[isf-wifidog] Implementing ipv6 support on wifidog

Geneviève Bastien gbastien at versatic.net
Wed 23 Mar 19:56:28 EDT 2011


Hi Mark,

Any update on this?  I'd like to read your draft.  What do you think 
would be the best way to do ipv6 captive portals?
On my part, I didn't have time to do anything regarding ipv6 support on 
wifidog :(  I certainly hope for something before the ipv6 day of June 
8, whether it is part of a gateway release or, more likely, just a proof 
of concept...

Geneviève


On 23/02/11 14:48, Marc Blanchet wrote:
> hello,
> I'll start writing a draft on captive portal and ipv6, with insight
> on how ipv6 should be deployed in this context. That would be somewhat
> a requirement document that can then be used as the basis for
> implementing the solution. Will forward on that list when 1st version
> done.
>
> Marc.
>
> On 11-02-14 14:15, Geneviève Bastien wrote:
>> Hi,
>>
>> Thank you all for your feedback and suggestions.  Let's continue this
>> debate.  I personally don't know much about either tinyproxy, ipset or
>> even ip[6]tables.
>>
>> But here are some thoughts, from all the comments:
>>
>> - ipv6 support will require some work, even if we decide to go ip6tables,
>> it will be like a second redirect mechanism, maybe double the
>> configuration options.
>> - We have to write something for ipv6 anyway, so if it is possible to have
>> a solution that would work the same with ip4, then great, all the best!
>> - And if we can make it compatible with pfsense and FreeBSD, or at least
>> make it easier to port, all the best!
>> - We might lose some of the code stability/maturity, but not all, just
>> for the redirecting part, but we don't have any ipv6 stability anyway...
>>
>> I'll start a branch for ipv6 support on the svn.
>>
>>
>> Thanks,
>> Geneviève
>>
>>
>> Some doc about the gateway:
>> The authentication process:
>> http://dev.wifidog.org/wiki/doc/developer/FlowDiagram
>>
>> The firewall map of wifidog
>> http://dev.wifidog.org/attachment/wiki/doc/wifidog_firewall_diagram.png
>>
>>
>>> Hi.
>>>
>>> 2011/2/14 Jean-Philippe Menil<jean-philippe.menil at univ-nantes.fr>:
>>>> On 14/02/2011 15:49, Andrew Niemantsverdriet wrote:
>>>>>
>>>>> Hi
>>>>>
>>>>> 2011/2/14 Jean-Philippe Menil<jean-philippe.menil at univ-nantes.fr>:
>>>>>>
>>>>>> On 14/02/2011 14:03, Marc Blanchet wrote:
>>>>>>>
>>>>>>> sorry to be late on this thread.
>>>>>>> - nat is not what a captive portal does. captive portal intercepts dns
>>>>>>> request and then after authentication modify firewall rules to let it
>>>>>>> go through. so ipv6 will be no different.
>>>>>>> - however, something really different in IPv6 is the fact that the
>>>>>>> gateway receives a prefix from the DHCPv6 server. The prefix is then
>>>>>>> used for the internal network using router advertisements sent by the
>>>>>>> gateway. And the gateway does not do any NAT, only forwarding. So in
>>>>>>> the design, you must consider that.
>>>>>>>
>>>>>>> Marc.
>>>>>>>> On 2011-02-12 13:02, Andrew Niemantsverdriet wrote:
>>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> 2011/2/12 Jean-Philippe Menil<jean-philippe.menil at univ-nantes.fr>:
>>>>>>>>>>
>>>>>>>>>> On 11/02/2011 20:30, Geneviève Bastien wrote:
>>>>>>>>>>>
>>>>>>>>>>> ip6tables uses filtering, based on the ip address, instead of
>>>>>>>>>>> nat, and you can still build firewall and routing rules with it.
>>>>>>>>>>>
>>>>>>>>>>> But I'll take a look at tproxy and ipset and see if it would
>>>>>>>>>>> work best for wifidog.
>>>>>>>>>>>
>>>>>>>>>>> Geneviève
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>> On 11/02/2011 17:01, Geneviève Bastien wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> Hi all,
>>>>>>>>>>>>>
>>>>>>>>>>>>> We'll soon start working on implementing the ipv6 support on
>>>>>>>>>>>>> the wifidog client. One of the problems will be to port to
>>>>>>>>>>>>> ip6tables the actual iptables that wifidog creates at startup,
>>>>>>>>>>>>> so that all the redirects still work on ipv6.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Can anyone help with that?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>> Geneviève
>>>>>
>>>>> <snip>
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> maybe I misunderstood.
>>>>>> But with the actual wifidog, a client does an http request, which is
>>>>>> "natted" to port 2060, the port on which the wifidog daemon is
>>>>>> listening.
>>>>>> Without this nat rule, you don't have any redirection.
>>>>>>
>>>>>> Regards.
>>>>>
>>>>> Jean Philippe,
>>>>>
>>>>> You are correct. IPv6 has no concept of NAT so the current way wifidog
>>>>> works is not possible. However (correct me if I am wrong) ipv6tables
>>>>> do support the queue mechanism. That would allow us to mark the
>>>>> packets and pass them into user space. From there a proxy of some sort
>>>>> could be used to implement the actual captive portal and when the user
>>>>> authenticates the queue rule could be removed.  Similar to what
>>>>> wifidog does now.
>>>>>
>>>>> Thanks,
>>>>>   _
>>>>> /-\ ndrew
>>>>
>>>> Yes,
>>>>
>>>> but if you do that, there will be two mechanisms of redirection, one for
>>>> ipv4 (wifidog daemon listening on port 2060), another for ipv6 (local
>>>> proxy or whatever).
>>>>
>>>> It will be good to have a unique mechanism working with both ipv4/ipv6.
>>>> Maybe it will be a good idea to look at the tproxy target.
>>>>
>>>> I've seen an interesting feature with rahunas (see rahunas.org). It's
>>>> working with ipset.
>>>> Maybe another way to do it.
>>>>
>>>> In fact, I'm very interested in working on ipv6 support.
>>>>
>>>>
>>>> Regards.
>>>
>>> Jean Philippe,
>>>
>>> ipv4 iptables contains the queue target as well. So the same mechanism
>>> would work for both, I think. However that being said after having
>>> researched the TPROXY target more I agree that it might be the way to
>>> go. I have not heard of ipset however it looks very interesting. I too
>>> would be interested in working on IPv6 support and have one other
>>> person that works for me who would be too.
>>>
>>> I would be interested in seeing what the design goals are.
>>>
>>> Thanks,
>>>   _
>>> /-\ ndrew
>>> _______________________________________________
>>> WiFiDog mailing list
>>> WiFiDog at listes.ilesansfil.org
>>> http://listes.ilesansfil.org/cgi-bin/mailman/listinfo/wifidog
>>>
>>
>>
>
>
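
The single redirect mechanism for both address families that the thread discusses (TPROXY plus ipset), as an added example that is not from the thread or from wifidog. The set names, interface `br-lan`, fwmark 1, routing table 100 and a portal daemon on port 2060 that opens its socket with IP_TRANSPARENT are assumptions; the script only prints the commands and changes nothing on the host.

```shell
#!/bin/sh
# Dry-run generator: prints the rule set for one address family.
# Assumed names (not from the thread): sets authed4/authed6, fwmark 1,
# routing table 100, LAN interface and portal port passed as arguments.

portal_rules() {
    fam=$1; lan=$2; port=$3
    case $fam in
        inet)  ipt=iptables;  ipcmd="ip";    setname=authed4; any=0.0.0.0/0 ;;
        inet6) ipt=ip6tables; ipcmd="ip -6"; setname=authed6; any=::/0 ;;
        *) echo "unknown family: $fam" >&2; return 1 ;;
    esac
    cat <<EOF
# --- $fam: no NAT involved, only marking, local delivery and filtering
ipset create $setname hash:ip family $fam timeout 3600
$ipcmd rule add fwmark 1 lookup 100
$ipcmd route add local $any dev lo table 100
$ipt -t mangle -N DIVERT
$ipt -t mangle -A DIVERT -j MARK --set-mark 1
$ipt -t mangle -A DIVERT -j ACCEPT
$ipt -t mangle -A PREROUTING -i $lan -p tcp -m socket -j DIVERT
$ipt -t mangle -A PREROUTING -i $lan -p tcp --dport 80 -m set ! --match-set $setname src -j TPROXY --on-port $port --tproxy-mark 0x1/0x1
$ipt -A FORWARD -i $lan -m set --match-set $setname src -j ACCEPT
$ipt -A FORWARD -i $lan -p udp --dport 53 -j ACCEPT
$ipt -A FORWARD -i $lan -j REJECT
EOF
}

# After authentication the client address is added to the matching set;
# nothing in the rule set itself is touched.
portal_allow() {
    case $1 in
        *:*) echo "ipset add authed6 $1" ;;
        *)   echo "ipset add authed4 $1" ;;
    esac
}

for fam in inet inet6; do
    portal_rules "$fam" br-lan 2060
done
portal_allow 2001:db8::10   # constructed sample client address
```

Both families get the same rule shape; only the binary, the set and the catch-all prefix differ, and authenticating a client is one `ipset add` instead of a rule rewrite.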


