
Opensource billing ABillS - installation on FreeBSD

0. Background
About two years ago, a relatively small but growing network, where I, by fate, had ended up as the system administrator, faced the task of introducing a new billing system. The requirements turned out to be simple and rather ordinary for places where the Internet does not cost pennies and far from everyone is willing to pay for an unlimited plan:


Out of a large number of candidates, only two were quickly left: NeTAMS and ABillS.
After a detailed review, NeTAMS was also dropped: its way of working was certainly not suitable for me, and it was noticeable that billing was just a module for it. Moreover, the user web interface, to put it mildly, did not work. Having no alternatives, I proceeded to install ABillS.
I will refrain from recounting all the twists and turns of learning new software, and instead offer you the quintessence of my knowledge of installing the best, in my opinion, open-source billing system.

1. Installation
In this post I will cover installation exclusively on FreeBSD, specifically version 7.0 (installation on 6.x has minor differences). If you are the lucky owner of a Linux server, I advise you to refer to this article by the Habr user Glooom.

1.1 Preparing the kernel
Since billing is still quite a serious system, I prefer to compile everything used in operation into the kernel rather than load it as modules. Therefore, we add the following options to our kernel build configuration:
options NETGRAPH # netgraph framework
options NETGRAPH_IPFW # ng_ipfw
options LIBALIAS # libalias, needed by ng_nat
options NETGRAPH_NAT # ng_nat
options NETGRAPH_NETFLOW # ng_netflow
### MPD ###
options NETGRAPH_SPLIT
options NETGRAPH_KSOCKET
options NETGRAPH_SOCKET
options NETGRAPH_BPF
options NETGRAPH_IFACE
options NETGRAPH_MPPC_ENCRYPTION
options NETGRAPH_PPP
options NETGRAPH_PPTPGRE
options NETGRAPH_TCPMSS
options NETGRAPH_VJC
options NETGRAPH_TEE
options NETGRAPH_CAR
### --- ###

options IPFIREWALL # ipfw
options IPFIREWALL_VERBOSE # logging for rules with the "log" keyword
options IPFIREWALL_FORWARD # fwd action (transparent proxy)
options IPFIREWALL_DEFAULT_TO_ACCEPT # default rule is allow instead of deny

1.2 ng_nat and all-all-all
Unfortunately, at the moment we cannot provide each user with a real IP. Therefore, I had the task of organizing NAT. After reviewing the existing options, the choice fell on ng_nat + ng_ipfw.
To begin with, we add the following lines in /etc/rc.conf :
gateway_enable="YES" # forward packets between interfaces
firewall_enable="YES" # enable ipfw
firewall_script="/usr/scripts/ipfw_load.sh" # script that loads the rules

Create a file /usr/scripts/ipfw_load.sh with the following contents:
#!/bin/sh
fwcmd="/sbin/ipfw"
ngctl="/usr/sbin/ngctl"

ext_if="re0" # external interface
ext_ip="1.2.3.4" # external IP used for NAT

# Create the ng_nat node and attach it to ipfw hooks 60 (out) and 61 (in)
${ngctl} mkpeer ipfw: nat 60 out
${ngctl} name ipfw:60 nat
${ngctl} connect ipfw: nat: 61 in
${ngctl} msg nat: setaliasaddr ${ext_ip}

# Flush the existing rules
${fwcmd} -f flush

# Table of networks to NAT (table 127)
${fwcmd} table 127 flush
${fwcmd} table 127 add 10.39.0.0/16 # user IP range

# Allow loopback traffic
${fwcmd} add 00001 allow ip from any to any via lo0
# Incoming traffic for the NAT address goes to ng_nat
${fwcmd} add 00003 netgraph 61 all from any to ${ext_ip} in via ${ext_if}
# Outgoing traffic from the networks in table 127 goes to ng_nat
${fwcmd} add 60021 netgraph 60 ip from "table(127)" to any

This script NATs users in 10.39.0.0/16 to the address 1.2.3.4. It is built on ipfw tables because sometimes non-contiguous ranges need to be NATed.
1.3 Required software

For normal operation of the billing, I use the following software (all from ports):


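#Admin interface
# "allow from all" below exposes the admin interface to every client;
# narrow it to management addresses where possible.
<Directory "/usr/local/abills/cgi-bin/admin">
AddHandler cgi-script .cgi
Options Indexes ExecCGI FollowSymLinks
AllowOverride none
DirectoryIndex index.cgi
order deny,allow
allow from all
</Directory>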



If you get a 500 error, be sure to look at error.log: almost certainly it is either a database problem or Perl is missing some module.

2.5 Configuring ABillS
Here we come to the tastiest part. Nevertheless, I will not dwell on every feature in detail. The configs below will give you a working system in minimal time.
Load the billing SQL files into the created database named abills:
# mysql -D abills < abills.sql
# mysql -D abills < db/Ipn.sql

The second file activates the IPN extension, which we will use.

First of all, we modify config.pl:
@MODULES = ('Dv',
'Abon',
# 'Docs',
'Sqlcmd',
'Ipn',
# 'Cards');
);

The Ipn module is what we need for traffic accounting. The Cards module is paid ($60), so I left it commented out.
$conf{default_language}='russian'; # - :)
$conf{default_charset}='windows-1251';
$conf{periodic_check}='yes';
$conf{IPN_DEPOSIT_OPERATION}=1; # IPN
$conf{IPN_USERMENU}=1; #

Also note $conf{IPN_FW_START_RULE} and $conf{IPN_FW_STOP_RULE}. Here you can specify scripts that are executed when a connection is opened and closed. You can ignore $conf{IPN_FW_FIRST_RULE}: we will organize speed limiting by another method. After unsuccessful experiments, I personally gave up controlling the firewall from ABillS and therefore, in principle, do not use the linkupdown script that ships with ABillS.

One effective method for limiting client speed when using MPD is to return the corresponding filters in the RADIUS Start packet. For example, to create a limit on the tariff plan 64, it is sufficient to include the following line in the RADIUS parameters of this tariff plan:
mpd-limit+=out#1=all shape 64000 pass,mpd-limit+=in#1=all shape 64000 pass

In this case, the speed limit is enforced by the ng_car node, which, as my practice has shown, is much more efficient than shaping with ipfw + dummynet.
Unfortunately, for unknown reasons, ABillS out of the box incorrectly handles the "+=" operator in tariff plans. To correct this annoying misunderstanding, find the following lines in Auth.pm:
$RAD_PAIRS->{"$left"} =~ s/\"//g;
$RAD_PAIRS->{"$left"}="\"". $RAD_PAIRS->{"$left"} .",$right\"";
}
else {
$RAD_PAIRS->{"$left"}="\"$right\"";
}

and replace them with the following:

$RAD_PAIRS->{"$left"} =~ s/\"//g;
push( @{ $RAD_PAIRS->{"$left"} }, $right );
}
else {
$RAD_PAIRS->{"$left"}= [ $right ];
}

After this, ABillS will correctly pass attributes in the "+=" format.
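
The effect of the two variants, as an added example that is not ABillS code: a parser for a tariff plan's RADIUS parameter string, run on the mpd-limit line from this post. The names parse_rad_pairs, reply_lines and the $mode switch are hypothetical; "joined" is modelled on the original Auth.pm lines and "list" on the replacement.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper, not ABillS code: parse "attr=val,attr+=val,..." into
# reply pairs. $mode selects how "+=" is stored:
#   'joined' - one quoted, comma-separated string (modelled on the original lines)
#   'list'   - an array reference, one element per value (the replacement lines)
sub parse_rad_pairs {
    my ($params, $mode) = @_;
    my %pairs;
    for my $item (split /,/, $params) {
        $item =~ s/^\s+|\s+$//g;
        # The name ends at the first "+=" or "="; the value may contain "=".
        my ($left, $op, $right) = $item =~ /^([^=+]+)(\+?=)(.*)$/ or next;
        if ($op eq '+=' && $mode eq 'list') {
            push @{ $pairs{$left} }, $right;
        }
        elsif ($op eq '+=') {
            my $old = defined $pairs{$left} ? $pairs{$left} : '';
            $old =~ s/"//g;
            $pairs{$left} = length($old) ? qq{"$old,$right"} : qq{"$right"};
        }
        else {
            $pairs{$left} = $mode eq 'list' ? [ $right ] : qq{"$right"};
        }
    }
    return \%pairs;
}

# Render the pairs as one "attribute = value" line per attribute instance.
sub reply_lines {
    my ($pairs) = @_;
    my @lines;
    for my $attr (sort keys %$pairs) {
        my $val = $pairs->{$attr};
        for my $v (ref($val) eq 'ARRAY' ? @$val : ($val)) { push @lines, "$attr = $v"; }
    }
    return @lines;
}

# Sample input: the tariff plan line from this post.
my $tp = 'mpd-limit+=out#1=all shape 64000 pass,mpd-limit+=in#1=all shape 64000 pass';

for my $mode (qw(joined list)) {
    my @lines = reply_lines(parse_rad_pairs($tp, $mode));
    printf "%-6s: %d attribute(s)\n", $mode, scalar @lines;
    print "    $_\n" for @lines;
}
```

In "joined" mode both shaping rules end up inside a single mpd-limit value; in "list" mode each rule is its own mpd-limit attribute.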

It now remains to log in to the ABillS admin panel with the abills username and password and, in the "System" - "NAS" section ("System" - "Access Servers" in the Russian version), create a new NAS with the type "mpd4" and the address "127.0.0.1:5005".

NAS will receive a number (most likely it will be "1"). Now open crontab and enter the following line into it:
*/5 * * * * /usr/local/abills/libexec/traffic2sql 1 flowdir=/usr/local/abills/var/log/ipn

Do not forget to replace 1 with the number of your NAS. Now all traffic data of your users will be taken into account by billing.
You can also add calls to periodic scripts in crontab:
1 0 * * * root /usr/abills/libexec/periodic daily
1 0 * * * root /usr/abills/libexec/periodic monthly

Do not add billd -all to cron as the manual recommends. In our case it is not needed and is even harmful: it will disconnect users at the boundaries of the time intervals.

This completes the basic setup, and your VPN server should be ready to go.

3. Personal impressions - a barrel of honey
I have been using ABillS on a production server for over 2 years now. During this time not a single serious failure occurred, and the total downtime probably did not add up to 2 hours, of which an hour was the transition to new versions of the billing. Only once, on New Year's Eve, due to a minor error, the billing began to drop all users on time-limit. It took me 15 minutes to eliminate this error.
In general, the system provides very convenient reports on users, all the necessary information is stored in the database, and many different modules make life easier: only pleasant impressions. Our friends bought UTM and had more problems with it, even though they had paid support.

4. Personal impressions - a spoon of tar
However, ABillS is not perfect. I do not use much of the functionality (linkupdown, periodic scripts) at all; instead I use my own "substitutes", because the authors' versions do not suit me for one reason or another.
Sometimes rather silly mistakes slip in. After one of the updates (on average, we update the billing every six months), users with credit lost the ability to go online because of a wrong ">" sign in the check of the credit limit of the tariff plan and the user. Traffic2sql itself works rather slowly in its original form (patch on the ABillS forum), and when IPs are issued dynamically from a pool, traffic may be accounted incorrectly (bug report + patch on the ABillS forum).
Also, once I turned on the Msgs module, which provides basic "contact technical support" functionality from within the billing, two days later I was horrified to find that no tags are stripped from messages at all, which makes it possible, for example, to use an IFRAME to change the user's tariff plan when an administrator looks at his message.
This is especially sad because 95% of the modules that "appear" for ABillS are not-cheap commercial orders, which are then released "for everyone".
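
Added example, not ABillS code, for the Msgs problem described above: encoding a message body before it is shown in the admin panel, plus a check of already stored messages for element names. The helper names escape_html and tags_in and the sample messages are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helpers, not ABillS code.

# Encode the HTML-significant characters so user text is rendered as text,
# never as markup.
my %ENT = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;', "'" => '&#39;');
sub escape_html {
    my ($text) = @_;
    $text =~ s/([&<>"'])/$ENT{$1}/g;
    return $text;
}

# List the element names that open in a stored message, for auditing
# messages saved before output encoding was in place.
sub tags_in {
    my ($text) = @_;
    my %seen;
    $seen{ lc $1 } = 1 while $text =~ /<\s*([a-z][a-z0-9]*)\b/gi;
    return sort keys %seen;
}

# Constructed sample messages (id => body).
my %messages = (
    101 => 'My connection drops every evening, speed < 1 Mbit/s.',
    102 => 'Please check my account <iframe src="https://example.invalid/"></iframe>',
);

for my $id (sort keys %messages) {
    my @tags = tags_in($messages{$id});
    printf "msg %d: %s\n", $id, @tags ? "contains markup: @tags" : 'no markup';
    print  "  shown to admin as: ", escape_html($messages{$id}), "\n";
}
```

Message 101 shows that a bare "<" in ordinary text is not reported as markup, while both messages are encoded the same way on output.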


DISCLAIMER instead of an epilogue
Everything written above is my personal experience of using this system. My opinion is purely subjective, and I do not guarantee the absolute correctness and smoothness of the proposed solutions. Also, like any person, I could be wrong. If you have something to add to or improve in this article, I am always glad to receive constructive criticism in the comments or by email (it is in my profile).

Source: https://habr.com/ru/post/30174/

