[isf-wifidog] IPTables locking up with OpenWRT - another distro?

Steve Congrave steve at congrave.com
Mon Feb 1 13:58:37 EST 2010


Thanks Andrew

In our case the load never exceeds 0.2 and whilst the problem does occur
with just a single user, it only happens maybe once a day. If we load the
router up with 5 or 6 users then it will happen about every 2 hours. The
iptables rules are rewritten (mangle table) about every 15 minutes per user
so that's maybe 24 times per hour so we are thinking that it may be a
resource issue. This is on 7.09 of course and the version of iptables that
came with that distro. We have swapped out hardware and the problem keeps
happening - we have even used the wrt54g-tm models to see if the extra
memory improved things but it didn't make a difference.

We also have a much simpler auth server but we only have 30-50 users online
at any point in time so it shouldn't be too stressed (auth server load is
0.2-0.4)

I'm definitely thinking that it's the rule rewriting in iptables that has a
resource issue.

Steve

From: wifidog-bounces at listes.ilesansfil.org
[mailto:wifidog-bounces at listes.ilesansfil.org] On Behalf Of
andrewhodel at gmail.com
Sent: Monday, February 01, 2010 9:05 AM
To: WiFiDog Captive Portal
Subject: Re: [isf-wifidog] IPTables locking up with OpenWRT - another distro?

I would keep track of the sysload on the particular APs you are having
trouble with.

We use wifidog on openwrt 8.09 for 200+ nodes with a custom auth server and
have experienced the same issue on rare occasions. However, when we
experience the issue the sysload usually shoots up to around 6+ and requires
a hard reboot to resolve. This can be seen by looking at the last gateway
update for the node which is down.

In my experience it is usually the same node that has the problem, and about
once a month on one node out of 200 isn't bad. From my logs the issue is not
related to the number of authenticated users, as we have had it happen with
as few as 6 while other nodes with the exact same hardware handle 20+
authenticated users without issue.

If I had to guess at this point I would blame it on a hardware issue with
that particular node.

You may want to test that you are actually having the problem on all nodes
and not just one or a few in particular. I would also recommend slimming
down openwrt as much as possible, there's a lot you do not need.

I will also say that with the number of users we have per auth server at
times, 350+, the wifidog auth server would become unstable. You may also
want to try splitting your nodes amongst multiple auth servers if you are
having more than 100 users online at any given time. We had to rewrite a
much leaner auth server to remedy this issue.



Regards,
Andrew Hodel



On Feb 1, 2010 9:52am, Steve Congrave <steve at congrave.com> wrote:
> I agree that OpenWRT is easy to use - we do have a partial build using the
> latest version but I'm reluctant to continue down that path until I'm sure
> that the iptables was resolved as others report the same problems. Our
> implementation makes a lot of use of iptables in a dynamic way and that may
> be the cause of the problem as we change rules so frequently.
>
> What are the DNS oddities that you experience because the result of the
> iptables problem is the client being denied access that looks exactly like a
> DNS issue from the client end?
>
> I appreciate your feedback.
>
> Steve
>
> -----Original Message-----
> From: wifidog-bounces at listes.ilesansfil.org
> [mailto:wifidog-bounces at listes.ilesansfil.org] On Behalf Of Aaron Z
> Sent: Monday, February 01, 2010 7:30 AM
> To: WiFiDog List
> Subject: [isf-wifidog] IPTables locking up with OpenWRT - another distro?
>
> Can you upgrade to the current version of OpenWRT (8.09.x) or is that not
> possible?
> We recently rolled out 40ish WAPS running OpenWRT 8.09 and WiFiDog (with a
> custom WiFiDog backend) on WRT54GL hardware and are very happy with them. We
> have them in libraries and use WiFiDog for the public network
> (authentication against our patron database and access control only) and a
> WPA2 encrypted network for staff use.
> We do a nightly reboot (to force them to check for updates and because of
> some DNS oddities that seem to crop up after the WAP has been running for a
> few days) but we are very happy with it. I personally find OpenWRT easier to
> work with than DD-Wrt, but that is probably just a personal preference.
>
> Aaron Z
>
> ----- "Steve Congrave" <steve at congrave.com> wrote:
>
> > From: "Steve Congrave" <steve at congrave.com>
> > To: "WiFiDog Captive Portal" <wifidog at listes.ilesansfil.org>
> > Sent: Monday, February 1, 2010 1:58:06 AM GMT -05:00 US/Canada Eastern
> > Subject: [isf-wifidog] IPTables locking up with OpenWRT - another distro?
> >
> > https://dev.openwrt.org/ticket/2558
> >
> > This ticket is showing as closed but it appears that others are still
> > having problems.
> >
> > Our routers (WRT54GL) running OpenWRT 7.09 are locking up at least once a
> > day - much more often when they have 5 or 6 customers connected and we
> > implemented the update at https://dev.openwrt.org/changeset/16141
> >
> > We have tried everything that we can think of to get this working but it's
> > hard to even find a workaround as there seems to be no way of testing for it
> > happening. At the moment we are running a reboot every 2 hours just to get
> > around this but it's hardly satisfactory.
> >
> > Is anyone else on the list having a problem - has anyone fixed it yet? Have
> > you all moved away from OpenWRT because of it?
> >
> > What other distro would you suggest to try instead of OpenWRT on a Linksys
> > WRT54GL for WifiDog?
> >
> > _______________________________________________
> > WiFiDog mailing list
> > WiFiDog at listes.ilesansfil.org
> > http://listes.ilesansfil.org/cgi-bin/mailman/listinfo/wifidog