net/python-capport
2
0
Fork 0
Code
77bb2b7ceb
python-capport/contrib/README.md

2.5 KiB
Raw Blame History

Various other parts of a captive portal setup

Network (HA) setup with IPv4 NAT:

  • two nodes
  • shared uplink L2, some transfer network (can be private or public)
    • virtual addresses on active node for IPv4 and IPv6 to route traffic to
  • shared downlink L2
    • virtual addresses on active node for IPv4 and IPv6 as gateway for clients
      • using fe80::1 as gateway, but also add a public IPv6 virtual address
    • connected: private IPv4 prefix (e.g. CGNAT), not routed
    • connected: public IPv6 prefix (routed to virtual uplink address of nodes)
  • public IPv4 prefix routed virtual uplink address of nodes to use for NAT
    • IPv4-traffic from clients will be (S)NATted from this prefix; size depends on number of parallel connections you want to support.
  • webserver on nodes:
    • port 8080: receives transparent http redirects from the firewall; should return a temporary redirect to your portal page.
    • port 80: redirect to https
    • port 443: reverse-proxy to 127.0.0.1:5001 (the webui backend), but serve /static directly from directory (see main README)

To access the portal page on the clients you'll need a DNS-name; it should point to the virtual addresses. In some ways downlink address is preferred, but you also might want to avoid private addresses - i.e. use the uplink IPv4 address and the downlink IPv6 address.

Also the management traffic for the virtual address should use the uplink interface if possible (keepalived supports this).

ISC dhcpd

See dhcpd.conf.erb and dhcpd6.conf.erb.

Note: don't use too large IPv4 pools or dhcpd will take a long time to sync and build up the leases files.

Firewall / NAT

See nftables.conf.erb for forwarding rules; if you want traffic shaping as well see shape_non_whitelisted.sh. Local policies (ssh access and normal "host protection") are not included in the example.

You also might want to set a high net.netfilter.nf_conntrack_max with sysctl (e.g. 16777216).

Conntrackd

Active/failover configuration TBD.

I strongly recommend not to enable any tracking helpers; they often make significant holes into your stateful firewall (i.e. make clients reachable from the outside in ways they didn't actually want).

Keepalived (for virtual addresses)

See keepalived.conf.erb.

Apache2

See apache2.conf (only contains "interesting" parts, probably won't start that way). Any other webserver configured in a similar way should do just as well.

systemd units

See the systemd directory for examples of systemd units.