Intro
At one point, Dave and I tried out the ZoneCD. It's a nice concept but it's extremely slow to boot/manage because it's running directly off of the CD. (No HD install allowed.) I find this to be a very annoying concept as it restricts the ability to "tweak the system" and severely limits the response time of just about anything associated with the system.
Following are my notes from our attempt to roll our own. Because of the size of the project, I've attempted to break it up into mini-HOWTOs. I've also included the output from the various build and configure commands, for future reference and/or troubleshooting.
Warning!! This is not a small project. It took roughly two weeks (the first time) just to install the WiFiDog software, its dependencies, and to document the steps here. For your first time, it will probably take the better part of a day to build and configure WiFiDog.
You may notice bits and pieces highlighted in RED. These are mostly notes to myself, indicating that further work or verbiage is needed. However, there are a few notes in the same color for anyone who attempts to follow this process.
Please note that this is a work in progress and content is subject to change. Please bear with me while I clean up the notes in the coming days.
To Do Here
- Indicate what prerequisites are optional.
- Update/write better "What is" descriptions.
- Transcribe this into a PDF
Goal
To have a working captive portal to which various monitoring and control functions can be added.
Recommendations
Regardless of the Linux distribution that you employ as the underlying OS (I used Mandriva Spring 2007), it is probably best to use the most recent version. This helps minimize the number of software version incompatibilities and the amount of time that you might have to spend in tracking down a specific version of a library or other dependency.
I also recommend reading all the way through these notes and all other documentation for the various programs included in the project. I've included the parts where I ran into trouble so, unless you want to make the same mistakes, you should have an idea of the proper "path" before you start.
Initial Feature Wishlist
In no particular order:
- Additional tool: BIND
- Additional tool: DHCPd
- Additional tool: Driftnet
- Additional tool: Etherape
- Additional tool: Kismet
- Additional tool: Nagios
- Additional tool: p0f
- Additional tool: Snort
- Additional tool: Spinning Cube of Impending Doom
- Additional tool: Squid
- Additional tool: TCPDump
- Additional tool: Wi-Spy
- Additional tool: Wireshark
Available Hardware
An older computer with 2 Ethernet NICs and a number of wireless APs of various make and manufacture. I'm hoping that the fact that the NICs are of two different MFRs/models will help in quickly identifying which is the internal interface and which is the external.
Need to list NICs, hd space, and system model here.
Initial Research
In looking for info, I found the following:
- ZeroShell from ZeroShell Net Services. It's a bit more than I'm looking for but is interesting enough that I'll probably try it first. Most noticeable shortcoming, without installing it, is that it's also a live CD distro.
- OS-Cafe from Open Source Cafe. Most notable shortcomings without trying it: it appears to be a cybercafe management system (not what I'm looking for), and all docs are in French (which I don't speak). I doubt that I'll revisit this.
- CaPo. This is a simple redirecter for Squid. I may need this later.
- Chillispot. This is a well-known open source captive portal. Most noticeable shortcoming, without installing it, is that the portal appears to need to be on the AP. This may be an inaccurate assumption.
- Linux LiveCD Hotspot Server appears to be another locked up, live CD-based, captive portal. Not sure that I'm coming back to this one.
- Captivator-GW. Another captive portal setup. This one works at layer 2, so it'll require an AP capable of "bridge mode". I may come back to this one.
- WiFree Project. Advertised as having an aim to build a universal, decentralized WiFi network. It's really not what I'm looking to do.
- WilmaGate. No comment at this time.
- Wifidog. This is the captive portal used in the ZoneCD distro. May be worth coming back to.
- Sweetspot. Appears to be a good tool to include in a kit. Good for the "build it yourself" crowd. (Me!)
- And last but definitely not least, NoCatNet. Old but useful.
Failed Attempt #1
First up, Zeroshell. A 99 MB download from a very slow site (10+ minutes) in Italy (I think). Browse the site while it's downloading. The list of open source components (at the bottom of the main page) displays why I'm reluctant to build a portal from scratch. It's also a good shopping list to use if I do get around to having to build my own portal.
Zeroshell loads quickly and presents a menu interface and (I believe) a web interface. It appears to run entirely out of RAM (where ZoneCD ran off of the CD). Overall, this may be the one that I come back to.
OS Install - Mandriva
Other than the live CD or in-an-AP options, you'll have to install the operating system yourself. For our choice, we picked Mandriva Spring 2007, mostly because it was on hand and it has a very large selection of pre-compiled software options.
Recommendation: Avoid the "Live CD" versions if you're using older equipment. They tend to be optimized for modern hardware and, to save space, don't work well (if at all) on older hardware.
When installing Mandriva (or any other OS for that matter), be sure to include the development packages because some of the following will require you to build code from source.
Configuring Network Interfaces
For Mandriva, you can use the command rpmdrake. It's also available in the menu under ...
Prerequisites
Following is what you'll need to do/install before attempting to build WiFiDog and WiFiDog-Auth. (Please note that this is Mandriva-centric but is easily adaptable to other distros.)
- Adding RPM Repositories
- iptables
- Apache and PHP
- mbstring
- PHP-XML
- PHP-DOM
- PHP-Curl
- PostgreSQL
- Smarty Template Engine
- Subversion
- MagpieRSS
- FCKeditor
- FPDF
- php-pgsql
- OpenSSL
- PEAR
- Phlickr
- PEAR Cache Lite
- php-radius
- auth_radius
- crypt_chap
- Image_Graph
- Image_Canvas
- Image_Color
- HTML_Safe-beta
- php-mcrypt
- php-mhash
- php-ldap
WiFiDog
What is WiFiDog?
WiFiDog's home page bills WiFiDog as "a complete and embeddable captive portal solution for wireless community groups or individuals who wish to open a free Hotspot while still preventing abuse of their Internet connection." Its use is not limited to wireless hotspots. It can be used anywhere you need to set up controlled public access to the Internet (libraries, conference rooms, etc.).
Installing WiFiDog
WiFiDog is one of those tools that you need to build from scratch, and the source code isn't available as a normal tarball. In other words, you need to "check out" the source code from WiFiDog's Subversion repository. This is done via the command:
svn checkout https://dev.wifidog.org/svn/trunk/wifidog
The output should look like what's in Setting up a captive portal - Appendix C4. The source code for the WiFiDog Authentication server can be "checked out" via the command:
svn checkout https://dev.wifidog.org/svn/trunk/wifidog-auth
The output should look like what's in Setting up a captive portal - Appendix C5. In short, the above command creates a folder called wifidog-auth and populates it with the source code. You can now build WiFiDog by cd'ing into the wifidog folder via:
cd wifidog
and running the "autogen.sh" script. The output should look like what's in Setting up a captive portal - Appendix C6.
If you intend to redirect traffic into a Squid proxy, you want to add the following line to wifidog/src/fw_iptables.c, after the last line containing the variable "TABLE_WIFIDOG_WIFI_TO_INTERNET".
iptables_do_command("-t nat -I WiFiDog_WIFI2Internet -i eth0 -m mark --mark 0x2 -p tcp --dport 80 -j REDIRECT --to-port 3128");
Note: this assumes that eth0 is the internal interface.
Next, run "make". The output should look like what's in Setting up a captive portal - Appendix C7.
You can then install the binaries with "make install". The output should look like what's in Setting up a captive portal - Appendix C8. You'll also want to manually copy wifidog.conf to your /usr/local/etc directory.
Configuring WiFiDog
TBD
Please note that this was the easy part of installing WiFiDog as it had little or no prerequisites. If you cd into the wifidog-auth folder and run "more INSTALL", you'll see that there is a large amount of prerequisite software. Please be sure that it is all installed prior to going past this point.
WiFiDog-Auth
What is WiFiDog-Auth?
Installing WiFiDog-Auth
- Untar the tarball
- cd into the tarball
- mv wifidog /var/www/html/
- Point your browser at http://192.168.1.242/wifidog/install.php (change the IP to whatever your system has). It should prompt you to do things similar to the following steps.
- Start postgres via "service postgresql start"
- Run "su - root" and enter the root password when prompted
- Run "su - postgres"
- Create the Postgres database user for wifidog by running "createuser wifidog --pwprompt". Answer "n" to all three questions. The output should look something like:
[joat@gateway ~]$ su - root
Password:
[root@gateway ~]# su - postgres
-bash-3.1$ createuser wifidog --pwprompt
Enter password for new role:
Enter it again:
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) n
CREATE ROLE
-bash-3.1$
- Create the Postgres database for wifidog by running "createdb wifidog --encoding=UTF-8 --owner=wifidog". The output should look something like:
-bash-3.1$ createdb wifidog --encoding=UTF-8 --owner=wifidog
CREATE DATABASE
-bash-3.1$
- Run "more /tmp/dog_cookie.txt" and make note of the temporary install password. Suggestion: copy it into your clipboard.
[root@gateway tmp]# more dog_cookie.txt
Y6ci7D6E
[root@gateway tmp]#
- Click next at the bottom of the browser page and use wifidog (as a username) and the temporary password to login and load the Permissions page. (Screenshots of this page and some of the following are available on the ilesansfil wiki.)
- Follow the suggestions on the Permissions page to make corrections. Hit refresh as needed. Repeat until you've made the suggested corrections and the Permissions page returns with a "Next" button.
- Click on "Next" to go to the "Checking Dependencies" page.
- As before, make corrections and hit refresh to remove the red ERRORs and yellow WARNINGs. Use the "Type" to provide hints to fix the issues. If the "Type" column for a specific entry says "phpExtension", try running "urpmi php-program_name". If the "Type" column for a specific entry says "pearStandard", try running "urpmi php-pear-programname". For items like Smarty, you may have to download the source code and copy the contents of the Smarty libs folder to /var/www/html/wifidog/lib/smarty/. You also need to copy the contents of FCKeditor (wherever you installed it) to /var/www/html/wifidog/lib/FCKeditor/.
Note: if the ERRORs and WARNINGs don't change, try hitting the browser's refresh button instead of the one embedded in the page. You may also need to stop and restart the web server.
Note: I was able to get green for all requirements except for the optional HTML_Safe. I'll come back to fix that one at a later date.
- Click on "Next" at the bottom of the page to check for your Smarty Template Engine. It should already be installed. If it isn't, install it.
- Click on "Next" at the bottom of the page to check for your SimplePie installation. Don't click on "Install" as it points to a subversion branch that no longer exists. Rather, go to the site (the current page has the link to it) and download the zip file. Unzip the zip file, cd into it, and run "cp -R * /var/www/html/wifidog/lib/simplepie/"
- Click on the "Back" key to go back to the Smarty page and then click on the "Next" key to recheck for SimplePie. It should indicate that it is installed.
- Click on the "Next" key to check for your Feed Press Review install. Click on "Install" to install it. (It should return a 0 return code (successful)). If it doesn't, you may have to use the same method as what you used for SimplePie.
- Click on "Refresh" to recheck the Feed Press Review install. It should indicate "already installed" this time.
- Click on "Next" to go to the "Database access configuration" page. Change the password to whatever you plan on using.
- Click on "Next". It should indicate success.
- Click on "Next" to initialize the database. At this point, the install failed. I had to go back to where I originally untarred the wifidog-auth tarball and copy the sql folder to /var/www/html. Clicking on "Refresh" caused the database to be initialized.
- Click on "Next" to go to the available options page. Make whatever changes you think are appropriate. I think you can change them later.
- Click on "Next" to go to the Languages Configuration page. For this version, this is just a placeholder. Read the text and ignore the example error.
- Click on "Next" to go to the RADIUS Authenticator Configuration page. Note that this is also a placeholder.
- Click on "Next" to go to the Administration Account page. Create a password. Enter it twice. Enter a valid email address for whomever you want the alerts to go to.
- Click on "Next". Make note of the admin account name.
- Click on "Next" to go to the Network page. Another placeholder. You will have to use the regular interface later via the administration pages.
- Click on "Next" to go to the Hotspot page. It should say that a default hotspot should already be configured and that others can be created via the administration pages.
- Click on "Next" to go to the "Thanks for using WiFiDog" page. The page should refresh after a few minutes and go to your root web page. If all the page says is "It worked!", you probably installed to /var/www/html/wifidog instead of /var/www/html. To fix this, cd into /var/www/html/wifidog and run "mv * .." and refresh your browser. An alternative to moving all this data is to leave it where it is and edit the "Path" in /usr/local/etc/wifidog.conf (under "AuthServer") to look like "Path /wifidog/".
From here, you can log in using whatever account name you used to create the admin account and edit your various settings.
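The createuser and createdb steps above answer "n" to every privilege question and set the owner and encoding explicitly. As an added example (not part of the original notes or of WiFiDog), the following shell functions check that the result matches those choices. The function names are assumptions; the queries read the standard pg_roles and pg_database catalogs.

```shell
#!/bin/sh
# Added example: audit the PostgreSQL role and database created for WiFiDog-Auth.
# Assumed names (not from the page): split_fields, check_role, check_db, audit_live.

ROLE_SQL="SELECT rolsuper, rolcreatedb, rolcreaterole FROM pg_roles WHERE rolname = 'wifidog'"
DB_SQL="SELECT pg_get_userbyid(datdba), pg_encoding_to_char(encoding) FROM pg_database WHERE datname = 'wifidog'"

# split_fields "a|b|c": split one line of "psql -At" output on "|".
split_fields() {
    old_ifs=$IFS; IFS='|'
    set -f; set -- $1; set +f      # no globbing while word-splitting
    IFS=$old_ifs
    FIELD_COUNT=$# F1=${1-} F2=${2-} F3=${3-}
}

# check_role LINE: all three answers were "n", so every flag must be "f".
check_role() {
    split_fields "$1"; bad=0
    [ "$FIELD_COUNT" -eq 3 ] || { echo "role wifidog not found"; return 1; }
    [ "$F1" = f ] || { echo "wifidog is a superuser"; bad=1; }
    [ "$F2" = f ] || { echo "wifidog can create databases"; bad=1; }
    [ "$F3" = f ] || { echo "wifidog can create roles"; bad=1; }
    return $bad
}

# check_db LINE: owner and encoding must match the createdb options.
check_db() {
    split_fields "$1"; bad=0
    [ "$FIELD_COUNT" -eq 2 ] || { echo "database wifidog not found"; return 1; }
    [ "$F1" = wifidog ] || { echo "database owner is $F1, expected wifidog"; bad=1; }
    [ "$F2" = UTF8 ] || { echo "database encoding is $F2, expected UTF8"; bad=1; }
    return $bad
}

# audit_live: run both queries against a running server (as the postgres user).
audit_live() {
    check_role "$(psql -At -c "$ROLE_SQL")" && check_db "$(psql -At -c "$DB_SQL")"
}
```

Run audit_live from the same "su - postgres" shell used for createuser; it prints nothing and returns 0 when the role and database match the steps above.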
At this point, I was able to log in and play around with the menus. Even the PDF generator worked. What follows is my notes for getting the first hot spot configured. You're likely to use a different set up but feel free to try mine.
(Okay, I'm annoyed with the layout of the login page. Something for the "to do" list!)
Configuring WiFiDog-Auth
To redirect traffic into Squid, the following rule is needed.
iptables -t nat -I WiFiDog_WIFI2Internet -i eth0 -m mark --mark 0x2 -p tcp --dport 80 -j REDIRECT --to-port 3128
I'm still trying to figure out how to add it to the WiFiDog configuration (WiFiDog translates from its own syntax into iptables syntax).
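Until the rule can be expressed in WiFiDog's own configuration, it has to be added by hand each time, both here and in the fw_iptables.c variant earlier. As an added example (not from the original notes or the WiFiDog project), this shell helper inserts the rule only once and only when the WiFiDog_WIFI2Internet chain exists. The function names and the IPTABLES override variable are assumptions, and the -C check needs iptables 1.4.11 or later.

```shell
#!/bin/sh
# Added example: idempotent insert of the page's Squid REDIRECT rule.
# Assumed names (not from the page): squid_rule_spec, ensure_squid_redirect,
# and the IPTABLES variable used to swap in another binary or a test stub.

IPTABLES=${IPTABLES:-iptables}
CHAIN=WiFiDog_WIFI2Internet        # chain name as used on the page

# Print the rule specification (everything after "-I CHAIN") for an internal
# interface and a local proxy port. Rejects anything that is not a plain
# interface name or a valid port, so a typo cannot change the rule's scope.
squid_rule_spec() {
    iface=$1 port=$2
    case $iface in
        ''|*[!A-Za-z0-9._-]*) echo "bad interface: $iface" >&2; return 1 ;;
    esac
    case $port in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }
    echo "-i $iface -m mark --mark 0x2 -p tcp --dport 80 -j REDIRECT --to-port $port"
}

# Insert the rule if it is missing. Prints "added", "present" or "no-chain".
ensure_squid_redirect() {
    spec=$(squid_rule_spec "$1" "$2") || return 1
    # -S fails when the chain does not exist, i.e. WiFiDog is not running yet.
    $IPTABLES -t nat -S "$CHAIN" >/dev/null 2>&1 || { echo no-chain; return 2; }
    # -C tests for an identical rule without changing the table.
    # $spec is left unquoted on purpose: it was validated above and must split.
    if $IPTABLES -t nat -C "$CHAIN" $spec 2>/dev/null; then
        echo present
    else
        $IPTABLES -t nat -I "$CHAIN" $spec && echo added
    fi
}
```

Run it as root after WiFiDog has started, for example "ensure_squid_redirect eth0 3128"; a result of no-chain means WiFiDog has not created its chain yet.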
Add-ons and Tweaks
Following are optional add-on features to improve operation and/or facilitate monitoring of the WiFiDog portal.
- BIND
- mod_ssl
- Squid
Ideas for further experiments
Sources
- The README and INSTALL text files accompanying the various source code packages
- The WiFiDog Wiki
- The Public Wireless Internet Project
Additional Reading
- Wireless Portals With WiFiDog (Linux Journal article)
Scratch Area
You can safely ignore the following. They are just links to various sub-pages while I'm organizing them. Also, listing them here keeps them off of the "orphaned pages" listing.
- Setting up a captive portal - Adding RPM Repositories
- Setting up a captive portal - iptables
- Setting up a captive portal - Apache and PHP
- Setting up a captive portal - mbstring
- Setting up a captive portal - PHP-XML
- Setting up a captive portal - PHP-DOM
- Setting up a captive portal - PHP-Curl
- Setting up a captive portal - PostgreSQL
- Setting up a captive portal - Smarty Template Engine
- Setting up a captive portal - Subversion
- Setting up a captive portal - MagpieRSS
- Setting up a captive portal - FCKeditor
- Setting up a captive portal - FPDF
- Setting up a captive portal - php-pgsql
- Setting up a captive portal - OpenSSL
- Setting up a captive portal - PEAR
- Setting up a captive portal - Phlickr
- Setting up a captive portal - PEAR Cache Lite
- Setting up a captive portal - php-radius
- Setting up a captive portal - auth_radius
- Setting up a captive portal - crypt_chap
- Setting up a captive portal - Image_Graph
- Setting up a captive portal - Image_Canvas
- Setting up a captive portal - Image_Color
- Setting up a captive portal - HTML_Safe-beta
- Setting up a captive portal - php-mcrypt
- Setting up a captive portal - php-mhash
- Setting up a captive portal - php-ldap
- Setting up a captive portal - BIND
- Setting up a captive portal - mod_ssl
- Setting up a captive portal - Squid
- Setting up a captive portal - Footnotes
Comments:
Mar 08 2010 5:54 pm
Hi, Some time ago I was also faced with the need for a captive portal. None of the solutions worked in the way that I wanted, so I created one myself using an iptables script (and PHP to display the signup page). If you would like to see the solution, I have detailed it at http://www.andybev.com/index.php/Using_iptables_and_PHP_to_create_a_captive_portal Regards, Andy