    Outbound NAT for chillispot network by line command

      saso

      Hello everybody,

      I have installed Chillispot on a pfSense machine. Everything works fine, and when I start chilli a tun0 interface is enabled to serve the 192.168.182.0 net.
      The problem is getting a connection to the outside world: in fact, after I logged in through the chillispot login page I can't contact any host on the internet. I suppose, and I'm quite sure, the problem is related to the NAT for the tun0 interface created by the chillispot process. How can I create an outbound NAT rule for this interface? I think it's possible from the command line but I don't know what the command is. Is it IPFW or IPTABLE or….. ?
      One more thing: after I get access through the chillispot login, I can ping the WAN interface but I can't reach the gateway.

      Thanks in advance for your help

      Saso

        hoba

        Firewall>NAT, outbound. Enable manual outbound NAT and add the missing items there. Also make sure your firewall rules allow traffic on the incoming interface for that subnet.

          saso

          I tried your suggestion but it still does not work. I can always reach the WAN interface but not the GW.

          Just to avoid mistake I'm going to describe what is my test bench:

          GW (100.100.100.1) ----- (100.100.100.11) WAN pfSense machine LAN (192.168.5.1) + TUN0_Chilli (192.168.182.1) ------ Client_Chilli (192.168.182.x)
                                                                         |
                                                                         |
                                                             Client LAN (192.168.5.5)

          From Client LAN (192.168.5.5) I can ping the WAN interface and the GW too, but from Client Chilli I can ping the LAN interface of the pfSense machine and the WAN interface too, but I cannot reach the GW or Client LAN.

          Attached is a picture of the NAT settings made after your suggestion.
          Any idea??

          Thanks

          outboundNAT.JPG

            hoba

            What's that in the alerter? That looks like you have some kind of error. Please paste the complete line of the error. You'll find it in the system logs as well. It's easier to copy/paste from there.

              saso

              That is what I see in the system log

              --------------------------------------------

              Apr 5 11:59:03 check_reload_status: reloading filter
              Apr 5 11:59:04 php: : New alert found: There were error(s) loading the rules: pfctl: DIOCSETSTATUSIF The line in question reads [ DIOCSETSTATUSIF]:
              Apr 5 11:59:04 php: : There were error(s) loading the rules: pfctl: DIOCSETSTATUSIF - The line in question reads [ DIOCSETSTATUSIF]:
              Apr 5 11:59:09 check_reload_status: reloading filter
              Apr 5 11:59:10 php: : New alert found: There were error(s) loading the rules: pfctl: DIOCSETSTATUSIF The line in question reads [ DIOCSETSTATUSIF]:
              Apr 5 11:59:10 php: : There were error(s) loading the rules: pfctl: DIOCSETSTATUSIF - The line in question reads [ DIOCSETSTATUSIF]:
              Apr 5 16:00:00 check_reload_status: check_reload_status is starting
              Apr 5 16:30:01 check_reload_status: check_reload_status is starting
              Apr 5 16:35:00 check_reload_status: check_reload_status is starting
              Apr 5 17:12:57 check_reload_status: reloading filter
              Apr 5 17:13:00 php: : New alert found: There were error(s) loading the rules: pfctl: DIOCSETSTATUSIF The line in question reads [ DIOCSETSTATUSIF]:
              Apr 5 17:13:00 php: : There were error(s) loading the rules: pfctl: DIOCSETSTATUSIF - The line in question reads [ DIOCSETSTATUSIF]:
              Apr 5 17:13:55 check_reload_status: reloading filter
              Apr 5 17:13:56 php: : New alert found: There were error(s) loading the rules: pfctl: DIOCSETSTATUSIF The line in question reads [ DIOCSETSTATUSIF]:
              Apr 5 17:13:56 php: : There were error(s) loading the rules: pfctl: DIOCSETSTATUSIF - The line in question reads [ DIOCSETSTATUSIF]:
              Apr 5 17:15:53 check_reload_status: reloading filter
              Apr 5 17:15:54 php: : New alert found: There were error(s) loading the rules: pfctl: DIOCSETSTATUSIF The line in question reads [ DIOCSETSTATUSIF]:
              Apr 5 17:15:54 php: : There were error(s) loading the rules: pfctl: DIOCSETSTATUSIF - The line in question reads [ DIOCSETSTATUSIF]:
              Apr 5 17:35:00 check_reload_status: check_reload_status is starting
              Apr 5 20:06:07 sshd[48227]: error: PAM: authentication error for root from 192.168.5.5
              Apr 5 20:06:07 sshd[48227]: error: PAM: authentication error for root from 192.168.5.5
              Apr 5 20:06:07 sshlockout[48240]: sshlockout starting up
              Apr 5 20:06:07 sshlockout[48240]: sshlockout starting up
              Apr 5 20:06:13 sshd[48227]: Accepted keyboard-interactive/pam for root from 192.168.5.5 port 2484 ssh2
              Apr 5 20:06:50 chillispot[48268]: ChilliSpot 1.0. Copyright 2002-2005 Mondru AB. Licensed under GPL. See http://www.chillispot.org for credits.
              Apr 5 20:06:51 chillispot[48268]: chilli.c: 3083: New DHCP request from MAC=00-50-56-C0-00-01
              Apr 5 20:06:51 chillispot[48268]: chilli.c: 3083: New DHCP request from MAC=00-50-56-C0-00-01
              Apr 5 20:06:51 chillispot[48268]: chilli.c: 3053: Client MAC=00-50-56-C0-00-01 assigned IP 192.168.182.2
              Apr 5 20:06:51 chillispot[48268]: chilli.c: 3053: Client MAC=00-50-56-C0-00-01 assigned IP 192.168.182.2
              Apr 5 20:06:54 chillispot[48268]: chilli.c: 3083: New DHCP request from MAC=00-0C-29-00-37-83
              Apr 5 20:06:54 chillispot[48268]: chilli.c: 3083: New DHCP request from MAC=00-0C-29-00-37-83
              Apr 5 20:06:54 chillispot[48268]: chilli.c: 3053: Client MAC=00-0C-29-00-37-83 assigned IP 192.168.182.3
              Apr 5 20:06:54 chillispot[48268]: chilli.c: 3053: Client MAC=00-0C-29-00-37-83 assigned IP 192.168.182.3
              Apr 5 20:09:09 chillispot[48268]: chilli.c: 3327: Successful UAM login from username=sasso IP=192.168.182.3
              Apr 5 20:09:09 chillispot[48268]: chilli.c: 3327: Successful UAM login from username=sasso IP=192.168.182.3
              Apr 5 20:14:48 check_reload_status: reloading filter
              Apr 5 20:14:50 php: : New alert found: There were error(s) loading the rules: pfctl: DIOCSETSTATUSIF The line in question reads [ DIOCSETSTATUSIF]:
              Apr 5 20:14:50 php: : There were error(s) loading the rules: pfctl: DIOCSETSTATUSIF - The line in question reads [ DIOCSETSTATUSIF]:
              Apr 5 20:15:24 syslogd: exiting on signal 15
              Apr 5 20:15:25 syslogd: kernel boot file is /boot/kernel/kernel
              Apr 5 21:06:50 chillispot[48268]: chilli.c: 864: Rereading configuration file and doing DNS lookup
              Apr 5 22:06:50 chillispot[48268]: chilli.c: 864: Rereading configuration file and doing DNS lookup
              Apr 5 22:20:48 check_reload_status: reloading filter
              Apr 5 22:20:50 php: : New alert found: There were error(s) loading the rules: pfctl: DIOCSETSTATUSIF The line in question reads [ DIOCSETSTATUSIF]:
              Apr 5 22:20:50 php: : There were error(s) loading the rules: pfctl: DIOCSETSTATUSIF - The line in question reads [ DIOCSETSTATUSIF]:
              Apr 5 22:38:07 check_reload_status: reloading filter
              Apr 5 22:38:08 php: : New alert found: There were error(s) loading the rules: pfctl: DIOCSETSTATUSIF The line in question reads [ DIOCSETSTATUSIF]:
              Apr 5 22:38:08 php: : There were error(s) loading the rules: pfctl: DIOCSETSTATUSIF - The line in question reads [ DIOCSETSTATUSIF]:
              Apr 5 23:06:50 chillispot[48268]: chilli.c: 864: Rereading configuration file and doing DNS lookup
              Apr 6 00:06:50 chillispot[48268]: chilli.c: 864: Rereading configuration file and doing DNS lookup

              --------------------------------------------

                hoba

                As the webgui doesn't know anything about the tun interface created by chillispot, the generated ruleset is somehow broken. This is not supported. Don't know how to help you here.

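As an added example (not part of the thread and not pfSense code): a small sh/awk filter that pairs each `reloading filter` entry in a log like the one posted above with the `pfctl` error that follows it, so reloads whose ruleset load reported an error are easy to spot. The function names are hypothetical; the sample lines are copied from the post above except the last one, which is constructed to show a clean reload, and the script assumes the error is logged before the next reload starts.

```shell
#!/bin/sh
# Added example: report the outcome of every pf filter reload in a system log.

# Sample input. All lines are copied from the log in the thread, except the
# final "Apr 6 09:00:00" line, which is constructed to show a clean reload.
sample_log() {
cat <<'EOF'
Apr 5 17:15:53 check_reload_status: reloading filter
Apr 5 17:15:54 php: : New alert found: There were error(s) loading the rules: pfctl: DIOCSETSTATUSIF The line in question reads [ DIOCSETSTATUSIF]:
Apr 5 17:15:54 php: : There were error(s) loading the rules: pfctl: DIOCSETSTATUSIF - The line in question reads [ DIOCSETSTATUSIF]:
Apr 5 17:35:00 check_reload_status: check_reload_status is starting
Apr 5 20:06:51 chillispot[48268]: chilli.c: 3053: Client MAC=00-50-56-C0-00-01 assigned IP 192.168.182.2
Apr 5 20:14:48 check_reload_status: reloading filter
Apr 5 20:14:50 php: : New alert found: There were error(s) loading the rules: pfctl: DIOCSETSTATUSIF The line in question reads [ DIOCSETSTATUSIF]:
Apr 5 20:14:50 php: : There were error(s) loading the rules: pfctl: DIOCSETSTATUSIF - The line in question reads [ DIOCSETSTATUSIF]:
Apr 5 20:15:24 syslogd: exiting on signal 15
Apr 6 09:00:00 check_reload_status: reloading filter
EOF
}

# Read syslog text on stdin; print "<timestamp> OK" or
# "<timestamp> FAILED <error>" for each filter reload.
reload_outcomes() {
awk '
# Print the reload being tracked (if any) with its outcome, then reset.
function emit() {
    if (pending != "") print pending, (err != "" ? "FAILED " err : "OK")
    pending = ""; err = ""
}
/check_reload_status: reloading filter/ { emit(); pending = $1 " " $2 " " $3; next }
pending != "" && /There were error\(s\) loading the rules:/ {
    # The alert line and the plain php line repeat the same error: keep it once.
    msg = $0
    sub(/.*loading the rules: /, "", msg)
    sub(/ (- )?The line in question.*/, "", msg)
    err = msg
}
END { emit() }
'
}

# Count the reloads that reported a rule-loading error.
failed_reload_count() {
    reload_outcomes | awk '/ FAILED /{ n++ } END { print n + 0 }'
}

sample_log | reload_outcomes
```

On the sample, both reloads taken from the thread are reported as FAILED with `pfctl: DIOCSETSTATUSIF`, and only the constructed one is OK.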
                  saso

                  I supposed something like that, but can I do any operation manually from the command line via the console?
                  Is there a place (script or something else) where I can look in pfSense?

                  However, many thanks for your support

                    hoba

                    Everything you do at the console level will be replaced and regenerated sooner or later (bootup, changes in webgui, status change when using policybasedrouting/multiwan,…). Fwiw go to diagnostics>edit file and open /tmp/rules.debug. That is the autogenerated ruleset. For everything else (modifying the code that generates the rulesfile) check out our cvs at http://cvs.pfsense.org/cgi-bin/cvsweb.cgi/pfSense/ . If you come up with something it would be nice if you could create a chillispot package  ;)

                      saso

                      Ok, thanks for this tip. Can I ask for some more info on how rules.debug is generated?
                      Which file generates rules.debug? One more thing: once the file is generated, what is the command to reload the new rules included in the file?
                      I'm asking because I would like to start changing the rules.debug file manually and reload the new rules, just to understand what the right setting to include in the file is, and afterwards I will try to generate it automatically  :)

                        hoba

                        I'm not that familiar with that part of the code. You have to do your own investigation in our cvs-web.

                          saso

                          OK, I found the command to reload the rules.debug file. It should be pfctl -f /tmp/rules.debug
                          However, I solved the problem since I deleted the third interface: in my configuration I had created a second LAN2 which was never used, but as long as it was there I always got an error when I tried to run the pfctl command manually. After I deleted it, pfctl worked fine without error, and so did the NAT.
                          Obviously it needs the outbound NAT rule set as in the picture I sent before.

                          If you want, I can try to create a package for chillispot, but I need some more details on how to build the package under pfSense. If you can give me some indication I will be happy to try to arrange the package.  ;)

                            hoba

                            Check http://devwiki.pfsense.org/PfSenseDevHome for some development related info. Also try to learn from one of the other packages. You can check them out here: http://cvs.pfsense.org/cgi-bin/cvsweb.cgi/tools/packages/
