Topic: Is there any way to create a custom IPFW rule?  (Read 3839 times)
« on: January 14, 2009, 00:40:29 »
ripegroup *
Posts: 2

Hi,

We are planning on using m0n0wall for a couple of hotels.  Captive Portal and Vouchers work brilliantly but we want to capture the outbound SMTP requests and divert these off to the hotel's ISP.  That way we have an "all-in-one" solution that we can then roll out to other hotels.

Excuse the iptables rule, but basically here's what I want to do:

iptables -v -t nat -A PREROUTING -p tcp --dport 25 -i eth0 -j DNAT --to x.x.x.x:25

Anybody know how to do this (not the ipfw rule, but the insertion of this into one of the startup scripts)?

Rick.
« Reply #1 on: January 17, 2009, 09:37:56 »
knightmb ****
Posts: 341

You mean redirect an outbound SMTP (port 25) from the requested site to a site of your choosing?

I'm not sure how well that would work since if a client is requesting to talk to yahoo.com to send e-mail and it gets something else, it would just fail on the session. If they are using TLS or some other form of certificate encryption, it certainly won't work.

Need more details about how this process is supposed to work and what it will accomplish if it does?

Radius Service for m0n0wall Captive Portal - http://amaranthinetech.com
« Reply #2 on: January 17, 2009, 11:00:58 »
ripegroup *
Posts: 2

What we want is for the guest in the room to not fuss about with email settings if we can avoid it.  So, we want to capture their outbound SMTP session, redirect to the ISP's SMTP server and not have to tell them.  If they do have TLS enabled or some other security we can expect that they will have enough knowledge to follow some simple instructions to disable TLS or use a special SMTP port that will then use Port Address Translation to get to their original SMTP server.

I don't see the issue with "expecting to talk to yahoo.com to send e-mail" failing as the redirected email server will allow mail requests from the source IP address (which will be part of our internal address range).

It should be seamless for 90-95% of the guests and the other 5-10% should be able to make the simple changes - instead of requiring all guests to change their email settings.  We currently have the guests having to change their mail settings each time - this is a problem that tends to cause an issue or two a week for reception (who are not IT people).

Is this possible?
« Reply #3 on: January 30, 2009, 17:36:56 »
knightmb ****
Posts: 341

What we want is for the guest in the room to not fuss about with email settings if we can avoid it.  So, we want to capture their outbound SMTP session, redirect to the ISP's SMTP server and not have to tell them.  If they do have TLS enabled or some other security we can expect that they will have enough knowledge to follow some simple instructions to disable TLS or use a special SMTP port that will then use Port Address Translation to get to their original SMTP server.

I don't see the issue with "expecting to talk to yahoo.com to send e-mail" failing as the redirected email server will allow mail requests from the source IP address (which will be part of our internal address range).

It should be seamless for 90-95% of the guests and the other 5-10% should be able to make the simple changes - instead of requiring all guests to change their email settings.  We currently have the guests having to change their mail settings each time - this is a problem that tends to cause an issue or two a week for reception (who are not IT people).

Is this possible?

I think it's possible, but your SMTP server will have to function in a "open relay" mode, basically the clients are going to throw a username/password at it and it needs to send the "password ok" for anything they use. Those using encryption, it will fail due to certificate mismatch with the CN. I think if anyone is smart enough to use encryption, they will think someone is trying to tamper with the e-mail. That means either they will complain or just not use the SMTP to send fearing stolen mail/passwords/etc.

The default m0n0wall GUI doesn't have a place to create an outbound rule redirection, but I'm sure someone here knows a way to hack it in via the command line to test with and see how well it works. The rule would have to be a "any outbound port 25 redirect to x.x.x.x mail server instead" I've read about people using a cache proxy for web browsing, so I'm sure a proxy for email should be possible.

Radius Service for m0n0wall Captive Portal - http://amaranthinetech.com
« Reply #4 on: May 18, 2009, 16:45:08 »
jonathan *
Posts: 12

The following can only be done by backing up the config, adding the following rule accordingly, and restoring the config.

<nat>
  <rule>
    <protocol>tcp</protocol>
    <external-port>25</external-port>
    <target>IP_OF_YOUR_MAILSERVER_HERE</target>
    <local-port>25</local-port>
    <interface>wan</interface>
    <descr>redirect SMTP to WAN SMTP server</descr>
  </rule>
</nat>
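The backup-edit-restore step from reply #4, applied to a saved config.xml as an added example (not code from the thread or from the m0n0wall project): it assumes the backup's root element is named m0n0wall and that a <nat> section may or may not already exist, and it refuses to insert a second copy of the same rule.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Rule fields from reply #4, in the same order; only the target changes.
RULE_FIELDS = ("protocol", "external-port", "target", "local-port", "interface", "descr")


def _rule_values(target_ip):
    return {
        "protocol": "tcp",
        "external-port": "25",
        "target": target_ip,
        "local-port": "25",
        "interface": "wan",
        "descr": "redirect SMTP to WAN SMTP server",
    }


def find_smtp_redirect(root):
    """Return the existing <nat><rule> for tcp/25 on wan, or None."""
    for rule in root.findall("./nat/rule"):
        if (rule.findtext("protocol") == "tcp"
                and rule.findtext("external-port") == "25"
                and rule.findtext("interface") == "wan"):
            return rule
    return None


def smtp_redirect_target(config_xml):
    """Target address of the SMTP redirect rule, or None if no such rule."""
    rule = find_smtp_redirect(ET.fromstring(config_xml))
    return None if rule is None else rule.findtext("target")


def add_smtp_redirect(config_xml, target_ip):
    """Return the backup with the reply #4 rule inserted (idempotent)."""
    ipaddress.ip_address(target_ip)  # reject a mistyped target before restoring
    root = ET.fromstring(config_xml)
    if find_smtp_redirect(root) is not None:
        return config_xml  # already present; do not add a duplicate rule
    nat = root.find("nat")
    if nat is None:  # assumption: <nat> is a direct child of the root
        nat = ET.SubElement(root, "nat")
    rule = ET.SubElement(nat, "rule")
    values = _rule_values(target_ip)
    for field in RULE_FIELDS:
        ET.SubElement(rule, field).text = values[field]
    return ET.tostring(root, encoding="unicode")


# Constructed minimal backup; a real config.xml carries many more sections.
SAMPLE_CONFIG = "<m0n0wall><system><hostname>hotel-fw</hostname></system></m0n0wall>"

if __name__ == "__main__":
    print(add_smtp_redirect(SAMPLE_CONFIG, "192.0.2.25"))
```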