coova / coova-chilli

CoovaChilli is an open-source software access controller for captive portal hotspots.

(WRONG TITLE but fixed) xt_coova OpenWrt - MUCH MORE DATA USED THAN REPORTED #532

Closed xewonder closed 2 years ago

xewonder commented 2 years ago

Hello

I am using xt_coova in what I thought was a successful installation(s).

Everything works properly... we have upload/download speed restrictions, the user gets disconnected after quota is used... everything looks fine.

EXCEPT

We have a "data leak" of 25% and more??

There is nothing else connected to our system except wlan0 and wwan0

For example, in the last few days our Radius system reports 4GB used, vnstat reports 6GB used (and so does our service provider).

Can someone help me in fixing what we are doing wrong??

Using iftop, I can see a lot of requests reaching our wwan0 interface for users that are not authenticated...

I attach our working iptables, config and "rules" we activate with firewall.user

iptables.txt config.txt firewall.user.txt

Thank you in advance

DD

nzamps commented 2 years ago

How are you getting upload/download speed restrictions? If you haven't implemented this independently of coova (using e.g. tc) then xt_coova isn't working and it is basically working the same as not using xt_coova.

What does 'cat /proc/net/coova/chilli' show?

I think you need to go back to the basic xt_coova setup, e.g. those first 4 x FORWARD rules should be using IP addresses AND interfaces. Or probably better is to not use xt_coova and set it up normally (you're using 4G so how much speed do you really need??)

xewonder commented 2 years ago

Hi Brian,

Thank you for trying to help.

Yes, we use tc and ifb for the speed limits.

The reason we are using xt_coova on 4G is the bad speed we were getting per connection. I think this may have been caused by the CPU maxing out after 10 concurrent connections.

In any case xt_coova works great apart from the lost data that is causing us huge problems, as we are reaching our data limit way before we should.

I have personally seen lots of MBs being used while users were not authenticated (just connected to wlan0).

Using iftop -i wwan0 you can see many requests going out that really should not be there...

I'll get the rest of the info tomorrow from a live system and post it.

xewonder commented 2 years ago

Hello,

So I managed to reproduce the problem. Still no idea where to look for solutions!

My condown.sh script is now forcing a wifi disconnect for the user (was hoping this would fix the problem but it does not)

Scenario:

2 x Android devices
Limit 50Mb
Software to test: StarTrinity continuous download test

Connect devices to wifi (wlan0)
devices ask for authentication
authenticate (now we have internet)
start running StarTrinity
after 50Mb devices kicked off radius
devices kicked off wifi
devices auto re-connect to wifi
devices ask for authentication
StarTrinity continues download!!!

chilli_query list:

F4-42-8F-18-13-E0 192.168.182.15 dnat 616af20800000002 0 F4-42-8F-18-13-E0 0/0 0/0 0/0 0/0 0 0 0/0 0/0 http://ftp-stud.hs-esslingen.de/pub/Mirrors/linuxmint.com/stable/19.3/linuxmint-19.3-xfce-64bit.iso
A0-27-B6-DB-B5-8B 192.168.182.16 dnat 616af26e00000001 0 A0-27-B6-DB-B5-8B 0/0 0/0 0/0 0/0 0 0 0/0 0/0 http://mirror.easyname.at/ubuntu-releases/20.04/ubuntu-20.04-desktop-amd64.iso

cat /proc/net/coova/chilli

mac=A0-27-B6-DB-B5-8B src=192.168.182.16 state=0 bin=0 bout=0 pin=0 pout=0
mac=F4-42-8F-18-13-E0 src=192.168.182.15 state=0 bin=0 bout=0 pin=0 pout=0

Download of data continues on both devices..... I took a "tcpdump -i any" that I attach in the hope it can shed some light.

stop test.

tcpdump3.txt

I have no idea. Really any help appreciated!

EDIT:

Looking at the tcpdump, it looks like xt_coova is still doing all the NAT?

End result is that instead of having 100(something)Mb on my wwan0, I had 130Mb....

xewonder commented 2 years ago

Another update... GOES FROM BAD TO WORSE!

Even if you are not authenticated but connected to wlan0, this "StarTrinity" app can still download!

If you try to browse, you get the "splash" page but obviously other things get through!!!

Where am I (or coova, whatever) going wrong?

Another dump...

Router just rebooted..

1 Android device just connected to wlan0

tcpdump4.txt

edit: StarTrinity is a load of bollox!!

xewonder commented 2 years ago

OK... sorry... I panicked before and I gave rubbish info...

Here is a real life example:

No one is authenticated right now:

chilli_query list

C0-4A-09-27-D6-CA 192.168.182.1 dnat 616fdd0b00000002 0 - 0/0 0/0 0/0 0/0 0 0 0/0 0/0 -
58-C5-CB-2E-AF-83 192.168.182.20 dnat 616fdaa900000005 0 58-C5-CB-2E-AF-83 0/0 0/0 2309551/0 936319/0 0 0 0/0 0/0 http://connectivitycheck.gstatic.com/generate_204
90-97-F3-0F-00-B4 192.168.182.18 dnat 616fda7300000004 0 90-97-F3-0F-00-B4 0/0 0/0 40602515/0 4313486/0 0 0 0/0 0/0 http://clients3.google.com/generate_204
F6-DC-7B-B7-6A-42 192.168.182.19 dnat 616fda7200000003 0 F6-DC-7B-B7-6A-42 0/0 0/0 284075425/0 22961013/0 0 0 0/0 0/0 http://portal.fb.com/mobile/status.php
64-A2-00-59-BE-6A 192.168.182.15 dnat 616fda7200000001 0 64-A2-00-59-BE-6A 0/0 0/0 0/0 0/0 0 0 0/0 0/0 http://portal.fb.com/mobile/status.php

But here is my iftop -i wwan0 (screenshot attached):

What the fudge???

HELP!!

xewonder commented 2 years ago

Some more info.... VERY STRANGE!

chilli_query list

C0-4A-09-27-D6-CA 192.168.182.1 dnat 616fe23d00000002 0 - 0/0 0/0 0/0 0/0 0 0 0/0 0/0 -
58-C5-CB-2E-AF-83 192.168.182.20 dnat 616fdaa900000005 0 58-C5-CB-2E-AF-83 0/0 0/0 2364321/0 974911/0 0 0 0/0 0/0 http://connectivitycheck.gstatic.com/generate_204
90-97-F3-0F-00-B4 192.168.182.18 dnat 616fda7300000004 0 90-97-F3-0F-00-B4 0/0 0/0 40692727/0 4395725/0 0 0 0/0 0/0 http://portal.fb.com/mobile/status.php
F6-DC-7B-B7-6A-42 192.168.182.19 dnat 616fda7200000003 0 F6-DC-7B-B7-6A-42 0/0 0/0 301892547/0 23957736/0 0 0 0/0 0/0 http://assets-news-bcdn.dailyhunt.in/cmd/resize/100x90_60/fetchdata16/images/54/56/ae/5456aea30c5378a6b0df3c37ba00b9ce40e74906c5fd9bfb8d09c4ca74e68e7c.png?src=notifications

2 mins later... everyone in dnat (not authenticated)

chilli_query list

AA-AA-03-00-00-00 0.0.0.0 none 616fe2fe00000001 0 - 0/0 0/0 0/0 0/0 0 0 0/0 0/0 -
C0-4A-09-27-D6-CA 192.168.182.1 dnat 616fe23d00000002 0 - 0/0 0/0 0/0 0/0 0 0 0/0 0/0 -
58-C5-CB-2E-AF-83 192.168.182.20 dnat 616fdaa900000005 0 58-C5-CB-2E-AF-83 0/0 0/0 2380417/0 986801/0 0 0 0/0 0/0 http://connectivitycheck.gstatic.com/generate_204
90-97-F3-0F-00-B4 192.168.182.18 dnat 616fda7300000004 0 90-97-F3-0F-00-B4 0/0 0/0 63807645/0 5308684/0 0 0 0/0 0/0 http://portal.fb.com/mobile/status.php
F6-DC-7B-B7-6A-42 192.168.182.19 dnat 616fda7200000003 0 F6-DC-7B-B7-6A-42 0/0 0/0 301893165/0 23958160/0 0 0 0/0 0/0 http://assets-news-bcdn.dailyhunt.in/cmd/resize/100x90_60/fetchdata16/images/54/56/ae/5456aea30c5378a6b0df3c37ba00b9ce40e74906c5fd9bfb8d09c4ca74e68e7c.png?src=notifications

ALL THE COUNTERS HAVE CHANGED??? WHO HOW WHAT WHY??

Why are the counters changing while they are using data and being in DNAT... there is no limit???

xewonder commented 2 years ago

Just to give this topic a "bump"

Here are the logs of a live router (via vpn)

1 is chilli -fd, 2 is tcpdump (after removing entries to the VPN)

aradlog.txt

aradtcpdump.txt

As you can see, clients are in dnat but traffic is still going through!
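The symptom reported in the two comments above (sessions still in "dnat", i.e. unauthenticated, whose octet counters keep growing) can be checked for automatically. The script below is an added example, not part of this thread or of the coova-chilli project; it assumes the chilli_query list column layout visible in the outputs above (third field is the session state, ninth and tenth fields are octet counters written as used/max) and works on constructed sample lines in that format.

```shell
#!/bin/sh
# Added example (not coova-chilli's own tooling): flag sessions that are still
# in "dnat" (unauthenticated) state yet have moved traffic, which is the
# "data leak" seen in this thread. Assumes the `chilli_query list` layout
# shown above: field 3 = state, fields 9 and 10 = octet counters as used/max.

# Constructed sample in the format of `chilli_query list` (not real data).
SAMPLE='AA-AA-03-00-00-00 0.0.0.0 none 616fe2fe00000001 0 - 0/0 0/0 0/0 0/0 0 0 0/0 0/0 -
C0-4A-09-27-D6-CA 192.168.182.1 dnat 616fe23d00000002 0 - 0/0 0/0 0/0 0/0 0 0 0/0 0/0 -
58-C5-CB-2E-AF-83 192.168.182.20 dnat 616fdaa900000005 0 58-C5-CB-2E-AF-83 0/0 0/0 2380417/0 986801/0 0 0 0/0 0/0 http://connectivitycheck.gstatic.com/generate_204
11-22-33-44-55-66 192.168.182.21 pass 616fe2fe00000009 1 user1 120/0 5/0 5000000/0 400000/0 0 0 0/0 0/0 -'

# leaking_sessions: read chilli_query list lines on stdin and print
# "MAC IP IN_OCTETS OUT_OCTETS" for every dnat session with a nonzero counter.
leaking_sessions() {
    awk '$3 == "dnat" {
            split($9, i_oct, "/"); split($10, o_oct, "/");
            if (i_oct[1] + 0 > 0 || o_oct[1] + 0 > 0)
                print $1, $2, i_oct[1], o_oct[1]
        }'
}

# leak_count: number of leaking sessions found on stdin.
leak_count() {
    leaking_sessions | wc -l | tr -d ' '
}

# check_leaks: exit status 1 when any dnat session has passed traffic, else 0.
check_leaks() {
    n=$(leak_count)
    if [ "$n" -gt 0 ]; then
        echo "WARNING: $n unauthenticated (dnat) session(s) have passed traffic" >&2
        return 1
    fi
    return 0
}

# Usage on the router (cron or a watchdog script):
#   chilli_query list | check_leaks || logger -t coova-leak "dnat sessions passing traffic"
```

Run from cron, a nonzero exit from check_leaks is an early signal that the captive portal is no longer enforcing its walled garden, well before the monthly data figure from the provider reveals it.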

xewonder commented 2 years ago

The problem was caused by a "kill -9" we had in our /etc/init.d/chilli script.

When our 4G re-connects, we reload chilli with "/etc/init.d/chilli restart" and this was killing chilli with the -9, leaving all sorts of things behind!

Connections like the below (in chilli_query list) were basically connected with unlimited internet access!

6A-60-B3-4A-79-06 192.168.182.15 dnat 6173a62500000003 0 6A-60-B3-4A-79-06 0/0 0/0 16948871/0 2189134/0 0 0 0/0 0/0 -
08-C5-E1-3B-ED-F8 192.168.182.16 dnat 6173a62500000001 0 08-C5-E1-3B-ED-F8 0/0 0/0 17564000/0 1645223/0 0 0 0/0 0/0 http://11.1.0.1:3990/favicon.ico

I close this issue!
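The root cause above is a generic one: a daemon that sets up kernel state (here the NAT and xt_coova entries chilli creates for its clients) never gets to tear it down when it is killed with SIGKILL. The shell function below is an added example, not the project's init script or a replacement for it; it shows the usual pattern of asking for a clean exit with SIGTERM and escalating to SIGKILL only after a grace period, and it is exercised here against ordinary sleep processes rather than chilli.

```shell
#!/bin/sh
# Added example (not coova-chilli's own init script): stop a daemon by asking
# it to exit cleanly with SIGTERM and escalate to SIGKILL only after a grace
# period has passed, so it keeps the chance to tear down what it created.

# is_alive PID: true while the process exists and is not a zombie waiting to
# be reaped. Uses /proc on Linux and falls back to ps elsewhere.
is_alive() {
    kill -0 "$1" 2>/dev/null || return 1
    if [ -r "/proc/$1/status" ]; then
        ! grep -q '^State:[[:space:]]*Z' "/proc/$1/status"
    else
        case "$(ps -o stat= -p "$1" 2>/dev/null)" in Z*) return 1 ;; esac
    fi
}

# graceful_stop PID [GRACE_SECONDS]: returns 0 once the process is gone and
# prints which signal ended it ("term" or "kill"), or "gone" if it had
# already exited.
graceful_stop() {
    pid=$1
    grace=${2:-10}
    is_alive "$pid" || { echo "gone"; return 0; }
    kill -TERM "$pid" 2>/dev/null
    waited=0
    while is_alive "$pid"; do
        if [ "$waited" -ge "$grace" ]; then
            echo "pid $pid ignored SIGTERM for ${grace}s, sending SIGKILL" >&2
            kill -KILL "$pid" 2>/dev/null
            # SIGKILL cannot be ignored; allow a few seconds for teardown
            n=0
            while is_alive "$pid" && [ "$n" -lt 5 ]; do sleep 1; n=$((n + 1)); done
            echo "kill"
            return 0
        fi
        sleep 1
        waited=$((waited + 1))
    done
    echo "term"
    return 0
}

# Usage in an init script's stop action (hypothetical pid file location):
#   graceful_stop "$(cat /var/run/chilli.pid)" 15
```

When the "kill" path is taken, the daemon had no chance to clean up, so a stop action should follow it with an explicit check that nothing it created is still in place (for chilli, that chilli_query list shows no stale sessions and the firewall holds no leftover rules) before the daemon is started again.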