[CoovaChilli] upload limit bandwidth with xt_coova

Luc ZIMMERMANN luc.zimmermann at e-wi.fr
Tue Feb 21 14:35:25 GMT 2017


Hi guys,

One week ago, I noticed that my users connected behind coova are not limited on upload on my router with OpenWRT 15.05.1 and coova 1.3.2.

This is my device in chilli_query list:

CC-25-EF-31-3B-75 192.168.180.2 pass 58ac194800000003 1 2945522 8/31536000 2/900 2010420/0 0/0 0 1 0%/262144 0%/1048576 http://captive.apple.com/hotspot-detect.html vlan=(null)

My limits are set correctly. When I download something, I see a log line about the leaky bucket for download, and my limit is well applied (Leaky bucket dropping download overflow to CC-25-EF-31-3B-75). It's applied because I see 99%/1048576 and my speedtest says 1Mb. Great!

But... (and that makes me crazy) I can't limit my upload.

I stay at 0%/262144.

These are my configs:
# /etc/config/chilli

config chilli 'public'
        option radiusnasid 'testacopub'
        option radiuslisten '10.1.210.254'
        option radiussecret '******'
        option radiusserver1 '******'
        option radiusserver2 '******'
        option radiusauthport '1812'
        option radiusacctport '1813'
        option uamserver 'http://testacopub.***.net'
        option uamhomepage 'http://splash.***.net'
        option uamsecret '******'
        option uamlisten '192.168.180.1'
        option uamport '3990'
        option uamanydns '1'
        option uamaliasip '1.0.0.1'
        option uamaliasname 'login'
        option uamlogoutip '1.1.1.1'
        option nouamsuccess '1'
        option coaport '3799'
        option coanoipcheck '1'
        option tundev 'tun11'
        option net '192.168.180.0/22'
        option lease '7200'
        option dhcpif 'br-if_pub'
        option dns1 '8.8.8.8'
        option dns2 '8.8.4.4'
        option domain '******'
        option kname 'chillipub'
        option swapoctets '1'
        option interval '3600'
        #option ipup '/iwibox/coova/ipup.sh'
        #option ipdown '/iwibox/coova/ipdown.sh'
        #option conup '/iwibox/coova/conup.sh'
        #option condown '/iwibox/coova/condown.sh'
        option locationname '***'
        option maxclients '1024'
        option nowispr1 '1'
        option nowispr2 '1'
        option noc2c '1'
        option rfc7710uri 'http://192.168.180.1:3990/prelogin'
        option dnslog '/var/log/coova_dns_pub.txt'

My iptables rules are a mix between firewall.openwrt and the KNAME part of ipup.sh.
I used the file "firewall.openwrt" found in https://github.com/coova/coova-chilli/tree/master/doc:

#!/bin/sh
#
# Firewall script for CoovaChilli on OpenWRT
#
# Uses $WANIF (vlan1) as the external interface (Internet or intranet) and
# $WLANIF (eth1) as the internal interface (access point).
# $LANIF is used as a trusted management interface.
#
# SUMMARY
# * All connections originating from CoovaChilli are allowed.
# * Nothing is allowed in on WAN interface.
# * Nothing is allowed in on WLAN interface.
# * Everything is allowed in on LAN interface.
# * Forwarding is allowed to and from WAN interface, but disallowed
#   to and from the WLAN interface.
# * NAT is enabled on the WAN interface.

. /etc/functions.sh

WANIF="eth0.100"
DHCPIF="br-if_pub"
WLANIF="br-if_pub"
KNAME="chillipub"
TUNTAP="tun11"
IPTABLES="/usr/sbin/iptables"

for T in filter nat mangle ; do
  $IPTABLES -t $T -F
  $IPTABLES -t $T -X
done

$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT

#Allow related and established on all interfaces (input)
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#Allow related and established $WANIF. Reject everything else.
$IPTABLES -A INPUT -i $WANIF -j REJECT

#Allow related and established $WLANIF. Drop everything else.
$IPTABLES -A INPUT -i $WLANIF -j DROP

#Allow 3990 on other interfaces (input).
$IPTABLES -A INPUT -p tcp -m tcp --dport 3990 --syn -j ACCEPT

#Allow everything on loopback interface.
$IPTABLES -A INPUT -i lo -j ACCEPT

#Drop everything to and from $WLANIF (forward)
$IPTABLES -A FORWARD -i $WLANIF -j DROP
$IPTABLES -A FORWARD -o $WLANIF -j DROP

#Enable NAT on output device.
$IPTABLES -t nat -A POSTROUTING -o $WANIF -j MASQUERADE

#ipup.sh part.
$IPTABLES -I FORWARD -i $DHCPIF -m coova --name $KNAME -j ACCEPT
$IPTABLES -I FORWARD -o $DHCPIF -m coova --name $KNAME --dest -j ACCEPT
$IPTABLES -I FORWARD -i $TUNTAP -j ACCEPT
$IPTABLES -I FORWARD -o $TUNTAP -j ACCEPT


br-if_pub is a bridge over eth1.1, wlan0 and wlan1 (wlan0 and wlan1 are the 2.4GHz and 5GHz WiFi interfaces).
tun11 is the coova network.
My WAN is eth0.100.

I also tried to disable TSO, GRO and GSO on my interfaces, but nothing changed...
Does anyone have an idea what I'm missing?

Thanks
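The post above compares a single `chilli_query list` snapshot against what a speedtest reports. A more systematic way to see whether a leaky bucket is actually being applied is to take two `chilli_query list` snapshots a few seconds apart and check, per session, whether bytes moved in a limited direction while that direction's bucket column stayed at 0%. The following script is an added example for this thread, not code from CoovaChilli or from the poster. Its column layout is an assumption read off the line quoted in the post: with `swapoctets 1` the first octet column is taken as bytes sent to the client (download) and the second as bytes received from the client (upload), and the two trailing `N%/limit` columns are the upload and download buckets the post itself reads as 0%/262144 and 0%/1048576. The second snapshot is constructed for the example.

```python
"""Diagnose whether CoovaChilli's leaky-bucket limits are taking effect.

Added example for the mailing-list question above (not CoovaChilli's own
tooling).  It parses two `chilli_query list` dumps and reports sessions that
moved traffic in a direction whose bandwidth bucket never left 0%.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Session:
    mac: str
    ip: str
    state: str            # pass / dnat / none
    authenticated: bool
    down_octets: int      # bytes delivered to the client (assumed column 8 with swapoctets)
    up_octets: int        # bytes received from the client (assumed column 9 with swapoctets)
    bw_up_pct: int        # upload bucket utilisation in percent
    bw_up_limit: int      # upload limit in bit/s
    bw_down_pct: int      # download bucket utilisation in percent
    bw_down_limit: int    # download limit in bit/s


def _pair(field: str) -> tuple[int, int]:
    """Split an 'a/b' or 'a%/b' column into two integers."""
    left, right = field.split("/", 1)
    return int(left.rstrip("%")), int(right)


def parse_session(line: str) -> Session:
    """Parse one `chilli_query list` line (column positions are an assumption
    of this example, taken from the line quoted in the post)."""
    f = line.split()
    if len(f) < 14:
        raise ValueError(f"unexpected chilli_query line: {line!r}")
    down, _ = _pair(f[8])
    up, _ = _pair(f[9])
    up_pct, up_limit = _pair(f[12])
    down_pct, down_limit = _pair(f[13])
    return Session(f[0], f[1], f[2], f[4] == "1",
                   down, up, up_pct, up_limit, down_pct, down_limit)


def parse_list(text: str) -> dict[str, Session]:
    """Index a whole `chilli_query list` dump by client MAC."""
    return {s.mac: s for s in (parse_session(l) for l in text.splitlines() if l.strip())}


def unenforced_directions(before: dict[str, Session], after: dict[str, Session],
                          min_bytes: int = 256 * 1024) -> list[tuple[str, str, int, int]]:
    """Return (mac, direction, bytes_moved, limit_bps) for each authenticated
    session that moved at least `min_bytes` in a limited direction while the
    bucket for that direction read 0% in both snapshots.  Sessions that are
    not in 'pass' state are skipped because limits only apply after login."""
    findings = []
    for mac, b in before.items():
        a = after.get(mac)
        if a is None or a.state != "pass" or not a.authenticated:
            continue
        checks = (
            ("upload", a.up_octets - b.up_octets, b.bw_up_pct, a.bw_up_pct, a.bw_up_limit),
            ("download", a.down_octets - b.down_octets, b.bw_down_pct, a.bw_down_pct, a.bw_down_limit),
        )
        for direction, moved, pct_before, pct_after, limit in checks:
            if limit > 0 and moved >= min_bytes and pct_before == 0 and pct_after == 0:
                findings.append((mac, direction, moved, limit))
    return findings


# Snapshot quoted in the post (after the 1 Mbit/s download test).
SNAP_BEFORE = ("CC-25-EF-31-3B-75 192.168.180.2 pass 58ac194800000003 1 2945522 8/31536000 2/900 "
               "2010420/0 0/0 0 1 0%/262144 0%/1048576 http://captive.apple.com/hotspot-detect.html vlan=(null)\n")
# Constructed follow-up snapshot about 30 s later: the client pushed 3 MiB
# upstream while the 262144 bit/s upload bucket still reads 0%.
SNAP_AFTER = ("CC-25-EF-31-3B-75 192.168.180.2 pass 58ac194800000003 1 2945522 38/31536000 0/900 "
              "2015620/0 3145728/0 0 1 0%/262144 0%/1048576 http://captive.apple.com/hotspot-detect.html vlan=(null)\n")


def report(before_text: str = SNAP_BEFORE, after_text: str = SNAP_AFTER):
    """Convenience wrapper: parse both dumps and run the check."""
    return unenforced_directions(parse_list(before_text), parse_list(after_text))


if __name__ == "__main__":
    for mac, direction, moved, limit in report():
        print(f"{mac}: {moved} bytes {direction} while the {limit} bit/s bucket stayed at 0%")
```

In practice you would feed the script two real dumps (`chilli_query list > before.txt`, generate traffic, `chilli_query list > after.txt`) instead of the embedded strings; a session that shows up in the output has traffic that chilli's user-space bucket for that direction never accounted for, which is the situation the post describes for upload.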

