On Sun, Nov 05, 2023 at 10:55:12PM +0700, Max Nikulin wrote:
> It should be checked first and
> 
>     journalctl -b -u nftables.service
> 
> alongside searching for any nft messages in "journalctl -b". I
> suggested earlier reading /usr/share/doc/nftables/README.Debian; it
> explicitly recommends enabling the service.

I just enabled it (again) now:
root@redmoon:~# systemctl enable nftables.service
Created symlink /etc/systemd/system/sysinit.target.wants/nftables.service → 
/lib/systemd/system/nftables.service.
root@redmoon:~# systemctl status nftables.service
○ nftables.service - nftables
     Loaded: loaded (/lib/systemd/system/nftables.service; enabled; preset: 
enabled)
     Active: inactive (dead)
       Docs: man:nft(8)
             http://wiki.nftables.org
root@redmoon:~# journalctl -b -u nftables.service
-- No entries --

> > 2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state 
> > UP group default qlen 1000
> >     inet 192.168.231.3/24 brd 192.168.231.255 scope global enp3s0
> 
> I hope your router allows viewing the configuration received from the DHCP
> server. Since static addresses were working (and it can be rechecked), I
> guess the gateway is not explicitly configured, so the router tries to send
> packets to 192.168.231.1. Either change the interface IP or configure
> dnsmasq to send 192.168.231.3.

I think WiFi is configured properly (with automatic setup it has the same
settings as I used with manual setup).

Here is the output from the phone connected to the WiFi setup program:
Connection type: DHCP
     IP address: 192.168.231.243
    Subnet mask: 255.255.255.0
Default gateway: 192.168.231.3
            DNS: 192.168.231.3

Those are the same values I was providing previously when I used manual setup too.

> To debug run wireshark or tcpdump on enp3s0 and wlxe8de27a5ab1c to check
> that packets from the phone are properly received and routed.

Well, this is the part where my knowledge is as thin as it can be, sadly.
I have read part of the manual page for tcpdump and some web page with tutorials,
and all I came up with is to issue these commands:
$ sudo tcpdump -s 0 -i any -w  any-0.pcap
$ tcpdump -r any-0.pcap  > any-0.tcpdump

While tcpdump was recording what was going on on the network I issued these
commands from my phone:
connect with browser to: http://www.google.com
In a terminal program that I downloaded on the phone I issued these commands
(the top 2 pings worked, the third did not):
ping -c1 192.168.0.16
ping -c1 192.168.231.3
ping -c1 google.come
connect with browser to: http://192.168.231.3/test.html

The connection to www.google.com did not work, but the connection to my own
web server did show the test.html page (which I created for this).

I have run these commands 2 times: once right after rebooting, when my changes to
nftables were not done yet, and a second time after I added this to nftables:
table ip masqrule {
        chain postrouting {
                type nat hook postrouting priority srcnat; policy accept;
                ip saddr 192.168.231.0/24 oifname "wlxe8de27a5ab1c" masquerade
        }
}

and here are the outputs of tcpdump (I posted them to pastebin as they are
not tiny):
(tcpdump -r any-0-no_masq.pcap  > any-0-no_masq.tcpdump) (pastebinit -i 
any-0-no_masq.tcpdump)
https://paste.debian.net/hidden/be2f7994/
(tcpdump -r any-0.pcap  > any-0.tcpdump) (pastebinit -i any-0.tcpdump)
https://paste.debian.net/hidden/1589ec04/

There are also the same outputs with the '-n' option (to print IP numbers instead
of names):
(tcpdump -r any-0-no_masq.pcap -n > any-0-no_masq-n.tcpdump) (pastebinit -i 
any-0-no_masq-n.tcpdump)
https://paste.debian.net/hidden/08ecfd39/
(tcpdump -r any-0.pcap -n > any-0-n.tcpdump) (pastebinit -i any-0-n.tcpdump)
https://paste.debian.net/hidden/a55e6f77/

Here is an extract from https://paste.debian.net/hidden/a55e6f77/ that I think is
doing the connection to google:

10:47:52.614642 enp3s0 In  IP 192.168.231.243.48257 > 192.168.231.3.53: 29809+ 
A? www.google.com. (32)
10:47:52.614851 wlxe8de27a5ab1c Out IP 192.168.0.16.34673 > 81.24.247.14.53: 
10155+ A? www.google.com. (32)
10:47:52.614902 wlxe8de27a5ab1c Out IP 192.168.0.16.34673 > 81.24.247.44.53: 
10155+ A? www.google.com. (32)
10:47:52.791389 wlxe8de27a5ab1c In  IP 81.24.247.14.53 > 192.168.0.16.34673: 
10155 1/0/0 A 142.251.208.132 (62)
10:47:52.791559 enp3s0 Out IP 192.168.231.3.53 > 192.168.231.243.48257: 29809 
1/0/0 A 142.251.208.132 (62)
10:47:52.794704 enp3s0 In  IP 192.168.231.243.46639 > 142.251.208.132.80: Flags 
[S], seq 4183167263, win 29200, options [mss 1460,sackOK,TS val 19413 ecr 
0,nop,wscale 6], length 0
10:47:52.846385 enp3s0 In  IP 192.168.231.243.46640 > 142.251.208.132.80: Flags 
[S], seq 1626803236, win 29200, options [mss 1460,sackOK,TS val 19418 ecr 
0,nop,wscale 6], length 0
10:47:53.819034 enp3s0 In  IP 192.168.231.243.46639 > 142.251.208.132.80: Flags 
[S], seq 4183167263, win 29200, options [mss 1460,sackOK,TS val 19513 ecr 
0,nop,wscale 6], length 0
10:47:53.843797 enp3s0 In  IP 192.168.231.243.46640 > 142.251.208.132.80: Flags 
[S], seq 1626803236, win 29200, options [mss 1460,sackOK,TS val 19518 ecr 
0,nop,wscale 6], length 0

The last 4 lines here are similar, and I can not find any response from the
server (142.251.208.132.80) to them. One thing that is suspicious to me
is that it is using the 192.168.231.243 address - maybe my masquerade is not
working properly?
I would like this packet to be rewritten as if it is coming
from 192.168.231.3 (main computer), not from 192.168.231.243.
Is that reasonable? And how do I achieve that?


> Warning: if you have not configured network interfaces for DHCP in dnsmasq
> then do it. Otherwise other computers connected to the upstream WiFi link
> may receive DHCP leases emitted from wlxe8de27a5ab1c.

The only thing I added to the dnsmasq configuration is one line in the
/etc/dnsmasq.d/myHomeDHCPrange file:
dhcp-range=192.168.231.241,192.168.231.254,12h

This seems to work; as you can see above, WiFi is getting the address 192.168.231.243.
Is there anything else I should change in the dnsmasq settings?

Bye
Martin
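As an added example (not part of this thread), here is a small Python check that mechanises what Max suggested: read the text output of `tcpdump -i any` and, for each TCP SYN that enters on the LAN interface from the LAN subnet, see whether the same segment leaves on the WiFi interface and with which source address. The interface names and addresses are the ones from this thread; the sample lines are two SYNs from the post (options abridged) plus one constructed "Out" line showing what a correctly masqueraded SYN would look like.

```python
import ipaddress
import re
from collections import defaultdict

# One `tcpdump -i any` text line as in the post: <time> <iface> In|Out IP <src>.<sport> > <dst>.<dport>: <rest>
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<ifc>\S+)\s+(?P<dir>In|Out)\s+IP\s+(?P<src>[\d.]+)"
                     r"\.(?P<sport>\d+)\s+>\s+(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+(?P<rest>.*)$")
SEQ_RE = re.compile(r"\bseq (\d+)")

def parse(lines):
    """One dict per parsable IPv4 line; TCP lines also carry an int 'seq'."""
    pkts = []
    for m in filter(None, (LINE_RE.match(line.strip()) for line in lines)):
        p = m.groupdict()
        s = SEQ_RE.search(p["rest"])
        p["seq"] = int(s.group(1)) if s else None
        pkts.append(p)
    return pkts

def audit_masquerade(lines, lan_if, wan_if, lan_net, wan_ip):
    """Classify each TCP segment entering lan_if from lan_net for a non-LAN host by how it leaves wan_if."""
    net = ipaddress.ip_network(lan_net)
    pkts = parse(lines)
    leaving = defaultdict(list)  # (dst, dport, seq) -> source addresses seen on wan_if
    for p in pkts:
        if p["ifc"] == wan_if and p["dir"] == "Out" and p["seq"] is not None:
            leaving[(p["dst"], p["dport"], p["seq"])].append(p["src"])
    verdicts = defaultdict(int)
    for p in pkts:
        if p["ifc"] != lan_if or p["dir"] != "In" or p["seq"] is None:
            continue
        if ipaddress.ip_address(p["src"]) not in net or ipaddress.ip_address(p["dst"]) in net:
            continue  # local traffic, not a candidate for forwarding/NAT
        outs = leaving.get((p["dst"], p["dport"], p["seq"]), [])
        if not outs:
            verdicts["not_forwarded"] += 1  # never seen leaving on the WAN side
        elif wan_ip in outs:
            verdicts["masqueraded"] += 1  # left with the router's WAN address
        else:
            verdicts["forwarded_unmasqueraded"] += 1  # left with the LAN source intact
    return dict(verdicts)

# Constructed sample: two SYNs taken from the post (options abridged) plus one constructed "Out" line
# showing the second SYN as it would look on the WiFi side once masqueraded.
SAMPLE = """\
10:47:52.794704 enp3s0 In  IP 192.168.231.243.46639 > 142.251.208.132.80: Flags [S], seq 4183167263, length 0
10:47:52.846385 enp3s0 In  IP 192.168.231.243.46640 > 142.251.208.132.80: Flags [S], seq 1626803236, length 0
10:47:52.846390 wlxe8de27a5ab1c Out IP 192.168.0.16.46640 > 142.251.208.132.80: Flags [S], seq 1626803236, length 0
""".splitlines()

def sample_verdicts():
    return audit_masquerade(SAMPLE, "enp3s0", "wlxe8de27a5ab1c", "192.168.231.0/24", "192.168.0.16")
```

Run against the post's own capture this reports every google SYN as not_forwarded, because no matching "Out" line ever appears on wlxe8de27a5ab1c; the phone's address on the enp3s0 "In" lines is expected, since masquerade rewrites the source only in postrouting, on the way out.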