2012-03-19 - Re: [GRASE-Hotspot] was integrate grase on router “Project gomitolo”

Header Data

From: Dikdust <di***t@adfacom.it>
Message Hash: 13d0856fba04357352f4cdeccd0c8cdb79388d00b5ce4070fcf43921c18af873
Message ID: <1861096998.216.1332166516758.JavaMail.root@zimbra>
Reply To: <1406374926.42216.1331024550954.JavaMail.root@zimbra>
UTC Datetime: 2012-03-19 07:15:16 UTC
Raw Date: Mon, 19 Mar 2012 15:15:16 +0100

Raw message

Hi to all

I' m working on the centralization of grase for and Italian project. I' m following Tim's advice (read below), if you want to cooperate I can translate in english and link what I have done.

I guess that Tim has to approve this anyway, if someone is interested write me a mail, (or write to gomitolo at adfacom dot it)

thanks a lot

Antonio Alessio "dikdust" Di Pinto

----- Messaggio originale -----
> Da: "Dikdust" <di***t@adfacom.it>
> A: gr***t@lists.sourceforge.net
> Inviato: Martedì, 6 marzo 2012 10:02:31
> Oggetto: Re: [GRASE-Hotspot] integrate grase on router - one hour by day connection - test beginning
> 
> 
> > Hi Antonio.
> > 
> > This is possible, but outside of the original design of the Grase
> > Hotspot.
> > Ideally, you'll need to install coova chilli on your routers, and
> > set
> > them up to use your Grase Hotspot install as the central server.
> > Easiest
> > way to do this would be to create a VPN (OpenVPN is ideal) so that
> > all
> > the clients can connect securely via the VPN, to the FreeRadius
> > software
> > on the main server. You'd also need to setup Coova Chilli on the
> > routers
> > to use the Web server on the main server, and there are some
> > functions
> > regarding that that haven't been tested that could need some work.
> > Lastly, the network settings you set in the Grase Hotspot admin
> > interface, won't propagate to the "remote" routers, and you
> > probably
> > don't want them to. Ideally each location would have it's own ip
> > range.
> > You'd probably remove the Squid redirection lines from each router,
> > as
> > running squid on each router wouldn't be ideal if they are
> > lightweight,
> > and using the squid on the main server would be stupid. This would
> > remove the ability to monitor what sites clients are using, but
> > that's
> > probably ok for this setup.
> > 
> > Trying to protect the LAN's at each site would be a challenge.
> > Ideally
> > you'll need a firewall rule that blocks connections leaving the
> > router,
> > that are destined for any address on the LAN, unless it was the
> > internet
> > router. (And as said above, each site would have it's own "Grase"
> > ip
> > range, that didn't conflict with any other site's Grase ip range,
> > or
> > with the local sites LAN ip range).
> > 
> > Limiting bandwidth and connect time is easy. Create a group with
> > the
> > relevant bandwidth limits, and connection time limit (daily 1 hour
> > for
> > example), and that will be enforced across all sites. i.e. they
> > could
> > use 30 mins at one site, 30 mins at another site, and that would be
> > it
> > for the day.
> > 
> > For 100€, you'll be fairly limited on router hardware. I'd check
> > out
> > what hardware CoovaAP (http://www.coova.org/CoovaAP) runs on, and
> > use
> > that.
> > 
> > The hardware I use to run routers the complete system on them come
> > out
> > at more than 100€, but would be a viable option for you if you can
> > increase the budget.
> > 
> > I've opened a ticket (http://trac.grasehotspot.org/ticket/56) for
> > making
> > this easier to setup, as in the future I'd like this to be
> > something
> > we
> > can offer easily.
> > 
> > Tim
> > 
> 
> Hi
> 
> I' m working on the project. Next week I will receive a Cisco\Linksys
> WRT54GL to test coovaAP.
> 
> For a generic wifi router I will put the "internet" interface in dhcp
> connected to the donators lan (or configurated to use and if there
> is a coovabox I will connect on the lan interface.
> 
> 
>  In the meaning time I'm testing the solution on a ubuntu linux box
>  (BOX1) where I can test everything connected trough openvpn to the
>  SERVER (the machine that running grase hotspot), cause some setup
>  can use a linux box (so I can use any access points with their own
>  firmware)
> 
> 
> I have correctly setup the openvpn, trough I can reach from BOX1 the
> SERVER and I surf trough BOX1 wifi private (not shared) connection.
> 
> To simplify I will assume 10.0.1.x/24 is the grase wifi net (gived by
> BOX1 wifi connected to eth0) and 192.168.1.100 (eth1) is the ip BOX1
> (gw 192.168.1.1) SERVER has ip 10.1.0.1 reached trogh tun1
> 
> eth0 of BOX1 is connected wifi router (SID PUBLIC) is 10.0.1.101 and
> SERVER is 10.1.0.1
> 
> I have installed only coova chilli on the BOX1 and I' m configuring
> it to use SERVER for everything is needed (except dhcp)
> 
> I guess have some problem with dhcp and maybe I don't know coova too
> much. It will give dhcp to client ?
> 
> For the security point i will use something like
> 
> iptables -P FORWARD DROP
> iptables -i eth0 -o eth1 -d !192.168.1.0/24 -j ACCEPT
> iptables -i eth0 -o eth1 -j DROP
> iptables -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j
> ACCEPT
> 
> 
> I will continue testing but for the beginning I could setup manually
> each box/router cause at the moment I have only 10 "testers" and two
> have a linux box.
> 
> Thanks in advance
> 
> (I guess I could launch a sf project if I receive feedback from some
> LUG here)
> 
> Antonio Alessio "dikdust" Di Pinto
> 
> 
> 
> ------------------------------------------------------------------------------
> Keep Your Developer Skills Current with LearnDevNow!
> The most comprehensive online learning library for Microsoft
> developers
> is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3,
> MVC3,
> Metro Style Apps, more. Free future releases when you subscribe now!
> http://p.sf.net/sfu/learndevnow-d2d
> _______________________________________________
> Grase-hotspot mailing list
> Gr***t@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/grase-hotspot
> 




Thread