Clients are unable to connect to the Internet

Hey,

I was wondering if someone encountered the same issue as I have with CoovaChilli (1.0.12) installed on OpenWRT (kamikaze 8.09) with X-WRT enabled (r4700).

The issue is that wireless clients associate with coova chilli ok (dhcp is provided), but when an attempt to browse the Internet is made the connection seems to drop (as seen with tcpdump - the router sends a reset packet to the syn packet in the sequence).

This is all of the trace details I can think of:

CoovaChilli debug (with my notes in the => lines):

====> wireless client associated with chillispot

chilli.c: 3564: 0 (Debug) Waiting for client request...
dhcp.c: 1875: 0 (Debug) Address not found (192.168.182.5)
chilli.c: 2694: 0 (Debug) New DHCP request from MAC=00-1D-6E-D5-B7-CD
chilli.c: 2697: 0 (Debug) New DHCP connection established
chilli.c: 2573: 0 (Debug) DHCP request for IP address
ippool.c: 324: 0 (Debug) Requesting new static ip: 192.168.182.5
ippool.c: 344: 0 (Debug) Static IP address not allowed
ippool.c: 324: 0 (Debug) Requesting new dynamic ip: 192.168.182.5
chilli.c: 2661: 0 (Debug) Client MAC=00-1D-6E-D5-B7-CD assigned IP 192.168.182.5
dhcp.c: 2359: 0 (Debug) arp_decaps: dst=00:1d:7e:4a:fd:01 src=00:1d:6e:d5:b7:cd prot=0806

====> wireless client is now requesting to web surf to google.com

redir.c: 1984: 0 (Debug) Calling redir_getstate()
redir.c: 2010: 0 (Debug) Get HTTP Request
redir.c: 1141: 0 (Debug) http-request: GET / HTTP/1.1
redir.c: 1169: 0 (Debug) The path:
redir.c: 1236: 0 (Debug) Host: google.com
redir.c: 1255: 0 (Debug) User-Agent: Mozilla/5.0 (X11; U; Linux armv6l; en-US; rv:1.9a6pre) Gecko/20080828 Firefox/3.0a1 Tablet browser 0.3.7 RX-34+RX-44+RX-48_DIABLO_4.2008.36-5
redir.c: 1357: 0 (Debug) -->> Setting userurl=[http://google.com/]
redir.c: 2019: 0 (Debug) Process HTTP Request
redir.c: 2140: 0 (Debug) Processing received request
redir.c: 2360: 0 (Debug) redir_accept: Original request
redir.c: 2365: 0 (Debug) ---->>> resetting challenge: daafa8e8fe445fb0294e40882ee723b4

====> chilli captures this and forwards to local 'homepage' on the openwrt
====> wireless client is now clicking the 'Go to Internet' button which links to: http://192.168.182.1:3990/prelogin?_menu=1

dhcp.c: 2359: 0 (Debug) arp_decaps: dst=ff:ff:ff:ff:ff:ff src=00:1d:6e:d5:b7:cd prot=0806
redir.c: 1984: 0 (Debug) Calling redir_getstate()
redir.c: 2010: 0 (Debug) Get HTTP Request
redir.c: 1141: 0 (Debug) http-request: GET /prelogin?__menu=1 HTTP/1.1
redir.c: 1169: 0 (Debug) The path: prelogin
redir.c: 2019: 0 (Debug) Process HTTP Request
redir.c: 2140: 0 (Debug) Processing received request
redir.c: 2288: 0 (Debug) ---->>> resetting challenge: 1038142b8048a4627a80eb6c06baaa41
redir.c: 863: 0 (Debug) here: https://UAM_SERVER?res=notyet&uamip=192.168.182.1&uamport=3990&challenge=1038142b8048a4627a80eb6c06baaa41&mac=00-1D-6E-D5-B7-CD&ip=192.168.182.5&called=00-1D-7E-4A-FD-01&nasid=TEST-NAS&userurl=http%3a%2f%2fgoogle.com%2f&md=99AC4A975BCBB9D2E508CDD071911E8D

This might be related to an issue with the firewall, hence iptables output:
iptables nat:

root@OpenWrt:~# iptables -L -nv --table nat
Chain PREROUTING (policy ACCEPT 18322 packets, 1592K bytes)
 pkts bytes target     prot opt in     out     source               destination
   25  8951 zone_wan_prerouting  all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0
  411 39237 zone_wifi_prerouting  all  --  br-wifi *       0.0.0.0/0            0.0.0.0/0
13217  789K zone_lan_prerouting  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0
18316 1590K prerouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 1181 packets, 66686 bytes)
 pkts bytes target     prot opt in     out     source               destination
14198  794K postrouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0
14198  794K zone_wan_nat  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 2524 packets, 184K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain postrouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_lan (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_wan (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_wifi (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain zone_lan_nat (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0

Chain zone_lan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
13217  789K prerouting_lan  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_wan_nat (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1984  112K MASQUERADE  all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0

Chain zone_wan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
 3526  395K prerouting_wan  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:4661 to:192.168.1.121:4661
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:4661 to:192.168.1.121:4661
   14   756 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:4662 to:192.168.1.121:4662
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:4662 to:192.168.1.121:4662
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:6882 to:192.168.1.121:6882
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:6882 to:192.168.1.121:6882
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:6881 to:192.168.1.121:6881
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:6881 to:192.168.1.121:6881

Chain zone_wifi_nat (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      br-wifi  0.0.0.0/0            0.0.0.0/0

Chain zone_wifi_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
  411 39237 prerouting_wifi  all  --  *      *       0.0.0.0/0            0.0.0.0/0

iptables:

root@OpenWrt:~# iptables -L -nv
Chain INPUT (policy ACCEPT 380K packets, 129M bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   284 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
 638K  310M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   95  5712 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 1039 53380 syn_flood  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02
 387K  130M input_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 387K  130M input      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
13673  778K TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU
1043K  339M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
11698  649K forwarding_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0
11698  649K forward    all  --  *      *       0.0.0.0/0            0.0.0.0/0
   22  1435 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 883 packets, 58349 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
 756K   88M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   95  5712 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
 3165  251K output_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 3165  251K output     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
11536  635K zone_lan_forward  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0
  108 10429 zone_wifi_forward  all  --  br-wifi *       0.0.0.0/0            0.0.0.0/0
    0     0 zone_wan_forward  all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0

Chain forwarding_lan (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain forwarding_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain forwarding_wan (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain forwarding_wifi (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input (1 references)
 pkts bytes target     prot opt in     out     source               destination
 3611  319K zone_lan   all  --  br-lan *       0.0.0.0/0            0.0.0.0/0
  247 29784 zone_wifi  all  --  br-wifi *       0.0.0.0/0            0.0.0.0/0
   25  8951 zone_wan   all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0

Chain input_lan (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_wan (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_wifi (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain output (1 references)
 pkts bytes target     prot opt in     out     source               destination
 3164  251K zone_lan_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 3108  233K zone_wan_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  883 58349 zone_wifi_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain output_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain reject (7 references)
 pkts bytes target     prot opt in     out     source               destination
 1623 96558 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset
 2536  337K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Chain syn_flood (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1039 53380 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 limit: avg 25/sec burst 50
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_lan (1 references)
 pkts bytes target     prot opt in     out     source               destination
 3611  319K input_lan  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 3611  319K zone_lan_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_lan_ACCEPT (3 references)
 pkts bytes target     prot opt in     out     source               destination
 3611  319K ACCEPT     all  --  br-lan *       0.0.0.0/0            0.0.0.0/0
   56 18095 ACCEPT     all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0

Chain zone_lan_DROP (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  br-lan *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0

Chain zone_lan_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination
  619 37089 reject     all  --  br-lan *       0.0.0.0/0            0.0.0.0/0
    0     0 reject     all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0

Chain zone_lan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
11536  635K zone_wifi_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
11536  635K zone_wan_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  619 37089 forwarding_lan  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  619 37089 zone_lan_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_wan (1 references)
 pkts bytes target     prot opt in     out     source               destination
 3518  395K input_wan  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 3518  395K zone_wan_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_wan_ACCEPT (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0
 2035  118K ACCEPT     all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0

Chain zone_wan_DROP (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0

Chain zone_wan_REJECT (2 references)
 pkts bytes target     prot opt in     out     source               destination
   25  8951 reject     all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0
    0     0 reject     all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0

Chain zone_wan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.1.121       udp dpt:6881
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.121       tcp dpt:6881
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.1.121       udp dpt:6882
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.121       tcp dpt:6882
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.1.121       udp dpt:4662
   32  1704 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.121       tcp dpt:4662
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.1.121       udp dpt:4661
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.121       tcp dpt:4661
    0     0 forwarding_wan  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 zone_wan_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_wifi (1 references)
 pkts bytes target     prot opt in     out     source               destination
  247 29784 input_wifi  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  247 29784 zone_wifi_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_wifi_ACCEPT (3 references)
 pkts bytes target     prot opt in     out     source               destination
  247 29784 ACCEPT     all  --  br-wifi *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      br-wifi  0.0.0.0/0            0.0.0.0/0

Chain zone_wifi_DROP (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  br-wifi *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      br-wifi  0.0.0.0/0            0.0.0.0/0

Chain zone_wifi_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    3   217 reject     all  --  br-wifi *       0.0.0.0/0            0.0.0.0/0
    0     0 reject     all  --  *      br-wifi  0.0.0.0/0            0.0.0.0/0

Chain zone_wifi_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
  108 10429 zone_lan_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  108 10429 zone_wan_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    3   217 forwarding_wifi  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    3   217 zone_wifi_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Re: Clients are unable to connect to the Internet [FIXED]

I've debugged the firewall ruleset and, as it seems a bit smelly there, the fix is to allow incoming traffic to tun0 before it gets rejected.

The "problem", though, is that the rules don't quite make sense: the FORWARD policy follows to the forward chain, and that follows to zone_lan_forward first, which rejects everything after a couple of checks (and everything is EVERYTHING, not just the lan interface), which means that the forwarding_wifi and zone_wifi_forward chains aren't even reached.

For this reason, the fix is to add the tun0 accept rule to either of these chains:
iptables -A forwarding_rule -i tun0 -j ACCEPT
or to
iptables -A FORWARD -i tun0 -j ACCEPT
Of course, if you add it to the FORWARD policy, make sure it is BEFORE the last reject chain rule.

Regards,
Liran.
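
Walking a new TCP connection that arrives on tun0 through the FORWARD rules from the listing earlier in the thread shows which rule answers it and why the position of the added ACCEPT rule matters. This is an added example, not code from the thread or from CoovaChilli/OpenWrt; the test packet (tun0 in, ppp0 out, state NEW), the helper names, and interpreting only `state` as a match condition are assumptions.

```python
import re

# Excerpt of the filter-table listing posted above (FORWARD path only). The
# zone_*_forward chains are omitted: no jump to them matches traffic from tun0.
LISTING = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
13673  778K TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU
1043K  339M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
11698  649K forwarding_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0
11698  649K forward    all  --  *      *       0.0.0.0/0            0.0.0.0/0
   22  1435 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain forward (1 references)
11536  635K zone_lan_forward  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0
  108 10429 zone_wifi_forward  all  --  br-wifi *       0.0.0.0/0            0.0.0.0/0
    0     0 zone_wan_forward  all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0
Chain forwarding_rule (1 references)
Chain reject (7 references)
 1623 96558 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset
 2536  337K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
NON_TERMINAL = {"TCPMSS"}  # rewrites the packet, then traversal continues
SYN = {"in": "tun0", "out": "ppp0", "proto": "tcp", "state": "NEW"}  # assumed packet

def parse(listing):
    """Parse `iptables -L -nv` text; only `state` extras are treated as matches."""
    chains, policy, cur = {}, {}, None
    for line in listing.splitlines():
        head = re.match(r"Chain (\S+) \((?:policy (\S+))?", line)
        if head:
            cur = head.group(1)
            chains[cur], policy[cur] = [], head.group(2)  # None for user chains
            continue
        f = line.split()
        if len(f) >= 9 and f[0] != "pkts":
            extra = " ".join(f[9:])
            state = re.search(r"\bstate (\S+)", extra)
            chains[cur].append({"target": f[2], "proto": f[3], "in": f[5], "out": f[6],
                                "states": state.group(1).split(",") if state else None,
                                "extra": extra})
    return chains, policy

def matches(rule, pkt):
    return (rule["in"] in ("*", pkt["in"]) and rule["out"] in ("*", pkt["out"])
            and rule["proto"] in ("all", pkt["proto"])
            and (rule["states"] is None or pkt["state"] in rule["states"]))

def walk(chains, policy, pkt, chain="FORWARD", trace=None):
    """Return (verdict, trace); verdict is None when a user chain falls through."""
    trace = [] if trace is None else trace
    for rule in chains[chain]:
        if not matches(rule, pkt):
            continue
        target = rule["target"]
        trace.append(f"{chain} -> {target} {rule['extra']}".strip())
        if target in TERMINAL:
            return target, trace
        if target == "RETURN":
            break
        if target not in NON_TERMINAL:
            verdict, _ = walk(chains, policy, pkt, target, trace)
            if verdict:
                return verdict, trace
    return policy.get(chain), trace

def accept_in(iface):
    # Hypothetical helper: the rule `-i <iface> -j ACCEPT` as a parsed entry.
    return {"target": "ACCEPT", "proto": "all", "in": iface, "out": "*",
            "states": None, "extra": ""}

def verdict_for(edit=None):
    """Verdict and trace for SYN after applying an optional ruleset edit."""
    chains, policy = parse(LISTING)
    if edit:
        edit(chains)
    return walk(chains, policy, SYN)
```

`verdict_for()` returns REJECT with a trace ending in `reject -> REJECT reject-with tcp-reset`; `verdict_for(lambda c: c["forwarding_rule"].append(accept_in("tun0")))` returns ACCEPT. Appending the same rule to FORWARD leaves the verdict at REJECT because it lands after the jump to `reject`, while `c["FORWARD"].insert(-1, accept_in("tun0"))` places it ahead of that jump.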

Re: Clients are unable to connect to the Internet

Hey David,

Regarding the firewall rules - I haven't really changed anything except for adding ppp0 there since I use PPTP to dial out to ISP and some P2P rules. Other than that it's really all related to openwrt/x-wrt management.

Chilli itself is running on br-wifi (from the config: dhcpif br-wifi) as I wish to only captive the wifi clients.

My chilli startup script (looks like it's going into FORWARD by the rules listed there (and no, I didn't change anything there...)):

#!/bin/sh
# Coova Chilli - David Bird
# Licensed under the GPL, see http://coova.org/
# up.sh /dev/tun0 192.168.0.10 255.255.255.0

. /etc/chilli/functions

[ -e "/var/run/chilli.iptables" ] && sh /var/run/chilli.iptables 2>/dev/null
rm -f /var/run/chilli.iptables 2>/dev/null

IF=$(basename $DEV)

ipt() {
    opt=$1; shift
    echo "iptables -D $*" >> /var/run/chilli.iptables
    iptables $opt $*
}

ipt_in() {
    ipt -A INPUT -i $IF $*
}

[ -n "$DHCPIF" ] && {
    ipt_in -p udp -d 255.255.255.255 --destination-port 67:68 -j ACCEPT
    ipt_in -p udp --dst $ADDR --dport 53 -j ACCEPT

#    ipt -A INPUT -i $IF --dst $ADDR -j DROP
#    ipt -A INPUT -i $IF -j DROP

#    ipt -I FORWARD -i $DHCPIF -j DROP
#    ipt -I FORWARD -o $DHCPIF -j DROP
    ipt -I FORWARD -i $IF -j ACCEPT
    ipt -I FORWARD -o $IF -j ACCEPT

#    [ "$HS_LAN_ACCESS" != "on" -a "$HS_LAN_ACCESS" != "allow" ] && \
#       ipt -I FORWARD -i $IF -o \! $HS_WANIF -j DROP

    [ "$HS_LOCAL_DNS" = "on" ] && \
        ipt -I PREROUTING -t nat -i $IF -p udp --dport 53 -j DNAT --to-destination $ADDR
}

# site specific stuff optional
[ -e /etc/chilli/ipup.sh ] && . /etc/chilli/ipup.sh

Here is some extra info:

routing table:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
212.199.26.28   172.24.128.1    255.255.255.255 UGH   0      0        0 eth0.1
212.199.5.238   0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.182.0   0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan
172.24.128.0    0.0.0.0         255.255.224.0   U     0      0        0 eth0.1
0.0.0.0         212.199.5.238   0.0.0.0         UG    0      0        0 ppp0

bridge information:

bridge name     bridge id               STP enabled     interfaces
br-wifi         8000.001d7e4afd01       no              wl0
br-lan          8000.001d7e4afcff       no              eth0.0

interfaces:

br-lan    Link encap:Ethernet  HWaddr 00:1D:7E:4A:FC:FF
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:568840 errors:0 dropped:0 overruns:0 frame:0
          TX packets:561881 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:62114121 (59.2 MiB)  TX bytes:308338588 (294.0 MiB)

br-wifi   Link encap:Ethernet  HWaddr 00:1D:7E:4A:FD:01
          UP BROADCAST RUNNING  MTU:1500  Metric:1
          RX packets:965 errors:0 dropped:0 overruns:0 frame:0
          TX packets:777 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:106538 (104.0 KiB)  TX bytes:144332 (140.9 KiB)

eth0      Link encap:Ethernet  HWaddr 00:1D:7E:4A:FC:FF
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1969712 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1365589 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:591830163 (564.4 MiB)  TX bytes:429639456 (409.7 MiB)
          Interrupt:4

eth0.0    Link encap:Ethernet  HWaddr 00:1D:7E:4A:FC:FF
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:570854 errors:0 dropped:0 overruns:0 frame:0
          TX packets:563452 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:64586401 (61.5 MiB)  TX bytes:310823352 (296.4 MiB)

eth0.1    Link encap:Ethernet  HWaddr 00:1D:7E:4A:FC:FF
          inet addr:172.24.145.151  Bcast:255.255.255.255  Mask:255.255.224.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1398857 errors:0 dropped:0 overruns:0 frame:0
          TX packets:802162 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:491789297 (469.0 MiB)  TX bytes:111945374 (106.7 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:2184 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2184 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:161949 (158.1 KiB)  TX bytes:161949 (158.1 KiB)

ppp0      Link encap:Point-to-Point Protocol
          inet addr:77.127.177.23  P-t-P:212.199.5.238  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:5537 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5507 errors:0 dropped:17 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:1189928 (1.1 MiB)  TX bytes:659694 (644.2 KiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:192.168.182.1  P-t-P:192.168.182.1  Mask:255.255.255.0
          UP POINTOPOINT RUNNING  MTU:1500  Metric:1
          RX packets:15 errors:0 dropped:0 overruns:0 frame:0
          TX packets:81 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:860 (860.0 B)  TX bytes:5464 (5.3 KiB)

wl0       Link encap:Ethernet  HWaddr 00:1D:7E:4A:FD:01
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:934 errors:3 dropped:0 overruns:0 frame:42979545
          TX packets:958 errors:2 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:116660 (113.9 KiB)  TX bytes:174382 (170.2 KiB)
          Interrupt:2 Base address:0x5000

Re: Clients are unable to connect to the Internet

Wow, you have a lot going on there in the firewall. What interface, btw, is chilli running on, br-lan? If so, I don't understand the MASQUERADE rule for br-lan. I also don't see the chilli dhcpif interface being blocked with IP tables. It's important that you drop packets to the dhcpif since you don't want those packets routed by the kernel and chilli too. Finally, it looks like you are using PPPoE and you do have the clamp-mss-to-mtu rule, which is good. However, in the standard chilli up.sh script, I put that rule in the 'mangle' table instead of 'forward' - you might give that a try too.