
Captive Portal BW limiter on br1

Discussion in 'Tomato Firmware' started by radionerd, May 20, 2013.

  1. radionerd

    radionerd Serious Server Member

    My friend has a pizza store. I set up a Captive Portal hot spot that has no access to the business side of the network. Captive Portal is on br1, bandwidth limited to keep the business side flowing. Customers access the open Captive Portal, which splashes to the business web page. RT-N66U running Shibby 109, similar results with Victek's latest betas.

    If the BW limiter is turned on, download limits OK on br0 and br1, but upload limiting is broken on br1. Here is the kicker: if I make a small change and save (example: uncheck SIP NAT Helper on Advanced/Conntrack/Netfilter, save), without a reboot the BW limiter works great up and down on both br0 and br1, but the Captive Portal is then broken, allowing all connections until the router is rebooted. Then it's back to an OK splash, but no upload limiting on br1.

    Has anyone else run into this? Any fix?

    I have the complete iptables output before and after reboot.

    iptables on startup: everything works except BW limiter upload on br1
    Code:
    Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts bytes target    prot opt in    out    source              destination       
      10  400 DROP      all  --  *      *      0.0.0.0/0            0.0.0.0/0          state INVALID
      630 77721 ACCEPT    all  --  *      *      0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
        0    0 shlimit    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:22 state NEW
        0    0 ACCEPT    all  --  lo    *      0.0.0.0/0            0.0.0.0/0         
        0    0 ACCEPT    all  --  br0    *      0.0.0.0/0            0.0.0.0/0         
      748 56894 ACCEPT    all  --  br1    *      0.0.0.0/0            0.0.0.0/0         
        0    0 ACCEPT    udp  --  *      *      0.0.0.0/0            0.0.0.0/0          udp spt:67 dpt:68
     
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target    prot opt in    out    source              destination       
    13212  13M NoCat      all  --  *      *      0.0.0.0/0            0.0.0.0/0         
        0    0            all  --  *      *      0.0.0.0/0            0.0.0.0/0          account: network/netmask: 192.168.0.0/255.255.255.0 name: lan
      35  5237            all  --  *      *      0.0.0.0/0            0.0.0.0/0          account: network/netmask: 192.168.2.0/255.255.255.0 name: lan1
        0    0 ACCEPT    all  --  br0    br0    0.0.0.0/0            0.0.0.0/0         
        0    0 ACCEPT    all  --  br1    br1    0.0.0.0/0            0.0.0.0/0         
        0    0 DROP      all  --  *      *      0.0.0.0/0            0.0.0.0/0          state INVALID
        4  208 TCPMSS    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp flags:0x06/0x02 TCPMSS clamp to PMTU
      33  5133 ACCEPT    all  --  *      *      0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
        0    0 DROP      all  --  br0    br1    0.0.0.0/0            0.0.0.0/0         
        0    0 DROP      all  --  br1    br0    0.0.0.0/0            0.0.0.0/0         
        0    0 wanin      all  --  vlan2  *      0.0.0.0/0            0.0.0.0/0         
        2  104 wanout    all  --  *      vlan2  0.0.0.0/0            0.0.0.0/0         
        0    0 ACCEPT    all  --  br0    *      0.0.0.0/0            0.0.0.0/0         
        2  104 ACCEPT    all  --  br1    *      0.0.0.0/0            0.0.0.0/0         
     
    Chain OUTPUT (policy ACCEPT 69 packets, 82040 bytes)
    pkts bytes target    prot opt in    out    source              destination       
     
    Chain NoCat (1 references)
    pkts bytes target    prot opt in    out    source              destination       
    13212  13M NoCat_Upload  all  --  *      *      0.0.0.0/0            0.0.0.0/0         
    13212  13M NoCat_Download  all  --  *      *      0.0.0.0/0            0.0.0.0/0         
    13212  13M NoCat_Ports  all  --  *      *      0.0.0.0/0            0.0.0.0/0         
    13212  13M NoCat_Inbound  all  --  *      *      0.0.0.0/0            0.0.0.0/0         
        0    0 ACCEPT    all  --  br1    *      192.168.2.0/24      0.0.0.0/0          MARK match 0x1
        0    0 ACCEPT    all  --  br1    *      192.168.2.0/24      0.0.0.0/0          MARK match 0x2
    7646 8478K ACCEPT    all  --  br1    *      192.168.2.0/24      0.0.0.0/0          MARK match 0x3
        0    0 ACCEPT    tcp  --  *      *      192.168.2.0/24      192.168.0.1        tcp dpt:80
        0    0 ACCEPT    tcp  --  *      *      192.168.2.0/24      192.168.0.1        tcp dpt:443
        0    0 ACCEPT    tcp  --  *      br1    0.0.0.0/0            192.168.2.0/24      tcp spt:53
        0    0 ACCEPT    tcp  --  br1    *      192.168.2.0/24      0.0.0.0/0          tcp dpt:53
        0    0 ACCEPT    udp  --  *      br1    0.0.0.0/0            192.168.2.0/24      udp spt:53
        0    0 ACCEPT    udp  --  br1    *      192.168.2.0/24      0.0.0.0/0          udp dpt:53
      60 15248 DROP      all  --  br1    *      0.0.0.0/0            0.0.0.0/0         
        0    0 DROP      all  --  *      br1    0.0.0.0/0            0.0.0.0/0         
     
    Chain NoCat_Download (1 references)
    pkts bytes target    prot opt in    out    source              destination       
    5502 4898K RETURN    all  --  *      br1    0.0.0.0/0            192.168.2.246     
     
    Chain NoCat_Inbound (1 references)
    pkts bytes target    prot opt in    out    source              destination       
    5502 4898K ACCEPT    all  --  *      *      0.0.0.0/0            192.168.2.246      state RELATED,ESTABLISHED
     
    Chain NoCat_Ports (1 references)
    pkts bytes target    prot opt in    out    source              destination       
     
    Chain NoCat_Upload (1 references)
    pkts bytes target    prot opt in    out    source              destination       
    7646 8478K RETURN    all  --  br1    *      192.168.2.246        0.0.0.0/0         
     
    Chain shlimit (1 references)
    pkts bytes target    prot opt in    out    source              destination       
        0    0            all  --  *      *      0.0.0.0/0            0.0.0.0/0          recent: SET name: shlimit side: source
        0    0 DROP      all  --  *      *      0.0.0.0/0            0.0.0.0/0          recent: UPDATE seconds: 60 hit_count: 4 name: shlimit side: source
     
    Chain wanin (1 references)
    pkts bytes target    prot opt in    out    source              destination       
     
    Chain wanout (1 references)
    pkts bytes target    prot opt in    out    source              destination       
     
    Chain PREROUTING (policy ACCEPT 651 packets, 75705 bytes)
    pkts bytes target    prot opt in    out    source              destination       
        2  406 WANPREROUTING  all  --  *      *      0.0.0.0/0            192.168.1.13       
        0    0 DROP      all  --  vlan2  *      0.0.0.0/0            192.168.0.0/24     
        0    0 DROP      all  --  vlan2  *      0.0.0.0/0            192.168.2.0/24     
      716 79069 NoCat_Capture  all  --  *      *      0.0.0.0/0            0.0.0.0/0         
     
    Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target    prot opt in    out    source              destination       
      42  2898 MASQUERADE  all  --  *      vlan2  0.0.0.0/0            0.0.0.0/0         
        0    0 SNAT      all  --  *      br0    192.168.0.0/24      192.168.0.0/24      to:192.168.0.1
        8  2348 SNAT      all  --  *      br1    192.168.2.0/24      192.168.2.0/24      to:192.168.2.1
     
    Chain OUTPUT (policy ACCEPT 20 packets, 2816 bytes)
    pkts bytes target    prot opt in    out    source              destination       
     
    Chain NoCat_Capture (1 references)
    pkts bytes target    prot opt in    out    source              destination       
        9  468 RETURN    tcp  --  *      *      192.168.2.0/24      192.168.0.1        tcp dpt:80
        0    0 RETURN    tcp  --  *      *      192.168.2.0/24      192.168.0.1        tcp dpt:443
      65  3364 DNAT      tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          MARK match 0x4 tcp dpt:80 to:192.168.2.1:5280
     
    Chain WANPREROUTING (1 references)
    pkts bytes target    prot opt in    out    source              destination       
        0    0 DNAT      icmp --  *      *      0.0.0.0/0            0.0.0.0/0          to:192.168.0.1
     
    Chain PREROUTING (policy ACCEPT 13346 packets, 13M bytes)
    pkts bytes target    prot opt in    out    source              destination       
        0    0 MARK      all  --  *      *      192.168.0.0/24      !192.168.0.0/24      MARK set 0x64
    9499 8650K MARK      all  --  *      *      192.168.2.0/24      0.0.0.0/0          MARK set 0x1f5
    15026  14M NoCat      all  --  *      *      0.0.0.0/0            0.0.0.0/0         
     
    Chain INPUT (policy ACCEPT 136 packets, 21461 bytes)
    pkts bytes target    prot opt in    out    source              destination       
     
    Chain FORWARD (policy ACCEPT 13148 packets, 13M bytes)
    pkts bytes target    prot opt in    out    source              destination       
     
    Chain OUTPUT (policy ACCEPT 73 packets, 86534 bytes)
    pkts bytes target    prot opt in    out    source              destination       
     
    Chain POSTROUTING (policy ACCEPT 13221 packets, 13M bytes)
    pkts bytes target    prot opt in    out    source              destination       
        0    0 MARK      all  --  *      *      !192.168.0.0/24      192.168.0.0/24      MARK set 0x64
    6334 5140K MARK      all  --  *      *      0.0.0.0/0            192.168.2.0/24      MARK set 0x191
     
    Chain NoCat (1 references)
    pkts bytes target    prot opt in    out    source              destination       
    9347 8639K MARK      all  --  br1    *      0.0.0.0/0            0.0.0.0/0          MARK set 0x4
    7825 8502K MARK      all  --  *      *      192.168.2.246        0.0.0.0/0          MAC E0:46:9A:A9:8C:E4 MARK set 0x3
    

    iptables after unchecking SIP NAT helper: BW limiter works, but Captive Portal is broken
    Code:
    Chain INPUT (policy DROP 7 packets, 700 bytes)
    pkts bytes target    prot opt in    out    source              destination       
        0    0 DROP      all  --  *      *      0.0.0.0/0            0.0.0.0/0          state INVALID
      88 25197 ACCEPT    all  --  *      *      0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
        0    0 shlimit    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:22 state NEW
        0    0 ACCEPT    all  --  lo    *      0.0.0.0/0            0.0.0.0/0         
        0    0 ACCEPT    all  --  br0    *      0.0.0.0/0            0.0.0.0/0         
      556 44478 ACCEPT    all  --  br1    *      0.0.0.0/0            0.0.0.0/0         
        0    0 ACCEPT    udp  --  *      *      0.0.0.0/0            0.0.0.0/0          udp spt:67 dpt:68
     
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target    prot opt in    out    source              destination       
        0    0            all  --  *      *      0.0.0.0/0            0.0.0.0/0          account: network/netmask: 192.168.0.0/255.255.255.0 name: lan
    11985  11M            all  --  *      *      0.0.0.0/0            0.0.0.0/0          account: network/netmask: 192.168.2.0/255.255.255.0 name: lan1
        0    0 ACCEPT    all  --  br0    br0    0.0.0.0/0            0.0.0.0/0         
        0    0 ACCEPT    all  --  br1    br1    0.0.0.0/0            0.0.0.0/0         
        7  280 DROP      all  --  *      *      0.0.0.0/0            0.0.0.0/0          state INVALID
      28  1416 TCPMSS    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    11946  11M ACCEPT    all  --  *      *      0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
        0    0 DROP      all  --  br0    br1    0.0.0.0/0            0.0.0.0/0         
        0    0 DROP      all  --  br1    br0    0.0.0.0/0            0.0.0.0/0         
        0    0 wanin      all  --  vlan2  *      0.0.0.0/0            0.0.0.0/0         
      32  4718 wanout    all  --  *      vlan2  0.0.0.0/0            0.0.0.0/0         
        0    0 ACCEPT    all  --  br0    *      0.0.0.0/0            0.0.0.0/0         
      32  4718 ACCEPT    all  --  br1    *      0.0.0.0/0            0.0.0.0/0         
     
    Chain OUTPUT (policy ACCEPT 102 packets, 103K bytes)
    pkts bytes target    prot opt in    out    source              destination       
     
    Chain shlimit (1 references)
    pkts bytes target    prot opt in    out    source              destination       
        0    0            all  --  *      *      0.0.0.0/0            0.0.0.0/0          recent: SET name: shlimit side: source
        0    0 DROP      all  --  *      *      0.0.0.0/0            0.0.0.0/0          recent: UPDATE seconds: 60 hit_count: 4 name: shlimit side: source
     
    Chain wanin (1 references)
    pkts bytes target    prot opt in    out    source              destination       
     
    Chain wanout (1 references)
    pkts bytes target    prot opt in    out    source              destination       
     
    Chain PREROUTING (policy ACCEPT 578 packets, 72912 bytes)
    pkts bytes target    prot opt in    out    source              destination       
        0    0 WANPREROUTING  all  --  *      *      0.0.0.0/0            192.168.1.13       
        0    0 DROP      all  --  vlan2  *      0.0.0.0/0            192.168.0.0/24     
        0    0 DROP      all  --  vlan2  *      0.0.0.0/0            192.168.2.0/24     
     
    Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target    prot opt in    out    source              destination       
      32  4718 MASQUERADE  all  --  *      vlan2  0.0.0.0/0            0.0.0.0/0         
        0    0 SNAT      all  --  *      br0    192.168.0.0/24      192.168.0.0/24      to:192.168.0.1
        6  1968 SNAT      all  --  *      br1    192.168.2.0/24      192.168.2.0/24      to:192.168.2.1
     
    Chain OUTPUT (policy ACCEPT 6 packets, 1968 bytes)
    pkts bytes target    prot opt in    out    source              destination       
     
    Chain WANPREROUTING (1 references)
    pkts bytes target    prot opt in    out    source              destination       
        0    0 DNAT      icmp --  *      *      0.0.0.0/0            0.0.0.0/0          to:192.168.0.1
     
    Chain PREROUTING (policy ACCEPT 13156 packets, 12M bytes)
    pkts bytes target    prot opt in    out    source              destination       
        0    0 MARK      all  --  *      *      192.168.0.0/24      !192.168.0.0/24      MARK set 0x64
    5742 2183K MARK      all  --  *      *      192.168.2.0/24      0.0.0.0/0          MARK set 0x1f5
     
    Chain INPUT (policy ACCEPT 653 packets, 70455 bytes)
    pkts bytes target    prot opt in    out    source              destination       
     
    Chain FORWARD (policy ACCEPT 11985 packets, 11M bytes)
    pkts bytes target    prot opt in    out    source              destination       
     
    Chain OUTPUT (policy ACCEPT 106 packets, 108K bytes)
    pkts bytes target    prot opt in    out    source              destination       
     
    Chain POSTROUTING (policy ACCEPT 12084 packets, 12M bytes)
    pkts bytes target    prot opt in    out    source              destination       
        0    0 MARK      all  --  *      *      !192.168.0.0/24      192.168.0.0/24      MARK set 0x64
    7349 9488K MARK      all  --  *      *      0.0.0.0/0            192.168.2.0/24      MARK set 0x191
    
    Thanks,
    radionerd
     
  2. Frequenzy

    Frequenzy Networkin' Nut Member

    Just want to confirm, is QoS enabled? If yes, then you need to disable it for the BW limiter to work.
     
  3. radionerd

    radionerd Serious Server Member

    Nope,
    I don't run QoS. I read way back about not running both at the same time. (Every time I have tried QoS, Captive Portal is completely broken on br1.)

    I do reset NVRAM.
    I have reset NVRAM and started fresh over and over, making small changes. Tested Shibby and Victek from current to about five revisions back. I get the same results: no limiting on upload to br1 with CP enabled. br1 does limit correctly up and down with CP off.

    Thanks,
    Alan
     
