[CoovaChilli] Documentation about xt_coova/ipt-coova/nfcoova
pparent at comminter.com
Tue Jun 7 09:16:50 BST 2016
Sorry concerning the first problem, it's my fault, I had forgotten the --dest
option. This iptables works fine.
iptables -I FORWARD -o eth0.1 -m coova --name chilli --dest -j ACCEPT
Sorry to have bothered with this inexistent problem.
I still have the identification problem: connections very often fails when
Thanks a lot,
Le lundi 6 juin 2016, 17:55:01 Pierre Parent a écrit :
> Thanks a lot for your message.
> It kind of works with some iptables, I succeed in getting 100Mbps throughput
> (instead of 25Mpbs before). But I had to change the iptables described in
> the link with:
> iptables -I FORWARD -i eth0.1 -m coova --name chilli -j ACCEPT
> iptables -I FORWARD -o eth0.1 -j ACCEPT
> iptables -I FORWARD -o tun0 -j ACCEPT
> iptables -I FORWARD -i tun0 -j ACCEPT
> iptables -A FORWARD -j DROP
> iptables -I INPUT -d 184.108.40.206 -j ACCEPT
> Notably I had to allow any incoming packet for eth0.1 (lan), without
> filtering with xt_coova. When Filtering with xt_coova for incoming packet
> for eth0.1 the rule was never matched, not sure why. I don't know whether
> using these iptables can be problematic or not. If the user cannot send any
> packet, routing incoming packets should not allow him to do anything. But
> this does not seem very normal either.
> I still have a big problem, during the authentication process, the TCP
> connections very often fails, most often when connecting to 220.127.116.11:3990,
> but also sometimes when connecting to the distant server specified in
> uamhomepage or at some other point of the identification process. It
> generally requires 1 to 5 attempts to actually access 18.104.22.168:3900.
> I made a packet capture with Wireshark, I see that some packages always flow
> in both ways (from and to 22.214.171.124), but I see a lot of [TCP previous
> segment not captured] [TCP Retransmission] [TCP Out-of-Order] [TCP Dup
> Do you have any information about this problem? Also, I have a quick
> question; is xt_coova supposed to be stable or is it still somewhat
> Thanks in advance!
> I use the version currently used in openwrt: commit
> Here is my /etc/chilli.conf
> radiusserver1 "xxxxxxxx"
> radiusserver2 "xxxxxxxx"
> radiussecret "xxxxxxxx"
> radiusauthport 1812
> radiusacctport 1813
> # UAM
> uamserver "http://xxxxxxxxxx"
> uamport 3990
> uamhomepage http://xxxxxxxxxx/
> uamlogoutip 126.96.36.199
> net 10.1.0.0/16
> dynip 10.1.0.0/24
> statip 10.1.1.0/24
> uamlisten 188.8.131.52
> dhcplisten 10.1.0.1
> dhcpstart 10
> uamaliasname chilli
> dhcpif eth0.1
> uamdomain coova.org
> cmdsock /var/run/chilli.sock
> kname chilli
> uamsecret "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
> dns1 "10.1.0.1"
> uamallowed 0.0.0.0/0:110
> uamallowed 0.0.0.0/0:143
> uamallowed 0.0.0.0/0:587
> uamallowed 0.0.0.0/0:993
> uamallowed 0.0.0.0/0:995
> radiusnasid xxxxxxxxxxxxxxx
> nasmac xxxxxxxxxxxxxxxxxxx
> sslkeyfile /etc/chilli/server.key
> sslcertfile /etc/chilli/server.crt
> Le mercredi 1 juin 2016, 09:57:35 Brian Andrews a écrit :
> > Hi Pierre
> > You need a very specific configuration to get kmod-coova/xt_coova to work.
> > You need specific firewall rules and you need to change your ip setup. See
> > David’s original post here:
> > https://coova.github.io/mail-archive/chilli/2010-April/001239.html
> > There are also some more clues in this thread:
> > https://github.com/coova/coova-chilli/issues/61#issuecomment-139478433
> > -
> > brian
> > > On 1/06/2016, at 1:42 AM, Pierre Parent <pparent at comminter.com> wrote:
> > >
> > > Hi,
> > > I'm lacking documentation on how to have chili working with xt_coova.
> > > I compiled it (in openwrt) with --with-nfcoova option, I have the
> > > xt_coova
> > > linux module running, and I don't observe any improvement on
> > > performances,
> > > or CPU usage.
> > > Also lsmod shows that the module xt_coova is not called:
> > > [...]
> > > xt_connlimit 3296 0
> > > xt_connmark 960 3
> > > xt_conntrack 2064 14
> > > xt_coova 5312 0
> > > xt_dscp 928 0
> > > xt_ecn 1216 0
> > > xt_helper 800 0
> > > xt_hl 720 0
> > > xt_id 400 0
> > > [...]
> > > I guess, I must be missing something, but I don't find any documentation
> > > on how to setup xt-coova. Is there a special option to set in the config
> > > file, or special iptables to setup?
> > > Thanks in advance!
> > >
> > > Pierre.
> > >
> > > _______________________________________________
> > > CoovaChilli mailing list
> > > CoovaChilli at brightonchilli.org.uk
> > > https://www.brightonchilli.org.uk/mailman/listinfo/coovachilli
> > _______________________________________________
> > CoovaChilli mailing list
> > CoovaChilli at brightonchilli.org.uk
> > https://www.brightonchilli.org.uk/mailman/listinfo/coovachilli
> CoovaChilli mailing list
> CoovaChilli at brightonchilli.org.uk
More information about the CoovaChilli