Topic: Chillispot Firewall - Open question to ajauberg

Hi,

I have chillispot 1.0 working with freeradius 1.17 and mysql 5.0. I only use the following attributes:
User-Password
Simultaneous-Use
Max-All-Session
Expiration
I now want to implement some WISPr and/or Chillispot. I understand from previous posts on other forums that all wifi traffic must be pushed through the tunnel (tun0) that Chillispot uses, so the parameters can be enforced.

Can I ask regarding the great Howto you posted with the S35firewall script - will this script indeed force the traffic through the tunnel opened by chillispot? Even if it is not tun0 but, say, tun1?

What needs to be changed in the script (if anything), to allow traffic through a second tunnel, for openvpn for example? Or will S35firewall still work and just some entry in firewall.user is sufficient? I have currently added the line
iptables -A forwarding_rule -i tun0 -j ACCEPT
to allow chillispot to go through and
iptables -A forwarding_rule -i tun1 -j ACCEPT
to firewall.user, which enables openvpn to go through in combination with the stock standard WRT54GL firewall script in /etc/init.d
Do I still have to make these entries? Will the entry for tun1 break the forcing of all ethernet traffic through tun0?

I (and some more people, I am sure) would really value your clarification.

Thanks

*************
Auckland, New Zealand

Re: Chillispot Firewall - Open question to ajauberg

Hi,

I am not sure if I understand your question, so I will try to explain the options you have:

If you wish unauthenticated machines to go through the firewall you can do that based on MAC address and/or IP address.


1)

IP address matching can be done by adding the following lines to the firewall script:


#Allow satellite WDSs, related and established $WLANIF. Drop everything else.
$IPTABLES -A INPUT -i $WLANIF -s x.x.x.x  -j ACCEPT
...
#Drop everything to and from $WLANIF (forward)
$IPTABLES -A FORWARD -i $WLANIF -s x.x.x.x  -j ACCEPT
$IPTABLES -A FORWARD -i $WLANIF -j DROP
$IPTABLES -A FORWARD -o $WLANIF -d x.x.x.x -j ACCEPT
$IPTABLES -A FORWARD -o $WLANIF -j DROP

I have been using this for my WDS satellites to be able to add packages and manage the units.


2)

For MAC address matching you need at least the following:

#Allow satellite WDSs, related and established $WLANIF. Drop everything else.
#$IPTABLES -A INPUT -i $WLANIF -m mac --mac-source yy:yy:yy:yy:yy:yy -j ACCEPT

You may also need something for the FORWARD chain, I have not tested it fully. You also need to install the kmod-ipopt package for MAC filtering.


3)

For authenticated clients everything should work out of the box, I have been running PPTP without problems myself.


4)

You can also make Chillispot authenticate on MAC address for selected machines added to the /etc/chilli.conf file. I have not tested this either, but it should work.


5)

A second tun device would probably mean running a second chilli process reading another configuration file. I have not read about any such configurations.


I do not know if that helped, or if I have understood you correctly?  ;>



R

ajauberg

Re: Chillispot Firewall - Open question to ajauberg

Hi ajauberg,

Thanks for the fast response.

My question was obviously a bit cryptic. I am not interested in IP or MAC based routing or authorisation, as I run a hotspot and I need to authenticate any IP or MAC address that comes in. The purpose of ensuring all wireless traffic (eth1) goes through the ************* tunnel (tun0) is to be able to enforce further attributes like WISPr. Have a look at http://www.chillispot.info/chilliforum/ … php?id=107 to see what I am getting at.

The second tunnel is not for a second ************* process but for openvpn, which will open a second tunnel (in my configuration tun1). To allow traffic of openvpn to go through the router, I had to open tun1 in the firewall.user file (see the quoted entries). My question to you was, how do these entries have to be changed (or maybe they are not required at all?) given your new /etc/init.d/S35firewall script, which seems to replace the standard OpenWRT firewall script.

Thanks

*************

PS: Do you have some views/input on http://www.chillispot.info/chilliforum/ … php?id=107?

4 (edited by ajauberg 2008-01-13 19:05:13)

Re: Chillispot Firewall - Open question to ajauberg

The WISPr attributes are described well in this document:

http://www.ebusinessforum.gr/engine/index.php?op=modload&modname=Downloads&action=downloadsviewfile&ctn=500&language=el

or you may search for a PDF-file named WISPr-V1.0.pdf:

http://www.google.com/search?hl=en&q=WISPr+1.0

For the rest of the attributes, search for the RFCs

Re: Chillispot Firewall - Open question to ajauberg

Thanks again for the response.
The WISPr document you refer to is indeed interesting, but does not address my question:
How do you install or enable WISPr attributes on Freeradius. I cannot get freeradius to include WISPr attributes in its authentication response as much as I try.

Back to the original question. Did my clarification help?
So, is all wifi traffic forced through tun0 with the help of that firewall script?
And what has to be done to open a tun1 on the firewall for openvpn?

Thanks

*************

6 (edited by ajauberg 2008-01-13 19:03:41)

Re: Chillispot Firewall - Open question to ajauberg

Yes, the firewall script does only let tun0 and Chillispot authentication pass through the WiFi interface. I still do not understand what you mean by tun1. To open the firewall for OpenVPN you need to identify the TCP/UDP ports that it uses (default is 1194 according to the FAQ), and add them to the INPUT and FORWARD sections as indicated in the previous post, matching ports instead of IP addresses. This will allow unauthenticated users access using OpenVPN. Authenticated users should work without modifications.


I use the following RADIUS attributes to allow users to log in until a specific time, placed in the indicated Freeradius tables:

radcheck:
----------
User-Password := 'password'

radgroupcheck:
-----------------
Simultaneous-Use := 1
Auth-Type := PAP

radgroupreply:
-----------------
Idle-Timeout := 1800
WISPr-Bandwidth-Max-Down := 128000
WISPr-Bandwidth-Max-Up := 256000

radreply:
-----------
WISPr-Session-Terminate-Time := 2007-06-05T16:47:46


This has worked perfectly for me, but I had some problems before I added 'Auth-Type'. Maybe that is your problem too?

Re: Chillispot Firewall - Open question to ajauberg

Thanks for the reply,
yes this must have been it. Now the freeradius sends the correct group responses. Hurray!

Now, what I meant with tun1 was this. You will see the interfaces instantiated on the router with the command 'ifconfig'. If you have chillispot running on openwrt one of these interfaces will be 'tun0' - a tunnel opened by chillispot so it can exert control over the traffic going through the router (i.e. enforce session-timeout, bandwidth restrictions etc.). If you also have openvpn running at the same time you will notice a second interface, named 'tun1', which openvpn uses to do its own thing. Indeed the numbering depends entirely on the order in which you start up chillispot and openvpn. If the order in /etc/init.d starts openvpn first, openvpn will have the tun0 interface and chillispot will have tun1.

Both of these tunnels have to be explicitly 'allowed' and declared to the firewall - otherwise the traffic won't go through. My question to you was regarding the behaviour of the S35firewall script, as it is a deviation to the OpenWRT standard.

My question was what configuration had to be put in to enable openvpn. With the standard OpenWRT firewall script and firewall.user configuration script all that needed to be done was add the two lines:
iptables -A forwarding_rule -i tun0 -j ACCEPT
iptables -A forwarding_rule -i tun1 -j ACCEPT
No fussing with ports - all was working fine. Your script works differently by the looks of it, so my question is, what entry needs to be added to allow openvpn, as "iptables -A forwarding_rule -i tun1 -j ACCEPT" is probably not going to work anymore.

You kind of answered the question though in your last post. So are you saying that adding something like:
#Allow openvpn on other interfaces (input).
$IPTABLES -A INPUT -p tcp -m tcp --dport 1194 --syn -j ACCEPT
$IPTABLES -A INPUT -p udp -m udp --dport 1194 -j ACCEPT
should lead to success?

Thanks for your patience :-)

*************

Re: Chillispot Firewall - Open question to ajauberg

The firewall script I use is just the one that came with Chillispot, slightly modified. I know it deviates from the OpenWrt standard, but I find it safer to use it as it will not allow any connections to the Wifi interface except for tun0 and authentication.

I think you have the correct firewall syntax, but I think you only need either TCP or UDP depending on the config, not both.
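As an added example (this is not ajauberg's S35firewall script nor code from the thread), the following shell helpers emit the three kinds of rules discussed above: the per-host IP and MAC allows from the first reply, and the port-based OpenVPN opening from the later reply, with the TCP/UDP distinction that the proposed rules got wrong (--syn and -m tcp only make sense for TCP). It assumes the wireless interface is eth1 (as in the asker's post), that the script keeps a related/established rule before the final DROPs (the "..." in the quoted script), and it defaults IPTABLES to "echo iptables" so the rules are printed for review rather than applied; set IPTABLES=iptables to apply them on the router.

```shell
#!/bin/sh
# Added example, not part of the original thread or the S35firewall script.
# IPTABLES defaults to a dry-run that prints each rule instead of applying it.
IPTABLES="${IPTABLES:-echo iptables}"
WLANIF="${WLANIF:-eth1}"   # assumed wireless interface, as in the asker's post

# Allow replies to traffic we already permitted (assumed to sit where the
# quoted script has "...", before the per-interface DROP rules).
allow_established() {
    $IPTABLES -A INPUT -i "$WLANIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -o "$WLANIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Option 1): let one unauthenticated host through by IP address, both directions.
allow_ip() {
    host="$1"
    $IPTABLES -A INPUT -i "$WLANIF" -s "$host" -j ACCEPT
    $IPTABLES -A FORWARD -i "$WLANIF" -s "$host" -j ACCEPT
    $IPTABLES -A FORWARD -o "$WLANIF" -d "$host" -j ACCEPT
}

# Option 2): let one host through by MAC address (needs the mac match module,
# kmod-ipopt on OpenWrt). MAC can only be matched on the source side, so the
# return direction relies on allow_established rather than a -d rule.
allow_mac() {
    mac="$1"
    $IPTABLES -A INPUT -i "$WLANIF" -m mac --mac-source "$mac" -j ACCEPT
    $IPTABLES -A FORWARD -i "$WLANIF" -m mac --mac-source "$mac" -j ACCEPT
}

# Open one OpenVPN listener (default udp/1194) to unauthenticated wifi clients,
# in INPUT (server on the router) and FORWARD (server beyond the router).
# Only one protocol is needed, matching the OpenVPN config: TCP gets --syn so
# only new connections match; UDP has no handshake, so no --syn and -m udp.
allow_openvpn() {
    proto="${1:-udp}"
    port="${2:-1194}"
    case "$proto" in
        tcp) match="-p tcp -m tcp --dport $port --syn" ;;
        udp) match="-p udp -m udp --dport $port" ;;
        *)   echo "allow_openvpn: proto must be tcp or udp" >&2; return 1 ;;
    esac
    $IPTABLES -A INPUT -i "$WLANIF" $match -j ACCEPT
    $IPTABLES -A FORWARD -i "$WLANIF" $match -j ACCEPT
}

# Default deny for everything else on the wifi side; must come after the allows.
deny_rest() {
    $IPTABLES -A FORWARD -i "$WLANIF" -j DROP
    $IPTABLES -A FORWARD -o "$WLANIF" -j DROP
}

# Example rule set, printed in dry-run mode (constructed sample addresses):
build_example() {
    allow_established
    allow_ip 192.168.182.10
    allow_mac 00:11:22:33:44:55
    allow_openvpn udp 1194
    deny_rest
}
```

Run it as `sh openvpn-rules.sh` after appending a `build_example` call to see the rule list; since the rules are appended in order, the DROP rules from deny_rest have to be emitted last or the allows above them never match.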