www.zeroshell.net

[AMDFabio]

Grazie Fulvio,
installata e funzionate senza problemi.
_________________
skype: amdfabio91

Le sfide dell'informatica:
1) Windows vs Linux vs Mac
2) AMD vs Intel
3) Nvidia vs Ati(aquisita dall'AMD)
4) Windows 7 vs Windows XP

[theguru]

Grazie per la nuova release! provata e ottima come sempre
ho una richiesta per le prossime release sarebbe possibile integrare dasnguardian direttamente all'interno della release? ricordo che in una situazione dove ho avuto bisogno di content filter ho dovuto mettere la beta13 perchè con la 14 non c'era verso di far girare dasnguardian
Grazie per l'ottimo lavoro

[xvince]

Mi ricordo che da qualche parte Fulvio aveva scritto che non era possibile integrare DansGuardian per un problema relativo alle condizioni di utilizzo (vedi licenza).

Cmq se tale problema fosse superabile...

Vince

[theguru]

[alebot]

Salve, installata la nuova versione ma non sono riuscito a trovare la funzione per evitare di far aprire il popup a determinati browser, dove la trovo?

[fulvio]

Nella pagina di configurazione [Captive Portal][Gateway] dentro [Gateway Parameters] trovi il tasto [Popup] da cui puoi disabilitare completamente la finestra di popup di rinnovo dell'autenticazione oppure disabilitarla in base al tipo di browser.

Ciao
Fulvio

[VITO]

Visto la semplicità di realizzare un reset dei contatori giornalieri su time e traffic potresti creare una pach per poter testare il tutto ?
Saluti Vito

[fulvio]

In realta' non e' poi cosi' banale se si vogliono fare le cose per bene. Nel senso che l'ideale sarebbe mantenere sia limiti assoluti che giornalieri. In questo caso bisogna introdurre altri contatori di traffico e controllarli.
Invece si puo' fare un cron job che a mezzanotte azzeri i contatori di traffico gia' esistenti. Questo e' piu' semplice, ma anche in questo caso richiede un certo sforzo per gestire le connessione aperte durante l'azzeramento. Pertanto direi di aspettare a meno che qualcuno non voglia anticipare i tempi.

Ciao
Fulvio

[VITO]

Per gestire le connessioni attive si potrebbe fare un riavvio della macchina e con job magari verso le 4 di mattina e dopo il riavvio impostare come post boot il reset dei contatori .
Potrebbe tutto avvenire tramite un flag oppure uno script .
Il prossimo problema da affrontare sarà quello delle autenticazioni autogestite.Saluti Vito

[fulvio]

Il captive portal di Zeroshell mantiene aperte le connessioni anche dopo un riavvio sempre che questo non ci impieghi troppo, tanto da far scadere l'authenticator (5 minuti per default).
Quello dell'autocreazione degli utenti e' sicuramente uno dei problemi da affrontare anche se penso che qualcuno si sia organizzato con degli script in PHP che fanno degli ssh sul captive portal.

Ciao
Fulvio

[zerolinux]

piccolo contributo....forse un pò banale....ma magari utile a qualcuno.

http://www.paolo.pavan.name/pdf/zeroshell-accounting-b15.pdf

Saluti

paolo

[fulvio]

Altro che banale. I tuoi documenti sono sempre stati preziosi e quest'ultimo sull'accounting non fa eccezione. Sarebbe bello che qualcuno li traducesse in Inglese per renderli disponibili a piu' persone. Qualcuno li tradurrebbe?

Saluti
Fulvio

[zerolinux]

[FireFoxII]

Salve

con la nuova versione b15 non riesco a creare un nuovo profilo nell'apposita pagina...
Ottengo l'errore
ERROR: LDAP Base malformed (ex. dc=example,dc=com or o=example.com)

Come posso risolvere?
Thanks

[Vanni]

Ho tentato una rapida traduzione in formato testo, se vuoi impaginarla la incollo qui di seguito sperando di fare cosa gradita.

Vale come contributo per sbloccare le caratteristiche, Fulvio? ;-)

--- --- --- --- --- --- cut here --- --- ---

Zeroshell B15: Accounting

Introduzione

This long awaited feature was badly needed to fully use Zeroshell when traffic accounting was necessary and to use seamlessly from mobile devices.
Now ZS allows this with a simple and effective configuration. This is the text of the news announcement:

July 15, 2011
* The new release 1.0.beta15 of Zeroshell contains RADIUS Accounting module that allows you to count the connection time, the connection traffic and the connection charge either for Captive Portal or Access Point with WPA/WPA2 Enterprise connections. You can set time/traffic limits and manage prepaid connections. The captive portal has been enhanced with new features such as protection against DoS attacks and the ability to disable the pop-up network access on mobile devices (iPhone, IPad, Android SmartPhones, ...).

My focus, not completely satisfied in the previous release (b14) was to enable a captive portal without wireless authentication, just like an internet point or airport, where the connection is allowed for all devices, but internet access is forced through a web page on the portal. Moreover, the popup window used to track and keep up the connection had problems with mobile device's browsers that couldn't work with that. My need was to completely remove that window, at least for mobile devices like Iphone, Blackberry, Android and so.

Now this array of instruments is at our fingertips, let's see if and how they work with some field testing.

Just as a reminder, my default configuration has ZS sitting between a pool of access points with no authentication and an ADSL internet connection, so we need to setup the lan interfaces, NAT, Proxy and Firewalling and whatever suits your needs: for more help on those points the other HowTo are available, and far more detailed.

Accounting Configuration

Installing is always the same, be it from ISO or USB drive doesn't matter; the real difference can be seen in some menus like Accounting and Captive Portal, now fully operative.
First I made some users, then assigning them to a CLASS to keep track of their kind of access and accounting.

After the users, I made the classes through the Accounting section, just clicking on the Add button. The browser pops up the acconting class creation page, allowing to state a name for the class and the payment values (pre or post paid) and the traffic limits (Traffic, Time, Bandwidth)

(Accounting Class Image: image 1)

If Prepaid is chosen, limits will be subtracted from one's starting credit. When the credit is over the account is allowed no more.

If Postpaid is chosen, the limits will create a final bill to be paid that sums up the time or traffic costs.

(Image from total zeroshell screen: image 2)

It's better not to mistake the two methods, the first is preferable if "selling" the access service and to shut it down after the credit is over. The second way is preferable when just conting the traffic users are making, to be paid in the end.

So the limits can be based on the following values:

- Time (h)
- Download (MB)
- Band (Mbit/s)

My need was to limit access and to instruct users to manage their traffic and not overuse it. I had to create two postpaid Classes, with far different limits.

(image 3)

Here are my two classes with their names and limits:

- STUDENTS 10 h, 250 MB, 500 Mb/s
- OFFICE 100 h, 1000 MB, 1000 Mb/s

Now we need to go back to the user card and pair users with their class. If you want to do a test use two classes with different limits, preferably one lower to have it extinguished quickly.

Users>Edit

(image 4)

In the RADIUS Acconting section a class can be sticked to a user.



Captive Portal Setup

Now we can set the captive portal up, introducing some neat new features.

Users>Captive portal

The CP screen shows us two new functions, the DOS protection where we can set the protection level, and the option to disable the popup window for some specific devices. i suggest to keep that open for systems where a normal browser is available like Firefox, Chrome o Internet Explorer since it helps users to keep track of their traffic (when the refresh button is clicked), while keeping it disabled for the other devices which is the default configuration.

(Image 5)

The first thing I noticed once the CP was enabled is my mobile Symbian devices works, they authenticate and access internet with their native browser. The only thing to remember is to accept the SSL certificate selecting "Continue" the first time we access.


Accounting trial

In my case I tested the Postpaid method as the first thing, Since the admin isn't required to issue a credit before the connection can occur. If we try to setup a very low traffic value, like 5 MB, we can see that the session ends as soon as the limit is reached, with a clear indication the credit is over.

(Image Limit reached: image 6)

Should we try to connect again, ZS would stop it from happening since the user has no more traffic available. When this happens the user can't connect anymore.

(Image Access denied)

To re-enable the user we need to go to the user status under the Accounting page, select the user and click the "Remove" button.

(Image 7)

This way the accounting is blanked and the user can connect again until the limit is reached again.

If you choose the PrePaid method you need to set a starting credit high enough for the limit, otherwise we will receive a "No credit available" even having an account.

To do that we need to go to the user card and set a starting value in the Credits section on the low dx side. This will be the total credit the user is allowed. Once this expires, the user will not be able to connect anymore.

(Image 8)

This filter is stricter than the other since with no credit we don't allow the connection. We can stil use the class to state limits and prices.

The postpaid method allows immediate access and while stating prices and limits for the user class, allows user access until limit expiry.

In this case the popup window shows traffic and costs with each refresh, allowing to track user credit. When the limit is exceeded the browser is disconnected, eventually showing the exceeding limit.

(image 9)

The system proved very efficient, with both methods. Once the limit is reached or the credit is over the connection is closed.
One very useful feature is the time limit for each session. This way we can disable users leaving the browser window open to download large files.
On the admin side we can track this data and system utilization by users; ZS has a small but very useful log file.

(image 10)

This log file tracks every account's status, with each credit end or traffic limit excess.

The default class (accounting)

This class is very important since in this class are put users that are not assigned in other classes. It starts with no limits set, so it's a kind of open class, but in some configurations a limit can be useful like in press rooms or hotels with daily users created and then reset without assigning them a specific class. It proves very useful when using automatic user creation scripts, so there's no need to manually access ZS admin interface.

QoS and band limiting

Another major feature that can be simply set up on ZS is QoS or Quality of Service, allowing us to limit the band on each system's interface. I was asked to limit the total bandwidth available to the wi-fi network since that was part of a greater LAN.
Let's see how to accomplish that. Enter Network > QoS

(Image 10)

Here we select the DEFAULT class paired with interface ETH01, which is where the wi-fi I want to limit is connected. This way that network won't hog my whole bandwidth.
It's better to keep in mind that when you apply a QoS class to a network interface you want to limit the outgoing traffic flowing out of that interface. In my case the need was to regulate the outgoing traffic on the ETH01 interrface.

(Image 11)

Selecting the DEFAULT class and clicking on the MODIFY CLASS button we can assign new values expressed in kbit/s to the MAXIMUM BANDWIDTH and GUARANTEED BANDWIDTH, the names are pretty self explanatory.

Let's see some examples: if I assign a maximum value of 100 kbit, dividing by eight I have the download speed in bytes/sec, so 12,5 Kb/s. With some tests we can discover that the filter is operative and efficient.
We need to carefully evaluate the available bandwidth and decide how much will be reserved to the wi.fi network, this makes for a safer system and avoind dangerous bandwidth congestion.
Every bandwidth variation is to be confirmed by clicking on the ACTIVATE LAST CHANGES button, be also wary that the shaping might not always be precise since it's a mean value dinamically calculated form the data stream, and then tries to manage the traffic on the limits set.

Together with shaping and Qos, also Bandwidthd might be useful, allowing us to track the traffic amount from various IP and to plot graphic reports to evaluate bandwidth usage, single IP traffic, and protocols used.

NETWORK>Bandwidthd

On the top line we need to select which subnet we want to check.

(image 12)

The IP list and the protocol graph quickly allows to track the bandwidth usage and modifications to the firewall programming.
The QoS is well paired with a tool to regulate and keep accounting of the user's access and traffic.

Updating from B14 to B15

Theres a way to upgrade from b14 to b15, using a script: zeroshell-b14tob15.sh.

Clear operating instructions can be found on this thread on the forum.

I personally find ZS so simple and automatic that a configuration and the following user creation is faster for me. This script seems like a very clever solution to upgrade complex situations.


Final thoughts

We've been waiting so long for this user accounting solution. Now with all due reserve we can fully use ZS to manage traffic accounting with time and credit limits in spots like kiosks, internet points and wifi zones, where users buy timed traffic.

What's more, the popup window can now be fully configured not to appear on mobile devices, in fact making the Captive Portal solution highly usable and getting rid of the more complex wireless authentication, relying on the Captive Portal itself for the authentication.
I strongly suggest to all those who want to use the setup in a production site to carefully plan the deployment and accounting class creation, and only after this traffic accounting system has been thorougly understood.

Doc: zeroshell-b15.pdf
Dott. Paolo PAVAN [Netlink Sas]– admin@sistemistiindipendenti.org
Data: July 2011

final notes:
- this document is for divulgative use only
- the author (and translator) takes no responsibility for direct or indirect damage derived from use of programs or from applying configurations stated in this article.
- the trade marks specified are property of the respective owners and used merely for educational or divulgative purpose
- this document is released under CC license
- Errors and mistakes are to be kindly pointed out writing to admin@sistemistiindipendenti.org
- whoever wants to implement this document can send his thoughts to admin@sistemistiindipendenti.org
- this document was published on http://www.sistemistiindipendenti.org


--- --- --- --- --- --- cut here --- --- ---

[fulvio]

Grazie della traduzione. Spero che Paolo la impagini in un documento. Ovviamente mandami i feature code cosi' ti mando le chiavi dei grafici.

Saluti