Accessing AP through eth1

SR Infosystèmes contact at sriviere.info
Sat Sep 8 17:04:57 UTC 2007


Hi David,

> First of all, there are many possible configurations with chilli (plus 
> iptables, etc) - I can't claim to have tried them all. So, when in 
> doubt, give it a try! 

Yes, this scheme works: no strange logs from Chilli and SSH access OK.

As a guideline for other readers (chilli net=192.168.1.0/24) :

Network interfaces settings
-------------------------------
eth0 : 192.168.0.0/24, ip 192.168.0.251 via /etc/network/interfaces
tun0 : 192.168.1.0/24, ip 192.168.1.1 via chilli.conf
eth1 : 192.168.2.0/24, ip 192.168.2.251 via /etc/network/interfaces
-------------------------------

generic ap1/ap2/apx config
-------------------------------
ip : 192.168.2.241/242/24x
mask : 255.255.255.0
gateway : 192.168.1.1
-------------------------------

> essentially overlaying two networks on your eth1 network -- which is 
> cool, if you know what you're doing. 

Good understatement :) I don't know what I'm doing. But I know I don't 
know, so I'll learn :) And -FIRST OF ALL- follow your advice.

> The cleanest way for chilli to operate is to completely own the dhcpif, 
> with no routing (forwarding in iptables) for the traffic on that 
> interface 

OK

> Some things to watch out
> for: DHCP responses from something other than chilli on your dhcpif; 
> duplicate packets on your dhcpif or WAN; the ability to by-pass chilli 
> altogether; and, proper NAT and conn-tracking (for VPNs, etc, if that is 
> of any importance to you) in iptables.

OK

Maybe the wise way, at my skill level, is to avoid AP maintenance at 
the same time Chilli is running. This can be achieved inside the 
/etc/init.d/chilli script:

When starting Chilli :
- rewrite /etc/network/interfaces with proper settings for Chilli
- /etc/init.d/networking restart
- run Chilli

When stopping Chilli :
- stop Chilli
- rewrite /etc/network/interfaces with proper settings for AP access
- /etc/init.d/networking restart

This is stupid, but secure, and gives me time to learn how to write a safe 
iptables rules script :)

Thanks for your valuable help !

All the best from Oleron island,

Stephane Riviere

-- 
THE SOLUTION to your COMPUTER problems

SR Infosystèmes
15, rue du Temple
17310 St Pierre d'Oléron
Ile d'Oléron - France

Mobile :   06 89 29 88 44
Landline : 09 54 10 55 60 (local call)
Fax :      05 46 36 30 59
Website :  www.sriviere.info
Email :    contact at sriviere.info
Skype :    stephane.riviere

X509 certificate : available on the website
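
The start/stop ordering described in the message above, sketched as a shell wrapper. This is an added example, not code from the original post or from the Chilli project; the profile directory, the interfaces.chilli / interfaces.ap file names and the chilli.real init script are hypothetical names to adapt.

```shell
#!/bin/sh
# Added example (not from the original post). Every path and command below
# is an assumption to adapt; nothing here is shipped with Chilli.
IFACES="${IFACES:-/etc/network/interfaces}"
PROFILE_DIR="${PROFILE_DIR:-/etc/network/profiles}"            # hypothetical
NET_RESTART="${NET_RESTART:-/etc/init.d/networking restart}"
CHILLI_START="${CHILLI_START:-/etc/init.d/chilli.real start}"  # hypothetical
CHILLI_STOP="${CHILLI_STOP:-/etc/init.d/chilli.real stop}"     # hypothetical

# Install interfaces.<name> as the live file, then restart networking.
apply_profile() {
    src="$PROFILE_DIR/interfaces.$1"
    [ -r "$src" ] || { echo "missing profile: $src" >&2; return 1; }
    tmp="$IFACES.new.$$"
    # Copy beside the target and rename, so a failed copy never leaves a
    # half-written interfaces file behind.
    if cp "$src" "$tmp" && mv "$tmp" "$IFACES"; then
        $NET_RESTART
    else
        rm -f "$tmp"; return 1
    fi
}

start_chilli() {
    # Chilli only starts once the Chilli profile is live.
    apply_profile chilli || return 1
    $CHILLI_START
}

stop_chilli() {
    # Keep the AP-access profile off eth1 until Chilli has really stopped.
    $CHILLI_STOP || return 1
    apply_profile ap
}

case "${1:-}" in
    start) start_chilli ;;
    stop)  stop_chilli ;;
esac
```

If the networking restart fails, Chilli is not started, and if Chilli fails to stop, the AP-access addressing is not applied, so the two modes never overlap on eth1.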


