Hello. I am not sure where to post this and would appreciate any moderator help in moving this to the area where it is most applicable. Thank you.


I've posted these questions in a couple different forums, but have not received any answers about what I am doing wrong. I would appreciate any help you guys could provide me. Even a point to the right direction would be beneficial.

I am trying to set up a LAN web server. This is just a wireless router, a Linksys WRT160N flashed with DD-WRT (done) that users can connect to, and Mac Mini for the web server, running Apache 2.2.6 on OS X 10.5.2. There is no internet access here, just wireless clients connecting to the router.

I have set up DNSmasq on the router to run as the DHCP server (works perfectly), as well as for DNS. DNSmasq is set to be authoritative. I've entered the MAC address and IP address in DNSmasq for the webserver, named localserver.

Okay. So what I am trying to do is set up this so that when wireless clients connect, they can open their web browsers, and assuming they don't have a blank page set, they are redirected to the the index.html page on the web server. That's all. Then of course they can browse around the server. That is the entire function of this wireless network. The users don't know anything about the IP of the web server, nor its name.

Google should resolve as http://localserver/ ANYTHING, other than the router IP, localhost, or specific valid pages on the webserver, like http://localserver/page2.html, I would like to be redirected to http://localserver I will set up ipfw on the Mac so that any packets not destined for the web server (TCP 80) are just dropped. That's no problem.

But rerouting the traffic successfully is quite a task for me. I'm honestly a novice when it comes to networking. Is it possible to set up DNSmasq without needing a LAN domain, so no matter what is present in the client's web browser address bar, it will change to just http://localserver? I've tried forwarding all traffic with a LAN domain, and without, with mixed results.

This would be very similar to going to a library or a cafe and opening your browser once you connect to the router, and being redirected to a login page, only I'm just redirecting people to index.html on a web server. I can't just use port forwarding on the router because I'm forwarding traffic from the LAN, not a WAN.

The /etc/hosts file on the router is:

127.0.0.1 localhost
192.168.1.254 DD-WRT
192.168.1.253 localserver

I have to say here that in DD-WRT, under the DNSmasq options, I have added the line: address=/#/192.168.1.253 which I believe would resolve all entries that aren't found in the hosts file to 192.168.1.253. Is that correct? It does SEEM to work. Is the client then sent to the web server IP?

I can verify that without a LAN domain, under nslookup, I can get anything to resolve as 192.168.1.253, which is what I want, but when I open a web browser, the address bar does not change to http://localserver/. Why is that? I have attempted to do RedirectMatch and 404 redirects to index.html in Apache, but that does not work. If I can't get users to be redirected to http://localserver/, I'd be happy with just http://192.168.1.253 as long as they are actually able to just open their browser and get to the server with no interaction on their part.

Should I just set up a name server on the Mac Mini? I could do that, but then how would I go about it? Name Daemon (named)? I would like to avoid learning BIND if it's not absolutely necessary. And if the Mini is the name server, how would I forward all web traffic from the LAN clients to it?

Would you guys be willing to point me to where I can go to get more help with this? I guess I need direction on how to correctly configure DNSmasq for what I'm trying to do, how the traffic is routed from beginning to the server, and probably how to set up Apache correctly.

Thanks again.

Google for WLAN + "walled garden"

Thank you for the term era. I'd never heard of a walled garden, but after a search did find out some info about how it could be set up.

What I've decided to do is use DNSmasq to act as a DHCP server on the LAN, then use iptables to do all the routing. I switched the IPs a little bit, but the idea is the same.

Router IP - 192.168.0.254
web server - 192.168.0.253
DHCP IPs - 192.168.0.1 - 192.168.0.8
Rarely connected machine for admin stuff - 192.168.0.171 (I know it's no more secure this way really, just a way to potentially log access)
Subnet - 255.255.255.0

Can you help me out and tell me if I'm going the right direction here?


iptables -t nat -A PREROUTING -p tcp -s 192.168.0.1-192.168.0.8 --dport 80 -j DNAT --to-destination 192.168.0.253:80

iptables -A INPUT -p tcp -s 192.168.0.171 -d 192.168.0.254 --dport 45170 -j ACCEPT

If a wireless client attempts to do anything with TCP, where the destination port is 80 (HTTP) its destination is changed to the web server IP and port, and the packet is routed there. The web server is running on Apache at port 80.

If I use an address outside of the DHCP assigned area ( .171 in this case), and the packet is destined for the router itself at a specific port, the router will allow that packet to go through (still need to know the username and 4096-bit passcode to get in). The firmware on the router allows for wireless clients to be oblivious to each other.

How would I blackhole all packets after this point? I mean, if the packet is anything other than a TCP packet destined for port 80 from a DHCP assigned LAN IP, or from my "special" IP to the router at the special 45170 port for administration, how would I go ahead and just drop that packet at that point? I know there are other things that have to be allowed before packets can just be dropped (ICMP echo requests can be dropped, all IPv6 packets)...

I'm new to iptables and find this a little confusing. I will have to go through the tables already on the router to see how I will need to alter them for what I need.

Thank you for all the help!

I'm no authority on iptables. Because of the way these forums work, I'd suggest you post a new, specific question about this.

This is certainly a highly qualified topic, and might be better suited for the IP Networking board than the Unix for Dummies section.