[isf-wifidog] Fwd: Problems with WiFiDog 1.1.5-2 and Open-WRT 8.09
Aaron Z
aaronz at pls-net.org
Tue Apr 14 15:19:56 EDT 2009
Hello all,
My name is Aaron and I am a Systems Administrator for the Pioneer Library System. We are currently running Open-WRT White Russian (.09) and WiFiDog 1.1.3 on wireless access points in ~36 of our libraries. We have them authenticating to a custom WiFiDog backend (which will hopefully be replaced with a less custom version this year). Some of the installs are 4-5 years old and we are getting ready to refresh them and add throttling. While researching that, I discovered that upgrading to Open-WRT Kamikaze will let me have two SSIDs, which would be useful.
So, I have a test box: a Linksys WRT54GL v.1.1 on which I am running Open-WRT Kamikaze 8.09 and WiFiDog 1.1.5-2. The box has 2 SSIDs: STAFF, which is encrypted and terminates in the WAN (vlan1, not throttled, gets addresses from the DHCP server in the WAN), and PUBLIC, which is un-encrypted and terminates in the LAN (vlan0, throttled to 2.5M/250K down/up). Throttling is done with the qos-scripts package.
This works great until I install and run WiFiDog. When that happens, I get to the authentication page, I enter my library card number and PIN, and I then get sent to the authentication completed page. All seems well until I try to go anywhere else: I then get "Waiting for google.com" and eventually Firefox times out and I am left with a blank page. What is odd is that I can ping google.com and get a response (with a 30-60ms response time).
Has anyone else run across a similar issue?
Do I need to post more configuration info?
Thanks for your time.
Aaron Z
Junior Systems Administrator
Pioneer Library System
List of installed packages:
**************************
root@OpenWrt:/etc# opkg list_installed
base-files-brcm-2.4 - 14-r14511 -
bridge - 1.0.6-1 -
busybox - 1.11.2-2 -
dnsmasq - 2.46-1 -
dropbear - 0.51-2 -
firewall - 1-1 -
iptables - 1.3.8-4 -
iptables-mod-conntrack - 1.3.8-4 -
iptables-mod-conntrack-extra - 1.3.8-4 -
iptables-mod-extra - 1.3.8-4 -
iptables-mod-filter - 1.3.8-4 -
iptables-mod-imq - 1.3.8-4 -
iptables-mod-ipopt - 1.3.8-4 -
iptables-mod-nat - 1.3.8-4 -
iptables-mod-nat-extra - 1.3.8-4 -
kernel - 2.4.35.4-brcm-2.4-1 -
kmod-brcm-wl - 2.4.35.4+4.150.10.5.3-brcm-2.4-2 -
kmod-diag - 2.4.35.4-brcm-2.4-4 -
kmod-ipt-conntrack - 2.4.35.4-brcm-2.4-1 -
kmod-ipt-conntrack-extra - 2.4.35.4-brcm-2.4-1 -
kmod-ipt-core - 2.4.35.4-brcm-2.4-1 -
kmod-ipt-extra - 2.4.35.4-brcm-2.4-1 -
kmod-ipt-filter - 2.4.35.4-brcm-2.4-1 -
kmod-ipt-imq - 2.4.35.4-brcm-2.4-1 -
kmod-ipt-ipopt - 2.4.35.4-brcm-2.4-1 -
kmod-ipt-nat - 2.4.35.4-brcm-2.4-1 -
kmod-ipt-nat-extra - 2.4.35.4-brcm-2.4-1 -
kmod-ipt-nathelper - 2.4.35.4-brcm-2.4-1 -
kmod-ppp - 2.4.35.4-brcm-2.4-1 -
kmod-pppoe - 2.4.35.4-brcm-2.4-1 -
kmod-sched - 2.4.35.4-brcm-2.4-1 -
kmod-switch - 2.4.35.4-brcm-2.4-1 -
kmod-wlcompat - 2.4.35.4+4.150.10.5.3-brcm-2.4-2 -
libgcc - 3.4.6-14 -
liblua - 5.1.4-2 -
libncurses - 5.6-1 -
libpthread - 0.9.29-14 -
libuci - 0.7.3-1 -
libuci-lua - 0.7.3-1 -
lua - 5.1.4-2 -
luci-admin-core - 0.8.6-1 -
luci-admin-full - 0.8.6-1 -
luci-admin-mini - 0.8.6-1 -
luci-app-firewall - 0.8.6-1 -
luci-cbi - 0.8.6-1 -
luci-core - 0.8.6-1 -
luci-http - 0.8.6-1 -
luci-i18n-english - 0.8.6-1 -
luci-ipkg - 0.8.6-1 -
luci-sgi-cgi - 0.8.6-1 -
luci-sys - 0.8.6-1 -
luci-theme-base - 0.8.6-1 -
luci-theme-openwrt - 0.8.6-1 -
luci-uci - 0.8.6-1 -
luci-uvl - 0.8.6-1 -
luci-web - 0.8.6-1 -
mtd - 8 -
nano - 2.0.7-1 -
nas - 4.150.10.5.3-2 -
nvram - 1 -
opkg - 4564-3 -
ppp - 2.4.3-10 -
ppp-mod-pppoe - 2.4.3-10 -
qos-scripts - 1.2.1-2 -
tc - 2.6.25-1 -
uci - 0.7.3-1 -
uclibc - 0.9.29-14 -
wifidog - 1.1.5-2 -
wireless-tools - 29-2 -
wlc - 4.150.10.5.3-2 -
**************************
Output of iptables -L
**************************
root@OpenWrt:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
syn_flood tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
input_rule all -- anywhere anywhere
input all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
WiFiDog_WIFI2Internet all -- anywhere anywhere
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
forwarding_rule all -- anywhere anywhere
forward all -- anywhere anywhere
reject all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
output_rule all -- anywhere anywhere
output all -- anywhere anywhere
Chain WiFiDog_AuthServers (1 references)
target prot opt source destination
ACCEPT all -- anywhere 10.199.30.20
Chain WiFiDog_Global (1 references)
target prot opt source destination
Chain WiFiDog_Known (1 references)
target prot opt source destination
REJECT all -- anywhere 10.199.0.0/16 reject-with icmp-port-unreachable
ACCEPT all -- anywhere anywhere
Chain WiFiDog_Locked (1 references)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain WiFiDog_Unknown (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:53
ACCEPT tcp -- anywhere anywhere tcp dpt:53
ACCEPT udp -- anywhere anywhere udp dpt:67
ACCEPT tcp -- anywhere anywhere tcp dpt:67
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain WiFiDog_Validate (1 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere tcp dpt:25 reject-with icmp-port-unreachable
ACCEPT all -- anywhere anywhere
Chain WiFiDog_WIFI2Internet (1 references)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
WiFiDog_AuthServers all -- anywhere anywhere
WiFiDog_Locked all -- anywhere anywhere MARK match 0x254
WiFiDog_Global all -- anywhere anywhere
WiFiDog_Validate all -- anywhere anywhere MARK match 0x1
WiFiDog_Known all -- anywhere anywhere MARK match 0x2
WiFiDog_Unknown all -- anywhere anywhere
Chain forward (1 references)
target prot opt source destination
zone_lan_forward all -- anywhere anywhere
zone_wan_forward all -- anywhere anywhere
zone_wan_forward all -- anywhere anywhere
Chain forwarding_lan (1 references)
target prot opt source destination
Chain forwarding_rule (1 references)
target prot opt source destination
Chain forwarding_wan (1 references)
target prot opt source destination
Chain input (1 references)
target prot opt source destination
zone_lan all -- anywhere anywhere
zone_wan all -- anywhere anywhere
zone_wan all -- anywhere anywhere
Chain input_lan (1 references)
target prot opt source destination
Chain input_rule (1 references)
target prot opt source destination
Chain input_wan (1 references)
target prot opt source destination
Chain output (1 references)
target prot opt source destination
zone_lan_ACCEPT all -- anywhere anywhere
zone_wan_ACCEPT all -- anywhere anywhere
Chain output_rule (1 references)
target prot opt source destination
Chain reject (7 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain syn_flood (1 references)
target prot opt source destination
RETURN tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50
DROP all -- anywhere anywhere
Chain zone_lan (1 references)
target prot opt source destination
input_lan all -- anywhere anywhere
zone_lan_ACCEPT all -- anywhere anywhere
Chain zone_lan_ACCEPT (3 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain zone_lan_DROP (0 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
Chain zone_lan_MSSFIX (1 references)
target prot opt source destination
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
Chain zone_lan_REJECT (1 references)
target prot opt source destination
reject all -- anywhere anywhere
reject all -- anywhere anywhere
Chain zone_lan_forward (1 references)
target prot opt source destination
forwarding_lan all -- anywhere anywhere
zone_lan_REJECT all -- anywhere anywhere
Chain zone_wan (2 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:22
input_wan all -- anywhere anywhere
zone_wan_REJECT all -- anywhere anywhere
Chain zone_wan_ACCEPT (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain zone_wan_DROP (0 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
Chain zone_wan_MSSFIX (0 references)
target prot opt source destination
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
Chain zone_wan_REJECT (2 references)
target prot opt source destination
reject all -- anywhere anywhere
reject all -- anywhere anywhere
reject all -- anywhere anywhere
reject all -- anywhere anywhere
Chain zone_wan_forward (2 references)
target prot opt source destination
zone_lan_MSSFIX all -- anywhere anywhere
zone_lan_ACCEPT all -- anywhere anywhere
forwarding_wan all -- anywhere anywhere
zone_wan_REJECT all -- anywhere anywhere
**************************
/etc/config/firewall
config 'defaults'
	option 'syn_flood' '1'
	option 'input' 'ACCEPT'
	option 'output' 'ACCEPT'
	option 'forward' 'REJECT'

config 'zone'
	option 'name' 'lan'
	option 'input' 'ACCEPT'
	option 'output' 'ACCEPT'
	option 'forward' 'REJECT'

config 'zone'
	option 'name' 'wan'
	option 'input' 'REJECT'
	option 'output' 'ACCEPT'
	option 'forward' 'REJECT'
	option 'masq' '1'

config 'forwarding'
	option 'mtu_fix' '1'
	option 'src' 'wan'
	option 'dest' 'lan'

config 'rule'
	option 'target' 'ACCEPT'
	option '_name' 'SSH_In'
	option 'src' 'wan'
	option 'proto' 'tcp'
	option 'dest_port' '22'
**************************
/etc/config/network
#### VLAN configuration
config switch eth0
	option vlan0 "0 1 2 3 5*"
	option vlan1 "4 5"

#### Loopback configuration
config interface loopback
	option ifname "lo"
	option proto static
	option ipaddr 127.0.0.1
	option netmask 255.0.0.0

#### LAN configuration
config interface lan
	option type bridge
	option ifname "eth0.0"
	option proto static
	option ipaddr 192.168.1.1
	option netmask 255.255.255.0

#### WAN configuration
config interface wan
	option type bridge
	option ifname "eth0.1"
	option proto dhcp
**************************
/etc/config/qos
# QoS configuration for OpenWrt

# INTERFACES:
config interface wan
	option classgroup "Default"
	option enabled 1
	option overhead 1
	option upload 250
	option download 2500

## the rest of the file is unchanged from the stock config
**************************
/etc/wifidog.conf
# $Header: /cvsroot/wifidog/wifidog/wifidog.conf,v 1.24 2005/04/28 23:26:30 minaguib Exp $
# WiFiDog Configuration file
GatewayID LIBRARY0
ExternalInterface br-wan
GatewayInterface br-lan

AuthServer {
	Hostname ADDRESS.pls-net.org
	HTTPPort 80
	Path /PATH/
}

CheckInterval 60
ClientTimeout 5

FirewallRuleSet global {
}

FirewallRuleSet validating-users {
	FirewallRule block tcp port 25
	FirewallRule allow to 0.0.0.0/0
}

FirewallRuleSet known-users {
	FirewallRule block to XXX.XXX.0.0/16
	FirewallRule allow to 0.0.0.0/0
}

FirewallRuleSet unknown-users {
	FirewallRule allow udp port 53
	FirewallRule allow tcp port 53
	FirewallRule allow udp port 67
	FirewallRule allow tcp port 67
}

FirewallRuleSet locked-users {
	FirewallRule block to 0.0.0.0/0
}
*************************************
END files
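When a captive-portal box like this one shows "ping works, TCP hangs", the first thing to check is which chain in the FORWARD path actually issues the verdict for a given client state. The script below is an added example, not code from the post or from the WiFiDog project: it parses the plain-text form of `iptables -L` (the format of the dump above), then walks a packet through FORWARD the way netfilter would, following jumps into user chains and honouring fall-through back to the caller. It matches only what `iptables -L` prints (protocol, destination, conntrack state, fwmark, destination port); interface and source matches that only `iptables -L -v` would show are assumed absent, and jumps to chains not present in the excerpt are assumed non-terminating. The embedded sample is a constructed excerpt of the post's own FORWARD and WiFiDog_* chains, and the fwmark values 0x2 (known), 0x254 (locked) and 0x0 (unknown) are taken from the chain names in that dump rather than from any WiFiDog source.

```python
import ipaddress
import re

# Added example: trace a packet through `iptables -L` text. Assumes the
# fwmark has already been set (WiFiDog does that in the mangle table, which
# this dump does not show) and that `iptables -L` omits interface matches.

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\w+)|(\d+) references)\)$")
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

# Constructed sample: an excerpt of the post's dump (FORWARD plus the
# WiFiDog chains it reaches), enough to trace the usual client states.
SAMPLE = """\
Chain FORWARD (policy DROP)
target prot opt source destination
WiFiDog_WIFI2Internet all -- anywhere anywhere
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Chain WiFiDog_AuthServers (1 references)
target prot opt source destination
ACCEPT all -- anywhere 10.199.30.20
Chain WiFiDog_Known (1 references)
target prot opt source destination
REJECT all -- anywhere 10.199.0.0/16 reject-with icmp-port-unreachable
ACCEPT all -- anywhere anywhere
Chain WiFiDog_Locked (1 references)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain WiFiDog_Unknown (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:53
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain WiFiDog_WIFI2Internet (1 references)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
WiFiDog_AuthServers all -- anywhere anywhere
WiFiDog_Locked all -- anywhere anywhere MARK match 0x254
WiFiDog_Known all -- anywhere anywhere MARK match 0x2
WiFiDog_Unknown all -- anywhere anywhere
"""


def parse_iptables_list(text):
    """Return {chain: {"policy": str|None, "refs": int|None, "rules": [...]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = CHAIN_RE.match(line)
        if m:
            name, policy, refs = m.groups()
            current = chains[name] = {"policy": policy,
                                      "refs": int(refs) if refs else None,
                                      "rules": []}
        elif line and not line.startswith("target ") and current is not None:
            target, prot, _opt, src, dst, *extra = line.split()
            current["rules"].append({"target": target, "prot": prot, "src": src,
                                     "dst": dst, "extra": " ".join(extra)})
    return chains


def rule_matches(rule, pkt):
    """Evaluate the match fields that `iptables -L` prints; the rest is ignored."""
    if rule["prot"] not in ("all", pkt["proto"]):
        return False
    if rule["dst"] != "anywhere" and ipaddress.ip_address(pkt["dst"]) not in \
            ipaddress.ip_network(rule["dst"], strict=False):
        return False
    extra = rule["extra"]
    m = re.search(r"\bstate (\S+)", extra)            # conntrack state list
    if m and pkt.get("state", "NEW") not in m.group(1).split(","):
        return False
    m = re.search(r"MARK match (0x[0-9a-fA-F]+)", extra)   # fwmark
    if m and pkt.get("mark", 0) != int(m.group(1), 16):
        return False
    m = re.search(r"dpt:(\d+)", extra)                # destination port
    if m and pkt.get("dport") != int(m.group(1)):
        return False
    return True


def trace(chains, chain, pkt, path=()):
    """Walk pkt through chain. Returns (verdict, path); verdict is None when
    the chain falls through, so the caller continues with its next rule."""
    path = path + (chain,)
    for rule in chains[chain]["rules"]:
        if not rule_matches(rule, pkt):
            continue
        target = rule["target"]
        if target in TERMINAL:
            return target, path
        if target == "RETURN":
            return None, path
        if target in chains:                          # jump into a user chain
            verdict, sub = trace(chains, target, pkt, path)
            if verdict is not None:
                return verdict, sub
        # TCPMSS, MARK, LOG and chains outside the excerpt: non-terminating
    return chains[chain]["policy"], path              # None for user chains


def trace_sample(mark, proto, dport, dst):
    """Trace one client packet through the sample FORWARD chain."""
    chains = parse_iptables_list(SAMPLE)
    return trace(chains, "FORWARD",
                 {"proto": proto, "dport": dport, "dst": dst, "mark": mark})


if __name__ == "__main__":
    print(trace_sample(0x2, "tcp", 80, "198.51.100.7"))   # authenticated client
    print(trace_sample(0x0, "tcp", 80, "198.51.100.7"))   # not yet authenticated
```

Run against a real dump, `trace_sample` shows that an authenticated client (mark 0x2) is accepted by WiFiDog_Known before the distribution's own forwarding chains are ever consulted, while an unauthenticated one ends in WiFiDog_Unknown's catch-all REJECT. If the trace says ACCEPT but TCP still stalls, the verdict chain is not the culprit and the remaining suspects lie outside what `iptables -L` prints: the mangle-table marking, NAT, or MSS clamping.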
More information about the WiFiDog mailing list