Skip to main content

Captive Portal Fail using DD-Wrt on WRT54GS

I recently bought a WRT54GS V7.2 for about $30.  I intended to use this as a Captive Portal Wifi for guests.  It turns out that this version of the GS has only 2Megs of Flash, nearly crippling it.  

I was able to run VxWorksKiller and replace the VxWorks OS with dd-wrt-v2.4Sp1-micro-generic, which is a large improvement.  It has network statistics and repurposes the "Secure Easy Setup" button on the front to toggle the Wifi on/off, which is nice.  But I was unable to run anything useful for a portal, which would redirect clients.  

Useful notes:  

This will allow you to tftp up an image to the router from a linux box
#tftp 192.168.1.1
>binary
>rexmt 1
>timeout 60
>trace
>put file.bin

If the image seems corrupt, meaning when you power it on all the Ethernet lights blink, then only the one port you are plugged into blinks, yet you can ping the device, you can bring it back from the brink of death by:

Powering it up, wait until it gets into its hung state, then press the reset button for 20 seconds
still holding the reset button down, pull the power plug, and continue to hold it down for another 20 seconds
still holding the reset button down, plug the power in, and continue to hold the reset button for 20 seconds

Hotspot notes:
Chillispot won't run on Micro.  Even if it did, it requires a RADIUS server
NoCatSplash won't run on micro
CoovaChili works as a stand-alone Captive Portal for the WRT54GL--I'll use this if I need one
Sveavasoft is commercial (you have to pay or get it from a torrent), and I didn't try to get it for the micro
UseMyNet is a commercial product
WiFiDog needs back end a php or PostgresSQL server
eWRT, which runs NoCatSplash runs on the OpenWRT, but not on 2MB of space

Sputnik DOES run, and I was excited to get that going.   They also have a network management only (NMS) mode, which supposedly incurs no licensing or subscription fees.  This supposedly provides "Client Isolation", and "Enables each user in a hotspot to have a private, hence "isolated" session, improving security on public Wi-Fi networks without adding complexity."  

Here is a screenshot:  

In testing, this never was able to work, even in NMS mode.  The error is that  was "unable to resolve Jabber service IP" even when connected directly to the Internet.   My assumption is that their site went down.  

So, I got dd-wrt to run as an open WiFi hotspot, and can turn the wifi on/off using the Easy Setup button. 

But I could not get a captive portal working on the WRT54GS.  My next try at a Captive Portal will be on a WRT54GL using either ewrt0.4.3 with NoCatSplash, which was state of the art two years ago, or CoovaAP, which I'm pretty confident will work well, and seems to be the latest best thing (but perhaps without a configurable splash page). 

NoCatSplash has authentication deprecated (ghetto!), so I can't use that, as I wanted to hand guests a userid/password.

ewrt wouldn't work, and ChilliSpot required a RADIUS server.  Ugh.  

Tried CoovaAP (openwrt-54g-squashfs.bin).   It looks like this might be the ticket.  Tried to configure this, and somehow messed up my configuration.  tried to upload a new firmware and start over, and it turns out that CoocvaAP takes over the firmware, and won't let you install anything else.  SO USE COOVAAP AT YOUR OWN RISK.  The only way I was able to reflash the router was with the JTAG cable again.   This thing has been worth its weight in gold with this router, as it's helped me recover from a corrupt BIOS (CFE Image), enabled me to reflash the router when the boot-wait was not turned on, enabled me to reflash nvram that was corrupt and I couldn't fix (say with the reset button), but mostly just fix bad firmware images that like to take over the OS and lot let it go.  

Uploaded the CoovaAP WRT54GL 1.0-beta.8 openwrt-54g-squashfs.bin file to the router, and started over.   Tried to do this directly via the JTAG cable, which took over three hours, but it didn't work.   So I uploaded the original Linksys firmware, and upgraded through the GUI.  

When CoovaAP booted, I changed the default password, and then went to the Hotspot section.  Under the "Configuration Tab", I changed the Hotspot type to Internal, Wireless only, Deny, Http for configured users.  

Under the "Access List" tab, I added one guest.  

Under the Portal Tab, I selected "Login Page", and changed the HTML to what I wanted it to say.  The cool thing about this is that it allows you to customize your login page!  

I applied changes, and tested it.  It didn't work.  So I went in to the GUI and started CoovaChilli (it was installed, but not running).   This worked like a champ (after unplugging and then plugging the router back in).   

A couple of items worth note is that the Coova firmware is a little buggy, and wouldn't finish applying the changes I made unless it had an Internet connection.  Also, a user has to have a browser with JavaScript enabled to see the login page.   This is a little ghetto, but I suppose that most folks have Javascript enabled on their browsers anyway, so I guess that I can live with it. 

So I have an authenticated, encrypted Captive Portal to the Internet.   Finally!   CoovaAP seems like the ticket.  Next on the list is installing a client and server certificate-authenticated VPN tunnel, so that I can jump to the Internet from my home router when accessing it from an external, unencrypted Hotspot.  

Comments

Popular posts from this blog

HP c6180 Printer and Vista

Hp c6180 driver issues with Vista Home Premium My wife has a Vista Home Premium laptop, and the HP C6180 Photosmart printer keeps disappearing from her available printers.  The only way I've found to fix the problem is to reinstall all the HP software. When I do this, I have to download the (large..507M software from HP, or reinstall the printer (ONLY the printer, not the scanner) with the installation disk, as the drivers are not discovered with a "Windows Update" setting.  My guess is that is because HP doesn't like people to install only the printer driver, which would be easy, but they want folks to install all their crapware as well, so they are withholding the drivers from the on-line Microsoft printer database.  So keep your installation CD!  I've also found that unless I install everything on the CD or in the Full Version download (HP Customer Participation Program, HP Imaging Device functions, HP OCR SW, HP All-In-one SW, HP Photosmart Essential, HP

atftpd vs tftpd-hpa

Recently I was trying to tftp files from a Windows computer to a Kali box.   One version of Windows worked, but another didn't.    After much troubleshooting, here were my symptoms: I could tftp a file from-to any Kali box from-to another Kali box I could NOT tftp files to a specific Windows 7 box from any Kali box I could NOT tftp files to a Chrooted-Ubuntu-Chromebook box from a Kali box After MUCH troubleshooting, going through every setting in atftpd, it seemed like it literally was a client OS problem.  Different clients simply would not download files---unacceptable. Thus, I switched to tftpd-hpa.   To install: apt-get install tftpd-hpa files go to/come from /srv/tftp, but it needs to be a tftp user. Thus, I needed to: chroot -R /srv/tftp Also, if you want to be able to put files ON the tftp server (from a client), you need to modify /etc/default/tftpd-hpa: change "TFTP_OPTIONS="--secure"  to "TFTP_OPTIONS="--secure --create" I al

Security Onion on the Antsle

My Setup of Security Onion on the Antsle: Recently my IDS box, an Intel Atom D2500 Fanless Mini-ITX PC, D2500CCE, died.  Truth be told, I think it came from the factory in a bad state, as I originally thought I had a bad graphics driver, but I then noticed that, after much troubleshooting, it wasn't a driver issue at all.  The box just sometimes wouldn't boot up correctly with video.  It seems heat related, something like not enough thermal paste on the CPU, as after it is powered off for a while it is more likely to boot than when it is warm.  Along with that issue, this box maxed out at 4GB of RAM (only has 2 memory slots, each of which will only take a 2GB card max) and had a single processor, so it was under powered for Security Onion. So, I decided to quit limping along on P.O.S. boxes, and buy a little more heavyweight box for my networked IDS.   Security Onion requires a minimum of 8GB of RAM, and 4 cores per their specs page https://github.com/secur