Accessing AP through eth1

David Bird mem.corruption at gmail.com
Sat Sep 8 15:50:07 UTC 2007


First of all, there are many possible configurations with chilli (plus
iptables, etc) - I can't claim to have tried them all. So, when in doubt,
give it a try! But, to keep things manageable for any kind of support, there
are some "best practices" and such. I consider un-setting the dhcpif IP
address a "best practice". In your configuration, you're essentially
overlaying two networks on your eth1 network -- which is cool, if you know
what you're doing. You need to ensure proper access controls on both
networks - only one of which is utilizing chilli (if done correctly).

The cleanest way for chilli to operate is to completely own the dhcpif, with
no routing (forwarding in iptables) for the traffic on that interface --
instead, only for the traffic to/from the chilli tunnel interface. Yet, when
you assign an IP to dhcpif, you're probably wanting your system to route
traffic directly to that interface. Now you have an overlay network
bypassing chilli.

So, it isn't a matter of chilli getting confused. Rather, it becomes
increasingly possible that traffic is bypassing chilli or even being passed
through chilli _and_ being picked up by the kernel (like in conn_track or
even for routing). How all this interacts with iptables and its various
modules is something to test. Some things to watch out for: DHCP responses
from something other than chilli on your dhcpif; duplicate packets on your
dhcpif or WAN; the ability to by-pass chilli altogether; and, proper NAT and
conn-tracking (for VPNs, etc, if that is of any importance to you) in
iptables.

David

On 9/8/07, SR Infosystèmes <contact at sriviere.info> wrote:
>
> Hi David,
>
> Thanks for your fast answer!
>
> > I think I must come to your island to help you out! :)
>
> You're welcome! Sail, wind-surf, surf, dive, kite-surf, plane, sea,
> horses, bicycle, sun... But I'm at work, even on weekends :)))
>
> Since the guy who had to set up the test platform has given up (too
> difficult, he says, after trying many things around NoCat for weeks), I
> restarted the project from the ground up and, after intensive googling,
> chose CoovaChilli: better design, faster software and a live project. I
> use hotcake to manage accounts; hotcake is a new project, very promising.
>
> More seriously, I'm basically a software and hardware engineer,
> definitely not an experienced network engineer. I am discovering
> netfilter/iptables and so on these days. But I'm stubborn, and I want to
> learn and make things work together, gracefully if possible :)
>
> > Have you tested authenticating multiple users from the same AP?
>
> I start CoovaChilli
>
> I switch on pc1 wifi card
> log says client mac_wifi_card_pc1 assigned 192.168.1.5
>
> I switch on pc2 wifi card
> log says client mac_wifi_car_pc2 assigned 192.168.1.6
>
> I log test01 user on pc1
> log says Successful UAM login from username=test01 IP=192.168.1.5
>
> I log test01 user on pc2
> log says Successful UAM login from username=test02 IP=192.168.1.6
>
> I know my APs' MAC addresses and my PCs' MAC addresses: there is no ambiguity.
>
> > I typically don't assign my dhcpif an IP address, but others do. You
> > indeed just need to be a lot more careful with your iptables rules.
>
> > For instance, if someone made their default gateway that of your
> > eth1 instead of the chilli tunnel, are they bypassing authentication?
>
> Must I give eth1 a real IP OUTSIDE my Chilli network class (192.168.1.x),
> choosing 192.168.3.x for example, and assign the APs' IPs in the same
> 192.168.3 class?
>
> eth0 : 192.168.0.0/24, ip 192.168.0.251 via /etc/network/interfaces
>
> tun0 : 192.168.1.0/24, ip 192.168.1.1 via chilli.conf
>
> eth1 : 192.168.2.0/24, ip 192.168.2.251 via /etc/network/interfaces
>
> If I set up AP1 like this:
>
> ip : 192.168.2.241
> gateway : 192.168.2.251
>
> May I hope to avoid interference between Chilli and AP maintenance via
> SSH by doing it like this?
>
> > You need to be careful what traffic gets picked up and handled by the
> > kernel and what gets switched through chilli...
>
> Despite the iptables rules to prevent bypassing authentication, why is
> CoovaChilli confused when I give a real IP to eth1?
>
> Because I mixed tun0 and eth1 in the same network class (192.168.1.0/24)?
>
> If I understood the Chilli design well:
>
> 1) Chilli listens for DHCP requests. At this stage, Chilli doesn't mind
> the network class or IP of eth1; it just listens on eth1 for DHCP requests.
>
> 2) When it receives a DHCP request, it assigns an IP address (inside the
> network class set in chilli.conf) through its internal DHCP and
> makes a tunnel between the client and Chilli.
>
> Thanks again for your help.
>
> Sorry to disturb you with newbie questions.
>
> Stephane Riviere
>
> --
> THE SOLUTION to your IT problems
>
> SR Infosystèmes
> 15, rue du Temple
> 17310 St Pierre d'Oléron
> Ile d'Oléron - France
>
> Mobile:   06 89 29 88 44
> Landline: 09 54 10 55 60 (local call)
> Fax:      05 46 36 30 59
> Website:  www.sriviere.info
> Email:    contact at sriviere.info
> Skype:    stephane.riviere
>
> X509 certificate: available on the website
>