
 
ik3umt
Member Candidate
Topic Author
Posts: 219
Joined: Tue Jul 08, 2014 3:58 pm

hotspot + userman : how avoid to reach webfig ?

Tue May 14, 2019 4:24 pm

I have set up hotspot together with userman to allow auto-signup this way:

hotspot running in a 10.0.0.0/24 subnet
made a new bridge with address 10.50.50.50/32
enabled radius for hotspot service on this address
added a router with same ip and credentials to user manager
edited hotspot login.html with a link to http://10.50.50.50/user/signup
added 10.50.50.50 as dst address in walled garden ip list
added a firewall input rule to allow 10.50.50.50 on port 80 tcp (otherwise no http://10.50.50.50/user/signup is reachable)
added a firewall input rule to allow 10.50.50.50 on ports 1812-1813 udp (otherwise no signup)

Once a user has self-signed up, he is redirected again to the login page where he can enter credentials and access the internet (signup allows a time-free account).

The problem is that if any logged-in user tries to access http://10.50.50.50, he goes straight into the webfig page without being asked for credentials!

How can I avoid this?
Can I avoid running webfig on the 10.50.50.50 address for common users (and allow it only for userman signup)?

Any suggestions, please?
 
ik3umt
Member Candidate
Topic Author
Posts: 219
Joined: Tue Jul 08, 2014 3:58 pm

Re: hotspot + userman : how avoid to reach webfig ?

Tue May 14, 2019 5:44 pm

The problem is if any user tries to access http://10.50.50.50 he goes straight into the webfig page without being asked for credentials!
In the laboratory test environment I forgot to set the admin password ......... :? :?

Anyway, the real question could be: once an interface (i.e. bridge) is created, is it possible to run the userman web interface instead of the webfig interface, and vice versa, on it?
Probably not, as both are using the same port 80 http server. Could we filter access to these different services by url / path?
 
NetWorker
Frequent Visitor
Posts: 61
Joined: Sun Jan 31, 2010 6:55 pm

Re: hotspot + userman : how avoid to reach webfig ?

Tue May 14, 2019 7:47 pm

I've never set up a hotspot, but have you tried changing the www service port from 80 to whatever? I don't have the hotspot package installed on any of my routers so I can't check, but afaik hotspot and webfig are different services, so changing the www service port shouldn't affect the hotspot portal?
 
ik3umt
Member Candidate
Topic Author
Posts: 219
Joined: Tue Jul 08, 2014 3:58 pm

Re: hotspot + userman : how avoid to reach webfig ?

Wed May 15, 2019 9:25 am

Already tried; changing the www port affects both userman and webfig. It would be easy if a port could be set for separate www services.

Any other idea to allow/deny userman rather than webfig at firewall level?
 
mkx
Forum Guru
Posts: 2433
Joined: Thu Mar 03, 2016 10:23 pm

Re: hotspot + userman : how avoid to reach webfig ?

Wed May 15, 2019 2:35 pm

> Already tried; changing the www port affects both userman and webfig. It would be easy if a port could be set for separate www services.
>
> Any other idea to allow/deny userman rather than webfig at firewall level?

You can't do it at firewall level ... if both userman and webfig use the same www service, then they're indistinguishable on L3 layer which is where firewall operates (L7 hooks set aside). Selective allow/deny should thus be done inside www service (possibly similar to how webfig graphing is done ... for each graph you set allowed client IP list).
BR,
Metod
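
Added example, not part of the thread and not MikroTik code: since the firewall cannot tell userman from webfig on the same IP and port, the choice has to be made on the HTTP request path, for instance in a reverse proxy placed in front of the router's www service. The sketch below is the path check such a proxy would apply; the separate proxy host and the `/user/` prefix are assumptions (the thread only shows `/user/signup`), and the function names are hypothetical.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Assumption: everything the signup flow needs lives under /user/
# (the thread only shows /user/signup).
ALLOWED_PREFIX = "/user/"


def canonical_path(request_target: str) -> Optional[str]:
    """Canonical path of an origin-form request target, or None to fail closed."""
    if not request_target.startswith("/"):
        return None  # absolute-form or garbage: hotspot clients never need it
    raw = request_target.split("?", 1)[0].split("#", 1)[0]
    path = unquote(raw)  # decode exactly once, as a backend would
    # Still-encoded data, backslashes or control characters are read
    # differently by different servers, so reject instead of guessing.
    if "%" in path or "\\" in path or any(ord(c) < 0x20 for c in path):
        return None
    # normpath resolves "." and ".." and repeated slashes; strip the leading
    # run of slashes first because POSIX normpath keeps a leading "//".
    return posixpath.normpath("/" + path.lstrip("/"))


def is_allowed(request_target: str) -> bool:
    """True only if the request resolves to a location under ALLOWED_PREFIX."""
    path = canonical_path(request_target)
    return path is not None and (path + "/").startswith(ALLOWED_PREFIX)


# Constructed request targets. On the wire they all go to the same address and
# TCP port 80, which is why an L3/L4 rule treats them identically.
SAMPLES = [
    "/user/signup",
    "/user/signup?lang=en",
    "/",                          # the www service root
    "/webfig/",
    "/userman",                   # shares the string prefix "/user", not the path
    "/user/../webfig/",           # prefix match on the raw string would pass this
    "/user/%2e%2e/webfig/",       # same, percent-encoded
    "/user/%252e%252e/webfig/",   # double-encoded: rejected as ambiguous
    "http://10.50.50.50/webfig/",
]

if __name__ == "__main__":
    for target in SAMPLES:
        print("forward" if is_allowed(target) else "deny   ", target)
```

The proxy should forward the canonical path rather than the raw request target, so the backend sees exactly what was checked.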
 
HenryChinaski
just joined
Posts: 10
Joined: Mon Sep 25, 2017 10:00 pm

Re: hotspot + userman : how avoid to reach webfig ?

Fri Jun 14, 2019 3:08 am

> Already tried; changing the www port affects both userman and webfig. It would be easy if a port could be set for separate www services.
>
> Any other idea to allow/deny userman rather than webfig at firewall level?

ik3umt,

Hi, did you find a way to secure webfig access from the signup page?
