Issue: CoovaChilli Performance and Errors with xt_coova on OpenWrt 23.05.5

Setup Details

  • CoovaChilli Version: 1.6
  • Platform: OpenWrt 23.05.5
  • Architecture: MT7621
  • Firewall: firewall3 + iptables_zz_legacy
  • Additional Support: xt_coova
  • ISP Speed: 100 Mbps (Real-world)

Problem 1: Speed Capping on Download

When performing a speed test via CoovaChilli:

  • Download Speed: 30-40 Mbps (tested using Ookla)
  • Upload Speed: 100 Mbps (matches ISP speed)
  • On the regular network (without CoovaChilli), both download and upload speeds match the ISP-provided 100 Mbps.

Additional Testing

Performed an iperf test:

  • Setup: Iperf server on one CoovaChilli client, Iperf client on another CoovaChilli client.
  • Result: Download and upload speeds via CoovaChilli WAN were approximately 300-400 Mbps, indicating no bottleneck in internal data flow.

Problem 2: Errors When Using kname="chilli"

After setting kname="chilli" in the configuration, the following errors are observed in the logs:

Tue Jan  7 10:47:43 2025 daemon.err chilli[8361]: chilli[8361]: PID 8361 reloaded binary options file
Tue Jan  7 10:47:43 2025 daemon.info chilli[8361]: CoovaChilli 1.6. Copyright 2002-2005 Mondru AB. Licensed under GPL. Copyright 2006-2012 David Bird (Coova Technologies). Licensed under GPL. See http://coova.github.io/ for details.
Tue Jan  7 10:47:43 2025 daemon.info chilli[8361]: TX queue length set to 100
Tue Jan  7 10:47:43 2025 kern.info kernel: [  204.445245] device br-network4 entered promiscuous mode
Tue Jan  7 10:47:43 2025 daemon.err chilli[8361]: No such file or directory: could not open /proc/net/coova/chilli
Tue Jan  7 10:47:43 2025 kern.info kernel: [  204.605612] xt_coova: looking for chilli
Tue Jan  7 10:47:43 2025 kern.info kernel: [  204.609731] xt_coova: created chilli refcnt=1
Tue Jan  7 10:47:43 2025 kern.info kernel: [  204.614072] xt_coova: match ret=0
Tue Jan  7 10:47:43 2025 kern.info kernel: [  204.632326] xt_coova: looking for chilli
Tue Jan  7 10:47:43 2025 kern.info kernel: [  204.636280] xt_coova: found chilli refcnt=2
Tue Jan  7 10:47:43 2025 kern.info kernel: [  204.640524] xt_coova: match ret=0
Tue Jan  7 10:47:43 2025 daemon.err chilli[8361]: bad idx (-1)
Tue Jan  7 10:47:43 2025 daemon.warn chilli[8361]: RADIUS id 0 was not found in queue!
Tue Jan  7 10:47:52 2025 kern.info kernel: [  213.969309] seq_file: buggy .next function 0x835ee0d8 did not update position index
Tue Jan  7 10:47:53 2025 kern.info kernel: [  214.978726] seq_file: buggy .next function 0x835ee0d8 did not update position index
Tue Jan  7 10:47:54 2025 kern.info kernel: [  215.988028] seq_file: buggy .next function 0x835ee0d8 did not update position index

Problem 3: Upload Speed is Unlimited, Bandwidth Limitation Not Working

  • Observation: Upload speeds through CoovaChilli are now unlimited and match the ISP-provided speed (100 Mbps). However, any bandwidth limit (set manually or from RADIUS) for the upload is ignored.
  • This issue occurs even when download bandwidth limitations are applied correctly.
  • No errors appear in the logs specific to this problem, but the bandwidth control feature for uploads seems to be bypassed.

Configuration Details

Custom up.sh Script changes for xt_coova:


set_xt_coova_rules() {
    case $TUNTAP in
        "tun1") NETWORK_RANGE="172.21.100.0/24" ;;
        "tun2") NETWORK_RANGE="172.22.100.0/24" ;;
        "tun3") NETWORK_RANGE="172.23.100.0/24" ;;
        "tun4") NETWORK_RANGE="172.24.100.0/24" ;;
        *) echo "Unknown TUNTAP device: $TUNTAP"; return ;;
    esac
    ipt -I FORWARD -o wan --src $NETWORK_RANGE -m coova --name chilli -j ACCEPT
    ipt -I FORWARD -i wan --dst $NETWORK_RANGE -m coova --name chilli --dest -j ACCEPT
    ipt -I FORWARD --src $NETWORK_RANGE -j ACCEPT
    ipt -I FORWARD --dst $NETWORK_RANGE -j ACCEPT
}
run_up() {
    if [ -n "$TUNTAP" ]; then
        if [ "$KNAME" != "" ]; then
            ipt -I FORWARD -i $DHCPIF -m coova --name $KNAME -j ACCEPT 
            ipt -I FORWARD -o $DHCPIF -m coova --name $KNAME --dest -j ACCEPT
        fi
        set_xt_coova_rules
    fi
    [ -e /etc/chilli/ipup.sh ] && . /etc/chilli/ipup.sh
}

Chilli Configuration:

tundev="tun4"
net="172.24.100.0/24"
dynip="172.24.100.0/24"
dns1="8.8.8.8"
dns2="8.8.4.4"
ipup="/etc/chilli/up.sh"
ipdown="/etc/chilli/down.sh"
radiusserver1="x.x.x.x"
radiusserver2="x.x.x.x"
radiussecret="xxxxx"
dhcpif="br-network4"
uamserver="https://example.com"
uamlisten="172.24.100.1"
uamallowed="example.com"
uamdomain=".example.com"
wwwdir="/etc/chilli/www"
wwwbin="/etc/chilli/wwwsh"
radiusnasid="x-x-x"
kname="chilli"

Could you guys please look into this and help if you find anything wrong? Or can anyone suggest a way to implement coova with iptables-nft, thinking that it would solve the issue? Any sort of help would be appreciated. Thanks.
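Added example, not part of the original post and not CoovaChilli's own code: `iptables -I` with no rule number inserts at position 1, so the rules in the posted up.sh are evaluated in the reverse of the order they are written. The script below replays the same `ipt` calls against a recording stand-in (no real iptables is touched), using the tun4 values from the posted configuration, and reports where the unconditional subnet ACCEPT rules land relative to the `-m coova` rules.

```shell
#!/bin/sh
# Added example. ipt() is a stand-in that only records rules the way
# `iptables -I FORWARD` orders them (newest rule becomes rule 1).
CHAIN=""            # newline-separated rule list, first line = rule 1
NL='
'

ipt() {
    [ "$1" = "-I" ] || return 1
    shift 2         # drop "-I FORWARD", keep the match/target part
    if [ -z "$CHAIN" ]; then
        CHAIN="$*"
    else
        CHAIN="$*${NL}$CHAIN"
    fi
}

# Same calls, in the same order, as run_up + set_xt_coova_rules in the post.
replay_up_sh() {
    CHAIN=""
    DHCPIF="br-network4"; KNAME="chilli"; NETWORK_RANGE="172.24.100.0/24"
    ipt -I FORWARD -i $DHCPIF -m coova --name $KNAME -j ACCEPT
    ipt -I FORWARD -o $DHCPIF -m coova --name $KNAME --dest -j ACCEPT
    ipt -I FORWARD -o wan --src $NETWORK_RANGE -m coova --name chilli -j ACCEPT
    ipt -I FORWARD -i wan --dst $NETWORK_RANGE -m coova --name chilli --dest -j ACCEPT
    ipt -I FORWARD --src $NETWORK_RANGE -j ACCEPT
    ipt -I FORWARD --dst $NETWORK_RANGE -j ACCEPT
}

effective_order() { replay_up_sh; printf '%s\n' "$CHAIN"; }

# Position of the first rule that uses (-m coova) or does not use (plain) the match.
first_pos() {
    replay_up_sh
    printf '%s\n' "$CHAIN" | awk -v want="$1" '
        { is_coova = ($0 ~ /-m coova/) }
        (want == "coova" && is_coova) || (want == "plain" && !is_coova) { print NR; exit }'
}

# Number of coova rules that sit below an unconditional ACCEPT for the subnet.
coova_rules_after_plain_accept() {
    replay_up_sh
    printf '%s\n' "$CHAIN" | awk '
        !/-m coova/ { seen = 1; next }
        seen        { n++ }
        END         { print n + 0 }'
}

effective_order | awk '{ print NR ". " $0 }'
```

Because ACCEPT is a terminating target, traffic from or to 172.24.100.0/24 is accepted by rules 1 and 2 before any `-m coova` rule is consulted; `iptables -L FORWARD -v -n --line-numbers` on the router shows the real order and per-rule packet counters.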

Coova has been abandoned; you should really switch to openNDS.

Thanks @frollic for your reply. I was prioritizing CoovaChilli's built-in RADIUS authentication support, which kept me from going towards openNDS. Does openNDS have something which facilitates RADIUS auth?

@bluewavenet would probably know more about this.

Thanks @frollic for your reply. I'll test FAS support on openNDS to see if it supports RADIUS auth and will post it here.