On Sun, Nov 05, 2023 at 10:55:12PM +0700, Max Nikulin wrote:
> It should be checked first and
>
>     journalctl -b -u nftables.service
>
> alongside with searching for any nft messages in "journalctl -b". I
> suggested earlier to read /usr/share/doc/nftables/README.Debian It
> explicitly recommends to enable the service.

I just enabled it (again) now:

root@redmoon:~# systemctl enable nftables.service
Created symlink /etc/systemd/system/sysinit.target.wants/nftables.service → /lib/systemd/system/nftables.service.
root@redmoon:~# systemctl status nftables.service
○ nftables.service - nftables
     Loaded: loaded (/lib/systemd/system/nftables.service; enabled; preset: enabled)
     Active: inactive (dead)
       Docs: man:nft(8)
             http://wiki.nftables.org
root@redmoon:~# journalctl -b -u nftables.service
-- No entries --

> > 2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state
> > UP group default qlen 1000
> >     inet 192.168.231.3/24 brd 192.168.231.255 scope global enp3s0
>
> I hope, your router allows to view configuration received from the DHCP
> server. Since static addresses were working (and it can be rechecked), I
> guess, gateway is not explicitly configured, so the router tries to send
> packets to 192.168.231.1. Either change the interface IP or configure
> dnsmasq to send 192.168.231.3.

I think WiFi is configured properly (with automatic setup it does have the same settings as I did with manual settings).
Here is the output from the phone connected to the WiFi setup program:

Connection type: DHCP
IP address: 192.168.231.243
Subnet mask: 255.255.255.0
Default gateway: 192.168.231.3
DNS: 192.168.231.3

Those are the same values I was providing previously when I used manual setup too.

> To debug run wireshark or tcpdump on enp3s0 and wlxe8de27a5ab1c to check
> that packets from the phone are properly received and routed.

Well, this is the part where my knowledge is as thin as it can be, sadly.
I have read part of the manual page for tcpdump and some web pages with tutorials, and all I came up with is to issue these commands:

$ sudo tcpdump -s 0 -i any -w any-0.pcap
$ tcpdump -r any-0.pcap > any-0.tcpdump

While tcpdump was recording what was going on on the network I issued these commands from my phone:

connect with browser to: http://www.google.com

In a terminal program that I downloaded on the phone I issued these commands (the top 2 pings worked, the third did not):

ping -c1 192.168.0.16
ping -c1 192.168.231.3
ping -c1 google.come

connect with browser to: http://192.168.231.3/test.html

The connection to www.google.com did not work, but the connection to my own web server did show the test.html page (which I created for this).

I have run these commands 2 times: once right after rebooting, when my changes to nftables were not done yet, and a second time after I added this to nftables:

table ip masqrule {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        ip saddr 192.168.231.0/24 oifname "wlxe8de27a5ab1c" masquerade
    }
}

and here are the outputs of tcpdump (I did post them to pastebin as they are not tiny):

(tcpdump -r any-0-no_masq.pcap > any-0-no_masq.tcpdump)
(pastebinit -i any-0-no_masq.tcpdump)
https://paste.debian.net/hidden/be2f7994/

(tcpdump -r any-0.pcap > any-0.tcpdump)
(pastebinit -i any-0.tcpdump)
https://paste.debian.net/hidden/1589ec04/

There are also the same outputs with the '-n' option (to print IP numbers instead of names) too:

(tcpdump -r any-0-no_masq.pcap -n > any-0-no_masq-n.tcpdump)
(pastebinit -i any-0-no_masq-n.tcpdump)
https://paste.debian.net/hidden/08ecfd39/

(tcpdump -r any-0.pcap -n > any-0-n.tcpdump)
(pastebinit -i any-0-n.tcpdump)
https://paste.debian.net/hidden/a55e6f77/

Here is an extract from https://paste.debian.net/hidden/a55e6f77/ that I think is doing the connection to google:

10:47:52.614642 enp3s0 In IP 192.168.231.243.48257 > 192.168.231.3.53: 29809+ A? www.google.com. (32)
10:47:52.614851 wlxe8de27a5ab1c Out IP 192.168.0.16.34673 > 81.24.247.14.53: 10155+ A? www.google.com. (32)
10:47:52.614902 wlxe8de27a5ab1c Out IP 192.168.0.16.34673 > 81.24.247.44.53: 10155+ A? www.google.com. (32)
10:47:52.791389 wlxe8de27a5ab1c In IP 81.24.247.14.53 > 192.168.0.16.34673: 10155 1/0/0 A 142.251.208.132 (62)
10:47:52.791559 enp3s0 Out IP 192.168.231.3.53 > 192.168.231.243.48257: 29809 1/0/0 A 142.251.208.132 (62)
10:47:52.794704 enp3s0 In IP 192.168.231.243.46639 > 142.251.208.132.80: Flags [S], seq 4183167263, win 29200, options [mss 1460,sackOK,TS val 19413 ecr 0,nop,wscale 6], length 0
10:47:52.846385 enp3s0 In IP 192.168.231.243.46640 > 142.251.208.132.80: Flags [S], seq 1626803236, win 29200, options [mss 1460,sackOK,TS val 19418 ecr 0,nop,wscale 6], length 0
10:47:53.819034 enp3s0 In IP 192.168.231.243.46639 > 142.251.208.132.80: Flags [S], seq 4183167263, win 29200, options [mss 1460,sackOK,TS val 19513 ecr 0,nop,wscale 6], length 0
10:47:53.843797 enp3s0 In IP 192.168.231.243.46640 > 142.251.208.132.80: Flags [S], seq 1626803236, win 29200, options [mss 1460,sackOK,TS val 19518 ecr 0,nop,wscale 6], length 0

The last 4 lines here are similar, and there I can not find any response from the server (142.251.208.132.80) to them.

One thing that is suspicious to me is that it is using the 192.168.231.243 address - maybe my masquerade is not working properly? I would like this packet to be rewritten as if it is coming from 192.168.231.3 (main computer), not from 192.168.231.243. Is that reasonable? And how do I achieve that?

> Warning: if you have not configured network interfaces for DHCP in dnsmasq
> then do it. Otherwise other computers connected to the upstream WiFi link
> may receive DHCP leases emitted from wlxe8de27a5ab1c.
The only thing I added to the dnsmasq configuration is one line in the /etc/dnsmasq.d/myHomeDHCPrange file:

dhcp-range=192.168.231.241,192.168.231.254,12h

This seems to work; as you can see above, WiFi is getting the address 192.168.231.243.

Is there anything else I should change in the dnsmasq settings?

Bye
Martin
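As an added example (not code from the thread): the check Martin did by eye on the tcpdump extract, automated. The script parses "tcpdump -n -i any" text lines and, for every TCP SYN that entered from the LAN side, reports whether a copy left on the upstream WiFi interface at all and, if so, whether its source address had been rewritten to the router's upstream address. Interface names and addresses are the ones from the thread; the sample lines are a constructed, abridged copy of the quoted extract.

```python
import ipaddress
import re

# Constructed sample, abridged from the "tcpdump -r any-0.pcap -n" extract quoted in the thread.
SAMPLE = """\
10:47:52.614642 enp3s0 In IP 192.168.231.243.48257 > 192.168.231.3.53: 29809+ A? www.google.com. (32)
10:47:52.614851 wlxe8de27a5ab1c Out IP 192.168.0.16.34673 > 81.24.247.14.53: 10155+ A? www.google.com. (32)
10:47:52.794704 enp3s0 In IP 192.168.231.243.46639 > 142.251.208.132.80: Flags [S], seq 4183167263, win 29200, length 0
10:47:53.819034 enp3s0 In IP 192.168.231.243.46639 > 142.251.208.132.80: Flags [S], seq 4183167263, win 29200, length 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<iface>\S+) (?P<dir>In|Out) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$"
)

def parse(text):
    """Parse numeric tcpdump lines into dicts; lines of another shape are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            p = m.groupdict()
            p["syn"] = p["rest"].startswith("Flags [S],")
            pkts.append(p)
    return pkts

def classify_flows(pkts, lan_if, wan_if, lan_net, wan_ip):
    """For each TCP SYN that entered from the LAN, report what the router did with it."""
    net = ipaddress.ip_network(lan_net)
    verdict = {}
    for p in pkts:
        if not (p["syn"] and p["iface"] == lan_if and p["dir"] == "In"
                and ipaddress.ip_address(p["src"]) in net):
            continue
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        if key in verdict:
            continue  # retransmitted SYN of a flow already judged
        # Match the outgoing copy by destination only: a working masquerade
        # rewrites the source address (and possibly the source port).
        out = [q for q in pkts if q["syn"] and q["iface"] == wan_if and q["dir"] == "Out"
               and (q["dst"], q["dport"]) == (p["dst"], p["dport"])]
        if not out:
            verdict[key] = "not forwarded"
        elif all(q["src"] == wan_ip for q in out):
            verdict[key] = "forwarded and masqueraded"
        else:
            verdict[key] = "forwarded without masquerade"
    return verdict
```

On the quoted extract the SYN to 142.251.208.132.80 comes out as "not forwarded": nothing for that destination ever leaves wlxe8de27a5ab1c, which is a different symptom from a packet that leaves with the 192.168.231.243 source still on it.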