Hiện nay, có khá nhiều khách hàng thắc mắc việc truy cập địa chỉ 192.168.1.1 và không thể đổi mật khẩu wifi được. Vì thế chúng tôi xin trình bày một số lời giải đáp với trường hợp cụ thể như sau:

Tôi đang sử dụng modem TP-Link: TL-WR741ND có hình ảnh như bên dưới:

- Thiết bị lắp đặt cáp quang bao gồm:

• 1 Converter
• 1 modem quang
• 1 hộp phối quang ODF.

- Mô hình:

Bước 1: Dây internet cáp quang (còn gọi là dây quang) màu đen, dây này được đấu nối với zắc nối màu vàng như hình bên dưới.

Với thiết kế gọn gàng, thân thiện với người dùng, giao diện hiển thị của Touch P5 – Router Gigabit Wi-Fi Cảm ứng AC1900 sử dụng bộ xử lý lõi kép 1GHz cho khả năng xử lý đa nhiệm mạnh mẽ. Với chuẩn wifi không dây AC băng tầng kép cho phép bạn kết nối nhiều thiết bị hơn nhưng vẫn có thể trải nghiệm tốc độ không dây lên đến 1900Mbps. Nghĩa là bạn có thể tận hưởng video độ phân giải cao 4K và trò chơi trực tuyến mượt mà trên băng tần 5GHz, trong khi các công việc khác như kiểm tra email, lướt web có thể được hoàn thành nhanh chóng trên băng tần 2.4GHz.

`#

Nodogsplash Configuration File

#

Parameter: GatewayInterface

Default: NONE

GatewayInterface is not autodetected, has no default, and must be set here.

Set GatewayInterface to the interface on your router

that is to be managed by Nodogsplash.

Typically br0 for the wired and wireless lan on OpenWrt White Russian.

May be br-lan on OpenWrt Kamikaze.

GatewayInterface br-lan

FirewallRuleSet: authenticated-users

Control access for users after authentication.

These rules are inserted at the beginning of the

FORWARD chain of the router's filter table, and

apply to packets that have come in to the router

over the GatewayInterface from MAC addresses that

have authenticated with Nodogsplash, and that are

destined to be routed through the router. The rules are

considered in order, and the first rule that matches

a packet applies to it.

If there are any rules in this ruleset, an authenticated

packet that does not match any rule is rejected.

N.B.: This ruleset is completely independent of

the preauthenticated-users ruleset.

FirewallRuleSet authenticated-users {

You may want to open access to a machine on a local

subnet that is otherwise blocked (for example, to

serve a redirect page; see RedirectURL). If so,

allow that explicitly here, e.g:

FirewallRule allow tcp port 80 to 192.168.254.254

Your router may have several interfaces, and you

probably want to keep them private from the GatewayInterface.

If so, you should block the entire subnets on those interfaces, e.g.:

FirewallRule block to 192.168.0.0/16

FirewallRule block to 10.0.0.0/8

Typical ports you will probably want to open up include

53 udp and tcp for DNS,

80 for http,

443 for https,

22 for ssh:

FirewallRule allow tcp port 53 FirewallRule allow udp port 53 FirewallRule allow tcp port 80 FirewallRule allow tcp port 443 FirewallRule allow tcp port 22

}

end FirewallRuleSet authenticated-users

FirewallRuleSet: preauthenticated-users

Control access for users before authentication.

These rules are inserted in the PREROUTING chain

of the router's nat table, and in the

FORWARD chain of the router's filter table.

These rules apply to packets that have come in to the

router over the GatewayInterface from MAC addresses that

are not on the BlockedMACList or TrustedMACList,

are not authenticated with Nodogsplash. The rules are

considered in order, and the first rule that matches

a packet applies to it. A packet that does not match

any rule here is rejected.

N.B.: This ruleset is completely independent of

the authenticated-users and users-to-router rulesets.

FirewallRuleSet preauthenticated-users {

For preauthenticated users to resolve IP addresses in their initial

request not using the router itself as a DNS server,

you probably want to allow port 53 udp and tcp for DNS.

FirewallRule allow tcp port 53 FirewallRule allow udp port 53

For splash page content not hosted on the router, you

will want to allow port 80 tcp to the remote host here.

Doing so circumvents the usual capture and redirect of

any port 80 request to this remote host.

Note that the remote host's numerical IP address must be known

and used here.

FirewallRule allow tcp port 80 to 192.168.1.1 FirewallRule allow tcp port 443 to 192.168.1.1 }

end FirewallRuleSet preauthenticated-users

FirewallRuleSet: users-to-router

Control access to the router itself from the GatewayInterface.

These rules are inserted at the beginning of the

INPUT chain of the router's filter table, and

apply to packets that have come in to the router

over the GatewayInterface from MAC addresses that

are not on the TrustedMACList, and are destined for

the router itself. The rules are

considered in order, and the first rule that matches

a packet applies to it.

If there are any rules in this ruleset, a

packet that does not match any rule is rejected.

FirewallRuleSet users-to-router {

Nodogsplash automatically allows tcp to GatewayPort,

at GatewayAddress, to serve the splash page.

However you may want to open up other ports, e.g.

53 for DNS and 67 for DHCP if the router itself is

providing these services.

FirewallRule allow udp port 53 FirewallRule allow tcp port 53 FirewallRule allow udp port 67

You may want to allow ssh, http, and https to the router

for administration from the GatewayInterface. If not,

comment these out.

FirewallRule allow tcp port 22 FirewallRule allow tcp port 80 FirewallRule allow tcp port 443 }

end FirewallRuleSet users-to-router

EmptyRuleSetPolicy directives

The FirewallRuleSets that NoDogSplash permits are:

authenticated-users

preauthenticated-users

users-to-router

trusted-users

trusted-users-to-router

For each of these, an EmptyRuleSetPolicy can be specified.

An EmptyRuleSet policy applies to a FirewallRuleSet if the

FirewallRuleSet is missing from this configuration file,

or if it exists but contains no FirewallRules.

The possible values of an EmptyRuleSetPolicy are:

allow -- packets are accepted

block -- packets are rejected

passthrough -- packets are passed through to pre-existing firewall rules

Default EmptyRuleSetPolicies are set as follows:

EmptyRuleSetPolicy authenticated-users passthrough

EmptyRuleSetPolicy preauthenticated-users block

EmptyRuleSetPolicy users-to-router block

EmptyRuleSetPolicy trusted-users allow

EmptyRuleSetPolicy trusted-users-to-router allow

Parameter: GatewayName

Default: NoDogSplash

Set GatewayName to the name of your gateway. This value

will be available as variable $gatewayname in the splash page source

and in status output from ndsctl, but otherwise doesn't matter.

If none is supplied, the value "NoDogSplash" is used.

GatewayName Wifi Login

Parameter: GatewayAddress

Default: Discovered from GatewayInterface

This should be autodetected on an OpenWRT system, but if not:

Set GatewayAddress to the IP address of the router on

the GatewayInterface. This is the address that the Nodogsplash

server listens on.

GatewayAddress 192.168.1.1

Parameter: ExternalInterface

Default: Autodetected from /proc/net/route

This should be autodetected on a OpenWRT system, but if not:

Set ExtrnalInterface to the 'external' interface on your router,

i.e. the one which provides the default route to the internet.

Typically vlan1 for OpenWRT.

ExternalInterface eth0

Parameter: RedirectURL

Default: none

After authentication, normally a user is redirected

to their initially requested page.

If RedirectURL is set, the user is redirected to this URL instead.

RedirectURL http://www.ilesansfil.org/

Parameter: GatewayPort

Default: 2050

Nodogsplash's own http server uses GatewayAddress as its IP address.

The port it listens to at that IP can be set here; default is 2050.

GatewayPort 2050

Parameter: MaxClients

Default: 20

Set MaxClients to the maximum number of users allowed to

connect at any time. (Does not include users on the TrustedMACList,

who do not authenticate.)

MaxClients 50

ClientIdleTimeout

Parameter: ClientIdleTimeout

Default: 10

Set ClientIdleTimeout to the desired of number of minutes

of inactivity before a user is automatically 'deauthenticated'.

ClientIdleTimeout 300

Parameter: ClientForceTimeout

Default: 360

Set ClientForceTimeout to the desired number of minutes before

a user is automatically 'deauthenticated', whether active or not

ClientForceTimeout 3600

Parameter: AuthenticateImmediately

Default: no

Set to yes (or true or 1), to immediately authenticate users

who make a http port 80 request on the GatewayInterface (that is,

do not serve a splash page, just redirect to the user's request,

or to RedirectURL if set).

AuthenticateImmediately no

Parameter: MACMechanism

Default: block

Either block or allow.

If 'block', MAC addresses on BlockedMACList are blocked from

authenticating, and all others are allowed.

If 'allow', MAC addresses on AllowedMACList are allowed to

authenticate, and all other (non-trusted) MAC's are blocked.

MACMechanism block

Parameter: BlockedMACList

Default: none

Comma-separated list of MAC addresses who will be completely blocked

from the GatewayInterface. Ignored if MACMechanism is allow.

N.B.: weak security, since MAC addresses are easy to spoof.

BlockedMACList 00:00:DE:AD:BE:EF,00:00:C0:1D:F0:0D

Parameter: AllowedMACList

Default: none

Comma-separated list of MAC addresses who will not be completely

blocked from the GatewayInterface. Ignored if MACMechanism is block.

N.B.: weak security, since MAC addresses are easy to spoof.

AllowedMACList 00:00:12:34:56:78

Parameter: TrustedMACList

Default: none

Comma-separated list of MAC addresses who are not subject to

authentication, and are not restricted by any FirewallRuleSet.

N.B.: weak security, since MAC addresses are easy to spoof.

TrustedMACList 00:00:CA:FE:BA:BE, 00:00:C0:01:D0:0D

Parameter: PasswordAuthentication

Default: no

Set to yes (or true or 1), to require a password matching

the Password parameter to be supplied when authenticating.

PasswordAuthentication no

Parameter: Password

Default: none

Whitespace delimited string that is compared to user-supplied

password when authenticating.

Password ratlabimat

Parameter: UsernameAuthentication

Default: no

Set to yes (or true or 1), to require a username matching

the Username parameter to be supplied when authenticating.

UsernameAuthentication yes

Parameter: Username

Default: none

Whitespace delimited string that is compared to user-supplied

username when authenticating.

Username wifi

Parameter: PasswordAttempts

Default: 5

Integer number of failed password/username entries before

a user is forced to reauthenticate.

PasswordAttempts 5

Parameter: TrafficControl

Default: no

Set to yes (or true or 1), to enable traffic control in Nodogsplash.

TrafficControl no

Parameter: DownloadLimit

Default: 0

If TrafficControl is enabled, this sets the maximum download

speed to the GatewayInterface, in kilobits per second.

For example if you have an ADSL connection with 768 kbit

download speed, and you want to allow about half of that

bandwidth for the GatewayInterface, set this to 384.

A value of 0 means no download limiting is done.

DownloadLimit 384

Parameter: UploadLimit

Default: 0

If TrafficControl is enabled, this sets the maximum upload

speed from the GatewayInterface, in kilobits per second.

For example if you have an ADSL connection with 128 kbit

upload speed, and you want to allow about half of that

bandwidth for the GatewayInterface, set this to 64.

A value of 0 means no upload limiting is done.

UploadLimit 64

Parameter: GatewayIPRange

Default: 0.0.0.0/0

By setting this parameter, you can specify a range of IP addresses

on the GatewayInterface that will be responded to and managed by

Nodogsplash. Addresses outside this range do not have their packets

touched by Nodogsplash at all.

Defaults to 0.0.0.0/0, that is, all addresses.

GatewayIPRange 0.0.0.0/0

Parameter: ImagesDir

Default: images

Set the directory from which images are served.

Use $imagesdir in HTML files to reference this directory.

ImagesDir images

Parameter: BinVoucher

Default: None

Enable Voucher Support.

If set, an alphanumeric voucher HTTP parameter is accepted

and passed to a command line call along with the clients MAC:

$ auth_voucher

BinVoucher must point to a program that will be called as described above.

The call is expected to output the number of seconds the client

is to be authenticated. Zero or negative seconds will cause the

authentification request to be rejected.

The output may contain a user specific download and upload limit in KBit/s:

BinVoucher "/bin/myauth"

Parameter: ForceVoucher

Default: no

Force the use of a voucher. Authentification is not possible without voucher.

ForceVoucher no

Parameter: EnablePreAuth

Default: no

Enable pre-authentication support.

Pass the MAC of a client to a command line call before the splash page

would be send:

$ auth_status

The call is expected to output the number of seconds the client

is to be authenticated. Zero or negative seconds will cause the

splash page to be displayed.

The output may contain a user specific download and upload limit in KBit/s:

EnablePreAuth no

`