At our local Model Town, I've installed a Raspberry Pi 3 running a Webserver (nginx) to serve local content to visitors that log onto an outdoor WiFi Access Point. It works pretty well and is now running during its second season. However, there is one problem; Android devices won't connect to the WiFi (without hassle) if there isn't a path to the Internet. Originally we used a fairly successful hack whereby our Webserver spoofed the Google sites that Android attempts to access to establish that an Internet connection exists. More recent Android versions however are more fussy and require the site to be a fully validated type; not the self-signed type that we've tried.
The Model Town is a registered charity and the Trustees are not keen to allow visitors unfettered access to the Internet, because of data costs. Some kind of IP Filtering would therefore seem to be the answer. I asked at our local LUG Meeting and SquidGuard was suggested, but presumably any firewall / net filtering solution could be used. I've found several pages on the Internet that give fairly detailed instructions on how to set up Squid Guard, but by following those, we'd end up with a system that allows access to everything except pages that contain Adult content. Not quite what we want!
As I understand it, most firewall / net filtering solutions expect that the clients will be granted access to most things, with restrictions on just a few sites (e.g. a business might stop its employees accessing Facebook or Twitter during working hours perhaps). What we want is diametrically opposite to that. We want our clients to be granted access to nothing except those few sites that Android uses to establish that it is not in a walled garden.
I'm sure that any firewall or net filter can be set up to do that, but my limited skill-set in that area is failing me at the moment; for example, the squid.conf file is very nearly 8000 lines long. On the other hand Squid Guard appears to be a bit simpler and seems to have places where I could list the allowed and barred clients and also the allowed and barred destinations. So if I can wade through squid.conf, I might be able to do something with it. However, before I invest a lot of time in that, I'd like to know:
- Is Squid Guard the right solution (or as good as any other)?
- Will the physical architecture that I've shown below work?
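As an added example (not from the post or from the Squid project's documentation), this is a minimal default-deny `squid.conf` fragment for the "allow nothing except the Android connectivity-check hosts" policy described above, shown beside the inverted "allow everything except" pattern the SquidGuard tutorials produce. The subnet, the port and the probe host are assumptions; the actual hosts a given Android version probes should be confirmed from Squid's `access.log` before relying on this.

```conf
# Added example, not the post's own configuration.
http_port 3128

# Only the visitor WiFi subnet may use the proxy at all (assumed range).
acl visitors src 192.168.4.0/24

# Destination(s) Android probes to decide whether it has Internet access.
# connectivitycheck.gstatic.com is one known probe host; it is an assumption
# that it covers the Android versions in use. Add any other hosts that show
# up in access.log as TCP_DENIED for a fresh device, nothing else.
acl android_probe dstdomain connectivitycheck.gstatic.com

# Squid evaluates http_access lines top to bottom and stops at the first
# match, so the deny-all line must come last.
http_access allow visitors android_probe
http_access deny all

# No caching needed for a handful of 204 responses.
cache deny all
access_log /var/log/squid/access.log squid

# For contrast, the shape the "block adult content" tutorials end up with.
# Everything not explicitly denied is allowed, the opposite of what is wanted:
#   acl adult dstdomain "/etc/squid/adult-domains.txt"
#   http_access deny adult
#   http_access allow all
```

`dstdomain` matches the Host header of plain HTTP requests and the target of CONNECT requests from clients configured to use the proxy explicitly; HTTPS that is transparently intercepted on port 443 cannot be matched by name without `ssl_bump`, so a transparent setup needs more than this fragment.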