Supermind Search Consulting Blog 
Solr - Elasticsearch - Big Data

First of all, I'll say this – if its at all possible to install the Ubuntu distro of EasyHotSpot (available from the EasyHotSpot download page), do so!

I couldn't because I couldn't get Ubuntu 10.04 installed on my antique laptop which I was going to use as the internet gateway. Only Ubuntu 10.10 worked. I therefore had to install Chillispot, FreeRadius etc and configure them separately, which was a real pain.

Secondly, if you read the documentation for EasyHotSpot, nowhere is there any mention of support for per-user bandwidth quotas. 🙂

Well, my realization was that, since all the accounting is handled in MySQL, all I needed to do to simulate daily quotas was to setup a cron job which runs daily at midnight which clears out the relevant tables which contains the bandwidth usage data. I'll be providing that script later on…

So, I'm assuming you've already read through the EasyHotSpot 0.2 PDF user guide and followed its instructions. Here are my comments on the installation process.

DNS in /etc/chilli.conf matters

I found out that my clients couldn't get an IP address when the DNS servers in /etc/chilli.conf weren't accurate.

uamallowed in /etc/chilli.conf

If your clients are getting an IP Address but not redirecting to the captive portal login page, then check uamallowed, that the relevant subnets have been added. To be safe, I added both tunnel and LAN subnets.

uamallowed 192.168.182.0/24,192.168.1.0/24

dnsmasq is also a DHCP server!

I think I may have had to disable the DHCP servers on the interfaces that Chillispot was running on.

In /etc/dnsmasq.conf, add this:

no-dhcp-interface=eth0

sqlcounter max_all_mb patch

In EasyHotSpot docs, it tells you to add this to /etc/freeradius/sql/mysql/counter.conf

sqlcounter max_all_mb {
counter-name = Max-All-MB
check-name = Max-All-MB
reply-name = ChilliSpot-Max-Total-Octets
sqlmod-inst = sql
key = User-Name
reset = never
query = "SELECT SUM(AcctInputOctets)/(1024*1024) + SUM(AcctOutputOctets)/ (1024*1024) FROM radacct WHERE UserName='%{%k}'"
}

This, however, somehow didn't work for me. I got some "2043939944 is not an octet" error in FreeRadius. The problem was that the query converts acctinputoctets and acctoutputoctets to megabytes, but FreeRadius was expecting bytes. This is what I changed it to:

sqlcounter max_all_mb {
counter-name = Max-All-MB
check-name = Max-All-MB
reply-name = ChilliSpot-Max-Total-Octets
sqlmod-inst = sql
key = User-Name
reset = never
#query = "SELECT SUM(AcctInputOctets)/(1024*1024) + SUM(AcctOutputOctets)/ (1024*1024) FROM radacct WHERE UserName='%{%k}'"
query = "SELECT SUM(AcctInputOctets) + SUM(AcctOutputOctets) FROM radacct WHERE UserName='%{%k}'"
}

/etc/freeradius/sites-available/default changes

In addition to changes recommended by EasyHotSpot, I had to comment out the following:

– chap authentication

	#
	#  The chap module will set 'Auth-Type := CHAP' if we are
	#  handling a CHAP request and Auth-Type has not already been set
#	chap

– radutmp session database
FreeRadius was giving me a stupid "Access Defined – this user is already logged-in" error. Commenting out radutmp fixed this.

#  or rlm_sql module can handle this.
#  The rlm_sql module is *much* faster
session {
#	radutmp

iptables

If you're logged-in successfully but can't get access to the internet, you most likely need to add iptables forwarding rules. Here's mine.

 
IPTABLES="/sbin/iptables"
EXTIF="eth1"
INTIF="eth0"
 
# squid
$IPTABLES -t nat -A PREROUTING -i tun0 -p tcp --dport 80 -j REDIRECT --to 3128
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to 3128
$IPTABLES -I FORWARD 1 -i tun0 -p tcp --dport 443 -m conntrack --ctstate NEW -j LOG --log-prefix HOTSPOT:
$IPTABLES -I FORWARD 1 -i eth0 -p tcp --dport 443 -m conntrack --ctstate NEW -j LOG --log-prefix HOTSPOT:
 
#Enable NAT on output device
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

Transparent Squid3 proxy

If you set this up correctly, users won't have to change their browser setting to use your squid proxy. The proxying will be "transparent" to them.

Here's my squid.conf.
Note the use of url_rewrite to squidguard. You can comment that out if you don't need it.

http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
access_log /var/log/squid3/access.log squid
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
 
# newer Squid's don't need "all", it's built in:
#acl all src all
 
url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
 
# 10000MB max cache size (default is 100MB):
cache_dir ufs /var/spool/squid3 10000 16 256
 
http_access allow all
http_reply_access allow all
icp_access allow all
always_direct allow all
coredump_dir /var/spool/squid3

Daily quota reset with shell script

Here's the shell script I'm using to reset quotas. Additionally, I'm saving the bandwidth usages to a separate table (radacct_totals) so I have historical usage.

#!/bin/sh
 
#turn off free radius
/etc/init.d/freeradius stop
 
#update radacct_totals
echo 'INSERT IGNORE INTO radacct_totals(username, upload, download, DATE) SELECT username, acctinputoctets AS uploads, acctoutputoctets AS downloads, DATE(now()) FROM radacct GROUP BY username' | mysql -u rad radius -B
 
#truncate radacct_totals
echo 'truncate radacct' | mysql -u rad radius -B 
 
#start free radius
/etc/init.d/freeradius start

I don't have the schema DDL of radacct_totals handy, but as you can see, its a pretty simple table, with compound primary key on username and date.

You'll need to add this as a cronjob, daily at 12 midnight.

4 Comments »