fix(tollgate): restore DHCP/DNS in nodogsplash's pre-auth walled garden

Found live: new clients on the archipelago SSID couldn't get an IP
address at all. configure()'s users_to_router rebuild replaced the
nodogsplash package's stock default list (DNS, DHCP, SSH/Telnet to the
router) with only our two TollGate-specific ports (2121, 2050) —
dropping `allow udp port 67`, so DHCP DISCOVER from an unauthenticated
client hit ndsRTR's default REJECT before ever reaching dnsmasq.

Carries over DNS (53) and DHCP (67/udp) from the stock default —
without them a client can't get an IP or resolve anything before
authenticating. Deliberately does not carry over SSH/Telnet (22/23):
the stock default exposes router shell access to every unauthenticated
device on the network, which isn't an appropriate default for a public
pay-as-you-go hotspot.
This commit is contained in:
ssmithx 2026-07-02 20:51:27 +00:00
parent abe03a5702
commit c1f191128f

View File

@ -56,12 +56,27 @@ pub fn configure(router: &Router, cfg: &TollGateConfig) -> Result<()> {
router.uci_set("nodogsplash.main.gatewaydomainname", "TollGate.lan")?;
router.uci_set("nodogsplash.main.gatewayport", "2050")?;
// Pre-auth "walled garden": unauthenticated clients must still be able to
// reach the TollGate payment endpoint (2121) and the splash portal itself
// (2050) — everything else is blocked by NoDogSplash until ndsctl
// authorizes their MAC. Rebuild the list each run rather than trying to
// dedupe, so repeated provisioning stays idempotent.
// Pre-auth "walled garden": traffic an unauthenticated client must still
// reach before ndsctl authorizes their MAC. `uci_delete` + rebuild (rather
// than only adding our own entries) is deliberate — the stock package
// config ships a `users_to_router` default of its own (DNS, DHCP, plus
// SSH/Telnet to the router), and `uci_set`/`add_list` on an existing
// *named* section does not clear an inherited default list, so without
// an explicit delete first, re-provisioning would silently keep
// whatever was there before.
//
// DNS (53) and DHCP (67, udp) are carried over from that stock default —
// without them a client can't even get an IP or resolve the portal
// domain before authenticating (confirmed live: omitting udp/67 here
// broke DHCP entirely for new clients on the archipelago SSID). 2121
// (TollGate payment) and 2050 (NDS's own splash portal) are ours.
// SSH/Telnet (22/23) are deliberately *not* carried over — the stock
// default exposes router shell access to every unauthenticated device
// on a public pay-as-you-go network, which is a bad default here.
let _ = router.uci_delete("nodogsplash.main.users_to_router");
router.uci_add_list("nodogsplash.main.users_to_router", "allow udp port 53")?;
router.uci_add_list("nodogsplash.main.users_to_router", "allow tcp port 53")?;
router.uci_add_list("nodogsplash.main.users_to_router", "allow udp port 67")?;
router.uci_add_list("nodogsplash.main.users_to_router", "allow tcp port 2121")?;
router.uci_add_list("nodogsplash.main.users_to_router", "allow tcp port 2050")?;