Winter Shutdown and Aspirations for the Future

Discussion forum about Wimborne Model Town's Town Quiz Web Server.
TerryJC
Posts: 2616
Joined: 16/05/2017, 17:17

Winter Shutdown and Aspirations for the Future

Post by TerryJC »

This morning I shut down the webserver for the Winter. When I spoke to Greg about this he mentioned that it would be good to have a better method of logging on to the system and also that it would be nice if the Visitors could log on at the entrance instead of down the path.

I had already been thinking about both of these problems and outlined two possible solutions for the wireless coverage:
  1. We could cascade WiFi Extenders; one in the Lady Hanham building and one in the Cafe.
  2. We could install a Mesh network.
Solution 1 is cheap and cheerful, but may not work properly. Solution 2 is anything but cheap and may not work with the outdoor antenna. I need to look into this further and will post progress in this Forum.

Logging on to the system with Android devices has never worked properly and iPhones are not much better, so we need to find a way to solve that too.
Terry
TerryJC

Re: Winter Shutdown and Aspirations for the Future

Post by TerryJC »

Further to my previous post in this Topic, I should mention that it is an aspiration of the River System Team that the Audio Guide and Quiz server be utilised to provide the Staff and Visitor GUIs in due course.
Terry
TerryJC

Re: Winter Shutdown and Aspirations for the Future

Post by TerryJC »

Hi,

I have mentioned this to one or two people. I have been asking how best to improve reception on the TP-Link Forum (see http://forum.tp-link.com/showthread.php ... L-WA7210N). There were a few ideas, but then the responses dried up.

In summary, using the extenders idea, we could get another outdoor AP and set it up by the entrance with the WiFi signal being repeated from the existing signal or over Ethernet using mains adaptors. However, a better solution would be to move the existing AP to a better place, such as the main office building or the Gazebo. Unfortunately, without some other modifications that would mean moving the webserver hardware as well.

I was discussing this with Penri and he mentioned that he has asked Stuart to order plenty of armoured Ethernet cable for connecting up the remote Pis for the River System. He believes that there will be enough to run a cable to the Gazebo, where there will be a remote Pi for the gardener's water supply. This Pi will (initially at least) simply monitor the levels in the butts and there won't be any pipework to take water to and from the river system like the other butts farms. However, the presence of the Ethernet means that we can move the Outdoor AP from its present position at the rear of the Railway Room store, without having to move the webserver itself.

That is currently the preferred solution.
Terry
TerryJC

Re: Winter Shutdown and Aspirations for the Future

Post by TerryJC »

TerryJC wrote: 10/11/2017, 12:14
That is currently the preferred solution.

Bringing this up to date, the decision was made a few weeks ago to move the WiFi Antenna to the Gazebo and run the armoured cable as mentioned above.

To date, the cable is in and I currently have the Antenna and RPi webserver here at home. I have spent the last week trying to get Android phones and tablets to connect without complaining that there is no Internet connection. Some work was done on this last year and the webserver responds to a query from the phone to 'spoof' a connection to the Internet.

I have made some progress, but the upshot is that modern Android devices V7.0 and up expect to connect using HTTPS (eg secure connections or SSL). It is very difficult to make this work on a closed network. There are work-rounds for this, but they all need regular updates to take place every couple of months and there is no guarantee that V 8.0 devices (which I haven't been able to test yet) won't become more strict and require a real Internet connection to validate the Certificate.

So, to summarise, the solution used works well for Android phones and tablets up to and including V 6.0. For later versions the server needs to have a Domain Validated SSL Certificate, which is probably fine if you are only intending the AP to be up for a few days or weeks, but a pain if you want it to be up from March until October, as we do.
Terry
TerryJC

Re: Winter Shutdown and Aspirations for the Future

Post by TerryJC »

Sitrep,

Today, we agreed the best solution for mounting the Antenna and associated PSUs / PoE injector etc. A start has been made on the installation of the equipment box and Antenna at the Gazebo.

The situation regarding SSL was discussed at some length with Greg and as a result, I will be attempting to reproduce the solution put in place by Lloyd at Foxdog Studios (see https://foxdogstudios.com/making-phones ... s-internet). This involves registering a new domain (say www.WMTGuide.com) and then obtaining a Domain Validated Certificate for it. I have asked Lloyd if he thinks that this would work and will implement it if I get a positive response.
Terry
TerryJC

Re: Winter Shutdown and Aspirations for the Future

Post by TerryJC »

Sitrep.

The new antenna was installed in the agreed location and set to work.

Greg has asked the WMT Website contractor for an upgrade of the Website to SSL so that the internal network can re-use the Certificate. I'm awaiting a call from him to explain what we are trying to do.

Currently the WiFi connects without complaint to laptops, iPhones and Android Phones with Android V 6.0 or less.
Terry
TerryJC

Re: Winter Shutdown and Aspirations for the Future

Post by TerryJC »

TerryJC wrote: 24/03/2018, 8:50
Greg has asked the WMT Website contractor for an upgrade of the Website to SSL so that the internal network can re-use the Certificate. I'm awaiting a call from him to explain what we are trying to do.

This never happened. However, while driving to the LUG Meeting last month, Paul suggested putting a firewall in the system and last night he explained how it could be done.

The technique is called URL filtering in this context and Paul provided some links:

https://duckduckgo.com/?q=url+filtering ... cal&ia=web
https://computers.tutsplus.com/articles ... -mac-55984

and - squidguard on pi:

http://danscourses.com/turn-a-raspberry ... quidguard/

I'll be looking at this further, but to work, we will need to add an Ethernet interface to the Webserver Pi and connect it to the WMT Router in the Office. Obviously we could run another Armoured Ethernet cable, but that could be difficult as well as expensive. Alternatively we could use a pair of mains / Ethernet Adaptors for around £30 to £40. I'd like to test this at home before we commit to it, but I don't have a spare set of adaptors, so I'll have to scrounge some from somewhere. In the meantime, I can test the setup with a direct Cat 5 link between the second Ethernet connector on the Webserver and my home router, with an old WiFi Router acting as WMT-Guest.

The idea is that the URL Filter is set up to allow traffic from the WMT-Guest AP to and from the Internet for the Google 'magic' URLs only.

I'll think about all this over the coming days.
Terry
TerryJC

Re: Winter Shutdown and Aspirations for the Future

Post by TerryJC »

Hi,

I've reviewed the info provided by Paul at the LUG Meeting and have come up against some problems. His main suggestion was Squid Guard, which is actually a 'Net Nanny' type solution and relies on an underlying installation of squid3. This is actually a proxy caching server, rather than a firewall. There are several pages on the Internet that give fairly detailed instructions on how to set up Squid Guard, but by following those, we'd end up with a system that allows access to everything except pages that contain Adult content. Not quite what we want!

That's the problem: most firewall / net filtering solutions expect that the clients will be granted access to most things, with restrictions on just a few sites (eg a business might stop its employees accessing Facebook or Twitter during working hours perhaps). What we want is diametrically opposite to that. We want our clients to be granted access to nothing except those few sites that Android uses to establish that it is not in a walled garden, eg:

        clients3.google.com
        clients.l.google.com
        connectivitycheck.android.com
        connectivitycheck.gstatic.com
        play.googleapis.com

I'm sure that any firewall can be set up to do that, but my limited skill-set in that area is failing me at the moment; for example, the squid.conf file is very nearly 8000 lines long. On the other hand Squid Guard appears to be a bit simpler and seems to have places where I could list the allowed and barred clients and also the allowed and barred destinations. So if I can wade through squid.conf, I might be able to do something with it.

More work is clearly needed. In the meantime, I've produced a diagram of the physical architecture:

[Attachment: Webserver_Filter.gif]
Terry
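
The allow-only policy described in the post above, sketched as a squid.conf fragment. This is an added example, not part of the original post or the Town Quiz server's configuration; the guest subnet 192.168.10.0/24 and the use of Squid as an explicit proxy on port 3128 are assumptions.

```conf
# Added example: default-deny squid.conf fragment (not from the original thread).
# Assumed values: guest subnet 192.168.10.0/24, explicit proxy on port 3128.

http_port 3128

# Source: only clients on the guest WiFi subnet may use the proxy at all.
acl wmt_guest src 192.168.10.0/24

# Destinations: exactly the hosts listed in the post. Without a leading dot,
# dstdomain matches that exact host name only, not its subdomains.
acl android_check dstdomain clients3.google.com
acl android_check dstdomain clients.l.google.com
acl android_check dstdomain connectivitycheck.android.com
acl android_check dstdomain connectivitycheck.gstatic.com
acl android_check dstdomain play.googleapis.com

# HTTPS reaches an explicit proxy as a CONNECT request; permit it to port 443 only.
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports

# A block-list setup would end with "http_access deny <bad sites>" followed by
# "http_access allow all". The inversion is the order below: one narrow allow,
# then a catch-all deny. Squid stops at the first matching http_access line,
# so anything not named above falls through to "deny all".
http_access allow wmt_guest android_check
http_access deny all
```

The fragment replaces the `http_access` section of a stock squid.conf rather than being appended to it, because earlier allow rules in the default file would match first.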
TerryJC

Re: Winter Shutdown and Aspirations for the Future

Post by TerryJC »

Spoke to Penri, Hamish and Greg about implementing the above. Penri says that if necessary, we could run (non-armoured) Cat 5 overground, but Greg is not keen on the disruption. He is happy with spending up to (say) £70 on Powerline Adaptors.

Over the coming week I will implement the system above at home (with straight Cat 5 in lieu of adaptors) to prove the concept. A guy on the Raspberry Pi forums has recommended NoDogSplash as the best way to achieve what we want. This is a Captive Portal (like you get in Pubs and other businesses) and would appear to do everything we want.

I'll report back when I've done a bit more testing.
Terry
TerryJC

Re: Winter Shutdown and Aspirations for the Future

Post by TerryJC »

This post is a continuation of several posts that have been started elsewhere. These include: To re-iterate the problem; the WMT Audio Guide and Quiz Webserver works well, but some visitors have great difficulty connecting to the WiFi Access Point because Google have now updated Android to only seamlessly accept connections from devices if the AP has Internet access. We've tried various solutions to this over the past year or so:
  • Plan A was to spoof the Google check sites - that no longer works with later versions of Android, as mentioned.
  • Plan B was to apply for and obtain a full SSL Certificate for the WMT website and re-use it on the RPi Webserver - that failed because the website maintainer doesn't seem to want to play along with that.
  • Plan C has just failed, as described in the first link above, temporarily at least.
Of relevance to this is that various solutions for Plan C were suggested by various people, but I finally chose NoDogSplash, which provides a Captive Portal. A Captive Portal is the kind of thing that is found in pubs and apart from providing a controllable path to internet, it also ensures that when a user connects to the AP and opens his browser, the first site that he will see is the WMT Landing Page, regardless of what he/she types in the browser bar.

I therefore intend to carry on implementing and testing this here and will install it in due course. Obviously without a path to the Office Router, it won't solve the original problem, but it will make it easier for Visitors to find the Landing Page.

In the meantime, Greg has informed me that he will shortly be recording some new content for the Audio Guide. If possible, I will implement that in parallel to the above, but otherwise I'll add the new content after my holiday at the beginning of July.
Terry