Captive Portal & GL-USB150

glitch · 2017-08-10T16:31:03.000Z

OK, regarding whitelisting, I finally found the solution and answered my own question:

Luci > network > DHCP and DNS > general settings.
The last box is “Domain whitelist”. Enter the captive portal domain here eg. captiveportal.com.
I believe this has the same effect as editing the /etc/config/dhcp file (under config dnsmasq) and adding the line:

list rebind_domain captiveportal.com

Regards,
Glitch

PS. @sammo: thanks, reading the link now.

sammo · 2017-08-10T16:41:55.000Z

@Glitch,

Thanks, I have never setup my box using the Luci/gui ever.

I have only ever needed 1 scenario, and thats repeater mode (natted) and I have heavily customised mine.

ds-iceland · 2017-08-11T05:10:11.000Z

Second hotel and second time the tip from @sammo worked!

So happy with how it works that I’ve created two simple shell scripts to copy a version of dhcp with option rebind_protection set to either 0 or 1 over the file in /etc/config and restart the dnsmasq service. Yes I’m lazy

It requires me to attach the AR150 to the captive portal network (with the GUI), then SSH into the AR150 and run the script. But what counts (for me) is that this solution works and can be done from either a laptop or smart phone.

Thank you for the information @sammo, I’m in love with my AR150 all over again.

ds-iceland · 2017-08-13T10:45:43.000Z

Thinking about the suggestion from @EEKtheCAT to use the button to set ‘rebind_protection’ - it would save me from having to SSH into the AR150 and edit ‘rebind_protection’. This evening I disabled the button on my AR150 (it was set to activate / deactivate VPN via the GUI). With the aid of some code my AR150’s button now controls setting ‘rebind_protection’ to 0 or 1.

glitch · 2017-08-13T16:24:44.000Z

@ ds

Of course you are going to share the code

Did you try white-listing the portal instead of the rebind option?

Glitch

ds-iceland · 2017-08-14T20:18:38.000Z

Per your request @Glitch, my code is attached. The install directions are:

extract the contents of portal.zip
copy the “portal” directory (and its contents) to /root
cd to the “/root/portal” directory
Perform “chmod +x” on /root/portal/config.sh
Run config.sh (./config.sh)
Reboot

Feel free to test / use / modify as you wish.

eekthecat · 2017-08-14T22:18:12.000Z

@ds-Iceland Cool! Now lets see if this can be obtained in the stable

sammo · 2017-08-14T23:55:16.000Z

@ds-iceland Everybody dhcp might be slightly different. Here’s a one liner, substitute in place

Disabled

sed -i – “s/^[[:blank:]]*option[[:blank:]][[:blank:]]rebind_protection.$/ option rebind_protection ‘0’/” /etc/config/dhcp

Enabled

sed -i – “s/^[[:blank:]]*option[[:blank:]][[:blank:]]rebind_protection.$/ option rebind_protection ‘1’/” /etc/config/dhcp

ds-iceland · 2017-08-15T01:14:09.000Z

My dhcp file is stock, however you raise a good point @sammo. A revised version of the code using your in-place edit has been attached to my previous post as portal-v2.zip.

Thanks to everyone who has contributed to this effort.

alzhao · 2017-08-15T15:04:06.000Z

why not use uci instead of sed

Disabled:

uci set dhcp.@dnsmasq[0].rebind_protection=‘0’

uci commit dhcp

Enabled:

uci set dhcp.@dnsmasq[0].rebind_protection=‘1’

uci commit dhcp

glitch · 2017-08-15T16:39:37.000Z

@ ds: thanks for sharing
@ everyone else: you just got to love this forum and the people that contribute to it!

Glitch

murdock57 · 2017-08-16T11:09:34.000Z

Piling on here to request this feature as a button of some sort in the gui…I currently can’t connect (and stupidly created another thread about these issues - sorry). It’s not completely beyond me to tinker at this level with the router but it’s not something I have the energy to mess with this trip. It would take a little research to just figure out exactly what you guys are all explaining how to do. That’s really been the beauty of these routers though…I don’t spend time messing around with settings and junk in the hotel when I just want to relax/recover/get work done. Having this feature easily available for dummies (like me) would be awesome!

murdock57 · 2017-08-16T21:18:27.000Z

Hey the tip from Sammo worked for me! I used WinSCP and connected via SCP to edit the dhcp config file. Might be handy for those who work better with gui than command line. Thanks guys!!!

ptiemann · 2017-08-22T09:29:38.000Z

I used the whitelisting suggested by Glitch

<span style=“color: #222222; font-family: source_sans_proregular, ‘Helvetica Neue’, Arial, Helvetica, Geneva, sans-serif; font-size: 14.6667px; background-color: #f9f9f9;”>Luci > network > DHCP and DNS > general settings.</span><br style=“outline: none; vertical-align: baseline; background: #f9f9f9; margin: 0px; padding: 0px; color: #222222; font-family: source_sans_proregular, ‘Helvetica Neue’, Arial, Helvetica, Geneva, sans-serif; font-size: 14.6667px;” /><span style=“color: #222222; font-family: source_sans_proregular, ‘Helvetica Neue’, Arial, Helvetica, Geneva, sans-serif; font-size: 14.6667px; background-color: #f9f9f9;”>The last box is “Domain whitelist”. Enter the captive portal domain here eg. captiveportal.com.</span>

Go to your browser and either try the captive portal address or in my case I just refreshed a page. Don’t try a SSL site though you’ll get a warning because it will have an invalid certificate.

budwoo · 2017-08-31T22:30:03.000Z

So, to sum all of that up: enter each captive portal’s domain as a separate entry in LUCI’s web GUI under “Network -> DHCP and DNS -> domain whitelist” and captive portals should work without ssh’ing in the router and running scripts?

Can someone confirm this ‘LUCI-method’ to work?

glitch · 2017-09-01T01:32:42.000Z

@budwoo: can’t confirm it myself but it would appear so.

Also, can you turn rebind on and off in the same menu (Network -> DHCP and DNS -> rebind protection).
At least, I assume this does what the scripts do (didn’t try it myself yet).

Glitch

budwoo · 2017-09-01T04:11:26.000Z

@alzhao:

What would you think of adding a text hint next to the blue question mark icon in LUCI’s web GUI at the appropiate setting (i.e. “DNS whitelist”) to inform the users about the possibilities here to deal with captive portals? Before I read this thread, I wasn’t aware of this setting’s effect.

alzhao · 2017-09-01T11:41:04.000Z

@budwoo,

I will add rebind-protection settings in next firmware. For whitelisting, need to gather a list of domains.

blue-wavenet · 2018-04-09T10:27:26.744Z

I think dns rebind attacks are not that common so it is fairly safe to turn protection off and if you are really worried, turn off javascript in your browser.
I suppose it is a balance between protection and convenience.
Maybe a button in the UI that starts a script that turns it off for say 5 minutes to allow you to login then it re-enables automatically?

Onntwo · 2018-05-02T19:25:43.410Z

Add tengointernet to the list.

Any update since this thread ended? I would love a Gui solution to the problem since I know nothing about Linux and scripts.