VPN Traffic issues
Jimmy Brake
jimmy at dwalliance.com
Wed Mar 4 10:01:43 UTC 2009
Everything he said, plus check the network settings of a few client
computers -- just make sure they have the proper gateway, subnet mask, etc.
wlanmac wrote:
> Is eth1 your WAN interface or the chilli DHCP interface? Looks like your
> chilli DHCP ... not sure why you need an IP on that interface for "pass
> through traffic" ...
>
> I noticed that you don't have an MTU clamp iptables rule, which might
> help (see the up.sh in svn).
>
> So, you are saying the current setup allows VPNs to work, but you can't
> web surf when not using the VPN (or when using the VPN)?
>
> You might want to do a wireshark dump (or tcpdump) of the subscriber's
> traffic. Or, run chilli in debug mode to help see what it is doing. The
> first question is: can the subscriber surf the walled garden or does
> *nothing* work?
>
> David
>
>
> On Wed, 2009-03-04 at 17:15 +1100, Daniel Garcia wrote:
>
>> Hi David/Developers,
>>
>> I am having a headache with Coova and I was wondering if someone could
>> help me out. I've been working on Coova for a few weeks now and time is
>> running out for me, so I hope you can help me.
>>
>> I was tasked with getting multiple VPN traffic to work with Coova so
>> people from the hotspot network for our wireless users. We have a
>> Linux box that acts as a gateway for wireless traffic.
>>
>> Following the instructions on the web and Coova I have done the
>> following...
>>
>> Edit /usr/local/etc/chilli/up.sh
>>
>> #!/bin/sh
>> # Coova Chilli - David Bird <david at coova.com>
>> # Licensed under the GPL, see http://coova.org/
>> # up.sh /dev/tun0 192.168.0.10 255.255.255.0
>>
>> . /usr/local/etc/chilli/functions
>>
>> # undo the rules recorded by the previous run, then start a fresh record
>> [ -e "/usr/local/var/run/chilli.iptables" ] &&
>> sh /usr/local/var/run/chilli.iptables 2>/dev/null
>> rm -f /usr/local/var/run/chilli.iptables 2>/dev/null
>>
>> IF=$(basename $DEV)
>>
>> # ipt <-A|-I> <rule...>: apply the rule and log the matching -D for cleanup
>> ipt() {
>> opt=$1; shift
>> echo "iptables -D $*" >> /usr/local/var/run/chilli.iptables
>> iptables $opt $*
>> }
>>
>> ipt_in() {
>> ipt -A INPUT -i $IF $*
>> }
>>
>> [ -n "$DHCPIF" ] && {
>>
>> [ -n "$UAMPORT" -a "$UAMPORT" != "0" ] && \
>> ipt_in -p tcp -m tcp --dport $UAMPORT --dst $ADDR -j ACCEPT
>>
>> [ -n "$UAMUIPORT" -a "$UAMUIPORT" != "0" ] && \
>> ipt_in -p tcp -m tcp --dport $UAMUIPORT --dst $ADDR -j ACCEPT
>>
>> [ -n "$HS_TCP_PORTS" ] && {
>> for port in $HS_TCP_PORTS; do
>> ipt_in -p tcp -m tcp --dport $port --dst $ADDR -j ACCEPT
>> done
>> }
>>
>> ipt_in -p udp -d 255.255.255.255 --destination-port 67:68 -j ACCEPT
>> ipt_in -p udp --dst $ADDR --dport 53 -j ACCEPT
>>
>> ipt -A INPUT -i $IF --dst $ADDR -j DROP
>> ipt -A INPUT -i $IF -j DROP
>>
>> ipt -I FORWARD -j DROP -i $DHCPIF
>> ipt -I FORWARD -j DROP -o $DHCPIF
>>
>> # Beg. of appended lines (the chain/table options are ordered as
>> # "-I CHAIN -t raw" so the "-D" line ipt() records stays valid)
>> ipt -I PREROUTING -t raw -j NOTRACK -i $DHCPIF
>> ipt -I OUTPUT -t raw -j NOTRACK -o $DHCPIF
>> ipt -I FORWARD -j ACCEPT -i tun0 -p gre
>> ipt -I FORWARD -j ACCEPT -i tun0 -p tcp --dport 1723
>>
>> # the same two NOTRACK rules are inserted a second time here
>> ipt -I PREROUTING -t raw -j NOTRACK -i $DHCPIF
>> ipt -I OUTPUT -t raw -j NOTRACK -o $DHCPIF
>> # End of appended lines
>>
>> ipt -I POSTROUTING -t nat -o eth0 -j MASQUERADE
>> ipt -I PREROUTING -t nat -i $IF -p tcp --dport 25 -j DNAT --to-destination $HS_SMTP
>>
>> [ "$HS_LAN_ACCESS" != "on" -a "$HS_LAN_ACCESS" != "allow" ] && \
>> ipt -I FORWARD -i $IF -o \! $HS_WANIF -j DROP
>>
>> [ "$HS_LOCAL_DNS" = "on" ] && {
>> ipt -I PREROUTING -t nat -i $IF -p udp --dport 53 -j DNAT --to-destination $HS_DNS1
>> ipt -I PREROUTING -t nat -i $IF -p tcp --dport 53 -j DNAT --to-destination $HS_DNS1
>> }
>>
>> }
>>
>> # site specific stuff optional
>> [ -e /usr/local/etc/chilli/ipup.sh ] && . /usr/local/etc/chilli/ipup.sh
>>
>> As you can see, the blue is the added code I copied from the forums. I
>> also did the following for the install of the appropriate modules...
>>
>> modprobe ip_conntrack_pptp
>> modprobe ip_nat_pptp
>> modprobe nf_nat_proto_gre
>> modprobe nf_conntrack_proto_gre
>>
>> Now, I also amended the following:
>>
>> # vi /usr/local/etc/init.d/chilli
>>
>> Under the "case $1 in" / "start)" section (this starts the chilli
>> software and calls many procedures), I changed the following code:
>>
>> ifconfig $HS_LANIF 0.0.0.0
>>
>> to: ifconfig $HS_LANIF 10.200.100.129/24
>>
>> as I want an IP on the eth1 interface for traffic passthrough.
>>
>> My problem is two-fold. 1. Multiple VPN connections work great and I
>> can access the resources on the other network, but I can NOT browse
>> the internet. DNS is working because I can see a web search doing a
>> name-to-IP address translation, so HTTP or NAT'ing is getting screwed
>> up somewhere.
>>
>> 2. Also, we want to have SNMP and FTP services working and going through
>> the eth1 interface (which is why I have placed an IP address on eth1, for
>> routing purposes), but if I remove the DROP chains:
>>
>> ipt -I FORWARD -j DROP -i $DHCPIF
>> ipt -I FORWARD -j DROP -o $DHCPIF
>>
>> then VPN stops working; I can't even get one connection going. I've
>> spent weeks on these two issues to no avail.
>>
>> Thank you.
>>
>> Daniel Garcia
>> IT Assistant Manager
>> Core Infrastructure & Systems Development
>> Global Gossip Group
>> [a] 14 Wentworth Avenue, Sydney, NSW 2010
>> [t] +612 9263 0458
>> [f] +612 9263 0404
>> [m] 0400 604 897
>> [e] dgarcia at globalgossip.net
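Added example, not written by any of the posters and not CoovaChilli code: a small POSIX sh walker over an `iptables -S FORWARD` listing that applies the first-match evaluation iptables uses, so the net effect of the stacked `-I` inserts in the up.sh above can be checked offline, together with a check for the TCPMSS clamp rule David refers to. The sample chain is constructed and assumes DHCPIF=eth1, HS_WANIF=eth0 and tun0 as chilli's tun device.

```shell
#!/bin/sh
# Added example, not code from the thread or from CoovaChilli. Constructed
# FORWARD chain as `iptables -S FORWARD` lists it after the up.sh above ran:
# every rule went in with -I, so the last one inserted is listed first.
# Assumes DHCPIF=eth1, HS_WANIF=eth0 and tun0 as chilli's tun device.
SAMPLE_RULES='-A FORWARD -i tun0 ! -o eth0 -j DROP
-A FORWARD -i tun0 -p tcp --dport 1723 -j ACCEPT
-A FORWARD -i tun0 -p gre -j ACCEPT
-A FORWARD -o eth1 -j DROP
-A FORWARD -i eth1 -j DROP'

# verdict RULES IN OUT PROTO DPORT: prints the target of the first rule whose
# -i / -o (incl. "! -o") / -p / --dport all match, or POLICY if none does,
# which is how iptables walks a chain (first match wins).
verdict() {
  pin=$2; pout=$3; pproto=$4; pdport=$5
  printf '%s\n' "$1" | {
    while read -r line; do
      set -- $line
      rin=''; rout=''; rneg=''; rproto=''; rdport=''; target=''; neg=''
      while [ $# -gt 0 ]; do
        case $1 in
          '!') neg=1 ;;
          -i) rin=$2; shift ;;
          -o) rout=$2; rneg=$neg; neg=''; shift ;;
          -p) rproto=$2; shift ;;
          --dport) rdport=$2; shift ;;
          -j) target=$2; shift ;;
        esac
        shift
      done
      ok=1
      [ -n "$rin" ] && [ "$rin" != "$pin" ] && ok=0
      [ -n "$rout" ] && [ -z "$rneg" ] && [ "$rout" != "$pout" ] && ok=0
      [ -n "$rout" ] && [ -n "$rneg" ] && [ "$rout" = "$pout" ] && ok=0
      [ -n "$rproto" ] && [ "$rproto" != "$pproto" ] && ok=0
      [ -n "$rdport" ] && [ "$rdport" != "$pdport" ] && ok=0
      [ "$ok" = 1 ] && { echo "$target"; exit 0; }
    done
    echo POLICY   # nothing matched: the chain's default policy decides
  }
}

# has_mss_clamp RULES: succeeds only if the TCPMSS clamp David mentions is
# present; PPTP lowers the path MTU, and without the clamp large HTTP replies
# can stall while small DNS answers still get through (the symptom reported).
has_mss_clamp() {
  printf '%s\n' "$1" | grep -q -- '-j TCPMSS --clamp-mss-to-pmtu'
}
has_mss_clamp "$SAMPLE_RULES" || echo "FORWARD chain has no MSS clamp rule"
```

Running `verdict "$SAMPLE_RULES" tun0 eth0 tcp 80` prints POLICY, which shows the FORWARD chain is not what stops subscribers' web traffic, while hotspot-side traffic entering on eth1 is dropped as intended.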