
# The options available here are an adaptation of the settings used in nodogsplash.conf.
# See https://github.com/nodogsplash/nodogsplash/blob/master/resources/nodogsplash.conf

config nodogsplash
  # Set to 0 to disable nodogsplash
  option enabled 1
  
  # Set to 0 to disable hook that makes Firewall restart nodogsplash when Firewall restarts
  # This hook is needed as a restart of Firewall overwrites nodogsplash iptables entries
  option fwhook_enabled '1'

  # Serve the file splash.html from this directory
  option webroot '/etc/nodogsplash/htdocs'

  # Use plain configuration file
  #option config '/etc/nodogsplash/nodogsplash.conf'

  # Use this option to set the network interface the users are connected to
  # Must not be used with option gatewayinterface
  # This option automatically identifies the active lan device for nodogsplash to bind to
  # This option may fail if the device configured for this interface is not up when nodogsplash starts at boot time
  # You may change this to any valid virtual lan interface that has been defined, eg lan, lan2, public_lan wlan2 etc
  # option network 'lan'
  
  # Use this option to set the device nogogsplash will bind to
  # Must not be used with option network
  # The nodogsplash init script will wait for this device to be up before loading the nodogsplash service
  # You may change this to any valid lan device eg br-lan, wlan0, eth0.1 etc
  option gatewayinterface 'br-lan'
  
  option gatewayname 'OpenWrt Nodogsplash'
  option maxclients '250'
  # Client timeouts in minutes
  option clientidletimeout '120'
  option clientforcetimeout '1440'


  # Your router may have several interfaces, and you
  # probably want to keep them private from the network/gatewayinterface.
  # If so, you should block the entire subnets on those interfaces, e.g.:
  # list authenticated_users 'block to 192.168.0.0/16'
  # list authenticated_users 'block to 10.0.0.0/8'

  # Typical ports you will probably want to open up.
  #list authenticated_users 'allow tcp port 22'
  #list authenticated_users 'allow tcp port 53'
  #list authenticated_users 'allow udp port 53'
  #list authenticated_users 'allow tcp port 80'
  #list authenticated_users 'allow tcp port 443'
  # Or for happy customers allow all
  list authenticated_users 'allow all'


  # For preauthenticated users to resolve IP addresses in their
  # initial request not using the router itself as a DNS server,
  # Leave commented to help prevent DNS tunnelling
  #list preauthenticated_users 'allow tcp port 53'
  #list preauthenticated_users 'allow udp port 53'

  # Allow ports for SSH/Telnet/DNS/DHCP/HTTP/HTTPS
  list users_to_router 'allow tcp port 22'
  list users_to_router 'allow tcp port 23'
  list users_to_router 'allow tcp port 53'
  list users_to_router 'allow udp port 53'
  list users_to_router 'allow udp port 67'
  list users_to_router 'allow tcp port 80'

  # MAC addresses that are / are not allowed to access the splash page
  # Value is either 'allow' or 'block'. The allowedmac or blockedmac list is used.
  #option macmechanism 'allow'
  #list allowedmac '00:00:C0:01:D0:0D'
  #list allowedmac '00:00:C0:01:D0:1D'
  #list blockedmac '00:00:C0:01:D0:2D'

  # MAC addresses that do not need to authenticate
  #list trustedmac '00:00:C0:01:D0:1D'

  # Set FW_MARK for compatibilty with other OpenWrt Packages eg mwan3, sqm etc.
  list fw_mark_authenticated '30000'
  list fw_mark_trusted '20000'
  list fw_mark_blocked '10000'
