Re: How do I connect my new wifi router (Mi Router 4C)?

2023-11-09 Thread Max Nikulin

On 08/11/2023 20:39, Martin wrote:
> Here is output from phone connected to WiFi setup program:
> Default gateway: 192.168.231.3


It seems dnsmasq is able to serve reasonable settings with minimal 
configuration.



>  chain postrouting {
>  type nat hook postrouting priority srcnat; policy accept;
>  ip saddr 192.168.231.0/24 oifname "wlxe8de27a5ab1c" masquerade


You had a rule that was working for you.

I do not see obvious issues with this one, besides that docker0 instances are
likely inaccessible from the phone.



> 10:47:52.614642 enp3s0 In  IP 192.168.231.243.48257 > 192.168.231.3.53: 29809+ 
> A? www.google.com. (32)
> 10:47:52.614851 wlxe8de27a5ab1c Out IP 192.168.0.16.34673 > 81.24.247.14.53: 
> 10155+ A? www.google.com. (32)
> 10:47:52.614902 wlxe8de27a5ab1c Out IP 192.168.0.16.34673 > 81.24.247.44.53: 
> 10155+ A? www.google.com. (32)
> 10:47:52.791389 wlxe8de27a5ab1c In  IP 81.24.247.14.53 > 192.168.0.16.34673: 
> 10155 1/0/0 A 142.251.208.132 (62)
> 10:47:52.791559 enp3s0 Out IP 192.168.231.3.53 > 192.168.231.243.48257: 29809 
> 1/0/0 A 142.251.208.132 (62)
> 10:47:52.794704 enp3s0 In  IP 192.168.231.243.46639 > 142.251.208.132.80: Flags 
> [S], seq 4183167263, win 29200, options [mss 1460,sackOK,TS val 19413 ecr 
> 0,nop,wscale 6], length 0
> 10:47:52.846385 enp3s0 In  IP 192.168.231.243.46640 > 142.251.208.132.80: Flags 
> [S], seq 1626803236, win 29200, options [mss 1460,sackOK,TS val 19418 ecr 
> 0,nop,wscale 6], length 0


Since packets from wlxe8de27a5ab1c to 142.251.208.132:80 are missing, 
perhaps IP forwarding is disabled or there is a blocking forwarding rule 
in the firewall. If I am not wrong, masquerading should affect the source IP 
address of forwarded packets, but not their presence.



> > Warning: if you have not configured network interfaces for DHCP in dnsmasq
> > then do it. Otherwise other computers connected to the upstream WiFi link
> > may receive DHCP leases emitted from wlxe8de27a5ab1c.
> 
> The only thing I added to dnsmasq configuration is one line in
> /etc/dnsmasq.d/myHomeDHCPrange file:
> dhcp-range=192.168.231.241,192.168.231.254,12h


Dnsmasq may be smart enough to not send DHCP leases to interfaces with 
addresses inconsistent with the specified range, but I would still limit the 
interfaces that dnsmasq listens on.


On 08/11/2023 21:30, Anssi Saari wrote:
> systemctl start nftables.service
> 
> So if you're experimenting, you edit /etc/nftables.conf and after
> editing run systemctl restart nftables.service


And be prepared that this command flushes away the rules added by docker. That 
is the reason why I suggested earlier creating a dedicated file that can 
reload a specific set of rules using "nft -f".


The current set of rules is more important than the state of the service.



Re: How do I connect my new wifi router (Mi Router 4C)?

2023-11-09 Thread Anssi Saari
Martin  writes:

> I just enabled it (again) now:
> root@redmoon:~# systemctl enable nftables.service
> Created symlink /etc/systemd/system/sysinit.target.wants/nftables.service → 
> /lib/systemd/system/nftables.service.
> root@redmoon:~# systemctl status nftables.service
> ○ nftables.service - nftables
>  Loaded: loaded (/lib/systemd/system/nftables.service; enabled; preset: 
> enabled)
>  Active: inactive (dead)
>Docs: man:nft(8)
>  http://wiki.nftables.org

In case it's unclear, enabling a service just means it'll be started at
boot. In practice it just creates a symlink as shown above. If you want
to start the service manually you do

systemctl start nftables.service

So if you're experimenting, you edit /etc/nftables.conf and after
editing run systemctl restart nftables.service



Re: How do I connect my new wifi router (Mi Router 4C)?

2023-11-08 Thread Martin
On Sun, Nov 05, 2023 at 10:55:12PM +0700, Max Nikulin wrote:
> It should be checked first and
> 
> journalctl -b -u nftables.service
> 
> alongside searching for any nft messages in "journalctl -b". I
> suggested earlier to read /usr/share/doc/nftables/README.Debian. It
> explicitly recommends enabling the service.

I just enabled it (again) now:
root@redmoon:~# systemctl enable nftables.service
Created symlink /etc/systemd/system/sysinit.target.wants/nftables.service → 
/lib/systemd/system/nftables.service.
root@redmoon:~# systemctl status nftables.service
○ nftables.service - nftables
 Loaded: loaded (/lib/systemd/system/nftables.service; enabled; preset: 
enabled)
 Active: inactive (dead)
   Docs: man:nft(8)
 http://wiki.nftables.org
root@redmoon:~# journalctl -b -u nftables.service
-- No entries --

> > 2: enp3s0:  mtu 1500 qdisc fq_codel state 
> > UP group default qlen 1000
> > inet 192.168.231.3/24 brd 192.168.231.255 scope global enp3s0
> 
> I hope your router allows viewing the configuration received from the DHCP
> server. Since static addresses were working (and it can be rechecked), I
> guess the gateway is not explicitly configured, so the router tries to send
> packets to 192.168.231.1. Either change the interface IP or configure
> dnsmasq to send 192.168.231.3.

I think WiFi is configured properly (with automatic setup it has the same
settings as I set with manual setup)

Here is output from phone connected to WiFi setup program:
Connection type: DHCP
IP address: 192.168.231.243
Subnet mask: 255.255.255.0
Default gateway: 192.168.231.3
DNS: 192.168.231.3

Those are the same values I was providing previously when I used manual setup.

> To debug run wireshark or tcpdump on enp3s0 and wlxe8de27a5ab1c to check
> that packets from the phone are properly received and routed.

Well, this is the part where my knowledge is as thin as it can be, sadly.
I have read part of the manual page for tcpdump and some web page with tutorials,
and all I came up with is to issue these commands:
$ sudo tcpdump -s 0 -i any -w any-0.pcap
$ tcpdump -r any-0.pcap > any-0.tcpdump

While tcpdump was recording what was going on on the network I did these things
from my phone:
connect with browser to: http://www.google.com
In a terminal program that I downloaded on the phone I issued these commands
(the top 2 pings worked, the third did not)
ping -c1 192.168.0.16
ping -c1 192.168.231.3
ping -c1 google.come
connect with browser to: http://192.168.231.3/test.html

The connection to www.google.com did not work, but the connection to my own
web server did show the test.html page (which I created for this)

I have run these commands 2 times: once right after rebooting when my changes to
nftables were not done yet, and a second time after I added this to nftables:
table ip masqrule {
chain postrouting {
type nat hook postrouting priority srcnat; policy accept;
ip saddr 192.168.231.0/24 oifname "wlxe8de27a5ab1c" masquerade
}
}

and here are the outputs of tcpdump (I posted them to pastebin as they are 
not tiny)
(tcpdump -r any-0-no_masq.pcap  > any-0-no_masq.tcpdump) (pastebinit -i 
any-0-no_masq.tcpdump)
https://paste.debian.net/hidden/be2f7994/
(tcpdump -r any-0.pcap  > any-0.tcpdump) (pastebinit -i any-0.tcpdump)
https://paste.debian.net/hidden/1589ec04/

There are also the same outputs with the '-n' option (to print IP numbers instead 
of names):
(tcpdump -r any-0-no_masq.pcap -n > any-0-no_masq-n.tcpdump) (pastebinit -i 
any-0-no_masq-n.tcpdump)
https://paste.debian.net/hidden/08ecfd39/
(tcpdump -r any-0.pcap -n > any-0-n.tcpdump) (pastebinit -i any-0-n.tcpdump)
https://paste.debian.net/hidden/a55e6f77/

Here is an extract from https://paste.debian.net/hidden/a55e6f77/ that I think is
the connection to google:

10:47:52.614642 enp3s0 In  IP 192.168.231.243.48257 > 192.168.231.3.53: 29809+ 
A? www.google.com. (32)
10:47:52.614851 wlxe8de27a5ab1c Out IP 192.168.0.16.34673 > 81.24.247.14.53: 
10155+ A? www.google.com. (32)
10:47:52.614902 wlxe8de27a5ab1c Out IP 192.168.0.16.34673 > 81.24.247.44.53: 
10155+ A? www.google.com. (32)
10:47:52.791389 wlxe8de27a5ab1c In  IP 81.24.247.14.53 > 192.168.0.16.34673: 
10155 1/0/0 A 142.251.208.132 (62)
10:47:52.791559 enp3s0 Out IP 192.168.231.3.53 > 192.168.231.243.48257: 29809 
1/0/0 A 142.251.208.132 (62)
10:47:52.794704 enp3s0 In  IP 192.168.231.243.46639 > 142.251.208.132.80: Flags 
[S], seq 4183167263, win 29200, options [mss 1460,sackOK,TS val 19413 ecr 
0,nop,wscale 6], length 0
10:47:52.846385 enp3s0 In  IP 192.168.231.243.46640 > 142.251.208.132.80: Flags 
[S], seq 1626803236, win 29200, options [mss 1460,sackOK,TS val 19418 ecr 
0,nop,wscale 6], length 0
10:47:53.819034 enp3s0 In  IP 192.168.231.243.46639 > 142.251.208.132.80: Flags 
[S], seq 4183167263, win 29200, options [mss 1460,sackOK,TS val 19513 ecr 
0,nop,wscale 6], length 0
10:47:53.843797 enp3s0 In  IP 192.168.231.243.46640 > 142.251.208.132.80: Flags 
[S], 

Re: How do I connect my new wifi router (Mi Router 4C)?

2023-11-05 Thread Martin
On Sun, Nov 05, 2023 at 06:48:47AM +, Tixy wrote:
> On Sat, 2023-11-04 at 20:08 +0100, Martin wrote:
> [...]
> > BTW putting the above script into /etc/nftables.conf (at the bottom of the file)
> > did not ever work - I always had to run that file manually as root.
> > Command 'nft list ruleset' only then showed this table.
> > I have no idea why. To me it seemed as if the /etc/nftables.conf file
> > was not executed (I have rebooted many times so this file should run).
> [...]
> 
> Did you enable the nftables service? To do that, use:
> 
> # systemctl enable nftables.service
> 
> and to see status of the service
> 
> # systemctl status nftables.service

It was not enabled by default. I enabled it now.
That is great - now I know where to put the script when it starts working.
Unfortunately I am not there yet :(

Thank you.
Martin



Re: How do I connect my new wifi router (Mi Router 4C)?

2023-11-05 Thread Martin
On Sun, Nov 05, 2023 at 10:26:17AM +0200, Anssi Saari wrote:
> Anyways, a typical masquerade rule would specify the source network and
> an outgoing interface. For example, I have in my Linux router:
> 
> ip saddr 10.0.2.0/24 oifname "enp1s0" masquerade
> 
> so for you that would become
> 
> ip saddr 192.168.231.0/24 oifname "wlxe8de27a5ab1c" masquerade

I tried this line too, unfortunately it does not work either.
I mean after executing the config file with this line it shows up in the
output of the command 'nft list ruleset' but I still cannot connect to the
internet from my phone.

I tried many lines similar to this, none work:
ip saddr 192.168.231.3/24 ip daddr != 192.168.231.3/24 masquerade
ip saddr 192.168.231.0/24 ip daddr != 192.168.231.0/24 masquerade
ip saddr 192.168.231.0/24 oifname "wlxe8de27a5ab1c" masquerade
oifname "wlxe8de27a5ab1c" masquerade

I also noticed in the output of 'nft list ruleset' that other rules there are
using capital letters so I tried it too:
instead of   chain postrouting {
I used       chain POSTROUTING {

I also tried to put this command in a table that already exists instead of
creating a new one (masqrule) - instead of running my whole script I ran
only one command (after a reboot, so there were no other changes made by me before):

nft add rule ip nat POSTROUTING oifname  wlxe8de27a5ab1c  masquerade

(note that here I used the 'ip nat' table that is added automatically by the
docker server, I guess)

Since nothing I tried works, I guess my next step should be to see
where/how those packets from the phone are handled. I guess the program for that
is tcpdump, which I have installed. But since I am unfamiliar with this tool
I would need help from the mailing list to guide me on what to look for and how
to use this tool.

So please, can you give me some info on what command I should use with
tcpdump to see where packets from the phone are going - or why they do not
go where they should?

Just a reminder - I can connect from the phone to my computer's web server - which
I also installed just for debugging this. The problem is I cannot connect from the
phone to the internet (let's say google.com)

Martin



Re: How do I connect my new wifi router (Mi Router 4C)?

2023-11-05 Thread Max Nikulin

On 05/11/2023 13:48, Tixy wrote:
> On Sat, 2023-11-04 at 20:08 +0100, Martin wrote:
> [...]
> > BTW putting the above script into /etc/nftables.conf (at the bottom of the file)
> > did not ever work - I always had to run that file manually as root.
> > Command 'nft list ruleset' only then showed this table.
> > I have no idea why. To me it seemed as if the /etc/nftables.conf file
> > was not executed (I have rebooted many times so this file should run).
> [...]
> 
> Did you enable the nftables service? To do that, use:
> 
> # systemctl enable nftables.service
> 
> and to see status of the service
> 
> # systemctl status nftables.service


It should be checked first, and

journalctl -b -u nftables.service

alongside searching for any nft messages in "journalctl -b". I 
suggested earlier to read /usr/share/doc/nftables/README.Debian. It 
explicitly recommends enabling the service.



> 2: enp3s0:  mtu 1500 qdisc fq_codel state UP 
> group default qlen 1000
> inet 192.168.231.3/24 brd 192.168.231.255 scope global enp3s0


I hope your router allows viewing the configuration received from the DHCP 
server. Since static addresses were working (and it can be rechecked), I 
guess the gateway is not explicitly configured, so the router tries to send 
packets to 192.168.231.1. Either change the interface IP or configure 
dnsmasq to send 192.168.231.3.


To debug run wireshark or tcpdump on enp3s0 and wlxe8de27a5ab1c to check 
that packets from the phone are properly received and routed.


Warning: if you have not configured network interfaces for DHCP in 
dnsmasq then do it. Otherwise other computers connected to the upstream 
WiFi link may receive DHCP leases emitted from wlxe8de27a5ab1c.




Re: How do I connect my new wifi router (Mi Router 4C)?

2023-11-05 Thread Anssi Saari
Martin  writes:

> #!/usr/sbin/nft -f
>
> table ip masqrule {}
> flush table ip masqrule
> table ip masqrule {
>   chain postrouting {
> type nat hook postrouting priority srcnat; policy accept;
> ip saddr 192.168.231.3/24 ip daddr != 192.168.231.3/24 masquerade
>   }
> }
>
> When I execute this file with sudo unfortunately nothing changes, I can
> not connect to the internet (trying www.google.com from phone).

I might guess it's because your masquerade rule does nothing. I'm not
sure though.

Anyways, a typical masquerade rule would specify the source network and
an outgoing interface. For example, I have in my Linux router:

ip saddr 10.0.2.0/24 oifname "enp1s0" masquerade

so for you that would become

ip saddr 192.168.231.0/24 oifname "wlxe8de27a5ab1c" masquerade



Re: How do I connect my new wifi router (Mi Router 4C)?

2023-11-05 Thread Tixy
On Sat, 2023-11-04 at 20:08 +0100, Martin wrote:
[...]
> BTW putting the above script into /etc/nftables.conf (at the bottom of the file)
> did not ever work - I always had to run that file manually as root.
> Command 'nft list ruleset' only then showed this table.
> I have no idea why. To me it seemed as if the /etc/nftables.conf file
> was not executed (I have rebooted many times so this file should run).
[...]

Did you enable the nftables service? To do that, use:

# systemctl enable nftables.service

and to see status of the service

# systemctl status nftables.service

-- 
Tixy



Re: How do I connect my new wifi router (Mi Router 4C)?

2023-11-04 Thread Martin
On Thu, Oct 26, 2023 at 10:00:08PM +0700, Max Nikulin wrote:
> On 26/10/2023 17:06, Martin wrote:
> > On Thu, Oct 26, 2023 at 09:54:22AM +0700, Max Nikulin wrote:
> > > 
> > > #!/usr/sbin/nft -f
> > > table inet sharedconnection {}
> > > flush table inet sharedconnection
> > > table ip sharedconnection { ... } from above

> I wrote "FILE" in caps trying to express that you can choose any name.
> Debian has /etc/nftables.conf and nft supports the "include" directive, see
> nft(8). So you may put your file to /etc or to create a dedicated directory,
> e.g. /etc/nftables.conf.d, for your settings and include your file from the
> main conf file, so it should be applied on each boot by nftables.service.
> You may put "table ip shared ..." content directly into /etc/nftables.conf
> as well, however I prefer to minimize changes in files provided by packages
> when it is possible to use additional ones.

> By the way, since you have dnsmasq running, you may enable its DHCP server
> (dhcp-range=192.168.231.5,192.168.231.254) and may switch mi router from
> static network configuration to DHCP.

Sorry for the long pause in replying (my hard disk was dying so I replaced the HD and
installed the whole of debian from scratch).

Now (after reinstalling everything) I am at the point where I want to make my
router work. I set up dnsmasq to enable DHCP with this line in the config:
dhcp-range=192.168.231.241,192.168.231.254,12h
and reset my WiFi router; after a little configuring with my phone I can
connect my phone to the WiFi router and to my computer (that still has address
192.168.231.3). I can access the http server on my computer when I type in my
phone's web browser this address to connect: http://192.168.231.3/text.html
(I created the file /var/www/html/test.html on my computer)

That is all without changing anything with the nft program.
I created a file with exactly this content:

#!/usr/sbin/nft -f

table ip masqrule {}
flush table ip masqrule
table ip masqrule {
  chain postrouting {
type nat hook postrouting priority srcnat; policy accept;
ip saddr 192.168.231.3/24 ip daddr != 192.168.231.3/24 masquerade
  }
}

When I execute this file with sudo unfortunately nothing changes, I can
not connect to the internet (trying www.google.com from phone).

[[ this is about the old system I had on the old HD:
I remember that before reinstalling the whole system, at this point I had a connection
from my phone to the internet (I could see google and then some videos on
youtube worked too on the phone). After I rebooted my old system I could not
connect to the internet anymore from the phone. I slightly changed the script
from your post to the current state (namely using ip always instead of inet in the
first two lines of the script and using 'masqrule' as the table name). I think those
changes are ok.
]]

I have no idea what else I should try to make this work. Maybe I forgot
to issue some command (but I do not think so).

BTW putting the above script into /etc/nftables.conf (at the bottom of the file)
did not ever work - I always had to run that file manually as root.
Command 'nft list ruleset' only then showed this table.
I have no idea why. To me it seemed as if the /etc/nftables.conf file
was not executed (I have rebooted many times so this file should run).

Bye
Martin

My current network connections, and 'ip route' command:
(I see 2 changes from my previous setup: tun0 and br-7bfdce95ff27 are missing;
they were created automatically before, so I hope it does not matter that they
are not present now - both were doing local addresses 10.1.1.1/24 and
172.18.0.1/16; maybe they will appear when I install more programs from the
repository - I am not worried about them, just mentioning it to be complete)
root@redmoon:~# ip address list
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group 
default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
   valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
   valid_lft forever preferred_lft forever
2: enp3s0:  mtu 1500 qdisc fq_codel state UP 
group default qlen 1000
link/ether e0:d5:5e:73:c9:d3 brd ff:ff:ff:ff:ff:ff
inet 192.168.231.3/24 brd 192.168.231.255 scope global enp3s0
   valid_lft forever preferred_lft forever
inet6 fe80::e2d5:5eff:fe73:c9d3/64 scope link proto kernel_ll
   valid_lft forever preferred_lft forever
3: wlxe8de27a5ab1c:  mtu 1500 qdisc noqueue 
state UP group default qlen 1000
link/ether e8:de:27:a5:ab:1c brd ff:ff:ff:ff:ff:ff
inet 192.168.0.16/24 brd 192.168.0.255 scope global dynamic wlxe8de27a5ab1c
   valid_lft 591334sec preferred_lft 591334sec
inet6 fe80::eade:27ff:fea5:ab1c/64 scope link proto kernel_ll
   valid_lft forever preferred_lft forever
4: docker0:  mtu 1500 qdisc noqueue state 
DOWN group default
link/ether 02:42:33:88:62:ce brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
   valid_lft forever preferred_lft forever
root@redmoon:~# ip route
default via 192.168.0.1 dev wlxe8de27a5ab1c

Re: How do I connect my new wifi router (Mi Router 4C)?

2023-10-26 Thread Max Nikulin

On 26/10/2023 17:06, Martin wrote:
> On Thu, Oct 26, 2023 at 09:54:22AM +0700, Max Nikulin wrote:
> > #!/usr/sbin/nft -f
> > table inet sharedconnection {}
> > flush table inet sharedconnection
> > # table ip shared connection { ... } from above
> 
> I did create FILE.conf and after executing it I can connect to the internet from
> my phone. THANK YOU!
> 
> Now where do I put this FILE.conf? I would like it to run every time
> I turn on my computer.


I wrote "FILE" in caps trying to express that you can choose any name. 
Debian has /etc/nftables.conf and nft supports the "include" directive, 
see nft(8). So you may put your file in /etc or create a dedicated 
directory, e.g. /etc/nftables.conf.d, for your settings and include your 
file from the main conf file, so it is applied on each boot by 
nftables.service. You may put the "table ip shared ..." content directly 
into /etc/nftables.conf as well, however I prefer to minimize changes in 
files provided by packages when it is possible to use additional ones.


Instead of installing dnsmasq you may specify a public dns server in 
your router settings (8.8.8.8, etc.). Or if you are sure that DNS 
configuration provided by the upstream router 192.168.0.1 is stable then 
you may use servers from DHCP lease. However having a local caching DNS 
server (dnsmasq or systemd-resolved) should not harm.


By the way, since you have dnsmasq running, you may enable its DHCP 
server (dhcp-range=192.168.231.5,192.168.231.254) and may switch mi 
router from static network configuration to DHCP.


As a final note, NetworkManager allows creating "shared" connections 
(ipv4.method). It starts dnsmasq and adds the necessary firewall nat rules. 
I used it in both directions: with an ethernet upstream connection to share 
wifi, or to leverage a 1G ethernet link to copy files between laptops while 
one of them has an active wifi connection.




Re: How do I connect my new wifi router (Mi Router 4C)?

2023-10-26 Thread Martin
On Thu, Oct 26, 2023 at 09:54:22AM +0700, Max Nikulin wrote:
> On 26/10/2023 02:20, Martin wrote:
> > On Wed, Oct 25, 2023 at 07:33:52PM +0700, Max Nikulin wrote:
> > > should have something like
> > > 
> > > table ip sharedconnection {
> > >chain postrouting {
> > >  type nat hook postrouting priority srcnat; policy accept;
> > >  ip saddr 192.168.231.3/24 ip daddr != 192.168.231.3/24 masquerade
> > >}
> > > }
> 
> "sharedconnection" is an arbitrary name. It should be chosen to not conflict
> with other applications. Actually you have nat masquerading rules created by
> docker for other interfaces. Read /usr/share/doc/nftables/README.Debian and
> choose a convenient for you way to add rules. You may add the following
> heading and may save rules to a file that may be read by either "nft -f
> FILE.conf" or just executing it.
> 
> #!/usr/sbin/nft -f
> table inet sharedconnection {}
> flush table inet sharedconnection
> # table ip shared connection { ... } from above

I did create FILE.conf and after executing it I can connect to the internet from
my phone. THANK YOU!

Now where do I put this FILE.conf? I would like it to run every time
I turn on my computer. Is there some standard place for it - perhaps in the
/etc directory? Maybe I should create some script in the /etc/init.d/
directory?

Martin



Re: How do I connect my new wifi router (Mi Router 4C)?

2023-10-25 Thread Max Nikulin

On 26/10/2023 02:20, Martin wrote:
> On Wed, Oct 25, 2023 at 07:33:52PM +0700, Max Nikulin wrote:
> > should have something like
> > 
> > table ip sharedconnection {
> >   chain postrouting {
> >     type nat hook postrouting priority srcnat; policy accept;
> >     ip saddr 192.168.231.3/24 ip daddr != 192.168.231.3/24 masquerade
> >   }
> > }
> 
> I did not add any masquerading rules by myself and the output of the command
> 'nft list ruleset' is shown below. It does not have anything like you
> showed in the section 'table ip sharedconnection'.


"sharedconnection" is an arbitrary name. It should be chosen to not 
conflict with other applications. Actually you have nat masquerading 
rules created by docker for other interfaces. Read 
/usr/share/doc/nftables/README.Debian and choose a convenient for you 
way to add rules. You may add the following heading and may save rules 
to a file that may be read by either "nft -f FILE.conf" or just 
executing it.


#!/usr/sbin/nft -f
table inet sharedconnection {}
flush table inet sharedconnection
# table ip shared connection { ... } from above

---

The upstream WiFi router does not know that packets addressed to 
192.168.231.5 (mi router) should be sent to your computer 
(192.168.0.16), so your computer should make the upstream router believe 
that all packets from your phone originate from 192.168.0.16.




Re: How do I connect my new wifi router (Mi Router 4C)?

2023-10-25 Thread David Wright
On Wed 25 Oct 2023 at 11:04:59 (+0300), Anssi Saari wrote:
> Martin  writes:
> > With wifi antena I receive a (rather weak) signal that connect my
> > computer to internet. I have to use windsurfer antena booster
> > (http://members.multiweb.nl/schaaijw/windsurfer_wifi_en.pdf)
> > to get usable signal. So my computer have internet signal from
> > wifi antena - yay great thing :)
> >
> > Now I also want to connect to internet with my mobile phone!
> 
> You mean you want to use some unspecified wifi signal with your phone
> also? Share the connection to your phone and computer? The link to this
> "windsurfer" doesn't work so it's a little hard to help if you can't
> describe what you have.

I presume what's going on here is that the Internet is provided by
a wifi access point that is distant and inaccessible (say, next door).
The windsurfer is a shaped piece of aluminium foil that pops over the
aerial to make a sort of parabola. Normally, you'd put this over your
modem/router's (external) aerial to increase the signal transmitted to
parts of your house (though it decreases it in the opposite direction).
But I'm guessing that here the windsurfer is on the computer's wifi
aerial, to improve the received signal.

That's why the OP's router (which, again presumably, has no Internet
Service) is connected "backwards", so the computer is the WAN, and
the mobile phone is the sole device on the LAN.

IOW Max's reply represents a string↔of↔connected↔devices rather than
- a
- bullet
- list.

> You have some kind of mysterious internet connection from
> something. That needs to connect to the router's WAN port.

That's how I would cascade two routers: a LAN port on the main
router connects by a plumbed-in Cat5 cable to a port on the
secondary router. The latter port would be the WAN connection,
but that's broken on mine, so I have to connect the cable to
a LAN port. I guess that makes my secondary router a switch?

Cheers,
David.



Re: How do I connect my new wifi router (Mi Router 4C)?

2023-10-25 Thread Martin
On Wed, Oct 25, 2023 at 02:15:36PM +0200, Marco M. wrote:
> On 25.10.2023 at 13:33:48 Martin wrote:
> 
> > On Wed, Oct 25, 2023 at 08:47:03AM +0200, Marco M. wrote:
> > > 
> > > Why don't you use DHCP like your phone does?  
> > 
> > Because I used this computer before I had WiFi and phone.
> 
> Why is it a problem to change it?
> Do you really want to deal with manually addressing machines?

I only have one computer, and now this new router. Because I only have
one computer I did not feel the need to use DHCP to automatically assign me
an IP address.

Martin



Re: How do I connect my new wifi router (Mi Router 4C)?

2023-10-25 Thread Martin
On Wed, Oct 25, 2023 at 07:33:52PM +0700, Max Nikulin wrote:
> On 25/10/2023 18:24, Martin wrote:
> > On Wed, Oct 25, 2023 at 03:17:09PM +0700, Max Nikulin wrote:
> > > 
> > > So packet forwarding should be enabled on the computer.
> 
> sysctl net.ipv4.ip_forward
> 
> almost certainly enabled since you have the docker0 network interface

You are right, it is enabled:

$ sudo sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

> I hope, you have a DNS server running on this machine
> 
> host debian.org 192.168.231.3

I did not have dig installed but host worked; alas, it showed me that I do
not have a DNS server installed. So I installed the dnsmasq package and
wonders happened (without me editing any config files - just installing
dnsmasq) - on my mobile phone when I connected to the 192.168.31.1 address
(the default router address when I look from the phone) it now showed a green line
from the router to the internet.

But unfortunately the phone does not connect to the internet yet. I guess I will
need to issue some 'sudo route' command to add a path from my router to the
outside world (actually I have no idea if this is the problem).

> Check that you do not have blocking rules in firewall

I do not use a firewall anymore, since I stopped using the wired home phone
(dialup modem) to connect to the internet with the ppp protocol. Since I am now
connected to the internet via my weak antenna which is connected to router(A)
and then to the internet, I know that the distant router(A) is protected enough
(after all it uses only a local address that I can see, 192.168.0.1).

> and that masquerading
> is enabled for your downstream link enp3s0
> 
> nft list ruleset
> 
> should have something like
> 
> table ip sharedconnection {
>   chain postrouting {
> type nat hook postrouting priority srcnat; policy accept;
> ip saddr 192.168.231.3/24 ip daddr != 192.168.231.3/24 masquerade
>   }
> }

I did not add any masquerading rules by myself and the output of the command
'nft list ruleset' is shown below. It does not have anything like you
showed in the section 'table ip sharedconnection'. I remember using the iptables
command to make a firewall and masquerade my computer while I was using the
dialup modem internet connection. I do not set up or use any iptables rules
manually anymore.

So this is probably what I need to figure out: how to use masquerading
and other firewall rules to enable my new router to connect to the outside
internet. (I must admit that I forgot what rules I should use to enable
this setup - so I need your help)

Here is the output of the 'nft list ruleset', 'iptables -S' and 'iptables -L' commands:
(I am not sure they provide different info, but here they are)

Thanks a lot
Martin


$ sudo nft list ruleset
# Warning: table ip nat is managed by iptables-nft, do not touch!
table ip nat {
	chain DOCKER {
		iifname "docker0" counter packets 0 bytes 0 return
		iifname "br-7bfdce95ff27" counter packets 0 bytes 0 return
	}

	chain POSTROUTING {
		type nat hook postrouting priority srcnat; policy accept;
		oifname "wlxe8de27a5ab1c" ip saddr 10.1.1.0/24 counter packets 192 bytes 11818 masquerade
		oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 0 bytes 0 masquerade
		oifname != "br-7bfdce95ff27" ip saddr 172.18.0.0/16 counter packets 0 bytes 0 masquerade
	}

	chain PREROUTING {
		type nat hook prerouting priority dstnat; policy accept;
		fib daddr type local counter packets 7727 bytes 479748 jump DOCKER
	}

	chain OUTPUT {
		type nat hook output priority dstnat; policy accept;
		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 3 bytes 196 jump DOCKER
	}
}
# Warning: table ip filter is managed by iptables-nft, do not touch!
table ip filter {
	chain DOCKER {
	}

	chain DOCKER-ISOLATION-STAGE-1 {
		iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
		iifname "br-7bfdce95ff27" oifname != "br-7bfdce95ff27" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
		counter packets 27 bytes 1780 return
	}

	chain DOCKER-ISOLATION-STAGE-2 {
		oifname "docker0" counter packets 0 bytes 0 drop
		oifname "br-7bfdce95ff27" counter packets 0 bytes 0 drop
		counter packets 0 bytes 0 return
	}

	chain FORWARD {
		type filter hook forward priority filter; policy drop;
		 counter packets 57740 bytes 51358193 accept
		counter packets 25 bytes 1644 jump DOCKER-USER
		counter packets 25 bytes 1644 jump DOCKER-ISOLATION-STAGE-1
		oifname "docker0" ct state related,established counter packets 0 bytes 0 accept
		oifname "docker0" counter packets 0 bytes 0 jump DOCKER
		iifname "docker0" oifname != "docker0" counter packets 0 

Re: How do I connect my new wifi router (Mi Router 4C)?

2023-10-25 Thread Max Nikulin

On 25/10/2023 18:24, Martin wrote:

On Wed, Oct 25, 2023 at 03:17:09PM +0700, Max Nikulin wrote:


So packet forwarding should be enabled on the computer.


sysctl net.ipv4.ip_forward

almost certainly enabled since you have the docker0 network interface


However I suspect an issue with IP addresses.

I was wrong.


2: enp3s0:  mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether e0:d5:5e:73:c9:d3 brd ff:ff:ff:ff:ff:ff
    inet 192.168.231.3/24 brd 192.168.231.255 scope global enp3s0

[...]

3: wlxe8de27a5ab1c:  mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether e8:de:27:a5:ab:1c brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.16/24 brd 192.168.0.255 scope global dynamic wlxe8de27a5ab1c


looks consistent from router settings you posted earlier


 IP address: 192.168.231.5
Subnet mask: 255.255.255.0
Default gateway: 192.168.231.3
DNS: 192.168.231.3


I hope, you have a DNS server running on this machine

dig debian.org @192.168.231.3

or

host debian.org 192.168.231.3

Check that you do not have blocking rules in firewall and that 
masquerading is enabled for your downstream link enp3s0


nft list ruleset

should have something like

table ip sharedconnection {
  chain postrouting {
type nat hook postrouting priority srcnat; policy accept;
ip saddr 192.168.231.3/24 ip daddr != 192.168.231.3/24 masquerade
  }
}

A tool for further debugging is tcpdump or wireshark.
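The two firewall checks Max lists above (no blocking rule on the forward hook, a masquerade rule that actually covers the downstream subnet on the upstream interface) can be run mechanically against a saved `nft list ruleset` dump. The script below is an added example and is not code from this thread or from any participant; the function names, the report layout and the two embedded rulesets are assumptions made for illustration. The rulesets are condensed copies of text from the thread: the iptables-nft managed tables Martin posted, and the `sharedconnection` table from this message. The script lists every masquerade rule with its source subnet and outgoing interface, reports the policy of each base chain on the forward hook, and flags rules in those chains that carry no match expression at all, because a bare `accept` ahead of the Docker chains makes the chain's `policy drop` irrelevant for every forwarded packet, whatever interface it came from.

```python
"""Audit a saved `nft list ruleset` dump for a shared-connection setup.

Added example for this thread (not code from any participant).  Function
names, the report layout and the two embedded rulesets are assumptions
made for illustration; the rulesets are condensed copies of text that
appears in the thread.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample 1: condensed from the iptables-nft managed ruleset Martin
# posted (docker chains omitted except where they matter for the checks).
SAMPLE_RULESET = """\
table ip nat {
    chain POSTROUTING {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wlxe8de27a5ab1c" ip saddr 10.1.1.0/24 counter packets 192 bytes 11818 masquerade
        oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 0 bytes 0 masquerade
    }
}
table ip filter {
    chain FORWARD {
        type filter hook forward priority filter; policy drop;
        counter packets 57740 bytes 51358193 accept
        counter packets 25 bytes 1644 jump DOCKER-USER
    }
}
"""

# Constructed sample 2: the minimal table Max suggests for sharing enp3s0.
SHARED_RULESET = """\
table ip sharedconnection {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        ip saddr 192.168.231.0/24 ip daddr != 192.168.231.0/24 masquerade
    }
}
"""

@dataclass
class Chain:
    table: str
    name: str
    hook: Optional[str] = None      # set only for base chains
    policy: Optional[str] = None
    rules: List[str] = field(default_factory=list)

COUNTER_RE = re.compile(r"\s*counter packets \d+ bytes \d+\s*")
TABLE_RE = re.compile(r"table (\S+) (\S+) \{")
CHAIN_RE = re.compile(r"chain (\S+) \{")
BASE_RE = re.compile(r"type \S+ hook (\S+) priority [^;]+; policy (\w+);")

def parse_ruleset(text: str) -> List[Chain]:
    """Turn the textual dump into Chain objects (comments and blank lines ignored)."""
    chains, table, chain = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := TABLE_RE.match(line):
            table = f"{m.group(1)} {m.group(2)}"
        elif m := CHAIN_RE.match(line):
            chain = Chain(table, m.group(1))
            chains.append(chain)
        elif line == "}":
            chain = None            # closes a chain, or the table itself
        elif chain and (m := BASE_RE.match(line)):
            chain.hook, chain.policy = m.group(1), m.group(2)
        elif chain:
            chain.rules.append(line)
    return chains

def strip_counter(rule: str) -> str:
    """Drop the `counter packets N bytes M` statement so only match + verdict remain."""
    return COUNTER_RE.sub(" ", rule).strip()

def masquerade_rules(chains):
    """Every masquerade rule on a postrouting hook, as (oifname, negated, saddr)."""
    found = []
    for c in chains:
        if c.hook != "postrouting":
            continue
        for r in c.rules:
            if not strip_counter(r).endswith("masquerade"):
                continue
            oif = re.search(r'oifname (!= )?"([^"]+)"', r)
            saddr = re.search(r"ip saddr (\S+)", r)
            found.append((oif.group(2) if oif else None,
                          bool(oif and oif.group(1)),
                          saddr.group(1) if saddr else None))
    return found

def masquerade_covers(chains, subnet: str, upstream: str) -> bool:
    """True if traffic from `subnet` leaving via `upstream` hits a masquerade rule."""
    want = ipaddress.ip_network(subnet)
    for oif, negated, saddr in masquerade_rules(chains):
        if saddr is not None and not want.subnet_of(ipaddress.ip_network(saddr, strict=False)):
            continue
        if oif is None or (oif != upstream if negated else oif == upstream):
            return True
    return False

def forward_chains(chains):
    """(table, chain, policy) for each base chain on the forward hook."""
    return [(c.table, c.name, c.policy) for c in chains if c.hook == "forward"]

def unconditional_verdicts(chains, hook: str = "forward"):
    """Rules on `hook` that are a bare verdict with no match expression (counters ignored)."""
    out = []
    for c in chains:
        if c.hook != hook:
            continue
        for idx, r in enumerate(c.rules):
            bare = strip_counter(r)
            if bare in ("accept", "drop", "reject"):
                out.append((c.name, idx, bare))
    return out

def audit(text: str, downstream_subnet: str, upstream_if: str) -> dict:
    chains = parse_ruleset(text)
    return {
        "masquerade_ok": masquerade_covers(chains, downstream_subnet, upstream_if),
        "forward_policies": forward_chains(chains),
        "bare_forward_verdicts": unconditional_verdicts(chains),
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE_RULESET, "192.168.231.0/24", "wlxe8de27a5ab1c").items():
        print(f"{key}: {value}")
```

Run against the first sample it reports `masquerade_ok: False` (only 10.1.1.0/24 and the Docker subnets are masqueraded, not 192.168.231.0/24), a FORWARD chain with `policy drop`, and a bare `accept` at rule index 0 of that chain; against the `sharedconnection` table it reports the masquerade as present. Rule matching on `ip daddr` is deliberately ignored, and a real dump may carry other NAT forms (`snat to`) that the script does not look for.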



Re: How do I connect my new wifi router (Mi Router 4C)?

2023-10-25 Thread Marco M.
Am 25.10.2023 um 13:33:48 Uhr schrieb Martin:

> On Wed, Oct 25, 2023 at 08:47:03AM +0200, Marco M. wrote:
> > 
> > Why don't you use DHCP like your phone does?  
> 
> Because I used this computer before I had WiFi and phone.

Why is it a problem to change it?
Do you really want to deal with manually addressing machines?

> > Show 
> > ip a  
> 
> I posted output of that command to Max Nikulin email.
> 
> (Do not want to post same info twice again as first email)

This is a mailing list, please keep the discussion here on the list and
do not send emails directly to subscribers. Nobody else can read them.



Re: How do I connect my new wifi router (Mi Router 4C)?

2023-10-25 Thread Martin
On Wed, Oct 25, 2023 at 08:47:03AM +0200, Marco M. wrote:
> 
> Why don't you use DHCP like your phone does?

Because I used this computer before I had WiFi and phone.

> Show 
> ip a

I posted output of that command to Max Nikulin email.

(Do not want to post same info twice again as first email)

Martin



Re: How do I connect my new wifi router (Mi Router 4C)?

2023-10-25 Thread Martin
On Wed, Oct 25, 2023 at 03:17:09PM +0700, Max Nikulin wrote:
> On 25/10/2023 15:04, Anssi Saari wrote:
> > You have some kind of mysterious internet connection from something.
> > That needs to connect to the router's WAN port.
> 
> My guess is the following:
> 
> - Source of weak WiFi
> - WiFi booster
> - WiFi adapter in computer
> - ethernet port in computer
> - ethernet port of Mi router
> - WiFi provided by Mi router
> - WiFi adapter inside the phone
> 
> So packet forwarding should be enabled on the computer. However I suspect an
> issue with IP addresses. Martin, please, provide output of
> 
> ip address list

You are absolutely correct with your guess - although it took me
some time to understand what you are talking about - which is all my
fault.

Here is the result of the 'ip address list' and also 'ip route' commands:

$ ip address list
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: enp3s0:  mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether e0:d5:5e:73:c9:d3 brd ff:ff:ff:ff:ff:ff
    inet 192.168.231.3/24 brd 192.168.231.255 scope global enp3s0
       valid_lft forever preferred_lft forever
    inet6 fe80::e2d5:5eff:fe73:c9d3/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
3: wlxe8de27a5ab1c:  mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether e8:de:27:a5:ab:1c brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.16/24 brd 192.168.0.255 scope global dynamic wlxe8de27a5ab1c
       valid_lft 535000sec preferred_lft 535000sec
    inet6 fe80::eade:27ff:fea5:ab1c/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
4: docker0:  mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:42:5b:a7:3b brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
5: br-7bfdce95ff27:  mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:52:ec:22:75 brd ff:ff:ff:ff:ff:ff
    inet 172.18.0.1/16 brd 172.18.255.255 scope global br-7bfdce95ff27
       valid_lft forever preferred_lft forever
6: tun0:  mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none
    inet 10.1.1.1/24 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::f84d:e9fc:4ea5:f7fa/64 scope link stable-privacy proto kernel_ll
       valid_lft forever preferred_lft forever

$ ip route
default via 192.168.0.1 dev wlxe8de27a5ab1c
10.1.1.0/24 dev tun0 proto kernel scope link src 10.1.1.1
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
172.18.0.0/16 dev br-7bfdce95ff27 proto kernel scope link src 172.18.0.1 linkdown
192.168.0.0/24 dev wlxe8de27a5ab1c proto kernel scope link src 192.168.0.16
192.168.231.0/24 dev enp3s0 proto kernel scope link src 192.168.231.3



Re: How do I connect my new wifi router (Mi Router 4C)?

2023-10-25 Thread Max Nikulin

On 25/10/2023 15:04, Anssi Saari wrote:
You have some kind of mysterious internet connection from something. 
That needs to connect to the router's WAN port.


My guess is the following:

- Source of weak WiFi
- WiFi booster
- WiFi adapter in computer
- ethernet port in computer
- ethernet port of Mi router
- WiFi provided by Mi router
- WiFi adapter inside the phone

So packet forwarding should be enabled on the computer. However I 
suspect an issue with IP addresses. Martin, please, provide output of


ip address list



Re: How do I connect my new wifi router (Mi Router 4C)?

2023-10-25 Thread Anssi Saari
Martin  writes:

> Hello,
>
> With wifi antenna I receive a (rather weak) signal that connects my
> computer to internet. I have to use windsurfer antenna booster
> (http://members.multiweb.nl/schaaijw/windsurfer_wifi_en.pdf)
> to get usable signal. So my computer has internet signal from
> wifi antenna - yay great thing :)
>
> Now I also want to connect to internet with my mobile phone!

You mean you want to use some unspecified wifi signal with your phone
also? Share the connection to your phone and computer? The link to this
"windsurfer" doesn't work so it's a little hard to help if you can't
describe what you have.

> As it turns out I am not so bright to make this whole setup working :(
> I plugged in new router to power and connected ethernet cable from my
> computer to router WAN connection. (I believe this is how it should be
> connected together)

The WAN connection is for the internet, not your computer. It says as
much in the Xiaomi manual.

> While I was setting up router as described in
> https://manuals.plus/_mi/mi-router-4c-manual
> in Step 2 (point 3) it said I do not have internet.
> So I chose to manually set up 'Static address' for
> router as follows (my computer has IP address 192.168.231.3):
>
>  IP address: 192.168.231.5
> Subnet mask: 255.255.255.0
> Default gateway: 192.168.231.3
> DNS: 192.168.231.3
>
> After all this setup I could issue those commands on my desktop:
>
> (this is my desktop IP address - just to show it works)

So you created a LAN between your computer and the router.

> I hope someone will be able to give me some hint how to solve
> this issue and be able to connect to internet from router - and
> connected phone.

You have some kind of mysterious internet connection from
something. That needs to connect to the router's WAN port.



Re: How do I connect my new wifi router (Mi Router 4C)?

2023-10-25 Thread Marco M.
Am 25.10.2023 um 08:45:26 Uhr schrieb Martin:

> I am using /etc/network and here is whole /etc/network/interfaces
> file:
> 
> auto lo
> iface lo inet loopback
> 
> auto enp3s0
> iface enp3s0 inet static
>   address 192.168.231.3
>   netmask 255.255.255.0

Why don't you use DHCP like your phone does?

Show 
ip a



Re: How do I connect my new wifi router (Mi Router 4C)?

2023-10-25 Thread Martin
On Wed, Oct 25, 2023 at 07:24:10AM +0200, Marco M. wrote:
> 
> Please specify the EXACT model names and the exact wiring of your
> devices.

There is no other name than 'Mi Router 4C' made by Xiaomi.
2 links that I provided are for exact model I have.
(here they are again:
https://www.mi.com/global/product/mi-router-4c/
https://manuals.plus/_mi/mi-router-4c-manual)


The wiring is as follows:
a) power cable goes from wall to the far right socket
   (when looking from front of modem)
b) ethernet cable is connected from my desktop to far left socket of router.
   (there are also 2 middle ethernet cable sockets which I do not use;
   my guess is they are for connecting other devices -like desktop- to
   subnetwork that wifi router uses which is 192.168.31.X - my phone is
   getting address from this subnetwork when connected to wifi router)

> Please also tell us if you use NetworkManager or /etc/network for
> configuration.

I am using /etc/network and here is whole /etc/network/interfaces file:

auto lo
iface lo inet loopback

auto enp3s0
iface enp3s0 inet static
  address 192.168.231.3
  netmask 255.255.255.0

# auto wlxe8de27a5ab1c
iface wlxe8de27a5ab1c inet dhcp
 wpa-ssid Thomson
 wpa-psk mybigsecret

Martin



Re: How do I connect my new wifi router (Mi Router 4C)?

2023-10-24 Thread Martin
On Wed, Oct 25, 2023 at 06:52:09AM +0200, Geert Stappers wrote:
> On Wed, Oct 25, 2023 at 06:15:00AM +0200, Martin wrote:
> > I tried lot of setup and none worked.
> 
> And also missed https://lists.debian.org/debian-user/2023/10/msg00684.html
> and https://lists.debian.org/debian-user/2023/10/msg00685.html
> and https://lists.debian.org/debian-user/2023/10/msg00688.html
> and https://lists.debian.org/debian-user/2023/10/msg00690.html

Now I am very, very embarrassed.

When I first posted this message I got the error message back that it
could not be delivered. So I sent the same message again but did not receive
any response from mailing list. This is when I started looking at
browser on the link
https://lists.debian.org/debian-user/2023/10/threads.html but could not
find my message there (note that it shows only first page of 2 pages of
emails). I did not realize that this list has 2 pages, I always looked
only on the first page. And so I tried to use my different email
addresses that I had and post same message again few times. I also did
not receive any message back from mailing list that I sent (some of
addresses were not subscribed to mailing list). Finally I made a post
from this address and got the message back as posted in mailing list.
I guess it all boils down to the fact that I did not realize that the
https://lists.debian.org/debian-user/2023/10/threads.html page
has 2 pages, I was always looking at first page :(

Now I will hide under the rock and be ashamed.

But I really do need some advice about the problem I described in
(lot of the) messages I posted.

Martin



Re: How do I connect my new wifi router (Mi Router 4C)?

2023-10-24 Thread Marco M.
Am 25.10.2023 um 06:15:00 Uhr schrieb Martin:

> As it turns out I am not so bright to make this whole setup working :(
> I plugged in new router to power and connected ethernet cable from my
> computer to router WAN connection. (I believe this is how it should be
> connected together)

Please specify the EXACT model names and the exact wiring of your
devices.

Please also tell us if you use NetworkManager or /etc/network for
configuration.



Re: How do I connect my new wifi router (Mi Router 4C)?

2023-10-24 Thread Geert Stappers
On Wed, Oct 25, 2023 at 06:15:00AM +0200, Martin wrote:
> Hello,
> 
snip
> 
> I tried lot of setup and none worked.

And also missed https://lists.debian.org/debian-user/2023/10/msg00684.html
and https://lists.debian.org/debian-user/2023/10/msg00685.html
and https://lists.debian.org/debian-user/2023/10/msg00688.html
and https://lists.debian.org/debian-user/2023/10/msg00690.html
 


It is not how it works



Groeten
Geert Stappers
-- 
Silence is hard to parse