I'm using Shibby's latest builds (116) on an RT-N16 and an RT-N66U. I have two wireless networks set up on different bridge groups/VLANs. One network requires authentication and is bridged (same VLAN) to the wired ports. The other is for guest Internet access only, with no authentication/security. Guests on that VLAN should never be able to access devices on the secure VLAN.
Without captive portal, I can connect to the guest network and access the router's internal services (web server, ssh) and the Internet but not anything on the secure VLAN - GOOD. With captive portal enabled on the guest VLAN, I click through the splash screen and can access the Internet AND anything on the secure VLAN - BAD.
The problem appears to be in the setup of the iptables FORWARD chain. The redirect to the NoCat chain is being placed at the very top of the FORWARD chain - above the VLAN isolation rules. There's code in nocatsplash/install.fw that looks for a "lan2wan" rule and places the NoCat redirect just above that rule if present, but there's no "lan2wan" rule in my table. However, there is a "wanin" rule and if I hand-add the NoCat rule just above the "wanin" rule (and remove it from the top of the table), then everything appears to work as desired.
I'm not sure if I can work around this by adding a script in the Firewall rules to patch up the table; when in the startup sequence are the NoCat rules added to the table? But a real fix would be to modify the nocatsplash install.fw code to look for the "wanin" rule instead of, or in addition to, the "lan2wan" rule.
So… Can anyone tell me if this has already been fixed in some release? Or, failing that, is it safe to just replace "lan2wan" with "wanin" in the install.fw file or do we really need to be looking for both names?
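As an added example (not code from the post or from nocatsplash/install.fw), a small POSIX shell helper that applies the workaround described above: it reads a FORWARD listing, prefers a "lan2wan" rule and falls back to "wanin", and prints the iptables commands that move the NoCat jump to just above it, allowing for the renumbering that happens once the top-of-chain jump is deleted. The listing is a constructed sample; only the chain names the post mentions are assumed.

```shell
#!/bin/sh
# Constructed sample of `iptables -nL FORWARD --line-numbers` on a router where
# the NoCat jump sits at the top, ahead of the guest-VLAN isolation rules.
SAMPLE_FORWARD='Chain FORWARD (policy DROP)
num  target     prot opt source               destination
1    NoCat      all  --  0.0.0.0/0            0.0.0.0/0
2    DROP       all  --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
4    wanout     all  --  0.0.0.0/0            0.0.0.0/0
5    wanin      all  --  0.0.0.0/0            0.0.0.0/0'

# Print the number of the first FORWARD rule whose target is $2, reading the
# listing from $1. Prints nothing and returns 1 if no such rule exists.
rule_num() {
    printf '%s\n' "$1" | awk -v t="$2" \
        '$1 ~ /^[0-9]+$/ && $2 == t { print $1; found = 1; exit } END { exit !found }'
}

# Index for `iptables -I FORWARD <n> -j NoCat`: just above lan2wan (what
# install.fw looks for), else just above wanin (what the post found works).
# Deleting a NoCat jump that sits above the anchor shifts the anchor up by one.
nocat_insert_pos() {
    anchor=$(rule_num "$1" lan2wan) || anchor=$(rule_num "$1" wanin) || return 1
    cur=$(rule_num "$1" NoCat) || { echo "$anchor"; return 0; }
    if [ "$cur" -lt "$anchor" ]; then echo $((anchor - 1)); else echo "$anchor"; fi
}

# Emit the commands rather than running them, so they can be checked against
# the live table before going into the Firewall script.
nocat_fixup_cmds() {
    pos=$(nocat_insert_pos "$1") || { echo "no lan2wan or wanin rule in FORWARD" >&2; return 1; }
    echo "iptables -D FORWARD -j NoCat"
    echo "iptables -I FORWARD $pos -j NoCat"
}

nocat_fixup_cmds "$SAMPLE_FORWARD"
```

On the sample this prints a delete followed by `iptables -I FORWARD 4 -j NoCat`, which lands the jump directly above wanin (rule 5 before the delete, rule 4 after it).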