2023-01-13 14:05:05 +01:00
# Various other parts of a captive portal setup

Network (HA) setup with IPv4 NAT:

- two nodes
- shared uplink L2, some transfer network (can be private or public)
  * virtual addresses on the active node for IPv4 and IPv6; the prefixes below are routed to them
- shared downlink L2
  * virtual addresses on the active node for IPv4 and IPv6, used by the clients as gateway
  * `fe80::1` is used as the IPv6 gateway, but also add a public IPv6 virtual address
  * connected: private IPv4 prefix (e.g. from the CGNAT range `100.64.0.0/10`), not routed
  * connected: public IPv6 prefix (routed to the virtual uplink address of the nodes)
- public IPv4 prefix, routed to the virtual uplink address of the nodes, to use for NAT
  * IPv4 traffic from clients is (S)NATted to addresses from this prefix; the size depends on the number of parallel connections you want to support (each NAT address offers roughly 64k source ports per destination)
- webserver on the nodes:
  * port 8080: receives the HTTP connections that the firewall transparently redirects from clients that are not yet whitelisted; it should answer every request with a temporary redirect (302/307) to your portal page
  * port 80: redirect to https
  * port 443: reverse-proxy to 127.0.0.1:8000 (the webui backend), but serve `/static` directly from a directory (see main README)
To reach the portal page, clients need a DNS name that resolves to the virtual addresses. The downlink addresses would be the most direct choice, but you probably don't want private addresses in public DNS: use the uplink IPv4 address (clients can reach it, since it is local to the active node) and the downlink IPv6 address.

The VRRP traffic for the virtual addresses should go over the uplink interface if possible, not over the client-facing downlink: VRRP has no meaningful authentication, so any client on the downlink L2 could otherwise announce itself as master and take over the gateway address. `keepalived` supports this: set `interface` in the `vrrp_instance` to the uplink and attach the downlink addresses with `dev <downlink>` inside `virtual_ipaddress`.
## ISC dhcpd
See `dhcpd.conf.erb` and `dhcpd6.conf.erb`.
Note: don't use IPv4 pools larger than you need; with large pools dhcpd takes a long time to sync (failover) and the lease files grow large.
## Firewall / NAT
See `nftables.conf.erb` for forwarding rules; if you want traffic shaping as well see `shape_non_whitelisted.sh`.
Local policies (ssh access and normal "host protection") are not included in the example.
You also might want to raise `net.netfilter.nf_conntrack_max` with sysctl (e.g. `16777216`): every client connection through the NAT costs one entry, and once the table is full new connections are dropped (`nf_conntrack: table full, dropping packet` in the kernel log). Each entry takes a few hundred bytes of kernel memory, so 16M entries means several GB; raise the hash table size as well (`net.netfilter.nf_conntrack_buckets`, or the `hashsize` module parameter on older kernels), otherwise lookups degrade into long hash chains.
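As an added example (not the project's `nftables.conf.erb`), here is a minimal ruleset with the pieces described above: whitelist sets that the portal backend fills, the transparent redirect of HTTP from not-yet-whitelisted clients to port 8080, SNAT from the public IPv4 prefix, anti-spoofing, and a forward chain that only lets whitelisted clients out and nothing in. The interface names (`downlink0`, `uplink0`) and prefixes (`100.64.0.0/10` for clients, `192.0.2.0/28` as NAT pool, `2001:db8:1::/64` as client IPv6 prefix) are assumptions. Local (input) policy is left out as on this page; it has to accept port 8080 and the portal ports from the downlink, and ideally a DNS resolver for the clients.

```nft
#!/usr/sbin/nft -f
# Added example, not the project's nftables.conf.erb. Assumed names/prefixes:
#   downlink0        client-facing interface (shared downlink L2)
#   uplink0          transfer network (shared uplink L2)
#   100.64.0.0/10    private client IPv4 prefix, not routed
#   2001:db8:1::/64  public client IPv6 prefix, routed to the uplink VIP
#   192.0.2.0/28     public IPv4 prefix routed to the uplink VIP, used for SNAT
flush ruleset

table inet captive {
    # Clients that passed the portal. Filled by the webui backend, e.g.
    #   nft add element inet captive whitelisted_v4 { 100.64.1.23 timeout 8h }
    # The timeout makes an entry expire by itself instead of living forever.
    set whitelisted_v4 {
        type ipv4_addr
        flags timeout
    }
    set whitelisted_v6 {
        type ipv6_addr
        flags timeout
    }

    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Plain HTTP from a client that is not whitelisted yet is redirected to
        # the webserver on :8080, which answers with a redirect to the portal
        # page. Redirected packets are then local traffic (input chain), so the
        # host policy must accept tcp dport 8080 from downlink0.
        iifname "downlink0" ip saddr != @whitelisted_v4 tcp dport 80 redirect to :8080
        iifname "downlink0" ip6 saddr != @whitelisted_v6 tcp dport 80 redirect to :8080
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Client IPv4 leaves from the public pool. `persistent` keeps one client
        # on one pool address across connections. IPv6 is routed, not NATted.
        oifname "uplink0" ip saddr 100.64.0.0/10 snat to 192.0.2.0-192.0.2.15 persistent
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop

        # Anti-spoofing: clients may only use the prefixes they were handed out,
        # otherwise a forged IPv4 source would bypass the SNAT rule above.
        iifname "downlink0" ip saddr != 100.64.0.0/10 drop
        iifname "downlink0" ip6 saddr != 2001:db8:1::/64 drop

        # Only whitelisted clients get out. Everything else from the downlink
        # is dropped by the policy, including a not-yet-whitelisted client's
        # non-HTTP traffic. Do not open udp/tcp 53 to arbitrary resolvers here:
        # run the clients' resolver on the nodes instead (input chain), otherwise
        # DNS becomes a tunnel out of the portal.
        iifname "downlink0" oifname "uplink0" ip saddr @whitelisted_v4 accept
        iifname "downlink0" oifname "uplink0" ip6 saddr @whitelisted_v6 accept

        # Nothing from the uplink reaches clients unsolicited: no port forwards,
        # and no `ct helper` objects anywhere in this ruleset, so a client cannot
        # open itself up through FTP/SIP payload either. This also protects the
        # IPv6 clients, whose addresses are publicly routable.
    }
}
```

Load it with `nft -f` and verify the effect with `nft list ruleset`; to check the redirect, connect from a non-whitelisted client to any host on port 80 and expect the answer from your port-8080 server, then add the client to `whitelisted_v4` and repeat.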
## Conntrackd
Active/failover configuration TBD.
I strongly recommend not enabling any conntrack helpers (FTP, SIP, H.323, ...); they often punch significant holes into your stateful firewall, i.e. they make clients reachable from the outside in ways the clients didn't actually ask for, based on payload the client sent (or was tricked into sending). With nftables, helpers are only active if you explicitly define `ct helper` objects and assign them with `ct helper set`, so simply don't; the legacy automatic helper assignment (`net.netfilter.nf_conntrack_helper`) has been off by default since Linux 4.7 and was removed in 6.0.
## Keepalived (for virtual addresses)
See `keepalived.conf.erb`.
## Apache2
See `apache2.conf` (only contains "interesting" parts, probably won't start that way).
Any other webserver configured in a similar way should do just as well.
## systemd units
See the `systemd` directory for examples of systemd units.