DNSMASQ config for captive portal

Question

I am trying to create a captive portal wifi hotspot.

Aim of the setup:

1. Users connecting to hotspot through wlan0 should never be allowed to access the internet through eth1.

2. For the "Sign into wifi network" to appear on android, iphone and any device that would connect, i am trying to route the requests that go to
   http://clients1.google.com/generate_204 and other url for other operating systems, i havent figured out yet, to my local server and return what the real servers would return.

I use dnsmasq and hostapd to achieve this.

The Problem : when I use address=/#/127.24.2.1 in dnsmasq.conf, the internet requests that go from internal scripts also fail. I think I am following the dnsmasq config man page that says how to use dnsmasq to filter only wlan0 interface traffic.

what should I do further.

The machine has these interfaces

    eth1      Link encap:Ethernet  HWaddr 00:1e:06:30:5b:03
          inet addr:192.168.0.107  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::21e:6ff:fe30:5b03/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:37047 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1752 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3351437 (3.1 MiB)  TX bytes:176100 (171.9 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:796 errors:0 dropped:0 overruns:0 frame:0
          TX packets:796 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:284838 (278.1 KiB)  TX bytes:284838 (278.1 KiB)

wlan0     Link encap:Ethernet  HWaddr 98:de:d0:1b:95:5a
          inet addr:172.24.1.1  Bcast:172.24.1.255  Mask:255.255.255.0
          inet6 addr: fe80::9ade:d0ff:fe1b:955a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:576 (576.0 B)

The DNSMASQ looks like this

interface=wlan0      # Use interface wlan0
listen-address=172.24.1.1 # Explicitly specify the address to listen on
#bind-interfaces      # Bind to the interface to make sure we aren't sending things elsewher$
server=8.8.8.8       # Forward DNS requests to Google DNS
domain-needed        # Don't forward short names
bogus-priv           # Never forward addresses in the non-routed address spaces.
dhcp-range=172.24.1.50,172.24.1.150,12h # Assign IP addresses between 172.24.1.50 and 172.24$
address=/#/172.24.1.1
except-interface=eth1

I use a nodejs express server and do this

 app.get('/generate_204', function(req, res) {
        console.log('generate 204 hit');
        res.statusCode = 302;
        res.setHeader("Location", "/");
        res.end();
    });

I created the hotspot using hostapd, the config is

    # This is the name of the WiFi interface we configured above
interface=wlan0

# Use the nl80211 driver with the brcmfmac driver
driver=nl80211

# This is the name of the network
ssid=Pi3-AP

# Use the 2.4GHz band
hw_mode=g

# Use channel 6
channel=6

# Enable 802.11n
ieee80211n=1

# Enable WMM
wmm_enabled=1

# Enable 40MHz channels with 20ns guard interval
ht_capab=[HT40][SHORT-GI-20][DSSS_CCK-40]

# Accept all MAC addresses
macaddr_acl=0

# Use WPA authentication
auth_algs=1

# Require clients to know the network name
ignore_broadcast_ssid=0

# Use WPA2
wpa=2

# Use a pre-shared key
wpa_key_mgmt=WPA-PSK

# The network passphrase
wpa_passphrase=raspberry

# Use AES, instead of TKIP
rsn_pairwise=CCMP

I have tried to explain the requirement, I am not sure if I have done the explaining part well. There is another question i raised here on serverfault for the same issue,which got marked off-topic, Reading it will make you understand the requirement clearly. https://serverfault.com/questions/823139/iptables-for-linux-captive-portal-wifi-hotspot

Answer 1

when I use address=/#/127.24.2.1, the internet requests that go from internal scripts also fail

It seems that your internal scripts use to resolve DNS names the same local dnsmasq server as you wifi clients.

Check your /etc/resolv.conf configuration and if there is present your dnsmasq server address (127.24.2.1 or 127.0.0.1 or other) - remove it. Instead use you ISP DNS servers, or Google DNS, or any other you prefer, which do not replace any addresses to 127.24.2.1.

Note. If you system use resolvconf to generate /etc/resolv.conf (in resolv.conf present warning like # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN), then you need to edit configs in /etc/resolvconf/resolv.conf.d/ instead, and after it regenerate /etc/resolv.conf (restart networking or better - restart whole system)

Another possibility: remove package resolvconf and edit /etc/resolv.conf

Answer 2

In case anyone is curious about an update (in 2017) to this question... I was able to recreate the issue and figured out a solution.

Disable dnsmasq from resolving for the loopback interface (in /etc/dnsmasq.conf):

except-interface=lo

Add to the tail file of resolvconf (in /etc/resolvconf/resolvconf.conf.d/tail)

nameserver 8.8.8.8

Restart Services

sudo systemctl restart dnsmasq
sudo resolvconf -u

What this does

dnsmasq will now reject any DNS Request make on the localhost, and the localhost will then have to resort to using the second Name Server in line (which is now 8.8.8.8)

What if there isn't a /etc/resolvconf/resolvconf.conf.d/ directory?

You might have openresolv installed instead... I uninstalled openresolv and installed resolvconf. You'll run into other issues - but that's probably not relevant to this answer.