[Dnsmasq-discuss] DHCP for captive portal

Rune Kock rune.kock at gmail.com
Sun Nov 2 19:16:25 GMT 2008


On Sun, Nov 2, 2008 at 04:56, Peter <webwiz at pl.net> wrote:
> Rainy Sunday etc, thought I'd take a look at moving my captive portal code to
> dhcp.
>
> Situation:-
> =============
> - firewall, captiveportal, dnsmasq all run on the one gateway box
> - serving about 30-80 lan clients currently on static ip addresses for
> historical reasons
> - portal only allows registered users to access the internet
> - users' traffic is accounted using netfilter counters
>
> Objectives:-
> =============
> - give captive portal registered users a quasi fixed ip per mac address for
> simple ip based firewalling

Firewalling based on IP is worthless if your clients change their address
manually, but I guess you know that.

> - give un-registered machines a temporary IP and short lease so that they
> can register and get a proper ip issued as above.
> - less manual user NIC config with dhcp cf. static lan clients
> - dnsmasq host list dynamically updated by captive portal
> - 192.168.0.x ranges:
>  1 - 4 servers
>  5- 169 users
>  170-199 temp users

I would probably allow more addresses for temp users, so that they are
likely to get the same address every time they connect -- thus making
it simpler for you to analyze log files.

>
> Proposed config:-
> ==============
> So reading the man and the archives a bit I've got, so far:
>
> #/etc/dnsmasq.conf
>
> resolv-file=/etc/dnsmasq.resolv.conf
> interface=eth0
> interface=lo
> #no-dhcp-interface=eth0 #=LAN
> no-dhcp-interface=ppp0
> no-dhcp-interface=eth1
> dhcp-range=192.168.0.170,192.168.0.199,2m  #=temp range
> dhcp-option=eth0,26,1492 #=pppoe
> domain=local.net
> #read-ethers
> conf-file=/home/tasks/ipacc/dnsmasq_ethers

I suggest making dnsmasq authoritative.

>
>
> #/home/tasks/ipacc/dnsmasq_ethers
>
> dhcp-host=00:1c:c0:6f:f3:xx, 192.168.0.5,  12h
> dhcp-host=00:0e:a6:3e:1c:xx, 192.168.0.10, 12h
> etc
>
> Does that look ok? What will happen if a user runs another dhcp server?
> (probably a consumer wlan access point or similar).
> Any way to make this dnsmasq king?

No, but read all the advice that I got when I asked this list a
similar question some weeks ago.

Rune
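
Added example, not part of the original thread and not the poster's or dnsmasq's code: one way the portal could render the dhcp-host= lines for the included file, checking each registration against the 192.168.0.5 - 169 user range from the post. The function name, the (mac, ip) input shape, the restriction to m/h lease suffixes and the sample MACs are assumptions.

```python
import ipaddress
import re

# Address plan from the post: 192.168.0.5 - 169 is the registered-user range.
USER_FIRST = ipaddress.IPv4Address("192.168.0.5")
USER_LAST = ipaddress.IPv4Address("192.168.0.169")
MAC_RE = re.compile(r"[0-9a-f]{2}(:[0-9a-f]{2}){5}")
LEASE_RE = re.compile(r"[0-9]+[mh]")  # assumption: only minute/hour leases


def render_dhcp_hosts(registrations, lease="12h"):
    """Return dhcp-host= lines for (mac, ip) pairs supplied by the portal.

    Raises ValueError on a malformed MAC or IP, an address outside the
    registered range, or a MAC/IP used twice. The file is pulled in with
    conf-file=, so every line in it is parsed as dnsmasq configuration;
    fullmatch() keeps newlines and extra options out of the output.
    """
    if not LEASE_RE.fullmatch(lease):
        raise ValueError(f"bad lease time: {lease!r}")
    seen_macs, seen_ips, lines = set(), set(), []
    for mac, ip in registrations:
        mac = mac.strip().lower().replace("-", ":")
        if not MAC_RE.fullmatch(mac):
            raise ValueError(f"bad MAC: {mac!r}")
        addr = ipaddress.IPv4Address(ip.strip())  # ValueError if malformed
        if not USER_FIRST <= addr <= USER_LAST:
            raise ValueError(f"{addr} is outside the registered-user range")
        if mac in seen_macs or addr in seen_ips:
            raise ValueError(f"duplicate entry: {mac} / {addr}")
        seen_macs.add(mac)
        seen_ips.add(addr)
        lines.append(f"dhcp-host={mac},{addr},{lease}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample registrations (locally administered MACs).
    sample = [("02-00-00-00-00-01", "192.168.0.5"),
              ("02:00:00:00:00:02", "192.168.0.10")]
    print(render_dhcp_hosts(sample), end="")
```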


