fix(tollgate): restore DHCP/DNS in nodogsplash's pre-auth walled garden
Found live: new clients on the archipelago SSID couldn't get an IP address at all. configure()'s users_to_router rebuild replaced the nodogsplash package's stock default list (DNS, DHCP, SSH/Telnet to the router) with only our two TollGate-specific ports (2121, 2050) — dropping `allow udp port 67`, so DHCP DISCOVER from an unauthenticated client hit ndsRTR's default REJECT before ever reaching dnsmasq. Carries over DNS (53) and DHCP (67/udp) from the stock default — without them a client can't get an IP or resolve anything before authenticating. Deliberately does not carry over SSH/Telnet (22/23): the stock default exposes router shell access to every unauthenticated device on the network, which isn't an appropriate default for a public pay-as-you-go hotspot.
This commit is contained in:
parent
abe03a5702
commit
c1f191128f
@ -56,12 +56,27 @@ pub fn configure(router: &Router, cfg: &TollGateConfig) -> Result<()> {
|
||||
router.uci_set("nodogsplash.main.gatewaydomainname", "TollGate.lan")?;
|
||||
router.uci_set("nodogsplash.main.gatewayport", "2050")?;
|
||||
|
||||
// Pre-auth "walled garden": unauthenticated clients must still be able to
|
||||
// reach the TollGate payment endpoint (2121) and the splash portal itself
|
||||
// (2050) — everything else is blocked by NoDogSplash until ndsctl
|
||||
// authorizes their MAC. Rebuild the list each run rather than trying to
|
||||
// dedupe, so repeated provisioning stays idempotent.
|
||||
// Pre-auth "walled garden": traffic an unauthenticated client must still
|
||||
// reach before ndsctl authorizes their MAC. `uci_delete` + rebuild (rather
|
||||
// than only adding our own entries) is deliberate — the stock package
|
||||
// config ships a `users_to_router` default of its own (DNS, DHCP, plus
|
||||
// SSH/Telnet to the router), and `uci_set`/`add_list` on an existing
|
||||
// *named* section does not clear an inherited default list, so without
|
||||
// an explicit delete first, re-provisioning would silently keep
|
||||
// whatever was there before.
|
||||
//
|
||||
// DNS (53) and DHCP (67, udp) are carried over from that stock default —
|
||||
// without them a client can't even get an IP or resolve the portal
|
||||
// domain before authenticating (confirmed live: omitting udp/67 here
|
||||
// broke DHCP entirely for new clients on the archipelago SSID). 2121
|
||||
// (TollGate payment) and 2050 (NDS's own splash portal) are ours.
|
||||
// SSH/Telnet (22/23) are deliberately *not* carried over — the stock
|
||||
// default exposes router shell access to every unauthenticated device
|
||||
// on a public pay-as-you-go network, which is a bad default here.
|
||||
let _ = router.uci_delete("nodogsplash.main.users_to_router");
|
||||
router.uci_add_list("nodogsplash.main.users_to_router", "allow udp port 53")?;
|
||||
router.uci_add_list("nodogsplash.main.users_to_router", "allow tcp port 53")?;
|
||||
router.uci_add_list("nodogsplash.main.users_to_router", "allow udp port 67")?;
|
||||
router.uci_add_list("nodogsplash.main.users_to_router", "allow tcp port 2121")?;
|
||||
router.uci_add_list("nodogsplash.main.users_to_router", "allow tcp port 2050")?;
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user