[Chilli] [Chillispot] Redirection problem with DD-WRT [SOLVED]

Alexandru Gheorghe alghe.global at gmail.com
Sun Sep 28 14:46:25 UTC 2014 


On 09/27/2014 01:10 PM, Alexandru Gheorghe wrote:
> Hi guys,
> 
>     Please apologize me for having to put into discussions the defuncted
> Chillispot but this is a forced corner case for me.
> 
>     With router TP-Link TL-WR740N (see [1] for hardware details), I've
> installed DD-WRT image for WR740N (v24 PreSP2 Beta Build 21061).
>     Trying to get chillispot to work, so here goes some information my
> setup (please bare with me):
> 
> FreeRADIUS side (on CentOS, firewall disabled allows incoming, SELinux
> not enforcing):
> -----------------------------------------------------------------------
> 1. Type: other
> 2. clients allow 0.0.0.0/0
> 3. secret is configured to be the same with hotspotlogin.cgi (chillispot
> doc/) for test purposes
> 4. local radius test login works fine (both accept & reject)
> 5. remote radius test (from dd-wrt) works fine from bash
> 6. when dd-wrt should redirect the user there's no incoming data on the
> WAN interface of the server (ping however is seen and is working; so
> this rules out connectivity issues)
> 
> 
> DD-WRT most important:
> 
> A summary first: this router is intended to be deployed in production
> behind an ADSL router, so it will serve Hotspot and will use the
> upstream router as a gateway.
> 
> A. Networking side
> ------------------
> i. Config type: Gateway
> 
> ii. WAN is static in Gateway's LAN (router ip: 192.168.1.2/24, gw:
> 192.168.1.254 -> this is the ADSL)
> 
> iii. DHCP disabled
> 
> iv. br0: eth0 ("WAN" - to ADSL router) + eth1 (LAN)
> 
> v. br1: ath0.1 + ath0 (wireless iface; ath0.1 is the hotspot one which
> announces its bssid to the public and is free; ath0 is for management
> purposes, passwd protected)
> 
> vi. firewall is disabled; connectivity is fine (dns as well); all
> interfaces are set bridged (Setup > Networking); brctl is ok (see iv and
> v above)
> 
> vii. tun0 is created by chilli and serves dhcp for its subnet as well
> (192.168.182.0/24); running in debug mode i can see it serves dhcp
> leases so is fine
> 
> viii. the client that gets the lease has chilli (192.168.182.1) as
> gateway, first ip for client is from range: .2-.254/24 (OK) and dns
> works correctly (can resolve google.ro for example); pinging also works
> 
> ix. iptables is reflecting the rules from firewall.openwrt[2]
> (chillispot doc/); once I remove masquerade on postrouting however in
> nat table, connectivity for client is cut; it seems is bypassing chilli
> somehow
> 
> So last: x. redirection issue: the client gets the lease, but when it
> will browse is just completely bypassing chilli altogether. Chilli gives
> the lease, and i can see the traffic (tcpdump) but the browser is not
> redirected to hotspotlogin.cgi (centos tcpdump doesn't prompt anything
> so is like chilli never got the traffic in the first place).
I've fixed this by not having br1 and tun0 overlapping.

tun0 (chilli listen) is now on 192.168.182.0/24

while br1 is on different network: 192.168.183.0/24

what was happening was taht once chilli served the dhcp request for the
client, he would go out via br1 to br0 and internet bypassing chilli
completely.


> How can chilli be bypassed since it is the gateway and should capture
> all traffic from the client? Could it be that once chilli gives the
> lease then traffic bypasses from br1 to br0 without going via tun0?
indeed this happened, it was not going through chilli after the lease
anymore

> 
> Tried in debug mode, nothing of interest just the lease (chilli -d -f -c
> /tmp/chilli/chilli.conf). Could be the forward rules that are not blocking?
> 
> Any suggestions? Much appreciated!
> 
> Thanks a lot,
> Alex
> 
> 
> __REFERENCES:
> 
> [1] specs:
> 
> Platform...........Atheros AR9132 @ 400 MHz
> FCC ID.............TE7WR1043NX
> Wireless NIC...Atheros AR9103 3x3 MIMO
> WLAN..............802.11b/g/n
> LAN.................4/gigabit
> WAN................1/gigabit
> RAM.................32 MB
> Flash...............8 MB
> Serial Port.......1 (internal)
> JTAG...............1 (internal)
> USB.................1 (external)
> Input Voltage...12V 1.5A
> 
> 
> 
> [2] firewall rules:
> #!/bin/sh
> #
> # Firewall script for ChilliSpot on OpenWRT
> #
> # -- changed for a different network topology: enable Wi-Fi --
> 
> WANIF="eth0"
> WLANIF="ath0.1"
> LANIF="br0"
> 
> IPTABLES="/usr/sbin/iptables"
> 
> for T in filter nat mangle ; do
>   $IPTABLES -t $T -F
>   $IPTABLES -t $T -X
> done
> 
> $IPTABLES -P INPUT DROP
> $IPTABLES -P FORWARD ACCEPT
> $IPTABLES -P OUTPUT ACCEPT
> 
> # Just let everything to the router be accepted (behind another router
> already)
> $IPTABLES -A INPUT -j ACCEPT
> 
> #Allow related and established on all interfaces (input)
> #$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> 
> #Allow related and established $WANIF. Reject everything else.
> #$IPTABLES -A INPUT -i $WANIF -j REJECT
> 
> #Allow related and established $WLANIF. Drop everything else.
> #$IPTABLES -A INPUT -i $WLANIF -j DROP
> 
> #Allow 3990 on other interfaces (input).
> #$IPTABLES -A INPUT -p tcp -m tcp --dport 3990 --syn -j ACCEPT
> 
> #Allow everything on loopback interface.
> $IPTABLES -A INPUT -i lo -j ACCEPT
> 
> #Allow everything on $LANIF
> #$IPTABLES -A INPUT -i $LANIF -j ACCEPT
> 
> #Drop everything to and from $WLANIF (forward)
> $IPTABLES -A FORWARD -i $WLANIF -j DROP
> $IPTABLES -A FORWARD -o $WLANIF -j DROP
> 
> #Enable NAT on output device.
> $IPTABLES -t nat -A POSTROUTING -o $WANIF -j MASQUERADE
> 
> 

-- 
; Alexandru Gheorghe
; alghe.global {at} gmail {dot} com
; OpenPGP key ID 0xCAF985D2

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://lists.coova.org/pipermail/chilli/attachments/20140928/5ba146fe/attachment.pgp>

More information about the Chilli mailing list