Simple Free Radius


Supermind Consulting Blog
Solr - ElasticSearch - Big Data

Modifying EasyHotSpot 0.2 for per-user daily bandwidth quotas

Posted by Kelvin on 03 Apr 2011 at 05:10 pm | Tagged as: Ubuntu

This entry is part 4 of 5 in the Ubuntu Hotspot with Daily Per-User Quotas series

First of all, I'll say this: if it's at all possible to install the Ubuntu distro of EasyHotSpot (available from the EasyHotSpot download page), do so!

I couldn't, because I couldn't get Ubuntu 10.04 installed on my antique laptop, which I was going to use as the internet gateway. Only Ubuntu 10.10 worked. I therefore had to install ChilliSpot, FreeRADIUS etc. and configure them separately, which was a real pain.

Secondly, if you read the documentation for EasyHotSpot, nowhere is there any mention of support for per-user bandwidth quotas. Well, my realization was that, since all the accounting is handled in MySQL, all I needed to do to simulate daily quotas was to set up a cron job which runs daily at midnight and clears out the table containing the bandwidth usage data. I'll be providing that script later on.

So, I'm assuming you've already read through the EasyHotSpot 0.2 PDF user guide and followed its instructions. Here are my comments on the installation process.

DNS in /etc/chilli.conf matters

I found out that my clients couldn't get an IP address when the DNS servers (dns1/dns2) in /etc/chilli.conf weren't accurate. ChilliSpot hands those addresses to clients in its DHCP lease, so check them before you blame DHCP itself.

uamallowed in /etc/chilli.conf

If your clients are getting an IP address but are not being redirected to the captive portal login page, check that the relevant subnets have been added to uamallowed. To be safe, I added both the tunnel and LAN subnets. Keep in mind what uamallowed is: ChilliSpot's walled garden. Every host or network listed there is reachable by clients before they authenticate, so listing the LAN subnet exposes the LAN to unauthenticated hotspot users; trim the list to what you actually need reachable (the portal, at least) once things work.

uamallowed 192.168.182.0/24,192.168.1.0/24

dnsmasq is also a DHCP server!

dnsmasq hands out DHCP leases by default, and two DHCP servers on the same segment race each other for the clients, so it must not answer on the interface ChilliSpot is serving. I think I may have had to disable the DHCP server on the interfaces that ChilliSpot was running on.

In /etc/dnsmasq.conf, add this:

no-dhcp-interface=eth0

sqlcounter max_all_mb patch

The EasyHotSpot docs tell you to add this to /etc/freeradius/sql/mysql/counter.conf:

sqlcounter max_all_mb {
	counter-name = Max-All-MB
	check-name = Max-All-MB
	reply-name = ChilliSpot-Max-Total-Octets
	sqlmod-inst = sql
	key = User-Name
	reset = never
	query = "SELECT SUM(AcctInputOctets)/(1024*1024) + SUM(AcctOutputOctets)/(1024*1024) FROM radacct WHERE UserName='%{%k}'"
}

This, however, didn't work for me. I got some "2043939944 is not an octet" error in FreeRADIUS. The problem is the units: the query converts AcctInputOctets and AcctOutputOctets to megabytes, but the reply attribute it feeds, ChilliSpot-Max-Total-Octets, is in bytes. Note what the change implies: rlm_sqlcounter compares the query result directly with the Max-All-MB check item and puts the difference into the reply attribute, so once the query returns bytes, whatever writes Max-All-MB must be storing bytes as well, whatever the attribute's name suggests. Also, reset = never makes this a lifetime counter; the midnight truncation script later in this post is what turns it into a daily quota. This is what I changed it to:

sqlcounter max_all_mb {
	counter-name = Max-All-MB
	check-name = Max-All-MB
	reply-name = ChilliSpot-Max-Total-Octets
	sqlmod-inst = sql
	key = User-Name
	reset = never
	#query = "SELECT SUM(AcctInputOctets)/(1024*1024) + SUM(AcctOutputOctets)/(1024*1024) FROM radacct WHERE UserName='%{%k}'"
	query = "SELECT SUM(AcctInputOctets) + SUM(AcctOutputOctets) FROM radacct WHERE UserName='%{%k}'"
}

/etc/freeradius/sites-available/default changes

In addition to the changes recommended by EasyHotSpot, I had to comment out the following (chap in the authorize section, radutmp in the session section):

chap authentication

#
#  The chap module will set 'Auth-Type := CHAP' if we are
#  handling a CHAP request and Auth-Type has not already been set
#	chap

radutmp session database

FreeRADIUS was giving me a stupid "Access Denied: this user is already logged-in" error. Commenting out radutmp fixed this. That message comes from the Simultaneous-Use check, which the session section performs against the radutmp file, so commenting radutmp out removes the check altogether. If you still want Simultaneous-Use enforced, enable sql in the session section instead, which does the same check against radacct (as the comment in the config itself points out).

#  or rlm_sql module can handle this.
#  The rlm_sql module is *much* faster
session {
#	radutmp

iptables

If you're logged in successfully but can't get access to the internet, you most likely need to add iptables NAT and forwarding rules. Here's mine. It assumes IP forwarding is already enabled in the kernel (net.ipv4.ip_forward=1) and that the FORWARD chain's policy lets traffic from tun0 out through the external interface; the script itself only adds the proxy redirect, the HTTPS logging and the masquerading.

IPTABLES="/sbin/iptables"
EXTIF="eth1"
INTIF="eth0"

# squid: transparently redirect client HTTP to the local proxy, and log new HTTPS connections
$IPTABLES -t nat -A PREROUTING -i tun0 -p tcp --dport 80 -j REDIRECT --to-ports 3128
$IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp --dport 80 -j REDIRECT --to-ports 3128
$IPTABLES -I FORWARD 1 -i tun0 -p tcp --dport 443 -m conntrack --ctstate NEW -j LOG --log-prefix "HOTSPOT:"
$IPTABLES -I FORWARD 1 -i $INTIF -p tcp --dport 443 -m conntrack --ctstate NEW -j LOG --log-prefix "HOTSPOT:"

# Enable NAT on output device
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

Transparent Squid3 proxy

If you set this up correctly, users won't have to change their browser settings to use your squid proxy; the proxying will be "transparent" to them, because the REDIRECT rules above send their port-80 traffic to squid on port 3128.

Here's my squid.conf. Note the use of url_rewrite_program to hand URLs to squidGuard; you can comment that out if you don't need it. Two things to check before going live: http_port 3128 transparent is the Squid 3.0 spelling, which later releases call intercept; and http_access allow all makes squid an open proxy for anything that can reach port 3128, so either bind http_port to the internal address only or restrict http_access to the hotspot subnets and deny everything else.

http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
access_log /var/log/squid3/access.log squid
hosts_file /etc/hosts
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern .		0	20%	4320

# newer Squid's don't need "all", it's built in:
#acl all src all

url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf

# 10000MB max cache size (default is 100MB):
cache_dir ufs /var/spool/squid3 10000 16 256

http_access allow all
http_reply_access allow all
icp_access allow all
always_direct allow all
coredump_dir /var/spool/squid3

Daily quota reset with shell script

Here's the shell script I'm using to reset quotas. Additionally, I'm saving the bandwidth usage to a separate table (radacct_totals) so I have historical usage. The script relies on the rad user's credentials coming from a ~/.my.cnf (or the account having no password); don't put the password on the command line, where it is visible in ps.

#!/bin/sh

# turn off FreeRADIUS so nothing writes to radacct while we roll it over
/etc/init.d/freeradius stop

# update radacct_totals: SUM() is needed because a user re-authenticating
# during the day has several radacct rows, and a non-aggregated column
# under GROUP BY would only carry one of them
echo 'INSERT IGNORE INTO radacct_totals(username, upload, download, date) SELECT username, SUM(acctinputoctets) AS upload, SUM(acctoutputoctets) AS download, DATE(NOW()) FROM radacct GROUP BY username' | mysql -u rad radius -B

# truncate radacct so the sqlcounter query starts from zero
echo 'TRUNCATE radacct' | mysql -u rad radius -B

# start FreeRADIUS
/etc/init.d/freeradius start

I don't have the schema DDL of radacct_totals handy, but as you can see it's a pretty simple table, with a compound primary key on username and date. One thing to be aware of: because the job runs at midnight, DATE(NOW()) stamps the row with the new day, not the day the traffic actually happened; subtract a day in the INSERT if you want the history dated the other way.

You'll need to add this as a cron job that runs daily at 12 midnight.
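As an added example, not code from the post, the following Python script models the two sqlcounter queries from the counter.conf section and the midnight roll-up script above in an in-memory sqlite3 database, so the byte/megabyte mismatch and the reset behaviour can be checked without a live FreeRADIUS or MySQL. The radacct column names follow FreeRADIUS's stock schema; the radacct_totals layout is assumed from the description above (username, upload, download, date with a compound primary key); the sample sessions are constructed.

```python
import sqlite3

MB = 1024 * 1024

# Constructed sample radacct rows (UserName, AcctInputOctets, AcctOutputOctets).
# alice has two sessions in the day, which is exactly the case the roll-up must SUM.
SAMPLE_SESSIONS = [
    ("alice", 10 * MB, 20 * MB),
    ("alice", 1 * MB, 2 * MB),
    ("bob", 5 * MB, 5 * MB),
]

# The two counter queries from the post; the %{%k} key becomes a bound parameter.
QUERY_MB = ("SELECT SUM(AcctInputOctets)/(1024*1024) + SUM(AcctOutputOctets)/(1024*1024) "
            "FROM radacct WHERE UserName=?")
QUERY_BYTES = "SELECT SUM(AcctInputOctets) + SUM(AcctOutputOctets) FROM radacct WHERE UserName=?"


def fresh_db():
    """In-memory stand-in for the radius database with the two tables the post uses.
    radacct keeps only the columns the queries touch; radacct_totals is the assumed
    layout of the history table (compound primary key on username and date)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE radacct (
            RadAcctId INTEGER PRIMARY KEY,
            UserName TEXT NOT NULL,
            AcctInputOctets INTEGER NOT NULL DEFAULT 0,
            AcctOutputOctets INTEGER NOT NULL DEFAULT 0
        );
        CREATE TABLE radacct_totals (
            username TEXT NOT NULL,
            upload INTEGER NOT NULL,
            download INTEGER NOT NULL,
            date TEXT NOT NULL,
            PRIMARY KEY (username, date)
        );
    """)
    db.executemany(
        "INSERT INTO radacct (UserName, AcctInputOctets, AcctOutputOctets) VALUES (?, ?, ?)",
        SAMPLE_SESSIONS,
    )
    db.commit()
    return db


def sqlcounter(db, query, user, check_value):
    """Model of what rlm_sqlcounter does with the max_all_mb instance: run the counter
    query, compare the result with the Max-All-MB check item and, if the user is still
    under it, return the value that lands in ChilliSpot-Max-Total-Octets (check minus
    counter).  Returns None when the user is over quota, i.e. Access-Reject."""
    counter = db.execute(query, (user,)).fetchone()[0] or 0  # SUM over no rows is NULL
    if counter >= check_value:
        return None
    return check_value - counter


def daily_rollup(db, day):
    """The midnight script minus the service stop/start: save per-user totals for the
    day into radacct_totals, then empty radacct so the counter starts from zero.
    sqlite spells INSERT IGNORE as INSERT OR IGNORE and has no TRUNCATE; the day is
    passed in instead of DATE(NOW()).  Returns the totals stored for that day."""
    db.execute(
        """INSERT OR IGNORE INTO radacct_totals (username, upload, download, date)
           SELECT UserName, SUM(AcctInputOctets), SUM(AcctOutputOctets), ?
           FROM radacct GROUP BY UserName""",
        (day,),
    )
    db.execute("DELETE FROM radacct")
    db.commit()
    rows = db.execute(
        "SELECT username, upload, download FROM radacct_totals WHERE date = ?", (day,)
    )
    return {username: (upload, download) for username, upload, download in rows}


def radacct_row_count(db):
    return db.execute("SELECT COUNT(*) FROM radacct").fetchone()[0]


if __name__ == "__main__":
    db = fresh_db()
    # MB query with a check item of 100 (MB): the reply attribute gets 67, which
    # ChilliSpot reads as 67 bytes of remaining quota.
    print("MB query, Max-All-MB=100:", sqlcounter(db, QUERY_MB, "alice", 100))
    # Byte query with the check item in bytes as well: 67 MB of headroom.
    print("byte query, Max-All-MB=100MB:", sqlcounter(db, QUERY_BYTES, "alice", 100 * MB))
    # Byte query but the check item left at 100: rejected after the first 100 bytes.
    print("byte query, Max-All-MB=100:", sqlcounter(db, QUERY_BYTES, "alice", 100))
    print("roll-up:", daily_rollup(db, "2011-04-03"))
    print("radacct rows left:", radacct_row_count(db))
```

Run it as a script to see the three counter outcomes side by side; the third one is the trap to watch for when you switch the query to bytes without also switching whatever writes Max-All-MB. After daily_rollup the same counter query returns the full quota again, which is all the midnight cron job is doing.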