Gentoo Forums
Gentoo wifi hotspot -> "destination host unreachable"
Forum: Networking & Security
Jimini
l33t


Joined: 31 Oct 2006
Posts: 601
Location: Germany

Posted: Mon May 06, 2013 5:16 pm    Post subject: Gentoo wifi hotspot -> "destination host unreachable"

Hey there,

During the last few days I tried to set up a Gentoo-based wifi hotspot using hostapd, dhcpd, iptables and two wifi USB adapters (TP-Link TL-WN821N). I set up hostapd and dhcpd, and they seem to work, since I am able to connect to the wireless network. The client gets its IP address, but it is not able to ping or reach anything inside or outside my local net ("Destination Host Unreachable"). Since iptables does not log any drops or rejects, I have no idea what the reason for this behavior could be.

This is my config:

hostapd (2.0):
Code:
interface=wlp0s29u1u1
bridge=br0
driver=nl80211
logger_syslog=-1
logger_syslog_level=0
logger_stdout=-1
logger_stdout_level=2
dump_file=/tmp/hostapd.dump
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
ssid=Test-AP
utf8_ssid=1
country_code=DE
ieee80211d=1
hw_mode=g
channel=6
beacon_int=100
dtim_period=2
max_num_sta=255
rts_threshold=2347
fragm_threshold=2346
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wmm_enabled=1
wmm_ac_bk_cwmin=4
wmm_ac_bk_cwmax=10
wmm_ac_bk_aifs=7
wmm_ac_bk_txop_limit=0
wmm_ac_bk_acm=0
wmm_ac_be_aifs=3
wmm_ac_be_cwmin=4
wmm_ac_be_cwmax=10
wmm_ac_be_txop_limit=0
wmm_ac_be_acm=0
wmm_ac_vi_aifs=2
wmm_ac_vi_cwmin=3
wmm_ac_vi_cwmax=4
wmm_ac_vi_txop_limit=94
wmm_ac_vi_acm=0
wmm_ac_vo_aifs=2
wmm_ac_vo_cwmin=2
wmm_ac_vo_cwmax=3
wmm_ac_vo_txop_limit=47
wmm_ac_vo_acm=0
eapol_key_index_workaround=0
wpa=2
wpa_passphrase=secretsecretpassphrase
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
rsn_pairwise=CCMP
wpa_group_rekey=600
wpa_gmk_rekey=86400
wpa_ptk_rekey=600
rsn_preauth=1
rsn_preauth_interfaces=wlp0s29u1u1


/etc/conf.d/net:
Code:
config_enp3s0="dhcp"
dhcp_enp3s0="release nodns"
config_enp1s0f0="10.0.0.1/24"
mode_wlp0s29u1u1="master"
modules_wlp0s29u1u1="!iwconfig !wpa_supplicant"
routes_wlp0s29u1u1="default via 10.0.0.1"
config_wlp0s29u1u2="10.0.1.61/24"
mode_wlp0s29u1u2="master"
modules_wlp0s29u1u2="!iwconfig !wpa_supplicant"
brctl_br0="stp br0 off"
bridge_br0="enp1s0f1 wlp0s29u1u1"
config_enp1s0f1="null"
config_wlp0s29u1u1="null"
config_br0="10.0.0.3/24"


dhcpd (4.2.5_p1):
Code:
subnet 10.0.0.0 netmask 255.255.255.0 {
        range 10.0.0.101 10.0.0.200;
        default-lease-time 259200;
        max-lease-time 518400;
        option subnet-mask 255.255.255.0;
        option broadcast-address 10.0.0.255;
        option routers 10.0.0.1;
        option domain-name-servers 10.0.0.1;
        allow unknown-clients;
}


iptables (1.4.16.3) (shortened):
Code:
#!/bin/sh
echo "1" > /proc/sys/net/ipv4/conf/all/arp_filter
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "0" > /proc/sys/net/ipv4/conf/all/log_martians
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "1" > /proc/sys/net/ipv4/ip_forward

iptables -F
iptables -t nat -F
iptables -t mangle -F

lan="enp1s0f0"
wlan1="wlp0s29u1u1"
wlan2="wlp0s29u1u2"
wan="enp3s0"
intern=10.0.0.0/24

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT

iptables -A FORWARD -s $intern -i $lan -o $wan -j ACCEPT
iptables -A FORWARD -s $intern -i $wlan1 -o $wan -j ACCEPT
iptables -A FORWARD -s $intern -i br0 -o $wan -j ACCEPT

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE

### DHCP
iptables -A INPUT -i br0 -p udp --sport 68 --dport 67 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i $lan -p udp --sport 68 --dport 67 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i $wlan1 -p udp --sport 68 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i $wan -p udp --dport 68 -j REJECT
iptables -A OUTPUT -o $lan -d $intern -p udp --dport 68 -m conntrack --ctstate NEW -j ACCEPT

### ICMP
iptables -A INPUT -p icmp -s $intern -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p icmp ! -s $intern -j DROP
iptables -A OUTPUT -p icmp -j ACCEPT

iptables -A FORWARD -j LOG --log-prefix "REJECTED_FORWARD: " --log-level=5
iptables -A FORWARD -j REJECT
iptables -A OUTPUT -j LOG --log-prefix "REJECTED_OUTPUT: " --log-level=5
iptables -A OUTPUT -j REJECT
iptables -A INPUT -i $wan -j REJECT
iptables -A INPUT -j LOG --log-prefix "REJECTED_INPUT: " --log-level=5
iptables -A INPUT -j REJECT


And finally the log entries, when a client connects:
Code:
May  6 19:13:50 Aleph hostapd: wlp0s29u1u1: STA 00:0e:35:51:db:5e IEEE 802.11: authenticated
May  6 19:13:50 Aleph hostapd: wlp0s29u1u1: STA 00:0e:35:51:db:5e IEEE 802.11: associated (aid 1)
May  6 19:13:50 Aleph hostapd: wlp0s29u1u1: STA 00:0e:35:51:db:5e RADIUS: starting accounting session 51873C85-00000001
May  6 19:13:50 Aleph hostapd: wlp0s29u1u1: STA 00:0e:35:51:db:5e WPA: pairwise key handshake completed (RSN)
May  6 19:13:50 Aleph dhcpd: DHCPDISCOVER from 00:0e:35:51:db:5e (Nyx) via br0
May  6 19:13:51 Aleph dhcpd: DHCPOFFER on 10.0.0.101 to 00:0e:35:51:db:5e (Nyx) via br0
May  6 19:13:52 Aleph dhcpd: Wrote 3 leases to leases file.
May  6 19:13:52 Aleph dhcpd: DHCPREQUEST for 10.0.0.101 (10.0.0.3) from 00:0e:35:51:db:5e (Nyx) via br0
May  6 19:13:52 Aleph dhcpd: DHCPACK on 10.0.0.101 to 00:0e:35:51:db:5e (Nyx) via br0


Any help would be REALLY appreciated.

Best regards,
Jimini
_________________
"The most merciful thing in the world, I think, is the inability of the human mind to correlate all its contents." (H.P. Lovecraft: The Call of Cthulhu)
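A check worth running against the ruleset above, added here as an example (it is not code from the thread; the sample rules are constructed from the first post's script with its shell variables expanded): once hostapd has put wlp0s29u1u1 into br0, netfilter identifies packets from wireless clients by the bridge device, so the "-i $wlan1" rules in the INPUT and FORWARD chains can never match and only the "-i br0" rules do any work. The function below reads iptables-save output and prints every rule that names a bridge port with -i or -o. The port list used in the demo is assumed to be the one from bridge_br0="enp1s0f1 wlp0s29u1u1".

```shell
#!/bin/sh
# Added example, not part of the thread: flag firewall rules that match on a
# bridge *port* with -i/-o. Once an interface is enslaved to a bridge, the
# INPUT/FORWARD/OUTPUT chains see the bridge device (br0) as the interface,
# so a rule written against the port name (wlp0s29u1u1) never matches; only
# "-m physdev --physdev-in" can see the port. Input is iptables-save output.

# Constructed sample: the relevant lines of the first post's ruleset the way
# iptables-save prints them once the shell variables are expanded.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -p udp -m udp --sport 68 --dport 67 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i enp1s0f0 -p udp -m udp --sport 68 --dport 67 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i wlp0s29u1u1 -p udp -m udp --sport 68 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -s 10.0.0.0/24 -i enp1s0f0 -o enp3s0 -j ACCEPT
-A FORWARD -s 10.0.0.0/24 -i wlp0s29u1u1 -o enp3s0 -j ACCEPT
-A FORWARD -s 10.0.0.0/24 -i br0 -o enp3s0 -j ACCEPT
COMMIT'

# dead_port_rules PORT... < iptables-save-output
# Prints every rule whose -i or -o names one of the given bridge ports.
dead_port_rules() {
    awk -v ports="$*" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) port[p[i]] = 1 }
        /^-A / {
            for (i = 1; i < NF; i++)
                if (($i == "-i" || $i == "-o") && ($(i + 1) in port)) { print; next }
        }'
}

# count_dead_port_rules PORT... < iptables-save-output
# The same check as a number, so a deploy script can fail when it is not 0.
count_dead_port_rules() {
    dead_port_rules "$@" | wc -l | tr -d ' '
}

# Demo against the ports of br0 from the first post's /etc/conf.d/net
# (bridge_br0="enp1s0f1 wlp0s29u1u1"). On the live router you would run:
#   iptables-save | dead_port_rules $(ls /sys/class/net/br0/brif)
printf '%s\n' "$SAMPLE_RULES" | dead_port_rules enp1s0f1 wlp0s29u1u1
```

If wireless and wired clients on the same bridge really must be treated differently, the rule has to use the physdev match (-m physdev --physdev-in wlp0s29u1u1), which needs bridge netfilter support in the kernel; otherwise the simplest fix is to drop the per-port rules and keep only the br0 ones.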
Aiken
Apprentice


Joined: 22 Jan 2003
Posts: 239
Location: Toowoomba/Australia

Posted: Tue May 07, 2013 12:30 am

First thing: as you are using udev names (wlp0s29u1u1) for the interfaces instead of kernel names (wlan0), keep in mind that something as simple as moving the USB wifi adaptors to different USB ports will break hostapd and your script, since udev will give the adaptors new names when they are moved.

I have not worked out what the 2nd wifi adaptor in your setup is for. I have 2 always-on machines acting as access points. On the machine with a static IP, its /etc/conf.d/net is:

Code:

config_eth0="null"
config_eth1="null"
bridge_br0="eth0 eth1"
config_br0="172.16.31.1/24"
routes_br0="default via 172.16.31.254"

depend_br0() {
   need net.eth0 net.eth1
}


Hostapd adds wlan0 to the bridge when it starts so I do nothing about configuring wlan0. The router is separate and it handles the firewall rules. As hostapd adds wlan0 to the bridge this is enough for client machines to connect to the access point and have access to the network.

A 3rd access point I sometimes start is for when I want to use my eeepc as an ap with my phone acting as a 3g modem. If I want to change from desktop type use to access point I use this script.

Code:

#!/bin/bash

# stop the desktop and the desktop network manager
/etc/init.d/xdm stop
/etc/init.d/wicd stop
modprobe ath5k
rfkill unblock all

killall wpa_supplicant

# wait until the wifi interface can be brought up
while true
do
   if ifconfig wlan0 0.0.0.0 up
   then
      break
   fi
   sleep 1
done

#echo nameserver 127.0.0.1 > /etc/resolv.conf

# stand-alone AP address (no bridge on this machine)
ifconfig wlan0 10.45.0.1/24
/etc/init.d/hostapd -D start
/etc/init.d/sshd -D start
/etc/init.d/dhcpd -D start
/etc/init.d/named -D start

sysctl net.ipv4.ip_forward=1

# flush everything and start from empty filter and nat tables
iptables -F
iptables -X
iptables -F -t nat
iptables -X -t nat

# NAT the clients out through the 3g modem (ppp0) or the wired uplink (eth0)
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# only reply traffic is accepted from the modem side
iptables -A INPUT -i ppp0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i ppp0 -j DROP
iptables -A FORWARD -i ppp0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i ppp0 -j DROP

./wvdial


This kills KDE and the current networking, then starts up just the services I want, giving me an access point with a simple firewall. I suggest starting with something simpler than what you have and, once that is working, adding to it.

Still not sure what your 2nd wifi adaptor is for, but something that can sometimes be useful is to use one wifi adaptor to connect to an existing access point and start hostapd on the other. I have done that a few times with the eeepc to temporarily extend the wireless range. That eeepc also spends time providing a wireless link back to the main network for an isolated wired network.
_________________
Beware the grue.
Jimini
l33t


Joined: 31 Oct 2006
Posts: 601
Location: Germany

Posted: Tue May 07, 2013 4:10 am

Aiken,

thank you for your reply.
1) The router normally works completely "untouched", so it runs 24/7 without any interaction. Given that, how I name the adapters should be no problem.
2) At the moment, the second adapter is not in use. It is plugged in, but I don't use it. In the future, I would like to create a second wireless network with this adapter.

If I get you right, it looks as if you leave the wifi adapters completely unconfigured, right? So you bridge eth0 and eth1 and add wlan0 to this bridge afterwards via hostapd?

Best regards,
Jimini
Aiken
Apprentice


Joined: 22 Jan 2003
Posts: 239
Location: Toowoomba/Australia

Posted: Tue May 07, 2013 5:43 am

With the machines that act as access points I leave the wifi unconfigured. Hostapd configures wlan0 and adds it to br0 for me. Based on your first post you already have the appropriate line, "bridge=br0", in hostapd.conf. I have the net.br0 -> net.lo symlink and net.br0 in /etc/runlevels/default.

When setting up an access point, the only machine on which I do anything with wlan0 is the eeepc with the above script, and that is only because wlan0 will be stand-alone and not part of a bridge.

Also have a look at the ieee80211n=1 option to enable N speeds. I think by default the max is 802.11g without that option.

The problem is not how you name the adaptors. The problem is if the adaptors get moved to other usb slots then udev will rename them for you.
jamapii
l33t


Joined: 16 Sep 2004
Posts: 637

Posted: Tue May 07, 2013 11:04 pm

It seems to me the line

routes_wlp0s29u1u1="default via 10.0.0.1"

should not be there.
Jimini
l33t


Joined: 31 Oct 2006
Posts: 601
Location: Germany

Posted: Wed May 08, 2013 6:06 am

Aiken and jamapii, thank you for your replies which helped me to get back on the track.

I changed my net-config as follows:
Code:
config_enp3s0="dhcp"
dhcp_enp3s0="release nodns"
mode_wlp0s29u1u1="master"
modules_wlp0s29u1u1="!iwconfig !wpa_supplicant"
config_wlp0s29u1u2="10.0.1.61/24"
mode_wlp0s29u1u2="master"
modules_wlp0s29u1u2="!iwconfig !wpa_supplicant"
brctl_br0="stp br0 off"
bridge_br0="enp1s0f0 wlp0s29u1u1"
config_enp1s0f0="null"
config_wlp0s29u1u1="null"
config_br0="10.0.0.1/24"
routes_br0="default via 10.0.0.1"
rc_net_br0_need="net.enp1s0f0 net.wlp0s29u1u1 hostapd"


And everything works!

Now the only problem is that syslog-ng refuses to start during the boot process. Any idea?

Best regards,
Jimini
khayyam
Watchman


Joined: 07 Jun 2012
Posts: 6227
Location: Room 101

Posted: Wed May 08, 2013 6:18 am

Jimini wrote:
Now the only problem is that syslog-ng refuses to start during the boot process. Any idea?

Jimini ... syslog-ng has a conditional for 'need net':

Code:
depend() {
   # Make networking dependency conditional on configuration
   case $(sed 's/#.*//' /etc/syslog-ng/syslog-ng.conf) in
      *source*tcp*|*source*udp*|*destination*tcp*|*destination*udp*)
         need net
         use stunnel ;;
   esac
}

It's possible you have such a configuration and so 'need net' (which your new setup isn't providing). You could try the following:

/etc/rc.conf
Code:
rc_depend_strict="NO"
rc_syslog_ng_need="!net"

There are possibly other reasons why it might not start but the above would seem the most obvious.

best ... khay
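To see what that conditional does with a specific configuration without rebooting, here is the same case test as a stand-alone function. This is an added example, not the init script itself, and the four configurations it is run against are constructed for the demonstration (syslog-ng 3.x syntax, not the poster's config).

```shell
#!/bin/sh
# Added example, not from the thread: the case test from the syslog-ng init
# script's depend() as a stand-alone function, so a config can be checked
# for the 'need net' dependency before the next boot.

# syslog_ng_needs_net [FILE]
# Reads the config from FILE (or stdin when no file is given), strips comments
# the way the init script does, and returns 0 when 'need net' would be added.
syslog_ng_needs_net() {
    case $(sed 's/#.*//' ${1:+"$1"}) in
        *source*tcp*|*source*udp*|*destination*tcp*|*destination*udp*) return 0 ;;
    esac
    return 1
}

# Constructed configs (syslog-ng 3.x syntax, not taken from the poster).
# Local-only logging: no network source or destination.
CFG_LOCAL='source s_local { unix-stream("/dev/log"); internal(); };
destination d_messages { file("/var/log/messages"); };
log { source(s_local); destination(d_messages); };'

# Listens for UDP syslog: this is the case that pulls in 'need net'.
CFG_UDP='source s_net { udp(ip(0.0.0.0) port(514)); };
destination d_messages { file("/var/log/messages"); };
log { source(s_net); destination(d_messages); };'

# Only mentions udp() inside a comment: sed removes it, so no 'need net'.
CFG_COMMENTED="$CFG_LOCAL
# source s_net { udp(); };   # maybe later"

# No network at all, but the glob *destination*tcp* matches the file name
# "tcpdump.log": a false positive that still triggers 'need net'.
CFG_FALSE_POSITIVE="$CFG_LOCAL
destination d_capture { file(\"/var/log/tcpdump.log\"); };"

# report LABEL CONFIG: one line per config for a quick overview
report() {
    if printf '%s\n' "$2" | syslog_ng_needs_net; then
        echo "$1: needs net"
    else
        echo "$1: no net dependency"
    fi
}

report local "$CFG_LOCAL"
report udp "$CFG_UDP"
report commented "$CFG_COMMENTED"
report false_positive "$CFG_FALSE_POSITIVE"
```

The pattern is a plain glob over the whole comment-stripped file, so any "tcp" or "udp" substring that appears after the word "source" or "destination" counts; the last constructed config shows a file name that is enough to trigger it. If the check reports the dependency for a box that only logs locally, rc_syslog_ng_need="!net" from the post above is the override; run it on the real file with syslog_ng_needs_net /etc/syslog-ng/syslog-ng.conf.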
Jimini
l33t


Joined: 31 Oct 2006
Posts: 601
Location: Germany

Posted: Thu May 09, 2013 11:37 am

khayyam, of course you are right. Thank you for your hint!

Now I would like to add another wireless network using the second wifi adapter. The configuration is similar to the first one, and I can join this second network without problems. But again, the client cannot reach anything, as described in my first post in this thread.

My config:
Code:
config_enp3s0="dhcp"
dhcp_enp3s0="release nodns"

config_enp1s0f0="null"
config_enp1s0f1="null"

config_wlp0s29u1u1="null"
mode_wlp0s29u1u1="master"
modules_wlp0s29u1u1="!iwconfig !wpa_supplicant"

config_wlp0s29u1u2="null"
mode_wlp0s29u1u2="master"
modules_wlp0s29u1u2="!iwconfig !wpa_supplicant"

brctl_br0="stp br0 off"
bridge_br0="enp1s0f0 wlp0s29u1u1"
config_br0="10.0.0.1/24"
routes_br0="default via 10.0.0.1"
rc_net_br0_need="net.enp1s0f0 net.wlp0s29u1u1"

brctl_br1="stp br1 off"
bridge_br1="enp1s0f1 wlp0s29u1u2"
config_br1="10.0.0.3/24"
routes_br1="default via 10.0.0.1"
rc_net_br1_need="net.enp1s0f1 net.wlp0s29u1u2"

Code:

Aleph jimini # tcpdump -i br1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br1, link-type EN10MB (Ethernet), capture size 65535 bytes
13:30:51.439339 ARP, Request who-has 10.0.0.3 tell 10.0.0.101, length 28
13:30:52.439449 ARP, Request who-has 10.0.0.3 tell 10.0.0.101, length 28
13:30:53.456933 ARP, Request who-has 10.0.0.3 tell 10.0.0.101, length 28
13:30:54.455540 ARP, Request who-has 10.0.0.3 tell 10.0.0.101, length 28
13:30:55.455525 ARP, Request who-has 10.0.0.3 tell 10.0.0.101, length 28
13:30:58.472231 ARP, Request who-has 10.0.0.3 tell 10.0.0.101, length 28
[...]


I am convinced that it is only a very small mistake I made, but I simply can't find it.

Best regards,
Jimini
Jimini
l33t


Joined: 31 Oct 2006
Posts: 601
Location: Germany

Posted: Thu May 09, 2013 8:52 pm

Okay, I was able to partially solve the problem myself: I simply connected the second NIC to the switch which connects the router to my network.

Code:

                      NIC2 (enp1s0f0)---br0---WLAN1 (wlp0s29u1u1)
                         |                                     |     
WAN---NIC1---Router--------------------------
                         |                                     |
                      NIC3 (enp1s0f1)---br1---WLAN2 (wlp0s29u1u2)


Now the systems which connect to WLAN2 can ping local systems, too. But shouldn't that be possible without a physical connection between NIC3 and the switch? At the moment the clients in WLAN2 cannot reach anything outside my network; I'm still trying to figure out why.

Best regards,
Jimini
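A check that the thread itself does not draw but that fits the last two posts (added example; the interface listing is constructed from the posted /etc/conf.d/net, and the WAN address in it is invented since enp3s0 uses DHCP): the first post's firewall script sets net.ipv4.conf.all.arp_filter=1. With that setting the kernel answers an ARP request arriving on an interface only if it would route a packet back to the requesting address out of that same interface. br0 (10.0.0.1/24) and br1 (10.0.0.3/24) are both in 10.0.0.0/24, so unless policy routing says otherwise only one of them replies to a request for its own address, which is the kind of silence the tcpdump on br1 shows. The functions below find interfaces that share a subnet in "ip -o -4 addr show" output and report the consequence for a given arp_filter value.

```shell
#!/bin/sh
# Added check, not a conclusion drawn in the thread: list interfaces that sit
# in the same IPv4 subnet. With net.ipv4.conf.all.arp_filter=1 (set in the
# first post's firewall script) the kernel answers an ARP request on an
# interface only if it would route a packet to the requester out of that
# same interface, so two interfaces in one subnet means one of them never
# answers ARP for its own address. Input is "ip -o -4 addr show" output.

# Constructed sample for the final layout: br0 and br1 both in 10.0.0.0/24.
# The WAN address 192.0.2.10 is invented (the poster's enp3s0 uses DHCP).
SAMPLE_ADDRS='2: enp3s0    inet 192.0.2.10/24 brd 192.0.2.255 scope global enp3s0\       valid_lft forever preferred_lft forever
7: br0    inet 10.0.0.1/24 brd 10.0.0.255 scope global br0\       valid_lft forever preferred_lft forever
8: br1    inet 10.0.0.3/24 brd 10.0.0.255 scope global br1\       valid_lft forever preferred_lft forever'

# ip2int A.B.C.D -> unsigned 32-bit integer
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# int2ip INT -> A.B.C.D
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# net_of A.B.C.D/LEN -> network address as integer
net_of() {
    addr=${1%/*}
    plen=${1#*/}
    if [ "$plen" -eq 0 ]; then
        mask=0
    else
        mask=$(( (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
    fi
    echo $(( $(ip2int "$addr") & mask ))
}

# shared_subnets < ip-o-4-addr-output
# Prints "IFACE1 IFACE2 NETWORK/LEN" for every pair of interfaces in one subnet.
shared_subnets() {
    list=$(awk '$3 == "inet" { print NR, $2, $4 }')
    [ -n "$list" ] || return 0
    printf '%s\n' "$list" | while read -r i if1 cidr1; do
        n1=$(net_of "$cidr1")
        p1=${cidr1#*/}
        printf '%s\n' "$list" | while read -r j if2 cidr2; do
            [ "$j" -gt "$i" ] || continue          # each pair once
            p2=${cidr2#*/}
            [ "$p1" = "$p2" ] || continue
            n2=$(net_of "$cidr2")
            if [ "$n1" -eq "$n2" ]; then
                printf '%s %s %s/%s\n' "$if1" "$if2" "$(int2ip "$n1")" "$p1"
            fi
        done
    done
    return 0
}

# check_arp_filter ARP_FILTER < ip-o-4-addr-output
# Returns 1 when arp_filter is 1 and a subnet is shared, 0 otherwise.
check_arp_filter() {
    pairs=$(shared_subnets)
    if [ -z "$pairs" ]; then
        echo "no interfaces share a subnet"
        return 0
    fi
    printf '%s\n' "$pairs" | while read -r a b net; do
        echo "$a and $b are both in $net"
    done
    if [ "$1" = "1" ]; then
        echo "arp_filter=1: only the interface the kernel routes the requester through will answer ARP"
        return 1
    fi
    return 0
}

# Demo with the constructed sample; on the router itself run:
#   ip -o -4 addr show | check_arp_filter "$(cat /proc/sys/net/ipv4/conf/all/arp_filter)"
printf '%s\n' "$SAMPLE_ADDRS" | check_arp_filter 1 || :
```

The two straightforward ways out are giving the second bridge its own subnet (the first post originally had 10.0.1.0/24 on the second adapter, and dhcpd would then need a matching subnet block) or, if one flat network is wanted, putting all four ports into a single bridge with a single address instead of two bridges in the same subnet.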