[isf-wifidog] Implementing ipv6 support on wifidog

Andrew Niemantsverdriet andrewniemants at gmail.com
Mon Feb 14 09:49:52 EST 2011


Hi

2011/2/14 Jean-Philippe Menil <jean-philippe.menil at univ-nantes.fr>:
> On 14/02/2011 14:03, Marc Blanchet wrote:
>>
>> Sorry to be late on this thread.
>> - NAT is not what a captive portal does. A captive portal intercepts the DNS
>> request and then, after authentication, modifies firewall rules to let it go
>> through. So IPv6 will be no different.
>> - However, something really different in IPv6 is the fact that the gateway
>> receives a prefix from the DHCPv6 server. The prefix is then used for the
>> internal network using router advertisements sent by the gateway. And the
>> gateway does not do any NAT, only forwarding. So in the design, you must
>> consider that.
>>
>> Marc.
>>
>>
>> On 11-02-12 13:27, Richard Lussier wrote:
>>>
>>> Hi,
>>>
>>> Would that approach make it easier to port to FreeBSD ?... I am thinking
>>> about a package for pfSense ?
>>> Sorry if that does not make sense, I'm a newbie.. :-)
>>>
>>> Richard
>>>
>>> On 2011-02-12 13:02, Andrew Niemantsverdriet wrote:
>>>>
>>>> Hi,
>>>>
>>>> 2011/2/12 Jean-Philippe Menil<jean-philippe.menil at univ-nantes.fr>:
>>>>>
>>>>> On 11/02/2011 20:30, Geneviève Bastien wrote:
>>>>>>
>>>>>> ip6tables uses filtering, based on the ip address, instead of nat,
>>>>>> and you
>>>>>> can still build firewall and routing rules with it.
>>>>>>
>>>>>> But I'll take a look at tproxy and ipset and see if it would work
>>>>>> best for
>>>>>> wifidog.
>>>>>>
>>>>>> Geneviève
>>>>>>
>>>>>>
>>>>>>> On 11/02/2011 17:01, Geneviève Bastien wrote:
>>>>>>>>
>>>>>>>> Hi all,
>>>>>>>>
>>>>>>>> We'll soon start working on implementing the ipv6 support on the
>>>>>>>> wifidog
>>>>>>>> client. One of the problems will be to port to ip6tables the
>>>>>>>> actual
>>>>>>>> iptables that wifidog creates at startup, so that all the redirects
>>>>>>>> still
>>>>>>>> work on ipv6.
>>>>>>>>
>>>>>>>> Can anyone help with that?
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Geneviève
<snip>
> Hi,
>
> Maybe I have misunderstood.
> But with the actual wifidog, a client does an HTTP request, which is
> "natted" to port 2060, the port on which the wifidog daemon is listening.
> Without this NAT rule, you don't have any redirection.
>
> Regards.

Jean Philippe,

You are correct. IPv6 has no concept of NAT so the current way wifidog
works is not possible. However (correct me if I am wrong) ip6tables
does support the queue mechanism. That would allow us to mark the
packets and pass them into user space. From there a proxy of some sort
could be used to implement the actual captive portal and when the user
authenticates the queue rule could be removed.  Similar to what
wifidog does now.

Thanks,
 _
/-\ ndrew
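
The queue-based design proposed in this message, as an added example (not part of the original post and not wifidog code): it builds the `ip6tables` command lines that send unauthenticated HTTP to a userspace queue and bypass the queue per client after login, instead of removing one global rule. The chain name `CaptiveV6`, the interface `br-lan`, queue number 0 and the DNS allow rule are assumptions.

```python
import ipaddress

CHAIN = "CaptiveV6"  # hypothetical chain name, not one wifidog creates


def portal_rules(iface, queue_num=0):
    """Base rules: forwarded HTTP from iface is handed to a userspace queue."""
    queue_num = int(queue_num)
    if not 0 <= queue_num <= 65535:
        raise ValueError("queue number out of range")
    # Each rule is an argv list, meant for subprocess.run(argv) with no shell.
    return [
        ["ip6tables", "-N", CHAIN],
        ["ip6tables", "-A", "FORWARD", "-i", iface, "-j", CHAIN],
        # Assumption: DNS is allowed before login so the browser can resolve names.
        ["ip6tables", "-A", CHAIN, "-p", "udp", "--dport", "53", "-j", "ACCEPT"],
        # Forwarding only, no NAT: port 80 goes to the userspace portal process.
        ["ip6tables", "-A", CHAIN, "-p", "tcp", "--dport", "80",
         "-j", "NFQUEUE", "--queue-num", str(queue_num)],
        ["ip6tables", "-A", CHAIN, "-j", "DROP"],
    ]


def _client(addr):
    """Validate a client address before it reaches a firewall command line."""
    ip = ipaddress.IPv6Address(addr)  # raises ValueError on non-IPv6 input
    if ip.is_link_local or ip.is_multicast or ip.is_unspecified or ip.is_loopback:
        raise ValueError("not a routable client address: %s" % ip)
    return ip.compressed + "/128"


def allow_client(addr):
    """After authentication: accept this client ahead of the queue rule."""
    return ["ip6tables", "-I", CHAIN, "1", "-s", _client(addr), "-j", "ACCEPT"]


def revoke_client(addr):
    """On logout or timeout: delete the matching accept rule."""
    return ["ip6tables", "-D", CHAIN, "-s", _client(addr), "-j", "ACCEPT"]


if __name__ == "__main__":
    # Constructed sample client from the 2001:db8::/32 documentation prefix.
    for argv in portal_rules("br-lan") + [allow_client("2001:db8:0:1::42")]:
        print(" ".join(argv))
```

A client usually holds several IPv6 addresses at once (for example temporary privacy addresses), so a per-address accept rule covers only the address that authenticated.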

