VPN Traffic issues
wlanmac
wlan at mac.com
Wed Mar 4 06:33:29 UTC 2009
Is eth1 your WAN interface or the chilli DHCP interface? Looks like your
chilli DHCP ... not sure why you need an IP on that interface for "pass
through traffic" ...
I noticed that you don't have an MTU clamp iptables rule, which might
help (see the up.sh in svn).
So, you are saying the current setup allows VPNs to work, but you can't
web surf when not using the VPN (or when using the VPN)?
You might want to do a wireshark dump (or tcpdump) of the subscriber's
traffic. Or, run chilli in debug mode to help see what it is doing. The
first question is: can the subscriber surf the walled garden or does
*nothing* work?
David
On Wed, 2009-03-04 at 17:15 +1100, Daniel Garcia wrote:
> Hi David/Delevopers,
>
>
>
> I am having a headache with Coova and I was wondering if someone could
> help me out, Ive been working on Coova for a few weeks now and time is
> running out for me and so I hope you can help me.
>
>
>
> I was tasked with getting multiple VPN traffic to work with Coova so
> people from the hotspot network for our wireless users. We have a
> linux box that acts as a gateway for wireless traffic.
>
>
>
> Following the instructions on the web and coova I have done the
> following...
>
>
>
> Edit /usr/local/etc/chilli/Up.sh
>
>
>
> #!/bin/sh
>
> # Coova Chilli - David Bird <david at coova.com>
>
> # Licensed under the GPL, see http://coova.org/
>
> # up.sh /dev/tun0 192.168.0.10 255.255.255.0
>
>
>
> . /usr/local/etc/chilli/functions
>
>
>
> [ -e "/usr/local/var/run/chilli.iptables" ] &&
> sh /usr/local/var/run/chilli.iptables 2>/dev/null
>
> rm -f /usr/local/var/run/chilli.iptables 2>/dev/null
>
>
>
> IF=$(basename $DEV)
>
>
>
> ipt() {
>
> opt=$1; shift
>
> echo "iptables -D $*" >> /usr/local/var/run/chilli.iptables
>
> iptables $opt $*
>
> }
>
>
>
> ipt_in() {
>
> ipt -A INPUT -i $IF $*
>
> }
>
>
>
> [ -n "$DHCPIF" ] && {
>
>
>
> [ -n "$UAMPORT" -a "$UAMPORT" != "0" ] && \
>
> ipt_in -p tcp -m tcp --dport $UAMPORT --dst $ADDR -j ACCEPT
>
>
>
> [ -n "$UAMUIPORT" -a "$UAMUIPORT" != "0" ] && \
>
> ipt_in -p tcp -m tcp --dport $UAMUIPORT --dst $ADDR -j ACCEPT
>
>
>
> [ -n "HS_TCP_PORTS" ] && {
>
> for port in $HS_TCP_PORTS; do
>
> ipt_in -p tcp -m tcp --dport $port --dst $ADDR -j ACCEPT
>
> done
>
> }
>
>
>
> ipt_in -p udp -d 255.255.255.255 --destination-port 67:68 -j
> ACCEPT
>
> ipt_in -p udp --dst $ADDR --dport 53 -j ACCEPT
>
>
>
> ipt -A INPUT -i $IF --dst $ADDR -j DROP
>
> ipt -A INPUT -i $IF -j DROP
>
>
>
> ipt -I FORWARD -j DROP -i $DHCPIF
>
> ipt -I FORWARD -j DROP -o $DHCPIF
>
> ipt -t raw -I PREROUTING -j NOTRACK -i $DHCPIF #Beg. of appended
> lines
>
> ipt -t raw -I OUTPUT -j NOTRACK -o $DHCPIF
>
> ipt -I FORWARD -j ACCEPT -i tun0 -p gre
>
> ipt -I FORWARD -j ACCEPT -i tun0 -p tcp --dport 1723
>
>
>
> ipt -I PREROUTING -t raw -j NOTRACK -i $DHCPIF
>
> ipt -I OUTPUT -t raw -j NOTRACK -o $DHCPIF #End of appended lines
>
>
>
> ipt -I POSTROUTING -t nat -o eth0 -j MASQUERADE
>
> ipt -I PREROUTING -t nat -i $IF -p tcp --dport 25 -j DNAT
> --to-destination $HS_SMTP
>
>
>
> [ "$HS_LAN_ACCESS" != "on" -a "$HS_LAN_ACCESS" != "allow" ] && \
>
> ipt -I FORWARD -i $IF -o \! $HS_WANIF -j DROP
>
>
>
> [ "$HS_LOCAL_DNS" = "on" ] && {
>
> ipt -I PREROUTING -t nat -i $IF -p udp --dport 53 -j DNAT
> --to-destination $HS_DNS1
>
> ipt -I PREROUTING -t nat -i $IF -p tcp --dport 53 -j DNAT
> --to-destination $HS_DNS1
>
> }
>
> }
>
>
>
> # site specific stuff optional
>
> [ -e /usr/local/etc/chilli/ipup.sh ]
> && . /usr/local/etc/chilli/ipup.sh
>
>
>
> As you can see the blue is the added code I copied from the forums. I
> also did the following for the install of the appropriate modules...
>
>
>
> Modprobe ip_conntrack_pptp
>
> Modprobe ip_nat_pptp
>
> Modprobe nf_nat_proto_gre
>
> Modprobe nf_conntrack_proto_gre
>
>
>
> Now, I also amended the following
>
>
>
> # vi /usr/local/etc/init.d/chilli
>
>
>
> Under the case$1 in
>
> Start) – section (this starts the chilli
> software and calls many procedures
>
>
>
> Changed the following code:
>
>
>
> Ifconfig $HS_LANIF 0.0.0.0
>
>
>
> To: ifconfig $HS_LANIF 10.200.100.129/24
>
>
>
> As I want an IP on the eth1 interface for traffic passthrough.
>
>
>
> My problem is two-fold, 1. Multiple VPN connections work great and I
> can access the resources on the other network, but i can NOT browse
> the internet. DNS is working because I can see a web search doing a
> name-to-ip address translation, so HTTP or nat’ing is getting screwed
> up somewhere.
>
>
>
> Also, we want to have snmp and ftp services working and go through the
> eth1 interface (which is why I have placed an IP address on eth1; for
> routing purposes), but if I remove the DROP chains:
>
>
>
> ipt -I FORWARD -j DROP -i $DHCPIF
>
> ipt -I FORWARD -j DROP -o $DHCPIF
>
>
>
> Then VPN stops working, I cant even get one connection going. Ive
> spent weeks on these two issues to no avail.
>
>
> Thank you.
>
>
>
>
>
>
>
>
>
> Daniel Garcia
>
> IT Assistant Manager
>
> Core Infrastructure & Systems Development
>
> Global Gossip Group
>
> [a] 14 Wentworth Avenue, Sydney, NSW 2010
>
> [t] +612 9263 0458
>
> [f] +612 9263 0404
>
> [m] 0400 604 897
>
> [e] dgarcia at globalgossip.net
>
>
>
>
More information about the Chilli
mailing list