Jasager ICS question

[Joe C]

Hey guys,

I have managed to get Jasager installed on my fon 2100, everything seems to be working well with that. However when i try and set up the ICS as per the wiki, i seem to lock myself out of the fon. I can not ping the 192.168.0.250. I have followed the wiki exactly. Anything you guys can think of that may help, I have the exact ip scheme as the wiki so feel free to reference it if that helps.

Thanks

[DingleBerries]

What OS... Linux, Window, Mac? I havent read the wiki but i have done ICS before. Do you have a dhcp running on your computer to assign an IP to the fon?

[Joe C]

What OS... Linux, Window, Mac? I havent read the wiki but i have done ICS before. Do you have a dhcp running on your computer to assign an IP to the fon?

I am using windows xp, i do not have a dhcp server setup on it.. the wiki does not mention one however i remember Darren talking about one on the episode of hak5.

[colforbin]

Install Angry IP Scanner and sweep the 192.168.0.0 and 192.168.1.0 networks (all possible addresses). You should be able to find your fonera's IP hiding in there somewhere. I don't know why this is happening to you, but I've seen others reporting the same behavior.

[Whig]

It would be really cool if somebody could write good tutorial for idiots like me about ICS with Jasager and Linux.

[digininja]

I don't exactly do ICS in linux, I setup routing so that my fon can route traffic through my normal lan. To be able to do this you need to be able to set routing rules on your default gateway. Mine is an Asus running openwrt so setting this is easy.

This way the victims are kept on their own network, my internal is 192.168, the wifi is 10.0. It means that they have less access to the network than if they were dumped directly on it as I think you get when you do ICS with windows.

If you want to know how to get this working shout and I'll try to document it.

[colforbin]

It would be really cool if somebody could write good tutorial for idiots like me about ICS with Jasager and Linux.

First of all you are not an idiot.

Next take a look at this. I haven't tried this myself, but I'm going to assume (and also ask anyone who can answer) that you could have a tiny Linux distro, set up as a virtual machine, inside a physical Linux distro to perform the task of masquerading, without mucking around with the settings of the host machine.?

[walts]

I don't exactly do ICS in linux, I setup routing so that my fon can route traffic through my normal lan. To be able to do this you need to be able to set routing rules on your default gateway. Mine is an Asus running openwrt so setting this is easy.

This way the victims are kept on their own network, my internal is 192.168, the wifi is 10.0. It means that they have less access to the network than if they were dumped directly on it as I think you get when you do ICS with windows.

If you want to know how to get this working shout and I'll try to document it.

Yes, please document it!

I've been going nuts trying to get this working with Windows, with my WIFI network in 10.100 and the Jasager in 192.168.

I have a Mac, and I'm fairly sure your Linux solution would work using the uderlying Unix on the Mac.

Walt

[digininja]

will try. If I haven't given you an answer by Sunday, PM me to remind me.

[shodanime]

I have the same problem. The first thing i tried to bridge the 2 connections (wire and wireless) so I can get internet from my linksys router wireless for the fon so it can share it.(The fon is hooked up by Ethernet) That did not work what would happen is that it would only connect one of the 2 networks. Then i found ICS where all the problems really begins. I have set the fon to a static IP to 192.168.0.1 (I set it like this because i am not sure what is the best ip settings for the fon) my linksys router is 192.168.1.1. When i follow the ICS wiki the fon wouldn't even let me in to jasager anymore. In fact i wasn't even able to see a default gateway anymore. What i am really asking is how can I set the fon to share my wireless internet from my computer. I am really sorry for being such a noob.

[digininja]

First a diagram.

on the fon I have a default route of 192.168.2.1 so

route add default gw 192.168.2.1

Make sure you have ip forwarding enabled

echo 1 > /proc/sys/net/ipv4/ip_forward

To enable a dhcp server on the fon

/usr/sbin/dnsmasq -K -d -F 10.1.1.100,10.1.1.200

This will give out the IP addresses in the range specified and will also tell clients that it is the default gateaway. The fon then knows where its default gateway is so it will then route traffic through 192.168.2.1.

The problem comes when traffic comes back into the network, it hits 192.168.2.1 which looks at the subnet, doesn't recognise it as its own so sends it back out to the internet, this means traffic can flow from a client out to the net but when it comes back in it hits a barrier at the router and just gets reflected back.

To solve this you need to tell the router how to get to the 10.1.1.0 subnet. My router runs openwrt so I do this with this command

route add -net 10.1.1.0 netmask 255.255.255.0 gw 192.168.2.2

So, all traffic to net 10.1.1.0 with subnet mask 255.255.255.0 gets routed through 192.168.2.2 rather than bounced back to the net.

The last thing I had to do was to do this on the router

iptables -I FORWARD -i br0 -o br0 -j ACCEPT

and this on the Fon

iptables -I FORWARD -i eth0 -o ath0 -j ACCEPT
iptables -I FORWARD -o eth0 -i ath0 -j ACCEPT

One of the above is redundant but I can't remember which one. This basically tells iptables to allow traffic through.

Hopefully all this makes sense, if not, I'm sure people will ask questions.

[walts]

HMMM....

I get what you're doing, but unfortunately the BSD Unix that underlies OS X does not have an iptables command. Instead that is replaced by ipfw which has a forwarding function, in you example it would be

ipfw add allow ip from 10.1.1.0/24 to any fwd 192.168.2.1

(If I read the man pages correctly)

Unfortunately that comes back with

ipfw: unrecognized option [-1] fwd\n

and further reading reveals that this only works if the kernel was compiled with IPFIREWALL_FORWARD.

So, unless there's a Mac expert reading this who can clarify, I will probably go back to Windows and fight with that some more.

Walt

[digininja]

You may not need it, try it without it.

[walts]

Thanks.

I'm beginning to think that my problem is more basic than that.

Sorry for not being "artistic" but I'll try to describe what's happening.

I have the FON connected to my Mac via wireless, connected to OpenWrt. with Karma "on" I connect to the FON from a Nokia N800 (Basically a Linux box with WIFI)

N800 (192.168.0.216) <----> (?.?.?.?) FON (192.168.10.1) <--------> (192.168.0.180) Mac

ifconfig on the FON does not show an IP address for ath0 or wifi0.

With Wireshark running on the Mac, I can see web traffic for the control program going back and forth to the FON, but no traffic from the N800 passing through the FON to get to the outside. I do see a number of DNS refusals aimed at the FON but being sent to the Mac instead. So it looks to me as if the FON is not performing its bridging function correctly. I could re-flash it, but before I do I'd like to try to figure out what's going wrong.

The web interface to OpenWrt doesn't seem to be all that friendly (per the wiki and my experience, the Network tab doesn't work reliably) so I've been working with /etc/config/network directly. Here is how it stands:

root@OpenWrt:~# cat /etc/config/network
# Copyright (C) 2006 OpenWrt.org

config interface loopback
    option ifname    lo
    option proto    static
    option ipaddr    127.0.0.1
    option netmask    255.0.0.0

config interface lan
    option ifname    eth0
    option type     bridge
    option proto    'static'
    option ipaddr    '192.168.10.1'
    option netmask    255.255.0.0



root@OpenWrt:~#

I don't understand why there is no entry for ath0 or wifi0, and when you configure eth0 as "bridge", don't you need to say bridged to what?

TIA for the help!

Walt

[digininja]

With my solution there is no bridge, a bridge puts two physically separate networks together onto the same one by joining two network interfaces. What I do is setup routing so that data that comes in on ath0 is then routed across to eth0 and out.

You should have an ip address on both ath0 and eth0, wifi0 is just the parent of ath0 and can be ignored.

Do a brctl -show (I think) and see what is there, if it shows anything, delete it, you don't want it.

Your N800 should get an IP address on the subnet that you are using for the wifi clients, 10.1.1.0 in my example, ath0 should also be on that subnet (10.1.1.1). eth0 should be on the same network as your MAC (192.168.2.0).

To help debug things, drop dhcp and give everything static ip addresses, set all the routing by hand and then test where you can ping to and from. The more tcpdump/wireshark monitors you can have the better, I found at one stage that traffic was flowing one way through a device but never getting back, tcpdump allowed me to spot that.

See if this helps.

[walts]

Thanks.

I think the confusion about bridging came about from the ambiguity of the webif maintenance page. That's why I was thinking of re-flashing to get a "clean" start, but I like your idea better, of setting up static IP addresses for testing. I will try that tomorrow and post back what I find.

Walt

[Whig]

First of all you are not an idiot.

Next take a look at this. I haven't tried this myself, but I'm going to assume (and also ask anyone who can answer) that you could have a tiny Linux distro, set up as a virtual machine, inside a physical Linux distro to perform the task of masquerading, without mucking around with the settings of the host machine.?

I was lazy... I had one spare laptop so I installed Windows XP to it and now that works via ethernet cable.

Is it possible to do everything wirelessly?

Now I have:

Jasager@Fon -- CAT5 cable --> Laptop --> USB-cable --> Nokia E90 (3G) ---> Internet

and that's probably not the best way to do that =)