Bypass Chilli using alternate IPs?
Gunther Mayer
gunther.mayer at googlemail.com
Sat May 3 16:54:36 UTC 2008
Tuc at T-B-O-H.NET wrote:
> Hi,
>
> I'll start out saying this is a Chillispot problem on DD-WRT.
> Unfortunately, support on the DD-WRT forum is generally lacking, so I
> come to you hoping that since this is a branch you'll be able to understand
> and suggest a change for me. If not, I certainly understand.
>
> On a sample DD-WRT router, I have the chilli.conf to be :
>
> radiusserver1 EXAMPLE.IP.ADDRESS.HERE
> radiusserver2 EXAMPLE.IP.ADDRESS.HERE
> radiussecret TMCQgnAW3f9g31
> dhcpif br0
> uamserver http://www.example.com/cgi-bin/UAM/uam.cgi
> dns1 EXAMPLE.IP.ADDRESS.HERE
> uamsecret aERP68Fi3d9gkh0
> uamallowed www.paypal.com,www.paypalobjects.com,www.seabreezeconnections.com
> radiusnasid SBC-2064
> radiuslisten 192.168.50.13
>
> and :
>
> # ifconfig br0
> br0 Link encap:Ethernet HWaddr 00:16:01:D1:90:3A
> inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:6981 errors:0 dropped:0 overruns:0 frame:0
> TX packets:7444 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:690194 (674.0 KiB) TX bytes:5253782 (5.0 MiB)
>
> # ifconfig tun0
> tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
> inet addr:192.168.182.1 P-t-P:192.168.182.1 Mask:255.255.255.0
> UP POINTOPOINT RUNNING MTU:1500 Metric:1
> RX packets:5706 errors:0 dropped:0 overruns:0 frame:0
> TX packets:7222 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:10
> RX bytes:555035 (542.0 KiB) TX bytes:5097966 (4.8 MiB)
>
> # ifconfig vlan1
> vlan1 Link encap:Ethernet HWaddr 00:16:01:D1:90:3B
> inet addr:192.168.50.13 Bcast:192.168.50.255 Mask:255.255.255.0
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:263049 errors:0 dropped:0 overruns:0 frame:0
> TX packets:128066 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:31820918 (30.3 MiB) TX bytes:11358988 (10.8 MiB)
>
>
> We've found out that if you MANUALLY set your IP to be in the 192.168.1.X
> range, set 192.168.1.1 as the gateway, and set your own DNS servers.... You can
> surf w/o authenticating... Which is a VERY bad thing...
>
> Is there a way to stop this? (Additional information provided if
> necessary.)
>
I ran across this issue years ago. Your problem is that you have two LAN
interfaces, the tun0 one (192.168.182.1/24) and the br0 one. Nothing
stops your box from routing stuff through br0 (the surfing w/o
authenticating). One way to avoid that is to have no IP active on br0
but DD-WRT doesn't allow you enough control to do that iirc. But here's
a simple fix: Put
iptables -I FORWARD -i br0 -j DROP
in your firewall commands and nobody will be able to do that anymore.
In future, please use coova-ap, it's infinitely better, fully open
source and less evil than DD-WRT ;-) well, don't want to start a thread
on dd-wrt vs the rest here...
Gunther
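An added example, not from Gunther's reply or from the Chilli or DD-WRT projects: a small POSIX shell audit that checks an iptables-save dump for the rule above and confirms it sits ahead of any ACCEPT in FORWARD that could match br0. The point it demonstrates is why the reply uses -I (insert at the head of the chain) rather than -A: a DROP appended after a broad ACCEPT never sees the unauthenticated br0 traffic. The two dumps are constructed samples; the idempotent delete-then-insert pair in chilli_firewall_commands is an assumption for firewall scripts that get re-run, not something the thread prescribes.

```sh
#!/bin/sh
# Added example: audit FORWARD for the "drop everything arriving on br0" rule.

# Constructed sample: what `iptables-save -t filter` might print after the
# rule was inserted at the head of FORWARD with -I (the reply's suggestion).
SAMPLE_GOOD='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i br0 -j DROP
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# Constructed sample: the rule was appended with -A, so a generic ACCEPT that
# precedes it still forwards clients who hand-picked a 192.168.1.x address.
SAMPLE_BAD='*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -j ACCEPT
-A FORWARD -i br0 -j DROP
COMMIT'

# Print the 1-based position of the first FORWARD rule that drops traffic
# arriving on the given interface, or 0 if no such rule exists.
# Usage: printf '%s\n' "$dump" | br0_drop_position br0
br0_drop_position() {
  awk -v ifname="$1" '
    /^-A FORWARD / {
      n++
      if ($0 ~ ("(^| )-i " ifname "( |$)") && $0 ~ /-j DROP$/) { print n; found = 1; exit }
    }
    END { if (!found) print 0 }'
}

# Exit 0 only if the DROP for the interface exists and no earlier FORWARD rule
# could ACCEPT that interface first (an ACCEPT with no -i, or with -i <iface>).
# Usage: printf '%s\n' "$dump" | forward_blocks_iface br0
forward_blocks_iface() {
  awk -v ifname="$1" '
    /^-A FORWARD / {
      on_iface = ($0 ~ ("(^| )-i " ifname "( |$)"))
      if (on_iface && $0 ~ /-j DROP$/) { ok = 1; exit }
      if ($0 ~ /-j ACCEPT$/ && ($0 !~ / -i / || on_iface)) { exit }
    }
    END { exit ok ? 0 : 1 }'
}

# Lines for the DD-WRT firewall-commands box. The -D first is an assumption
# for scripts that are re-run: it keeps repeated runs from stacking duplicates.
chilli_firewall_commands() {
  printf '%s\n' \
    'iptables -D FORWARD -i br0 -j DROP 2>/dev/null' \
    'iptables -I FORWARD -i br0 -j DROP'
}

# When run directly: report where the DROP sits in each constructed dump.
printf 'good dump: DROP for br0 is FORWARD rule #%s\n' \
  "$(printf '%s\n' "$SAMPLE_GOOD" | br0_drop_position br0)"
printf 'bad dump:  DROP for br0 is FORWARD rule #%s\n' \
  "$(printf '%s\n' "$SAMPLE_BAD" | br0_drop_position br0)"
```

On the router itself the dump comes from `iptables-save` (or `iptables -S FORWARD`) instead of the constructed strings; the check is the same. Note that this rule drops everything forwarded from br0, so any traffic that legitimately should be forwarded from that interface must be admitted by a rule placed ahead of it.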