Modifying EasyHotSpot 0.2 for per-user daily bandwidth quotas
Posted by Kelvin on 03 Apr 2011 at 05:10 pm | Tagged as: Ubuntu
First of all, I'll say this – if its at all possible to install the Ubuntu distro of EasyHotSpot (available from the EasyHotSpot download page), do so!
I couldn't because I couldn't get Ubuntu 10.04 installed on my antique laptop which I was going to use as the internet gateway. Only Ubuntu 10.10 worked. I therefore had to install Chillispot, FreeRadius etc and configure them separately, which was a real pain.
Secondly, if you read the documentation for EasyHotSpot, nowhere is there any mention of support for per-user bandwidth quotas. 🙂
Well, my realization was that, since all the accounting is handled in MySQL, all I needed to do to simulate daily quotas was to setup a cron job which runs daily at midnight which clears out the relevant tables which contains the bandwidth usage data. I'll be providing that script later on…
So, I'm assuming you've already read through the EasyHotSpot 0.2 PDF user guide and followed its instructions. Here are my comments on the installation process.
DNS in /etc/chilli.conf matters
I found out that my clients couldn't get an IP address when the DNS servers in /etc/chilli.conf weren't accurate.
uamallowed in /etc/chilli.conf
If your clients are getting an IP Address but not redirecting to the captive portal login page, then check uamallowed, that the relevant subnets have been added. To be safe, I added both tunnel and LAN subnets.
uamallowed 192.168.182.0/24,192.168.1.0/24
dnsmasq is also a DHCP server!
I think I may have had to disable the DHCP servers on the interfaces that Chillispot was running on.
In /etc/dnsmasq.conf, add this:
no-dhcp-interface=eth0
sqlcounter max_all_mb patch
In EasyHotSpot docs, it tells you to add this to /etc/freeradius/sql/mysql/counter.conf
sqlcounter max_all_mb { counter-name = Max-All-MB check-name = Max-All-MB reply-name = ChilliSpot-Max-Total-Octets sqlmod-inst = sql key = User-Name reset = never query = "SELECT SUM(AcctInputOctets)/(1024*1024) + SUM(AcctOutputOctets)/ (1024*1024) FROM radacct WHERE UserName='%{%k}'" }
This, however, somehow didn't work for me. I got some "2043939944 is not an octet" error in FreeRadius. The problem was that the query converts acctinputoctets and acctoutputoctets to megabytes, but FreeRadius was expecting bytes. This is what I changed it to:
sqlcounter max_all_mb { counter-name = Max-All-MB check-name = Max-All-MB reply-name = ChilliSpot-Max-Total-Octets sqlmod-inst = sql key = User-Name reset = never #query = "SELECT SUM(AcctInputOctets)/(1024*1024) + SUM(AcctOutputOctets)/ (1024*1024) FROM radacct WHERE UserName='%{%k}'" query = "SELECT SUM(AcctInputOctets) + SUM(AcctOutputOctets) FROM radacct WHERE UserName='%{%k}'" }
/etc/freeradius/sites-available/default changes
In addition to changes recommended by EasyHotSpot, I had to comment out the following:
– chap authentication
# # The chap module will set 'Auth-Type := CHAP' if we are # handling a CHAP request and Auth-Type has not already been set # chap
– radutmp session database
FreeRadius was giving me a stupid "Access Defined – this user is already logged-in" error. Commenting out radutmp fixed this.
# or rlm_sql module can handle this. # The rlm_sql module is *much* faster session { # radutmp
iptables
If you're logged-in successfully but can't get access to the internet, you most likely need to add iptables forwarding rules. Here's mine.
IPTABLES="/sbin/iptables" EXTIF="eth1" INTIF="eth0" # squid $IPTABLES -t nat -A PREROUTING -i tun0 -p tcp --dport 80 -j REDIRECT --to 3128 $IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to 3128 $IPTABLES -I FORWARD 1 -i tun0 -p tcp --dport 443 -m conntrack --ctstate NEW -j LOG --log-prefix HOTSPOT: $IPTABLES -I FORWARD 1 -i eth0 -p tcp --dport 443 -m conntrack --ctstate NEW -j LOG --log-prefix HOTSPOT: #Enable NAT on output device $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
Transparent Squid3 proxy
If you set this up correctly, users won't have to change their browser setting to use your squid proxy. The proxying will be "transparent" to them.
Here's my squid.conf.
Note the use of url_rewrite to squidguard. You can comment that out if you don't need it.
http_port 3128 transparent hierarchy_stoplist cgi-bin ? acl QUERY urlpath_regex cgi-bin \? cache deny QUERY acl apache rep_header Server ^Apache access_log /var/log/squid3/access.log squid hosts_file /etc/hosts refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern . 0 20% 4320 # newer Squid's don't need "all", it's built in: #acl all src all url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf # 10000MB max cache size (default is 100MB): cache_dir ufs /var/spool/squid3 10000 16 256 http_access allow all http_reply_access allow all icp_access allow all always_direct allow all coredump_dir /var/spool/squid3
Daily quota reset with shell script
Here's the shell script I'm using to reset quotas. Additionally, I'm saving the bandwidth usages to a separate table (radacct_totals) so I have historical usage.
#!/bin/sh #turn off free radius /etc/init.d/freeradius stop #update radacct_totals echo 'INSERT IGNORE INTO radacct_totals(username, upload, download, DATE) SELECT username, acctinputoctets AS uploads, acctoutputoctets AS downloads, DATE(now()) FROM radacct GROUP BY username' | mysql -u rad radius -B #truncate radacct_totals echo 'truncate radacct' | mysql -u rad radius -B #start free radius /etc/init.d/freeradius start
I don't have the schema DDL of radacct_totals handy, but as you can see, its a pretty simple table, with compound primary key on username and date.
You'll need to add this as a cronjob, daily at 12 midnight.
- Customized Ubuntu Captive Portal solution with per-user bandwidth quotas
- Features for the Captive Portal
- EasyHotSpot – what it is and isn't
- Modifying EasyHotSpot 0.2 for per-user daily bandwidth quotas
- Improving EasyHotSpot usability