
        #list fas_custom_variables_list '<var_name2=var_type2>'
        # etc.
        #
        # FAS Generic Variables - a custom FAS or ThemeSpec must be written to make use of FAS Generic Variables
        #-------------------------------------------------------------------------------------------------------
        # eg:
        #list fas_custom_variables_list 'membership_number=number'
        #list fas_custom_variables_list 'access_code=password'
        #
        # ThemeSpec Dynamically generated Form Fields
        #--------------------------------------------
        # ThemeSpec scripts can dynamically generate Form Field html and inject into the dynamic splash page sequence.
        # This is achieved using a SINGLE line containing the keyword "input",
        # in the form: fieldname:field-description:fieldtype
        #
        # Numerous fields can be defined in this single "input=" line, separated by a semicolon (;).
        #
        # The following Working Example applies to the installed ThemeSpec Files:
        # theme_click-to-continue-custom-placeholders
        # and
        # theme_user-email-login-custom-placeholders
        #
        # this example inserts Phone Number and Home Post Code fields:
        #
        #list fas_custom_variables_list 'input=phone:Phone%20Number:text;postcode:Home%20Post%20Code:text'
        #
        ###########################################################################################

        # Define Custom Images
        # Custom Images are served by a local FAS where required in dynamic portal pages
        # Default None
        #
        # Custom images will be copied from the URL to the openNDS router
        #
        # Custom Images are listed in the form of image_name_type=image_url
        # image_name and image_url must be urlencoded if containing white space or single quotes
        # The image url must begin with http:// https:// or file://
        # Custom images will be copied from the URL to the openNDS router
        #
        # Images should be configured one per line to prevent possible parsing errors.
        #
        #list fas_custom_images_list '<image_name1_[type]=image_url1>'
        #list fas_custom_images_list '<image_name2_[type]=image_url2>'
        # etc.
        #
        # "type" can be any recognised image file extension eg jpg, png, ico, etc.
        #
        # The following Working Example applies to the installed ThemeSpec Files:
        # theme_click-to-continue-custom-placeholders
        # and
        # theme_user-email-login-custom-placeholders
        #
        #list fas_custom_images_list 'logo_png=https://openwrt.org/_media/logo.png'
        #list fas_custom_images_list 'banner1_jpg=https://raw.githubusercontent.com/openNDS/openNDS/v9.0.0/resources/bannerbw.jpg'
        #list fas_custom_images_list 'banner2_jpg=https://raw.githubusercontent.com/openNDS/openNDS/v9.0.0/resources/bannerpickle.jpg'
        #list fas_custom_images_list 'banner3_jpg=https://raw.githubusercontent.com/openNDS/openNDS/v9.0.0/resources/bannerseawolf.jpg'
        #
        ###########################################################################################

        # Define Custom Files
        # Custom Files are served by a local FAS where required in dynamic portal pages
        # Default None
        #
        # Custom files will be copied from the URL to the openNDS router
        #
        # Images should be configured one per line to prevent possible parsing errors.
        #
        # Custom files are listed in the form of file_name_type=file_url
        # file_name and file_url must be urlencoded if containing white space or single quotes
        # The file url must begin with http:// https:// or file://
        # Custom files will be copied from the URL to the openNDS router
        #
        #list fas_custom_files_list '<file_name1_[type]=file_url1>'
        #list fas_custom_files_list '<file_name2_[type]=file_url2>'
        # "type" can be any recognised file extension that can be used to display web content eg txt, htm etc.
        #
        # The following Working Example applies to the installed ThemeSpec Files:
        # theme_click-to-continue-custom-placeholders
        # and
        # theme_user-email-login-custom-placeholders
        #
        #list fas_custom_files_list 'advert1_htm=https://raw.githubusercontent.com/openNDS/openNDS/v9.0.0/resources/bannerpickle.htm'
        #
        ###########################################################################################

        # Set refresh interval for downloaded remote files (in minutes)
        # Seting to 0 (zero) means refresh is disabled
        # Default 0
        #
        option remotes_refresh_interval '1'
        #
        ###########################################################################################

        # Use outdated libmicrohttpd (MHD)
        # Default 0
        #
        # Warning, this may be unstable or fail entirely - it would be better to upgrade MHD.
        # Use at your own risk
        #
        # Older versions of MHD convert & and + characters to spaces when present in form data
        # This can make a PreAuth or BinAuth impossible to use for a client if form data contains either of these characters
        # eg. in username or password
        #
        # MHD versions earlier than 0.9.71 are detected.
        #
        # If this option is set to 0 (default), NDS will terminate if MHD is earlier than 0.9.71
        # If this option is set to 1, NDS will attempt to start and log an error.
        #
        #option use_outdated_mhd '0'
        ###########################################################################################

        # Maximum Page Size to be served by MHD
        # Default 10240 bytes
        # Minimum value 1024 bytes
        # Maximum - limited only by free RAM in the router
        #
        # This sets the maximum number of bytes that will be served per page by the MHD web server
        # Setting this option is useful:
        #       1. To reduce memory requirements on a resource constrained router
        #       2. To allow large pages to be served where memory usage is not a concern
        #
        #option max_page_size '4096'
        ###########################################################################################

        # Maximum number of Local Log Entries
        # Default 100
        # Minimum value 0
        # Maximum value - limited only be free storage space on the logging mountpoint
        #
        # If set to '0' there is no limit
        #
        # This is the maximum number of local log entries allowed before log rotation begins
        # Both ThemeSpec and Binauth log locally if they are enabled
        #
        # **WARNING** - local logging is by default written to the tmpfs volatile storage
        # If this option were to be set too high the router could run out of tmpfs storage and/or free RAM
        #
        # Non-volatile storage, such as a USB storage device may be defined using the log_mountpoint option
        #
        # Example:
        #option max_log_entries '1000'
        ###########################################################################################

        # MHD Unescape callback - This is an advanced option
        # Default 0
        #
        # MHD has a built in unescape function that urldecodes incoming queries from browsers
        #
        # This option allows an external unescape script to be enabled and replace the built in decoder
        #
        # The script must be named unescape.sh, be present in /usr/lib/opennds/ and be executable.
        #
        # A very simple standard unescape.sh script is installed by default
        # Set to 1 to enable this option, 0 to disable
        # default is disabled
        #
        #option unescape_callback_enabled '0'
        ###########################################################################################

        # WebRoot
        # Default: /etc/opennds/htdocs
        #
        # The local path where the system css file, and legacy splash page content resides.
        # ie. Serve the file splash.html from this directory
        #option webroot '/etc/opennds/htdocs'
        ###########################################################################################

        # GateWayInterface
        # Default br-lan
        # Use this option to set the device opennds will bind to.
        # The value may be an interface section in /etc/config/network or a device name such as br-lan.
        # The selected interface must be allocated an IPv4 address.
        # In OpenWrt this is normally br-lan, in generic Linux it might be wlan0
        #
        option gatewayinterface 'wlan1-1'
        ###########################################################################################

        # GatewayPort
        # Default: 2050
        #
        # openNDS's own http server uses gateway address as its IP address.
        # The port it listens to at that IP can be set here; default is 2050.
        #
        #option gatewayport '2050'
        ###########################################################################################

        # GatewayName
        # Default: openNDS
        #
        # gatewayname is used as an identifier for the instance of openNDS
        #
        # It is displayed on the default static splash page and the default preauth login script.
        #
        # It is particularly useful in the case of a single remote FAS server that serves multiple
        # openNDS sites, allowing the FAS to customise its response for each site.
        #
        # Note: The single quote (or apostrophe) character ('), cannot be used in the gatewayname.
        # If it is required, use the htmlentity &#39; instead.
        #
        # For example:
        # option gatewayname 'Bill's WiFi' is invalid.
        # Instead use:
        # option gatewayname 'Bill&#39;s WiFi'
        #
        option gatewayname 'OpenWrt openNDS'
        ###########################################################################################

        # GatewayFQDN
        # Default: status.client
        # This is the simulated FQDN used by a client to access the Client Status Page
        # If not set, the Status page can be accessed at: http://gatewayaddress:gatewayport/
        #
        # Warning - if set, services on port 80 of the gateway will no longer be accessible (eg Luci AdminUI)
        #
        # By default, the Error511/Status page will be found at http://status.client/ by a redirection
        # of port 80 to http://gatewayaddress:gatewayport/
        #
        # Disable GatewayFQDN by setting the option to 'disable'
        # ie:
        #option gatewayfqdn 'disable'
        #
        # Alternate Useful Example:
        #option gatewayfqdn 'login.page'
        ###########################################################################################

        # StatusPath
        # Default: /usr/lib/opennds/client_params.sh
        # This is the script used to generate the GatewayFQDN client status and Error511 pages
        #
        #option statuspath '/mycustomscripts/custom_client_params.sh'
        ###########################################################################################

        # MaxClients
        # Default 250
        # The maximum number of clients allowed to connect
        # This should be less than or equal to the number of allowed DHCP leases
        # For example:
        option maxclients '250'
        ###########################################################################################

        # Client timeouts in minutes
        #
        # preauthidletimeout is the time in minutes after which a client is disconnected if not authenticated
        # ie the client has not attempted to authenticate for this period
        # Default 30 minutes
        #option preauthidletimeout '30'

        # authidletimeout is the time in minutes after which an idle client is disconnected
        # ie the client has not used the network access for this period
        # Default 120 minutes
        #option authidletimeout '120'

        # Session Timeout is the interval after which clients are forced out (a value of 0 means never)
        # Clients will be deauthenticated at the end of this period
        # Default 1200 minutes (20 hours)
        # Example: Set to 24 hours (1440 minutes)
        option sessiontimeout '10'
        ###########################################################################################

        # The interval in seconds at which opennds checks client timeout and quota status
        # Default 60 seconds (1 minute)
        # Example: Set to 30 seconds
        #option checkinterval '30'
        ###########################################################################################

        # Rate Quotas
        # Note: upload means to the Internet, download means from the Internet
        # Defaults 0
        # Integer values only
        #
        # If the client average data rate exceeds the value set here, the client will be rate limited
        # Values are in kb/s
        # If set to 0, there is no limit
        #
        # Quotas and rates can also be set by FAS via Authmon Daemon, ThemeSpec scripts, BinAuth, and ndsctl auth.
        # Values set by these methods, will override values set in this config file.
        #
        # Rates:
        #option uploadrate '0'
        #option downloadrate '0'
        #
        ###########################################################################################

        # RateCheckWindow
        # Default 2
        #
        # The client data rate is calculated using a moving average.
        #
        # This allows clients to burst at maximum possible rate, only blocking if the moving average
        # exceeds the specified upload or download rate.
        #
        # The moving average window size is equal to ratecheckwindow times checkinterval (seconds)
        #
        # All rate limits can be globally disabled by setting this option to 0 (zero)
        #
        # Example: Disable all rate quotas for all clients, overriding settings made in FAS via Authmon Daemon,
        #       ThemeSpec scripts, BinAuth, and ndsctl auth:
        #option ratecheckwindow '0'
        #
        # Example: Set to 3 checkinterval periods:
        #option ratecheckwindow '3'
        ###########################################################################################

        # Volume Quotas:
        # If the client data quota exceeds the value set here, the client will be forced out
        # Defaults 0
        # Integer values only
        #
        # Values are in kB
        # If set to 0, there is no limit
        #
        #option uploadquota '0'
        #option downloadquota '0'
        ###########################################################################################

        # Enable BinAuth Support. BinAuth enables POST AUTHENTICATION PROCESSING
        # and is useful in particular when a FAS is configured remotely
        # Default disabled
        #
        # If set, a BinAuth program or script is triggered by several possible methods
        # and is called with several arguments on both authentication and deauthentication:
        #
        #
        # Possible methods
        #
        # Authentication:
        # "auth_client": Request for authentication received from the captive portal splash page.
        # "client_auth": Acknowledgement that Client was authenticated via this script.
        # "ndsctl_auth": Client was authenticated by ndsctl auth command.
        #
        # Deauthentication:
        # "client_deauth": Client deauthenticated by the client via captive portal splash page.
        # "idle_deauth": Client was deauthenticated because of inactivity.
        # "timeout_deauth": Client was deauthenticated because the session timed out.
        # "ndsctl_deauth": Client was deauthenticated by ndsctl deauth command.
        # "uprate_deauth": Client was deauthenticated because its average upload rate exceeded the allowed value
        # "downrate_deauth": Client was deauthenticated because its average download rate exceeded the allowed value
        # "upquota_deauth": Client was deauthenticated because its upload quota exceeded the allowed value
        # "downquota_deauth": Client was deauthenticated because its download quota exceeded the allowed value
        # "shutdown_deauth": Client was deauthenticated by openNDS terminating.
        #
        # A fully functional BinAuth script is pre-installed and provides local logging
        # of client activity. This is enabled by uncommenting the following line:
        #option binauth '/usr/lib/opennds/binauth_log.sh'
        ###########################################################################################

        # Set Fasport
        # This is the Forwarding Authentication Service (FAS) port number
        # Redirection is changed to the IP port of a FAS (provided by the system administrator)
        # Note: if FAS is running locally (ie fasremoteip is NOT set), port 80 cannot be used.
        #
        # Typical Remote Shared Hosting Example:
        #option fasport '80'
        #
        # Typical Locally Hosted example (ie fasremoteip not set):
        #option fasport '2080'
        ###########################################################################################

        # Option: fasremotefqdn
        # Default: Not set
        # If set, this is the remote fully qualified domain name (FQDN) of the FAS.
        # The protocol must NOT be prepended to the FQDN (ie http:// or https://)
        # To prevent CPD or browser security errors NDS prepends the required http:// or https://
        # before redirection, depending upon the fas_secure_enabled option.
        #
        # If set, DNS MUST resolve fasremotefqdn to be the same ip address as fasremoteip.
        #
        # Typical Remote Shared Hosting Example (replace this with your own FAS FQDN):
        #option fasremotefqdn 'onboard-wifi.net'
        #
        # Note: For a CDN (Content Delivery Network) hosted server,
        #       you must also add fasremotefqdn to the Walled Garden list of FQDNs
        #
        ###########################################################################################

        # Option: fasremoteip
        # Default: GatewayAddress (the IP of NDS)
        # If set, this is the remote ip address of the FAS.
        #
        # Typical Remote Shared Hosting Example (replace this with your own remote FAS IP):
        #option fasremoteip '46.32.240.41'
        ###########################################################################################

        # Option: faspath
        # Default: /
        # This is the path from the FAS Web Root to the FAS login page
        # (not the file system root).
        #
        # In the following examples, replace with your own values for faspath
        #
        # Typical Remote Shared Hosting Example (if fasremotefqdn is not specified):
        #option faspath '/remote_host_fqdn/fas/fas-hid.php'
        #
        # Typical Remote Shared Hosting Example (ie BOTH fasremoteip AND fasremotefqdn set):
        #option faspath '/fas/fas-hid.php'
        #
        # Typical Locally Hosted Example (ie fasremoteip not set):
        #option faspath '/fas/fas-hid.php'
        ###########################################################################################

        # Option: faskey
        # Default: 1234567890
        # A key phrase for NDS to encrypt the query string sent to FAS
        # Can be any text string with no white space
        #
        # Option faskey must be pre-shared with FAS.
        #
        #option faskey '1234567890'
        ###########################################################################################

        # Option: fas_secure_enabled
        # Default: 1

        # ****If set to "0"****
        # The FAS is enforced by NDS to use http protocol.
        # The client token is sent to the FAS in clear text in the query string of the redirect along with authaction and redir.
        # Note: This level is insecure and can be easily bypassed

        # ****If set to "1"****
        # The FAS is enforced by NDS to use http protocol.
        # The client token will be hashed and sent to the FAS along with other relevent information in a base 64 encoded string
        #
        # FAS must return the sha256sum of the concatenation of hid(the hashed original token), and faskey to be used by NDS for client authentication.
        # This is returned to FAS for authentication
        #

        # ****If set to "2"****
        # The FAS is enforced by NDS to use http protocol.
        #
        # The parameters clientip, clientmac, gatewayname, hid(the hashed original token), gatewayaddress, authdir, originurl and clientif
        # are encrypted using faskey and passed to FAS in the query string.
        #
        # The query string will also contain a randomly generated initialization vector to be used by the FAS for decryption.
        #
        # The cipher used is "AES-256-CBC".
        #
        # The "php-cli" package and the "php-openssl" module must both be installed for fas_secure level 2 and 3.
        #
        # openNDS does not depend on this package and module, but will exit gracefully
        # if this package and module are not installed when this level is set.
        #
        # The FAS must use the query string passed initialisation vector and the pre shared fas_key to decrypt the query string.
        # An example FAS level 2 php script (fas-aes.php) is included in the /etc/opennds directory and also supplied in the source code.

        # ****If set to "3"****
        # The FAS is enforced by NDS to use https protocol.
        #
        # Level 3 is the same as level 2 except the use of https protocol is enforced for FAS.
        #
        # In addition, the "authmon" daemon is loaded.
        # This allows the external FAS, after client verification, to effectively traverse inbound firewalls and address translation
        # to achieve NDS authentication without generating browser security warnings or errors.
        # An example FAS level 3 php script (fas-aes-https.php) is included in the /etc/opennds directory and also supplied in the source code.
        #
        # Note: Option faskey must be pre shared with the FAs script in use (including any ThemeSpec local file) if fas secure is set to levels 1, 2 and 3.
        #option fas_secure_enabled '1'
        ###########################################################################################

        # PreAuth
        # Default Not set, or automatically set by "option login_option_enabled"
        # PreAuth support allows FAS to call a local program or script with html served by the built in NDS web server
        # If the option is set, it points to a program/script that is called by the NDS FAS handler
        # All other FAS settings will be overidden.
        #
        #option preauth '/path/to/myscript/myscript.sh'
        ###########################################################################################

        # Block Access For Authenticated Users (block):
        # Default: None
        #
        # If Block Access is specified, an allow or passthrough must be specified afterwards
        #       as any entries set here will override the access default
        #
        # Examples:
        #
        # You might want to block entire IP subnets. e.g.:
        #list authenticated_users 'block to 123.2.3.0/24'
        #list authenticated_users 'block to 123.2.0.0/16'
        #list authenticated_users 'block to 123.0.0.0/8'
        #
        # or block access to a single IP address. e.g.:
        #
        #list authenticated_users 'block to 123.2.3.4'
        #
        # Do not forget to add an allow or passthrough if the default only is assumed (see Grant Access)
        #
        ###########################################################################################

        # Grant Access For Authenticated Users (allow and passthrough):
        #
        # Access can be allowed by openNDS directly, overriding the operating system firewall rules
        # or Access can be allowed by openNDS but the final decision can be passed on to the operating system firewall.
        #
        # Default: list authenticated_users 'passthrough all'
        #
        # Any entries set here, or above in Block Access, will override the default
        #
        # Example: Grant access overriding operating system firewall
        #list authenticated_users 'allow all'
        #
        # Example:
        # Grant access to https web sites, subject to the operating system firewall rules
        #list authenticated_users 'passthrough tcp port 443'
        #
        # Grant access to http web sites, overriding the operating system firewall rules.
        #list authenticated_users 'allow tcp port 80'
        #
        # Grant access to udp services at address 123.1.1.1, on port 5000, overriding the operating system firewall rules.
        #list authenticated_users 'allow udp port 5000 to 123.1.1.1'
        #
        ###########################################################################################

        # For preauthenticated users:
        #
        #       *****IMPORTANT*****
        #
        # To support RFC8910 Captive Portal Identification
        #       AND to help prevent DNS tunnelling, DNS Hijacking and generally improve security,
        #
        #       ****DO NOT ALLOW ACCESS TO EXTERNAL DNS SERVICES****
        #
        ###########################################################################################

        # Walled Garden
        # Allow preauthenticated users to access external services
        # This is commonly referred to as a Walled Garden.
        #
        # A Walled Garden can be configured either:
        # 1. Manually for known ip addresses
        # or
        # 2. Autonomously from a list of FQDNs and ports

        #####
        # Manual Walled Garden configuration requires research to determine the ip addresses of the Walled Garden site(s)
        # This can be problematic as sites can use many dynamic ip addresses.
        # However, manual configuration does not require any additional dependencies (ie additional installed packages)
        #
        # Manual configuration example:
        #
        #list preauthenticated_users 'allow tcp port 80 to 112.122.123.124'
        #list preauthenticated_users 'allow udp port 8020 to 112.122.123.124'

        list preauthenticated_users 'allow tcp port 81 to 192.168.50.1'
        #

        #####
        # Autonomous Walled Garden configuration using a list of FQDNs and Ports.
        #
        # This has the advantage of discovering all ip addresses used by the Walled Garden sites.
        # But it does require the ipset and dnsmasq-full packages to be installed
        # by running the following commands:
        #
        # opkg update
        # opkg install ipset
        # opkg remove dnsmasq
        # opkg install dnsmasq-full
        #
        # Configuration is then a simple matter of adding two lists as follows:
        #
        # list walledgarden_fqdn_list 'fqdn1 fqdn2 fqdn3 .... fqdnN'
        # list walledgarden_port_list 'port1 port2 port3 .... portN'
        #
        # Note: If walledgarden_port_list is NOT specified, then Walled Garden access is granted
        # for all protocols (tcp, udp, icmp) on ALL ports for each fqdn specified in walledgarden_fqdn_list.
        #
        # Note: If walledgarden_port_list IS specified, then:
        #  1. Specified port numbers apply to ALL FQDN's specified in walledgarden_fqdn_list.
        #  2. Only tcp protocol Walled Garden access is granted.

        # Autonomous configuration examples:
        #
        # 1. To add Facebook to the Walled Garden, the list entries would be:
        #       list walledgarden_fqdn_list 'facebook.com fbcdn.net'
        #       list walledgarden_port_list '443'
        #
        # 2. To add Paypal to the Walled Garden, the list entries would be:
        #       list walledgarden_fqdn_list 'paypal.com paypalobjects.com'
        #       list walledgarden_port_list '443'

        ###########################################################################################

        # User access to the router
        #
        # Essential - Allow ports for DNS and DHCP (disabling these will soft brick your router):
        list users_to_router 'allow tcp port 53'
        list users_to_router 'allow udp port 53'
        list users_to_router 'allow udp port 67'

        # Optional - Allow ports for SSH/HTTP/HTTPS:
        list users_to_router 'allow tcp port 22'
        list users_to_router 'allow tcp port 80'
        list users_to_router 'allow tcp port 443'
        ###########################################################################################

        # MAC addresses that are/are-not allowed to access the splash page
        # Value is either 'allow' or 'block'. The allowedmac or blockedmac list is used.
        #
        # Examples:
        #
        #option macmechanism 'allow'
        #list allowedmac '00:00:C0:01:D0:0D'
        #list allowedmac '00:00:C0:01:D0:1D'
        #
        # or
        #
        #option macmechanism 'block'
        #list blockedmac '00:00:C0:01:D0:2D'
        ###########################################################################################

        # MAC addresses that do not need to authenticate
        #list trustedmac '00:00:C0:01:D0:1D'
        ###########################################################################################

        # dhcp_default_url_enable
        # Sends "default_url" (dhcp option 114) with all replies to dhcp requests
        # Required for RFC8910 Captive Portal Identification
        # Default 1 (enabled)
        # To disable, set to 0
        #option dhcp_default_url_enable '1'
        ###########################################################################################

        # openNDS uses specific HEXADECIMAL values to mark packets used by iptables as a bitwise mask.
        # This mask can conflict with the requirements of other packages.
        #
        # However the defaults are fully compatible with the defaults used in mwan3 and sqm
        #
        # Any values set here are interpreted as in hex format.
        #
        # Option: fw_mark_authenticated
        # Default: 30000 (0011|0000|0000|0000|0000 binary)
        #
        # Option: fw_mark_trusted
        # Default: 20000 (0010|0000|0000|0000|0000 binary)
        #
        # Option: fw_mark_blocked
        # Default: 10000 (0001|0000|0000|0000|0000 binary)
        #
        #option fw_mark_authenticated '30000'
        #option fw_mark_trusted '20000'
        #option fw_mark_blocked '10000'
        ###########################################################################################

6)

root@OpenWrt:~#  /usr/bin/opennds -v
This is openNDS version 9.4.0

[bluewavenet]

Show also the outputs of: ip route

and

ip addr

[lblabr]

ip route:

root@OpenWrt:~# ip route
default via 10.100.10.1 dev lan  src 10.100.10.25
10.100.10.0/24 dev lan scope link  src 10.100.10.25
192.168.50.0/24 dev wlan1-1 scope link  src 192.168.50.1

ip addr

root@OpenWrt:~# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1508 qdisc mq state UP qlen 1000
    link/ether 58:6d:8f:fa:e1:40 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::5a6d:8fff:fefa:e140/64 scope link
       valid_lft forever preferred_lft forever
3: ethernet1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master lan state UP qlen 1000
    link/ether 58:6d:8f:fa:e1:40 brd ff:ff:ff:ff:ff:ff
4: ethernet2@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master lan state LOWERLAYERDOWN qlen 1000
    link/ether 58:6d:8f:fa:e1:40 brd ff:ff:ff:ff:ff:ff
5: ethernet3@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master lan state LOWERLAYERDOWN qlen 1000
    link/ether 58:6d:8f:fa:e1:40 brd ff:ff:ff:ff:ff:ff
6: ethernet4@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master lan state LOWERLAYERDOWN qlen 1000
    link/ether 58:6d:8f:fa:e1:40 brd ff:ff:ff:ff:ff:ff
7: internet@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state LOWERLAYERDOWN qlen 1000
    link/ether 58:6d:8f:fa:e1:41 brd ff:ff:ff:ff:ff:ff
10: lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 58:6d:8f:fa:e1:40 brd ff:ff:ff:ff:ff:ff
    inet 10.100.10.25/24 brd 10.100.10.255 scope global lan
       valid_lft forever preferred_lft forever
    inet6 fe80::5a6d:8fff:fefa:e140/64 scope link
       valid_lft forever preferred_lft forever
11: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master lan state UP qlen 1000
    link/ether 58:6d:8f:fa:e1:44 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::5a6d:8fff:fefa:e144/64 scope link
       valid_lft forever preferred_lft forever
12: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master lan state UP qlen 1000
    link/ether 58:6d:8f:fa:e1:42 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::5a6d:8fff:fefa:e142/64 scope link
       valid_lft forever preferred_lft forever
13: wlan1-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 5a:6d:8f:fa:e1:44 brd ff:ff:ff:ff:ff:ff
    inet 192.168.50.1/24 brd 192.168.50.255 scope global wlan1-1
       valid_lft forever preferred_lft forever
    inet6 fe80::586d:8fff:fefa:e144/64 scope link
       valid_lft forever preferred_lft forever

[lblabr]

root@OpenWrt:~# netstat -lnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:2050            0.0.0.0:*               LISTEN      5402/opennds
tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN      4817/lighttpd
tcp        0      0 10.100.10.25:80         0.0.0.0:*               LISTEN      4817/lighttpd
tcp        0      0 192.168.50.1:81         0.0.0.0:*               LISTEN      4817/lighttpd
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      5808/dnsmasq
tcp        0      0 10.100.10.25:53         0.0.0.0:*               LISTEN      5808/dnsmasq
tcp        0      0 192.168.50.1:53         0.0.0.0:*               LISTEN      5808/dnsmasq
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1370/dropbear
tcp        0      0 ::1:53                  :::*                    LISTEN      5808/dnsmasq
tcp        0      0 fe80::5a6d:8fff:fefa:e140:53 :::*                    LISTEN      5808/dnsmasq
tcp        0      0 fe80::5a6d:8fff:fefa:e140:53 :::*                    LISTEN      5808/dnsmasq
tcp        0      0 fe80::5a6d:8fff:fefa:e144:53 :::*                    LISTEN      5808/dnsmasq
tcp        0      0 fe80::5a6d:8fff:fefa:e142:53 :::*                    LISTEN      5808/dnsmasq
tcp        0      0 fe80::586d:8fff:fefa:e144:53 :::*                    LISTEN      5808/dnsmasq
tcp        0      0 :::22                   :::*                    LISTEN      1370/dropbear
udp        0      0 127.0.0.1:53            0.0.0.0:*                           5808/dnsmasq
udp        0      0 10.100.10.25:53         0.0.0.0:*                           5808/dnsmasq
udp        0      0 192.168.50.1:53         0.0.0.0:*                           5808/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           5808/dnsmasq
udp        0      0 ::1:53                  :::*                                5808/dnsmasq
udp        0      0 fe80::5a6d:8fff:fefa:e140:53 :::*                                5808/dnsmasq
udp        0      0 fe80::5a6d:8fff:fefa:e140:53 :::*                                5808/dnsmasq
udp        0      0 fe80::5a6d:8fff:fefa:e144:53 :::*                                5808/dnsmasq
udp        0      0 fe80::5a6d:8fff:fefa:e142:53 :::*                                5808/dnsmasq
udp        0      0 fe80::586d:8fff:fefa:e144:53 :::*                                5808/dnsmasq
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  2      [ ACC ]     STREAM     LISTENING      18548 5402/opennds        /tmp/ndsctl.sock
unix  2      [ ACC ]     STREAM     LISTENING        690 757/ubusd           /var/run/ubus/ubus.sock

[bluewavenet]

Do the following: uci set opennds.@opennds[0].debuglevel='2' then service opennds restart then show the output of: logread -e opennds

[bluewavenet]

Amongst other things, I think your firewall zones are probably incorrectly configured..

The 10.100.10.10.x network should be in the wan zone, but it looks like it is in lan:

10: lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000 link/ether 58:6d:8f:fa:e1:40 brd ff:ff:ff:ff:ff:ff inet 10.100.10.25/24 brd 10.100.10.255 scope global lan

Show the output of: uci show firewall

[lblabr]

the router is configured as dump ap connected to lan, wan is not used

[lblabr]

firewall.@defaults[0]=defaults firewall.@defaults[0].input='ACCEPT' firewall.@defaults[0].output='ACCEPT' firewall.@defaults[0].synflood_protect='1' firewall.@defaults[0].forward='REJECT' firewall.@zone[0]=zone firewall.@zone[0].name='openAP' firewall.@zone[0].forward='REJECT' firewall.@zone[0].network='openAP' firewall.@zone[0].input='ACCEPT' firewall.@zone[0].output='ACCEPT' firewall.@zone[1]=zone firewall.@zone[1].name='lan' firewall.@zone[1].input='ACCEPT' firewall.@zone[1].output='ACCEPT' firewall.@zone[1].forward='ACCEPT' firewall.@zone[1].network='LAN' firewall.@include[0]=include firewall.@include[0].path='/etc/firewall.user' firewall.opennds=include firewall.opennds.type='script' firewall.opennds.path='/usr/lib/opennds/restart.sh' firewall.@zone[2]=zone firewall.@zone[2].name='wan' firewall.@zone[2].input='ACCEPT' firewall.@zone[2].output='ACCEPT' firewall.@zone[2].forward='ACCEPT' firewall.@zone[2].masq='1' firewall.@zone[2].network='wan' firewall.@forwarding[0]=forwarding firewall.@forwarding[0].src='lan' firewall.@forwarding[0].dest='wan' firewall.@nat[0]=nat firewall.@nat[0].name='redirect_radballkidz' firewall.@nat[0].target='SNAT' firewall.@nat[0].snat_port='81' firewall.@nat[0].snat_ip='192.168.50.1' firewall.@nat[0].proto='tcp' 'udp' firewall.@nat[0].src='lan' firewall.@nat[0].src_ip='192.168.50.1/24'

[lblabr]

WAN is not connected with a cable

[bluewavenet]

@lblabr See: https://opennds.readthedocs.io/en/stable/install.html#prerequisites

[lblabr]

mhh than we have a collision with: https://openwrt.org/docs/guide-user/network/wifi/dumbap

[bluewavenet]

@lblabr Installation on a properly configured router is a pre-requisite for openNDS. It will not run on a Wireless Access Point. However you have partially configured routing for your device. As far as I can see, the missing bits include firewall zone settings and network address translation. It is most definitely possible to configure this correctly. I am not sure if it is easy to do in Luci or not - I don't use it.

Assuming the pre-existing "private" networks are important and in use during business hours etc., it might be sensible to add your new "public" network by using a low cost router dedicated to the job (~25 Euros should do it). The intranet/FAS server could be anywhere eg keep it on the E4200 if you want.

BUT - You could host it on the Internet, allowing https to be used for the intranet. It would be very simple to block all access to the Internet hosted intranet for people not on your venue public network - or allow access if registered and outside the venue. Lots of possibilities.

A very big advantage of adding a low cost router to do this, is the fact that no changes are needed in your existing and probably business critical systems.

[lblabr]

mhh, it' for a sportclub... we would like to be as cheap as possible, there ar no critical data but we won't give access to internet for everyone

. It is most definitely possible to configure this correctly

could you short describe whats to do ?

[bluewavenet]

What is the 10.100.10.x network used for?

[lblabr]

10.10.100.x (wireless & wired clients)

• 10.100.10.25 (wireless extension of the local lan)
• 192.168.50.1 (wireless exentsion to guests) i tried to bridge wireless only to wan, i doesn't worked anymore as far as i know i had this before upgarding to newest openwrt

at least i had my cable at the wan port.....

[lblabr]

but after "click & process" 192.168.50.1 gets routed the internet... just the redirect is missing in case of not accepting or closing dialog proceed page how the redircetion is done i could manually add a rule /forwarding etc..

[bluewavenet]

Do any clients connect to the 10.100.10.x network via this E4200?

[lblabr]

Do any clients connect to the 10.100.10.x network via this E4200?

yes,

[lblabr]

[lblabr]

i could remove wan is not used at the moment

or use it for something....

[bluewavenet]

After a quick search, I found that it appears the E4200 and the EA4500 are very outdated and the wireless chipset is no longer fully supported. It is a design that is more than 10 years old so it might be time to retire it for something more up to date.

Otherwise, I would suggest reflashing back to basic OpenWrt 19.07.8 then configuring:

• wan port connected to 10.100.10.x
• bridge "private" wireless and ethernet to wan
• route "public" wireless lan to wan (eg 192.168.50.x to 10.100.10.x with nat)
• install openNDS bound to "public interface"

[lblabr]

okay, i will give at a try.... thanks a lot for support!

[bluewavenet]

@lblabr You will have to download the OpenWrt 21 packages for openNDS and libmicrohttpd-no-ssl and install them (libmicro first) as the OpenWrt 19 versions are very old and things have changed very much since then.

[lblabr]

the final installation will in a sport hall. internet (WAN) with wifi, does this will work ? how opennds/openwrt detect the right interface for wan ?

[lblabr]

my bridge in the case above is more or less tha wan interface from openAP view, isn't it ?

[bluewavenet]

@lblabr Do you now have OpenWrt 19.07.8 with openNDS 9.4.0?

(WAN) with wifi, does this will work ?

Yes. The people connected to this private wifi will get their ip address from the 10.100.10.x router.

how [does] opennds/openwrt detect the right interface for wan ?

It does not "detect" it, it will read the configuration that you create.

You will need a bridge between the "wan" ethernet port and the "private" wireless interface (usually defaults to br-wan when you create it). The other bridge (already there on installation) will be called br-lan and will bridge your "public" wireless interface and the "lan" ports.

my bridge in the case above is more or less tha wan interface from openAP view, isn't it ?

Sorry, I do not know what "openAP view" is.