[CoovaChilli] Documentation about xt_coova/ipt-coova/nfcoova

Pierre Parent pparent at comminter.com
Mon Jun 6 16:55:01 BST 2016


Hi,

Thanks a lot for your message.

It kind of works with some iptables rules; I succeeded in getting 100Mbps throughput 
(instead of 25Mbps before). But I had to change the iptables rules described in the 
link to:

iptables -I FORWARD -i eth0.1 -m coova --name chilli -j ACCEPT
iptables -I FORWARD -o eth0.1  -j ACCEPT
iptables -I FORWARD -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -j ACCEPT
iptables -A FORWARD -j DROP

iptables -I INPUT -d 11.1.0.1 -j ACCEPT

Notably, I had to allow any incoming packet for eth0.1 (LAN) without filtering 
with xt_coova. When filtering with xt_coova for incoming packets on eth0.1, the 
rule was never matched; I'm not sure why. I don't know whether using these 
iptables rules can be problematic or not. If the user cannot send any packet, 
routing incoming packets should not allow him to do anything. But this does 
not seem very normal either.

I still have a big problem: during the authentication process, the TCP 
connections very often fail, most often when connecting to 11.1.0.1:3990, but 
also sometimes when connecting to the distant server specified in uamhomepage 
or at some other point of the identification process. It generally requires 1 
to 5 attempts to actually access 11.1.0.1:3900.

I made a packet capture with Wireshark. I see that some packets always flow in 
both ways (from and to 11.1.0.1), but I see a lot of [TCP Previous segment not 
captured], [TCP Retransmission], [TCP Out-of-Order] and [TCP Dup ACK]. 

Do you have any information about this problem? Also, I have a quick question: 
is xt_coova supposed to be stable, or is it still somewhat experimental?

Thanks in advance!

Pierre.

PS: 
I use the version currently used in openwrt: commit 
b93de20a288c01c2ba28e96e31ad6da01627f45f

Here is my /etc/chilli.conf

radiusserver1   "xxxxxxxx"
radiusserver2   "xxxxxxxx"
radiussecret    "xxxxxxxx"
radiusauthport  1812
radiusacctport  1813

# UAM
uamserver       "http://xxxxxxxxxx"
uamport         3990
uamhomepage     http://xxxxxxxxxx/
uamlogoutip     1.1.1.1


net 10.1.0.0/16
dynip 10.1.0.0/24
statip 10.1.1.0/24

uamlisten 11.1.0.1
dhcplisten 10.1.0.1
dhcpstart 10
uamaliasname chilli
ipup=
ipdown=

dhcpif eth0.1
uamdomain coova.org
cmdsock /var/run/chilli.sock
kname chilli

uamsecret "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

dns1            "10.1.0.1"

uamdomain       www.paypal.com,www.sandbox.paypal.com,www.paypalobjects.com,paypalobjects.com,paypal.112.2o7.net,developer.paypal.com,evsecure-ocsp.verisign.com,evsecure-crl.verisign.com,102.112.2o7.n
uamallowed      0.0.0.0/0:110
uamallowed      0.0.0.0/0:143
uamallowed      0.0.0.0/0:587
uamallowed      0.0.0.0/0:993
uamallowed      0.0.0.0/0:995

radiusnasid     xxxxxxxxxxxxxxx
nasmac xxxxxxxxxxxxxxxxxxx

redirssl
sslkeyfile      /etc/chilli/server.key
sslcertfile     /etc/chilli/server.crt


On Wednesday 1 June 2016, 09:57:35 Brian Andrews wrote:
> Hi Pierre
> 
> You need a very specific configuration to get kmod-coova/xt_coova to work.
> 
> You need specific firewall rules and you need to change your ip setup. See
> David’s original post here:
> 
> https://coova.github.io/mail-archive/chilli/2010-April/001239.html
> 
> There are also some more clues in this thread:
> 
> https://github.com/coova/coova-chilli/issues/61#issuecomment-139478433
> 
> -
> brian
> 
> > On 1/06/2016, at 1:42 AM, Pierre Parent <pparent at comminter.com> wrote:
> > 
> > Hi,
> > I'm lacking documentation on how to get chilli working with xt_coova.
> > I compiled it (in openwrt) with the --with-nfcoova option, I have the xt_coova
> > Linux module running, and I don't observe any improvement in performance
> > or CPU usage.
> > Also lsmod shows that the module xt_coova is not called:
> > [...]
> > xt_connlimit 3296 0
> > xt_connmark 960 3
> > xt_conntrack 2064 14
> > xt_coova 5312 0
> > xt_dscp 928 0
> > xt_ecn 1216 0
> > xt_helper 800 0
> > xt_hl 720 0
> > xt_id 400 0
> > [...]
> > I guess I must be missing something, but I can't find any documentation
> > on how to set up xt_coova. Is there a special option to set in the config
> > file, or special iptables rules to set up?
> > Thanks in advance!
> > 
> > Pierre.
> > 
> > _______________________________________________
> > CoovaChilli mailing list
> > CoovaChilli at brightonchilli.org.uk
> > https://www.brightonchilli.org.uk/mailman/listinfo/coovachilli
> 
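The FORWARD rules listed in the mail above, audited by an added Python script that is not part of this thread or of CoovaChilli: it parses `iptables -S FORWARD` output (a constructed sample, in the order the `-I`/`-A` commands above leave the chain) and flags a missing default deny, ACCEPT rules from the client interface that skip the `-m coova` match, and a `--name` that differs from `kname`. The `lan_if` and `kname` arguments are assumed to come from the `dhcpif` and `kname` lines of the posted chilli.conf.

```python
import re

# Constructed sample of `iptables -S FORWARD` for the rules in the mail:
# each `-I` prepends, so the final order is the reverse of the insert
# order, with the `-A ... -j DROP` last.
SAMPLE_FORWARD = """\
-P FORWARD ACCEPT
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -o tun0 -j ACCEPT
-A FORWARD -o eth0.1 -j ACCEPT
-A FORWARD -i eth0.1 -m coova --name chilli -j ACCEPT
-A FORWARD -j DROP
"""
RULE_RE = re.compile(r"^-A (\S+)(.*) -j (\S+)$")


def parse_rule(line):
    """Parse one `-A` line into a dict; returns None for policy/other lines."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    _chain, opts, target = m.groups()
    toks = opts.split()

    def opt(flag):  # value following a flag, or None if absent
        return toks[toks.index(flag) + 1] if flag in toks else None

    return {"in": opt("-i"), "out": opt("-o"), "target": target,
            "modules": [toks[i + 1] for i, t in enumerate(toks) if t == "-m"],
            "coova_name": opt("--name")}


def audit_forward(dump, lan_if, kname):
    """Return findings for a FORWARD dump; lan_if = dhcpif, kname = xt_coova table."""
    findings = []
    lines = [l for l in dump.splitlines() if l.strip()]
    policy = next((l.split()[-1] for l in lines if l.startswith("-P ")), "?")
    rules = [r for r in map(parse_rule, lines) if r]
    last = rules[-1] if rules else None
    # default deny: either policy DROP or a trailing DROP with no conditions
    terminal_drop = last and last["target"] == "DROP" and not (last["modules"] or last["in"] or last["out"])
    if policy != "DROP" and not terminal_drop:
        findings.append("no default deny: policy %s and no trailing unconditional DROP" % policy)
    for n, r in enumerate(rules, 1):
        if r["target"] != "ACCEPT":
            continue
        if r["in"] == lan_if and "coova" not in r["modules"]:
            findings.append("rule %d accepts traffic from %s without -m coova" % (n, lan_if))
        if "coova" in r["modules"] and r["coova_name"] != kname:
            findings.append("rule %d matches coova table %r, chilli uses kname %r" % (n, r["coova_name"], kname))
        if r["out"] == lan_if and "coova" not in r["modules"]:
            findings.append("rule %d forwards everything toward %s unconditionally (note only)" % (n, lan_if))
    return findings
```

On a live box, feed it `subprocess.check_output(["iptables", "-S", "FORWARD"], text=True)` instead of the sample.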