GRE[NAT[GRE[NAT[PAYLOAD]]]] sort of thing, this second layer of NAT/GRE sticks a spanner in the works - is this the case for you?

anymore suggestions????

And on the iptables rule that you showed... "tun0" is not considered.

Maybe you should apply an ACCEPT on INPUT/FORWARD when interface is tun0.

$iptables -A INPUT -i tun0 -j ACCEPT
$iptables -A FORWARD -i tun0 -j ACCEPT

Regards,

#!/bin/sh
#
# Firewall script for ChilliSpot
# A Wireless LAN Access Point Controller
#
# Uses $EXTIF (eth0) as the external interface (Internet or intranet) and
# $INTIF (eth1) as the internal interface (access points).
#
#
# SUMMARY
# * All connections originating from chilli are allowed.
# * Only ssh is allowed in on external interface.
# * Nothing is allowed in on internal interface.
# * Forwarding is allowed to and from the external interface, but disallowed
#   to and from the internal interface.
# * NAT is enabled on the external interface.

IPTABLES="/sbin/iptables"
EXTIF="eth0"
INTIF="eth1"

#Flush all rules
$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -F -t mangle

#Set default behaviour
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT

#Allow related and established on all interfaces (input)
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#Allow releated, established and ssh on $EXTIF. Reject everything else.
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 22 --syn -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -j REJECT

#Allow related and established from $INTIF. Drop everything else.
$IPTABLES -A INPUT -i $INTIF -j DROP

#Allow http and https on other interfaces (input).
#This is only needed if authentication server is on same server as chilli
$IPTABLES -A INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp --dport 443 --syn -j ACCEPT

#Allow 3990 on other interfaces (input).
$IPTABLES -A INPUT -p tcp -m tcp --dport 3990 --syn -j ACCEPT

#Allow ICMP echo on other interfaces (input).
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

#Allow everything on loopback interface.
$IPTABLES -A INPUT -i lo -j ACCEPT

# Drop everything to and from $INTIF (forward)
# This means that access points can only be managed from ChilliSpot
$IPTABLES -A FORWARD -i $INTIF -j DROP
$IPTABLES -A FORWARD -o $INTIF -j DROP

#Enable NAT on output device
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

Many thanks for you help

I dont have here chilli.iptables (where is the code?).

Post the scripts here and maybe I should be able to help you.

Regards,

mson77

Thanks

tp

PPTP type VPN uses tcp port 1723 to the server.
Also protocol 47 (GRE) should be allowed.

This is a firewall issue of the linux box which hosts Chillispot... but it is not an issue of Chillispot.

Hope this helps,

mson77

Using the Chillispot server as router ( with no Chillispot running and fixed IP assigned to interface connected to AP ) the users can connect with vpn server.

Any idea?

Thanks

I have installed a chilli server on my corporate network to allow guests to connect to the internet without accessing my corporate LAN.  My config is essentially the out of the box version running on Fedora Core4, with the only difference being that I am using an external FreeRADIUS server.

My wireless clients connect and get a 192.168.182.X IP assignment and allowed to connect to the internet. The are not able to make a vpn connection back to their own networks however.

tia.