Many customers currently ask why they can reach the address 192.168.1.1 but cannot change the Wi-Fi password. We therefore present some answers for a specific case, as follows:
I am using a TP-Link modem: TL-WR741ND, pictured below:
- Equipment for a fiber-optic installation includes:
- 1 converter
- 1 optical modem
- 1 ODF optical distribution box.
- Diagram:
Step 1: The fiber-optic internet cable [also called the optical cable] is black; this cable is connected to the yellow connector as shown in the picture below.
With a compact, user-friendly design and display interface, the Touch P5 – AC1900 Touch Screen Wi-Fi Gigabit Router uses a 1GHz dual-core processor for powerful multitasking. The dual-band wireless AC standard lets you connect more devices while still getting wireless speeds of up to 1900Mbps. That means you can enjoy 4K high-resolution video and smooth online gaming on the 5GHz band, while other tasks such as checking email and browsing the web can be completed quickly on the 2.4GHz band.
`#
Nodogsplash Configuration File
#
Parameter: GatewayInterface
Default: NONE
GatewayInterface is not autodetected, has no default, and must be set here.
Set GatewayInterface to the interface on your router
that is to be managed by Nodogsplash.
Typically br0 for the wired and wireless lan on OpenWrt White Russian.
May be br-lan on OpenWrt Kamikaze.
GatewayInterface br-lan
FirewallRuleSet: authenticated-users
Control access for users after authentication.
These rules are inserted at the beginning of the
FORWARD chain of the router's filter table, and
apply to packets that have come in to the router
over the GatewayInterface from MAC addresses that
have authenticated with Nodogsplash, and that are
destined to be routed through the router. The rules are
considered in order, and the first rule that matches
a packet applies to it.
If there are any rules in this ruleset, an authenticated
packet that does not match any rule is rejected.
N.B.: This ruleset is completely independent of
the preauthenticated-users ruleset.
FirewallRuleSet authenticated-users {
You may want to open access to a machine on a local
subnet that is otherwise blocked [for example, to
serve a redirect page; see RedirectURL]. If so,
allow that explicitly here, e.g:
FirewallRule allow tcp port 80 to 192.168.254.254
Your router may have several interfaces, and you
probably want to keep them private from the GatewayInterface.
If so, you should block the entire subnets on those interfaces, e.g.:
FirewallRule block to 192.168.0.0/16
FirewallRule block to 10.0.0.0/8
Typical ports you will probably want to open up include
53 udp and tcp for DNS,
80 for http,
443 for https,
22 for ssh:
FirewallRule allow tcp port 53
FirewallRule allow udp port 53
FirewallRule allow tcp port 80
FirewallRule allow tcp port 443
FirewallRule allow tcp port 22
}
end FirewallRuleSet authenticated-users
FirewallRuleSet: preauthenticated-users
Control access for users before authentication.
These rules are inserted in the PREROUTING chain
of the router's nat table, and in the
FORWARD chain of the router's filter table.
These rules apply to packets that have come in to the
router over the GatewayInterface from MAC addresses that
are not on the BlockedMACList or TrustedMACList,
are not authenticated with Nodogsplash. The rules are
considered in order, and the first rule that matches
a packet applies to it. A packet that does not match
any rule here is rejected.
N.B.: This ruleset is completely independent of
the authenticated-users and users-to-router rulesets.
FirewallRuleSet preauthenticated-users {
For preauthenticated users to resolve IP addresses in their initial
request not using the router itself as a DNS server,
you probably want to allow port 53 udp and tcp for DNS.
FirewallRule allow tcp port 53
FirewallRule allow udp port 53
For splash page content not hosted on the router, you
will want to allow port 80 tcp to the remote host here.
Doing so circumvents the usual capture and redirect of
any port 80 request to this remote host.
Note that the remote host's numerical IP address must be known
and used here.
FirewallRule allow tcp port 80 to 192.168.1.1
FirewallRule allow tcp port 443 to 192.168.1.1
}
end FirewallRuleSet preauthenticated-users
FirewallRuleSet: users-to-router
Control access to the router itself from the GatewayInterface.
These rules are inserted at the beginning of the
INPUT chain of the router's filter table, and
apply to packets that have come in to the router
over the GatewayInterface from MAC addresses that
are not on the TrustedMACList, and are destined for
the router itself. The rules are
considered in order, and the first rule that matches
a packet applies to it.
If there are any rules in this ruleset, a
packet that does not match any rule is rejected.
FirewallRuleSet users-to-router {
Nodogsplash automatically allows tcp to GatewayPort,
at GatewayAddress, to serve the splash page.
However you may want to open up other ports, e.g.
53 for DNS and 67 for DHCP if the router itself is
providing these services.
FirewallRule allow udp port 53
FirewallRule allow tcp port 53
FirewallRule allow udp port 67
You may want to allow ssh, http, and https to the router
for administration from the GatewayInterface. If not,
comment these out.
FirewallRule allow tcp port 22
FirewallRule allow tcp port 80
FirewallRule allow tcp port 443
}
end FirewallRuleSet users-to-router
EmptyRuleSetPolicy directives
The FirewallRuleSets that NoDogSplash permits are:
authenticated-users
preauthenticated-users
users-to-router
trusted-users
trusted-users-to-router
For each of these, an EmptyRuleSetPolicy can be specified.
An EmptyRuleSet policy applies to a FirewallRuleSet if the
FirewallRuleSet is missing from this configuration file,
or if it exists but contains no FirewallRules.
The possible values of an EmptyRuleSetPolicy are:
allow -- packets are accepted
block -- packets are rejected
passthrough -- packets are passed through to pre-existing firewall rules
Default EmptyRuleSetPolicies are set as follows:
EmptyRuleSetPolicy authenticated-users passthrough
EmptyRuleSetPolicy preauthenticated-users block
EmptyRuleSetPolicy users-to-router block
EmptyRuleSetPolicy trusted-users allow
EmptyRuleSetPolicy trusted-users-to-router allow
Parameter: GatewayName
Default: NoDogSplash
Set GatewayName to the name of your gateway. This value
will be available as variable $gatewayname in the splash page source
and in status output from ndsctl, but otherwise doesn't matter.
If none is supplied, the value "NoDogSplash" is used.
GatewayName Wifi Login
Parameter: GatewayAddress
Default: Discovered from GatewayInterface
This should be autodetected on an OpenWRT system, but if not:
Set GatewayAddress to the IP address of the router on
the GatewayInterface. This is the address that the Nodogsplash
server listens on.
GatewayAddress 192.168.1.1
Parameter: ExternalInterface
Default: Autodetected from /proc/net/route
This should be autodetected on an OpenWRT system, but if not:
Set ExternalInterface to the 'external' interface on your router,
i.e. the one which provides the default route to the internet.
Typically vlan1 for OpenWRT.
ExternalInterface eth0
Parameter: RedirectURL
Default: none
After authentication, normally a user is redirected
to their initially requested page.
If RedirectURL is set, the user is redirected to this URL instead.
RedirectURL //www.ilesansfil.org/
Parameter: GatewayPort
Default: 2050
Nodogsplash's own http server uses GatewayAddress as its IP address.
The port it listens to at that IP can be set here; default is 2050.
GatewayPort 2050
Parameter: MaxClients
Default: 20
Set MaxClients to the maximum number of users allowed to
connect at any time. [Does not include users on the TrustedMACList,
who do not authenticate.]
MaxClients 50
ClientIdleTimeout
Parameter: ClientIdleTimeout
Default: 10
Set ClientIdleTimeout to the desired number of minutes
of inactivity before a user is automatically 'deauthenticated'.
ClientIdleTimeout 300
Parameter: ClientForceTimeout
Default: 360
Set ClientForceTimeout to the desired number of minutes before
a user is automatically 'deauthenticated', whether active or not
ClientForceTimeout 3600
Parameter: AuthenticateImmediately
Default: no
Set to yes [or true or 1], to immediately authenticate users
who make a http port 80 request on the GatewayInterface [that is,
do not serve a splash page, just redirect to the user's request,
or to RedirectURL if set].
AuthenticateImmediately no
Parameter: MACMechanism
Default: block
Either block or allow.
If 'block', MAC addresses on BlockedMACList are blocked from
authenticating, and all others are allowed.
If 'allow', MAC addresses on AllowedMACList are allowed to
authenticate, and all other [non-trusted] MAC's are blocked.
MACMechanism block
Parameter: BlockedMACList
Default: none
Comma-separated list of MAC addresses who will be completely blocked
from the GatewayInterface. Ignored if MACMechanism is allow.
N.B.: weak security, since MAC addresses are easy to spoof.
BlockedMACList 00:00:DE:AD:BE:EF,00:00:C0:1D:F0:0D
Parameter: AllowedMACList
Default: none
Comma-separated list of MAC addresses who will not be completely
blocked from the GatewayInterface. Ignored if MACMechanism is block.
N.B.: weak security, since MAC addresses are easy to spoof.
AllowedMACList 00:00:12:34:56:78
Parameter: TrustedMACList
Default: none
Comma-separated list of MAC addresses who are not subject to
authentication, and are not restricted by any FirewallRuleSet.
N.B.: weak security, since MAC addresses are easy to spoof.
TrustedMACList 00:00:CA:FE:BA:BE, 00:00:C0:01:D0:0D
Parameter: PasswordAuthentication
Default: no
Set to yes [or true or 1], to require a password matching
the Password parameter to be supplied when authenticating.
PasswordAuthentication no
Parameter: Password
Default: none
Whitespace delimited string that is compared to user-supplied
password when authenticating.
Password ratlabimat
Parameter: UsernameAuthentication
Default: no
Set to yes [or true or 1], to require a username matching
the Username parameter to be supplied when authenticating.
UsernameAuthentication yes
Parameter: Username
Default: none
Whitespace delimited string that is compared to user-supplied
username when authenticating.
Username wifi
Parameter: PasswordAttempts
Default: 5
Integer number of failed password/username entries before
a user is forced to reauthenticate.
PasswordAttempts 5
Parameter: TrafficControl
Default: no
Set to yes [or true or 1], to enable traffic control in Nodogsplash.
TrafficControl no
Parameter: DownloadLimit
Default: 0
If TrafficControl is enabled, this sets the maximum download
speed to the GatewayInterface, in kilobits per second.
For example if you have an ADSL connection with 768 kbit
download speed, and you want to allow about half of that
bandwidth for the GatewayInterface, set this to 384.
A value of 0 means no download limiting is done.
DownloadLimit 384
Parameter: UploadLimit
Default: 0
If TrafficControl is enabled, this sets the maximum upload
speed from the GatewayInterface, in kilobits per second.
For example if you have an ADSL connection with 128 kbit
upload speed, and you want to allow about half of that
bandwidth for the GatewayInterface, set this to 64.
A value of 0 means no upload limiting is done.
UploadLimit 64
Parameter: GatewayIPRange
Default: 0.0.0.0/0
By setting this parameter, you can specify a range of IP addresses
on the GatewayInterface that will be responded to and managed by
Nodogsplash. Addresses outside this range do not have their packets
touched by Nodogsplash at all.
Defaults to 0.0.0.0/0, that is, all addresses.
GatewayIPRange 0.0.0.0/0
Parameter: ImagesDir
Default: images
Set the directory from which images are served.
Use $imagesdir in HTML files to reference this directory.
ImagesDir images
Parameter: BinVoucher
Default: None
Enable Voucher Support.
If set, an alphanumeric voucher HTTP parameter is accepted
and passed to a command line call along with the client's MAC:
$ auth_voucher
BinVoucher must point to a program that will be called as described above.
The call is expected to output the number of seconds the client
is to be authenticated. Zero or negative seconds will cause the
authentication request to be rejected.
The output may contain a user specific download and upload limit in KBit/s:
BinVoucher "/bin/myauth"
Parameter: ForceVoucher
Default: no
Force the use of a voucher. Authentication is not possible without a voucher.
ForceVoucher no
Parameter: EnablePreAuth
Default: no
Enable pre-authentication support.
Pass the MAC of a client to a command line call before the splash page
would be sent:
$ auth_status
The call is expected to output the number of seconds the client
is to be authenticated. Zero or negative seconds will cause the
splash page to be displayed.
The output may contain a user specific download and upload limit in KBit/s:
EnablePreAuth no
`
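The first-match behaviour described in the FirewallRuleSet comments, modelled as an added Python example (not Nodogsplash's own code, which installs these rules into the router's firewall chains; the function names and the sample rule order are assumptions made here). It shows that an `allow` rule for 192.168.254.254 placed after `block to 192.168.0.0/16` never takes effect, and that EmptyRuleSetPolicy only applies when a ruleset has no rules.

```python
import ipaddress
import re

# Constructed sample: authenticated-users rules from the config above, with the
# "e.g." allow rule for 192.168.254.254 placed after the subnet block rules.
SAMPLE = """
FirewallRule block to 192.168.0.0/16
FirewallRule block to 10.0.0.0/8
FirewallRule allow tcp port 80 to 192.168.254.254
FirewallRule allow tcp port 53
FirewallRule allow tcp port 80
FirewallRule allow tcp port 443
"""
# Only the rule forms shown on this page (tcp/udp, optional port, optional "to").
RULE = re.compile(r"^FirewallRule\s+(allow|block)(?:\s+(tcp|udp))?"
                  r"(?:\s+port\s+(\d+))?(?:\s+to\s+(\S+))?$")

def parse_rules(text):
    """Return (action, proto, port, network) tuples; None means 'any'."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line.strip())
        if m:
            action, proto, port, dest = m.groups()
            net = ipaddress.ip_network(dest, strict=False) if dest else None
            rules.append((action, proto, int(port) if port else None, net))
    return rules

def decide(rules, proto, port, dest, empty_policy="block"):
    """First matching rule wins; a non-empty set rejects unmatched packets."""
    if not rules:
        return empty_policy  # EmptyRuleSetPolicy only applies to an empty set
    addr = ipaddress.ip_address(dest)
    for action, r_proto, r_port, r_net in rules:
        if (r_proto in (None, proto) and r_port in (None, port)
                and (r_net is None or addr in r_net)):
            return action
    return "block"

def shadowed(rules):
    """Indexes of rules that an earlier, broader rule always pre-empts."""
    hits = []
    for i, (_, proto, port, net) in enumerate(rules):
        for _, e_proto, e_port, e_net in rules[:i]:
            if (e_proto in (None, proto) and e_port in (None, port) and
                    (e_net is None or (net is not None and net.subnet_of(e_net)))):
                hits.append(i)
                break
    return hits
```

Running `shadowed(parse_rules(...))` over a ruleset before deploying it flags exceptions that must be moved above the subnet block rules to have any effect.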