Koozali.org: home of the SME Server

dansguardian and CoovaChilli

Offline tropicalview

dansguardian and CoovaChilli
« on: April 09, 2009, 04:51:47 AM »
Dear all,

I'm running SME Server at a school and it's running perfectly.
We are using dansguardian to be able to log and restrict internet access for the students.

We are now considering buying an additional NIC and installing CoovaChilli as an access point feed for laptops.

Does anybody know if these 2 contribs conflict? And if not, can I use the dansguardian filter / logging on this new network?

Kind regards.
The sky is not the limit, But when I reach the sky, for sure I will not try to go to the limit.... (donated $25,- upto now)

Offline Stefano

Re: dansguardian and CoovaChilli
« Reply #1 on: April 09, 2009, 09:22:11 AM »
tropicalview

as you are not a SME newbie, you should know that dual eth in SME is supported only in Server & Gateway mode (or in binding mode)..

using a second NIC to have a separate Wi-Fi LAN will be, IMO, hard work in SME

my 2c

Ciao
Stefano

Offline cactus

Re: dansguardian and CoovaChilli
« Reply #2 on: April 09, 2009, 09:31:10 AM »
> as you are not a SME newbie, you should know that dual eth in SME is supported only in Server & Gateway mode (or in binding mode)..

True... but that is what the smeserver-coovachili package does for you according to http://wiki.contribs.org/CoovaChilli#Description
Be careful whose advice you buy, but be patient with those who supply it. Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts and recycling it for more than its worth ~ Baz Luhrmann - Everybody's Free (To Wear Sunscreen)

Offline Daniel B.

Re: dansguardian and CoovaChilli
« Reply #3 on: April 09, 2009, 09:38:51 AM »
Yes, the CoovaChilli contrib is made to support a 3rd NIC when running in server & gateway mode (server only is not supported).

For Dansguardian I don't know, I don't use it. You'll have to do some customization to both contribs if you want it to work (redirect to port 8080 instead of 3128, open port 8080 for the clients, allow requests from 10.1.0.0/24 in dansguardian etc...). But CoovaChilli works pretty well with squid+squidGuard, I'm actually using it.

Cheers, Daniel
C'est la fin du monde !!! :lol:

Offline tropicalview

Re: dansguardian and CoovaChilli
« Reply #4 on: April 09, 2009, 12:59:51 PM »
Hi VIP-ire.
Thanks for your answer, you gave me some stuff to test in a VMware / lab test.

Sorry Stefano, I should have explained my situation better.
Indeed, the server I'm talking about is already in gateway mode and I'm using dansguardian over that to filter / log the web requests.
The new NIC will be the 3rd NIC in the system.

Kind regards,

Offline David Harper

Re: dansguardian and CoovaChilli
« Reply #5 on: April 12, 2009, 04:42:10 AM »
I think there will be three issues:

1. Is the eth2 network regarded as "local" by SME Server? If yes, dansguardian will be available for use.
2. Can CoovaChilli be customised to redirect to port 8080 [dansguardian], rather than 3128 [squid]?
3. Does the dansguardian port blocking work on the eth2 network? Otherwise just pointing the browser to 3128 will bypass the filtering.

A little bit of testing should shed some light on these issues.

Offline Daniel B.

Re: dansguardian and CoovaChilli
« Reply #6 on: April 12, 2009, 02:26:42 PM »
> 1. Is the eth2 network regarded as "local" by SME Server? If yes, dansguardian will be available for use.

Of course not. Captive portal clients are not trusted (btw, the interface to look at is tun0, not eth2 as chilli will mask the traffic as incoming from tun0). You'll have to configure dansguardian to bind on tun0 (10.1.0.1 is the default IP), and to accept requests from this network.

> 2. Can CoovaChilli be customised to redirect to port 8080 [dansguardian], rather than 3128 [squid]?

Yes, it's possible, you'll have to customize the /etc/chilli/conup.sh and /etc/chilli/condown.sh scripts. They won't be overridden on upgrades. This script will open needed ports and redirection when a client connects, avoiding the possibility to bypass the authentication with squid.

> 3. Does the dansguardian port blocking work on the eth2 network? Otherwise just pointing the browser to 3128 will bypass the filtering.

No need to block squid, it's blocked by default. Depending on the key WebRequest, which can be 'direct' or 'squid', squid may be opened for clients, but only once they are authenticated (if the value is 'squid').

Hope this helps, just let me know if you can get this to work. Unfortunately, I do not use dansguardian, so I won't be able to test, but I may be able to help with some assistance.

Cheers, Daniel
C'est la fin du monde !!! :lol:
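
Added example, not part of any post in this thread and not the CoovaChilli contrib's own scripts: a small audit of `iptables-save` output that checks whether web traffic arriving on tun0 is forced to dansguardian on port 8080 and whether squid on port 3128 is reachable from portal clients. The two rule dumps are constructed samples, and the rules the real conup.sh installs may look different; rule order and jumps to other chains are not evaluated.

```python
import shlex
# Interface and ports are the ones named in the thread; both dumps are constructed.
PORTAL_IF, FILTER_PORT, SQUID_PORT = "tun0", "8080", "3128"
GOOD = """*nat
-A PREROUTING -i tun0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
*filter
-A INPUT -i tun0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -i tun0 -p tcp -m tcp --dport 3128 -j DROP
COMMIT"""
# Same dump, but port 80 is sent to squid and squid is opened to portal clients.
BAD = GOOD.replace("--to-ports 8080", "--to-ports 3128").replace("3128 -j DROP", "3128 -j ACCEPT")

def parse_rules(dump):
    """Yield (table, options) for every -A rule in iptables-save text."""
    table = None
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
        elif line.startswith("-A "):
            tok, neg, i = shlex.split(line), "", 2
            opts = {"chain": tok[1]}
            while i < len(tok):
                if tok[i] == "!":  # negated match: keep "!" in the stored value
                    neg, i = "!", i + 1
                elif tok[i].startswith("-") and i + 1 < len(tok) and not tok[i + 1].startswith("-"):
                    opts[tok[i]] = neg + tok[i + 1]
                    neg, i = "", i + 2
                else:
                    i += 1
            yield table, opts

def audit(dump):
    """Return findings; an empty list means tun0 web traffic is forced to the filter."""
    findings, forced = [], False
    for table, r in parse_rules(dump):
        if r.get("-i") != PORTAL_IF or r.get("-p") != "tcp":
            continue  # only rules that explicitly match portal TCP traffic are judged
        dport, target = r.get("--dport"), r.get("-j")
        if table == "nat" and r["chain"] == "PREROUTING" and dport == "80":
            if target == "REDIRECT" and r.get("--to-ports") == FILTER_PORT:
                forced = True
            else:
                findings.append("port 80 handled by %s %s" % (target, r.get("--to-ports")))
        if table == "filter" and dport == SQUID_PORT and target == "ACCEPT":
            findings.append("squid port %s accepted from %s" % (SQUID_PORT, PORTAL_IF))
    if not forced:
        findings.append("no REDIRECT of port 80 to %s" % FILTER_PORT)
    return findings
```

Calling `audit()` on the text of `iptables-save` captured while a portal client is connected returns an empty list only when port 80 is redirected to 8080 and no tun0 rule accepts 3128.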

Offline ntblade

Re: dansguardian and CoovaChilli
« Reply #7 on: June 15, 2009, 04:56:34 PM »
Hi all,
Has anyone been able to get DG and Coovachilli to work together yet?

Norrie

Offline tropicalview

Re: dansguardian and CoovaChilli
« Reply #8 on: June 15, 2009, 05:49:59 PM »
Hi,

I had installed it in a VMware machine, and have tested it with 4 private network clients and 2 hotspot users.
It worked fine.

Offline ntblade

Re: dansguardian and CoovaChilli
« Reply #9 on: June 15, 2009, 07:25:48 PM »
Hi, thanks for your reply,
Do you remember what you had to do to get them both to work together?
CoovaChilli works (with guest access) but there seems to be no filtering.

Norrie

Offline tropicalview

Re: dansguardian and CoovaChilli
« Reply #10 on: June 15, 2009, 07:41:26 PM »
I had opened the rights to connect to the proxy, and configured the clients to connect via proxy.

I was searching for a way to force the clients to use the proxy settings.