Re: [Dorset] Setting up a URL Filter and Cascading Routers

2018-06-15 Thread Terry Coles
On Friday, 15 June 2018 12:44:14 BST Ralph Corderoy wrote:
> Right.  Terry, I think you have
> 
> Visitors — Pi — ISP-router — Internet

That's it exactly.

> since you said the Pi has two Ethernet interfaces.  nodogsplash is
> `listening' on the Pi's left side to decide what to do with incoming
> packets from Visitors.  It is the `Gateway' from the Visitors'
> perspective.
> 
> Its `GatewayInterface' parameter must be set by you and is an interface
> name, e.g. one of those output by `ip a'.  The `GatewayAddress'
> parameter you point out says `Default: Discovered from GatewayInterface'
> so there should be no need to explicitly set it.
> 
> I think nodogsplash does all its work with iptables(8), and these can be
> listed once nodog' has done its work if you want to understand what it's
> done, and to do the same rules yourself so nodog' isn't required.

Thanks for that.

-- 
Terry Coles

-- 
Next meeting:  Bournemouth, Tuesday, 2018-07-03 20:00
Meets, Mailing list, IRC, LinkedIn, ...  http://dorset.lug.org.uk/
New thread:  mailto:dorset@mailman.lug.org.uk / CHECK IF YOU'RE REPLYING
Reporting bugs well:  http://goo.gl/4Xue / TO THE LIST OR THE AUTHOR

Re: [Dorset] Setting up a URL Filter and Cascading Routers

2018-06-15 Thread PeterMerchant via dorset

> Right. Terry, I think you have
>
>  Visitors — Pi — ISP-router — Internet
>
> since you said the Pi has two Ethernet interfaces.  nodogsplash is
> `listening' on the Pi's left side to decide what to do with incoming
> packets from Visitors.  It is the `Gateway' from the Visitors'
> perspective.
>
> Its `GatewayInterface' parameter must be set by you and is an interface
> name, e.g. one of those output by `ip a'.  The `GatewayAddress'
> parameter you point out says `Default: Discovered from GatewayInterface'
> so there should be no need to explicitly set it.
>
> I think nodogsplash does all its work with iptables(8), and these can be
> listed once nodog' has done its work if you want to understand what it's
> done, and to do the same rules yourself so nodog' isn't required.
>
> Cheers, Ralph.

Just seen all this and wonder whether IPCop might be a solution, if it 
is still available. It could separate the visitors from the rest of the 
network.  Who knows, it might even run on a Pi, though I think you are 
looking at three Ethernet ports with this as a solution.


Peter M.



Re: [Dorset] Setting up a URL Filter and Cascading Routers

2018-06-15 Thread Ralph Corderoy
Hi Patrick,

> > # Set GatewayAddress to the IP address of the router on
> > # the GatewayInterface.  This is the address that the Nodogsplash
> > # server listens on.
> > #
> > # GatewayAddress 192.168.1.1
> > 
> > I assumed that this was referring to the IP address of the Internet
> > side of the Pi, but see now that they are probably referring to the
> > IP Address of the router.
>
> No. In your case, it refers to the "internal" IP address of the Pi in
> its role as a router. That is to say, the IP address of the LAN-side
> interface of the Pi.

Right.  Terry, I think you have

Visitors — Pi — ISP-router — Internet

since you said the Pi has two Ethernet interfaces.  nodogsplash is
`listening' on the Pi's left side to decide what to do with incoming
packets from Visitors.  It is the `Gateway' from the Visitors'
perspective.

Its `GatewayInterface' parameter must be set by you and is an interface
name, e.g. one of those output by `ip a'.  The `GatewayAddress'
parameter you point out says `Default: Discovered from GatewayInterface'
so there should be no need to explicitly set it.

I think nodogsplash does all its work with iptables(8), and these can be
listed once nodog' has done its work if you want to understand what it's
done, and to do the same rules yourself so nodog' isn't required.

Cheers, Ralph.


Re: [Dorset] Setting up a URL Filter and Cascading Routers

2018-06-15 Thread Terry Coles
On Friday, 15 June 2018 12:16:32 BST Patrick Wigmore wrote:
> On Fri, 15 Jun 2018 11:58:42 +0100, Terry Coles wrote:
> > I assumed that this was referring to the IP address of the Internet
> > side of the Pi, but see now that they are probably referring to the
> > IP Address of the router.
> 
> No. In your case, it refers to the "internal" IP address of the Pi in
> its role as a router. That is to say, the IP address of the LAN-side
> interface of the Pi. I suppose this might be the IP address that you
> are serving your local website on.

Ah.  No problem there then.

> It should be the same address that already appears as the gateway
> address on DHCP clients of the Pi (people's phones). (Assuming DHCP
> has been configured to specify a gateway address.)

Yes.  It has.  DHCP is being provided by the WiFi Antenna.
 
> You also have to specify the interface name (e.g. eth1), so I suppose
> the IP address could be autodetected from that, which might be a more
> robust configuration in case the address ever needs to be changed.

eth0 in this case.  eth1 is the interface to the ISP supplied Router.

> On an OpenWRT system, the gateway interface would typically be
> something like br-lan; a bridge across multiple physical interfaces,
> such as ethernet ports and wifi networks. On your Pi, it will likely
> be a single physical interface.

So the references to OpenWRT are for when the NODogSplash system is being 
installed on the ISP supplied Router.  This was never considered to be an 
option, hence the idea of putting it on the Pi and turning the Pi into a 
Router.

> On a router running OpenWRT, there might be more than one LAN-side
> interface, so you would specify which one. For example, you might run
> both a private LAN and a guest LAN on the same router.

My problem (as always with these things), is understanding the terminology.

-- 
Terry Coles

Re: [Dorset] Setting up a URL Filter and Cascading Routers

2018-06-15 Thread Patrick Wigmore
On Fri, 15 Jun 2018 11:58:42 +0100, Terry Coles wrote:
> I think that I may have mis-understood the config file commentary (I
> haven't actually done that bit yet), but I found the following at
> line 170:
> 
> # This should be autodetected on an OpenWRT system, but if not:
> 
> # Set GatewayAddress to the IP address of the router on
> # the GatewayInterface.  This is the address that the Nodogsplash
> # server listens on.
> #
> # GatewayAddress 192.168.1.1
> 
> I assumed that this was referring to the IP address of the Internet
> side of the Pi, but see now that they are probably referring to the
> IP Address of the router.

No. In your case, it refers to the "internal" IP address of the Pi in 
its role as a router. That is to say, the IP address of the LAN-side 
interface of the Pi. I suppose this might be the IP address that you 
are serving your local website on.

It should be the same address that already appears as the gateway 
address on DHCP clients of the Pi (people's phones). (Assuming DHCP 
has been configured to specify a gateway address.)

You also have to specify the interface name (e.g. eth1), so I suppose 
the IP address could be autodetected from that, which might be a more 
robust configuration in case the address ever needs to be changed.

On an OpenWRT system, the gateway interface would typically be 
something like br-lan; a bridge across multiple physical interfaces, 
such as ethernet ports and wifi networks. On your Pi, it will likely 
be a single physical interface.

On a router running OpenWRT, there might be more than one LAN-side 
interface, so you would specify which one. For example, you might run 
both a private LAN and a guest LAN on the same router.
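
Patrick's and Ralph's replies above both come down to one check: GatewayInterface names the visitor-facing interface, and GatewayAddress, if set at all, must be that interface's own address. The script below is an added example, not part of the thread or of nodogsplash; the config fragment, the `ip -o -4 addr show` lines and the 10.0.0.1 visitor-side address are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: sanity-check GatewayInterface / GatewayAddress.
# SAMPLE_CONF and SAMPLE_IP are constructed. On a real Pi, pass in the
# contents of nodogsplash.conf and the output of `ip -o -4 addr show`.

SAMPLE_CONF='# visitor-facing side of the Pi
GatewayInterface eth0
# GatewayAddress 192.168.1.1'

SAMPLE_IP='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 10.0.0.1/24 brd 10.0.0.255 scope global eth0
3: eth1    inet 192.168.1.57/24 brd 192.168.1.255 scope global dynamic eth1'

# conf_value KEY CONF: value of the first uncommented "KEY value" line.
conf_value() {
    printf '%s\n' "$2" | awk -v k="$1" '$1 == k { print $2; exit }'
}

# iface_addr IFACE IPOUT: IPv4 address of IFACE, prefix length stripped.
iface_addr() {
    printf '%s\n' "$2" | awk -v i="$1" \
        '$2 == i && $3 == "inet" { sub(/\/.*/, "", $4); print $4; exit }'
}

# check_gateway CONF IPOUT: print a verdict, return non-zero on a mismatch.
check_gateway() {
    iface=$(conf_value GatewayInterface "$1")
    addr=$(conf_value GatewayAddress "$1")
    if [ -z "$iface" ]; then
        echo "error: GatewayInterface is not set"; return 1
    fi
    case $iface in
        [0-9]*.[0-9]*.[0-9]*.[0-9]*)
            echo "error: GatewayInterface wants a name like eth0, not an address"
            return 1 ;;
    esac
    found=$(iface_addr "$iface" "$2")
    if [ -z "$found" ]; then
        echo "error: $iface has no IPv4 address"; return 1
    fi
    # An explicit GatewayAddress must be the Pi's own address on that
    # interface, not the address of the ISP router on the other side.
    if [ -n "$addr" ] && [ "$addr" != "$found" ]; then
        echo "error: GatewayAddress $addr is not the address of $iface ($found)"
        return 1
    fi
    echo "ok: $iface $found"
}

check_gateway "$SAMPLE_CONF" "$SAMPLE_IP"
```

With GatewayAddress left commented out, the check passes on the interface name alone; setting it to the ISP router's address, the misreading discussed in the thread, is reported as a mismatch.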


Re: [Dorset] Setting up a URL Filter and Cascading Routers

2018-06-15 Thread Terry Coles
On Friday, 15 June 2018 11:58:42 BST Terry Coles wrote:
> I know that the DHCP range is 192.168.1.xxx, because ipconfig on the Office
> computer yielded a number in that range.  However, that's all I know.

Thinking about it, I should be able to get the Gateway Address from the 
results of ipconfig.  I'll check the next time I'm there.

-- 
Terry Coles

Re: [Dorset] Setting up a URL Filter and Cascading Routers

2018-06-15 Thread Terry Coles
On Friday, 15 June 2018 11:37:53 BST Ralph Corderoy wrote:
> I don't understand the problem.  What parameter is it in
> https://github.com/nodogsplash/nodogsplash/blob/master/resources/nodogsplash.conf
> that needs a fixed IP address on the external side of the Pi?
> GatewayInterface wants an interface name, e.g. `ens35', not an IP
> address.

Thanks for pointing that out.

I think that I may have mis-understood the config file commentary (I haven't 
actually done that bit yet), but I found the following at line 170:

# This should be autodetected on an OpenWRT system, but if not:

# Set GatewayAddress to the IP address of the router on
# the GatewayInterface.  This is the address that the Nodogsplash
# server listens on.
#
# GatewayAddress 192.168.1.1

I assumed that this was referring to the IP address of the Internet side of 
the Pi, but see now that they are probably referring to the IP Address of the 
router.

Actually that still may be a problem, because the manual for the Router said 
that the Admin pages could be accessed by typing its IP Address into the 
browser, eg http://192.168.1.253, but that never worked.  However, typing the 
router name - http://dsldevice.lan produced the correct login dialog.

I know that the DHCP range is 192.168.1.xxx, because ipconfig on the Office 
computer yielded a number in that range.  However, that's all I know.

I still intend to implement the NoDogSplash software on the Pi Webserver, if 
only to get the auto Landing Page.  If after I've got it to work here, it then 
works at the WMT, then I'll be quite a happy bunny :-)

-- 
Terry Coles

Re: [Dorset] Setting up a URL Filter and Cascading Routers

2018-06-15 Thread Ralph Corderoy
Hi Terry,

> Unfortunately that has now failed because it seems that the WMT's ISP
> has locked down the supplied Router and do not allow admin logins.
> Without that, I cannot use a fixed IP Address on the Internet side of
> the RPi (which will have two Ethernet Adaptors) and so I cannot
> configure NoDogSplash to point the users at it.

I don't understand the problem.  What parameter is it in
https://github.com/nodogsplash/nodogsplash/blob/master/resources/nodogsplash.conf
that needs a fixed IP address on the external side of the Pi?
GatewayInterface wants an interface name, e.g. `ens35', not an IP
address.

Cheers, Ralph.


Re: [Dorset] Setting up a URL Filter and Cascading Routers

2018-06-14 Thread Hamish MB
Plan D can be don't use DHCP for your client and set a static IP that way - no 
router configuration needed. Just set it to something outside the DHCP lease 
range (often 192.168.1.1 - 100)

Hamish
On 14 Jun 2018, at 18:01, Terry Coles <d-...@hadrian-way.co.uk> wrote:

> Hi,
>
> At the Meeting last week, our half of the table was talking about providing
> limited access to the internet for our private network at the Wimborne Model
> Town.  The object of this is to allow Android phones access to their special
> sites to make them think they have full Internet Access.
>
> This problem has gone through several iterations:
>
> Plan A was to spoof the Google check sites from the local Webserver - this
> originally worked and still does in a limited way, but doesn't work with later
> versions of Android.
>
> Plan B was to apply for and obtain a full SSL Certificate for the WMT website
> and re-use it on the RPi Webserver - that failed because the WMT website
> maintainer doesn't seem to want to play along with that.
>
> Plan C was to interpose a URL filter between the local Webserver and the
> Office Router; we discussed that at the Meeting and on this list and the
> solution proposed was to use SquidGuard.  Subsequently, I found that the
> reconfiguration needed to SquidGuard to turn it from a Kids Guard tool to what
> we needed was pretty mega and someone on the RPi Forums suggested NoDogSplash,
> which provides a Captive Portal.
>
> Since a Captive Portal is exactly what we need (now I know what one is), I set
> out to do it.  Unfortunately that has now failed because it seems that the
> WMT's ISP has locked down the supplied Router and do not allow admin logins.
> Without that, I cannot use a fixed IP Address on the Internet side of the RPi
> (which will have two Ethernet Adaptors) and so I cannot configure NoDogSplash
> to point the users at it.
>
> The WMT Manager does not want to change the ISP/Router mid-season, (quite
> reasonable since the Point of Sale equipment is connected to it), so I feel
> that I've run out of solutions and therefore have no Plan D at present.
>
> However, someone has just suggested Cascading Routers.  I've looked into this,
> but it seems to me that this solution suffers from the same problem as Plan C,
> because the 2nd Router needs to have a fixed IP Address too.  (In fact, I feel
> that we would be cascading three routers even if we could get it to work,
> since the RPi (with its extra Ethernet Adaptor connected) is a router in its
> own right.)
>
> Any ideas for Plan D/E?


[Dorset] Setting up a URL Filter and Cascading Routers

2018-06-14 Thread Terry Coles
Hi,

At the Meeting last week, our half of the table was talking about providing 
limited access to the internet for our private network at the Wimborne Model 
Town.  The object of this is to allow Android phones access to their special 
sites to make them think they have full Internet Access.

This problem has gone through several iterations:

Plan A was to spoof the Google check sites from the local Webserver - this 
originally worked and still does in a limited way, but doesn't work with later 
versions of Android.

Plan B was to apply for and obtain a full SSL Certificate for the WMT website 
and re-use it on the RPi Webserver - that failed because the WMT website 
maintainer doesn't seem to want to play along with that.

Plan C was to interpose a URL filter between the local Webserver and the 
Office Router; we discussed that at the Meeting and on this list and the 
solution proposed was to use SquidGuard.  Subsequently, I found that the 
reconfiguration needed to SquidGuard to turn it from a Kids Guard tool to what 
we needed was pretty mega and someone on the RPi Forums suggested NoDogSplash, 
which provides a Captive Portal.

Since a Captive Portal is exactly what we need (now I know what one is), I set 
out to do it.  Unfortunately that has now failed because it seems that the 
WMT's ISP has locked down the supplied Router and do not allow admin logins.  
Without that, I cannot use a fixed IP Address on the Internet side of the RPi 
(which will have two Ethernet Adaptors) and so I cannot configure NoDogSplash 
to point the users at it.

The WMT Manager does not want to change the ISP/Router mid-season, (quite 
reasonable since the Point of Sale equipment is connected to it), so I feel 
that I've run out of solutions and therefore have no Plan D at present.

However, someone has just suggested Cascading Routers.  I've looked into this, 
but it seems to me that this solution suffers from the same problem as Plan C, 
because the 2nd Router needs to have a fixed IP Address too.  (In fact, I feel 
that we would be cascading three routers even if we could get it to work, 
since the RPi (with its extra Ethernet Adaptor connected) is a router in its 
own right.)

Any ideas for Plan D/E?


-- 
Terry Coles