Mark

wireless access point not quite working on Linux

I have the following /etc/rc.d/rc.inet1.conf:
# Internet facing interface
IPADDR[0]=""
NETMASK[0]=""
USE_DHCP[0]="yes"
DHCP_HOSTNAME[0]=""

# This is the LAN interface
IPADDR[1]="192.168.0.1"
NETMASK[1]="255.255.255.0"
USE_DHCP[1]=""
DHCP_HOSTNAME[1]=""

# Config information for wlan0:
IFNAME[2]="wlan0"
IPADDR[2]="192.168.0.128"
NETMASK[2]="255.255.255.0"
USE_DHCP[2]=""
DHCP_HOSTNAME[2]=""

I have the following hostapd.conf:
interface=wlan0
driver=nl80211
ssid=ALLUNEEDIZLUV
hw_mode=g
channel=11
wpa=1
wpa_passphrase=mypass
wpa_key_mgmt=WPA-PSK

and the following dhcpd.conf:
authoritative;
option domain-name "alluneedizluv.local";
ddns-update-style none;

subnet 192.168.0.0 netmask 255.255.255.128 {
    option routers 192.168.0.1;
    range 192.168.0.100 192.168.0.127;
    option domain-name-servers 209.18.47.61, 209.18.47.62;
}

subnet 192.168.0.128 netmask 255.255.255.128 {
    option routers 192.168.0.128;
    range 192.168.0.129 192.168.0.254;
    option domain-name-servers 209.18.47.61, 209.18.47.62;
}

host rover {
  hardware ethernet 44:1E:A1:C8:E8:9B;
  fixed-address 192.168.0.102;
}

I have the following iptables settings:
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT
iptables --append FORWARD --in-interface wlan0 -j ACCEPT

I start dhcp as: dhcpd eth1 wlan0

The wired interfaces have worked for some time. The wireless is recent. Everything *appears* to work with the wireless. I can see the ALLUNEEDIZLUV SSID from iPad and Android, and I can connect to them successfully. I see the connection and DHCP address assignment in /var/log/messages.

But, I can't connect to the Internet from these devices. Something must be wrong. I have a feeling it is in my iptables settings, but not sure. What am I doing wrong?
Julian Parker

Do you have forwarding enabled in the sysctl.conf?
Mark

ASKER

yes:

$ cat /etc/sysctl.conf
net.ipv4.ip_forward = 1

The issue is that on the wifi side, there is no path to 192.168.0.1 and/or a request might go out, but the response is being directed by iptables through eth0 instead of wlan0.

Either use two separate segments and have the iptables entries dealing with traffic originating from wlan0 NAT output through eth1 and then have an entry on the filter forward side dealing with wlan0 segment being directed to wlan0 similar to a rule dealing with eth0 and the 192.168.0.0 segment.
Mark

ASKER

As I mentioned elsewhere, I'm no iptables guru. I currently have:

iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT
iptables --append FORWARD --in-interface wlan0 -j ACCEPT

I basically monkey-typed the 1st two entries from a router-HOWTO I found on the web -- and that worked -- and I simply cloned the eth1 line to make the wlan0. This was a guess on my part.

Could you send me what you think should be the right configuration and I'll give it a shot? eth0 is the Internet interface to the cable modem. eth1 is the interface to the LAN switch and wlan0 is also for the LAN.

THX

The forward packet will match the first, presumably the eth1, rule and route all traffic there.
Multi segment

The use of multiple segments will mean that you will add the IP segment to the check, i.e.:
iptables --append FORWARD --in-interface eth1 -d 192.168.0.0/24 -j ACCEPT
iptables --append FORWARD -d 192.168.1.0/24 --in-interface wlan0 -j ACCEPT

Switch the wireless to the other segment and then you can try positioning the wlan0 with the destination IP segment above the eth0 entry.
Mark

ASKER

Hmmm, won't using 192.168.1. totally foop up my dhcp config?

subnet 192.168.0.0 netmask 255.255.255.128 {
    option routers 192.168.0.1;
    range 192.168.0.100 192.168.0.127;
    option domain-name-servers 209.18.47.61, 209.18.47.62;
}

subnet 192.168.0.128 netmask 255.255.255.128 {
    option routers 192.168.0.128;
    range 192.168.0.129 192.168.0.254;
    option domain-name-servers 209.18.47.61, 209.18.47.62;
}

What if I stuck with that subnetting and did:

iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -d 192.168.0.0/25 -j ACCEPT
iptables --append FORWARD --in-interface wlan0 -d 192.168.0.128/25 -j ACCEPT

Would that be the same idea as what you are describing, but with something matching my dhcp subnets?

Also, your example didn't mention the iptables setting for eth0 (the Internet interface). Is that because the one I have is OK?

I'll hold off trying this until I get some feedback. THX
SOLUTION
arnold

This solution is only available to members.
Mark

ASKER

I modified the iptables commands as shown in my posting ID: 39264367. That didn't work at all. eth0 was unable to get a DHCP IP from the cable modem and I had no connection to the Internet. I reverted back to:

iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT
iptables --append FORWARD --in-interface wlan0 -j ACCEPT

but I did change the ranges per your advice:

/etc/dhcpd.conf (partial):
subnet 192.168.0.0 netmask 255.255.255.128 {
    option routers 192.168.0.1;
    range 192.168.0.100 192.168.0.126;
    option domain-name-servers 209.18.47.61, 209.18.47.62;
}

subnet 192.168.0.128 netmask 255.255.255.128 {
    option routers 192.168.0.129;
    range 192.168.0.130 192.168.0.254;
    option domain-name-servers 209.18.47.61, 209.18.47.62;
}

/etc/rc.d/rc.inet1.conf:
# Config information for eth0:
# This is the Internet interface and is the built-in NIC
IPADDR[0]=""
NETMASK[0]=""
USE_DHCP[0]="yes"
DHCP_HOSTNAME[0]=""

# Config information for eth1:
# This is the LAN interface and is the add-in card
IPADDR[1]="192.168.0.1"
NETMASK[1]="255.255.255.128"
USE_DHCP[1]=""
DHCP_HOSTNAME[1]=""

# Config information for wlan0:
IFNAME[2]="wlan0"
IPADDR[2]="192.168.0.129"
NETMASK[2]="255.255.255.128"
USE_DHCP[2]=""
DHCP_HOSTNAME[2]=""

Note the change of the wlan0 IP to 192.168.0.129 versus 128.

That must have been the problem. As soon as I restarted everything with the new IP for wlan0 I was able to have wireless devices connect!!!!!!!!!!

Thanks - I'll leave this open over the weekend (leaving town) in case you can see what I did wrong on the iptables commands.
Since it works, that is great.
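
An added example, not part of the original thread: a Python check that compares the rc.inet1.conf and dhcpd.conf addressing posted above, before and after the change, and reports overlapping interface networks plus router or range addresses that fall on a subnet's network or broadcast address. The function name `audit` and the tuple layout are assumptions of this example; the addresses are the ones posted in the thread.

```python
import ipaddress

# Values copied from the thread: (ip, netmask) per interface from rc.inet1.conf,
# (network, netmask, router, range_start, range_end) per subnet from dhcpd.conf.
ORIGINAL_IFACES = {"eth1": ("192.168.0.1", "255.255.255.0"),
                   "wlan0": ("192.168.0.128", "255.255.255.0")}
ORIGINAL_SUBNETS = [
    ("192.168.0.0", "255.255.255.128", "192.168.0.1", "192.168.0.100", "192.168.0.127"),
    ("192.168.0.128", "255.255.255.128", "192.168.0.128", "192.168.0.129", "192.168.0.254"),
]
REVISED_IFACES = {"eth1": ("192.168.0.1", "255.255.255.128"),
                  "wlan0": ("192.168.0.129", "255.255.255.128")}
REVISED_SUBNETS = [
    ("192.168.0.0", "255.255.255.128", "192.168.0.1", "192.168.0.100", "192.168.0.126"),
    ("192.168.0.128", "255.255.255.128", "192.168.0.129", "192.168.0.130", "192.168.0.254"),
]


def audit(interfaces, subnets):
    """Return a list of human-readable addressing problems (empty if none)."""
    findings = []
    ifaces = {name: ipaddress.ip_interface(f"{ip}/{mask}")
              for name, (ip, mask) in interfaces.items()}
    names = sorted(ifaces)
    # Two interfaces on overlapping networks give the kernel two connected
    # routes for the same hosts, so replies can leave by the wrong interface.
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ifaces[a].network.overlaps(ifaces[b].network):
                findings.append(f"{a} ({ifaces[a].network}) overlaps {b} ({ifaces[b].network})")
    for net, mask, router, lo, hi in subnets:
        subnet = ipaddress.ip_network(f"{net}/{mask}")
        reserved = {subnet.network_address, subnet.broadcast_address}
        gw = ipaddress.ip_address(router)
        # The gateway handed to clients must be a usable host inside the subnet.
        if gw not in subnet or gw in reserved:
            findings.append(f"router {router} is not a usable host in {subnet}")
        # A lease for the network or broadcast address cannot work for a client.
        for edge in (lo, hi):
            if ipaddress.ip_address(edge) in reserved:
                findings.append(f"range endpoint {edge} is reserved in {subnet}")
    return findings


if __name__ == "__main__":
    for label, i, s in (("original", ORIGINAL_IFACES, ORIGINAL_SUBNETS),
                        ("revised", REVISED_IFACES, REVISED_SUBNETS)):
        print(label, audit(i, s) or "no findings")
```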
ASKER CERTIFIED SOLUTION
This solution is only available to members.
Mark

ASKER

I've posted the complete solution in my final post.