[Chilli] [Chillispot] Redirection problem with DD-WRT [SOLVED]

Alexandru Gheorghe alghe.global at gmail.com
Sun Sep 28 14:46:25 UTC 2014

On 09/27/2014 01:10 PM, Alexandru Gheorghe wrote:
> Hi guys,
>     Please apologize me for having to put into discussions the defunct
> Chillispot but this is a forced corner case for me.
>     With router TP-Link TL-WR740N (see [1] for hardware details), I've
> installed DD-WRT image for WR740N (v24 PreSP2 Beta Build 21061).
>     Trying to get chillispot to work, so here goes some information my
> setup (please bear with me):
> FreeRADIUS side (on CentOS, firewall disabled allows incoming, SELinux
> not enforcing):
> -----------------------------------------------------------------------
> 1. Type: other
> 2. clients allow
> 3. secret is configured to be the same with hotspotlogin.cgi (chillispot
> doc/) for test purposes
> 4. local radius test login works fine (both accept & reject)
> 5. remote radius test (from dd-wrt) works fine from bash
> 6. when dd-wrt should redirect the user there's no incoming data on the
> WAN interface of the server (ping however is seen and is working; so
> this rules out connectivity issues)
> DD-WRT most important:
> A summary first: this router is intended to be deployed in production
> behind an ADSL router, so it will serve Hotspot and will use the
> upstream router as a gateway.
> A. Networking side
> ------------------
> i. Config type: Gateway
> ii. WAN is static in Gateway's LAN (router ip:, gw:
> -> this is the ADSL)
> iii. DHCP disabled
> iv. br0: eth0 ("WAN" - to ADSL router) + eth1 (LAN)
> v. br1: ath0.1 + ath0 (wireless iface; ath0.1 is the hotspot one which
> announces its bssid to the public and is free; ath0 is for management
> purposes, passwd protected)
> vi. firewall is disabled; connectivity is fine (dns as well); all
> interfaces are set bridged (Setup > Networking); brctl is ok (see iv and
> v above)
> vii. tun0 is created by chilli and serves dhcp for its subnet as well
> (; running in debug mode I can see it serves dhcp
> leases so it is fine
> viii. the client that gets the lease has chilli ( as
> gateway, first ip for client is from range: .2-.254/24 (OK) and dns
> works correctly (can resolve google.ro for example); pinging also works
> ix. iptables is reflecting the rules from firewall.openwrt[2]
> (chillispot doc/); once I remove masquerade on postrouting however in
> nat table, connectivity for client is cut; it seems it is bypassing chilli
> somehow
> So last: x. redirection issue: the client gets the lease, but when it
> will browse it is just completely bypassing chilli altogether. Chilli gives
> the lease, and I can see the traffic (tcpdump) but the browser is not
> redirected to hotspotlogin.cgi (centos tcpdump doesn't prompt anything
> so it is like chilli never got the traffic in the first place).
I've fixed this by not having br1 and tun0 overlapping.

tun0 (chilli listen) is now on

while br1 is on different network:

what was happening was that once chilli served the dhcp request for the
client, he would go out via br1 to br0 and internet bypassing chilli

> How can chilli be bypassed since it is the gateway and should capture
> all traffic from the client? Could it be that once chilli gives the
> lease then traffic bypasses from br1 to br0 without going via tun0?
indeed this happened, it was not going through chilli after the lease

> Tried in debug mode, nothing of interest just the lease (chilli -d -f -c
> /tmp/chilli/chilli.conf). Could be the forward rules that are not blocking?
> Any suggestions? Much appreciated!
> Thanks a lot,
> Alex
> [1] specs:
> Platform...........Atheros AR9132 @ 400 MHz
> FCC ID.............TE7WR1043NX
> Wireless NIC...Atheros AR9103 3x3 MIMO
> WLAN..............802.11b/g/n
> LAN.................4/gigabit
> WAN................1/gigabit
> RAM.................32 MB
> Flash...............8 MB
> Serial Port.......1 (internal)
> JTAG...............1 (internal)
> USB.................1 (external)
> Input Voltage...12V 1.5A
> [2] firewall rules:
> #!/bin/sh
> #
> # Firewall script for ChilliSpot on OpenWRT
> #
> # -- changed for a different network topology: enable Wi-Fi --
> WANIF="eth0"
> WLANIF="ath0.1"
> LANIF="br0"
> IPTABLES="/usr/sbin/iptables"
> for T in filter nat mangle ; do
>   $IPTABLES -t $T -F
>   $IPTABLES -t $T -X
> done
> # Just let everything to the router be accepted (behind another router
> already)
> #Allow related and established on all interfaces (input)
> #Allow related and established $WANIF. Reject everything else.
> #Allow related and established $WLANIF. Drop everything else.
> #Allow 3990 on other interfaces (input).
> #$IPTABLES -A INPUT -p tcp -m tcp --dport 3990 --syn -j ACCEPT
> #Allow everything on loopback interface.
> #Allow everything on $LANIF
> #Drop everything to and from $WLANIF (forward)
> #Enable NAT on output device.

; Alexandru Gheorghe
; alghe.global {at} gmail {dot} com
; OpenPGP key ID 0xCAF985D2
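The root cause above was the chilli tun0 subnet overlapping the br1 bridge subnet, so leased clients reached br0 and the WAN without ever entering chilli. Below is an added check (not part of the thread or of the ChilliSpot/DD-WRT code) that parses `ip -o -4 addr show` output and flags any non-chilli interface whose subnet overlaps tun0; the addresses are constructed placeholders, since the real ones were stripped from the mail.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed `ip -o -4 addr show` output (the real addresses were stripped
# from the mail); br0 = WAN+LAN bridge, br1 = Wi-Fi bridge, tun0 = chilli.
BROKEN_IP_ADDR = """\
4: br0    inet 192.168.1.2/24 brd 192.168.1.255 scope global br0
5: br1    inet 10.1.0.1/24 brd 10.1.0.255 scope global br1
6: tun0    inet 10.1.0.1/24 scope global tun0
"""
FIXED_IP_ADDR = """\
4: br0    inet 192.168.1.2/24 brd 192.168.1.255 scope global br0
5: br1    inet 10.2.0.1/24 brd 10.2.0.255 scope global br1
6: tun0    inet 10.1.0.1/24 scope global tun0
"""


def parse_ip_addr(output: str) -> Dict[str, List[str]]:
    """Map interface name -> list of CIDRs from `ip -o -4 addr show` lines."""
    ifaces: Dict[str, List[str]] = {}
    for line in output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[2] == "inet":
            ifaces.setdefault(fields[1], []).append(fields[3])
    return ifaces


def find_bypass_overlaps(ifaces: Dict[str, List[str]], chilli_if: str = "tun0") -> List[Tuple[str, str, str]]:
    """Return (iface, iface_net, chilli_net) for each non-chilli interface
    whose subnet overlaps a subnet on the chilli interface. A hotspot
    client holding a chilli lease can then reach the bridge directly and
    be forwarded to the WAN without ever entering tun0."""
    chilli_nets = [ipaddress.ip_interface(c).network for c in ifaces.get(chilli_if, [])]
    hits: List[Tuple[str, str, str]] = []
    for name, cidrs in ifaces.items():
        if name == chilli_if:
            continue
        for cidr in cidrs:
            net = ipaddress.ip_interface(cidr).network
            hits += [(name, str(net), str(cn)) for cn in chilli_nets if net.overlaps(cn)]
    return hits


if __name__ == "__main__":
    for label, out in (("broken", BROKEN_IP_ADDR), ("fixed", FIXED_IP_ADDR)):
        hits = find_bypass_overlaps(parse_ip_addr(out))
        print(f"{label}: {'BYPASS RISK' if hits else 'ok'} {hits}")
```

On a live router, feed it `subprocess.run(["ip", "-o", "-4", "addr", "show"], capture_output=True, text=True).stdout` instead of the constructed strings.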
