Koozali.org: home of the SME Server
Obsolete Releases => SME 7.x Contribs => Topic started by: Daniel B. on April 08, 2008, 11:19:25 AM
-
Hi everyone.
I post here to announce a new contrib: smeserver-coova-chilli. Coova-Chilli (http://coova.org) is a captive portal based on chilliSpot. It'll configure a 3rd interface on your SME server (works only in server&gateway). Then, just plug an AP on this new interface, and you're done. Users will have to enter credentials in order to have http/https access. You can also control the bandwidth used. The how-to is here:
http://sme.firewall-services.com/spip.php?article61 and some doc here: http://sme.firewall-services.com/spip.php?article62 . Both are in French for now. I'll translate it later, when it's mature enough, and I'll add it to the wiki. If someone wants to help me with the translation, I'm interested.
For now, do not install on production servers, just test machines (in server&gateway).
If some security experts could look at it, I'd be glad. I think it's OK, I have been very careful, but I'd like some other advice.
Cheers, Daniel
-
Excellent!
So with this I can replace my microtik?
With this I can share two internet connections with an extra NIC?
Thank you
-
I'm not sure what a microtik is (a kind of wireless router with a captive portal like the fonAP?). Anyway, this contrib needs a 3rd NIC on your server, but you cannot connect a second internet connection on it, it's just for wifi users (you plug a standard AP on this 3rd NIC, and users will have http/https access only if they have valid credentials, their traffic will be filtered by SME, and will go through the WAN NIC).
-
Looking forward to an English wiki, I've been waiting for a captive portal with a 3rd NIC for a while now. :)
I've put in the 3rd NIC already now ;)
-
Hello VIP-ire,
It is excellent work!! Congratulations! =)
Looking forward to an English wiki
Saleh
-
Hi
Am I correct in understanding that this will work without a Wireless AP? That is if I plug the 3rd NIC into a "second" LAN, then the clients on that LAN will be subject to the management?
In both forms (wireless and non wireless) it could prove very useful.
I can just about understand the French instructions, so I'll try to get some time to try it shortly.
-
You're right, it can work with wired clients, as well as with wireless. But, once again, I repeat, please, install it on test servers: this morning, I've just found a security breach (users can access the internet if they manually set their browser to use proxy 10.1.0.1:3128, so they can bypass the auth). This problem will be corrected as soon as I can (I've already found a solution).
-
You're right, it can work with wired clients, as well as with wireless. But, once again, I repeat, please, install it on test servers
Good news, and I will be trying it on a test system.
One question - does it use the "usual" DHCP, i.e. are the Ip addresses which are allocated in the normal LAN subnet, or are they from a separate subnet?
-
coova-chilli will act as a DHCP server for clients connected on the 3rd interface (either wireless or wired). You need the clients connected directly to the new interface (I mean, switch and AP are OK, routers are not because they won't pass broadcast messages like DHCP requests).
The default is to assign addresses in the range 10.1.0.0/24 for the clients. This LAN is totally separated from the private LAN. No communication between the two LANs is allowed.
-
That's even better news! Thanks for the info.
-
Hello VIP-ire,
Can We Do That?
1) editing coova-chilli configuration via SME Server Manager
2) online users via SME Server Manager
Thanks,
Saleh
-
For now, no. But configuration is quite simple, only with some db commands. I'll write detailed instructions in English when I can. For the online users, you can do on the command line
chilli_query list
to have the list of the users currently online. Maybe I'll write a simple panel later, when the contrib is more mature
-
Any further development on this? :-P
Bob
-
VIP-ire,
Is the fix for bypassing the portal an easy fix? I think I have a use for this, but want to make sure they have to use the portal.
Thanks
Bob
-
Yes, this issue has been fixed in release 0.1-1. You can now find the latest release in smetest repo. I have some ideas to enhance the contrib (mainly at the firewall level). When this is done, I'll write a how-to in the wiki
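A regression check for the proxy bypass discussed above (browser pointed at 10.1.0.1:3128), added here as an example and not part of the thread or the contrib. It is meant to run on a client attached to the hotspot interface before logging in; the gateway address, port and probe URL are the values quoted in the thread, and since the thread does not say how release 0.1-1 closes the hole, the script only reports what it observes.

```python
import socket
import sys

# Assumptions (values quoted in the thread, not read from the contrib):
# 10.1.0.1:3128 is the proxy address from the bypass report, and the probe
# URL is the dummy address the thread suggests for redirect tests.
GATEWAY = "10.1.0.1"
PROXY_PORT = 3128
PROBE_URL = "http://11.12.13.14/"


def check_prelogin_proxy(host=GATEWAY, port=PROXY_PORT, timeout=3.0):
    """Probe the gateway's proxy port from a client that has NOT logged in.

    Returns (state, detail) where state is one of:
      "blocked"          - TCP connect refused or timed out
      "open-no-http"     - port accepts connections but gives no HTTP answer
      "proxy-responding" - an HTTP status line came back; detail holds it, so
                           the operator can see whether the request was
                           served or denied
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "blocked", str(exc)
    with sock:
        sock.settimeout(timeout)
        # Proxy-style request line (absolute URL), as a browser configured
        # with an explicit proxy would send it.
        request = "GET {} HTTP/1.0\r\nHost: 11.12.13.14\r\n\r\n".format(PROBE_URL)
        try:
            sock.sendall(request.encode("ascii"))
            data = sock.recv(256)
        except OSError as exc:
            return "open-no-http", str(exc)
    status_line = data.split(b"\r\n", 1)[0].decode("latin-1")
    if status_line.startswith("HTTP/"):
        return "proxy-responding", status_line
    return "open-no-http", status_line


if __name__ == "__main__":
    state, detail = check_prelogin_proxy()
    print("{}:{} -> {} ({})".format(GATEWAY, PROXY_PORT, state, detail))
    # Non-zero exit when the port is reachable before login, so the check
    # can be scripted on a test client after each upgrade of the contrib.
    sys.exit(0 if state == "blocked" else 1)
```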
-
Thanks
Bob
-
Hello VIP-ire,
I have the 2 RPMs coova-chilli-1.0.11-1.i386.rpm and smeserver-coova-chilli-0.1-1.noarch.rpm but cannot log in via the login web pages, can you give me some how-to?
Note: in many forums it is said that CoovaChilli had a lot of bugs, is the original chillispot vs CoovaChilli
ChilliSpot: http://www.chillispot.info/
CoovaChili : http://coova.org/wiki/index.php/CoovaChilli
Thanks
-
Hello VIP-ire,
I have the 2 RPMs coova-chilli-1.0.11-1.i386.rpm and smeserver-coova-chilli-0.1-1.noarch.rpm but cannot log in via the login web pages, can you give me some how-to?
Note: in many forums it is said that CoovaChilli had a lot of bugs, is the original chillispot vs CoovaChilli
ChilliSpot: http://www.chillispot.info/
CoovaChili : http://coova.org/wiki/index.php/CoovaChilli
Thanks
AFAIK no development has been done on ChilliSpot since 2005, one of the devs of ChilliSpot is (still) active in CoovaChilli. You could have read that yourself on the main page of your second link: http://coova.org/wiki/index.php/CoovaChilli .
-
Hello VIP-ire,
I have the 2 RPMs coova-chilli-1.0.11-1.i386.rpm and smeserver-coova-chilli-0.1-1.noarch.rpm but cannot log in via the login web pages, can you give me some how-to?
I'd need more information about what you've done, what's not working etc...
- Is server in server&gateway ?
- Do you have a third ethernet interface recognized by the system but not configured (try ifconfig eth2) ?
- Have you installed the 2 rpms then post-upgrade/reboot (or just signal-event chilli-update;/etc/init.d/chilli start) ?
- Is chilli daemon running ? (ps aux | grep chilli)
- Have you plugged an AP on the third interface (It must be an AP or a switch, not a router) ?
- Do you have an IP in the subnet 10.1.0.0/24 when you ask for dhcp ?
- Is the DNS working on the client ?
- Can you see the login page when you ask for any web page ?
- Have you created the group called "chilli" and the users who must have web access in it ?
I know some documentation is missing, I'll try to write it as soon as I can in the wiki. Until then, there's some documentation in French:
http://sme.firewall-services.com/spip.php?rubrique28
Note: in many forums it is said that CoovaChilli had a lot of bugs, is the original chillispot vs CoovaChilli
ChilliSpot: http://www.chillispot.info/
CoovaChili : http://coova.org/wiki/index.php/CoovaChilli
Thanks
I'm not sure where you have seen that coovachilli has more bugs than the original chillispot. I know coovachilli is a fork, and I chose it over chillispot:
- because the project is active
- because of the walled-garden which can be limited to host/port/protocol (this is the main motivation)
- some other facilities
Cheers.
-
- Is server in server&gateway ?
yes its server & gateway
- Do you have a third ethernet interface recognized by the system but not configured (try ifconfig eth2) ?
yes, i have eth2
- signal-event chilli-update;/etc/init.d/chilli start) ?
done
- Is chilli daemon running ? (ps aux | grep chilli)
yes, it's running
- You have plug an AP on the third interface
yes, i have
- Do you have an IP in the subnet 10.1.0.0/24 when you ask for dhcp ?
yes, i have
- Is the DNS working on the client ?
No, the DNS is not working on the client
- Can you see the login page when you ask for any web page ?
yes, I can see the login web page, but cannot log in on it: Your are not member of the allowed group
- Have you created the group called "chilli" and the users who must have web access in it ?
No, I have not created the group called "chilli", how can I create it?
Thanks VIP-ire and I hope that together we can make the best WiFi hotspot on the best SME Server.
-
- Is the DNS working on the client ?
No, the DNS is not working on the client
- Can you see the login page when you ask for any web page ?
yes, I can see the login web page, but cannot log in on it: Your are not member of the allowed group
- Have you created the group called "chilli" and the users who must have web access in it ?
No, I have not created the group called "chilli", how can I create it?
It seems that nearly everything is configured correctly (DNS works if you get the login page when you ask for any other page). Now just go in the server-manager, create a new group called "chilli" and put the users you want to have web access through the hotspot in this group.
Thanks for testing this contrib.
Cheers, Daniel
-
Is PPTP disabled or not working if Chilli is installed?
I can't log in to my PPTP, chilli is working.
Thanks for Chilli
Marcel
-
Hi. When connected with chilli, the firewall won't let PPTP through by default (TCP 1723 and proto 47). For now, you have to create a custom template (look at the original /etc/e-smith/templates/etc/rc.d/init.d/60ChilliRules, copy it in templates-custom and modify it like you want). In a future release I might enhance this so that we can change the rules applied on the chilli interface with a db value.
-
HowTo Setup the 3rd nic ?
and Howto Configure ?
Thx Marcel
-
3rd Nic is installed and enabled.
ifconfig eth2 --> yes
eth2 Protokoll:Ethernet Hardware Adresse 00:02:B3:33:38:20
inet Adresse:10.1.0.1 Bcast:10.1.0.255 Maske:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2185 errors:0 dropped:0 overruns:0 frame:0
TX packets:67 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:1000
RX bytes:201448 (196.7 KiB) TX bytes:11781 (11.5 KiB)
configure eth2 --> ifconfig eth2 10.1.0.1 netmask 255.255.255.0 ?
DHCP -- > yes
DNS --> no
Loginpage http://10.1.0.1/chilli/hotspotlogin.php --> no
Ping from SME to WLAN-Client --> yes
-
Eth2 should not be configured, just recognized by your system. Chilli will configure everything at startup (all the traffic coming in from eth2 will be tunneled to the virtual interface tun0, and controlled by chilli).
If DHCP is working, then good. For the DNS part, I've chosen two public DNS by default, but maybe you cannot contact them. You can configure the DNS of your ISP:
db configuration setprop chilli dns1 <ip of primary DNS of your ISP> dns2 <ip of secondary DNS of your ISP>
signal-event chilli-update
To test if chilli is redirecting you correctly, try to access a page by pointing your browser to an IP (it can be any IP). Chilli should redirect you to the login page.
-
OK, thanks. DNS is in the DB.
The DNS cannot be pinged from the WLAN.
iptraf tells me that the WLAN client searches for the DNS, but gets no answer from tun0.
The login page is working, I checked this from inside the SME network.
Has anybody got chilli working correctly?
Marcel
-
I uninstalled smeserver-openvpn-bridge-fws.noarch and now Chilli is working! :)
-
Strange, smeserver-openvpn-bridge can work with chilli (I run both on my own server).
-
Hmmm, OK, but now chilli is working.
It's very cool, thank you.
Is it possible for an accounting system like http://sourceforge.net/projects/phpmyprepaid/ to work with your contrib?
Sorry for my very bad English, I'm a German SME fan,
but I searched for a long time to get chillispot to work with SME.
Marcel
-
Your new rpm smeserver-coova-chilli-0.1-1.noarch.rpm makes a wrong directory:
/opt/chilli.rpmnew
Please take a look into your src file.
Best Regards
yythoss
-
Is PPTP from outside to SME disabled or busy?
If I uninstall Chilli, I can log in to my SME from outside the office.
Is it possible to get PPTP "and" Chilli to work together?
Marcel
-
PING !
Marcel
-
Ping VIP-ire
yythoss
-
News ?
Marcel
-
Hooray ..Coova works ..I am new to SME & enjoying it. Does anyone know how we can try to edit the login page. I'd like to include our content.
-
Hi. Sorry for the late response, I was on holidays. For the PPTP problem, I'm not sure, I never used pptp (I think it sucks compared to openvpn), but I don't see any reason pptp couldn't work anymore from the internet if coova-chilli is enabled. I'll try to dig into this issue further. For the modification of the page, it's located in /opt/chilli, you can change what you want here.
Cheers, Daniel
-
Thank You VIP-ire. Just another question, Can all ports be opened for the Hotspot [ 3rd Nic]. What commands/files can I edit to make this happen. Once all the ports are open, port 25 can be redirected to SME's own smtp proxy.
-
If you want to customize the firewall rules for chilli, you'll have to create a custom template. The current template is in /etc/e-smith/templates/etc/rc.d/init.d/masq/60ChilliRules, you can copy it in the templates-custom dir, and change what you want.
-
Hello VIP-ire,
Any news about the development process for smeserver-coova-chilli?
When can we see a stable version or any new features in the existing version?
Thanks
-
Hi. The development of smeserver-coova-chilli is going slower than I want, mainly because I'm currently spending a lot of time in testing and enhancing ldap authentication in SME server (still in development). Unfortunately, I cannot tell when it will be "stable".
Cheers, Daniel
-
New version of CoovaChilli Released June 8, 2008
ChangeLog (Coova Chilli v1.0.12 svn revision 171)
* Bug fix in RADIUS timeout, note that option radiustimeout is in seconds!
* Fix for dnsparanoia whereby chilli will reply with a host not found error instead of dropping the packet, suggested by nextime
* New option macauthdeny which will result in the black-listing of devices given an Access-Reject during MAC address authentication
* New internal state called splash in which clients are given Internet access, but enforcing the port 80 http redirect
* new option dhcpradius for mapping of some DHCP options into RADIUS attributes and vice versa during MAC authentication
* new options dhcpgateway and dhcpgatewayport to specify a DHCP gateway (relay) host IP Address and port
* New option (in development) routeif to specify which WAN interface to use for the default - this also enables the use of internal routing instead of everything defaulting to the tun/tap
* Anyip fixes by Gunther, thanks.
* Code cleanups
DOWNLOAD LINK:
http://ap.coova.org/chilli/coova-chilli-1.0.12-1.i386.rpm
Note: can not install the new coova chilli version
rpm -Uvh coova-chilli-1.0.12-1.i386.rpm
error: Failed dependencies:
libc.so.6(GLIBC_2.4) is needed by coova-chilli-1.0.12-1.i386
-
Having a little trouble with this.
SME 7.3
Openvpn bridge installed
sme7admin installed
I have installed the 3rd NIC, and the files. DHCP is working on the eth2, but I don't get the login screen.
Here is a snippet of the message file about the process
Aug 20 15:39:51 premiercaulk coova-chilli[24001]: chilli.c: 2604: New DHCP request from MAC=00-03-0D-0C-6D-09
Aug 20 15:39:51 premiercaulk coova-chilli[24001]: chilli.c: 2566: Client MAC=00-03-0D-0C-6D-09 assigned IP 10.1.0.32
Aug 20 15:41:21 premiercaulk coova-chilli[24001]: options.c: 787: Rereading configuration file and doing DNS lookup
Aug 20 15:41:52 premiercaulk coova-chilli[24001]: chilli.c: 998: Unknown downlink protocol
Any ideas
TIA
Bob
-
AFAIK no development has been done on ChilliSpot since 2005, one of the devs of ChilliSpot is (still) active in CoovaChilli. You could have read that yourself on the main page of your second link: http://coova.org/wiki/index.php/CoovaChilli .
It appears that the ChiliSpot is still alive...a die hard FOSS "free and open source software"....
current links
ChiliSpot
http://www.chillispot.info/index.html
http://www.chillispot.info/chilliforum/index.php
CoovaChilli
http://coova.org/
http://coova.org/phpBB3/index.php
May the force be with them....
-
Having a little trouble with this.
SME 7.3
Openvpn bridge installed
sme7admin installed
I have installed the 3rd NIC, and the files. DHCP is working on the eth2, but I don't get the login screen.
Here is a snippet of the message file about the process
Aug 20 15:39:51 premiercaulk coova-chilli[24001]: chilli.c: 2604: New DHCP request from MAC=00-03-0D-0C-6D-09
Aug 20 15:39:51 premiercaulk coova-chilli[24001]: chilli.c: 2566: Client MAC=00-03-0D-0C-6D-09 assigned IP 10.1.0.32
Aug 20 15:41:21 premiercaulk coova-chilli[24001]: options.c: 787: Rereading configuration file and doing DNS lookup
Aug 20 15:41:52 premiercaulk coova-chilli[24001]: chilli.c: 998: Unknown downlink protocol
Any ideas
TIA
Bob
Hi.
You say DHCP is working, can you check your client has an address in the range 10.1.0.0/24 (if you haven't changed it in the config)
You don't get the login screen, but what do you have? The problem may come from the DNS, from your client, just try to ping a hostname (icmp messages won't pass but you should see the corresponding IP). If the problem comes from the DNS, you can change them (for example, set the DNS of your ISP)
db configuration setprop chilli dns1 <ip_address> dns2 <ip_address>
-
Thanks VIP-ire
I am getting an IP in the 10.1.0.0/24 range
I am not on location at this time, but if memory serves me, IE times out with a page cannot be displayed.
I will try to change the DNS settings and try to get to the location in the next couple of days and report back.
Bob
-
Same problem in my case...
chilli.c: 998: Unknown downlink protocol
options.c: 787: Rereading configuration file and doing DNS lookup
AP is a bridged router, no dhcp
Chilli's DHCP provides addresses to AP and client. client can ping AP and server
Opening an url from the client gives a timeout and no panel.
[root@vmachines ~]# config show chilli
chilli=service
TCPPort=3990
access=private
defidletimeout=900
defsessiontimeout=7200
dhcpif=eth2
dns1=208.67.222.222
dns2=206.123.6.11
net=10.1.0.0/255.255.255.0
radiussecret=TuYsQc4Je05EGtubEFtiH6oZE
status=enabled
tundev=tun0
uamallowed=tcp:192.168.250.5:80
uamsecret=ojWOJATz0fT3eP0qcQdFu38GpDo
logs are silent (httpd/error.., messages, ..)
-
Hi.
The error "unknown downlink protocol" is not very important, it's just a warning. It appears each hour when chilli calls the radiusconfig function. I need to find a way to stop it, but the problem doesn't come from here.
As for Crazybob, please, check if the DNS is working on your clients, if not, try to change the two dns (dns1 and dns2 key in the db) to those of your ISP.
Or easier, you can just try to enter an IP address in the browser of your client (even a fake one, http://11.12.13.14/ or anything). If this test works (you see the login page), the issue is dns related (it's often the case)
-
Well... after a yum update, everything works as advertised!!!
Thanks for this great idea for sme!
-
I should be able to do that this weekend
Bob
-
Now I'll try to use Drupal as the portal...
see you soon!
-
Works great with Drupal Hotspot Module!
I changed /etc/chilli.conf
#uamserver https://10.254.254.1/chilli/hotspotlogin.php
uamserver http://192.168.250.5/drupal/?q=hotspot
To make it permanent:
/sbin/e-smith/db configuration setprop chilli uamserver http://192.168.250.5/drupal/?q=hotspot
/sbin/e-smith/signal-event chilli-update
/etc/init.d/chilli restart
In drupal's hotspot module:
Method of login : browser
Copied UAM secret
Radius protocol : PAP
No provisioning
Access codes : blank
-
VIP-ire, a yum update, and a re-boot fixed it. I performed them last night while the server was not in use, then went on location, and all is well
Thanks for a great contrib
Bob
-
I've got 2 problems:
1. with chilli-update:
When I make changes, they are not shown in /etc/chilli.conf
2. IP addresses collisions
WinXP complains that the IP address issued by dhcp is already in use
Thanks for any help on this...
-
Hi.
There's now a new component 'coova-chilli' in the bug tracker. Maybe you should report this issue here.
-
Hello VIP-ire,
Thanks for all your tutorials... I'm a two week user of Linux (sme server) and I was able to get coova-chilli up and running. YEEEHAAAAH!!! I'm finally learning how to get around in the file system of linux os shell.
I am having trouble finding the path to update the html on the coova-chilli log in and out pages. Can you give me the file path or teach me how to change it a better way?
Thanks for your work.
Clarence
-
You will find the stuff in opt/chilli
Bob
-
8-)
Thank you Bob!
-
I am a Windows user who never tried to learn Linux. I have always been deathly afraid of the CLI. I can't believe how much more sense this makes than Windows!
Bob! I wasn't sure what to do with the instruction you gave me but I managed to change the language without doing any damage. Thanks for your help.
Yeah I'm a newbie... But a happy one!!!
Clarence
-
in order to modify the login page with
/sbin/e-smith/db configuration setprop chilli uamserver https://10.254.254.1/chilli/hotspot.php
/sbin/e-smith/signal-event chilli-update
I did some changes:
prepare a custom template
mkdir -p /etc/e-smith/templates-custom/etc/chilli.conf
cp /etc/e-smith/templates/etc/chilli.conf/55uamserver /etc/e-smith/templates-custom/etc/chilli.conf/55uamserver
Change the script
nano /etc/e-smith/templates-custom/etc/chilli.conf/55uamserver
my $uamserverdefault = "https://$chillip/chilli/hotspot.php";
my $uamsecret = $chilli{'uamsecret'} || 'azerty';
my $uamserver = $chilli{'uamserver'} || $uamserverdefault ;
$OUT = "uamserver $uamserver\n";
$OUT .= "uamsecret $uamsecret\n";
I'm not good at scripting so comments are more than welcome...
-
Problems after updating to smeserver-coova-chilli-0.1-1.el4.sme...
The directive uamallowed is not working anymore:
uamallowed tcp:www.sophieromano.com:80,tcp:www.logiciel-libre.org:80
The service does not start after a reboot if openvpn is installed.
Thanks for any help!
-
Is PPTP from outside to SME disabled or busy?
If I uninstall Chilli, I can log in to my SME from outside the office.
Is it possible to get PPTP "and" Chilli to work together?
Marcel
-
Please, use the bug tracker to report (potential) bugs, and use your own topic to ask for help in this forum. I really cannot answer everyone here. For the uamallowed, there's a bug. It's corrected in 0.1-8