ABillS + FreeRADIUS + Accel-PPP only issue one DNS

Once after installation ABillS + FreeRADIUS2 + Accel-PPP (ipoe) noticed that for DHCP clients receive only one DNS server.
Access-Accept from FreeRADIUS was this:

Sending Access-Accept of id 1 to port 57481
        Session-Timeout = 604800
        PPPD-Downstream-Speed-Limit = 51200
        Framed-IP-Netmask +=
        Framed-IP-Netmask +=
        Acct-Interim-Interval = 600
        DHCP-Domain-Name-Server +=
        DHCP-Domain-Name-Server +=
        PPPD-Upstream-Speed-Limit = 51200
        Framed-IP-Address =
Finished request 40.
Continue reading “ABillS + FreeRADIUS + Accel-PPP only issue one DNS”

Reason for messages “HTB: quantum of class 10001 is big. Consider r2q change”

Once on the access server, Ubuntu Server 16.04 and Accel-ppp noticed the following messages in the /var/log/kern.log file:

kernel: [365970.550498] HTB: quantum of class 10001 is big. Consider r2q change.
kernel: [365970.550547] HTB: quantum of class 10A49 is big. Consider r2q change.
kernel: [365979.545580] HTB: quantum of class 10001 is big. Consider r2q change.
kernel: [365979.545621] HTB: quantum of class 10BD6 is big. Consider r2q change.
kernel: [365995.601973] HTB: quantum of class 10001 is big. Consider r2q change.
kernel: [365995.602031] HTB: quantum of class 11705 is big. Consider r2q change.

First I tried to track which interfaces are being raised at this moment:

tail -f /var/log/kern.log | grep "quantum of class 10001 is big"
tail -f /var/log/accel-ppp/accel-ppp.log | grep "create interface"

Continue reading “Reason for messages “HTB: quantum of class 10001 is big. Consider r2q change””

The script for adding IP addresses from a file to ipset

It took one day to write a script to add to ipset all the IP for which the session was started on the access server, Abills billing was used, so I decided to take IP addresses from the MySQL billing table.

The first step is to create a test ipset:

ipset create test iphash

Continue reading “The script for adding IP addresses from a file to ipset”

The solution to the error “Another app is currently holding the xtables lock”

Recently noticed on one server with the billing system ABillS, that when the script /etc/ppp/ip-up is executed in bulk, an error occurs:

Another app is currently holding the xtables lock. Perhaps you want to use the -w option?

Having looked at the script code, I found that there are two rules among the iptables rules that can slow down the work, namely, the search for ipoe interfaces by two commands:

EXIST=`${IPTABLES} -t nat -L PREROUTING -v | grep "${IFNAME} ";  ${IPTABLES} -L -v | grep DROP | grep "${IFNAME} "`

To raise 3000 sessions, it took more than 30 minutes and some rules could not be added at all or deleted by the script.
By default, if the -L option is used, iptables resolves the IP addresses and tries to display DNS names instead of them, which takes a long time, and so that this does not happen, you need to add the -n option, and just in case I added the -w 20 switch, which will cause the new rules to be postponed until 20 seconds if iptables is already busy executing another command:

EXIST=`${IPTABLES} $IPTABLES_WAIT -t nat -n -L PREROUTING -v | grep "${IFNAME} ";  ${IPTABLES} $IPTABLES_WAIT -n -L -v | grep DROP | grep "${IFNAME} "`

After that, the script with iptables rules began to work out instantly.
Since the old rules are not all fulfilled, I checked this by counting some by the team:

iptables -n -L -t nat -v | grep DNAT | wc -l

And I checked with the number of sessions, the rules were obviously smaller, so I had to clear all rules and restart the session so that the /etc/ppp/ip-up script worked correctly, this time at 3000 sessions it did its job in less than a minute.
Note that in the / etc / ppp / scripts, it’s better not to use iptables rules.

Installing the Netlist for ABillS

On the test, I install the Netlist module for ABillS in Ubuntu Server.

We import the tables into the database:

mysql -D abills --default-character-set=utf8 < /usr/abills/db/Netlist.sql

Open the billing configuration file:

nano /usr/abills/libexec/config.pl

Make sure that the module is activated:


Install nmap and Perl module for it:

sudo apt-get install nmap
sudo cpanm Nmap::Parser

Let’s see where nmap is located:

which nmap

Open the billing configuration file again:

sudo nano /usr/abills/libexec/config.pl

Let’s specify the path to nmap:


Add to sudoers:

echo 'www-data ALL=(ALL) NOPASSWD: /usr/bin/nmap' >> /etc/sudoers.d/abills_sudoers

After installation, the module will be available in the menu /Settings/Netlist

Configuring FreeRADIUS DHCP for ABillS

Suppose you installed FreeRADIUS 2 as written in this article – Installation and configuration of the ABillS billing system
Now copy the dhcp.conf file into the FreeRADIUS configuration:

sudo cp /usr/abills/misc/freeradius/v2/dhcp.conf /usr/local/freeradius/etc/raddb/sites-enabled/

Continue reading “Configuring FreeRADIUS DHCP for ABillS”

Adding vlan to Ubuntu for ABillS

Here is an example of adding a VLAN to Ubuntu Server for ABillS.

Switch to the root user:

sudo su

First of all, install the vlan package and load the 8021q module:

apt-get install vlan
modprobe 8021q

To autorun it after restarting the system, open the file /etc/modules, for example, in the text editor nano (Ctrl+X to exit, y/n to save or cancel changes):

nano /etc/modules

And add if it’s not there:


Create a script:

nano /etc/network/vlan.sh

Add content to it (in IFACE we specify the network interface for vlan, in VLANS – the VLAN list):


  /sbin/vconfig set_name_type VLAN_PLUS_VID_NO_PAD
  VLANS=`echo ${VLANS} | sed 'N;s/\n/ /' |sed 's/,/ /g'`
  for i in $VLANS; do
    if [[ $i =~ - ]]; then
      IFS='-' read -a start_stop <<< "$i"
      for cur_iface in `seq ${start_stop[0]} ${start_stop[1]}`;
        echo "${cur_iface}";
        /sbin/vconfig add ${IFACE} ${cur_iface}
        /sbin/ifconfig vlan${cur_iface} up
    echo "$i";
      /sbin/vconfig add ${IFACE} ${i}
      /sbin/ifconfig vlan${i} up

We make the script executable:

chmod +x /etc/network/vlan.sh

Run the script:


To autorun the script, open the configuration of the network interfaces:

nano /etc/network/interfaces

And add at the end of the line:

post-up /etc/network/vlan.sh

See also my articles:
Configuring VLANs in Ubuntu
Install and configure accel-ppp (IPoE) for ABillS

Ubuntu IP Masquerading (NAT)

For example, I will configure IPv4 masquerading (NAT) on Ubuntu Server.
First you need to enable packet forwarding in /etc/sysctl.conf so that traffic can walk between different network interfaces.
Let’s check the current status:

sysctl net.ipv4.conf.all.forwarding
cat /proc/sys/net/ipv4/ip_forward

If it is 0, then enable it with the following command:

sysctl -w net.ipv4.conf.all.forwarding=1

To keep this after the system restart, open the file /etc/sysctl.conf for example in the nano editor (Ctrl + X to exit, y / n to save or discard changes):

nano /etc/sysctl.conf

And add the line:


If necessary, you can clear existing NAT rules:

iptables -t nat --flush

Now it remains to add a rule to iptables, for example:

iptables -t nat -A POSTROUTING -s -j SNAT --to-source

Where, internal network, and the address through which you need to go to the Internet, similarly prescribed other internal networks.
Let me remind the mask for private networks:

If the IP address on the external network interface changes (dynamic), then instead of SNAT we specify MASQUERADE:

iptables -t nat -A POSTROUTING -s -j MASQUERADE

Do not forget to save the added iptables rules.
For example, you can open the network interface configuration file (its contents are loaded at system startup):

nano /etc/network/interfaces

And at the end add iptables rules, for example I will indicate the masquerading of this network at once to several IP addresses, and also with the indication of the network interface:

post-up /sbin/iptables -t nat -A POSTROUTING -s -o eth3 -j SNAT --to-source --persistent

Or add to the file:

nano /etc/rc.local
/sbin/iptables -t nat -A POSTROUTING -s -o eth3 -j SNAT --to-source --persistent

I recommend to specify the outgoing network interface, if you do not specify it, then local traffic will return to the network under NAT IP.
If there are several outgoing interfaces, let’s say the load is balanced through BGP, etc., then we indicate with two rules:

/sbin/iptables -t nat -A POSTROUTING -s -o eth3 -j SNAT --to-source --persistent
/sbin/iptables -t nat -A POSTROUTING -s -o eth4 -j SNAT --to-source --persistent

See also my articles:
Difference between MASQUERADE and SNAT
Configuring IPTables
How to fix the error “nf_conntrack: table full, dropping package”
Using Linux ISG