thorn Posted December 12, 2016

Hi, I'm using the very latest armbian build for orangepi+, and I'm trying to NAT the network from a wireless interface to another wireless interface. My own LAN works, the DNS server works too, so I can connect to the orangepi+, but I can't get NAT working. Is there some known issue about it, or a custom tutorial for NAT with this build? Thanks for the help.

thorn Posted December 12, 2016 (Author)

I have these interfaces:

    eth0      Link encap:Ethernet  HWaddr da:b6:f9:06:ce:bb
              inet addr:192.168.0.21  Bcast:192.168.0.255  Mask:255.255.255.0
              inet6 addr: 2a02:ab88:82:5880:dab6:f9ff:fe06:cebb/128 Scope:Global
              inet6 addr: 2a02:ab88:82:5880:d8b6:f9ff:fe06:cebb/128 Scope:Global
              inet6 addr: fe80::d8b6:f9ff:fe06:cebb/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:2856 errors:0 dropped:0 overruns:0 frame:0
              TX packets:1742 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:400193 (390.8 KiB)  TX bytes:247854 (242.0 KiB)
              Interrupt:114

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:9 errors:0 dropped:0 overruns:0 frame:0
              TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:1180 (1.1 KiB)  TX bytes:1180 (1.1 KiB)

    wlan0     Link encap:Ethernet  HWaddr 28:f3:66:4a:91:1e
              UP BROADCAST MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:1010 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:0 (0.0 TX bytes:0 (0.0

    wlan1     Link encap:Ethernet  HWaddr 28:f3:66:4a:91:1c
              inet addr:192.168.8.1  Bcast:192.168.8.255  Mask:255.255.255.0
              inet6 addr: fe80::2af3:66ff:fe4a:911c/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:79897 errors:0 dropped:5 overruns:0 frame:0
              TX packets:739 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:85119 (83.1 KiB)  TX bytes:78621 (76.7 KiB)

I have a hostapd and an isc-dhcp-server on wlan1.

My iptables policies:

    Chain PREROUTING (policy ACCEPT 4 packets, 280 bytes)
     pkts bytes target      prot opt in   out    source            destination

    Chain INPUT (policy ACCEPT 4 packets, 280 bytes)
     pkts bytes target      prot opt in   out    source            destination

    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target      prot opt in   out    source            destination

    Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target      prot opt in   out    source            destination
        0     0 MASQUERADE  all  --  *    eht0   0.0.0.0/0         0.0.0.0/0
        0     0 MASQUERADE  all  --  *    eth0   192.168.8.0/24    0.0.0.0/0

thorn Posted December 12, 2016 (Author)

Yes, I did:

    root@orangepiplus:~# cat /proc/sys/net/ipv4/ip_forward
    1

I uncommented the line net.ipv4.ip_forward=1 in sysctl.conf, so it shouldn't be the problem. Should I do something more?

thorn Posted December 12, 2016 (Author)

Well, I don't really know what you mean, but my only rule in iptables is:

    iptables -t nat -A POSTROUTING -s 192.168.8.0/24 -o eth0 -j MASQUERADE

arox Posted December 12, 2016

Traceroute is a tool to test network routing. You connect in a shell on a host on lan 192.168.8.0 and do a traceroute to a host behind your router/nat, for example in 192.168.1.x or in Internet. (apt-get install inetutils-traceroute)

Ex : traceroute www.sncf.com

    1 192.168.1.1 (192.168.1.1) 1.607 ms 3.134 ms 2.470 ms
    2 do-5-8-189-207-254.fbx.pad.net (88.111.207.254) 29.190 ms 28.712 ms 29.376 ms
    3 43.228.12.190 (43.228.12.190) 31.137 ms 31.738 ms 31.446 ms
    ... ...

It will send ICMP echo request with a limited and progressive "cross router" allowance (Time To Leave). Then each router in the path will send back a TTL exceeded and the tool will present 1 line per hop that succeeds with 3 response time samples (and * * * when it fails).

If you just reach your nat/router and don't see an address ping beyond, then your routing/translation fails. If you get no response or it presents more lines, then it is another problem.

thorn Posted December 12, 2016 (Author)

Upps sorry, I didn't misread your post. Well, I only tested this network with android devices. If I ping google dns, then it says that the destination host is unreachable. So for the first time I tried this network with windows and android devices too:

Windows:

    Tracing route to google-public-dns-a.google.com [8.8.8.8]
    over maximum 30 hops:
      1     *        *        *     Request timed out.
      2     7 ms     8 ms     7 ms  hu-bud02a-ra4-ae54-0.aorta.net [84.116.240.205]
      3     9 ms     7 ms     7 ms  84.116.137.82
      4     7 ms    13 ms     7 ms  72.14.209.116
      5     7 ms     7 ms     7 ms  72.14.238.119
      6     6 ms     7 ms     7 ms  google-public-dns-a.google.com [8.8.8.8]

Android:

    traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 38 bytes packets
     1 192.168.8.11 (192.168.8.11) 2990.518 ms !H 726.875 ms !H 2998.021 ms !H

After this result I tried with an odroid debian 8:

    traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
     1 192.168.8.13 (192.168.8.13) 2997.242 ms !H 2997.044 ms !H 2996.976 ms !H

So now I really have no idea why it doesn't work with linux os :/

arox Posted December 12, 2016

You should verify your netmask and your default router on 192.168.8.11 and 192.168.8.13 ! (netstat -rn) Your default router should be 192.168.8.1 if I understand your network configuration and the mask 255.255.255.0
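
arox's traceroute outcomes applied to the traces posted above, as an added example that is not part of any post in the thread. The `client_ip` and `gateway_ip` parameters and the STUCK trace are assumptions made for the example; it reads a hop 1 that shows the client's own address with !H as a host-unreachable error raised by the client itself.

```python
import re

# Traces copied from the thread: thorn's Android client, then arox's sample.
ANDROID = """traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 38 bytes packets
 1 192.168.8.11 (192.168.8.11) 2990.518 ms !H 726.875 ms !H 2998.021 ms !H"""
WORKING = """ 1 192.168.1.1 (192.168.1.1) 1.607 ms 3.134 ms 2.470 ms
 2 do-5-8-189-207-254.fbx.pad.net (88.111.207.254) 29.190 ms 28.712 ms 29.376 ms
 3 43.228.12.190 (43.228.12.190) 31.137 ms 31.738 ms 31.446 ms"""
# Constructed for this example: the router answers, nothing beyond it does.
STUCK = """ 1 192.168.8.1 (192.168.8.1) 2.101 ms 1.987 ms 2.240 ms
 2 * * *
 3 * * *"""

def parse_hops(text):
    """Parse Unix traceroute output into one dict per hop line."""
    hops = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(.*)", line)
        if not m:
            continue  # header line or noise
        rest = m.group(2)
        addr = re.search(r"\((\d+(?:\.\d+){3})\)", rest)
        hops.append({
            "ttl": int(m.group(1)),
            "addr": addr.group(1) if addr else None,
            "answered": bool(re.search(r"[\d.]+ ms", rest)),
            "host_unreachable": "!H" in rest,
        })
    return hops

def diagnose(text, client_ip, gateway_ip):
    """Map a trace to the place where the path breaks."""
    hops = parse_hops(text)
    if not hops:
        return "no hops parsed"
    first = hops[0]
    # !H reported from the client's own address: its stack could not reach
    # the next hop, so the gateway it was handed is wrong or down.
    if first["addr"] == client_ip and first["host_unreachable"]:
        return "client: configured default gateway unreachable"
    beyond = [h for h in hops[1:] if h["answered"] and not h["host_unreachable"]]
    if first["addr"] == gateway_ip and not beyond:
        return "router: reached, but nothing forwarded or translated beyond it"
    return "beyond router: look further along the path"

if __name__ == "__main__":
    print(diagnose(ANDROID, "192.168.8.11", "192.168.8.1"))
```
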

thorn Posted December 12, 2016 (Author)

And it is true, I set everything to static in my devices and it is working now. The netstat -rn result is:

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    0.0.0.0         192.168.0.1     0.0.0.0         UG        0 0          0 eth0
    0.0.0.0         192.168.0.1     0.0.0.0         UG        0 0          0 eth0
    192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
    192.168.8.0     0.0.0.0         255.255.255.0   U         0 0          0 wlan1

So I guess here the gateway missing is the problem and I think I don't have any default nameserver set on my orangepi+. Thanks

arox Posted December 12, 2016

To point to a nameserver, put 'nameserver 8.8.8.8' in /etc/resolv.conf on your workstations. Your isc-dhcp-server config is probably bad. It should distribute everything properly to your hosts. And if I were you, I would use dnsmasq that can serve as DHCP server and DNS cache/relay server.

Nota Bene : "so i guess here the gateway missing is the problem and i think i don't have any default nameserver set on my orangepi+."

Your orangepi+ is your nat/router, it doesn't really need to point to a nameserver. A nameserver pointer is just a user interface help to avoid using addresses or fill /etc/hosts. But it is the best place to provide name service for the users' workstation (with dnsmasq - much lighter than bind), and in that case you will probably want to fill /etc/resolv.conf on orangepi+

thorn Posted December 12, 2016 (Author)

Here is my conf file of isc-dhcp-server:

    subnet 192.168.8.0 netmask 255.255.255.0 {
      range 192.168.8.10 192.168.8.254;
      option routers 192.168.8.2;
      option subnet-mask 255.255.255.0;
      option broadcast-address 192.168.8.254;
      option ntp-servers 192.168.8.1;
      option netbios-name-servers 192.168.8.1;
      option netbios-node-type 8;
    }

So I added the line:

    option domain-name-servers 8.8.8.8, 8.8.4.4;

and changed the router ip to 192.186.8.1. And now it is working. I tried dnsmasq before, but -probably I couldn't configure it properly- it didn't work as dhcp server, so then I decided to change to isc-dhcp-server. Maybe, if I have time for it, I will try to check dnsmasq again. Thanks for the help

arox Posted December 12, 2016

> here is my conf file of isc-dhcp-server:
>
>     subnet 192.168.8.0 netmask 255.255.255.0 {
>       range 192.168.8.10 192.168.8.254;
>       option routers 192.168.8.2;
>       option subnet-mask 255.255.255.0;
>       option broadcast-address 192.168.8.254;
>       option ntp-servers 192.168.8.1;
>       option netbios-name-servers 192.168.8.1;
>       option netbios-node-type 8;
>     }
>
> so added the line: option domain-name-servers 8.8.8.8, 8.8.4.4; and change the router ip to 192.186.8.1. and now it is working. I tried dnsmasq before, but -probably i couldn't configure it properly- it didn't work as dhcp server, so then i decided to change to isc-dhcp-server. Maybe, if i will have time for it, i will try to check the dnsmasq again. Thanks for the help

"option netbios-name-servers 192.168.8.1;"

Not sure dnsmasq can do netbios name service ... But with a simple line :

    dhcp-range=192.168.8.10,192.168.8.254,255.255.255.0,12h

it should work. (By default, it will advertise itself as router)