[isf-wifidog] Re[2]: Successful auth - but re-locks - continued.

listserv.traffic at sloop.net listserv.traffic at sloop.net
Mar 31 Oct 20:42:20 EST 2006

> Is bridging on when you turn on wifidog?  In any case, check that when you
> shutdown wifidog, you DO have internet access.

I turn off bridging as shown on the docs pages.
Here: http://dev.wifidog.org/wiki/doc/install/openwrt

They say:
Firewall rules

If you set up your OpenWrt-powered router with a bridged network interface (default), the current firewall rules of OpenWrt do not permit to block all outgoing TCP/UDP ports except port 80 until a user has authenticated via WiFiDog?'s login page.

You are going to have to disable forwarding from the bridge interface to the wan interface in /etc/init.d/S45firewall:

# The following have been commented out for WiFiDog to work
# iptables -A FORWARD -i br0 -o br0 -j ACCEPT
# iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT

Which makes sense to me - however that doesn't mean it's correct.
:) (Though I'd admit I've not really scrutinized it much in terms of
"does it make sense" ...)

So, yes, the bridge is blocked. (More like not forwarded, but the
effect is the same.

No, when WiFiDog is down, there is NO Internet access. I assume then,
that the bridge documentation above is wrong, and that WiFiDog is
setting up all the rules it needs as it runs.

The only problem would be if WiFiDog *didn't* run and the firewall
rules were wide open, right?

Which brings the question. Does WifiDog *reset* all the rules, so we can
have a default-closed config, rather than default-open? (i.e. Flush
iptables before creating the "new" rules? (Or am I totally lost and

> However this would not explain why the server returns you a deny.  Are you
> sure that the user you are trying to use to connect to the internet has
> validated?  Looking at the code, we may have made a logic error in the
> authentication, causing a successfull auth followed by an immediate deny for
> a user that has account status denied. 

> Go to "User log" in the admin interface.  In the "Account Status" column, what
> do you see for the user you are using to get internet access?

This I'll check on. More on that later.


Plus d'informations sur la liste de diffusion WiFiDog