Changes

Jump to navigation Jump to search
542 bytes added ,  05:31, 7 November 2021
Line 1: Line 1:  
{{Languages}}
 
{{Languages}}
   −
==Coova-Chilli for sme server==
      
===Maintainer===
 
===Maintainer===
[[User:VIP-ire|Daniel B.]]<br/>
+
[mailto:daniel@firewall-services.com[[User:VIP-ire|Daniel B.]]] from [http://www.firewall-services.com Firewall Services]
[http://www.firewall-services.com Firewall Services]<br>
+
 
mailto:daniel@firewall-services.com
+
=== Version ===
 +
 
 +
{{ #smeversion: smeserver-coova-chilli }}
 +
{{ #smeversion: coova-chilli }}
    
=== Description ===
 
=== Description ===
Line 25: Line 27:  
The first step is to add a third network card on your server.
 
The first step is to add a third network card on your server.
   −
{{ibox
+
{{Warning box|When rebooting, if you have several identical NICs, it is possible that the server has swapped two of them, so you may have to reconfigure your Internal/External interface (login as admin, then configure this server). Once that's finished, you should have a new 'eth2' card not configured (it's ok, you do not need to configure it).
|img={{{img|Warning.png}}}
  −
|msg=When rebooting, if you have several identical NICs, it is possible that the server has swapped two of them, so you may have to reconfigure your Internal/External interface (login as admin, then configure this server). Once that's finished, you should have a new 'eth2' card not configured (it's ok, you do not need to configure it).|{{{1}}}
  −
|type={{{type|Warning:}}}
  −
|color=#FFEED9
   
}}
 
}}
 
=== Installation ===
 
=== Installation ===
Line 36: Line 34:     
  yum --enablerepo=smecontribs install smeserver-coova-chilli
 
  yum --enablerepo=smecontribs install smeserver-coova-chilli
  −
(For now, you may also have to enable the repo smetest as smeserver-coova-chilli requires e-smith-radiusd => 1.0.0-18 which is in smetest repo)
      
*Enable the service
 
*Enable the service
Line 60: Line 56:  
*Attach an AP
 
*Attach an AP
   −
The final step is to connect an AP on the NIC. I'm talking about a AP and not a router. If you have a WiFi router, it is possible to work if these conditions are met:
+
The final step is to connect an AP on the NIC. I'm talking about a AP and not a router. If you have a WiFi router, it is possible to make it work if these conditions are met:
    
**Dhcp is disabled on the router
 
**Dhcp is disabled on the router
Line 69: Line 65:     
*Login
 
*Login
Connect a client, and try to open a web page, you should fall on a page like this:
+
Connect a client, and try to open a web page, you should be redirected on a page like this one:
    
[[Image:ChilliLogin-noguest.jpg]]
 
[[Image:ChilliLogin-noguest.jpg]]
Line 90: Line 86:     
*'''dhcpif''': the physical interface to use, in most cases, it will be eth2
 
*'''dhcpif''': the physical interface to use, in most cases, it will be eth2
 +
 +
*'''dhcpstart''': where to start assigning IPs (DHCP range)
 +
 +
*'''dhcpend''': where to stop assigning IPs
    
*'''dns1''' and '''dns2''': gives clients the dns servers to use. Here I have placed two public DNS servers.
 
*'''dns1''' and '''dns2''': gives clients the dns servers to use. Here I have placed two public DNS servers.
 
They should work for everyone, but you can replace them by example by your ISP's DNS
 
They should work for everyone, but you can replace them by example by your ISP's DNS
   −
*'''net''': the network range to use. The server uses the first IP available from the network (and thus default 10.1.0.1) and provide customers with addresses in this range.
+
*'''net''': the network range to use. The server uses the first IP available from the network (and thus default 10.1.0.1) and provide clients with addresses in this range.
   −
*'''radiussecret''': the secret shared between the radius server and chilli daemon. For each installation, a random secret is generated, so you shouldn't have to change it.
+
*'''status''': there's no trap, this key defines the state of service, and whether it should be started when the server boots up.
 
  −
*'''status''': there's no trap that defined the state of service, and whether it should be started when the server boots up.
      
*'''tundev''': defines the tun interface to use (chilli mask the real interface eth2 and the system sees the traffic as comming from a tun interface).
 
*'''tundev''': defines the tun interface to use (chilli mask the real interface eth2 and the system sees the traffic as comming from a tun interface).
 
By default, tun0, you can change if tun0 is already used for a VPN for example.
 
By default, tun0, you can change if tun0 is already used for a VPN for example.
 +
 +
*'''uamhomepage''': URL of homepage to redirect unauthenticated users to. If not specified this defaults to the login page
    
*'''uamallowed''': A list of host that will be accessible before authentication. It can be a simple list of host, or a list of the form host:port, or protocol:host, or protocol:host:port
 
*'''uamallowed''': A list of host that will be accessible before authentication. It can be a simple list of host, or a list of the form host:port, or protocol:host, or protocol:host:port
Line 123: Line 123:     
*'''guestUpLink''': if guestAccess is enabled, this will limit the uplink bandwidth for guest user (in kbps)
 
*'''guestUpLink''': if guestAccess is enabled, this will limit the uplink bandwidth for guest user (in kbps)
 +
 +
*'''noc2c''': can be enabled or disabled (default is enabled). If enabled, clients will get a /32 netmask, and a special route will be added so they can contact the gateway. This prevent direct client to client communication. Note that it's a layer 3 isolation, a better way to prevent client to client is a layer 2 isolation, some AP and switch provides this.
 +
 +
*'''macallowed''': A comma separated list of MAC addresses which won't need to authenticate
    
After you've changed the configuration, just run the command  
 
After you've changed the configuration, just run the command  
Line 149: Line 153:  
several groups, restrict the bandwidth up and down ... etc)
 
several groups, restrict the bandwidth up and down ... etc)
   −
To do so, follow the procedure:
+
To do so, follow the procedure:
 
   
 
   
*Create a folder in-custom templates:
+
*Create a folder in templates-custom:
   −
  mkdir -p /etc/e-smith/custom-templates/etc/raddb/users
+
  mkdir -p /etc/e-smith/templates-custom/etc/raddb/users
    
*and copy the original template
 
*and copy the original template
   −
  cp -a /etc/e-smith/templates/etc/raddb/users/40chilli /etc/e-smith/custom-templates/etc/raddb/users
+
  cp -a /etc/e-smith/templates/etc/raddb/users/40chilli /etc/e-smith/templates-custom/etc/raddb/users
    
*Now, you can edit it. By default it looks like this:
 
*Now, you can edit it. By default it looks like this:
Line 169: Line 173:  
         $uplink = $uplink * 1000;
 
         $uplink = $uplink * 1000;
 
         $OUT =<<END;
 
         $OUT =<<END;
  guest NAS-Identify == "chilli", Auth-Type: = Local User-Password == 'guest'
+
  guest NAS-Identify == "localhost", Auth-Type: = Local User-Password == 'guest'
 
       WISPr-Bandwidth-Max-Down = $downlink, WISPr-Bandwidth-Max-Up = $uplink
 
       WISPr-Bandwidth-Max-Down = $downlink, WISPr-Bandwidth-Max-Up = $uplink
 
  END
 
  END
 
  if (($chilli{'status'} || 'disabled') eq' enabled ') {
 
  if (($chilli{'status'} || 'disabled') eq' enabled ') {
 
     $OUT = <<END;
 
     $OUT = <<END;
  DEFAULT Group == "chilli", NAS-Identify == "chilli", Auth-Type: = unix
+
  DEFAULT Group == "chilli", NAS-Identify == "localhost", Auth-Type: = unix
 
  # WISPr-Bandwidth-Max-Down = 512000, WISPr-Bandwidth-Max-Up = 128000
 
  # WISPr-Bandwidth-Max-Down = 512000, WISPr-Bandwidth-Max-Up = 128000
 
   
 
   
  DEFAULT Group! = "chilli", NAS-Identify == "chilli", Auth-Type: Reject =
+
  DEFAULT Group! = "chilli", NAS-Identify == "localhost", Auth-Type: Reject =
 
         Reply Message = "Your are not allowed member of the group"
 
         Reply Message = "Your are not allowed member of the group"
 
  END
 
  END
Line 193: Line 197:  
         $uplink = $uplink * 1000;
 
         $uplink = $uplink * 1000;
 
         $OUT =<<END;
 
         $OUT =<<END;
  guest NAS-Identify == "chilli", Auth-Type: = Local User-Password == 'guest'
+
  guest NAS-Identify == "localhost", Auth-Type: = Local User-Password == 'guest'
 
       WISPr-Bandwidth-Max-Down = $downlink, WISPr-Bandwidth-Max-Up = $uplink
 
       WISPr-Bandwidth-Max-Down = $downlink, WISPr-Bandwidth-Max-Up = $uplink
 
  END
 
  END
 
  if (($chilli{'status'} || 'disabled') eq' enabled ') {
 
  if (($chilli{'status'} || 'disabled') eq' enabled ') {
 
     $OUT = <<END;
 
     $OUT = <<END;
  DEFAULT Group == "'''wifi'''", NAS-Identify == "chilli", Auth-Type: = unix
+
  DEFAULT Group == "'''wifi'''", NAS-Identify == "localhost", Auth-Type: = unix
 
  # WISPr-Bandwidth-Max-Down = 512000, WISPr-Bandwidth-Max-Up = 128000
 
  # WISPr-Bandwidth-Max-Down = 512000, WISPr-Bandwidth-Max-Up = 128000
  DEFAULT Group! = "'''wifi'''", NAS-Identify == "chilli", Auth-Type: Reject =
+
  DEFAULT Group! = "'''wifi'''", NAS-Identify == "localhost", Auth-Type: Reject =
 
         Reply Message = "Your are not allowed member of the group"
 
         Reply Message = "Your are not allowed member of the group"
 
  END
 
  END
 
  }
 
  }
 
  }
 
  }
      
=== What authenticated users have access to ? ===
 
=== What authenticated users have access to ? ===
Line 213: Line 216:  
Basically once authenticated, users have access to
 
Basically once authenticated, users have access to
   −
*DNS outside (udp port 53)
+
*DNS outside (udp port 53)
*Http outwards (through squid if squid is enabled and WebRequests set to squid), http to your server
+
*Http outwards (through squid if squid is enabled and WebRequests set to squid), http to your server
*Https outwards and https to your SME
+
*Https outwards and https to your SME
*Ping outwards and your server
+
*Ping outwards and your server
    
There are two key in the db to customize this:
 
There are two key in the db to customize this:
Line 225: Line 228:  
{{Note box|This will just open the corresponding port(s), you need to make sure the service listen on the correct interface.}}
 
{{Note box|This will just open the corresponding port(s), you need to make sure the service listen on the correct interface.}}
   −
*AllowedOutgoing will allow more outgoing traffic. It's list of proto/host/port clients will be able to contact on the internet (These rules only apply to forwarded traffic, nothing will be allowed to the private network). Wildcard '*' (or keyword any) can replace host or port. Eg:
+
*AllowedOutgoing will allow more outgoing traffic. It's a list of proto/host/port clients will be able to contact on the internet (These rules only apply to forwarded traffic, nothing will be allowed to the private network). Wildcard '*' (or keyword 'any') can replace host or port. Eg:
  db configuration setprop AllowedOutgoing tcp:56.23.41.1:25,udp:*:1194,tcp:4.5.6.7:any,tcp:any:123
+
  db configuration setprop chilli AllowedOutgoing tcp:56.23.41.1:25,udp:*:1194,tcp:4.5.6.7:any,tcp:any:123
    
This will allow:
 
This will allow:
Line 251: Line 254:  
If you get an error, check the log /var/log/messages
 
If you get an error, check the log /var/log/messages
 
*Check tun0 (or what you have configured as tundev) is up, with a valid ip
 
*Check tun0 (or what you have configured as tundev) is up, with a valid ip
  ifconfig
+
  ifconfig tun0
 
*Check the client gets a ip in the range 10.1.0.0/24 (or what ever you have configured as net)
 
*Check the client gets a ip in the range 10.1.0.0/24 (or what ever you have configured as net)
 
If it's not the case, check that the AP is working properly (tcpdump on tun0 to check that your server sees dhcp requests). You can try to connect your client directly to eth2 with a crossed cable to eliminate an AP or wifi-level issue
 
If it's not the case, check that the AP is working properly (tcpdump on tun0 to check that your server sees dhcp requests). You can try to connect your client directly to eth2 with a crossed cable to eliminate an AP or wifi-level issue
Line 260: Line 263:  
  yum remove smeserver-coova-chilli coova-chilli
 
  yum remove smeserver-coova-chilli coova-chilli
   −
=== Source ===
  −
The source for this contrib can be found in the smeserver [http://smeserver.cvs.sourceforge.net/smeserver/smeserver-coova-chilli/ CVS] on sourceforge.
   
=== Bugs ===
 
=== Bugs ===
 
Please raise bugs under the SME-Contribs section in [http://bugs.contribs.org/enter_bug.cgi bugzilla]
 
Please raise bugs under the SME-Contribs section in [http://bugs.contribs.org/enter_bug.cgi bugzilla]
 
and select the smeserver-coova-chilli component or use {{BugzillaFileBug|product=SME%20Contribs|component=smeserver-coova-chilli|title=this link}}
 
and select the smeserver-coova-chilli component or use {{BugzillaFileBug|product=SME%20Contribs|component=smeserver-coova-chilli|title=this link}}
    +
{{#bugzilla:columns=id,product,version,status,summary |sort=id |order=desc |component=smeserver-coova-chilli|noresultsmessage="No open bugs found."}}
 +
 +
 +
===Changelog===
 +
Only versions released in smecontrib are listed here.
 +
 +
{{#smechangelog: smeserver-coova-chilli}}
 
----
 
----
 
[[Category:Contrib]]
 
[[Category:Contrib]]
 +
[[Category:Administration:Remote Access]]
Super Admin, Wiki & Docs Team, Bureaucrats, Interface administrators, Administrators
3,254

edits

Navigation menu