[isf-wifidog] Fwd: Problems with WiFiDog 1.1.5-2 and Open-WRT 8.09
Jean-Philippe Menil
jean-philippe.menil at univ-nantes.fr
Tue Apr 14 15:42:51 EDT 2009
Aaron Z wrote:
> Hello all,
> My name is Aaron and I am a Systems Administrator for the Pioneer Library System. We are currently running Open-WRT White Russian (.09) and WiFiDog 1.1.3 on wireless access points in ~36 of our libraries. We have them authenticating to a custom WiFiDog backend (which will hopefully be replaced with a less custom version this year). Some of the installs are 4-5 years old and we are getting ready to refresh them and add throttling. While researching that, I discovered that upgrading to Open-WRT Kamikaze will let me have two SSIDs, which would be useful.
>
> So, I have a test box. It is a Linksys WRT54GL v.1.1 on which I am running Open-WRT Kamikaze 8.09 and WiFiDog 1.1.5-2. The box has 2 SSIDs: STAFF, which is encrypted and terminates in the WAN (vlan1, not throttled, gets addresses from the DHCP server in the WAN), and PUBLIC, which is un-encrypted and terminates in the LAN (vlan0, throttled to 2.5M/250K down/up); throttling is done with the qos-scripts package.
>
> This works great until I install and run WiFiDog. When that happens, I get to the authentication page, I enter my library card number and PIN, and I then get sent to the authentication completed page. All seems well until I try to go anywhere else; I then get "Waiting for google.com" and eventually Firefox times out and I am left with a blank page. What is odd is that I can ping google.com and I get a response (with a 30-60ms response time).
>
> Has anyone else run across a similar issue?
> Do I need to post more configuration info?
>
> Thanks for your time.
>
> Aaron Z
> Junior Systems Administrator
> Pioneer Library System
>
> List of installed packages:
> **************************
> root at OpenWrt:/etc# opkg list_installed
> base-files-brcm-2.4 - 14-r14511 -
> bridge - 1.0.6-1 -
> busybox - 1.11.2-2 -
> dnsmasq - 2.46-1 -
> dropbear - 0.51-2 -
> firewall - 1-1 -
> iptables - 1.3.8-4 -
> iptables-mod-conntrack - 1.3.8-4 -
> iptables-mod-conntrack-extra - 1.3.8-4 -
> iptables-mod-extra - 1.3.8-4 -
> iptables-mod-filter - 1.3.8-4 -
> iptables-mod-imq - 1.3.8-4 -
> iptables-mod-ipopt - 1.3.8-4 -
> iptables-mod-nat - 1.3.8-4 -
> iptables-mod-nat-extra - 1.3.8-4 -
> kernel - 2.4.35.4-brcm-2.4-1 -
> kmod-brcm-wl - 2.4.35.4+4.150.10.5.3-brcm-2.4-2 -
> kmod-diag - 2.4.35.4-brcm-2.4-4 -
> kmod-ipt-conntrack - 2.4.35.4-brcm-2.4-1 -
> kmod-ipt-conntrack-extra - 2.4.35.4-brcm-2.4-1 -
> kmod-ipt-core - 2.4.35.4-brcm-2.4-1 -
> kmod-ipt-extra - 2.4.35.4-brcm-2.4-1 -
> kmod-ipt-filter - 2.4.35.4-brcm-2.4-1 -
> kmod-ipt-imq - 2.4.35.4-brcm-2.4-1 -
> kmod-ipt-ipopt - 2.4.35.4-brcm-2.4-1 -
> kmod-ipt-nat - 2.4.35.4-brcm-2.4-1 -
> kmod-ipt-nat-extra - 2.4.35.4-brcm-2.4-1 -
> kmod-ipt-nathelper - 2.4.35.4-brcm-2.4-1 -
> kmod-ppp - 2.4.35.4-brcm-2.4-1 -
> kmod-pppoe - 2.4.35.4-brcm-2.4-1 -
> kmod-sched - 2.4.35.4-brcm-2.4-1 -
> kmod-switch - 2.4.35.4-brcm-2.4-1 -
> kmod-wlcompat - 2.4.35.4+4.150.10.5.3-brcm-2.4-2 -
> libgcc - 3.4.6-14 -
> liblua - 5.1.4-2 -
> libncurses - 5.6-1 -
> libpthread - 0.9.29-14 -
> libuci - 0.7.3-1 -
> libuci-lua - 0.7.3-1 -
> lua - 5.1.4-2 -
> luci-admin-core - 0.8.6-1 -
> luci-admin-full - 0.8.6-1 -
> luci-admin-mini - 0.8.6-1 -
> luci-app-firewall - 0.8.6-1 -
> luci-cbi - 0.8.6-1 -
> luci-core - 0.8.6-1 -
> luci-http - 0.8.6-1 -
> luci-i18n-english - 0.8.6-1 -
> luci-ipkg - 0.8.6-1 -
> luci-sgi-cgi - 0.8.6-1 -
> luci-sys - 0.8.6-1 -
> luci-theme-base - 0.8.6-1 -
> luci-theme-openwrt - 0.8.6-1 -
> luci-uci - 0.8.6-1 -
> luci-uvl - 0.8.6-1 -
> luci-web - 0.8.6-1 -
> mtd - 8 -
> nano - 2.0.7-1 -
> nas - 4.150.10.5.3-2 -
> nvram - 1 -
> opkg - 4564-3 -
> ppp - 2.4.3-10 -
> ppp-mod-pppoe - 2.4.3-10 -
> qos-scripts - 1.2.1-2 -
> tc - 2.6.25-1 -
> uci - 0.7.3-1 -
> uclibc - 0.9.29-14 -
> wifidog - 1.1.5-2 -
> wireless-tools - 29-2 -
> wlc - 4.150.10.5.3-2 -
> **************************
>
> Output of iptables -L
> **************************
> root at OpenWrt:~# iptables -L
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> DROP all -- anywhere anywhere state INVALID
> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
> ACCEPT all -- anywhere anywhere
> syn_flood tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
> input_rule all -- anywhere anywhere
> input all -- anywhere anywhere
>
> Chain FORWARD (policy DROP)
> target prot opt source destination
> WiFiDog_WIFI2Internet all -- anywhere anywhere
> DROP all -- anywhere anywhere state INVALID
> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
> forwarding_rule all -- anywhere anywhere
> forward all -- anywhere anywhere
> reject all -- anywhere anywhere
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
> DROP all -- anywhere anywhere state INVALID
> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
> ACCEPT all -- anywhere anywhere
> output_rule all -- anywhere anywhere
> output all -- anywhere anywhere
>
> Chain WiFiDog_AuthServers (1 references)
> target prot opt source destination
> ACCEPT all -- anywhere 10.199.30.20
>
> Chain WiFiDog_Global (1 references)
> target prot opt source destination
>
> Chain WiFiDog_Known (1 references)
> target prot opt source destination
> REJECT all -- anywhere 10.199.0.0/16 reject-with icmp-port-unreachable
> ACCEPT all -- anywhere anywhere
>
> Chain WiFiDog_Locked (1 references)
> target prot opt source destination
> REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
>
> Chain WiFiDog_Unknown (1 references)
> target prot opt source destination
> ACCEPT udp -- anywhere anywhere udp dpt:53
> ACCEPT tcp -- anywhere anywhere tcp dpt:53
> ACCEPT udp -- anywhere anywhere udp dpt:67
> ACCEPT tcp -- anywhere anywhere tcp dpt:67
> REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
>
> Chain WiFiDog_Validate (1 references)
> target prot opt source destination
> REJECT tcp -- anywhere anywhere tcp dpt:25 reject-with icmp-port-unreachable
> ACCEPT all -- anywhere anywhere
>
> Chain WiFiDog_WIFI2Internet (1 references)
> target prot opt source destination
> DROP all -- anywhere anywhere state INVALID
> TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
> WiFiDog_AuthServers all -- anywhere anywhere
> WiFiDog_Locked all -- anywhere anywhere MARK match 0x254
> WiFiDog_Global all -- anywhere anywhere
> WiFiDog_Validate all -- anywhere anywhere MARK match 0x1
> WiFiDog_Known all -- anywhere anywhere MARK match 0x2
> WiFiDog_Unknown all -- anywhere anywhere
>
> Chain forward (1 references)
> target prot opt source destination
> zone_lan_forward all -- anywhere anywhere
> zone_wan_forward all -- anywhere anywhere
> zone_wan_forward all -- anywhere anywhere
>
> Chain forwarding_lan (1 references)
> target prot opt source destination
>
> Chain forwarding_rule (1 references)
> target prot opt source destination
>
> Chain forwarding_wan (1 references)
> target prot opt source destination
>
> Chain input (1 references)
> target prot opt source destination
> zone_lan all -- anywhere anywhere
> zone_wan all -- anywhere anywhere
> zone_wan all -- anywhere anywhere
>
> Chain input_lan (1 references)
> target prot opt source destination
>
> Chain input_rule (1 references)
> target prot opt source destination
>
> Chain input_wan (1 references)
> target prot opt source destination
>
> Chain output (1 references)
> target prot opt source destination
> zone_lan_ACCEPT all -- anywhere anywhere
> zone_wan_ACCEPT all -- anywhere anywhere
>
> Chain output_rule (1 references)
> target prot opt source destination
>
> Chain reject (7 references)
> target prot opt source destination
> REJECT tcp -- anywhere anywhere reject-with tcp-reset
> REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
>
> Chain syn_flood (1 references)
> target prot opt source destination
> RETURN tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50
> DROP all -- anywhere anywhere
>
> Chain zone_lan (1 references)
> target prot opt source destination
> input_lan all -- anywhere anywhere
> zone_lan_ACCEPT all -- anywhere anywhere
>
> Chain zone_lan_ACCEPT (3 references)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere
> ACCEPT all -- anywhere anywhere
>
> Chain zone_lan_DROP (0 references)
> target prot opt source destination
> DROP all -- anywhere anywhere
> DROP all -- anywhere anywhere
>
> Chain zone_lan_MSSFIX (1 references)
> target prot opt source destination
> TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
>
> Chain zone_lan_REJECT (1 references)
> target prot opt source destination
> reject all -- anywhere anywhere
> reject all -- anywhere anywhere
>
> Chain zone_lan_forward (1 references)
> target prot opt source destination
> forwarding_lan all -- anywhere anywhere
> zone_lan_REJECT all -- anywhere anywhere
>
> Chain zone_wan (2 references)
> target prot opt source destination
> ACCEPT tcp -- anywhere anywhere tcp dpt:22
> input_wan all -- anywhere anywhere
> zone_wan_REJECT all -- anywhere anywhere
>
> Chain zone_wan_ACCEPT (1 references)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere
> ACCEPT all -- anywhere anywhere
> ACCEPT all -- anywhere anywhere
> ACCEPT all -- anywhere anywhere
>
> Chain zone_wan_DROP (0 references)
> target prot opt source destination
> DROP all -- anywhere anywhere
> DROP all -- anywhere anywhere
> DROP all -- anywhere anywhere
> DROP all -- anywhere anywhere
>
> Chain zone_wan_MSSFIX (0 references)
> target prot opt source destination
> TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
> TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
>
> Chain zone_wan_REJECT (2 references)
> target prot opt source destination
> reject all -- anywhere anywhere
> reject all -- anywhere anywhere
> reject all -- anywhere anywhere
> reject all -- anywhere anywhere
>
> Chain zone_wan_forward (2 references)
> target prot opt source destination
> zone_lan_MSSFIX all -- anywhere anywhere
> zone_lan_ACCEPT all -- anywhere anywhere
> forwarding_wan all -- anywhere anywhere
> zone_wan_REJECT all -- anywhere anywhere
> **************************
>
> /etc/config/firewall
> config 'defaults'
> option 'syn_flood' '1'
> option 'input' 'ACCEPT'
> option 'output' 'ACCEPT'
> option 'forward' 'REJECT'
>
> config 'zone'
> option 'name' 'lan'
> option 'input' 'ACCEPT'
> option 'output' 'ACCEPT'
> option 'forward' 'REJECT'
>
> config 'zone'
> option 'name' 'wan'
> option 'input' 'REJECT'
> option 'output' 'ACCEPT'
> option 'forward' 'REJECT'
> option 'masq' '1'
>
> config 'forwarding'
> option 'mtu_fix' '1'
> option 'src' 'wan'
> option 'dest' 'lan'
>
> config 'rule'
> option 'target' 'ACCEPT'
> option '_name' 'SSH_In'
> option 'src' 'wan'
> option 'proto' 'tcp'
> option 'dest_port' '22'
> **************************
>
> /etc/config/network
> #### VLAN configuration
> config switch eth0
> option vlan0 "0 1 2 3 5*"
> option vlan1 "4 5"
>
> #### Loopback configuration
> config interface loopback
> option ifname "lo"
> option proto static
> option ipaddr 127.0.0.1
> option netmask 255.0.0.0
>
> #### LAN configuration
> config interface lan
> option type bridge
> option ifname "eth0.0"
> option proto static
> option ipaddr 192.168.1.1
> option netmask 255.255.255.0
>
> #### WAN configuration
> config interface wan
> option type bridge
> option ifname "eth0.1"
> option proto dhcp
> **************************
>
> /etc/config/qos
> # QoS configuration for OpenWrt
>
> # INTERFACES:
> config interface wan
> option classgroup "Default"
> option enabled 1
> option overhead 1
> option upload 250
> option download 2500
> ##the rest of the file is unchanged from the stock config
> **************************
>
> /etc/wifidog.conf
> # $Header: /cvsroot/wifidog/wifidog/wifidog.conf,v 1.24 2005/04/28 23:26:30 minaguib Exp $
> # WiFiDog Configuration file
>
> GatewayID LIBRARY0
>
> ExternalInterface br-wan
>
> GatewayInterface br-lan
>
> AuthServer {
> Hostname ADDRESS.pls-net.org
> HTTPPort 80
> Path /PATH/
> }
>
> CheckInterval 60
>
> ClientTimeout 5
>
> FirewallRuleSet global {
>
> }
>
> FirewallRuleSet validating-users {
> FirewallRule block tcp port 25
> FirewallRule allow to 0.0.0.0/0
> }
>
>
> FirewallRuleSet known-users {
> FirewallRule block to XXX.XXX.0.0/16
> FirewallRule allow to 0.0.0.0/0
> }
>
> FirewallRuleSet unknown-users {
> FirewallRule allow udp port 53
> FirewallRule allow tcp port 53
> FirewallRule allow udp port 67
> FirewallRule allow tcp port 67
> }
>
> FirewallRuleSet locked-users {
> FirewallRule block to 0.0.0.0/0
> }
> *************************************
> END files
> _______________________________________________
> WiFiDog mailing list
> WiFiDog at listes.ilesansfil.org
> http://listes.ilesansfil.org/cgi-bin/mailman/listinfo/wifidog
Hi,
I don't know much about Open-WRT,
but why, in your iptables rules, do you have a drop rule before your accept?
--
Menil Jean-Philippe
DSI, Université de Nantes
Tel: 02 51 12 53 92
Fax: 02 51 12 58 60
Jean-Philippe.Menil at univ-nantes.fr
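To see what the quoted `iptables -L` listing actually does to a client's traffic, here is a small chain walker that models the WiFiDog chains exactly as they appear in Aaron's output. This is an added example, not code from the thread or from the WiFiDog project: the chain contents are transcribed from the listing, while the `Packet` type, the sample packets and the single `state` label are constructed for the model. Two caveats a practitioner would want: `iptables -L` without `-v` hides interface matches, so the `-i <gateway interface>` match that WiFiDog normally puts on the `WiFiDog_WIFI2Internet` jump is not visible and the model assumes every packet arrives from the gateway side (run `iptables -L -v -n` or `iptables -S` to see the full rules); and the `TCPMSS` rule's SYN-flag match is ignored, which changes nothing because `TCPMSS` is non-terminating either way. The OpenWrt zone chains after the WiFiDog jump are not modelled.

```python
"""Model of the WiFiDog FORWARD-chain traversal from the quoted iptables -L output.
Added example (not from the thread or the WiFiDog project); chains transcribed from
the listing, packets and the 'state' label are constructed, interface matches and
TCP flag matches are not modelled (iptables -L without -v does not show interfaces)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# fwmark values wifidog sets per client, as shown in the WiFiDog_WIFI2Internet chain
MARK_VALIDATE, MARK_KNOWN, MARK_LOCKED = 0x1, 0x2, 0x254
TERMINAL = {"ACCEPT", "DROP", "REJECT"}
NON_TERMINAL = {"TCPMSS", "MARK", "LOG"}  # act on the packet, then fall through


@dataclass
class Packet:                    # constructed for the model
    dst: str                     # destination IPv4 address
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # destination port for tcp/udp
    mark: int = 0                # 0 = unmarked, i.e. an unknown client
    state: str = "NEW"           # NEW, ESTABLISHED, RELATED or INVALID


@dataclass
class Rule:
    target: str                         # verdict, or name of the chain to jump to
    proto: str = "all"
    dst: Optional[str] = None           # CIDR the destination must fall in
    dport: Optional[int] = None
    mark: Optional[int] = None          # exact fwmark match (no mask)
    states: Optional[frozenset] = None  # conntrack states the rule matches

    def matches(self, p: Packet) -> bool:
        if self.proto != "all" and self.proto != p.proto:
            return False
        if self.dst and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.mark is not None and self.mark != p.mark:
            return False
        return self.states is None or p.state in self.states


INVALID, ESTAB = frozenset({"INVALID"}), frozenset({"RELATED", "ESTABLISHED"})

# Transcribed from the quoted listing; rule order matters.
CHAINS = {
    "FORWARD": [Rule("WiFiDog_WIFI2Internet"), Rule("DROP", states=INVALID),
                Rule("ACCEPT", states=ESTAB)],  # OpenWrt zone chains follow, not modelled
    "WiFiDog_WIFI2Internet": [
        Rule("DROP", states=INVALID), Rule("TCPMSS", proto="tcp"),
        Rule("WiFiDog_AuthServers"), Rule("WiFiDog_Locked", mark=MARK_LOCKED),
        Rule("WiFiDog_Global"), Rule("WiFiDog_Validate", mark=MARK_VALIDATE),
        Rule("WiFiDog_Known", mark=MARK_KNOWN), Rule("WiFiDog_Unknown")],
    "WiFiDog_AuthServers": [Rule("ACCEPT", dst="10.199.30.20/32")],
    "WiFiDog_Global": [],
    "WiFiDog_Locked": [Rule("REJECT")],
    "WiFiDog_Validate": [Rule("REJECT", proto="tcp", dport=25), Rule("ACCEPT")],
    "WiFiDog_Known": [Rule("REJECT", dst="10.199.0.0/16"), Rule("ACCEPT")],
    "WiFiDog_Unknown": [Rule("ACCEPT", proto="udp", dport=53), Rule("ACCEPT", proto="tcp", dport=53),
                        Rule("ACCEPT", proto="udp", dport=67), Rule("ACCEPT", proto="tcp", dport=67),
                        Rule("REJECT")],
}


def walk(chain: str, p: Packet) -> Tuple[Optional[str], List[str]]:
    """Traverse one chain: (verdict, chains visited); verdict is None if it falls through."""
    visited = [chain]
    for rule in CHAINS.get(chain, []):
        if not rule.matches(p):
            continue
        if rule.target in TERMINAL:
            return rule.target, visited
        if rule.target in NON_TERMINAL:
            continue
        if rule.target == "RETURN":
            return None, visited
        verdict, sub = walk(rule.target, p)  # jump into a user-defined chain
        visited.extend(sub)
        if verdict is not None:
            return verdict, visited
    return None, visited


def verdict_for(p: Packet, policy: str = "DROP") -> Tuple[str, List[str]]:
    """Verdict the FORWARD chain (policy DROP, as in the listing) gives packet p."""
    verdict, visited = walk("FORWARD", p)
    return (verdict if verdict is not None else policy), visited


if __name__ == "__main__":
    samples = [  # constructed packets
        ("unknown client, DNS", Packet("8.8.8.8", "udp", 53)),
        ("unknown client, HTTP", Packet("8.8.8.8", "tcp", 80)),
        ("unknown client, auth server", Packet("10.199.30.20", "tcp", 80)),
        ("known client, HTTP", Packet("8.8.8.8", "tcp", 80, mark=MARK_KNOWN)),
        ("known client, to 10.199/16", Packet("10.199.5.5", "tcp", 80, mark=MARK_KNOWN)),
        ("validating client, SMTP", Packet("8.8.8.8", "tcp", 25, mark=MARK_VALIDATE)),
        ("any client, INVALID state", Packet("8.8.8.8", "tcp", 80, state="INVALID")),
    ]
    for label, pkt in samples:
        v, path = verdict_for(pkt)
        print(f"{label:30} -> {v:6}  via {' > '.join(path)}")
```

The walk shows that in this layout a packet never reaches the OpenWrt zone chains: unknown clients are allowed only DNS and DHCP and the auth server, and marked clients get their verdict inside `WiFiDog_Known`, `WiFiDog_Validate` or `WiFiDog_Locked`. It also shows that the `DROP ... state INVALID` rule ahead of the `ACCEPT ... state RELATED,ESTABLISHED` rule only touches packets conntrack cannot attribute to any flow, which is the usual ordering; the listing on its own cannot explain an HTTP hang that ping survives, so the next things to compare would be the `-v -n` listing with counters while the stall happens and the mangle-table MARK rules that `iptables -L` (filter table only) does not show.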