Topic: no access...

Hello,

I'm trying to run a simple hotspot with chillispot-radius-mysql. So far I have something working and something not...
The authentication is working - The chilli can auth. by MAC address successfully.

The problem is that there is no internet connection even after the successful authentication. The DNS is not working either. The only access is to the local Apache (192.168.1.1).
When I try to access the web, the chilli says:
"cb_dhcp_data_ind. Packet received. DHCP authstate: 2"

I'm using the chillispot firewall with
EXTIF="ppp0"
INTIF="rausb0"

The Chillispot brings tun0 interface up. Do I have to add some rules to the firewall for it?

The next problem is that without authentication I'm not redirected to the login page.

Cheers,
Nik

Re: no access...

I've just tried. No luck. It's the same.
Before adding the DNS and UAM page to UAM-allowed, I had access to the UAM page from the web browser by typing the IP address, but I was not automatically redirected to it when not authenticated.

3 (edited by nickich 2009-12-13 13:07:59)

Re: no access...

It is a very old 32-bit machine (P133, 64MB...) with Debian Lenny.
It must be my mistake with the configuration or I'm missing something, but I cannot figure out what it is.
In chilli.conf I have:

# TUN parameters
net 192.168.1.0/24
dynip 192.168.1.128/25
statip 192.168.1.0/25
dns1 dns1.ip
dns2 dns2.ip
domain key.chillispot.info

# Radius parameters
radiusserver1 127.0.0.1
radiusserver2 127.0.0.1
radiussecret theradiussecret

# DHCP Parameters
dhcpif rausb0

# Universal access method (UAM) parameters
uamserver https://192.168.1.1/cgi-bin/hotspotlogin.cgi
uamhomepage http://192.168.1.1/
uamsecret theuamsecret
#uamlisten 192.168.1.1
uamallowed dns1.ip,dns2.ip,192.168.1.1
uamanydns

# MAC authentication
macauth
macallowed 00-11-22-33-44-55
macpasswd MySecretPassword


The firewall rules look like:
IPTABLES="/sbin/iptables"
EXTIF="ppp0"
INTIF="rausb0"

$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT

#Allow related and established on all interfaces (input)
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#Allow related, established and ssh on $EXTIF. Reject everything else.
#$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 22 --syn -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -j REJECT

#Allow related and established from $INTIF. Drop everything else.
$IPTABLES -A INPUT -i $INTIF -j DROP

#Allow http and https on other interfaces (input).
#This is only needed if authentication server is on same server as chilli
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp --dport 53 --syn -j ACCEPT #< No difference with and without this line
$IPTABLES -A INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp --dport 443 --syn -j ACCEPT

#Allow 3990 on other interfaces (input).
$IPTABLES -A INPUT -p tcp -m tcp --dport 3990 --syn -j ACCEPT

#Allow everything on loopback interface.
$IPTABLES -A INPUT -i lo -j ACCEPT

# Drop everything to and from $INTIF (forward)
# This means that access points can only be managed from ChilliSpot
$IPTABLES -A FORWARD -i $INTIF -j DROP
$IPTABLES -A FORWARD -o $INTIF -j DROP

#Enable NAT on output device
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

#PPP Bug
$IPTABLES -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1421:65535 -j TCPMSS --clamp-mss-to-pmtu #<= It is the same with and without this line

Re: no access...

With all those parameters in chilli.conf commented out (as you suggest) it works! Great!
Now the question is why it doesn't with them?

Re: no access...

I tried first with 'dynip' and it stopped working.
It looks like chillispot creates a virtual network using the data in the chilli.conf file, and if I have a LAN on the same address space the chilli won't work. Probably that's what happens - I have LAN 192.168.1.0/24 (that's rausb0, the same wireless I'm using for chilli) and I have the same IP addresses in the chilli.conf file. Is that the way chilli works?

Re: no access...

Well, it's not important to have different settings. I'd just like to know how it works and to understand why that happens.
Probably I'm not explaining my situation well (my English is not good either). I have a Debian machine with 2 interfaces - ppp0 (for Internet) and rausb0 (USB wireless card). The wireless card has the static IP address 192.168.1.1 (ad-hoc mode for now). I was assuming that configuring chillispot to give clients addresses from this space would be OK. And the chilli gives IPs to the clients as expected, but the chilli itself doesn't work (no internet, no redirection, etc.).
With the default settings the chilli gives the clients addresses from the 192.168.182.x space and all works fine.
Anyway, it's not so important as the chilli is working well.
Thank you for your help! Thank you very much!
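
Added example (not part of any post in this thread, and not ChilliSpot project code): a pre-flight check for the situation described above, where the `net` in chilli.conf covers the same address space already configured on another interface. The function names, the `tun` prefix default and both sample inputs are assumptions constructed for illustration; the second sample imitates `ip -o -4 addr show` output.

```python
import ipaddress

# Constructed sample: the chilli.conf values quoted in the thread.
CHILLI_CONF = """\
net 192.168.1.0/24
dynip 192.168.1.128/25
statip 192.168.1.0/25
dhcpif rausb0
"""

# Constructed sample of `ip -o -4 addr show` output for the setup described
# (rausb0 statically set to 192.168.1.1; the ppp0 addresses are made up).
IP_ADDR_OUTPUT = """\
1: lo    inet 127.0.0.1/8 scope host lo
3: rausb0    inet 192.168.1.1/24 brd 192.168.1.255 scope global rausb0
4: ppp0    inet 10.64.64.64 peer 10.112.112.112/32 scope global ppp0
"""

def parse_chilli_conf(text):
    """Return {keyword: value} for non-comment lines; bare flags map to ''."""
    conf = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if parts:
            conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def parse_ip_addr(text):
    """Yield (ifname, IPv4Interface) from `ip -o -4 addr show` output."""
    for line in text.splitlines():
        fields = line.split()
        if "inet" in fields:
            # Point-to-point links list the local address without a prefix,
            # which ip_interface() treats as /32.
            addr = fields[fields.index("inet") + 1]
            yield fields[1], ipaddress.ip_interface(addr)

def find_conflicts(conf_text, ip_text, tun_prefix="tun"):
    """List interfaces (other than chilli's own tun device) whose subnet
    overlaps the chilli.conf `net`."""
    conf = parse_chilli_conf(conf_text)
    net = ipaddress.ip_network(conf["net"], strict=False)
    conflicts = []
    for ifname, iface in parse_ip_addr(ip_text):
        if not ifname.startswith(tun_prefix) and iface.network.overlaps(net):
            role = "dhcpif" if ifname == conf.get("dhcpif") else "other"
            conflicts.append((ifname, str(iface), role))
    return conflicts

if __name__ == "__main__":
    print(find_conflicts(CHILLI_CONF, IP_ADDR_OUTPUT))
```

An empty list means no configured interface shares address space with `net`, which is the case with the default 192.168.182.x range mentioned in the thread.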

Re: no access...

Great!
That explains everything :)
Thanks a lot!
:)