Zeroshell Linux: Captive Portal, Internet Gateway and Router (part3)

By: Eric Geier
Monday, May 18, 2009 02:41:42 PM EST
URL: http://www.linuxplanet.com/linuxplanet/tutorials/6751/1/
Last month we discovered ZeroShell (part 1, part 2), a multi-purpose LAN server
that you can run from an open source Live CD on an old PC. After doing the initial setup
in Part 1, we configured the RADIUS server for 802.1X/PEAP authentication in Part 2.
This way we could configure our wireless access points (APs) to run enterprise-level
Wi-Fi encryption. We played around with the AP features of ZeroShell in the
second part as well.
Now we're going to experiment with the captive portal functions, in case you
want to offer public Internet access. Plus we'll figure out how to get ZeroShell
to take over the routing and DHCP functions of your network, so you can get rid
of your off-the-shelf router. Let's get started!
Setting up the Captive Portal
As briefly mentioned, you might want to use ZeroShell's captive portal
feature if you want to offer managed Internet access to the public. Thus we'll
go through the steps of setting this up for a simple system. By simple, I mean
you'd have to manually input the usernames and passwords of the hotspot users
into ZeroShell; but you can give people the same details if desired.
Additionally, you can't completely customize the portal or login page users
will see, but you can customize portions of it. Figure 1 shows an example.

If you require a more complex system, such as full customization, self-registration,
or fee-based access, you can look into doing remote authentication.
Here's how to start captivating your users:
- On the ZeroShell web-based GUI, click the Captive Portal link on the menu.
Figure 2 shows an example of the Captive Portal page.

- For the Mode, select Bridged, and then for the
Interface, select the adapter that the hotspot users are going to
connect to, and click Save.
- For the Simultaneous Connections option, under the Gateway
Parameters, select Not Allowed if you are giving users unique
accounts, and click Save. This ensures only one connection per user
at a time, preventing users from sharing their login details. However, if you
need to allow simultaneous connections, such as when giving users the same
username and password to log in, you should keep this option set to Allow.
- If you want to add additional Free Authorized Services to the
list, so users can use additional ports/IP addresses before logging in,
click the plus sign. This is useful if you have some sort of server or
application you want you or your users to be able to access before logging
in. For example, you could add ports 80 and 443 for ZeroShell's IP
address, so you don't have to log in to access the web-based GUI. Keep in
mind that this makes the GUI reachable by every client on the hotspot
interface before portal login.
Additionally, you could add the IP address of a website (with port 80), to
allow free access to it. But remember, the website must be configured with a
static IP address. Plus bigger sites, such as Google, use multiple IPs.
- If you want specific computers to bypass the captive portal, such as
your PC, choose Clients on the Free Authorized section, click
the plus sign, enter the MAC (physical) address of your
computer's network adapter, and click OK.
- If you are only offering free access, you probably want to disable HTTPS
(SSL encryption) for the captive portal page. Click the Authentication
tab (see Figure 3), in the X.509 section, mark the
Do not use HTTPS checkbox, and then click Save.

This prevents users from being "warned" by their browser that the captive
portal page isn't using a trusted certificate. Though users can proceed to
the portal page when they get this error, it will likely confuse them. Keep in
mind that without HTTPS, the usernames and passwords entered on the portal
page cross the network unencrypted. If
you want to use encryption on the portal page, it's best to replace the default
self-signed certificate on the ZeroShell machine with one purchased from a
third party that's supported by browsers.
- Finally, to start captivating, mark the checkbox next to GW
(gateway) on the top of the page.
Now if everything runs smoothly, users should be prompted to log in with a
username and password you've created before they can use the Internet.
Using ZeroShell as an Internet Gateway and Network Router
In the first part of this series, we set up ZeroShell to work with an
existing router. Therefore we could take advantage of ZeroShell's services, such
as RADIUS authentication and the soft AP, without having to do the configuration
work of setting it up to do the routing on the network. However, if you want to get
rid of your off-the-shelf router (or use it as an extra AP), you can follow the
steps in this section.
This requires your ZeroShell machine to be loaded with at least two Ethernet
adapters, if you want any wired access to the network. For example, one adapter
would be connected to the Internet modem, and the other to a single computer, or a
switch to support multiple computers. If you only want ZeroShell to offer wireless
access (and you have a compatible Wi-Fi adapter), only one Ethernet adapter is required.
Tip: If you don't have a switch, you can use your old router. To
do this, disable DHCP on the router, and change its IP to something within
the subnet of ZeroShell (but not the same), such as 192.168.0.2 or
192.168.1.2. Then plug ZeroShell and other computers into the regular
Ethernet ports; don't use the WAN or Internet port. If it's a wireless
router, Wi-Fi computers can connect too.
Here's how to configure ZeroShell to act as the router/gateway:
- You need to edit the IP address of the adapter you previously had connected to
your off-the-shelf router. We'll make this adapter the one that will provide
the wired access to your computers; the other adapter will hook to
your modem. You want to change this adapter to an IP that will better
represent it as the router. For example, you should use 192.168.0.1 or
192.168.1.1, rather than 192.168.0.75 or 192.168.1.75. To do this, click
Setup from the main menu, click the Network tab, select the IP
address, and click the Edit button. If
you enabled DHCP for the adapter (instead of assigning a static IP) you can
follow the directions from Part 1 on changing the default IP
settings. If you have only one wired adapter and you're going to only offer
wireless access, you need to create/change an IP for the wireless interface
rather than for the single wired adapter, since that Ethernet adapter will be used for the
Internet connection.
- Next you probably want to enable the DHCP server, so you don't have to
manually set each client up with a static IP address (Figure 4 shows an
example configuration):

- Click the DHCP link on the main menu and click the New
button in the upper right of the page. Then on the window that appears,
select the subnet of the IP address you created (such as
192.168.0.0/255.255.255.0 if the IP is 192.168.0.1 or
192.168.1.0/255.255.255.0 if the IP is 192.168.1.1), and click OK.
- On the DHCP page, define the IP address range for clients, such as
192.168.1.100 - 192.168.1.199, in the Range 1
fields. If you want a particular client to always receive the same IP,
click the Add button in the Static IP Entries section, input the
desired IP and the client's MAC address, and click OK.
- On the DHCP page, type the IP address you created into the Default
Gateway and DNS 1 fields on the right, and click Save.
- Make sure the Enabled checkbox in the upper right is marked.
- If you have a DSL or other Internet connection that requires IP or logon
details, configure it now (automatic cable connections are discussed
later). This is just like when setting up an off-the-shelf router/gateway; it
needs the Internet connection details. Click the Setup link on the
main menu and select the Network tab. If your connection uses PPPoE,
click the New PPPoE button, input the details, and click OK. If your
connection uses a static IP only, click the Add IP button for the interface
that's connected to the modem.
- On the Network page, click the New Bridge button, move the
Internet connection and other Ethernet interfaces over to the Bridge
Components, and click Save.
- If you have an automatic cable Internet connection, where you don't have
to input any IP or logon details, you can just enable the DHCP client to
retrieve the IP details from your ISP. On the Network page, in the
Bridge section, click the Dyn IP button, select Enabled
from the drop down list box, wait till the adapter receives an IP from your
ISP, and click Close.
- You must enable Network Address Translation (NAT) for the Bridge. Click
Router from the main menu, click the NAT tab, move the bridge
over to the NAT Enabled Interfaces, and click Save.
Now the ZeroShell box should be routing the network traffic and acting as the
gateway to the Internet. Computers plugged into the wired port should
automatically receive an IP and access to the Internet.
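
A sanity check for the address plan built in the steps above (the gateway IP, the DHCP subnet, Range 1, and the old router's reassigned IP), as an added example that is not part of the original article or of ZeroShell. The function name `check_plan` and its parameters are assumptions of this example; the sample addresses are constructed from the ones used in the text.

```python
import ipaddress

def check_plan(router_ip, netmask, pool_start, pool_end, fixed_hosts):
    """Validate a LAN address plan; return (subnet, problems).

    fixed_hosts: label -> manually configured IP (e.g. an old router reused
    as a switch). All parameter names are assumptions of this example.
    """
    net = ipaddress.ip_network(f"{router_ip}/{netmask}", strict=False)
    gw, start, end = (ipaddress.ip_address(a)
                      for a in (router_ip, pool_start, pool_end))
    reserved = (net.network_address, net.broadcast_address)
    problems = []

    if gw in reserved:
        problems.append(f"gateway {gw} is the network/broadcast address")
    if start > end:
        problems.append(f"pool start {start} is above pool end {end}")
    for name, addr in (("pool start", start), ("pool end", end)):
        if addr not in net or addr in reserved:
            problems.append(f"{name} {addr} is not a usable host in {net}")
    if start <= gw <= end:
        problems.append(f"gateway {gw} is inside the DHCP pool")

    # Manually addressed devices must not collide with the gateway,
    # with each other, or with addresses the DHCP server hands out.
    seen = {gw: "gateway"}
    for label, ip in fixed_hosts.items():
        addr = ipaddress.ip_address(ip)
        if addr not in net or addr in reserved:
            problems.append(f"{label} {addr} is not a usable host in {net}")
        if start <= addr <= end:
            problems.append(f"{label} {addr} is inside the DHCP pool")
        if addr in seen:
            problems.append(f"{label} {addr} duplicates {seen[addr]}")
        seen[addr] = label
    return net.with_netmask, problems


if __name__ == "__main__":
    # Constructed sample values, taken from the address examples in the text.
    subnet, problems = check_plan("192.168.1.1", "255.255.255.0",
                                  "192.168.1.100", "192.168.1.199",
                                  {"old router": "192.168.1.2"})
    print("DHCP subnet to select:", subnet)
    print("\n".join(problems) or "address plan is consistent")
```

The first return value is the subnet in the same address/netmask form the New DHCP window lists, so it can be compared directly with the entry you select there.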
Wrapping up our ZeroShell series
This part completes our series on configuring and using ZeroShell. You should
now be able to run WPA/WPA2-Enterprise encryption on your Wi-Fi network; thanks
to ZeroShell's RADIUS server. If you have the right wireless adapter, ZeroShell
can also act as an AP. Plus you should understand how to get a simple captive
portal working for hotspots. Finally, you should be able to replace your router
with the ZeroShell machine.
Eric Geier is an author of
many computing and networking books, including Home Networking
All-in-One Desk Reference For Dummies (Wiley 2008) and 100 Things You
Need to Know about Microsoft Windows Vista (Que 2007).
Copyright Jupitermedia Corp.
All Rights Reserved.