# Various other parts of a captive portal setup

Network (HA) setup with IPv4 NAT:

- two nodes
- shared uplink L2, some transfer network (can be private or public)
  * virtual addresses on the active node for IPv4 and IPv6 to route traffic to
- shared downlink L2
  * virtual addresses on the active node for IPv4 and IPv6 as gateway for clients
  * `fe80::1` is used as the IPv6 gateway, but also add a public IPv6 virtual address
  * connected: private IPv4 prefix (e.g. CGNAT), not routed
  * connected: public IPv6 prefix (routed to the virtual uplink address of the nodes)
- public IPv4 prefix routed to the virtual uplink address of the nodes, used for NAT
  * IPv4 traffic from clients is (S)NATted from this prefix; its size depends on the number of parallel connections you want to support.
- webserver on the nodes:
  * port 8080: receives transparent HTTP redirects from the firewall; should return a temporary redirect to your portal page.
  * port 80: redirect to https
  * port 443: reverse-proxy to 127.0.0.1:8000 (the webui backend), but serve `/static` directly from a directory (see main README)

To access the portal page from the clients you need a DNS name; it should point to the virtual addresses. The downlink address is preferable in some ways, but you may also want to keep private addresses out of DNS, i.e. use the uplink IPv4 address and the downlink IPv6 address. The VRRP traffic for the virtual addresses should also run over the uplink interface if possible (`keepalived` can announce addresses on an interface other than the one VRRP runs on).

## ISC dhcpd

See `dhcpd.conf.erb` and `dhcpd6.conf.erb`.

Note: don't use overly large IPv4 pools, or dhcpd will take a long time to sync and build up its leases files.

## Firewall / NAT

See `nftables.conf.erb` for the forwarding rules; if you want traffic shaping as well, see `shape_non_whitelisted.sh`. Local policies (ssh access and normal "host protection") are not included in the example.

You might also want to set a high `net.netfilter.nf_conntrack_max` with sysctl (e.g. `16777216`), since every NATted client connection occupies a conntrack entry.

## Conntrackd

Active/failover configuration TBD.
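The forwarding, transparent-redirect and SNAT rules the Firewall / NAT section describes, as an added example; this is not the project's `nftables.conf.erb`. Interface names, the client and NAT prefixes, the whitelist set names and the element timeout are assumptions. The host-protection (input) chain is left out, as in the project's example, and no `ct helper` statements are set, in line with the recommendation below.

```nft
#!/usr/sbin/nft -f
# Added example, not the project's ruleset. Names and prefixes below are assumptions.
flush ruleset

define uplink      = "eth0"               # transfer network (virtual uplink address lives here)
define downlink    = "eth1"               # client L2
define client_net4 = 100.64.0.0/16        # connected CGNAT prefix, not routed
define client_net6 = 2001:db8:100::/64    # connected public IPv6 prefix, routed to the uplink VIP
define nat_pool4   = 192.0.2.1-192.0.2.14 # public IPv4 prefix routed to the uplink VIP, used for SNAT

table inet portal {
    # Clients that accepted the portal. The webui backend adds them with a lifetime, e.g.
    #   nft add element inet portal allowed4 { 100.64.1.23 timeout 4h }
    # so an entry expires on its own instead of outliving the session.
    set allowed4 {
        type ipv4_addr
        flags timeout
    }
    set allowed6 {
        type ipv6_addr
        flags timeout
    }

    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Transparent redirect: plain HTTP from not-yet-whitelisted clients lands on the
        # local webserver's port 8080, which answers with a temporary redirect to the portal.
        iifname $downlink ip saddr $client_net4 ip saddr != @allowed4 tcp dport 80 redirect to :8080
        iifname $downlink ip6 saddr $client_net6 ip6 saddr != @allowed6 tcp dport 80 redirect to :8080
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state invalid drop
        ct state established,related accept

        # Whitelisted clients may talk to the world; replies come back via the ct rule above.
        iifname $downlink oifname $uplink ip saddr $client_net4 ip saddr @allowed4 accept
        iifname $downlink oifname $uplink ip6 saddr $client_net6 ip6 saddr @allowed6 accept

        # Everyone else only gets DNS so the portal name resolves; their HTTP was already
        # redirected in prerouting, and HTTPS simply fails until they accept the portal.
        iifname $downlink oifname $uplink udp dport 53 accept
        iifname $downlink oifname $uplink tcp dport 53 accept

        # Nothing from the uplink is forwarded to clients unless a client started it
        # (policy drop), and clients cannot use the router to reach each other.
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Only IPv4 is NATted; IPv6 clients use the routed public prefix directly.
        oifname $uplink ip saddr $client_net4 snat ip to $nat_pool4
    }
}
```

Load it with `nft -f <file>`; on the HA pair the same ruleset runs on both nodes, since only the node holding the virtual addresses sees client traffic. The `allowed4`/`allowed6` sets are the single point the webui backend touches, so the backend needs no other firewall privileges than adding and deleting set elements.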
I strongly recommend not to enable any conntrack helpers; they often punch significant holes in your stateful firewall (i.e. they make clients reachable from the outside in ways they didn't actually ask for).

## Keepalived (for virtual addresses)

See `keepalived.conf.erb`.

## Apache2

See `apache2.conf` (it only contains the "interesting" parts and probably won't start as-is). Any other webserver configured the same way should do just as well.

## systemd units

See the `systemd` directory for examples of systemd units.