2012-03-06 - Re: [GRASE-Hotspot] integrate grase on router - one hour by day connection - test beginning

Header Data

From: Dikdust <di***t@adfacom.it>
Message Hash: 48443005a953066c7074a14fff9e771dd84b8013f16bc00d52eaa5948b4185a9
Message ID: <1406374926.42216.1331024550954.JavaMail.root@zimbra>
Reply To: <1082716247.38804.1330875483292.JavaMail.root@zimbra>
UTC Datetime: 2012-03-06 02:02:31 UTC
Raw Date: Tue, 06 Mar 2012 10:02:31 +0100

Raw message 


> Hi Antonio.
> 
> This is possible, but outside of the original design of the Grase
> Hotspot.
> Ideally, you'll need to install coova chilli on your routers, and set
> them up to use your Grase Hotspot install as the central server.
> Easiest
> way to do this would be to create a VPN (OpenVPN is ideal) so that
> all
> the clients can connect securely via the VPN, to the FreeRadius
> software
> on the main server. You'd also need to setup Coova Chilli on the
> routers
> to use the Web server on the main server, and there are some
> functions
> regarding that that haven't been tested that could need some work.
> Lastly, the network settings you set in the Grase Hotspot admin
> interface, won't propagate to the "remote" routers, and you probably
> don't want them to. Ideally each location would have it's own ip
> range.
> You'd probably remove the Squid redirection lines from each router,
> as
> running squid on each router wouldn't be ideal if they are
> lightweight,
> and using the squid on the main server would be stupid. This would
> remove the ability to monitor what sites clients are using, but
> that's
> probably ok for this setup.
> 
> Trying to protect the LAN's at each site would be a challenge.
> Ideally
> you'll need a firewall rule that blocks connections leaving the
> router,
> that are destined for any address on the LAN, unless it was the
> internet
> router. (And as said above, each site would have it's own "Grase" ip
> range, that didn't conflict with any other site's Grase ip range, or
> with the local sites LAN ip range).
> 
> Limiting bandwidth and connect time is easy. Create a group with the
> relevant bandwidth limits, and connection time limit (daily 1 hour
> for
> example), and that will be enforced across all sites. i.e. they could
> use 30 mins at one site, 30 mins at another site, and that would be
> it
> for the day.
> 
> For 100€, you'll be fairly limited on router hardware. I'd check out
> what hardware CoovaAP (http://www.coova.org/CoovaAP) runs on, and use
> that.
> 
> The hardware I use to run routers the complete system on them come
> out
> at more than 100€, but would be a viable option for you if you can
> increase the budget.
> 
> I've opened a ticket (http://trac.grasehotspot.org/ticket/56) for
> making
> this easier to setup, as in the future I'd like this to be something
> we
> can offer easily.
> 
> Tim
> 

Hi

I' m working on the project. Next week I will receive a Cisco\Linksys WRT54GL to test coovaAP. 

For a generic wifi router I will put the "internet" interface in dhcp connected to the donators lan (or configurated to use and if there is a coovabox I will connect on the lan interface.


 In the meaning time I'm testing the solution on a ubuntu linux box (BOX1) where I can test everything connected trough openvpn to the SERVER (the machine that running grase hotspot), cause some setup can use a linux box (so I can use any access points with their own firmware)


I have correctly setup the openvpn, trough I can reach from BOX1 the SERVER and I surf trough BOX1 wifi private (not shared) connection.

To simplify I will assume 10.0.1.x/24 is the grase wifi net (gived by BOX1 wifi connected to eth0) and 192.168.1.100 (eth1) is the ip BOX1 (gw 192.168.1.1) SERVER has ip 10.1.0.1 reached trogh tun1

eth0 of BOX1 is connected wifi router (SID PUBLIC) is 10.0.1.101 and SERVER is 10.1.0.1

I have installed only coova chilli on the BOX1 and I' m configuring it to use SERVER for everything is needed (except dhcp)

I guess have some problem with dhcp and maybe I don't know coova too much. It will give dhcp to client ? 

For the security point i will use something like

iptables -P FORWARD DROP
iptables -i eth0 -o eth1 -d !192.168.1.0/24 -j ACCEPT
iptables -i eth0 -o eth1 -j DROP
iptables -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT


I will continue testing but for the beginning I could setup manually each box/router cause at the moment I have only 10 "testers" and two have a linux box.

Thanks in advance

(I guess I could launch a sf project if I receive feedback from some LUG here)

Antonio Alessio "dikdust" Di Pinto

Thread