RE: [leaf-user] problems with BEFW11S (wireless router) and LEAF (Bering)

Ray Olszewski Mon, 10 Feb 2003 17:50:55 -0800

I'm responding via leaf-user rather than privately mainly because I'm running out of ideas, so I'm hoping the additional information you provided here will give someone else an idea.

Based on this new information, it looks like whatever the problem is, it is NOT a problem at the network layer (so the firewall rulesets are not involved). In any case, the OUTPUT table is ACCEPT'ing ping output. The failure is at the link layer, where the Bering router is unable to arp the wireless host (but the wireless host apparently can arp the Bering router, based on what you reported before). This leads me to think the problem either is in the Linksys or is something peculiar to the way the Linux kernel forms arp packets.

One wild thought ... have you tried connecting the Bering router to a different port on the Linksys? I don't really see how changing ports can affect things, since the wireless host, from your report, does get a DHCP lease from the Bering router (and arps it successfully) ... but I'm getting down to long shots here.

Another long shot ... is the routing table on the XP host correctly configured after it gets its DHCP lease?

More interspersed below. Sorry I cannot offer more or better help; I'm really out of ideas.

At 07:11 PM 2/10/03 -0500, Camille King wrote:
[...]

>>>>>Just a thought here ... does the wireless host run any sort of firewalling
>>>>>package? If so, what are its details? (And what OS does this client run,
>>>>>BTW?)

No the client machine is WinXP machine that does not have the XP firewall turned
on.

>>>>>>OK. What message are you getting here (on the Bering) when the ping fails?

>>>>>Does it just fail silently (that is, do nothing until you enter CTRL-C,
>>>>>then report 100% failure)? Or is there a different result? And just to be
>>>>>clear ... another wireline host CAN ping this same wireless host
>>>>>successfully, right? And that same wireline host CAN ping the Bering
>>>>>router?

The ping is dead silent, the Bering router is just stuck and I have to Ctrl-C to
quit the ping action. Yes, the wireline host can ping Bering successfully and
vice versa.

And this SAME wireline host can also ping the same wireless host that the Bering router cannot find? (A prior message said a wireline host can ping a wireless host and vice versa; i'm only double checking that those hosts are the same ones you are talking aqbout here.)

I tried arp on Bering and it displayed the working wireline host with the proper
IP and it's MAC address. The wireless host has it's IP address but the HWaddress
is incomplete. What arp displays on Bering is attached below.

Thanks a lot.

CK

arp -va (from Bering)
? (192.168.1.2) at 00:08:74:94:6E:55 [ether] on eth1
? (192.168.1.3) at <incomplete> on eth1
? (192.168.1.4) at 00:04:5A:7B:AC:A1 [ether] on eth1
Entries: 3 Skipped: 0 Found: 3

I assume .2 and .4 are two different wireline hosts and .3 is the wireless host.

iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

167 15158 ACCEPT ah -- lo * 0.0.0.0/0 0.0.0.0/0

78 23011 ppp0_in ah -- ppp0 * 0.0.0.0/0 0.0.0.0/0

239 32477 eth1_in ah -- eth1 * 0.0.0.0/0 0.0.0.0/0

0 0 common ah -- * * 0.0.0.0/0 0.0.0.0/0

0 0 LOG ah -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
0 0 reject ah -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

4 184 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp flags:0x06/0x02 TCPMSS clamp to PMTU
12 5344 ppp0_fwd ah -- ppp0 * 0.0.0.0/0 0.0.0.0/0

12 1659 eth1_fwd ah -- eth1 * 0.0.0.0/0 0.0.0.0/0

0 0 common ah -- * * 0.0.0.0/0 0.0.0.0/0

0 0 LOG ah -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
0 0 reject ah -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID
167 15158 ACCEPT ah -- * lo 0.0.0.0/0 0.0.0.0/0

158 12938 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW,RELATED,ESTABLISHED
68 4242 fw2net ah -- * ppp0 0.0.0.0/0 0.0.0.0/0

1 96 all2all ah -- * eth1 0.0.0.0/0 0.0.0.0/0

0 0 common ah -- * * 0.0.0.0/0 0.0.0.0/0

0 0 LOG ah -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'
0 0 reject ah -- * * 0.0.0.0/0 0.0.0.0/0

Chain all2all (3 references)
pkts bytes target prot opt in out source destination

1 96 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
176 27442 common ah -- * * 0.0.0.0/0 0.0.0.0/0

0 0 LOG ah -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:'
0 0 reject ah -- * * 0.0.0.0/0 0.0.0.0/0

Chain common (5 references)
pkts bytes target prot opt in out source destination

0 0 icmpdef icmp -- * * 0.0.0.0/0 0.0.0.0/0

0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID
113 13094 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:137:139 reject-with icmp-port-unreachable
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:445 reject-with icmp-port-unreachable
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:135
39 6260 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:1900
26 8244 DROP ah -- * * 0.0.0.0/0
255.255.255.255
0 0 DROP ah -- * * 0.0.0.0/0 224.0.0.0/4

0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:113
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp spt:53 state NEW
0 0 DROP ah -- * * 0.0.0.0/0
192.168.1.255

Chain dynamic (4 references)
pkts bytes target prot opt in out source destination

Chain eth1_fwd (1 references)
pkts bytes target prot opt in out source destination

12 1659 dynamic ah -- * * 0.0.0.0/0 0.0.0.0/0

12 1659 loc2net ah -- * ppp0 0.0.0.0/0 0.0.0.0/0

Chain eth1_in (1 references)
pkts bytes target prot opt in out source destination

239 32477 dynamic ah -- * * 0.0.0.0/0 0.0.0.0/0

6 306 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 8
233 32171 loc2fw ah -- * * 0.0.0.0/0 0.0.0.0/0

Chain fw2net (1 references)
pkts bytes target prot opt in out source destination

0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp dpt:53
68 4242 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW udp dpt:53
0 0 all2all ah -- * * 0.0.0.0/0 0.0.0.0/0

Chain icmpdef (1 references)
pkts bytes target prot opt in out source destination

0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 8

Chain loc2fw (1 references)
pkts bytes target prot opt in out source destination

56 4668 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp dpt:22
1 61 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW udp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp dpt:80
176 27442 all2all ah -- * * 0.0.0.0/0 0.0.0.0/0

Chain loc2net (1 references)
pkts bytes target prot opt in out source destination

10 1563 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
2 96 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0

Chain net2all (2 references)
pkts bytes target prot opt in out source destination

84 28007 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
6 348 common ah -- * * 0.0.0.0/0 0.0.0.0/0

4 192 LOG ah -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:'
4 192 DROP ah -- * * 0.0.0.0/0 0.0.0.0/0

Chain newnotsyn (5 references)
pkts bytes target prot opt in out source destination

0 0 DROP ah -- * * 0.0.0.0/0 0.0.0.0/0

Chain ppp0_fwd (1 references)
pkts bytes target prot opt in out source destination

12 5344 dynamic ah -- * * 0.0.0.0/0 0.0.0.0/0

12 5344 net2all ah -- * eth1 0.0.0.0/0 0.0.0.0/0

Chain ppp0_in (1 references)
pkts bytes target prot opt in out source destination

78 23011 dynamic ah -- * * 0.0.0.0/0 0.0.0.0/0

0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 8
78 23011 net2all ah -- * * 0.0.0.0/0 0.0.0.0/0

Chain reject (6 references)
pkts bytes target prot opt in out source destination

0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0
reject-with tcp-reset
0 0 REJECT ah -- * * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-port-unreachable

Chain shorewall (0 references)
pkts bytes target prot opt in out source destination

--
-------------------------------------------"Never tell me the odds!"--------
Ray Olszewski					-- Han Solo
Palo Alto, California, USA			  [EMAIL PROTECTED]
-------------------------------------------------------------------------------




-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

RE: [leaf-user] problems with BEFW11S (wireless router) and LEAF (Bering)

Reply via email to