Jimini l33t
Joined: 31 Oct 2006 Posts: 605 Location: Germany
Posted: Mon May 06, 2013 5:16 pm Post subject: Gentoo wifi hotspot -> "destination host unreachable"
Hey there,
during the last few days I tried to set up a Gentoo-based wifi hotspot using hostapd, dhcpd, iptables and two wifi USB adapters (TP-Link TL-WN821N). I set up hostapd and dhcpd, since I was able to connect to the wireless network. The client gets its IP address, but it is not able to ping / reach anything inside or outside my local net ("Destination Host unreachable"). Since iptables does not log any drops or rejects, I have no idea what could be the reason for this behavior.
This is my config:
hostapd (2.0):
```
interface=wlp0s29u1u1
bridge=br0
driver=nl80211
logger_syslog=-1
logger_syslog_level=0
logger_stdout=-1
logger_stdout_level=2
dump_file=/tmp/hostapd.dump
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
ssid=Test-AP
utf8_ssid=1
country_code=DE
ieee80211d=1
hw_mode=g
channel=6
beacon_int=100
dtim_period=2
max_num_sta=255
rts_threshold=2347
fragm_threshold=2346
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wmm_enabled=1
wmm_ac_bk_cwmin=4
wmm_ac_bk_cwmax=10
wmm_ac_bk_aifs=7
wmm_ac_bk_txop_limit=0
wmm_ac_bk_acm=0
wmm_ac_be_aifs=3
wmm_ac_be_cwmin=4
wmm_ac_be_cwmax=10
wmm_ac_be_txop_limit=0
wmm_ac_be_acm=0
wmm_ac_vi_aifs=2
wmm_ac_vi_cwmin=3
wmm_ac_vi_cwmax=4
wmm_ac_vi_txop_limit=94
wmm_ac_vi_acm=0
wmm_ac_vo_aifs=2
wmm_ac_vo_cwmin=2
wmm_ac_vo_cwmax=3
wmm_ac_vo_txop_limit=47
wmm_ac_vo_acm=0
eapol_key_index_workaround=0
wpa=2
wpa_passphrase=secretsecretpassphrase
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
rsn_pairwise=CCMP
wpa_group_rekey=600
wpa_gmk_rekey=86400
wpa_ptk_rekey=600
rsn_preauth=1
rsn_preauth_interfaces=wlp0s29u1u1
```
/etc/conf.d/net:
```
config_enp3s0="dhcp"
dhcp_enp3s0="release nodns"
config_enp1s0f0="10.0.0.1/24"
mode_wlp0s29u1u1="master"
modules_wlp0s29u1u1="!iwconfig !wpa_supplicant"
routes_wlp0s29u1u1="default via 10.0.0.1"
config_wlp0s29u1u2="10.0.1.61/24"
mode_wlp0s29u1u2="master"
modules_wlp0s29u1u2="!iwconfig !wpa_supplicant"
brctl_br0="stp br0 off"
bridge_br0="enp1s0f1 wlp0s29u1u1"
config_enp1s0f1="null"
config_wlp0s29u1u1="null"
config_br0="10.0.0.3/24"
```
dhcpd (4.2.5_p1):
```
subnet 10.0.0.0 netmask 255.255.255.0 {
    range 10.0.0.101 10.0.0.200;
    default-lease-time 259200;
    max-lease-time 518400;
    option subnet-mask 255.255.255.0;
    option broadcast-address 10.0.0.255;
    option routers 10.0.0.1;
    option domain-name-servers 10.0.0.1;
    allow unknown-clients;
}
```
iptables (1.4.16.3) (shortened):
```sh
#!/bin/sh
# kernel network hardening knobs
echo "1" > /proc/sys/net/ipv4/conf/all/arp_filter
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "0" > /proc/sys/net/ipv4/conf/all/log_martians
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "1" > /proc/sys/net/ipv4/ip_forward
# flush all tables
iptables -F
iptables -t nat -F
iptables -t mangle -F
lan="enp1s0f0"
wlan1="wlp0s29u1u1"
wlan2="wlp0s29u1u2"
wan="enp3s0"
intern=10.0.0.0/24
# default policies: drop everything not explicitly allowed
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
# forwarding from the internal interfaces towards the WAN, plus NAT
iptables -A FORWARD -s $intern -i $lan -o $wan -j ACCEPT
iptables -A FORWARD -s $intern -i $wlan1 -o $wan -j ACCEPT
iptables -A FORWARD -s $intern -i br0 -o $wan -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE
### DHCP
iptables -A INPUT -i br0 -p udp --sport 68 --dport 67 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i $lan -p udp --sport 68 --dport 67 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i $wlan1 -p udp --sport 68 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i $wan -p udp --dport 68 -j REJECT
iptables -A OUTPUT -o $lan -d $intern -p udp --dport 68 -m conntrack --ctstate NEW -j ACCEPT
### ICMP
iptables -A INPUT -p icmp -s $intern -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p icmp ! -s $intern -j DROP
iptables -A OUTPUT -p icmp -j ACCEPT
# log and reject whatever is left
iptables -A FORWARD -j LOG --log-prefix "REJECTED_FORWARD: " --log-level=5
iptables -A FORWARD -j REJECT
iptables -A OUTPUT -j LOG --log-prefix "REJECTED_OUTPUT: " --log-level=5
iptables -A OUTPUT -j REJECT
iptables -A INPUT -i $wan -j REJECT
iptables -A INPUT -j LOG --log-prefix "REJECTED_INPUT: " --log-level=5
iptables -A INPUT -j REJECT
```
And finally the log entries, when a client connects:
```
May 6 19:13:50 Aleph hostapd: wlp0s29u1u1: STA 00:0e:35:51:db:5e IEEE 802.11: authenticated
May 6 19:13:50 Aleph hostapd: wlp0s29u1u1: STA 00:0e:35:51:db:5e IEEE 802.11: associated (aid 1)
May 6 19:13:50 Aleph hostapd: wlp0s29u1u1: STA 00:0e:35:51:db:5e RADIUS: starting accounting session 51873C85-00000001
May 6 19:13:50 Aleph hostapd: wlp0s29u1u1: STA 00:0e:35:51:db:5e WPA: pairwise key handshake completed (RSN)
May 6 19:13:50 Aleph dhcpd: DHCPDISCOVER from 00:0e:35:51:db:5e (Nyx) via br0
May 6 19:13:51 Aleph dhcpd: DHCPOFFER on 10.0.0.101 to 00:0e:35:51:db:5e (Nyx) via br0
May 6 19:13:52 Aleph dhcpd: Wrote 3 leases to leases file.
May 6 19:13:52 Aleph dhcpd: DHCPREQUEST for 10.0.0.101 (10.0.0.3) from 00:0e:35:51:db:5e (Nyx) via br0
May 6 19:13:52 Aleph dhcpd: DHCPACK on 10.0.0.101 to 00:0e:35:51:db:5e (Nyx) via br0
```
Any help would be REALLY appreciated.
Best regards,
Jimini

_________________
"The most merciful thing in the world, I think, is the inability of the human mind to correlate all its contents." (H.P. Lovecraft: The Call of Cthulhu)
Aiken Apprentice
Joined: 22 Jan 2003 Posts: 239 Location: Toowoomba/Australia
Posted: Tue May 07, 2013 12:30 am Post subject:
1st thing, as you are using udev names (wlp0s29u1u1) for the interfaces instead of kernel names (wlan0) you will have to keep in mind that something as simple as moving the usb wifi adaptors to different usb ports will break hostapd and your script, as udev will give your wifi adaptors new names if you move them to different usb ports.
Have not worked out what the 2nd wifi adaptor with your setup is for. I have 2 always-on machines acting as access points. On the machine with a static ip its /etc/conf.d/net is
```
config_eth0="null"
config_eth1="null"
bridge_br0="eth0 eth1"
config_br0="172.16.31.1/24"
routes_br0="default via 172.16.31.254"
depend_br0() {
    need net.eth0 net.eth1
}
```
Hostapd adds wlan0 to the bridge when it starts so I do nothing about configuring wlan0. The router is separate and it handles the firewall rules. As hostapd adds wlan0 to the bridge this is enough for client machines to connect to the access point and have access to the network.
A 3rd access point I sometimes start is for when I want to use my eeepc as an ap with my phone acting as a 3g modem. If I want to change from desktop type use to access point I use this script.
```bash
#!/bin/bash
# stop the desktop session and desktop networking
/etc/init.d/xdm stop
/etc/init.d/wicd stop
modprobe ath5k
rfkill unblock all
killall wpa_supplicant
# wait until the wifi interface can be brought up
while [ 4 -lt 5 ]
do
    ifconfig wlan0 0.0.0.0 up
    if [ "$?" == "0" ]
    then
        break
    fi
    sleep 1
done
#echo nameserver 127.0.0.1 > /etc/resolv.conf
ifconfig wlan0 10.45.0.1/24
# start only the services needed for the access point
/etc/init.d/hostapd -D start
/etc/init.d/sshd -D start
/etc/init.d/dhcpd -D start
/etc/init.d/named -D start
sysctl net.ipv4.ip_forward=1
# minimal firewall: NAT out via the 3g link (ppp0) or eth0, accept only replies on ppp0
iptables -F
iptables -X
iptables -F -t nat
iptables -X -t nat
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A INPUT -i ppp0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i ppp0 -j DROP
iptables -A FORWARD -i ppp0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i ppp0 -j DROP
./wvdial
```
This kills kde and the current networking then starts up just what services I want giving me an access point with a simple firewall. I suggest starting with something simpler than what you have and once that is working then add to it.
Still not sure what your 2nd wifi adaptor is for, but something that can sometimes be useful is to use 1 wifi adaptor to connect to an existing access point and start hostapd on the other. Have done that a few times with the eeepc to temporarily extend the wireless range. That eeepc also spends time providing a wireless link back to the main network for an isolated wired network.

_________________
Beware the grue.
Jimini l33t
Joined: 31 Oct 2006 Posts: 605 Location: Germany
Posted: Tue May 07, 2013 4:10 am Post subject:
Aiken,
thank you for your reply.
1) The router normally works completely "untouched", so it runs 24/7 without any interaction. Regarding this, it should be no problem how I name the adapters.
2) At the moment, the second adapter is not in use. It is plugged in, but I don't use it. In the future, I would like to create a second wireless network with this adapter.
If I get you right, it looks as if you leave the wifi adapters completely unconfigured, right? So you bridge eth0 and eth1 and add wlan0 to this bridge afterwards via hostapd?
Best regards,
Jimini
Aiken Apprentice
Joined: 22 Jan 2003 Posts: 239 Location: Toowoomba/Australia
Posted: Tue May 07, 2013 5:43 am Post subject:
With the machines that act as access points I leave the wifi unconfigured. Hostapd configures and adds wlan0 to br0 for me. Based on your 1st post you already have the appropriate line in hostapd.conf, "bridge=br0". I have the net.br0 -> net.lo symlink and net.br0 in /etc/runlevels/default.
When setting up an access point the only machine on which I do anything with wlan0 is the eeepc with the above script, and that is only because wlan0 will be stand-alone and not part of a bridge.
Also have a look at the ieee80211n=1 option to enable N speeds. I think by default the max is 802.11g without that option.
The problem is not how you name the adaptors. The problem is if the adaptors get moved to other usb slots then udev will rename them for you.
jamapii l33t
Joined: 16 Sep 2004 Posts: 637
Posted: Tue May 07, 2013 11:04 pm Post subject:
It seems to me the line `routes_wlp0s29u1u1="default via 10.0.0.1"` should not be there.
Jimini l33t
Joined: 31 Oct 2006 Posts: 605 Location: Germany
Posted: Wed May 08, 2013 6:06 am Post subject:
Aiken and jamapii, thank you for your replies, which helped me to get back on track.
I changed my net-config as follows:
```
config_enp3s0="dhcp"
dhcp_enp3s0="release nodns"
mode_wlp0s29u1u1="master"
modules_wlp0s29u1u1="!iwconfig !wpa_supplicant"
config_wlp0s29u1u2="10.0.1.61/24"
mode_wlp0s29u1u2="master"
modules_wlp0s29u1u2="!iwconfig !wpa_supplicant"
brctl_br0="stp br0 off"
bridge_br0="enp1s0f0 wlp0s29u1u1"
config_enp1s0f0="null"
config_wlp0s29u1u1="null"
config_br0="10.0.0.1/24"
routes_br0="default via 10.0.0.1"
rc_net_br0_need="net.enp1s0f0 net.wlp0s29u1u1 hostapd"
```
And everything works!
Now the only problem is that syslog-ng refuses to start during the boot process. Any idea?
Best regards,
Jimini
khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
Posted: Wed May 08, 2013 6:18 am Post subject:
> Jimini wrote: Now the only problem is that syslog-ng refuses to start during the boot process. Any idea?
Jimini ... syslog-ng has a conditional for 'need net':
```sh
depend() {
    # Make networking dependency conditional on configuration
    case $(sed 's/#.*//' /etc/syslog-ng/syslog-ng.conf) in
        *source*tcp*|*source*udp*|*destination*tcp*|*destination*udp*)
            need net
            use stunnel ;;
    esac
}
```
It's possible you have such a configuration and so 'need net' (which your new setup isn't providing). You could try the following:
/etc/rc.conf
```
rc_depend_strict="NO"
rc_syslog_ng_need="!net"
```
There are possibly other reasons why it might not start but the above would seem the most obvious.
best ... khay
Jimini l33t
Joined: 31 Oct 2006 Posts: 605 Location: Germany
Posted: Thu May 09, 2013 11:37 am Post subject:
khayyam, of course you are right. Thank you for your hint!
Now I would like to add another wireless network using the second wifi adapter. The configuration is similar to the first one, and I can join this second network without problems. But again, the client cannot reach anything, as described in my first posting in this thread.
My config:
```
config_enp3s0="dhcp"
dhcp_enp3s0="release nodns"
config_enp1s0f0="null"
config_enp1s0f1="null"
config_wlp0s29u1u1="null"
mode_wlp0s29u1u1="master"
modules_wlp0s29u1u1="!iwconfig !wpa_supplicant"
config_wlp0s29u1u2="null"
mode_wlp0s29u1u2="master"
modules_wlp0s29u1u2="!iwconfig !wpa_supplicant"
brctl_br0="stp br0 off"
bridge_br0="enp1s0f0 wlp0s29u1u1"
config_br0="10.0.0.1/24"
routes_br0="default via 10.0.0.1"
rc_net_br0_need="net.enp1s0f0 net.wlp0s29u1u1"
brctl_br1="stp br1 off"
bridge_br1="enp1s0f1 wlp0s29u1u2"
config_br1="10.0.0.3/24"
routes_br1="default via 10.0.0.1"
rc_net_br1_need="net.enp1s0f1 net.wlp0s29u1u2"
```
```
Aleph jimini # tcpdump -i br1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br1, link-type EN10MB (Ethernet), capture size 65535 bytes
13:30:51.439339 ARP, Request who-has 10.0.0.3 tell 10.0.0.101, length 28
13:30:52.439449 ARP, Request who-has 10.0.0.3 tell 10.0.0.101, length 28
13:30:53.456933 ARP, Request who-has 10.0.0.3 tell 10.0.0.101, length 28
13:30:54.455540 ARP, Request who-has 10.0.0.3 tell 10.0.0.101, length 28
13:30:55.455525 ARP, Request who-has 10.0.0.3 tell 10.0.0.101, length 28
13:30:58.472231 ARP, Request who-has 10.0.0.3 tell 10.0.0.101, length 28
[...]
```
I am convinced that it is only a very small mistake I made, but I simply can't find it.
Best regards,
Jimini
Jimini l33t
Joined: 31 Oct 2006 Posts: 605 Location: Germany
Posted: Thu May 09, 2013 8:52 pm Post subject:
Okay, I could partially solve the problem by myself: I simply connected the second NIC to the switch which connects the router with my network.
```
NIC2 (enp1s0f0)---br0---WLAN1 (wlp0s29u1u1)
        |                                 |
WAN---NIC1---Router--------------------------
        |                                 |
NIC3 (enp1s0f1)---br1---WLAN2 (wlp0s29u1u2)
```
Now the systems which connect to WLAN2 can ping local systems, too. But shouldn't that be possible without a physical connection between NIC3 and the switch? At the moment, the clients in WLAN2 cannot reach anything outside my network; I'm still trying to figure out why.
Best regards,
Jimini
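Added example, not code from the thread or from Gentoo's netifrc: a small linter for the bridge-related variables in a /etc/conf.d/net file. It reports the two patterns the thread turns on: a bridge member that still carries its own address or a `routes_` entry (the `routes_wlp0s29u1u1` line jamapii spotted), and two interfaces addressed inside the same subnet (config_enp1s0f0 and br0 in the first post, br0 and br1 in the last one), which leaves the kernel no unambiguous egress interface for that subnet. The function names `parse_net` and `lint_net` and the sample text are my own.

```python
import ipaddress
import re

# Added example: lint the bridge-related variables of a Gentoo /etc/conf.d/net
# file. Only key="value" lines are parsed; depend_*() functions are skipped.
# Checks: (1) a bridge member must be config_<iface>="null" and carry no
# routes_<iface>; (2) two interfaces must not be addressed in one subnet.
LINE = re.compile(r'^\s*([A-Za-z0-9_]+)="([^"]*)"\s*$')

def parse_net(text):
    """Return {variable: value} for every key="value" line; other lines are ignored."""
    return {m.group(1): m.group(2) for m in map(LINE.match, text.splitlines()) if m}

def lint_net(text):
    cfg = parse_net(text)
    problems = []
    # 1. The bridge interface owns the address and the routes; its members
    #    should be config_<iface>="null" with no routes_<iface> line.
    for key, members in cfg.items():
        if not key.startswith("bridge_"):
            continue
        br = key[len("bridge_"):]
        for iface in members.split():
            if cfg.get(f"config_{iface}", "null") != "null":
                problems.append(f"{iface} is a member of {br} but has its own config_{iface}")
            if f"routes_{iface}" in cfg:
                problems.append(f"routes_{iface} set on bridge member of {br}; put the route on {br}")
    # 2. Two interfaces addressed in overlapping subnets: the kernel cannot
    #    pick the egress interface for that subnet unambiguously.
    nets = []
    for key, value in cfg.items():
        if key.startswith("config_") and "/" in value:
            nets.append((key[len("config_"):], ipaddress.ip_interface(value).network))
    for i, (a, na) in enumerate(nets):
        for b, nb in nets[i + 1:]:
            if na.overlaps(nb):
                problems.append(f"{a} ({na}) and {b} ({nb}) share a subnet")
    return problems

# Constructed sample: the bridge-related lines of the first post's config.
FIRST_POST = '''
config_enp1s0f0="10.0.0.1/24"
routes_wlp0s29u1u1="default via 10.0.0.1"
bridge_br0="enp1s0f1 wlp0s29u1u1"
config_enp1s0f1="null"
config_wlp0s29u1u1="null"
config_br0="10.0.0.3/24"
'''
```

Running `lint_net(FIRST_POST)` reports both the stray route on wlp0s29u1u1 and the shared 10.0.0.0/24 between enp1s0f0 and br0; the corrected config from the third post reports nothing.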