Hotspot Chillispot

From DD-WRT Wiki

Jump to: navigation, search

Copie de la version Anglaise

Contents

[edit] Introduction

[edit] Executive Summary

ChilliSpot (chilli, chillispot) is a way to

  • Easily make the wireless or lan-connected computers display a 'landing page' on user's browsers.
  • Redirection occurs on the first web page, and until the user clicks through (I Agree/Login).
  • Optionally earn revenue from your hotspot.
  • Provide a WiFi usage agreement, advertising or other neighbourhood or commercial activities.
  • Pro-active over-use prevention:
  • Limit the bandwidth, up and down, hotspot-connected laptops or desktops can use.
  • Limit the number of times within a given period hotspot users can log in.
  • Other fine-grained limitations.

ChilliSpot can be used for single router, or extended with the use of external services to cover an entire metropolitan area.

[edit] Technical Description

ChilliSpot is an open source Captive_Portal wireless or LAN access point controller. It is used for authenticating users. It supports web based login which is today's standard for public HotSpots. Authentication, authorization and accounting (AAA) is handled by an on-line provider, or a local radius service you provide.

Chillispot cannot work alone and needs two (2) additional services, provided externally:

  • A Web Portal to which users are redirected. This portal can provide any mean of access control service such as user login, on-line billing, etc...
  • A Radius service for authentication and accounting. Most of the time, the Radius server and the web server will be tightly integrated to offer advanced services.
  • There are several on-line providers (Chillispot Service Provider, CSP) that have the additional services needed to make Chillispot work: Captive_Portal#Provider
  • The advantage of a CSP is your Chillispot hotspot can be up and running in minutes.

Chillispot.info website is only a copy of the original chillispot.org website, without any development. DD-WRT uses an older version of chillispot. Chillispot development continued, and it is possible to load the latest release of Chillispot into DD-WRT (more later, in an update to this DD-WRT Wiki article).

Also, CoovaChilli is another entire firmware distribution, based on OpenWRT. It includes the most recent version of Chillispot, but requires changing your router flash and learning a completely new way of setting up the router, especially problematic if you use your router for anything other than just a Chillispot portal. Since this is the DD-WRT Wiki, and not the OpenWRT Wiki, we are not going to cover CoovaChilli here.

[edit] Terms and Definitions

  • DD-WRT Device: Your DD-WRT-flashed device!
  • Chillispot Account: Your [free] account on WorldSpot.net or another On-line Provider of Chillispot services .
  • Chillispot Service Provider (CSP): An on-line (Internet-based) provider of the necessary back-end services for the DD-WRT Device running Chillispot. The major contributor to this Wiki and other authors use Worldspot.net, but other CSP's are available. If you have good success and are familiar with Wiki-editing and Chilli, please update this Wiki with your preferred provider. A list of CSP's is at the bottom.

[edit] Prerequisites

  • A DD-WRT-Compatible device programmed with a distribution of DD-WRT containing Chilli. Highly recommend build 13064 (10/10/09) or the latest BETA. See general flashing instructions elsewhere in the DD-WRT Wiki.
  • For those using a CSP (Chillispot Service Provider, see above), the DD-WRT Device must already have Internet access.
    • Check that a wireless laptop is connected through the DD-WRT Device and receiving web pages.
  • Important: For easy setup within the scope of this wiki article, Internet should come from the WAN (Internet) port of the router (normal router mode), not from the LAN port (router in AP-only mode).
  • If you are adding the DD-WRT Device to an existing private subnet to introduce Chillispot services, and your existing network has a subnet of 192.168.1.X, there is a conflict with the DD-WRT Device default LAN subnet. For the specific issue, you must change the DD-WRT LAN IP address to another subnet, like 192.168.2.x.
    • If you chain your hotspot off your existing LAN network, so the Chillispot users are a separate, private subnet of your existing LAN, the DD-WRT WAN interface is facing the LAN. It is recommended that you open management interfaces on DD-WRT to the WAN-side so you can control the DD-WRT telnet/ssh/web interface from your existing network.
  • Create a Chillispot Account on a CSP.
    • After signing up, the CSP should show you a convenient customized screen-image displaying the entries for the DD-WRT Device.
  • An ethernet cable to connect your laptop LAN port to a LAN port on the DD-WRT Device.
  • The DD-WRT Device's Web Management Interface must work. You should be able to connect to at http://192.168.x.1/, or whatever LAN IP you have set your DD-WRT Device. Later, for memory consumption and performance of the DD-WRT Device, the Web Manager's service can be disabled and run only when needed.
  • Set-up your DD-WRT Device's Wireless LAN, but disable encryption for the WiFi for now. This greatly simplifies resolving issues.
  • The simplest instructions here assume your DD-WRT Device currently provides your clients a single private subnet. If this sounds technical, it is the default setup of DD-WRT. By factory setup, a DD-WRT Device uses 192.168.1.1 as a LAN IP, and all clients are assigned an address automatically of 192.168.1.x. While other configurations are possible, the easiest examples used here assume your DD-WRT Device is using the default settings.
  • http://192.168.1.1: The assumed LAN IP address of your DD-WRT Device's Web Management. If you have changed this number, use the new number.
  • Experts: When using Chillispot without using a CSP, you must provide your own Web Server to host the redirect website and a Radius Server for accounting. The Web Server and Radius Server may be installed on the same machine, but generally not the DD-WRT Device. Installation and Set-up of Chillispot without a CSP is beyond the scope of this Wiki article.
  • (old) V23SP2 Introduces the option of Enabling 'Separation of Wifi from the LAN Bridge': having ChilliSpot control only wireless clients. The existing DD-WRT Device settings are only used for the LAN. Clients behave as if the WiFi and LAN connections are separate networks completely. Most guides including the WorldSpot.net guide, assume this 'Separate WiFi' configuration is Enabled.
    However, new configurations are available with this option:
    • If you have Secondary Access Points specifically to increase the WiFi coverage, and these SAP's are physically wired into the LAN ports, then on the main Chillispot'ed DD-WRT Device, you do not want to 'Separate Wifi from the LAN Bridge'. Configurations A or B is recommended.
    • If you have 'public-access terminals' which are wired LAN computers, such as at a library, connected to the DD-WRT Device, and you want these clients to now be directed to the ChilliSpot Authentication Splash Page, you also do not want to 'Separate Wifi from the LAN Bridge'. Configuration A is recommended.
    • If you want to maintain a single, homogeneous network [all internet-connected devices shares the same private subnet], of wireless and wired clients, and your wired clients have been made secure from wireless attacks [outside of the scope of this guide], then you do not want to 'Separate Wifi from the LAN Bridge'. Configuration B is recommended.

[edit] Additional Prerequisites for Older Firmware

  • Highly-recommended to have firmware build 13064 (10/10/09) as the running firmware.
  • Firmware V23xx: If you haven't reset to factory settings after installation, do it, then reboot once more.
Anyone familiar with the V23-series firmware, please change the above point if this is only needed on specific revisions
  • Resetting to factory defaults is NOT needed for V24Final and later.

[edit] Configuration

After carefully following the above sections:

Three (3) options:

  • New HotSpot Introduction: Hang a new DD-WRT Device with Chilli, off an existing LAN. Existing LAN is left completely alone. If you have a DHCP server or some custom corporate setup and you don't want to change or alter it, this is the best way.
  • One (1) network: Put both the WLAN & LAN clients on the Chillspot. This is good for people who want to switch entirely over to Chillispot on their LAN and WLAN networks.
  • Two (2) networks: Keep the existing LAN clients on normal services while splitting off the WLAN clients to chilli. This is okay if you already have a DD-WRT box managing services, and you only want the WLAN clients to go to the Chillispot portal page.

[edit] Configuration A: New HotSpot introduction, existing non-DD-WRT subnet

Add chilli hotspot services to an existing network.

The existing network is not changed at all.

All existing clients operate as before.

A connection from the existing network is plugged into the WAN port on the DD-WRT device. Besides changing the DD-WRT Device to allow WAN access to SSHd and the Web Interface, the steps are nearly identical to 'One Network Subnet'. New library access terminals, for instance, can be connected to the LAN ports on the DD-WRT Device.

[edit] Configuration B: One Network Subnet, move all clients to Chillispot

Keep your pre-Chilli setup throughout. Move all clients to chilli. The LAN ports and WIFI are bridged together, and seen as a single network managed by chillispot.

Also known as, 'Separate WLAN from LAN' - Disable.

It is strongly recommended that before doing this, you should access dd-wrt's web interface from the WAN port. If you have a configuration problem with chillispot, you will still be able to access the configuration interface.

This setup is mandatory if you want to use WDS feature (wifi repeaters to extend the wifi range)

Chillispot has it's own DHCP Server. If 'Separate WiFi from LAN Bridge' is disabled, the DD-WRT Device's normal DHCP Server must be off.


Your existing LAN subnet was 192.168.1.x and your DD-WRT Device LAN IP was 192.168.1.1. You have a conflict, as dd-wrt's WAN will be your LAN. So you must change dd-wrt's LAN ip to another subnet.

  1. From the DD-WRT Web Setup page, change the DD-WRT Device LAN IP to another subnet, such as 192.168.2.1 & press Apply.
  2. Reconfigure your LAN client with 192.168.2.10, and reconnect to the Administration Web Site of the DD-WRT Device on 192.168.2.1.
  3. From the Setup (Main page) of the Web Interface, turn off the DD-WRT DHCP Server.
Now, clients are temporarily no longer receiving a DHCP assignment. After enabling and configuration of Chillispot (covered later), Chillispot will create a virtual LAN interface at 192.168.1.1 and provides DHCP Services again on 192.168.1.x for all your Wireless and Wired clients.
Enable Chillispot options:
    1. With build 13064/v24: Services, Hotspot - Chillispot section. or
    2. With v23xx: Administration, Hotspot - Chillispot section.
  1. DHCP Interface: select "LAN" this is the bridge between your LAN ports and the wifi.
  2. Fill in the information provided by the CSP
  3. Enable Chillispot
  4. Continue on to the next section, "Chillispot setup, detailed options".

[edit] Configuration C: Existing DD-WRT router, Chillispot manages only WiFi clients. The existing LAN, after some interruptions, operates as before (same IP's, DHCP services).

Two Networks, WiFi separated from LAN. Existing DD-WRT Device as a Router, adding Chillispot duties


Example: the existing DD-WRT set-up uses 192.168.1.0/24 as the IP range and the DD-WRT Device is at 192.168.1.1. Substitute your own numbers if there is a difference.
  1. 'Separate WiFi from the LAN Bridge' - ENABLE
  2. Enable Chillispot
  3. For build 13064 (10/10/09), DHCP Interface - leave at LAN. Older builds may have to select WLAN.
The previous 3 steps create a configuration called 'Bridge Separation'. It makes ChilliSpot control only your DD-WRT Device's wireless/WiFi. The LAN continues to function without being diverted to Chillispot, just as before. Your LAN ports are also inaccessible by the WiFi-connected computers.

[edit] Chillispot setup: detailed options

  • RADIUS Server 1 As assigned by CSP. the name or IP address of the primary RADIUS server.
  • RADIUS Server 2 As assigned by CSP. the name or IP address of the secondary RADIUS server.
    • If you have only one Radius Server, leave as 0.0.0.0 or specify the same field value of Radius Server 1.
  • DNS IP Your Internet provider's 1st DNS Server. This is available on the DD-WRT Device Status page.
  • Remote Network (1) (AD20110108: bug noted, option missing in build 14929)
  • For One Network, change the default to 192.168.1.0/24, or your old subnet.
  • For Two Networks, it's 192.168.182.0/24 here by default.
  • One could choose something else, like 192.168.155.0/24, so long as it is not the existing DD-WRT LAN subnet.
  • Redirect URL As given by your CSP. The address of the UAM Server, the web authentication portal.
  • Shared Key As given by your CSP. It's also called your RADIUS secret password
  • RADIUS NAS ID As given by your CSP. The RADIUS name of your Hotspot
  • UAM Secret is a secret password between the Redirect URL and the Hotspot. Given by the CSP.
  • UAM AnyDNS Allows Clients to use their own DNS servers. Allows ANY traffic through port 53. Only set this to 1 if you know what you are doing, and can reconfigure IPTABLES properly!
  • UAM Allowed is a list of websites that unauthenticated users are allowed to access.
  • MacAUTH Enabled or Disabled. Allows authentication of clients by their WLAN or LAN card MAC (hardware) address. Not used in this guide.
  • Additional Chillispot Options
    • If your local domain is 'local', then
      domain local
    • Your provider may offer another, optional setting for domain.
    • If your second Internet provider's DNS is for example 4.2.2.4, then for redundancy
      dns2 4.2.2.4
    • To tell Chillispot to limit DHCP addresses to be part of the entire subnet:
  • dynip 192.168.1.128/26 (2)
  • Can be most helpful in a 'one network' subnet setup.
  • Allows fixed IP's to exist from 192.168.1.2 through 127 for your existing devices.
  • Apply Changes/Save, and if needed, reboot your DD-WRT Device.
  • Your Chillispot Hotspot should work now. If you tested your wireless client device before setting up Chillispot, right-click and 'Repair' the WiFi connection in XP to get a new Chillispot-provided IP address.

(1) Remote Network is the same as the net command, found on the Internet, elsewhere in references to ChilliSpot configuration and chilli.conf. net defines the Chillispot network. In DD-WRT, the field is called Remote Network, but it is the same setting as net.

(2) dynip configures chillispot to use a limited range of IP's within the net parameter, as the client DHCP pool, instead of using the entire net range. In this example, address assignments from 192.168.1.128 to 192.168.1.191 are assigned to clients. IP's from 2 through 127 are left for fixed assignments, and can be further specified by statip if DHCP clients come on the network which need a specific address from the chilli DHCP service.

[edit] Tips

If you are not knowledgeable about your LAN security, or have insecure (i.e. poorly configured XP) devices on your LAN, to reduce possible attacks from wireless clients, you can enable the option: "Separate WiFi from the LAN Bridge" (your LAN won't be visible to wireless clients). If you /know/ your LAN is configured as secure, which it should be anyway, and you want to have access to your LAN equipment from your WiFi, then leave "Separate..." Disabled.

  • Chillispot will not start unless it can see the DNS Server specified the Chillispot settings.
  • Note that after reboot, it can take a certain time before a wireless client receives an IP address. Don't forget to switch back to automatic IP assignment (DHCP) on your client when testing!

[edit] Troubleshooting

[edit] Your Client gets a Chillispot IP but no welcome page, or certain websites don't open (MTU Bug)

Maybe you are using a PPPOE modem and you are experiencing the MTU bug?

Add this to your Firewall Commands (Administration tab in the Web Interface, Commands sub-tab): Changes MSS to fit inside Chillispot tunnel. Important so some websites work properly, otherwise 'MTU Bug'

/usr/sbin/iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1421:65535 -j TCPMSS --clamp-mss-to-pmtu

More info in this forum post

[edit] Chillispot fails after awhile, **memory full on router** on low RAM units

This is a common problem when the infrequently-used Web Interface (httpd) is left running.

  • On a HotSpot (DD-WRT Device) with 16 (or less) megabytes of RAM, the chilli process uses 19%.
  • The Web Interface process, httpd, uses 19% also. About 3 megabytes!
  • Newer builds of Chilli are supposed to use less RAM, although DD-WRT may not have these yet.
  • The Web Interface uses a lot of RAM, and in any case, should not be left running on a production router.

[edit] Solution 1: SSHd (run HTTPD only when necessary)

This is most suitable when no secured or direct, wired connection to the HotSpot is available. Or the HotSpot is to be administered over the internet. In this case, an encrypted tunnel is desired to administer the HotSpot.
  1. On the HotSpot Web Interface, go to "Services, Services, Secure Shell", and turn on SSHd, and turn off Telnet.
  2. On "Administration, Management, Web Access", turn off HTTP Access (httpd).
  3. Make sure access to the HotSpot WAN port is available if your setup is Configuration A: Hotspot Only. (See above)
  4. Save/Apply/Reboot as needed.

To use the Web Interface:

  1. For Configuration A, physically plug your laptop into the existing network.
  2. For Configuration B or C, physically plug your laptop into a LAN port on the DD-WRT Device.
    1. Open your browser and log in to the ChilliSpot page as if you want to use the internet, as Chilli's firewall rules will block your client from connecting to the DD-WRT Device/HotSpot otherwise.
  3. Putty (SSH) into the DD-WRT Device.
    1. The command may look like "putty 192.168.182.1" or
    2. "putty 192.168.182.1 -P 60000", where 60000 is the chosen port number, if you changed the SSH port.
  4. Enter "httpd". (The command to restart httpd is different on older versions of DD-WRT (v23sp2))
  5. Open the Web Interface address on your client's browser.
  6. When you are finished, enter "killall httpd".

[edit] Solution 2: Telnetd alternate, in place of SSHd. Added: 2009.11.11

Telnetd uses less RAM than SSHd, however it is a completely insecure (clear-text) method to connect to the HotSpot.
The solution requires a direct, wired connection to the HotSpot for administration.
  1. Bring up the Web Interface of the DD-WRT Device.
  2. In "Administration, Management, Web Access", turn off HTTP Access (httpd).
  3. In "Services, Services, Secure Shell": Turn off SSHd.
  4. Scroll down and turn on Telnet (telnetd).
  5. Save changes

To use the Web Interface:

  1. Make sure your workstation or laptop data is secure to the HotSpot.
    1. Anyone who can monitor the traffic can see the root password sent to the HotSpot
  2. From a cmd prompt (Windows) or Linux: "telnet routerip"
  3. Enter "httpd" (only current versions of DD-WRT. v23sp2 requires a different command to start HTTPd.)
  4. In your browser: http://routerip. Log in.
  5. When finished, at the telnet prompt type: "killall httpd" <enter>

[edit] Use the "top" command to check memory usage

After using Solution 2, here is the "top" output:

Mem: 9012K used, 3992K free, 0K shrd, 1136K buff, 2836K cached CPU: 0.1% usr 2.9% sys 0.0% nic 96.8% idle 0.0% io 0.0% irq 0.0% sirq Load average: 0.72 0.29 0.10 1/22 778
PID PPID USER STAT VSZ %MEM %CPU COMMAND

 417   214 root     R     1184  9.0  0.4 top
 500     1 root     S     2500 19.1  0.2 chilli -c /tmp/chilli.conf
 157     1 root     S     1176  9.0  0.2 telnetd
 210     1 root     S     1660 12.7  0.0 pppd file /tmp/ppp/options.pppoe
 211     1 root     S     1504 11.5  0.0 /tmp/ppp/redial 30
  14     1 root     S     1504 11.5  0.0 watchdog
   1     0 root     S     1468 11.2  0.0 /sbin/init noinitrd
 454     1 root     S     1460 11.1  0.0 process_monitor
 221     1 root     S     1460 11.1  0.0 ttraff
 739     1 root     S     1460 11.1  0.0 wland
 214   157 root     S     1196  9.1  0.0 -sh
 511     1 root     S     1176  9.0  0.0 syslogd -R 192.168.xxx.xxx
 515     1 root     S     1176  9.0  0.0 klogd
 505     1 root     S      820  6.2  0.0 inadyn --input_file /tmp/ddns/inadyn.conf
 756     1 root     S      692  5.3  0.0 igmprt
  10     1 root     SW       0  0.0  0.0 [mtdblockd]
 545   505 root     Z        0  0.0  0.0 [sh]
   2     1 root     SW       0  0.0  0.0 [keventd]
   6     1 root     SW       0  0.0  0.0 [kupdated]
   3     1 root     SWN      0  0.0  0.0 [ksoftirqd_CPU0]
   4     1 root     SW       0  0.0  0.0 [kswapd]
   5     1 root     SW       0  0.0  0.0 [bdflush]

[edit] DD-WRT Firmware: Administration/Hotspot/Chillispot tab does not show

Make sure you are using a package that includes chillispot. Chillispot is not in the micro and mini versions of dd-wrt (consult this table).

[edit] Connection Failed on v23 Firmware

If your client does not recieve a Chillispot IP address you may have changed the Chillispot DHCP Interface. On older versions of DD-WRT Firmware, touching this setting breaks Chillispot. A fix is to reset to factory defaults and re-enter all your settings or use newer firmware.

If the UAM Secret you entered in Chillispot Settings is incorrect, you will have an authentication failure.

If the RADIUS Shared Secret is incorrect, the login process will hang.

[edit] More troubleshooting tips

If it does not work, you must connect with ssh or telnet to your router.

login: root 
password: <your password>

First, check that you have internet access:

ping google.com

If internet works from your router but you don't have chillispot working, check first that the chillispot process is launched with

ps -ef

You should see a "chilli -c /tmp/chilli.conf" process. If not, recheck your chillispot settings. For example, if you put a whitespace in the NAS ID, the chilli process won't launch.

[edit] Usefull Links

Captiv Portal

[edit] External Links

www.ChilliSpot.info