[Chilli] kmod-coova

David Bird david at coova.com
Wed Apr 7 08:14:26 UTC 2010


Yes, there would be an issue. Chilli does a little "trick" with it's
additional NAT'ing for unauthenticated traffic. The "dhcplisten" and
"uamlisten" IP addresses are made to be separate networks. The
dhcplisten IP is the actual IP of the dhcpif and clients get addresses
in that same network. Before authentication, all their traffic (via
FORWARD) is dropped, but chilli is listening and sending the packets
(NAT'ed one-to-one to the uamlisten network, i.e. 10.1.0.10 <->
11.1.0.10) and packets are forwarded that way (this is necessary such
that chilli can get the return packets via tun0/11.1.0.10). You would
have the issue (without using MASQUERADING) that clients would have a
different IP on the WAN side before and after authentication. 

On Wed, 2010-04-07 at 10:40 +0300, Oguzhan Kayhan wrote:
> It might create a great improvement in performance for sure,
> But what about the users that doesnt us NAT in their network.
> For ex, with me, i got no NAT  all my users gets real ip.
> So does it work with me too?
> 
> On Wednesday 07 April 2010 08:10:50 am David Bird wrote:
> > Hi,
> > 
> > Been working on a concept for a kernel module for CoovaChilli. With the
> > subversion code, configure with "--with-nfcoova" to have the module
> > built. With the support built in, and the xt_coova module loaded, the
> > idea is that authenticated traffic goes straight through the kernel and
> > unauthorized traffic still goes through chilli user-space - enforcing
> > captive portal and doing the walled garden, etc. xt_coova (which borrows
> > from the 'recent' module) does a simple allow/drop decision based on
> > authentication status. Some specific configurations are needed for this
> > to work.
> > 
> > The iptables rules might look like this:
> > 
> > iptables -I FORWARD -o eth0 --src 10.0.0.0/8 \
> >   -m coova --name chilli -j ACCEPT
> > iptables -I FORWARD -i eth0 --dst 10.0.0.0/8 \
> >   -m coova --name chilli --dest -j ACCEPT
> > 
> > iptables -I FORWARD --src 11.0.0.0/8 -j ACCEPT
> > iptables -I FORWARD --dst 11.0.0.0/8 -j ACCEPT
> > 
> > (where the assumption is that the default FORWARD rule is to DENY). The
> > idea is that traffic to/from eth0 (WAN) from source 10.0.0.0/8 (the
> > chilli DHCP IP space) is either allowed or dropped by the xt_coova
> > module based on authentication status. The 11.0.0.0/8 network, in this
> > example, is the network chilli has configured for it's uamlisten.
> > 
> > I should mention that when using the kernel module, I have it setup such
> > that the dhcpif (eth1) is actually configured with IP address 10.1.0.1
> > and the same IP is configured in chilli as the 'dhcplisten' (note that
> > typically chilli doesn't want the dhcpif interface configured with an
> > IP). Chilli is then also configured with 'uamlisten' of 11.0.0.1 and
> > this is the IP address that gets assigned to tun0 (so note that
> > dhcplisten and uamlisten are different!). The high level concept is that
> > subscribers get a 10.1.0.0/24 IP address which is routed (when
> > authenticated) through the kernel. Chilli still monitors all traffic on
> > the dhcpif and when users are not authorized yet (i.e. their 10.1.0.0/24
> > address is not being forwarded), then chilli does the routing (after
> > doing a NAT translation from 10.1.0.0/24 to 11.1.0.0/24).
> > 
> > Thus, chilli basically is only routing unauthorized traffic while
> > authorized traffic goes straight through the kernel. With some testing
> > on open-mesh routers, we have seen this can drastically increase
> > throughput for authenticated users.
> > 
> > With the iptables rules above, here is an example chilli.conf that I
> > have been using:
> > 
> > cat<<EOF>/tmp/chilli.conf
> > net 10.1.0.0/16
> > dynip 10.1.0.0/24
> > statip 10.1.1.0/24
> > 
> > uamlisten 11.1.0.1
> > dhcplisten 10.1.0.1
> > dhcpstart 10
> > uamaliasname chilli
> > ipup=
> > ipdown=
> > 
> > radiusserver1 localhost
> > radiussecret testing123
> > dhcpif eth0
> > dns1 192.168.1.1
> > uamdomain coova.org
> > uamserver http://portal/hotspot
> > uamsecret uamsecret
> > cmdsock /var/run/chilli.sock
> > kname chilli
> > EOF
> > 
> > Give it a try if interested in testing!
> > 
> > David
> > 
> > 
> > _______________________________________________
> > Chilli mailing list
> > Chilli at coova.org
> > http://lists.coova.org/cgi-bin/mailman/listinfo/chilli
> > 
> _______________________________________________
> Chilli mailing list
> Chilli at coova.org
> http://lists.coova.org/cgi-bin/mailman/listinfo/chilli




More information about the Chilli mailing list