[Shorewall-users] wifi clients added to working lan zone can't access net. static route needed?
d***@123mail.org
2017-03-15 17:59:52 UTC
Well, I just can't get this to work.

For this simplest scenario I can envision:

net (ISP-assigned IP = XX.XX.XX.XX)
| ( eth 0 )
router
|
|- ( eth1, static IP addr: 10.0.0.1 )
| -- wired LAN, all static IPs in 10.0.0.50-100
|
|- ( wlan1, static IP addr: 10.0.0.2 )
-- AccessPoint SSID provided by hostapd
-- wireless LAN, all dhcpd-assigned IPs in 10.0.0.150-200

In shorewall config

zones
fw firewall
net ipv4
lan ipv4

hosts
lan INTIF:10.0.0.0/24 broadcast

interfaces
net EXTIF optional,physical=eth0,dhcp,tcpflags,nosmurfs,logmartians=1,routefilter=1,sourceroute=0
lan WIFIIF optional,physical=wlan1,dhcp,tcpflags,logmartians=1,routefilter=0
- INTIF physical=eth1,dhcp,tcpflags,logmartians=1,routefilter=0

snat
SNAT(XX.XX.XX.XX) 10.0.0.0/24 EXTIF

With this config

ALL my wired clients have access to the NET

ALL my wireless clients
-- are logged in
-- have IPs assigned in the 'lan'
NONE of my wireless clients can access the net

Do I need to manually add a static route somewhere ?

DT
Simon Hobson
2017-03-15 21:06:07 UTC
Post by d***@123mail.org
Well, I just can't get this to work.
net (ISP-assigned IP = XX.XX.XX.XX)
| ( eth 0 )
router
|
|- ( eth1, static IP addr: 10.0.0.1 )
| -- wired LAN, all static IPs in 10.0.0.50-100
|
|- ( wlan1, static IP addr: 10.0.0.2 )
-- AccessPoint SSID provided by hostapd
-- wireless LAN, all dhcpd-assigned IPs in 10.0.0.150-200
There's a fundamental issue there, you have two separate networks sharing the same subnet and that's a big no-no.

If you must have the WiFi and wired LAN clients on the same subnet then you will need to bridge the two networks together - the interfaces won't have their own IP addresses, but the bridge will.

If you want the two networks separate, then they need to have non-overlapping IP subnets.

I suspect that if you do some packet sniffing, you'll find that the reason the wireless clients don't have a working connection is because the return packets are being sent out on eth1 rather than wlan1.
d***@123mail.org
2017-03-15 21:27:38 UTC
Simon
Post by Simon Hobson
There's a fundamental issue there,
and THEN some! :-/
Post by Simon Hobson
you have two separate networks sharing the same subnet and that's a big no-no.
I'd thought that to add both interfaces to the same zone, that had to be the case.

Got THAT wrong.
Post by Simon Hobson
If you want the two networks separate, then they need to have non-overlapping IP subnets.
Ok, got that now. Need to get dhcp etc sorted here in a minute.
Post by Simon Hobson
I suspect that if you do some packet sniffing, you'll find that the reason the wireless clients don't have a working connection is because the return packets are being sent out on eth1 rather than wlan1.
I did tcpdump on the wlan interface -- and saw lots of packets going OUT, but not returning. Couldn't even get a ping response when pinging from my phone to the AP ip. Which has me confused, since I'm obviously "hearing" from the DHCP server.

Let me get that non-overlapping bit straightened out ...

DT
d***@123mail.org
2017-03-15 22:10:14 UTC
I removed the overlap, moving the WiFi LAN into its own segment

net (ISP-assigned IP = XX.XX.XX.XX)
|
|
| ( eth 0 )
router
|
|- ( eth1, static IP addr: 10.0.0.1/24 ) --> wired LAN
|
|- ( wlan1, static IP addr: 10.0.1.1/24 ) --> wifi LAN

Now, when I connect/login, I *do* get a 10.0.1.150 address assigned to the phone

AND,

I can ping from the phone, @ IP = 10.0.1.150 to

wlan1 @ IP = 10.0.1.1
eth1 @ IP = 10.0.0.1
any machine @ IP on the WiFi LAN
any machine @ IP on the wireless LAN

I can NOT ping (100% loss) to eth0, @ my ISP-assigned IP (xx.xx.xx.xx), or beyond to the net.

So, apparently, even though both the INTIF and WIFIIF are in the same zone, 'lan', that's not yet enough.

Fwiw, according to netstat, my routes are

netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 XX.XX.XX.1 0.0.0.0 UG 0 0 0 eth0
XX.XX.XX.0 0.0.0.0 255.255.252.0 U 0 0 0 eth0
XX.XX.XX.1 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
10.0.1.0 0.0.0.0 255.255.255.0 U 0 0 0 wlan1


DT
Tom Eastep
2017-03-15 22:24:13 UTC
Post by d***@123mail.org
I removed the overlap, moving the WiFi LAN into its own segment
net (ISP-assigned IP = XX.XX.XX.XX)
|
|
| ( eth 0 )
router
|
|- ( eth1, static IP addr: 10.0.0.1/24 ) --> wired LAN
|
|- ( wlan1, static IP addr: 10.0.1.1/24 ) --> wifi LAN
Now, when I connect/login, I *do* get a 10.0.1.150 address assigned to the phone
AND,
(xx.xx.xx.xx), or beyond to the net.
So, apparently, even though both the INTIF and WIFIIF are in the same zone, 'lan', that's not yet enough.
Fwiw, according to netstat, my routes are
netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 XX.XX.XX.1 0.0.0.0 UG 0 0 0 eth0
XX.XX.XX.0 0.0.0.0 255.255.252.0 U 0 0 0 eth0
XX.XX.XX.1 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
10.0.1.0 0.0.0.0 255.255.255.0 U 0 0 0 wlan1
What default gateway are you assigning to the phone?

-Tom
--
Tom Eastep \ Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.net \________________________________________________
d***@123mail.org
2017-03-15 22:34:58 UTC
Tom
Post by Tom Eastep
What default gateway are you assigning to the phone?
I was JUST looking at that.

In the dhcpd settings, I've got

subnet 10.0.1.0 netmask 255.255.255.0 {
option subnet-mask 255.255.255.0;
option routers 10.0.1.1;
option broadcast-address 10.0.1.255;
default-lease-time 14400;
max-lease-time 172800;
pool {
range 10.0.1.150 10.0.1.200;
}
}

Iiuc, that serves up the IP address of 'wlan1', the AP's IP, as the gateway.

DT
Tom Eastep
2017-03-15 22:36:31 UTC
Post by d***@123mail.org
Tom
Post by Tom Eastep
What default gateway are you assigning to the phone?
I was JUST looking at that.
In the dhcpd settings, I've got
subnet 10.0.1.0 netmask 255.255.255.0 {
option subnet-mask 255.255.255.0;
option routers 10.0.1.1;
option broadcast-address 10.0.1.255;
default-lease-time 14400;
max-lease-time 172800;
pool {
range 10.0.1.150 10.0.1.200;
}
}
Iiuc, that serves up the IP address of 'wlan1', the AP's IP, as the gateway.
If you 'shorewall clear', can you ping the eth0 IP address from the phone?

Be sure to 'shorewall start' after the test.

-Tom
d***@123mail.org
2017-03-15 22:40:02 UTC
Post by Tom Eastep
If you 'shorewall clear', can you ping the eth0 IP address from the phone?
That's a nifty test. And YES, I *can* ping after 'shorewall clear'.
Post by Tom Eastep
Be sure to 'shorewall start' after the test.
Yep, thanks.

So it's something IN, or NOT in, the firewall setup.

DT
Tom Eastep
2017-03-15 22:45:23 UTC
Post by d***@123mail.org
Post by Tom Eastep
If you 'shorewall clear', can you ping the eth0 IP address from the phone?
That's a nifty test. And YES, I *can* ping after 'shorewall
clear'.
Post by Tom Eastep
Be sure to 'shorewall start' after the test.
Yep, thanks.
So it's something IN, or NOT in, the firewall setup.
Once again, the fastest way to get this solved is to send me the output
of 'shorewall dump'.

-Tom
d***@123mail.org
2017-03-15 23:50:27 UTC
Post by d***@123mail.org
So it's something IN, or NOT in, the firewall setup.
Not *just* the firewall maybe.

I noticed the following

at every client on the wired-LAN,

ip route
default via 10.0.0.1 dev enp4s0
10.0.0.0/24 dev enp4s0 proto kernel scope link src 10.0.0.7


at a connected phone, on the WiFi LAN

ip route
10.0.1.0/24 dev wlan0 proto kernel scope link src 10.0.1.150

It appears to be missing a default route.

Which is SUPPOSED to be set by dhcpd's service of

option routers 10.1.1.1;


I've tried adding

ip route add default via 10.0.1.0 dev wlan0

in a terminal opened on the phone, but if I try to do it with `sudo`, it reboots the silly thing.

So need to figure out how to get that route manually ONTO the phone, to see if it makes a difference.

DT
Lennart Sorensen
2017-03-16 15:00:29 UTC
Post by d***@123mail.org
Post by d***@123mail.org
So it's something IN, or NOT in, the firewall setup.
Not *just* the firewall maybe.
I noticed the following
at every client on the wired-LAN,
ip route
default via 10.0.0.1 dev enp4s0
10.0.0.0/24 dev enp4s0 proto kernel scope link src 10.0.0.7
at a connected phone, on the WiFi LAN
ip route
10.0.1.0/24 dev wlan0 proto kernel scope link src 10.0.1.150
It appears to be missing a default route.
Which is SUPPOSED to be set by dhcpd's service of
option routers 10.1.1.1;
10.1.1.1 is NOT in the subnet 10.0.1.0/24

You meant 10.0.1.1
Post by d***@123mail.org
I've tried adding
ip route add default via 10.0.1.0 dev wlan0
That is not a valid IP for via (since .0 is not the router).
Post by d***@123mail.org
in a terminal opened on the phone, but if I try to do it with `sudo`, it reboots the silly thing.
So need to figure out how to get that route manually ONTO the phone, to see if it makes a difference.
--
Len Sorensen
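Two addressing mistakes come up in the thread: Simon's point that eth1 and wlan1 originally shared one subnet, and Len's point that the dhcpd `option routers` value was outside the subnet it was declared in. The following is an added example (not from the thread, and not a Shorewall or ISC dhcpd tool) that checks for both; the interface addresses and dhcpd.conf fragment are constructed to mirror the thread.

```python
"""Added example (not from the thread): checks for the two addressing mistakes
raised above: overlapping subnets on two router interfaces, and a dhcpd
'option routers' value that is not a host address inside its subnet."""
import ipaddress
import re

# Constructed router addressing, before and after the thread's re-addressing.
IFACES_OVERLAP = {"eth1": "10.0.0.1/24", "wlan1": "10.0.0.2/24"}
IFACES_FIXED = {"eth1": "10.0.0.1/24", "wlan1": "10.0.1.1/24"}
# Constructed dhcpd.conf fragment carrying the 'routers' typo from the thread.
DHCPD_CONF = """\
subnet 10.0.1.0 netmask 255.255.255.0 {
  option subnet-mask 255.255.255.0;
  option routers 10.1.1.1;
  pool { range 10.0.1.150 10.0.1.200; }
}
"""

def overlapping_interfaces(ifaces):
    """Pairs of interfaces whose connected subnets overlap: replies to hosts on
    one interface can then be sent out of the other (what tcpdump showed)."""
    nets = {n: ipaddress.ip_interface(a).network for n, a in ifaces.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]

def subnet_blocks(conf):
    """Yield (network, body) per 'subnet ... netmask ... { ... }' declaration,
    counting braces so nested pool { } blocks are handled."""
    for m in re.finditer(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        yield net, conf[m.end():i - 1]

def bad_routers(conf):
    """(subnet, gateway) for every 'option routers' that is not a host address
    inside its own subnet; clients of such a subnet get no usable default route."""
    bad = []
    for net, body in subnet_blocks(conf):
        for gw in re.findall(r"option\s+routers\s+([\d.]+)\s*;", body):
            ip = ipaddress.ip_address(gw)
            if ip not in net or ip in (net.network_address, net.broadcast_address):
                bad.append((str(net), gw))
    return bad
```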
d***@123mail.org
2017-03-16 15:24:56 UTC
Post by Lennart Sorensen
You meant 10.0.1.1
Yep. Typo, here.
Post by Lennart Sorensen
Post by d***@123mail.org
I've tried adding
ip route add default via 10.0.1.0 dev wlan0
That is not a valid IP for via (since .0 is not the router).
And

ip route add default via 10.0.1.1 dev wlan0

doesn't do any good either. Or anything else I've tried so far.

DT
Simon Hobson
2017-03-16 16:41:15 UTC
Post by d***@123mail.org
ip route add default via 10.0.1.1 dev wlan0
doesn't do any good either. Or anything else I've tried so far.
You really should not be having to do that - the device should be setting the default route from the DHCP offer. I'd be looking to try and fix that, if nothing else because you'll have to fix it for your WiFi to be usable for "non geeks".

Then, when you've got to a stage where the clients get a working network connection, you can diagnose where the packets are (or aren't) going.
d***@123mail.org
2017-03-16 17:36:26 UTC
Simon
Post by Simon Hobson
You really should not be having to do that - the device should be setting the default route from the DHCP offer. I'd be looking to try and fix that, if nothing else because you'll have to fix it for your WiFi to be usable for "non geeks".
Then, when you've got to a stage where the clients get a working network connection, you can diagnose where the packets are (or aren't) going.
Yep, working on it!

I'm staring at multiple shells with various tcpdump probes, trying to figure out what is & isn't happening.

I *DO* have a working network connection -- just not to ALL networks. Namely I don't get to the net.

Using hostapd, that is. With a standalone WiFi router attached to the LAN, everything works.

I do know the following so far:

The phone, when connected

In this config:

net
|
|
router
|
|-- ethernet switch
|
|-- Standalone Wifi Router
| |
| phone
|
|-- { hardwired LAN machines }

The phone is given an IP on the 10.0.0.0/24 segment,

10.0.0.150

and has

ip route
ip route 10.0.0.0/24 dev wlan0 proto kernel scope link src 10.0.0.150

It has full/unfettered access to the net.

OTOH, in this config:

net
|
|
router
|
|-- USB WiFi dongle + Hostapd AP
| |
| phone
|
|-- ethernet switch
|
|-- { hardwired LAN machines }


The phone is given an IP on the 10.0.1.0/24 segment,

10.0.1.150

and has

ip route
ip route 10.0.1.0/24 dev wlan proto kernel scope link src 10.0.1.150

It can access everything on my LAN, but NOTHING on the 'net.

This smells like a routing problem to me.

Unless I missed it in the docs or in the thread above, there's been no specific routing settings I should use.

I'm guessing something clearly different than what I have.

I just have to figure out & understand what needs to get set and where.

DT
d***@123mail.org
2017-03-16 19:11:59 UTC
Bingo.

Changing

providers
- ISP 1 0x100 main EXTIF detect track,balance INTIF
+ ISP 1 0x100 main EXTIF detect track,balance INTIF,WIFIIF

Now I can ping from the hostapd-connected phone to the Internet, as well as to everything on my LAN.

I can't access any WebSites on the net from a browser, or Mail on my lan.

Yet.

That may be rules. Need to look around a bit.
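The fix above was the COPY column of the `providers` entry: with `track`, replies to the phone are marked into the ISP routing table, and that table only holds routes through the provider's interface plus the interfaces listed in COPY, so a wlan1 route was never there. The following is an added example (not from the thread or from Shorewall) that checks a `providers` file against the `interfaces` file for that gap; it assumes the column layouts shown in the thread, and its reading of `-` and `none` in COPY follows the Shorewall documentation as I understand it.

```python
"""Added example (not from the thread or from Shorewall): a sanity check for
the 'providers' COPY column. Assumes the tabular layouts shown in the thread:
interfaces = ZONE INTERFACE OPTIONS; providers = NAME NUMBER MARK DUPLICATE
INTERFACE GATEWAY OPTIONS COPY."""

# Constructed samples mirroring the thread's files (not from a live system).
INTERFACES = """\
net   EXTIF  optional,physical=eth0,dhcp,tcpflags,nosmurfs,logmartians=1,routefilter=1,sourceroute=0
lan   WIFIIF optional,physical=wlan1,dhcp,tcpflags,logmartians=1,routefilter=0
-     INTIF  physical=eth1,dhcp,tcpflags,logmartians=1,routefilter=0
"""
PROVIDERS_BEFORE = "ISP 1 0x100 main EXTIF detect track,balance INTIF\n"
PROVIDERS_AFTER = "ISP 1 0x100 main EXTIF detect track,balance INTIF,WIFIIF\n"


def _rows(text):
    """Yield whitespace-split columns, skipping blank lines and '#' comments."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def logical_interfaces(interfaces_text):
    """Set of logical interface names (second column of 'interfaces')."""
    return {row[1] for row in _rows(interfaces_text) if len(row) >= 2}


def missing_copy_targets(interfaces_text, providers_text):
    """Map provider name -> interfaces whose routes are NOT copied into the
    provider's routing table. Only routes through the provider's own interface
    and the interfaces listed in COPY land in that table, so tracked (marked)
    replies bound for a missing interface have no route there."""
    known = logical_interfaces(interfaces_text)
    result = {}
    for row in _rows(providers_text):
        if len(row) < 8:
            continue  # no COPY column given: all routes are copied (assumption)
        name, duplicate, iface, copy = row[0], row[3], row[4], row[7]
        if duplicate == "-" or copy == "-":
            continue  # no duplicated table / COPY unset: nothing to check
        listed = set() if copy == "none" else set(copy.split(","))
        missing = sorted((known - {iface}) - listed)
        if missing:
            result[name] = missing
    return result


if __name__ == "__main__":
    print("before:", missing_copy_targets(INTERFACES, PROVIDERS_BEFORE))
    print("after: ", missing_copy_targets(INTERFACES, PROVIDERS_AFTER))
```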
d***@123mail.org
2017-03-16 19:21:42 UTC
Post by d***@123mail.org
That may be rules
It was.

Done !
