Lukas,

1. In chilli.conf make sure you have the following 2 lines:
    a. macauth
    b. macpasswd YOURPASSWORD
2. In the radcheck table add the row:
    username = 'YOURMACADDRESS'
    attribute = 'User-Password'
    op = ':='
    value = 'YOURPASSWORD'
3. If you are using radgroupreply and radgroupcheck, make sure you add a row in userinfo

CONTINUED:

The solution above works for blocking the traffic between the WLAN and the LAN; however, traffic continues to route to 2 or more devices attached to the LAN interface (I do not know much about networking, but it appears that the packets are being routed by the physical interface before they get to br0). To solve this, I made each LAN port a separate VLAN and attached each VLAN to br0 (the bridge), which effectively blocked the traffic from client to client when there are no shared nodes between the client and the Chillispot router. I have not tested it where there are nodes in between, but I expect that it will behave the same and I will need to add the ebtables and appropriate iptables rules.

For more info on configuring VLANs - http://wiki.openwrt.org/OpenWrtDocs/Configuration#head-1f582c0ad21a03a769e00c345743d6cf85ba878f

If you are using a wireless router and connecting your client by ethernet (as depicted in the reference image), is the ethernet plugged into the LAN or WAN port? I only have success with the LAN ports (you should be able to tweak this with VLANs or by modifying your network scripts).

...According to the link you provided, 'assign WAN port to SWITCH' is optional, but the picture indicates you should check it -- but it probably only matters if you use the WAN port to connect to your client.

=================

I'm using x-wrt on linksys wrt54gl and have been able to get both WDS and Client mode to work with chillispot. I can't tell why your setup does not work, but like ajauberg mentions, you need to ensure that DHCP service is turned off on the repeater and that chillispot is the only device handing out IPs.

A couple of other things you can check:
1. Are you certain that the repeater's firewall is off?
2. I put the chillispot router and repeater on the same subnet, but a different subnet from the chillispot software.

SOLVED:

With some help, I found a few references in the openwrt forum; apparently there is a problem with iptables and bridged interfaces in the 2.4 kernel. One solution that I am still testing and appears to work is to install and load the ebtables module. However, some references indicate that this slows performance of the bridge (I have not noticed this yet and will update the forum if it becomes an issue).

> ipkg install ebtables

> insmod /lib/modules/2.4.30/ebtables.o
> insmod /lib/modules/2.4.30/ebtable_filter.o
> insmod /lib/modules/2.4.30/ebtable_broute.o

Then the iptables works as expected for bridged interfaces. I added the modules to a startup script so they load at boot.
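
As an added example that is not part of this thread: a small OpenWrt-style startup script that loads the ebtables modules listed above and installs the br0-to-br0 drop rule the SOLVED post relies on, with a dry-run mode that only prints the commands. Assumed names: the bridge br0, the 2.4.30 module path from the post, and the native ebtables `--logical-in`/`--logical-out` form as an alternative to the iptables rule (both isolate clients on the bridge; either one is enough).

```shell
#!/bin/sh
# Client isolation for a Chillispot bridge (example, not from the thread).
# Assumptions: bridge is br0; kernel 2.4.30 modules under /lib/modules/2.4.30.
BRIDGE="${BRIDGE:-br0}"
KMOD_DIR="${KMOD_DIR:-/lib/modules/2.4.30}"

# Commands that load the ebtables modules so bridged frames traverse iptables.
load_module_cmds() {
    for m in ebtables ebtable_filter ebtable_broute; do
        printf 'insmod %s/%s.o\n' "$KMOD_DIR" "$m"
    done
}

# Isolation rules: drop any frame that enters and leaves the same bridge
# (client-to-client forwarding). Traffic to the router itself (chilli DHCP,
# gateway ARP) goes through INPUT/OUTPUT, so it is unaffected.
isolation_rule_cmds() {
    # iptables form; only effective once the bridge-netfilter modules are loaded
    printf 'iptables -I FORWARD -i %s -o %s -j DROP\n' "$BRIDGE" "$BRIDGE"
    # native ebtables form, matching on the logical bridge interface
    printf 'ebtables -A FORWARD --logical-in %s --logical-out %s -j DROP\n' \
        "$BRIDGE" "$BRIDGE"
}

# Number of isolation rules generated (sanity check for the dry run).
rule_count() { isolation_rule_cmds | wc -l | tr -d ' '; }

# Execute the generated commands in order; report any that fail but continue.
apply_rules() {
    { load_module_cmds; isolation_rule_cmds; } | while IFS= read -r cmd; do
        eval "$cmd" || echo "failed: $cmd" >&2
    done
}

case "${1:-dry-run}" in
    apply)   apply_rules ;;
    dry-run) load_module_cmds; isolation_rule_cmds ;;
esac
```

Run it as `sh isolate.sh` to review the commands, then `sh isolate.sh apply` from a boot script on the router.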

QUESTION:

I have an openwrt (x-wrt) / chillispot running on a wrt54gl with openwrt wrt54gl APs attached to the LAN ports via CAT5 operating a public wisp. The wlan and lan ports are bridged together as br0, and this is the interface that Chilli is managing and the wlan interface for IPTABLES.

On the APs I enabled 'Isolate WLAN clients' (which is inter BSS or layer 2 blocking), and as desired, 2 clients on the same AP are not able to network together. However, clients attached to different APs are able to network together and I would like a suggestion on how to block this.

My initial thinking is to utilize IPTABLES to block all traffic from br0 to br0. However:

1. I do not have much experience with IPTABLES and I have been unable to decipher online websites.
2. I do not understand exactly how Chillispot works with IPTABLES.

Do you think that it is feasible to use IPTABLES to accomplish my goal - layer 2 blocking/isolation of all clients attached to the network? If yes, please provide specific IPTABLES rule / configuration.