Outbound NAT for chillispot network by line command



  • Hello everybody,

    I have installed Chillispot on a pfSense machine; everything works fine, and when I start chilli a tun0 interface is enabled to serve the 192.168.182.0 net.
    The problem is getting the connection to the external world; in fact, after I log in via the chillispot login page I can't contact any host on the internet. I suppose, and I'm quite sure, the problem is related to the NAT for the tun0 interface created by the chillispot process. How can I create a rule for the outbound NAT for this interface? I think it's possible by command line but I don't know what the command is. Is it IPFW or iptables or…?
    One more thing: after I get access through the chillispot login, I can ping the WAN interface but I can't reach the gateway.

    Thanks in advance for your help

    Saso



  • Firewall > NAT, Outbound. Enable manual outbound NAT and add the missing items there. Also make sure your firewall rules allow traffic on the incoming interface for that subnet.



  • I tried your suggestion but it still doesn't work. I can always reach the WAN interface but not the GW.

    Just to avoid mistakes, I'm going to describe my test bench:

    GW (100.100.100.1) ---- (100.100.100.11) WAN pfSense Machine LAN (192.168.5.1 ) + TUN0_Chilli (192.168.182.1) ------Client_Chilli (192.168.182.x)
                                                                                                  |
                                                                                                  |
                                                                                                  |
                                                                                                  |
                                                                                                Client LAN(192.168.5.5)

    From Client LAN (192.168.5.5) I can ping the WAN interface and the GW too, but from Client Chilli I can ping the LAN interface of the pfSense machine and the WAN interface too, but I cannot reach the GW or Client LAN.

    Attached is a picture of the NAT settings made after your suggestion.
    Any idea??

    Thanks




  • What's that in the alerter? It looks like you have some kind of error. Please paste the complete line of the error. You'll find it in the system logs as well. It's easier to copy/paste from there.



  • This is what I see in the system log:

    -------------------------------------------

    Apr 5 11:59:03 check_reload_status: reloading filter
    Apr 5 11:59:04 php: : New alert found: There were error(s) loading the rules: pfctl: DIOCSETSTATUSIF The line in question reads [ DIOCSETSTATUSIF]:
    Apr 5 11:59:04 php: : There were error(s) loading the rules: pfctl: DIOCSETSTATUSIF - The line in question reads [ DIOCSETSTATUSIF]:
    Apr 5 11:59:09 check_reload_status: reloading filter
    Apr 5 11:59:10 php: : New alert found: There were error(s) loading the rules: pfctl: DIOCSETSTATUSIF The line in question reads [ DIOCSETSTATUSIF]:
    Apr 5 11:59:10 php: : There were error(s) loading the rules: pfctl: DIOCSETSTATUSIF - The line in question reads [ DIOCSETSTATUSIF]:
    Apr 5 16:00:00 check_reload_status: check_reload_status is starting
    Apr 5 16:30:01 check_reload_status: check_reload_status is starting
    Apr 5 16:35:00 check_reload_status: check_reload_status is starting
    Apr 5 17:12:57 check_reload_status: reloading filter
    Apr 5 17:13:00 php: : New alert found: There were error(s) loading the rules: pfctl: DIOCSETSTATUSIF The line in question reads [ DIOCSETSTATUSIF]:
    Apr 5 17:13:00 php: : There were error(s) loading the rules: pfctl: DIOCSETSTATUSIF - The line in question reads [ DIOCSETSTATUSIF]:
    Apr 5 17:13:55 check_reload_status: reloading filter
    Apr 5 17:13:56 php: : New alert found: There were error(s) loading the rules: pfctl: DIOCSETSTATUSIF The line in question reads [ DIOCSETSTATUSIF]:
    Apr 5 17:13:56 php: : There were error(s) loading the rules: pfctl: DIOCSETSTATUSIF - The line in question reads [ DIOCSETSTATUSIF]:
    Apr 5 17:15:53 check_reload_status: reloading filter
    Apr 5 17:15:54 php: : New alert found: There were error(s) loading the rules: pfctl: DIOCSETSTATUSIF The line in question reads [ DIOCSETSTATUSIF]:
    Apr 5 17:15:54 php: : There were error(s) loading the rules: pfctl: DIOCSETSTATUSIF - The line in question reads [ DIOCSETSTATUSIF]:
    Apr 5 17:35:00 check_reload_status: check_reload_status is starting
    Apr 5 20:06:07 sshd[48227]: error: PAM: authentication error for root from 192.168.5.5
    Apr 5 20:06:07 sshd[48227]: error: PAM: authentication error for root from 192.168.5.5
    Apr 5 20:06:07 sshlockout[48240]: sshlockout starting up
    Apr 5 20:06:07 sshlockout[48240]: sshlockout starting up
    Apr 5 20:06:13 sshd[48227]: Accepted keyboard-interactive/pam for root from 192.168.5.5 port 2484 ssh2
    Apr 5 20:06:50 chillispot[48268]: ChilliSpot 1.0. Copyright 2002-2005 Mondru AB. Licensed under GPL. See http://www.chillispot.org for credits.
    Apr 5 20:06:51 chillispot[48268]: chilli.c: 3083: New DHCP request from MAC=00-50-56-C0-00-01
    Apr 5 20:06:51 chillispot[48268]: chilli.c: 3083: New DHCP request from MAC=00-50-56-C0-00-01
    Apr 5 20:06:51 chillispot[48268]: chilli.c: 3053: Client MAC=00-50-56-C0-00-01 assigned IP 192.168.182.2
    Apr 5 20:06:51 chillispot[48268]: chilli.c: 3053: Client MAC=00-50-56-C0-00-01 assigned IP 192.168.182.2
    Apr 5 20:06:54 chillispot[48268]: chilli.c: 3083: New DHCP request from MAC=00-0C-29-00-37-83
    Apr 5 20:06:54 chillispot[48268]: chilli.c: 3083: New DHCP request from MAC=00-0C-29-00-37-83
    Apr 5 20:06:54 chillispot[48268]: chilli.c: 3053: Client MAC=00-0C-29-00-37-83 assigned IP 192.168.182.3
    Apr 5 20:06:54 chillispot[48268]: chilli.c: 3053: Client MAC=00-0C-29-00-37-83 assigned IP 192.168.182.3
    Apr 5 20:09:09 chillispot[48268]: chilli.c: 3327: Successful UAM login from username=sasso IP=192.168.182.3
    Apr 5 20:09:09 chillispot[48268]: chilli.c: 3327: Successful UAM login from username=sasso IP=192.168.182.3
    Apr 5 20:14:48 check_reload_status: reloading filter
    Apr 5 20:14:50 php: : New alert found: There were error(s) loading the rules: pfctl: DIOCSETSTATUSIF The line in question reads [ DIOCSETSTATUSIF]:
    Apr 5 20:14:50 php: : There were error(s) loading the rules: pfctl: DIOCSETSTATUSIF - The line in question reads [ DIOCSETSTATUSIF]:
    Apr 5 20:15:24 syslogd: exiting on signal 15
    Apr 5 20:15:25 syslogd: kernel boot file is /boot/kernel/kernel
    Apr 5 21:06:50 chillispot[48268]: chilli.c: 864: Rereading configuration file and doing DNS lookup
    Apr 5 22:06:50 chillispot[48268]: chilli.c: 864: Rereading configuration file and doing DNS lookup
    Apr 5 22:20:48 check_reload_status: reloading filter
    Apr 5 22:20:50 php: : New alert found: There were error(s) loading the rules: pfctl: DIOCSETSTATUSIF The line in question reads [ DIOCSETSTATUSIF]:
    Apr 5 22:20:50 php: : There were error(s) loading the rules: pfctl: DIOCSETSTATUSIF - The line in question reads [ DIOCSETSTATUSIF]:
    Apr 5 22:38:07 check_reload_status: reloading filter
    Apr 5 22:38:08 php: : New alert found: There were error(s) loading the rules: pfctl: DIOCSETSTATUSIF The line in question reads [ DIOCSETSTATUSIF]:
    Apr 5 22:38:08 php: : There were error(s) loading the rules: pfctl: DIOCSETSTATUSIF - The line in question reads [ DIOCSETSTATUSIF]:
    Apr 5 23:06:50 chillispot[48268]: chilli.c: 864: Rereading configuration file and doing DNS lookup
    Apr 6 00:06:50 chillispot[48268]: chilli.c: 864: Rereading configuration file and doing DNS lookup

    ---------------------------------------------------



  • As the webGUI doesn't know anything about the tun interface created by Chillispot, the generated ruleset is somehow broken. This is not supported. I don't know how to help you here.



  • I supposed something like that, but can I make any operation manually via the command line on the console?
    Is there a place (a script or something else) where I can look in pfSense?

    However, many thanks for your support



  • Everything you do at the console level will be replaced and regenerated sooner or later (bootup, changes in the webGUI, status changes when using policy-based routing/multi-WAN, …). FWIW, go to Diagnostics > Edit File and open /tmp/rules.debug. That is the autogenerated ruleset. For everything else (modifying the code that generates the rules file) check out our CVS at http://cvs.pfsense.org/cgi-bin/cvsweb.cgi/pfSense/ . If you come up with something it would be nice if you could create a Chillispot package ;)



  • OK, thanks for this tip. Can I ask for some more info on how rules.debug is generated?
    Which file generates rules.debug? One more: once the file is generated, what is the command to reload the new rules included in the file?
    I'm asking because I would like to start changing the rules.debug file manually and reloading the new rules, just to understand what the right settings to include in the file are, and afterwards I will try to generate it automatically :)



  • I'm not that familiar with that part of the code. You'll have to do your own investigation in our CVS web.



  • OK, I found the command to reload the rules.debug file. It should be pfctl -f /tmp/rules.debug
    However, I solved the problem by deleting the third interface: earlier in my configuration I had created a second LAN2 which was never used, but as long as it was there I always got an error when I tried to run the pfctl command manually. After I deleted it, pfctl worked fine without errors and so did the NAT.
    Obviously the outbound NAT rule needs to be set like in the picture I sent before.

    If you want, I can try to create a package for chillispot, but I need some more details on how to build a package under pfSense. If you can give me some indication I will be happy to try to arrange the package. ;)
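The two pieces the thread settles on, manual outbound NAT for the tun0 subnet (the earlier reply) and reloading the generated ruleset with pfctl (this post), written out as a pf fragment. This is an added example, not from the thread and not from pfSense's own rule generator; it assumes em0 as the WAN interface and uses macro names of my own, while the tun0 name, the 192.168.182.0/24 hotspot subnet and the 192.168.5.0/24 LAN come from the thread.

```pf
# Added example, not from the thread or from pfSense's rule generator.
# Assumptions: em0 is the WAN interface (hypothetical); tun0 and the
# 192.168.182.0/24 and 192.168.5.0/24 subnets are the ones described above.
wan_if     = "em0"
chilli_if  = "tun0"
chilli_net = "192.168.182.0/24"
lan_net    = "192.168.5.0/24"

# Outbound NAT (Firewall > NAT, Outbound in the GUI). Hotspot clients leave
# through WAN with the WAN address as source. Without this rule the upstream
# gateway sees 192.168.182.x as source and has no route back, which matches
# the "can ping the WAN interface but not the GW" symptom in the thread.
# In the pf syntax of this era, translation rules must come before filter rules.
nat on $wan_if from $chilli_net to any -> ($wan_if)

# Filter rules on the incoming interface: the "missing items" from the reply.
# The block rule keeps hotspot users away from the internal LAN; it is a
# hardening choice, not something the thread asks for, so drop it if hotspot
# clients are meant to reach 192.168.5.0/24.
block in quick on $chilli_if from $chilli_net to $lan_net
pass  in quick on $chilli_if from $chilli_net to any keep state
```

Parse the file first with pfctl -nf /tmp/rules.debug, which syntax-checks it without touching the running ruleset; errors like the DIOCSETSTATUSIF one in the log above are ioctl failures reported by the kernel at load time, so they only surface on the real pfctl -f /tmp/rules.debug. After loading, confirm with pfctl -sn (translation rules) and pfctl -sr (filter rules). As the earlier reply points out, pfSense regenerates rules.debug on its own, so a hand edit survives only until the next filter reload.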



  • Check http://devwiki.pfsense.org/PfSenseDevHome for some development-related info. Also try to learn from one of the other packages. You can check them out here: http://cvs.pfsense.org/cgi-bin/cvsweb.cgi/tools/packages/

