I have set up hotspot together with userman to allow auto-signup this way:
hotspot running in a 10.0.0.0/24 subnet
made a new bridge with address 10.50.50.50/32
enabled radius for hotspot service on this address
added a router with same ip and credentials to user manager
edited hotspot login.html with a link to http://10.50.50.50/user/signup
added 10.50.50.50 as dst address in walled garden ip list
added a firewall input rule to allow 10.50.50.50 on port 80 tcp (otherwise http://10.50.50.50/user/signup is not reachable)
added a firewall input rule to allow 10.50.50.50 on ports 1812-1813 udp (otherwise signup does not work)
once a user has self-signed up he is redirected again to the login page, where he can enter his credentials and access the internet (signup allows a time-free account)
The problem is that if any logged-in user tries to access http://10.50.50.50 he goes straight into the webfig page without being asked for credentials!
How can I avoid this?
Can I avoid running webfig on the 10.50.50.50 address for common users (and allow it only for the userman signup)?
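The setup described in the post, written out as the equivalent RouterOS CLI commands (an added example, not the poster's own configuration; the bridge name, router name, hotspot profile name and the secret/password placeholders are assumptions):

```routeros
# Added example reconstructing the steps above; names and secrets are placeholders.
# 1. Dedicated bridge carrying only the 10.50.50.50/32 address used for userman
/interface bridge add name=br-userman comment="userman signup endpoint"
/ip address add address=10.50.50.50/32 interface=br-userman

# 2. Hotspot authenticates against RADIUS on that address (profile name assumed)
/radius add service=hotspot address=10.50.50.50 secret=CHANGE-ME-SHARED-SECRET
/ip hotspot profile set hsprof1 use-radius=yes

# 3. Register the same router IP and secret in User Manager
/tool user-manager router add name=hotspot-router ip-address=10.50.50.50 shared-secret=CHANGE-ME-SHARED-SECRET

# 4. Let unauthenticated hotspot clients reach the signup page
/ip hotspot walled-garden ip add dst-address=10.50.50.50 action=accept

# 5. Input rules: TCP/80 for the signup page, UDP/1812-1813 for RADIUS.
#    NOTE: the TCP/80 rule also exposes webfig, because userman and webfig
#    share the same www service and the firewall cannot tell them apart.
/ip firewall filter add chain=input dst-address=10.50.50.50 protocol=tcp dst-port=80 action=accept comment="userman signup (also reaches webfig)"
/ip firewall filter add chain=input dst-address=10.50.50.50 protocol=udp dst-port=1812-1813 action=accept comment="RADIUS auth/acct to userman"

# Minimum hardening given the above: never leave admin without a password,
# otherwise webfig on 10.50.50.50 opens without any credentials at all.
/user set admin password=CHANGE-ME-STRONG-ADMIN-PASSWORD
```

Every hotspot client that can reach the signup URL can also reach the webfig login on the same address and port, so the admin password is what protects the router here.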
> The problem is if any user tries to access http://10.50.50.50 he goes straight into the webfig page without being asked for credentials!
In the laboratory test environment I forgot to set the admin password …
Anyway, the real question could be: once an interface (i.e. a bridge) is created, is it possible to run the userman web interface instead of the webfig interface (and vice versa) on it?
Probably not, as both use the same port 80 http server; could we filter access to these different services by URL / path?
I’ve never set up a hotspot, but have you tried changing the www service port from 80 to whatever? I don’t have the hotspot package installed on any of my routers so I can’t check, but afaik hotspot and webfig are different services, so changing the www service port shouldn’t affect the hotspot portal?
You can’t do it at the firewall level … if both userman and webfig use the same www service, then they’re indistinguishable at layer 3, which is where the firewall operates (L7 hooks set aside). Selective allow/deny should thus be done inside the www service (possibly similar to how webfig graphing is done … for each graph you set an allowed client IP list).