[isf-wifidog] Gateway development

Andrew Niemantsverdriet andrewniemants at gmail.com
Mon 14 Nov 14:17:31 EST 2011


Hi,

Yes, you can kinda have a walled garden working. However it is a huge
pain in the butt to do, since it is done in the conf file; that means
each AP has to be touched. Also the conf file does not play nice with
domain names (even though iptables can), so for example allowing a
walled garden entry of google.com would involve adding 20 IPs that
change depending on geographic location and loads on each server. This is
not practical at all.  What I am proposing is a mechanism to allow the
server to keep a central list of URLs that is used by the
gateway to determine if a URL should be allowed or not.

What I ended up doing is moving away from putting things in the
wifidog.conf file and using a proxy server. This eliminates one of
wifidog's strengths, which is the fact that you only need a web server
to run wifidog, with no extra servers like squid, radius, etc. It also forced
me to move the gateways off the AP and onto a central server. That is
kinda a bad deal because it introduces a single point of failure for
my wireless network.

The way this gets used in my network is I have a couple of sites that
are allowed. My network is comprised of students, faculty and staff;
they need access to the school's web site and all the associated
servers with it. I also allow them to download virus scanners and what
not.

For browser-less authentication there has been some talk about it here:

http://dev.wifidog.org/wiki/doc/developer/SupportingDevicesWithNoWebBrowser

At the bottom it mentions v2 of the protocol. What I want to see is a
way for the Wifidog server to be able to maintain a whitelist of MACs
that are allowed to connect. That along with the walled garden
approach above would eliminate many of the problems I am seeing with
things like Xboxes and Nintendos trying to connect up wireless and
being unable to.

Thanks,
 _
/-\ ndrew

On Mon, Nov 14, 2011 at 11:38 AM, acv <acv at miniguru.ca> wrote:
> On Mon, Nov 14, 2011 at 11:16:09AM -0700, Andrew Niemantsverdriet wrote:
>>
>> I have looked over the new protocol and am liking what I see. Some
>> things that I would like to see implemented are walled gardens and a
>> sane way to handle clients that don't have a browser.
>
> The lack of browser I am not sure... This falls a bit out of the bound of your
> typical captive portal. I might need help to see a scenario where the gateway
> can do /anything/.
>
> For the walled garden, can you flesh out the ideal use case for me? There is
> already some support for that in terms of the different user classes and the
> configurable firewall rules. The protocol is already able to handle that case
> although admittedly this might not be properly configurable. With a better
> use case I'd be able to better see what gateway side improvement might be
> needed.
>
> Alex
>
>> I can offer my network for testing. It is not huge but big enough... I
>> have 27 access points and max out at 200 on at one time. The average
>> is lower but I don't know what that is since I don't have any metrics
>> for that. Contact me off list if you are interested.
>>
>> Thanks,
>>  _
>> /-\ ndrew
>>
>> On Thu, Nov 10, 2011 at 7:45 PM, acv <acv at miniguru.ca> wrote:
>> > Hi All,
>> >
>> > I have been spending a bit more time working on the gateway and I have drafted a
>> > proposal for a protocol to replace the current ad-hoc protocol. This first proposal
>> > is more of an interim protocol to pave the way for new features since it doesn't
>> > implement any truly "new" functionalities but it is readily extensible.
>> >
>> > Specifications can be found here:
>> >
>> > https://bitbucket.org/acv/wifidog-ng/wiki/ProtocolV1.5
>> >
>> > I believe anyone should be able to edit this wiki page (may need a free bitbucket
>> > account).
>> >
>> > I figure I could have this implemented by Christmas or so given my current spare time.
>> >
>> > Cheers,
>> >
>> > Alexandre
>> >
>> > _______________________________________________
>> > WiFiDog mailing list
>> > WiFiDog at listes.ilesansfil.org
>> > http://listes.ilesansfil.org/cgi-bin/mailman/listinfo/wifidog
>> >
>
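
The central walled-garden and MAC lists proposed in the message above could be evaluated on the gateway or proxy roughly as follows. This is an added example, not code from WiFiDog or from anyone in the thread; the list format, function names and sample entries are constructed.

```python
import re

# Constructed sample of a centrally published list; this format is hypothetical.
CENTRAL_LIST = {
    "domains": ["school.example", "*.school.example", "av-vendor.example"],
    "macs": ["00-1A-2B-3C-4D-5E", "001a.2b3c.4d5f"],
}

_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def normalize_host(value):
    """Return a lower-case hostname without port or trailing dot, or None."""
    host = value.strip().lower()
    if host.startswith("["):          # bracketed IPv6 literal: not a domain name
        return None
    host = host.split(":", 1)[0].rstrip(".")
    labels = host.split(".")
    if not host or not all(_LABEL.match(label) for label in labels):
        return None
    return host


def domain_allowed(value, patterns):
    """Match on whole labels, so 'evilschool.example' never matches 'school.example'."""
    host = normalize_host(value)
    if host is None:
        return False
    for pattern in patterns:
        pattern = pattern.lower()
        if pattern.startswith("*."):
            if host.endswith(pattern[1:]):   # pattern[1:] keeps the leading dot
                return True
        elif host == pattern:
            return True
    return False


def normalize_mac(value):
    """Accept 00:1a:.., 00-1A-.. and 001a.2b3c.. spellings; return aa:bb:.. or None."""
    digits = re.sub(r"[-:.]", "", value.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_allowed(value, macs):
    """MAC addresses can be changed by the client, so this identifies, not authenticates."""
    mac = normalize_mac(value)
    return mac is not None and mac in {normalize_mac(m) for m in macs}
```

Matching by name at the proxy avoids tracking the changing IP sets behind a domain, which is the problem the message describes with per-AP conf entries.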


More information about the WiFiDog mailing list