# The options available here are an adaptation of the settings used in nodogsplash.conf. # See https://github.com/nodogsplash/nodogsplash/blob/master/resources/nodogsplash.conf config nodogsplash # Set to 0 to disable nodogsplash option enabled 1 # Set to 0 to disable hook that makes nodogsplash restart when the firewall restarts. # This hook is needed as a restart of Firewall overwrites nodogsplash iptables entries. option fwhook_enabled '1' # WebRoot # Default: /etc/nodogsplash/htdocs # # The local path where the splash page content resides. # ie. Serve the file splash.html from this directory #option webroot '/etc/nodogsplash/htdocs' # Use plain configuration file #option config '/etc/nodogsplash/nodogsplash.conf' # Use this option to set the device nodogsplash will bind to. # The value may be an interface section in /etc/config/network or a device name such as br-lan. option gatewayinterface 'br-lan' # GatewayPort # Default: 2050 # # Nodogsplash's own http server uses gateway address as its IP address. # The port it listens to at that IP can be set here; default is 2050. # #option gatewayport '2050' option gatewayname 'OpenWrt Nodogsplash' option maxclients '250' # Enables debug output (0-3) #option debuglevel '1' # Client timeouts in minutes option preauthidletimeout '30' option authidletimeout '120' # Session Timeout is the interval after which clients are forced out (a value of 0 means never) option sessiontimeout '1200' # The interval in seconds at which nodogsplash checks client timeout status option checkinterval '600' # Enable BinAuth Support. # If set, a program is called with several parameters on authentication (request) and deauthentication. # Request for authentication: # $ auth_client '' '' # # The username and password values may be empty strings and are URL encoded. # The program is expected to output the number of seconds the client # is to be authenticated. Zero or negative seconds will cause the authentification request # to be rejected. The same goes for an exit code that is not 0. # The output may contain a user specific download and upload limit in KBit/s: # # # Called on authentication or deauthentication: # $ <*auth|*deauth> # # "client_auth": Client authenticated via this script. # "client_deauth": Client deauthenticated by the client via splash page. # "idle_deauth": Client was deauthenticated because of inactivity. # "timeout_deauth": Client was deauthenticated because the session timed out. # "ndsctl_auth": Client was authenticated manually by the ndsctl tool. # "ndsctl_deauth": Client was deauthenticated by the ndsctl tool. # "shutdown_deauth": Client was deauthenticated by Nodogsplash terminating. # # Values session_start and session_start are in seconds since 1970 or 0 for unknown/unlimited. # #option binauth '/bin/myauth.sh' # Enable PreAuth Support. # # A simple login script is provided in the package. # This generates a login page asking for usename and email address. # User logins are recorded in the log file /tmp/ndslog.log # Details of how the script works are contained in comments in the script itself. # # The Preauth program will output html code that will be served to the client by NDS # Using html GET the Preauth program may call: # /nodogsplash_preauth/ to ask the client for more information # or # /nodogsplash_auth/ to authenticate the client # # The Preauth program should append at least the client ip to the query string # (using html input type hidden) for all calls to /nodogsplash_preauth/ # It must also obtain the client token using ndsctl (or the original query string if fas_secure_enabled=0) # for NDS authentication when calling /nodogsplash_auth/ # #option preauth '/usr/lib/nodogsplash/login.sh' # Your router may have several interfaces, and you # probably want to keep them private from the gatewayinterface. # If so, you should block the entire subnets on those interfaces, e.g.: #list authenticated_users 'block to 192.168.0.0/16' #list authenticated_users 'block to 10.0.0.0/8' # Typical ports you will probably want to open up. #list authenticated_users 'allow tcp port 22' #list authenticated_users 'allow tcp port 53' #list authenticated_users 'allow udp port 53' #list authenticated_users 'allow tcp port 80' #list authenticated_users 'allow tcp port 443' # Or for happy customers allow all list authenticated_users 'allow all' # For preauthenticated users to resolve IP addresses in their # initial request not using the router itself as a DNS server, # Leave commented to help prevent DNS tunnelling #list preauthenticated_users 'allow tcp port 53' #list preauthenticated_users 'allow udp port 53' # Allow ports for SSH/Telnet/DNS/DHCP/HTTP/HTTPS list users_to_router 'allow tcp port 22' list users_to_router 'allow tcp port 23' list users_to_router 'allow tcp port 53' list users_to_router 'allow udp port 53' list users_to_router 'allow udp port 67' list users_to_router 'allow tcp port 80' # MAC addresses that are / are not allowed to access the splash page # Value is either 'allow' or 'block'. The allowedmac or blockedmac list is used. #option macmechanism 'allow' #list allowedmac '00:00:C0:01:D0:0D' #list allowedmac '00:00:C0:01:D0:1D' #list blockedmac '00:00:C0:01:D0:2D' # MAC addresses that do not need to authenticate #list trustedmac '00:00:C0:01:D0:1D' # Nodogsplash uses specific HEXADECIMAL values to mark packets used by iptables as a bitwise mask. # This mask can conflict with the requirements of other packages such as mwan3, sqm etc # Any values set here are interpreted as in hex format. # # List: fw_mark_authenticated # Default: 30000 (0011|0000|0000|0000|0000 binary) # # List: fw_mark_trusted # Default: 20000 (0010|0000|0000|0000|0000 binary) # # List: fw_mark_blocked # Default: 10000 (0001|0000|0000|0000|0000 binary) # #option fw_mark_authenticated '30000' #option fw_mark_trusted '20000' #option fw_mark_blocked '10000'