- Session Start: Sat Jan 07 21:14:03 2012
- Session Ident: FennyFatal
- 01[Sat 21:14:08 pm] <GH0> Or I will just PM the whole thing to you.
- [Sat 21:14:15 pm] <FennyFatal> kk
- 01[Sat 21:14:29 pm] <GH0> I have a WRT350N which is the gateway router. This router works perfectly. Connected to Port 3, I have a secondary router, configured using the Wireless Access Point wiki guide, and the Multiple SSID's wiki guide.
- [Sat 21:14:55 pm] <FennyFatal> Okay, and what is the issue you are seeing?
- 01[Sat 21:15:00 pm] <GH0> The Primary Router has a 10.10.10.1 and the wap has a 10.10.10.2 IP address, with the secondary SSID having a 10.10.11.1 address.
- [Sat 21:15:14 pm] <FennyFatal> okay.
- 01[Sat 21:15:19 pm] <GH0> HTTP Traffic isn't being passed through.
- 01[Sat 21:15:35 pm] <GH0> However, I get an IP address under the .11.* address
- [Sat 21:15:44 pm] <FennyFatal> okay, what can you ping?
- [Sat 21:16:21 pm] <FennyFatal> Also, is DNS resolving?
- 01[Sat 21:16:42 pm] <GH0> I can't ping anything, and DNS doesn't seem to be resolving.
- 01[Sat 21:17:01 pm] <GH0> When I ping, I just receive a
- 01[Sat 21:17:07 pm] <GH0> Destination Host Unreachable
- [Sat 21:17:22 pm] <FennyFatal> okay, can you ping the 10.10.11.1? but not 10.10.10.1?
- 01[Sat 21:18:09 pm] <GH0> No. If I ping 11.1 it times out the request. If I ping 10.1 it responds with "Destination Host Unreachable"
- 01[Sat 21:18:17 pm] <GH0> Also, here is my firewall script:
- 01[Sat 21:18:18 pm] <GH0> iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
- 01[Sat 21:18:18 pm] <GH0> iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
- 01[Sat 21:18:18 pm] <GH0> iptables -I INPUT -i br1 -m state --state NEW -j DROP
- 01[Sat 21:18:18 pm] <GH0> iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
- 01[Sat 21:18:18 pm] <GH0> iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
- 01[Sat 21:18:18 pm] <GH0> iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
- [Sat 21:19:34 pm] <FennyFatal> Okay, So let's get it working without the firewall script first.
- 01[Sat 21:20:26 pm] <GH0> Alright, removed the interfaces
- 01[Sat 21:20:28 pm] <GH0> Err
- 01[Sat 21:20:30 pm] <GH0> Firewall script.
- [Sat 21:21:01 pm] <FennyFatal> okay, in fact disable the spi firewall completely.
- 01[Sat 21:21:07 pm] <GH0> It is disabled.
- [Sat 21:21:11 pm] <FennyFatal> kk
- [Sat 21:21:57 pm] <FennyFatal> now, what pings work?
- 01[Sat 21:22:00 pm] <GH0> I can ping 10.10.11.1 now though, however, I still can't ping anything outside that.
- [Sat 21:22:16 pm] <FennyFatal> okay, that is better.
- [Sat 21:23:29 pm] <FennyFatal> now, what are your bridging settings?
- 01[Sat 21:25:13 pm] <GH0> http://i.imgur.com/BkV0z.png
- [Sat 21:28:00 pm] <FennyFatal> 10.10.10.1 is the DNS server?
- [Sat 21:28:08 pm] <FennyFatal> does it run a valid DNS server?
- 01[Sat 21:28:17 pm] <GH0> It has pixelserv running on it.
- [Sat 21:28:21 pm] <FennyFatal> kk
- 01[Sat 21:28:45 pm] <GH0> However, I don't think it is caching anything from an authoritative DNS server.
- 01[Sat 21:28:54 pm] <GH0> Even then, I can't ping yahoo's IP Address.
- [Sat 21:29:07 pm] <FennyFatal> right so we still have a routing issue.
- [Sat 21:32:12 pm] <FennyFatal> Okay, so it should come down to the iptables entries now.
- [Sat 21:32:48 pm] <FennyFatal> We need to see why it was blocking you from accessing 10.10.11.1
- 01[Sat 21:33:09 pm] <GH0> Well, I know that I require these: iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
- 01[Sat 21:33:09 pm] <GH0> iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
- 01[Sat 21:33:18 pm] <GH0> As DHCP is disabled, and WAN is also disabled.
- [Sat 21:33:23 pm] <FennyFatal> Refollow the guide but leave out all of the drop rules.
- 01[Sat 21:33:48 pm] <GH0> Alright
- [Sat 21:33:55 pm] <FennyFatal> For the Restricting Access Section.
- [Sat 21:34:19 pm] <FennyFatal> oh, and btw, does the SSID for 10.10.10.2 work correctly?
- [Sat 21:34:31 pm] <FennyFatal> if not there is more to be done.
- 01[Sat 21:34:52 pm] <GH0> Yes, I believe so. Was on it earlier, but, it's a Wireless Extender of the primary Access Point.
- 01[Sat 21:35:06 pm] <GH0> So, it can be hard to tell which one I am on sometimes.
- [Sat 21:35:13 pm] <FennyFatal> right...
- [Sat 21:35:39 pm] <FennyFatal> Well, if we have to we can switch that to be a new SSID just to test.
- 01[Sat 21:35:57 pm] <GH0> So, I tried pinging the yahoo IP.
- [Sat 21:35:57 pm] <FennyFatal> But let's try redoing the iptables first.
- [Sat 21:36:08 pm] <FennyFatal> and?
- 01[Sat 21:36:10 pm] <GH0> 2 Destination Host Unreachable, 2 Request Timed outs.
- 01[Sat 21:36:22 pm] <GH0> I can still ping 10.10.11.1
- [Sat 21:36:31 pm] <FennyFatal> can you ping 10.10.10.1?
- 01[Sat 21:36:33 pm] <GH0> And I still can't ping 10.10.10.1
- [Sat 21:36:36 pm] <FennyFatal> kk
- 01[Sat 21:36:44 pm] <GH0> 10.10.10.1 - request timed out
- 01[Sat 21:37:05 pm] <GH0> And one destination host unreachable.
- 01[Sat 21:37:30 pm] <GH0> Hm, I wonder what would happen if I were to set a static DNS on the client.
- [Sat 21:37:57 pm] <FennyFatal> if you can't talk to 10.10.10.1 you won't get out to the internet.
- 01[Sat 21:38:18 pm] <GH0> Or, it would help if I disabled the static IP address on the wireless device.
- 01[Sat 21:38:19 pm] <GH0> :\
- [Sat 21:38:47 pm] <FennyFatal> hmm, so we don't know if it is getting one on its own?
- [Sat 21:38:57 pm] <FennyFatal> yeah, reconnect with DNS on.
- 01[Sat 21:39:04 pm] <GH0> No, I do now. It isn't. It thinks the DNS server is 10.10.11.1
- [Sat 21:39:05 pm] <FennyFatal> er DHCP
- [Sat 21:39:25 pm] <FennyFatal> okay, that is interesting...
- [Sat 21:42:24 pm] <FennyFatal> just for fun replace the dhcp-option line with "dhcp-option=br1,6,8.8.8.8,8.8.4.4"
- [Sat 21:42:56 pm] <FennyFatal> er... add that line
- 01[Sat 21:43:02 pm] <GH0> Yeah. :)
- 01[Sat 21:43:59 pm] <GH0> It recognizes 8.8.8.8 and 10.10.10.1 as its DNS servers now.
- 01[Sat 21:44:03 pm] <GH0> However, I still can't ping anything.
- [Sat 21:44:25 pm] <FennyFatal> well, the DNS thing should be resolved as soon as we resolve the routing issue.
- [Sat 21:45:53 pm] <FennyFatal> this : should be the important line in question: iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
- 01[Sat 21:46:14 pm] <GH0> That is the first line in the firewall script.
- [Sat 21:47:15 pm] <FennyFatal> What are the lines now?
- 01[Sat 21:47:21 pm] <GH0> iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
- 01[Sat 21:47:21 pm] <GH0> iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
- 01[Sat 21:47:21 pm] <GH0> iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
- 01[Sat 21:47:21 pm] <GH0> iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
- 01[Sat 21:47:36 pm] <GH0> Not sure if I really need the last three lines.
- [Sat 21:47:45 pm] <FennyFatal> add these too:
- [Sat 21:47:50 pm] <FennyFatal> iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
- [Sat 21:47:50 pm] <FennyFatal> iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
- [Sat 21:49:13 pm] <FennyFatal> and the last three only override the block setting we don't have in there at the moment.
- 01[Sat 21:49:27 pm] <GH0> No, still can't ping yahoo by IP
- 01[Sat 21:49:39 pm] <GH0> and can't ping 10.10.10.1
- [Sat 21:49:53 pm] <FennyFatal> Okay, let's test the other AP. make it new, and not repeat.
- 01[Sat 21:49:55 pm] <GH0> Combination of Request Timed Out, and Destination Host Unreachable for both.
- [Sat 21:49:59 pm] <FennyFatal> see if that is working.
- [Sat 21:51:53 pm] <FennyFatal> Okay... SSH into the router, and run dmesg to see if it is giving us any good information.
- 01[Sat 21:51:57 pm] <GH0> Yep, if I switch it over to SSID-Test and disable WPA2, it pings 10.10.10.1 fine
- [Sat 21:52:04 pm] <FennyFatal> hood.
- [Sat 21:52:07 pm] <FennyFatal> *good
- 01[Sat 21:54:05 pm] <GH0> http://pastebin.com/1nniZ2Ar
- [Sat 21:55:34 pm] <FennyFatal> Looks like the vlan is going up and down repeatedly, that might account for the two different errors we are getting.
- [Sat 21:56:00 pm] <FennyFatal> were there any time stamps?
- 01[Sat 21:56:02 pm] <GH0> I didn't mess with anything under the Vlan tab
- 01[Sat 21:56:12 pm] <GH0> Nope, that is the full output of dmesg straight from ssh
- [Sat 21:59:02 pm] <FennyFatal> Hmm, you have two vlans?
- [Sat 21:59:24 pm] <FennyFatal> nvm just being crazy
- 01[Sat 21:59:31 pm] <GH0> Everything under the Vlan tab is set to stock.
- 01[Sat 21:59:49 pm] <GH0> 10
- 01[Sat 21:59:55 pm] <GH0> Well.. that didn't copy and paste...
- 01[Sat 21:59:58 pm] <GH0> http://i.imgur.com/FGoWl.png
- [Sat 22:02:26 pm] <FennyFatal> If this works... remove the comments from your DNSMasq settings.
- 01[Sat 22:02:41 pm] <GH0> Already did that too.
- [Sat 22:02:44 pm] <FennyFatal> kk
- 01[Sat 22:02:50 pm] <GH0> I thought that might have been an issue.
- [Sat 22:07:26 pm] <FennyFatal> Grr everything looks right to me...
- [Sat 22:07:45 pm] <FennyFatal> these are at the beginning of your iptables scripts right?
- [Sat 22:07:48 pm] <FennyFatal> iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
- [Sat 22:07:50 pm] <FennyFatal> iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
- 01[Sat 22:08:10 pm] <GH0> Yep
- 01[Sat 22:08:40 pm] <GH0> This is the same problem I had at some point. Everything was working fine. Went to go connect, bam didn't work. So I thought starting from a new build and scratch would help.
- 01[Sat 22:08:52 pm] <GH0> iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
- 01[Sat 22:08:52 pm] <GH0> iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
- 01[Sat 22:08:52 pm] <GH0> iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
- 01[Sat 22:08:52 pm] <GH0> iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
- 01[Sat 22:08:52 pm] <GH0> iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
- 01[Sat 22:08:52 pm] <GH0> iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
- 01[Sat 22:09:01 pm] <GH0> Bah
- 01[Sat 22:09:07 pm] <GH0> Copy and paste isn't wanting to work with me today.
- 01[Sat 22:09:11 pm] <GH0> http://pastebin.com/dS7VvZr6
- 01[Sat 22:11:52 pm] <GH0> And yes, this router DOES support multiple wireless SSIDs. It has a corerev of 7. ;)
- [Sat 22:11:58 pm] <FennyFatal> kk
- [Sat 22:12:03 pm] <FennyFatal> :D
- [Sat 22:12:33 pm] <FennyFatal> Let me add a vwlan to one of the two bridged ones I have on my network, and see if I can recreate your issue.
- 01[Sat 22:35:11 pm] <GH0> I wonder if I should try using a lan port instead of the wan port.
- [Sat 22:35:29 pm] <FennyFatal> can't hurt.
- 01[Sat 22:36:42 pm] <GH0> Would the firewall script stay the same? Since the third line is for the WAN port, I think
- 01[Sat 22:46:22 pm] <GH0> Hm, didn't change anything.