GL-MT300N-V2 as a Captive Portal #509

Closed
RyukMy opened this issue Sep 2, 2023 · 77 comments
Labels
good first issue Good for newcomers

@RyukMy

RyukMy commented Sep 2, 2023

Should I overwrite the software of the GL-MT300N, or is it also OK to keep it and use the LuCI that I can install?
@bluewavenet here I am, received 5 minutes ago.

Details:

LUCI -> 19.07
openNDS available to install -> 5.2.0-1
GL-MT300N-V2 -> 3.216

@bluewavenet
Member

bluewavenet commented Sep 3, 2023

@RyukMy
To get the latest version of openNDS you must reflash with the latest stable version of OpenWrt.

Edit:
At the time of writing this was OpenWrt 23.05.0-rc3 and allowed installation of openNDS v10.1.3.

What you must do:

  1. Download the latest stable version of OpenWrt for the MT300N-v2
  2. Reflash the MT300N-v2
  3. Enable WiFi
  4. Install openNDS - it will then be working - no special setup required.
  5. Customise openNDS if required

For item 1, assuming OpenWrt version 23.05.2, go to:
https://downloads.openwrt.org/releases/23.05.2/targets/ramips/mt76x8/

Download the "sysupgrade" version of the file.

Now item 2. Do you know how to do this? There are two ways. One leaves multiple ways to go wrong, the other is 100% safe. The safe way requires an ethernet connection from your computer to the MT300N-v2.
Do you want me to show you what to do?

@RyukMy
Author

RyukMy commented Sep 3, 2023

Yes please.
Let's avoid issues...

I will need help for point 5, I want that the user will register to get access.
We can also consider preparing a landing page on the cafe domain (if not too difficult for a newbie like me)

@bluewavenet
Member

If your computer has an ethernet interface (rj45 socket or usb ethernet dongle), we can use the safe way.
You will need to set your computer to have a fixed ip address of 192.168.1.2
Do you know how to do this? Is your computer running windows?

@RyukMy
Author

RyukMy commented Sep 3, 2023

I have Mac and Windows
I know how to do this.

@bluewavenet
Member

OK then, with the Mac set to 192.168.1.2 and the ethernet cable connected from Mac to the lan port of the mt300n-v2,

  1. Unplug the micro-usb power lead
  2. Press and hold the reset button and plug the power back in, don't release the reset button yet.
  3. Wait for the led lights to stop flashing, leaving just two adjacent lights on, then release the button.
  4. On the mac, browse to http://192.168.1.1 where you will see a reflash page.
  5. Select the previously downloaded sysupgrade file.
  6. Do the reflash.

After a few minutes it will be done. Then we can go to the next step, enabling the wifi.

@RyukMy
Author

RyukMy commented Sep 3, 2023

Done.

@RyukMy
Author

RyukMy commented Sep 4, 2023

I assume that operating frequency will be N.
While mode should be ???

@bluewavenet
Member

Sorry, I've been busy.

I assume that operating frequency will be N.

The "operating frequency" is set by channel number.
2GHz wifi can use channels 1 to 14 depending on country.

Assuming you are still in the original state just after reflashing do:

  1. Set your computer back to DHCP instead of a static ip address.
  2. Connect your computer using an ethernet cable to the lan port on the mt300n-v2
  3. Your computer should get an ip address allocated by dhcp.
  4. Open an ssh terminal window at 192.168.1.1
  5. Run the command uci set wireless.radio0.disabled='0'
  6. Run the command uci set wireless.radio0.country='MY' - assuming your country code is MY
  7. Run the command uci set wireless.radio0.channel='5' - or the channel number you want (default is channel 1)
  8. Run the command uci commit wireless - this saves the changes.
  9. Run the command uci set network.lan.ipaddr='10.168.1.1' - this sets the ip address subnet, making sure it does not clash with your isp's router.
  10. Run the command uci commit network
  11. Run the command exit - logging you out from the terminal session.
  12. Disconnect the ethernet cable from your computer.
  13. Unplug the usb power lead from the mt300n-v2, then plug it back in (hard reboot)
  14. Wait for the leds to stabilise (a couple of minutes or so)
  15. On your computer, search for the wireless network "OpenWrt"
  16. Connect to OpenWrt. Your computer should get an ip address in the 10.168.1.x range.
  17. If the mt300n-v2 wan port is connected to a lan port on your isp's router, your computer should have Internet access.

If this is successful we are ready for the next step.
Let me know ;-)

@RyukMy
Author

RyukMy commented Sep 5, 2023

Working perfectly

@bluewavenet
Member

@RyukMy
Now to install openNDS.

In an ssh terminal session, do:

opkg update
opkg install opennds

After a couple of minutes, openNDS should be running.
Check it with:
ndsctl status

Your computer will probably pop up the login page (depending on its operating system and browser versions).
If not, in the browser, go to http://status.client

Also try connecting with your mobile phone.

@RyukMy
Author

RyukMy commented Sep 5, 2023

I got this:

==================
openNDS Status
====
Version: 10.1.3
Uptime: 28s
Gateway Name: [ openNDS Node:9483c42eed7f  ]
Debug Level: [ 1 ]
Gateway FQDN: [ status.client ]
Managed interface: br-lan
Upstream gateway(s) [ online:192.168.1.254,eth0.2  ]
MHD Server [ version 0.9.75 ] listening on: http://10.168.1.1:2050
Maximum Html Page size is [ 10240 ] Bytes
Preemptive Authentication is Enabled
Binauth Script: /usr/lib/opennds/binauth_log.sh
Preauth Script: /usr/lib/opennds/libopennds.sh
FAS: Secure Level 1, URL: http://status.client:2050/opennds_preauth/
Client Check Interval: 15s
Rate Check Window: 2 check intervals (30s)
Preauthenticated Client Idle Timeout: 30m
Authenticated Client Idle Timeout: 120m
Download rate limit threshold (default per client): no limit
Upload rate limit threshold (default per client): no limit
Download quota (default per client): no limit
Upload quota (default per client): no limit
Total download: 44 kByte; average: 13.01 kbit/s
Total upload: 42 kByte; average: 12.49 kbit/s
====
Client authentications since start: 0
Current clients: 0
====
Trusted MAC addresses: none
Walled Garden FQDNs: none
Walled Garden Ports: none
========

@RyukMy
Author

RyukMy commented Sep 5, 2023

IMG_284AED8F5021-1

How to modify the points in the squares and how to request name and contact?

@bluewavenet
Member

@RyukMy

to request name and contact?

Open the ssh terminal session again.

Do:

uci set opennds.@opennds[0].login_option_enabled='2'
uci commit opennds
service opennds restart

Now you should get a username/emailaddress login.

Let me know.

Next step is to change things....

@RyukMy
Author

RyukMy commented Sep 5, 2023

Everything works perfectly...

@bluewavenet
Member

@RyukMy
Now let's change things.

Your top red box. This is the GatewayName with a unique serial number suffix (this is very useful if you have numerous instances of openNDS installed for example in a chain of coffee shops all using a central FAS - you will know which shop a client is at).

As usual, in an ssh terminal session, do:

uci set opennds.@opennds[0].enable_serial_number_suffix='0'

This, as you might guess, switches off the serial number suffix.

Now while we are at it we can change the name.

uci set opennds.@opennds[0].gatewayname='RyukMy Coffee Shop'

And as usual, we save the changes:
uci commit opennds

And restart openNDS to make the changes take effect:

service opennds restart

However, now openNDS is fully operational, after a restart, it will automatically log back in any authenticated clients.

So to see the results, you need to log out.

Wait a couple of minutes after you did the restart, then, in the browser on your client that was logged in before the reset, you will see you still have an Internet connection as your session had not expired so openNDS logged you back in.

To log out, on the browser, go to http://status.client
There you can click to log out.

Now you can log back in.

You will see that your top red box will have changed.

We will deal with the second red box later.

For the third red box, the logo image, - do you have an example?

For testing we can use your Github avatar and tell openNDS to automatically download it.
(It is a bit low resolution, but a quick example we can try)

But first let me know if the top red box has changed ;-)

@RyukMy
Author

RyukMy commented Sep 6, 2023

Yes, it has changed.

I have the image.
Let me know the correct parameters so I will set it.
I can put it in Google Drive and share the link from there.

@RyukMy
Author

RyukMy commented Sep 6, 2023

Also, after login can I redirect the person to a specific website or social media page?
I will need to change the SSID name after.
Should I not put a password to LuCI?

@bluewavenet
Member

@RyukMy

This is an example from my test system of what you should get when you are logged in and you go to http://status.client:

image

And this is what it looks like if you click "logout":

image

Now if you click "Continue", you should be back at the username/emailaddress page.

If not you might have missed out one of the "commit" commands.

Let me know.

Ref. the logo, yes, put it in Google Drive and give me the url. I will make sure it works then give you the uci commands to enter.

@RyukMy
Author

RyukMy commented Sep 6, 2023

Yes, I have the same screens now.

This is the link of the logo:

https://drive.google.com/file/d/19MVvRb2eXNL5O1y4RLByhz2PAwR0vDk_/view?usp=sharing

@bluewavenet
Member

@RyukMy

after login can I redirect the person to a specific website or social media page?

You can, but almost all client devices will immediately close the page for security reasons as otherwise an unscrupulous party could redirect to a spoof banking page or whatever the client thought they wanted to go to...

So the real answer is NO !
You can put information and advertising on the pre-authentication page though.
We can look at that later.

@RyukMy
Author

RyukMy commented Sep 6, 2023

OK.

@bluewavenet
Member

@RyukMy
Google drive will only allow downloads to browsers with javascript support enabled, so openNDS cannot access it.
Is it available or can it be made available on a web site as the .jpg file?

@bluewavenet
Member

@RyukMy
We can load the logo file here in this issue. Then it is available as a simple download with no obfuscation involved by Google.....

@RyukMy
Author

RyukMy commented Sep 6, 2023

@bluewavenet
Member

@RyukMy

Check this one

Perfect. I'll test it here first, then give you the commands............

@bluewavenet
Member

@RyukMy
Actually, can you make a 400x400 version of this as it will save a little bit of memory on the router and higher resolution is not necessary here. Perhaps call it portal-logo.jpg.

@RyukMy
Author

RyukMy commented Sep 6, 2023

Will do.

@RyukMy
Author

RyukMy commented Sep 6, 2023

@bluewavenet
Member

@RyukMy
Sorry for the big delay while I got on with the day job ;-)

Ok, back into an ssh terminal session:

Tell openNDS where to get the logo file and where to put it:

uci add_list opennds.@opennds[0].fas_custom_images_list='splash_jpg=https://liasgastronomy.com/wp-content/uploads/2023/09/portal-logo.jpeg'

Give openNDS a script to do the downloading:

uci set opennds.@opennds[0].themespec_path='/usr/lib/opennds/client_params.sh'

Create a link so the themespec displays the logo:

ln -s -f /tmp/ndsremote/splash.jpg /etc/opennds/htdocs/images/splash.jpg

Finally commit the changes and restart:

uci commit opennds
service opennds restart

I think I got that right - let me know if it works......

@RyukMy
Author

RyukMy commented Sep 7, 2023

You got it right.
Working nicely.

@bluewavenet
Member

@RyukMy
As we are going to customise, we should first, on the portal webserver, rename fas-aes-http.php to liasgastronomy.php

Once that is done we can start configuring as follows:

  1. Get the autogenerated faskey from the mt300n-v2.
    uci get opennds.@opennds[0].faskey
  2. Edit, on the portal web server, our newly renamed liasgastronomy.php and update the faskey to the autogenerated value we just got. This is on line 58 and defaults to $key="1234567890";
  3. Next, the openNDS config changes.
    The web path to the fas script:
    uci set opennds.@opennds[0].faspath='/fas/liasgastronomy.php'
    The webserver ip address:
    uci set opennds.@opennds[0].fasremoteip='199.250.216.103'
    The FAS FQDN:
    uci set opennds.@opennds[0].fasremotefqdn='portal.liasgastronomy.com'
    The FAS port:
    uci set opennds.@opennds[0].fasport='443'
    Disable ThemeSpec:
    uci set opennds.@opennds[0].login_option_enabled='0'
    Enable the remote FAS:
    uci set opennds.@opennds[0].fas_secure_enabled='3'
    Save the changes:
    uci commit opennds
    And restart openNDS:
    service opennds restart

Now test it, I think I remembered everything.... ;-)

If it doesn't work and you are locked out from the internet, do:
service opennds stop
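
A check for steps 1 and 2 above, as an added example that is not part of the original comment or of openNDS: it compares the faskey on the router with the `$key` line in the FAS script and reports a leftover default key, a mismatch, or settings that differ from the ones set in this thread, without ever printing a key. The helper names `uci_opt`, `php_key` and `audit_fas` are hypothetical, and the sample `uci show opennds` output and PHP line are constructed.

```shell
#!/bin/sh
# Added example. Findings never contain a key value, so the output can be
# pasted into an issue or a log without leaking the shared secret.

DEFAULT_KEY='1234567890'   # default $key in the FAS script, per the thread

# uci_opt NAME: read `uci show opennds` text on stdin, print NAME's value.
uci_opt() {
    sed -n "s/^opennds\.@opennds\[0\]\.$1='\(.*\)'\$/\1/p" | head -n 1
}

# php_key: read the FAS PHP source on stdin, print the string assigned to $key.
php_key() {
    sed -n 's/^[[:space:]]*\$key[[:space:]]*=[[:space:]]*"\([^"]*\)";.*$/\1/p' | head -n 1
}

# audit_fas UCI_TEXT PHP_TEXT: print one finding per line (nothing if clean).
audit_fas() {
    rkey=$(printf '%s\n' "$1" | uci_opt faskey)
    level=$(printf '%s\n' "$1" | uci_opt fas_secure_enabled)
    port=$(printf '%s\n' "$1" | uci_opt fasport)
    pkey=$(printf '%s\n' "$2" | php_key)

    if [ -z "$rkey" ]; then
        echo "faskey: not set on the router"
    elif [ "$rkey" = "$DEFAULT_KEY" ]; then
        echo "faskey: router uses the script default"
    fi
    if [ -z "$pkey" ]; then
        echo "faskey: no \$key assignment found in the FAS script"
    elif [ "$pkey" = "$DEFAULT_KEY" ]; then
        echo "faskey: FAS script still has the default key"
    elif [ -n "$rkey" ] && [ "$pkey" != "$rkey" ]; then
        echo "faskey: router and FAS script keys differ"
    fi
    if [ "$level" != "3" ]; then
        echo "fas_secure_enabled: '$level', the thread sets '3'"
    elif [ "$port" != "443" ]; then
        echo "fasport: '$port', the thread pairs level 3 with '443'"
    fi
    return 0
}

# Constructed sample input (not taken from a real router or web server).
SAMPLE_UCI="opennds.@opennds[0]=opennds
opennds.@opennds[0].faskey='c0ffee-constructed-key'
opennds.@opennds[0].fas_secure_enabled='3'
opennds.@opennds[0].fasport='443'"
SAMPLE_PHP='<?php
$key="1234567890";'

audit_fas "$SAMPLE_UCI" "$SAMPLE_PHP"
```

On the router, the output of `uci show opennds` is the first argument; the second is the content of the renamed FAS script from the portal web server.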

@RyukMy
Author

RyukMy commented Sep 9, 2023

Everything works smooth...
The logo in the login page is back to the previous one.

@bluewavenet
Member

@RyukMy
Yes, we now have to customise it.

@bluewavenet
Member

@RyukMy

Edit liasgastronomy.php, line 119

Currently it will be:
$imageurl="https://avatars1.githubusercontent.com/u/62547912";

Change it to:
$imageurl="https://liasgastronomy.com/wp-content/uploads/2023/09/portal-logo.jpeg";

And line 120 -
Currently it will be:
$imagetype="png";

Change it to:
$imagetype="jpg";

I think that should do it....

@RyukMy
Author

RyukMy commented Sep 9, 2023

Works

@bluewavenet
Member

@RyukMy
Are you sure it's working?
If I set my opennds to access it I expect an encryption error because I do not have your faskey but I should have the logo but I do not:

Screenshot from 2023-09-09 20-01-23

@RyukMy
Author

RyukMy commented Sep 9, 2023

I believe it is because the router is offline now…

@bluewavenet
Member

@RyukMy
No, I have your portal web server configured on my router, so I should see the logo served by your web site.
It can wait.
It is 20:33 here and just gone dark, aren't you 8 hours ahead of me? It can wait until tomorrow :-D

@RyukMy
Author

RyukMy commented Sep 9, 2023

Where are you?
Here it is 03:40

@bluewavenet
Member

HaHa, yes 7 hours then.
I am in West Scotland, UK

@RyukMy
Author

RyukMy commented Sep 10, 2023

Yes, I confirm, the logo is not there...
I have found the error, and fixed it.
Now should be ok.

@bluewavenet
Member

@RyukMy

Now should be ok.

Indeed it is:

Screenshot from 2023-09-10 09-01-18

@RyukMy
Author

RyukMy commented Sep 10, 2023

What comes next?

@bluewavenet
Member

bluewavenet commented Sep 10, 2023

@RyukMy
Customisation of content.
It is easy to edit the static content on every page. The php script has a function for every page.

Page functions:

  1. login_page() - this displays the username/email form
  2. thankyou_page() - this displays a thankyou message and any information or advertising you might want. This is the last page that the user is guaranteed to see as after this they are authenticated and most client devices immediately close the CPD browser window after this page.
  3. authentication_page() - this page does the authentication. It displays the ticker or an error message before calling the landing page.
  4. landing_page() - most client devices will either not see this page at all, or might see it for just a few seconds before it is closed by the operating system of the client device. It will be seen and be useable on laptop/desktop devices that have used the normal browser to initiate the login process and some older mobile devices.

The html in these functions can be easily edited. Note however double quote characters used in html have the "string termination" function in PHP, so must be escaped using the \ character.

For example, to change the "You are connected to LocalZone:" line, look in function login_page().
Here you will find the code:


	if ($fullname == "" or $email == "") {
		echo "
			<big-red>Welcome!</big-red><br>
			<med-blue>You are connected to $client_zone</med-blue><br>
			<b>Please enter your Full Name and Email Address</b>
		";

Change it to (converting $gatewayname to html format):


	if ($fullname == "" or $email == "") {
		$gatewayname=htmlentities(rawurldecode($gatewayname), ENT_HTML5, "UTF-8", FALSE);
		echo "
			<big-red>Welcome!</big-red><br>
			<med-blue>You are now connected to the $gatewayname network.</med-blue><br>
			<b>Please enter your Full Name and Email Address</b>
		";


@bluewavenet
Member

@RyukMy
Here is the result on my test system:
image

@RyukMy
Author

RyukMy commented Sep 10, 2023

What about login time?
Any other settings ?

@bluewavenet
Member

@RyukMy
No other settings are required but there are many optional settings.
How you change the login pages is up to you.

What about login time?

Do you mean session length? This defaults to 24 hours.
You can also configure data volume quotas and data rates.
Data rates are the most useful and are used for enforcing "fair usage", thus preventing a single user from using all the available bandwidth for example.

You should look at the logs that the FAS server keeps. On the FAS web server, in the folder where liasgastronomy.php is, you should find a folder named ndslog and in there will be the log file nds_log.php

For every client login it will contain an entry with:

  1. login time
  2. the php file name
  3. gatewayname
  4. username
  5. email address
  6. ip address
  7. mac address
  8. login type
  9. interface used
  10. Client's user agent

@RyukMy
Author

RyukMy commented Sep 10, 2023

Can we put a session time of 3 hours and then relogin if necessary?

@bluewavenet
Member

@RyukMy
Session timeout is set in minutes:

uci set opennds.@opennds[0].sessiontimeout='240'

followed by:

uci commit opennds

and restart to activate:
service opennds restart

You can see all the available options in the documentation:
https://opennds.readthedocs.io/en/stable/config.html#configuration-options

@RyukMy
Author

RyukMy commented Sep 13, 2023

Everything works nice and smooth.

I was trying to understand how to setup a time frame when this is working, preferably during the opening hours.

Can this be done from the FAS?

@bluewavenet
Member

bluewavenet commented Sep 13, 2023

@RyukMy
Yes, FAS can override the session length, so it would have to calculate an actual session length using current time, the opening time and closing time.

But, I would ask the question - Is this necessary?
If the opening and closing times can vary? - an example from one of my customers:

"We open at 7pm on Mondays, but 11am Tuesday to Sunday, but are closed on the first Monday of the month. These times may vary if there are large party bookings."

In most countries these days, ISPs provide unlimited or very large data quotas when providing Internet feeds, so use outside opening hours is not a concern.

If in your case this is an issue, then the best solution is to unplug the power from the router as another job for the member of staff who turns out the lights and locks the doors. Alternatively, get a cheap timer for the power supply to automate the switch off.
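
The calculation described at the start of this comment, as an added sketch that is not part of the original comment or of openNDS: given the current time and fixed daily opening and closing times, it returns a session length in minutes that is capped at the configured timeout and ends at closing time. It is written in shell to match the commands in this thread; `to_min` and `session_minutes` are hypothetical names, the sample times are constructed, and varying schedules like the one quoted above are not handled.

```shell
#!/bin/sh
# Added example; these functions are illustrative, not openNDS or FAS code.

# to_min HH:MM: minutes since midnight. One leading zero is stripped from
# each field because shell arithmetic rejects "08" and "09" as octal.
to_min() {
    h=${1%%:*}; m=${1##*:}
    h=${h#0}; m=${m#0}
    echo $(( ${h:-0} * 60 + ${m:-0} ))
}

# session_minutes NOW OPEN CLOSE MAX
#   NOW, OPEN, CLOSE are HH:MM (24 hour clock); MAX is the normal session
#   timeout in minutes. Prints the minutes to grant. 0 means "closed": the
#   caller must refuse the login, never pass 0 on as a session length.
session_minutes() {
    now=$(to_min "$1"); open=$(to_min "$2"); close=$(to_min "$3"); max=$4

    # Closing at or before opening time means the venue closes after midnight.
    if [ "$close" -le "$open" ]; then close=$((close + 1440)); fi
    # A time earlier than opening may still belong to last night's late
    # session, so measure it on the same extended clock.
    if [ "$now" -lt "$open" ]; then now=$((now + 1440)); fi

    left=$((close - now))
    if [ "$left" -le 0 ]; then
        left=0                      # before opening or after closing
    elif [ "$left" -gt "$max" ]; then
        left=$max                   # never exceed the configured timeout
    fi
    echo "$left"
}

# Constructed cases: NOW OPEN CLOSE MAX
for case in "21:30 11:00 23:00 180" "12:00 11:00 23:00 180" \
            "09:00 11:00 23:00 180" "01:00 19:00 02:00 180"; do
    # shellcheck disable=SC2086  # word splitting of $case is intended
    echo "$case -> $(session_minutes $case) min"
done
```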

@RyukMy
Author

RyukMy commented Sep 13, 2023

You are right. Better leave things simple

@bluewavenet
Member

@RyukMy
I have one customer that has the openNDS router mounted behind the bar at the venue. It gets its power from the lighting surrounding the bar.... If the bar is closed, the lights are switched off ;-)

@bluewavenet
Member

@RyukMy
3 hours is 180 minutes of course, so the command would be:
uci set opennds.@opennds[0].sessiontimeout='180'

bluewavenet changed the title from GL-MT300N-V2 to GL-MT300N-V2 as a Captive Portal on Sep 21, 2023
bluewavenet added the good first issue (Good for newcomers) label on Sep 21, 2023
bluewavenet pinned this issue on Sep 21, 2023