VPN Traffic issues

Daniel Garcia DGarcia at globalgossip.net
Thu Mar 5 09:19:11 UTC 2009


>Is eth1 your WAN interface or the chilli DHCP interface? Looks like your
>chilli DHCP ... not sure why you need an IP on that interface for "pass
>through traffic" ...

eth1 is the chilli DHCP interface, the one that chilli replaces with 0.0.0.0 and creates a virtual tunnel

In regards for pass-through traffic, what I mean is, I have a couple of APS and other devices behind the chilli hotspot network and I would like to be able to HTTP to those devices, also get traffic like SNMP working for monitoring purposes, which is why I placed the internet on eth1, so the APS with IP's can be browsed to.


>I noticed that you don't have an MTU clamp iptables rule, which might
>help (see the up.sh in svn).

Whats an MTU clamp? Ill take a look.


So, you are saying the current setup allows VPNs to work, but you can't
web surf when not using the VPN (or when using the VPN)?

>You might want to do a wireshark dump (or tcpdump) of the subscriber's
>traffic. Or, run chilli in debug mode to help see what it is doing. The
>first question is: can the subscriber surf the walled garden or does
>*nothing* work?

surf the walled garden? Sorry you lost me. Browsing the internet is fine when subscribers log in correctly. Once logged in and successfully browsing, if they VPN, then browsing stops working. I notice that DNS is working because I see the browser resolving the name URL...it appears to be something in the iptables is preventing it

David


On Wed, 2009-03-04 at 17:15 +1100, Daniel Garcia wrote:
> Hi David/Delevopers,
>
>
>
> I am having a headache with Coova and I was wondering if someone could
> help me out, Ive been working on Coova for a few weeks now and time is
> running out for me and so I hope you can help me.
>
>
>
> I was tasked with getting multiple VPN traffic to work with Coova so
> people from the hotspot network for our wireless users. We have a
> linux box that acts as a gateway for wireless traffic.
>
>
>
> Following the instructions on the web and coova I have done the
> following...
>
>
>
> Edit /usr/local/etc/chilli/Up.sh
>
>
>
> #!/bin/sh
>
> # Coova Chilli - David Bird <david at coova.com>
>
> # Licensed under the GPL, see http://coova.org/
>
> # up.sh /dev/tun0 192.168.0.10 255.255.255.0
>
>
>
> . /usr/local/etc/chilli/functions
>
>
>
> [ -e "/usr/local/var/run/chilli.iptables" ] &&
> sh /usr/local/var/run/chilli.iptables 2>/dev/null
>
> rm -f /usr/local/var/run/chilli.iptables 2>/dev/null
>
>
>
> IF=$(basename $DEV)
>
>
>
> ipt() {
>
>     opt=$1; shift
>
>     echo "iptables -D $*" >> /usr/local/var/run/chilli.iptables
>
>     iptables $opt $*
>
> }
>
>
>
> ipt_in() {
>
>     ipt -A INPUT -i $IF $*
>
> }
>
>
>
> [ -n "$DHCPIF" ] && {
>
>
>
>     [ -n "$UAMPORT" -a "$UAMPORT" != "0" ] && \
>
>       ipt_in -p tcp -m tcp --dport $UAMPORT --dst $ADDR -j ACCEPT
>
>
>
>     [ -n "$UAMUIPORT" -a "$UAMUIPORT" != "0" ] && \
>
>       ipt_in -p tcp -m tcp --dport $UAMUIPORT --dst $ADDR -j ACCEPT
>
>
>
>     [ -n "HS_TCP_PORTS" ] && {
>
>       for port in $HS_TCP_PORTS; do
>
>           ipt_in -p tcp -m tcp --dport $port --dst $ADDR -j ACCEPT
>
>       done
>
>     }
>
>
>
>     ipt_in -p udp -d 255.255.255.255 --destination-port 67:68 -j
> ACCEPT
>
>     ipt_in -p udp --dst $ADDR --dport 53 -j ACCEPT
>
>
>
>     ipt -A INPUT -i $IF --dst $ADDR -j DROP
>
>     ipt -A INPUT -i $IF -j DROP
>
>
>
>     ipt -I FORWARD -j DROP -i $DHCPIF
>
>     ipt -I FORWARD -j DROP -o $DHCPIF
>
>     ipt -t raw -I PREROUTING -j NOTRACK -i $DHCPIF #Beg. of appended
> lines
>
>     ipt -t raw -I OUTPUT -j NOTRACK -o $DHCPIF
>
>     ipt -I FORWARD -j ACCEPT -i tun0 -p gre
>
>     ipt -I FORWARD -j ACCEPT -i tun0 -p tcp --dport 1723
>
>
>
>     ipt -I PREROUTING -t raw -j NOTRACK -i $DHCPIF
>
>     ipt -I OUTPUT -t raw -j NOTRACK -o $DHCPIF #End of appended lines
>
>
>
>     ipt -I POSTROUTING -t nat -o eth0 -j MASQUERADE
>
>     ipt -I PREROUTING -t nat -i $IF -p tcp --dport 25 -j DNAT
> --to-destination $HS_SMTP
>
>
>
>     [ "$HS_LAN_ACCESS" != "on" -a "$HS_LAN_ACCESS" != "allow" ] && \
>
>       ipt -I FORWARD -i $IF -o \! $HS_WANIF -j DROP
>
>
>
>     [ "$HS_LOCAL_DNS" = "on" ] && {
>
>       ipt -I PREROUTING -t nat -i $IF -p udp --dport 53 -j DNAT
> --to-destination $HS_DNS1
>
>       ipt -I PREROUTING -t nat -i $IF -p tcp --dport 53 -j DNAT
> --to-destination $HS_DNS1
>
>       }
>
> }
>
>
>
> # site specific stuff optional
>
> [ -e /usr/local/etc/chilli/ipup.sh ]
> && . /usr/local/etc/chilli/ipup.sh
>
>
>
> As you can see the blue is the added code I copied from the forums. I
> also did the following for the install of the appropriate modules...
>
>
>
> Modprobe ip_conntrack_pptp
>
> Modprobe ip_nat_pptp
>
> Modprobe nf_nat_proto_gre
>
> Modprobe nf_conntrack_proto_gre
>
>
>
> Now, I also amended the following
>
>
>
> # vi /usr/local/etc/init.d/chilli
>
>
>
> Under the case$1 in
>
>                            Start) – section (this starts the chilli
> software and calls many procedures
>
>
>
> Changed the following code:
>
>
>
> Ifconfig $HS_LANIF 0.0.0.0
>
>
>
> To: ifconfig $HS_LANIF 10.200.100.129/24
>
>
>
> As I want an IP on the eth1 interface for traffic passthrough.
>
>
>
> My problem is two-fold, 1. Multiple VPN connections work great and I
> can access the resources on the other network, but i can NOT browse
> the internet. DNS is working because I can see a web search doing a
> name-to-ip address translation, so HTTP or nat’ing is getting screwed
> up somewhere.
>
>
>
> Also, we want to have snmp and ftp services working and go through the
> eth1 interface (which is why I have placed an IP address on eth1; for
> routing purposes), but if I remove the DROP chains:
>
>
>
>     ipt -I FORWARD -j DROP -i $DHCPIF
>
>     ipt -I FORWARD -j DROP -o $DHCPIF
>
>
>
> Then VPN stops working, I cant even get one connection going. Ive
> spent weeks on these two issues to no avail.
>
>
> Thank you.
>
>
>
>
>
>
>
>
>
> Daniel Garcia
>
> IT Assistant Manager
>
> Core Infrastructure & Systems Development
>
> Global Gossip Group
>
> [a]    14 Wentworth Avenue, Sydney, NSW 2010
>
> [t]    +612 9263 0458
>
> [f]    +612 9263 0404
>
> [m]    0400 604 897
>
> [e]    dgarcia at globalgossip.net
>
>
>
>


---------------------------------------------------------------------
To unsubscribe, e-mail: chilli-unsubscribe at coova.org
For additional commands, e-mail: chilli-help at coova.org
Wiki: http://coova.org/wiki/index.php/CoovaChilli
Forum: http://coova.org/phpBB3/viewforum.php?f=4




More information about the Chilli mailing list