
Clearfog pro network : make a gateway


deb2016


Hello,

 

I installed the latest armbian mainline image on my clearfog pro. I plugged a wifi card on it.

 

I would like to set up the armbian network so as to use it as a gateway towards the ISP box.

 

Concretely, here is the scheme:

internet <---- ADSL ----> ISP box <---- RJ45 ----> clearfog <---- wifi ----> PC1, tablet, ...
                                                            <---- RJ45 ----> PC2, printer, ...

 

Currently I use this scheme with an old router (linksys/dd-wrt) which is configured as a gateway :

- all dhcp requests are forwarded to the ISP box

- there is only one network 192.168.1.0/24 : the ISP box is 192.168.1.1 (local) and assigns all other devices (connected indirectly by the router) an IP like 192.168.1.XXX

 

I would like to do the same with clearfog, but could not find any relevant guide or tutorial to do so, after days of googling.

Yet, there are some useful posts on this forum, but not detailed enough about how they do it.

 

Could anyone explain to me what I would need to do? Do I need to set up a bridge?

 

Thanks for your kind help

 

Regards


Hi 

 

as a matter of fact I'm running a similar configuration except that my clearfog also provides dns / dhcp. And is in a different network to the isp box.

 

Yes a network bridge is what you've got to do. But it depends if you're using NetworkManager or plain interfaces file and which program for the wifi host.

 

I'd suggest using iptables, ifupdown and hostapd to do what you want. Maybe throw in dnsmasq for dns resolution and dhcp depending on whether you want it or not.

 

Using the package names you can get a lot of info online, tip: also google for stuff like raspberry pi router (there are many good examples for that crap piece of hardware).

 

I also attached my config as reference to this post, maybe check them. But be warned they can't be used 1:1.

 

Greetings,

count-doku

 

...

In my configuration using hostapd (Wlan), ifupdown (Interfaces) and iptables a sample configuration could look like this:

(note: the file name is included in the top row)

root@clearfogpro:~# nano /etc/network/interfaces
Nano:

auto lo
# Autoup the external isp facing interface eth0
auto eth0
# Autoup first the switch port, then the subsystem lan ports and last the bridge
auto eth1 lan1 lan2 lan3 lan4 lan5 lan6 br0

iface lo inet loopback

allow-hotplug eth0

# Use eth0 for ipv4/6 with dhcp, restore iptables from file on up
iface eth0 inet dhcp
        post-up # !!! Call the iptables init file here. Check online for the different ways (if-up.d folder)


# Configure eth1 (switch) as manual, e.g. no ipv4, only link-local ipv6; goes up through auto up
iface eth1 inet manual

# Disables eth2 (sfp)
iface eth2 inet manual

# Configure all lans as manual (go up through auto up)
iface lan1 inet manual
iface lan2 inet manual
iface lan3 inet manual
iface lan4 inet manual
iface lan5 inet manual
iface lan6 inet manual

# Configure the bridge, give bridge_ports and configure address etc.
iface br0 inet static
        bridge_ports lan1 lan2 lan3 lan4 lan5 lan6
        address 192.168.1.1
        netmask 255.255.255.0
        network 192.168.1.0
        broadcast 192.168.1.255

 

root@clearfogpro:~# nano /etc/hostapd.conf
Nano:

interface=wlp2s0
# The bridge= line adds the wifi port to our bridge defined in /etc/network/interfaces.
# hostapd takes everything after '=' as the value, so a comment must sit on its own line.
bridge=br0
driver=nl80211

[...] More configuration for ssid and settings following.
I cut them out - but there are plenty of hostapd tutorials out there...
root@clearfogpro:~# nano iptables-conf/iptables.user.conf
Nano:

#!/bin/sh
PATH='/sbin'

### INIT ###

# Flush previous rules, delete chains and reset counters
iptables -F
iptables -X
iptables -Z
iptables -t nat -F

# Default policies
iptables -P INPUT   DROP
iptables -P OUTPUT  DROP
iptables -P FORWARD DROP

# Enable kernel settings for ip forwarding and some other related entries. This can also be fixed
echo -n '1' > /proc/sys/net/ipv4/ip_forward
echo -n '0' > /proc/sys/net/ipv4/conf/all/accept_source_route
echo -n '0' > /proc/sys/net/ipv4/conf/all/accept_redirects
echo -n '1' > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo -n '1' > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
#echo -n '1' > /proc/sys/net/ipv6/conf/all/forwarding
#echo -n '2' > /proc/sys/net/ipv6/conf/eth0/accept_ra


# Enable loopback traffic
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Enable stateful rules (after that, only NEW connections need to be allowed)
iptables -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Drop invalid state packets
iptables -A INPUT   -m conntrack --ctstate INVALID -j DROP
iptables -A OUTPUT  -m conntrack --ctstate INVALID -j DROP
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP

#####################################################################################################################
### nat - PREROUTING ###

#####################################################################################################################
### filter - INPUT ###

# Allow incoming icmp
iptables -A INPUT -p icmp -m conntrack --ctstate NEW -j ACCEPT

# Allow all incoming traffic from local area network interface
iptables -A INPUT -i br0 -m conntrack --ctstate NEW -j ACCEPT

#####################################################################################################################
### filter - OUTPUT ###

# Enable all outgoing traffic to internet
iptables -A OUTPUT -o eth0 -d 0.0.0.0/0 -m conntrack --ctstate NEW -j ACCEPT

# Enable access traffic, from the firewall to the LAN network only in valid ip range
iptables -A OUTPUT -o br0 -d 192.168.1.0/24 -m conntrack --ctstate NEW -j ACCEPT

#####################################################################################################################
### filter - FORWARD ###

# Forward packets from the internal network (br0) to the internet (eth0)
iptables        -A FORWARD      -i br0 -o eth0 -s 192.168.1.0/24 \
                                -m conntrack --ctstate NEW -j ACCEPT

#####################################################################################################################
### nat - POSTROUTING ###

# Masquerade packets going into the internet (eth0)
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

#####################################################################################################################
## LOGGING

#iptables -A INPUT   -j LOG --log-level DEBUG --log-prefix '[FW INPUT]:    '
#iptables -A OUTPUT  -j LOG --log-level DEBUG --log-prefix '[FW OUTPUT]:   '
#iptables -A FORWARD -j LOG --log-level DEBUG --log-prefix '[FW FORWARD ]: '
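
As an added example (not from count-doku's post or from Armbian), here is a small Python linter that tokenises a script like the one above and checks the properties this ruleset is meant to keep: DROP default policies on INPUT and FORWARD, NEW connections forwarded only from br0 to eth0 with a 192.168.1.0/24 source, and MASQUERADE bound to eth0 only. The GOOD and WEAK texts are constructed, abbreviated copies of the ruleset; interface and subnet names are the ones the post uses.

```python
import shlex

def parse_rules(script):
    """Return [{table, cmd, chain, args}] for every iptables -A / -P line in a script."""
    rules = []
    for raw in script.replace("\\\n", " ").splitlines():  # join backslash continuations
        line = raw.strip()
        if not line.startswith("iptables"):
            continue                                # comments, echo ..., PATH=... etc.
        toks, table = shlex.split(line)[1:], "filter"
        if toks[:1] == ["-t"]:
            table, toks = toks[1], toks[2:]
        if toks and toks[0] in ("-A", "-P"):          # -F/-X/-Z housekeeping is not a rule
            rules.append({"table": table, "cmd": toks[0], "chain": toks[1], "args": toks[2:]})
    return rules

def _opt(args, flag):
    return args[args.index(flag) + 1] if flag in args else None  # value after flag, or None

def check_gateway(rules, wan="eth0", lan="br0", lan_net="192.168.1.0/24"):
    """Return findings; an empty list means the ruleset keeps the gateway properties."""
    findings = []
    policy = {r["chain"]: r["args"][0] for r in rules if r["cmd"] == "-P" and r["table"] == "filter"}
    for chain in ("INPUT", "FORWARD"):
        if policy.get(chain) != "DROP":
            findings.append(f"{chain} default policy is {policy.get(chain)}, expected DROP")
    for r in rules:
        if r["cmd"] != "-A":
            continue
        a, target = r["args"], _opt(r["args"], "-j")
        is_new = "NEW" in (_opt(a, "--ctstate") or "").split(",")
        if r["table"] == "nat" and target == "MASQUERADE" and _opt(a, "-o") != wan:
            findings.append("MASQUERADE is not restricted to the WAN interface")
        if r["table"] == "filter" and r["chain"] == "FORWARD" and target == "ACCEPT" and is_new:
            if (_opt(a, "-i"), _opt(a, "-o"), _opt(a, "-s")) != (lan, wan, lan_net):
                findings.append("FORWARD accepts NEW connections other than LAN -> WAN")
    return findings

# Constructed samples (added example, not from the thread): abbreviated ruleset and a loosened variant
GOOD = """
iptables -P INPUT   DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i br0 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i br0 -o eth0 -s 192.168.1.0/24 \\
    -m conntrack --ctstate NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
"""
WEAK = GOOD.replace("-i br0 -o eth0 -s 192.168.1.0/24 ", "").replace("-o eth0 -j MASQ", "-j MASQ")
```

Running `check_gateway(parse_rules(GOOD))` returns no findings, while the WEAK variant reports both the unrestricted FORWARD and the unbound MASQUERADE.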

 

 


Hi,

Many thanks for this detailed answer.

I will look into it carefully.

I already have a couple of questions.

You said that you have two independent networks between your isp box and the clearfogpro lan. eth0 is the clearfog interface which faces your isp box, so I guess it receives a local IP (in the range of 192.168.1.0/24), however the bridge br0 is assigned a static IP in the same local range. So it looks like it is the same network?

Also, eth1 and lanX interfaces are configured automatically with "auto eth1 lan1 ...", but later they are said to be set up manually. Does it mean you assign them a local IP manually ?

Regards


Answer to question 1:

Yes eth0 goes to the isp box. And br0 to my network. But I forward my global ipv4 from the isp box directly so they are not the same network. 

 

Internet ---- ISP Box (Modem) ---- Clearfog -------- br0 ------ lan1-6
                                   77.11.22.33       192.168.1.1 \-- wlan

 

So the clearfog is directly connected with the internet and the isp box is a completely transparent ethernet / dsl bridge.

 

---

 

Answer to second question: 

yes they are configured manually. The auto stanza only means the interfaces get ifup'ed automatically.

 

The actual lan ports (1-6) don't get IPs themselves. They only have MAC addresses (like a switch). Only the br0 interface has a local ip (192.168.1.1).

Then all packets from lan1-6 go over the br0 interface. All the routing etc. is based on that.

 

Greetings


 

Hi,

 

I finally got it working the way I wanted it, I am posting the /etc/network/interfaces for anyone interested:

 

# Local loopback
auto lo
iface lo inet loopback


# Autoup first the switch port, then the subsystem lan ports and last the bridge
auto eth0 eth1 eth2 lan1 lan2 lan3 lan4 lan5 lan6 wlp2s0
iface eth0 inet manual
iface eth1 inet manual
iface eth2 inet manual
iface lan1 inet manual
iface lan2 inet manual
iface lan3 inet manual
iface lan4 inet manual
iface lan5 inet manual
iface lan6 inet manual
iface wlp2s0 inet manual

# Configure the bridge, give ports and configure address
auto br0
iface br0 inet dhcp
	bridge_ports eth0 lan1 lan2 lan3 lan4 lan5 lan6 wlp2s0
#	pre-up iw dev wlp2s0 set 4addr on
#	post-down iw dev wlp2s0 set 4addr off

 

The bridge receives its IP dynamically from the ISP box (facing eth0).

 

I run "dhcp-helper -b eth0" so that any dhcp request on any bridged interfaces (lan and wifi) is forwarded to the ISP box.

 

This way, there is only one network (192.168.1.0/24).

 

Hope this helps.

 

Regards
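
An added example, not part of the thread: a Python parser for the kind of interfaces file posted here that reports whether eth0 is its own routed WAN interface (count-doku's setup, where the iptables FORWARD and nat rules are the boundary between ISP side and LAN) or a member of br0 (the final setup above, where LAN and ISP side are switched at layer 2, iptables FORWARD does not see that traffic unless br_netfilter is loaded, and the ISP box stays the only router). The ROUTED and BRIDGED sample texts are constructed, shortened copies of the two configurations.

```python
# Added example (not from the thread): classify an ifupdown config as a routed gateway or an L2 bridge.

def parse_interfaces(text):
    """Return {iface: {"method": ..., "bridge_ports": [...], "address": ...}} from interfaces(5) text."""
    cfg, cur = {}, None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):    # ifupdown only knows whole-line comments
            continue
        if parts[0] == "iface" and len(parts) >= 4:  # iface <name> inet <method>
            cur = cfg.setdefault(parts[1], {"method": None, "bridge_ports": [], "address": None})
            cur["method"] = parts[3]
        elif parts[0] in ("auto", "allow-hotplug", "mapping", "source"):
            cur = None                               # these keywords end the current stanza
        elif cur is not None and parts[0] == "bridge_ports":
            cur["bridge_ports"] = [] if parts[1:] == ["none"] else parts[1:]
        elif cur is not None and parts[0] == "address":
            cur["address"] = parts[1]
    return cfg

def gateway_mode(cfg, wan="eth0"):
    """'routed' when the WAN port has its own IP config and is not bridged with the LAN,
    'bridged' when it is a member of the LAN bridge, else 'unknown'."""
    if any(wan in st["bridge_ports"] for st in cfg.values()):
        return "bridged"      # LAN<->ISP frames are switched; iptables FORWARD is not the boundary
    if cfg.get(wan, {}).get("method") in ("dhcp", "static"):
        return "routed"       # the box is an L3 hop, so its FORWARD/nat rules are the boundary
    return "unknown"

# Constructed samples mirroring the two configurations posted in this thread
ROUTED = """auto lo eth0 lan1 lan2 br0
iface lo inet loopback
iface eth0 inet dhcp
iface lan1 inet manual
iface lan2 inet manual
iface br0 inet static
        bridge_ports lan1 lan2
        address 192.168.1.1
        netmask 255.255.255.0
"""
BRIDGED = """auto eth0 lan1 wlp2s0 br0
iface eth0 inet manual
iface lan1 inet manual
iface wlp2s0 inet manual
iface br0 inet dhcp
        bridge_ports eth0 lan1 wlp2s0
"""
```

`gateway_mode(parse_interfaces(ROUTED))` gives "routed" and `gateway_mode(parse_interfaces(BRIDGED))` gives "bridged"; in the bridged case only the ISP box's own firewall stands between the LAN clients and the ADSL side.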
