From c1f191128fab1d65a935ba0c2039bd8241831bf8 Mon Sep 17 00:00:00 2001 From: ssmithx Date: Thu, 2 Jul 2026 20:51:27 +0000 Subject: [PATCH] fix(tollgate): restore DHCP/DNS in nodogsplash's pre-auth walled garden MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Found live: new clients on the archipelago SSID couldn't get an IP address at all. configure()'s users_to_router rebuild replaced the nodogsplash package's stock default list (DNS, DHCP, SSH/Telnet to the router) with only our two TollGate-specific ports (2121, 2050) — dropping `allow udp port 67`, so DHCP DISCOVER from an unauthenticated client hit ndsRTR's default REJECT before ever reaching dnsmasq. Carries over DNS (53) and DHCP (67/udp) from the stock default — without them a client can't get an IP or resolve anything before authenticating. Deliberately does not carry over SSH/Telnet (22/23): the stock default exposes router shell access to every unauthenticated device on the network, which isn't an appropriate default for a public pay-as-you-go hotspot. --- core/openwrt/src/tollgate/nodogsplash.rs | 25 +++++++++++++++++++----- 1 file changed, 20 insertions(+), 5 deletions(-) diff --git a/core/openwrt/src/tollgate/nodogsplash.rs b/core/openwrt/src/tollgate/nodogsplash.rs index de040e32..887cb144 100644 --- a/core/openwrt/src/tollgate/nodogsplash.rs +++ b/core/openwrt/src/tollgate/nodogsplash.rs @@ -56,12 +56,27 @@ pub fn configure(router: &Router, cfg: &TollGateConfig) -> Result<()> { router.uci_set("nodogsplash.main.gatewaydomainname", "TollGate.lan")?; router.uci_set("nodogsplash.main.gatewayport", "2050")?; - // Pre-auth "walled garden": unauthenticated clients must still be able to - // reach the TollGate payment endpoint (2121) and the splash portal itself - // (2050) — everything else is blocked by NoDogSplash until ndsctl - // authorizes their MAC. Rebuild the list each run rather than trying to - // dedupe, so repeated provisioning stays idempotent. + // Pre-auth "walled garden": traffic an unauthenticated client must still + // reach before ndsctl authorizes their MAC. `uci_delete` + rebuild (rather + // than only adding our own entries) is deliberate — the stock package + // config ships a `users_to_router` default of its own (DNS, DHCP, plus + // SSH/Telnet to the router), and `uci_set`/`add_list` on an existing + // *named* section does not clear an inherited default list, so without + // an explicit delete first, re-provisioning would silently keep + // whatever was there before. + // + // DNS (53) and DHCP (67, udp) are carried over from that stock default — + // without them a client can't even get an IP or resolve the portal + // domain before authenticating (confirmed live: omitting udp/67 here + // broke DHCP entirely for new clients on the archipelago SSID). 2121 + // (TollGate payment) and 2050 (NDS's own splash portal) are ours. + // SSH/Telnet (22/23) are deliberately *not* carried over — the stock + // default exposes router shell access to every unauthenticated device + // on a public pay-as-you-go network, which is a bad default here. let _ = router.uci_delete("nodogsplash.main.users_to_router"); + router.uci_add_list("nodogsplash.main.users_to_router", "allow udp port 53")?; + router.uci_add_list("nodogsplash.main.users_to_router", "allow tcp port 53")?; + router.uci_add_list("nodogsplash.main.users_to_router", "allow udp port 67")?; router.uci_add_list("nodogsplash.main.users_to_router", "allow tcp port 2121")?; router.uci_add_list("nodogsplash.main.users_to_router", "allow tcp port 2050")?;