openNDS / openNDS

openNDS (open Network Demarcation Service) is a high-performance, small-footprint captive portal. It provides a border control gateway between a public local area network and the Internet.
https://opennds.readthedocs.io/
GNU General Public License v2.0

GL-MT300N-V2 as a Captive Portal #509

Closed RyukMy closed 11 months ago

RyukMy commented 1 year ago

Should I overwrite the software of the GL-MT300N or is it also OK to keep it and use the LuCI that I can install? @bluewavenet here I am, received 5 minutes ago.

Details:

LuCI -> 19.07
openNDS available to install -> 5.2.0-1
GL-MT300N-V2 -> 3.216

bluewavenet commented 1 year ago

@RyukMy To get the latest version of openNDS you must reflash with the latest stable version of OpenWrt.

Edit: At the time of writing this was OpenWrt 23.05.0-rc3 and allowed installation of openNDS v10.1.3.

What you must do:

  1. Download the latest stable version of OpenWrt for the MT300N-v2
  2. Reflash the MT300N-v2
  3. Enable WiFi
  4. Install openNDS - it will then be working - no special setup required.
  5. Customise openNDS if required

For item 1, assuming OpenWrt version 23.05.2, go to: https://downloads.openwrt.org/releases/23.05.2/targets/ramips/mt76x8/

Download the "sysupgrade" version of the file.

Now item 2. Do you know how to do this? There are two ways. One leaves multiple ways to go wrong, the other is 100% safe. The safe way requires an ethernet connection from your computer to the MT300N-v2. Do you want me to show you what to do?

RyukMy commented 1 year ago

Yes please. Let's avoid issues...

I will need help for point 5, I want the user to register to get access. We can also consider preparing a landing page on the cafe domain (if not too difficult for a newbie like me)

bluewavenet commented 1 year ago

If your computer has an ethernet interface (rj45 socket or usb ethernet dongle), we can use the safe way. You will need to set your computer to have a fixed ip address of 192.168.1.2. Do you know how to do this? Is your computer running Windows?

RyukMy commented 1 year ago

I have Mac and Windows. I know how to do this.

bluewavenet commented 1 year ago

OK then, with the Mac set to 192.168.1.2 and the ethernet cable connected from Mac to the lan port of the mt300n-v2,

  1. Unplug the micro-usb power lead
  2. Press and hold the reset button and plug the power back in, don't release the reset button yet.
  3. Wait for the led lights to stop flashing, leaving just two adjacent lights on, then release the button.
  4. On the mac, browse to http://192.168.1.1 where you will see a reflash page.
  5. Select the previously downloaded sysupgrade file.
  6. Do the reflash.

After a few minutes it will be done. Then we can go to the next step, enabling the wifi.

RyukMy commented 1 year ago

Done.

RyukMy commented 1 year ago

I assume that operating frequency will be N. While mode should be ???

bluewavenet commented 1 year ago

Sorry, I've been busy.

I assume that operating frequency will be N.

The "operating frequency" is set by channel number. 2GHz wifi can use channels 1 to 14 depending on country.

Assuming you are still in the original state just after reflashing do:

  1. Set your computer back to DHCP instead of a static ip address.
  2. Connect your computer using an ethernet cable to the lan port on the mt300n-v2
  3. Your computer should get an ip address allocated by dhcp.
  4. Open an ssh terminal window at 192.168.1.1
  5. Run the command uci set wireless.radio0.disabled='0'
  6. Run the command uci set wireless.radio0.country='MY' - assuming your country code is MY
  7. Run the command uci set wireless.radio0.channel='5' - or the channel number you want (default is channel 1)
  8. Run the command uci commit wireless - this saves the changes.
  9. Run the command uci set network.lan.ipaddr='10.168.1.1' - this sets the ip address subnet, making sure it does not clash with your isp's router.
  10. Run the command uci commit network
  11. Run the command exit - logging you out from the terminal session.
  12. Disconnect the ethernet cable from your computer.
  13. Unplug the usb power lead from the mt300n-v2, then plug it back in (hard reboot)
  14. Wait for the leds to stabilise (a couple of minutes or so)
  15. On your computer, search for the wireless network "OpenWrt"
  16. Connect to OpenWrt. Your computer should get an ip address in the 10.168.1.x range.
  17. If the mt300n-v2 wan port is connected to a lan port on your isp's router, your computer should have Internet access.

If this is successful we are ready for the next step. Let me know ;-)
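
An added example, not part of this thread or of openNDS: the steps above are typed by hand, and the one that bites people is step 9, picking a LAN subnet that does not clash with the ISP router. This POSIX sh script validates the country code, the 2.4GHz channel and both addresses, refuses a LAN address that sits in the same /24 as the upstream gateway, and only then prints the uci commands so they can be reviewed before being piped to sh on the router. The /24 assumption and the 200-byte-free style of output are mine; the command names are the ones from the steps above.

```shell
#!/bin/sh
# Added example (not from the thread or the openNDS project): generate the uci
# commands from the WiFi/LAN steps above only after validating the inputs.
# Assumption: both the LAN and the ISP side are /24 networks.

# ip4_to_int A.B.C.D: print the address as a 32-bit integer, fail on bad input
ip4_to_int() {
    a=${1%%.*}; rest=${1#*.}
    b=${rest%%.*}; rest=${rest#*.}
    c=${rest%%.*}; d=${rest#*.}
    [ "$a.$b.$c.$d" = "$1" ] || return 1          # exactly four dotted fields
    for octet in "$a" "$b" "$c" "$d"; do
        case $octet in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac   # digits only, no leading zero
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# same_net24 IP1 IP2: succeed if both addresses are in the same /24
same_net24() {
    x=$(ip4_to_int "$1") || return 2
    y=$(ip4_to_int "$2") || return 2
    [ $(( x & 4294967040 )) -eq $(( y & 4294967040 )) ]    # mask 255.255.255.0
}

# wifi_lan_uci COUNTRY CHANNEL LAN_IP UPSTREAM_IP: print the uci commands, or
# fail with a reason on stderr and print nothing
wifi_lan_uci() {
    country=$1; channel=$2; lanip=$3; upstream=$4
    printf '%s' "$country" | grep -q '^[[:upper:]]\{2\}$' \
        || { echo "country must be two upper-case letters: '$country'" >&2; return 1; }
    case $channel in ''|*[!0-9]*) echo "channel must be a number: '$channel'" >&2; return 1 ;; esac
    if [ "$channel" -lt 1 ] || [ "$channel" -gt 14 ]; then
        echo "2.4GHz channel must be 1..14: $channel" >&2; return 1
    fi
    ip4_to_int "$lanip" >/dev/null || { echo "bad LAN address: '$lanip'" >&2; return 1; }
    ip4_to_int "$upstream" >/dev/null || { echo "bad upstream address: '$upstream'" >&2; return 1; }
    if same_net24 "$lanip" "$upstream"; then
        echo "LAN $lanip is in the same /24 as the ISP router $upstream, pick another subnet" >&2
        return 1
    fi
    cat <<EOF
uci set wireless.radio0.disabled='0'
uci set wireless.radio0.country='$country'
uci set wireless.radio0.channel='$channel'
uci commit wireless
uci set network.lan.ipaddr='$lanip'
uci commit network
EOF
}

# Review first, then apply on the router:
#   wifi_lan_uci MY 5 10.168.1.1 192.168.1.254 > /tmp/lan.sh && sh /tmp/lan.sh
if [ $# -ge 4 ]; then
    wifi_lan_uci "$@"
fi
```

The upstream address is whatever the router received on its wan port from the ISP (the status output later in this thread shows 192.168.1.254); with that as the fourth argument the script rejects any LAN address in 192.168.1.0/24.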

RyukMy commented 1 year ago

Working perfectly

bluewavenet commented 1 year ago

@RyukMy Now to install openNDS.

In an ssh terminal session, do:

opkg update
opkg install opennds

After a couple of minutes, openNDS should be running. Check it with: ndsctl status

Your computer will probably pop up the login page (depending on its operating system and browser versions). If not, in the browser, go to http://status.client

Also try connecting with your mobile phone.

RyukMy commented 1 year ago

I got this:

==================
openNDS Status
====
Version: 10.1.3
Uptime: 28s
Gateway Name: [ openNDS Node:9483c42eed7f  ]
Debug Level: [ 1 ]
Gateway FQDN: [ status.client ]
Managed interface: br-lan
Upstream gateway(s) [ online:192.168.1.254,eth0.2  ]
MHD Server [ version 0.9.75 ] listening on: http://10.168.1.1:2050
Maximum Html Page size is [ 10240 ] Bytes
Preemptive Authentication is Enabled
Binauth Script: /usr/lib/opennds/binauth_log.sh
Preauth Script: /usr/lib/opennds/libopennds.sh
FAS: Secure Level 1, URL: http://status.client:2050/opennds_preauth/
Client Check Interval: 15s
Rate Check Window: 2 check intervals (30s)
Preauthenticated Client Idle Timeout: 30m
Authenticated Client Idle Timeout: 120m
Download rate limit threshold (default per client): no limit
Upload rate limit threshold (default per client): no limit
Download quota (default per client): no limit
Upload quota (default per client): no limit
Total download: 44 kByte; average: 13.01 kbit/s
Total upload: 42 kByte; average: 12.49 kbit/s
====
Client authentications since start: 0
Current clients: 0
====
Trusted MAC addresses: none
Walled Garden FQDNs: none
Walled Garden Ports: none
========
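
An added example, not part of this thread or of openNDS: the status dump above is what an operator sees by hand, but the same values are worth checking from a cron job once the portal is live. This POSIX sh script parses the "Label: value" lines of ndsctl status (the "[ ]" wrapper removed), extracts the FAS secure level, and reports findings: a secure level below what the operator expects, trusted MAC entries (which skip the login page), and a debug level above 1. SAMPLE is constructed from the dump above; the expected level is a parameter because it depends on how FAS is deployed (1 is what this local setup shows).

```shell
#!/bin/sh
# Added example (not from the thread or the openNDS project): parse and check
# "ndsctl status" output. SAMPLE is constructed from the dump in the thread.

SAMPLE='==================
openNDS Status
====
Version: 10.1.3
Uptime: 28s
Gateway Name: [ openNDS Node:9483c42eed7f  ]
Debug Level: [ 1 ]
Gateway FQDN: [ status.client ]
Managed interface: br-lan
Upstream gateway(s) [ online:192.168.1.254,eth0.2  ]
MHD Server [ version 0.9.75 ] listening on: http://10.168.1.1:2050
Preemptive Authentication is Enabled
FAS: Secure Level 1, URL: http://status.client:2050/opennds_preauth/
Preauthenticated Client Idle Timeout: 30m
Authenticated Client Idle Timeout: 120m
====
Client authentications since start: 0
Current clients: 0
====
Trusted MAC addresses: none
Walled Garden FQDNs: none
Walled Garden Ports: none
========'

# status_value TEXT LABEL: the value after "LABEL:" with the "[ ]" wrapper removed
status_value() {
    printf '%s\n' "$1" | sed -n "s/^$2: *//p" | sed 's/^\[ *//; s/ *\]$//' | head -n 1
}

# status_kv TEXT: every "Label: value" line as Label=value, ready for a log shipper
status_kv() {
    printf '%s\n' "$1" | sed -n 's/^\([A-Za-z][A-Za-z ()]*\): */\1=/p' | sed 's/=\[ */=/; s/ *\]$//'
}

# fas_secure_level TEXT: the N from "FAS: Secure Level N, URL: ..." (empty if absent)
fas_secure_level() {
    printf '%s\n' "$1" | sed -n 's/^FAS: Secure Level \([0-9]*\),.*/\1/p'
}

# status_warnings TEXT EXPECTED_LEVEL: print one line per finding; the exit
# status is the number of findings, so 0 means all clear
status_warnings() {
    text=$1; want=${2:-1}; n=0
    lvl=$(fas_secure_level "$text")
    if [ -z "$lvl" ]; then
        echo "WARN: no FAS line found in the status output"; n=$((n + 1))
    elif [ "$lvl" -lt "$want" ]; then
        echo "WARN: FAS secure level is $lvl, expected at least $want"; n=$((n + 1))
    fi
    tm=$(status_value "$text" "Trusted MAC addresses")
    if [ -n "$tm" ] && [ "$tm" != none ]; then
        echo "NOTE: trusted MACs skip the login page, confirm they are still wanted: $tm"; n=$((n + 1))
    fi
    if [ "$(status_value "$text" "Debug Level")" -gt 1 ] 2>/dev/null; then
        echo "NOTE: debug level above 1 writes verbose logs"; n=$((n + 1))
    fi
    return $n
}

# On the router:  status_warnings "$(ndsctl status)" 1 || logger -t portal-check "findings: $?"
```

Once the thread moves the FAS to an https server, the same check is run with the expected level raised to whatever that deployment reports, so a router that silently fell back to a lower level shows up as a finding.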

RyukMy commented 1 year ago

[screenshot: the openNDS login page with three areas marked in red]

How to modify the points in the squares and how to request name and contact?

bluewavenet commented 1 year ago

@RyukMy

to request name and contact?

Open the ssh terminal session again.

Do:

uci set opennds.@opennds[0].login_option_enabled='2'
uci commit opennds
service opennds restart

Now you should get a username/email address login.

Let me know.

Next step is to change things....

RyukMy commented 1 year ago

Everything works perfectly...

bluewavenet commented 1 year ago

@RyukMy Now let's change things.

Your top red box. This is the GatewayName with a unique serial number suffix (this is very useful if you have numerous instances of openNDS installed for example in a chain of coffee shops all using a central FAS - you will know which shop a client is at).

As usual, in an ssh terminal session, do:

uci set opennds.@opennds[0].enable_serial_number_suffix='0'

This, as you might guess, switches off the serial number suffix.

Now while we are at it we can change the name.

uci set opennds.@opennds[0].gatewayname='RyukMy Coffee Shop'

And as usual, we save the changes: uci commit opennds

And restart openNDS to make the changes take effect:

service opennds restart

However, now that openNDS is fully operational, after a restart it will automatically log back in any authenticated clients.

So to see the results, you need to log out.

Wait a couple of minutes after you did the restart, then, in the browser on your client that was logged in before the reset, you will see you still have an Internet connection as your session had not expired so openNDS logged you back in.

To log out, on the browser, go to http://status.client. There you can click to log out.

Now you can log back in.

You will see that your top red box has changed.

We will deal with the second red box later.

For the third red box, the logo image: do you have an example?

For testing we can use your Github avatar and tell openNDS to automatically download it. (It is a bit low resolution, but a quick example we can try)

But first let me know if the top red box has changed ;-)

RyukMy commented 1 year ago

Yes, it is changed.

I have the image. Let me know the correct parameters so I will set it. I can put it in Google Drive and share the link from there.

RyukMy commented 1 year ago

Also, after login can I redirect the person to a specific website or social media page? I will need to change the SSID name after. Should I not put a password on LuCI?

bluewavenet commented 1 year ago

@RyukMy

This is an example from my test system of what you should get when you are logged in and you go to http://status.client:

[screenshot]

And this is what it looks like if you click "logout":

[screenshot]

Now if you click "Continue", you should be back at the username/email address page.

If not you might have missed out one of the "commit" commands.

Let me know.

Ref. the logo, yes, put it in Google Drive and give me the url. I will make sure it works then give you the uci commands to enter.

RyukMy commented 1 year ago

Yes, I have the same screens now.

This is the link of the logo:

https://drive.google.com/file/d/19MVvRb2eXNL5O1y4RLByhz2PAwR0vDk_/view?usp=sharing

bluewavenet commented 1 year ago

@RyukMy

after login can I redirect the person to a specific website or social media page?

You can, but almost all client devices will immediately close the page for security reasons as otherwise an unscrupulous party could redirect to a spoof banking page or whatever the client thought they wanted to go to...

So the real answer is NO ! You can put information and advertising on the pre-authentication page though. We can look at that later.

RyukMy commented 1 year ago

OK.

bluewavenet commented 1 year ago

@RyukMy Google Drive will only allow downloads to browsers with javascript support enabled, so openNDS cannot access it. Is it available or can it be made available on a web site as the .jpg file?

bluewavenet commented 1 year ago

@RyukMy We can load the logo file here in this issue. Then it is available as a simple download with no obfuscation involved by Google.....

RyukMy commented 1 year ago

https://liasgastronomy.com/wp-content/uploads/2023/09/finallyFINAL-scaled.jpg

Check this one

bluewavenet commented 1 year ago

@RyukMy

Check this one

Perfect. I'll test it here first, then give you the commands............

bluewavenet commented 1 year ago

@RyukMy Actually, can you make a 400x400 version of this as it will save a little bit of memory on the router and higher resolution is not necessary here. Perhaps call it portal-logo.jpg.

RyukMy commented 1 year ago

Will do.

RyukMy commented 1 year ago

https://liasgastronomy.com/wp-content/uploads/2023/09/portal-logo.jpeg

bluewavenet commented 1 year ago

@RyukMy Sorry for the big delay while I got on with the day job ;-)

Ok, back into an ssh terminal session:

Tell openNDS where to get the logo file and where to put it:

uci add_list opennds.@opennds[0].fas_custom_images_list='splash_jpg=https://liasgastronomy.com/wp-content/uploads/2023/09/portal-logo.jpeg'

Give openNDS a script to do the downloading:

uci set opennds.@opennds[0].themespec_path='/usr/lib/opennds/client_params.sh'

Create a link so the themespec displays the logo:

ln -s -f /tmp/ndsremote/splash.jpg /etc/opennds/htdocs/images/splash.jpg

Finally commit the changes and restart:

uci commit opennds
service opennds restart

I think I got that right - let me know if it works......
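
An added example, not part of this thread or of openNDS: with the configuration above the router downloads whatever the URL returns and the symlink makes that file the portal logo. If the web host answers with an HTML error page instead of the image (exactly what happens later in this thread with WordPress), that page would be served as splash.jpg. This POSIX sh script checks that the downloaded file really starts with the JPEG SOI marker and is not larger than a limit before creating the link; the paths are parameters and the 200 KiB default limit is my assumption (a 400x400 JPEG is far below it).

```shell
#!/bin/sh
# Added example (not from the thread or the openNDS project): only link the
# downloaded logo into htdocs when it is a JPEG of sensible size.

# is_jpeg FILE: succeed only if FILE is non-empty and starts with bytes FF D8 FF
is_jpeg() {
    [ -s "$1" ] || return 1
    sig=$(od -An -N3 -tx1 "$1" | tr -d ' \n')
    [ "$sig" = "ffd8ff" ]
}

# install_logo SRC DEST [MAXBYTES]: link SRC to DEST after the checks pass;
# the 204800-byte default is an assumption, not an openNDS limit
install_logo() {
    src=$1; dest=$2; max=${3:-204800}
    is_jpeg "$src" || { echo "refusing $src: not a JPEG" >&2; return 1; }
    size=$(wc -c < "$src" | tr -d ' ')
    [ "$size" -le "$max" ] || { echo "refusing $src: $size bytes exceeds $max" >&2; return 1; }
    ln -s -f "$src" "$dest"
}

# On the router, after openNDS has fetched the file named in fas_custom_images_list:
#   install_logo /tmp/ndsremote/splash.jpg /etc/opennds/htdocs/images/splash.jpg
if [ $# -ge 2 ]; then
    install_logo "$@"
fi
```

Run it once after each restart that re-downloads the image, or from the themespec script if you prefer the check to happen automatically; a refused file leaves the previous link untouched.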

RyukMy commented 1 year ago

You got it right. Working nicely.

bluewavenet commented 1 year ago

@RyukMy Now you have had a little experience configuring openNDS, we should probably look at the resulting config file.

Display it in a terminal session: uci export opennds

This should give the same result as: cat /etc/config/opennds

Before moving on to customisation, we need to answer some important questions to determine if what we have done so far is the best way forward.

For example you could easily configure a "remote" FAS that would run on an Internet server for example on https://liasgastronomy.com/

The advantages of this would be:

  1. Users will, if they know how to look, see https when they log in, giving them confidence in the system. (i.e. a warm cosy feeling for those with a paranoid outlook /s )
  2. You can access the web server's opennds access database remotely from anywhere.
  3. This is a scalable solution if Lia's have or eventually have multiple venues.
  4. The mt300n-v2 handles it with no problems at all. If anything, response will be faster.
  5. This is pretty much just as simple to set up, but easier to modify content day to day as changes will be on the Internet, not on the router.

Disadvantages:

  1. It needs php support on an Internet hosted web server - but almost all have this...
  2. It needs more flash and ram on the router - but the mt300n-v2 has more than enough...
  3. I can't think of anything else ;-)

Your feedback is needed.

RyukMy commented 1 year ago

Hi, I'm not at home today so I will check the resulting config file later.

Regarding the other questions. If you can guide me, we can do the FAS.

RyukMy commented 1 year ago

So, this is the result and is the same for both commands...

package opennds

config opennds
    option faskey 'cb13e11fd3074afb250a448c63dfd0f8464cbe304f8811a032f194c3a40daaf5'
    option login_option_enabled '2'
    option enable_serial_number_suffix '0'
    option gatewayname 'Lias Pie in the Sky'
    list fas_custom_images_list 'splash_jpg=https://liasgastronomy.com/wp-content/uploads/2023/09/portal-logo.jpeg'
    option themespec_path '/usr/lib/opennds/client_params.sh'

bluewavenet commented 1 year ago

@RyukMy I see you are using WordPress for the web site. The FAS server has to be outside the WordPress environment. With most hosting systems this is fully supported with WordPress present as a content management App for the underlying web server - although some specific WP hosting blocks this.

If you can create a directory in the web root of the server (often Apache or similar) and put files in there and access them, then we are good to go!

For uploading you will need SFTP or FTP. Are you able to do this on the hosting server?

On a Linux or Mac computer you can mount the web server file system directly. On windows you will have to use something like WinSCP.

RyukMy commented 1 year ago

I have full access to the cPanel and also SFTP or FTP

bluewavenet commented 1 year ago

@RyukMy

I have full access to the cPanel and also SFTP or FTP

Perfect.

First we will add some packages to the mt300n-v2.

As usual in a terminal session:

Tell OpenWrt to get a list of official packages

opkg update

Make sure this completes without any errors.

Now add sftp support

opkg install openssh-sftp-server

and add PHP cli support

opkg install php8-cli

Finally for the router, add the php ssl module

opkg install php8-mod-openssl

Now you should be able to access the mt300n-v2's filesystem using sftp. On a Mac or Linux box you should be able to just browse to sftp://10.168.1.1 in the filer app.

Let me know if you can.

RyukMy commented 1 year ago

Done. By putting the link in the browser it opens Cyberduck and seems to be working

bluewavenet commented 1 year ago

@RyukMy

Cyberduck

??????

Can you access the mt300n-v2's file system using an sftp client?

RyukMy commented 1 year ago

Cyberduck is like Filezilla

bluewavenet commented 1 year ago

@RyukMy AH! I looked up Cyberduck :-D

Ok then, you need to copy a file from the mt300n-v2 to your liasgastronomy web server.

Create a folder in the web root, let's call it "fas".

Now copy the file /etc/opennds/fas-aes-https.php on the mt300n-v2 to the fas folder on your liasgastronomy web server.

RyukMy commented 1 year ago

Done.

bluewavenet commented 1 year ago

@RyukMy It would be ideal if it appeared as https://liasgastronomy.com/fas/fas-aes-https.php

RyukMy commented 1 year ago

Done

bluewavenet commented 1 year ago

@RyukMy https://liasgastronomy.com/fas/fas-aes-https.php is giving me the default "Get Ready" WordPress page... Probably a WP 404 error. It should give a blank page if accessed directly, maybe it is not active yet and I need to wait a few minutes.......

RyukMy commented 1 year ago

Probably the landing page doesn't allow seeing other pages.

bluewavenet commented 1 year ago

@RyukMy This is what it looks like on my server if accessed directly: https://blue-wave.net/testing/fas-aes-https.php

So yes WP is intercepting requests. It needs to be outside WordPress. It can be any domain name if necessary.
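
An added example, not part of this thread or of openNDS: the check being done by hand here (does the FAS URL give the blank page the PHP script produces, or does WordPress answer instead?) can be scripted so it is repeated after every hosting change. The POSIX sh function below reads a saved HTTP response (status line, headers, blank line, body, as written by curl -si) from stdin and returns a one-word verdict: ok, redirect, error, intercepted or unexpected. The three sample responses are constructed; the "blank page means the script is served directly" rule is the one stated in the comment above.

```shell
#!/bin/sh
# Added example (not from the thread or the openNDS project): classify a saved
# response for the remote FAS URL. Usage:
#   curl -si https://portal.example.com/fas/fas-aes-https.php | fas_probe_verdict

# Constructed sample responses (not captured from any real server)
SAMPLE_OK='HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 0

'
SAMPLE_WP='HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html><html><head><title>Get Ready</title></head><body>Coming soon</body></html>'
SAMPLE_REDIR='HTTP/1.1 302 Found
Location: https://liasgastronomy.com/

'

# fas_probe_verdict: read the response from stdin, print "verdict: reason",
# exit 0 only for the expected blank 200 page
fas_probe_verdict() {
    raw=$(tr -d '\r')
    status=$(printf '%s\n' "$raw" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p')
    # the body is everything after the first blank line
    body=$(printf '%s\n' "$raw" | awk 'body { print } /^$/ { body = 1 }')
    case $status in
        '')      echo "invalid: no HTTP status line"; return 1 ;;
        3??)     echo "redirect: $status, the request is sent elsewhere (WordPress or a hosting rule)"; return 1 ;;
        4??|5??) echo "error: $status from the web server"; return 1 ;;
        200)     ;;
        *)       echo "unexpected: status $status"; return 1 ;;
    esac
    if [ -z "$(printf '%s' "$body" | tr -d ' \t\n')" ]; then
        echo "ok: 200 with an empty body, the PHP file is served directly"
        return 0
    fi
    case $body in
        *"<!DOCTYPE"*|*"<!doctype"*|*"<html"*|*"<HTML"*)
            echo "intercepted: 200 but an HTML page came back, WordPress or a landing page owns this URL"
            return 1 ;;
    esac
    echo "unexpected: 200 with a non-HTML body"
    return 1
}
```

A non-zero exit from the function is the signal to keep the FAS out of the WordPress tree, for example on a separate subdomain as suggested below, and to re-run the probe after the change.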

bluewavenet commented 1 year ago

@RyukMy You could define a subdomain in cpanel. i.e. https://portal.liasgastronomy.com/fas/fas-aes-https.php

RyukMy commented 1 year ago

We can use this:

https://petscaboodle.com/fas/fas-aes-https.php

bluewavenet commented 1 year ago

@RyukMy petscaboodle would be ok for testing, but if you want this to eventually go live, portal.liasgastronomy would make more sense.

RyukMy commented 1 year ago

I have to check why it is not working. They have the same settings but for a strange reason it doesn't work.

I will update once I get it working.