theVoiD Posted August 23, 2013 (edited)

Hey!

I'm trying to use 2 pineapples to provide wifi for two storeys of the same building (office with roundabout 10-15 persons each). I got them configured, they have access to the internet but they don't relay it to their clients (be it eth or wifi). Any clients connected to a pineapple can ping the pineapple only. traceroutes fail right after the pineapple (tried this for Macs and Win7/8-machines - also for an android phone - except for the traceroute-part of course).

- I tried to correct the config files (/etc/config/ network, dhcp, wireless, firewall)
- I tried to leave wide open the firewall (which isn't installed on a pineapple, if I understand correctly)
- I flushed the iptables (iptables -F)
- I tried setting the route: route add default gw 192.168.178.1

to no avail, even with a couple of restarts (barring the iptables which would be reestablished if I understood correctly).

I tried a search, but except for this Post of computerchris I couldn't find anything. As I don't have any linux-machines at hand I couldn't start the wp4.sh-file from anywhere and the first of the iptables commands in the quote would give me the error that I may not use the -s parameter twice.

> Posted 18 August 2013 - 03:14 PM
> ERMAGHERD
> https://forums.hak5....-phished-pages/
> https://github.com/W...quickstartguide
>
>     iptables -A FORWARD -i wlan0 -o eth0 -s 172.16.42.0/24 -m state --state NEW -j ACCEPT
>     iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>     iptables -A POSTROUTING -t nat -j MASQUERADE

The pineapples are connected to a switch (netgear) via ethernet, which in turn leads to the router (192.168.178.1 - 192.168.178.0/24) which also functions as a dsl-modem (Germany - Fritz Box 7390) and a wifi-router (I wanted to install the pineapples to give the network a cleaner layout and have the dsl-modem not do everything - well and also to play around with the pineapples whenever there is a chance ^_^).

They can ping to anywhere in the internet, as well as to the dsl-modem. Also they can be reached from any station connected to the dsl-modem (being the wifi-router as well) or connected to the pineapple itself.

Because I want to use the pineapples with only the ethernet-cable, I switched the devices in the network-config-file so that wan would lie on the poe-enabled port. The pineapples are supposed to connect to the dsl-router via dhcp and distribute via wifi and the former wan port; 192.168.177.0/24 (SVR6) and 192.168.176.0/24 (SVR5).

I just received the devices and I tried all day to get them running. I am quite desperate. They run on 3.0 (SVR5) and 2.8.1 (SVR6 - I had to flash one of them as it almost bricked and then would not react to any changes in the config files). Both have the exact same problem. Albeit flashing the iptables and setting the routes I only tried on one of them (SVR5).

I will post the config files at the end of the post for one of them (SVR5) and also attach the zip-files with the config-folders of both: SVR5.zip SVR6.zip

Here a little map:

               Internet
                  |
       DSL-Modem 192.168.178.1
                  |
                Switch
               |      \
            SVR5      SVR6
    192.168.176.1    192.168.177.1
               |      \
          clients    clients

I would like to configure them correctly
- in order to have the clients get through to the internet
- to have a deeper understanding of the inner workings of openwrt and the pineapples

I don't get anywhere on my own anymore. Please help and inform me about my mistakes. I am eager to learn =D

contents of /etc/config/ network wireless dhcp firewall

    ## NETWORK
    # Copyright (C) 2006 OpenWrt.org

    config interface loopback
        option ifname lo
        option proto static
        option ipaddr 127.0.0.1
        option netmask 255.0.0.0

    config interface wan
        option ifname eth0
        option proto dhcp
    #    option ipaddr 192.168.178.4
    #    option netmask 255.255.255.0

    config interface lan
        option ifname eth1
        option type bridge
        option proto static
        option ipaddr 192.168.176.1
        option netmask 255.255.255.0
        option gateway 192.168.178.1
        option dns 192.168.178.1

    config switch eth0
        option enable_vlan 1

    config switch_vlan
        option device eth0
        option vlan 1
        option ports "0 1"

    config interface usb
        option ifname usb0
        option proto dhcp

    config interface 'wan2'
        option ifname ' '
        option proto ' '
        option service ' '
        option device ' '
        option apn ' '
        option username ' '
        option password ' '
        option defaultroute ' '
        option ppp_redial ' '
        option peerdns ' '
        option dns ' '
        option keepalive ' '
        option pppd_options ' '

    ## WIRELESS
    config wifi-device radio0
        option type mac80211
        option channel 1
        option hwmode 11ng
        option macaddr 00:c0:ca:67:e5:be
        option htmode HT20
        list ht_capab SHORT-GI-20
        list ht_capab SHORT-GI-40
        list ht_capab RX-STBC1
        list ht_capab DSSS_CCK-40
        # REMOVE THIS LINE TO ENABLE WIFI:
    #    option disabled 1

    config wifi-iface
        option device radio0
        option network lan
        option mode ap
        option ssid "SSID"
        option encryption psk2
        option key 'password'

    ## DHCP
    config 'dnsmasq'
        option 'domainneeded' '1'
        option 'boguspriv' '1'
        option 'filterwin2k' '0'
        option 'localise_queries' '1'
        option 'rebind_protection' '1'
        option 'rebind_localhost' '1'
        option 'local' '/lan/'
        option 'domain' 'lan'
        option 'expandhosts' '1'
        option 'nonegcache' '0'
        option 'authoritative' '1'
        option 'readethers' '1'
        option 'leasefile' '/tmp/dhcp.leases'
        option 'resolvfile' '/tmp/resolv.conf.auto'

    config 'dhcp' 'lan'
        option 'interface' 'lan'
        option 'start' '50'
        option 'limit' '150'
        option 'leasetime' '12h'
        option 'ignore' '0'
    #    list 'dhcp_option' '3,172.16.42.42'
    #    list 'dhcp_option' '3,172.16.42.1'
    #    list 'dhcp_option' '6,172.16.42.1,8.8.8.8'
    #    list 'dhcp_option' '6,172.16.42.1,208.67.222.222'

    #config 'dhcp' 'wan'
    #    option 'interface' 'wan'
    #    option 'ignore' '1'
    #    option 'start' '100'
    #    option 'limit' '150'
    #    option 'leasetime' '12h'
    #    list 'dhcp_option' '3,172.16.42.42'
    #    list 'dhcp_option' '6,172.16.42.1,8.8.8.8'
    #    list 'dhcp_option' '6,172.16.42.1,208.67.222.222'

    ## FIREWALL
    config defaults
        option syn_flood 1
        option input ACCEPT
        option output ACCEPT
        option forward ACCEPT
    # Uncomment this line to disable ipv6 rules
    #    option disable_ipv6 1

    config zone
        option name lan
        option network 'lan'
        option input ACCEPT
        option output ACCEPT
        option forward ACCEPT

    config zone
        option name wan
        option network 'wan'
        option input ACCEPT
        option output ACCEPT
        option forward ACCEPT
        option masq 1
        option mtu_fix 1

    config forwarding
        option src lan
        option dest wan

    # We need to accept udp packets on port 68,
    # see https://dev.openwrt.org/ticket/4108
    config rule
        option src wan
        option proto udp
        option dest_port 68
        option target ACCEPT
        option family ipv4

    # Allow IPv4 ping
    config rule
        option src wan
        option proto icmp
        option icmp_type echo-request
        option family ipv4
        option target ACCEPT

    # Allow essential incoming IPv6 ICMP traffic
    config rule
        option src wan
        option dest *
        option proto icmp
        list icmp_type echo-request
        list icmp_type destination-unreachable
        list icmp_type packet-too-big
        list icmp_type time-exceeded
        list icmp_type bad-header
        list icmp_type unknown-header-type
        option limit 1000/sec
        option family ipv6
        option target ACCEPT

    # include a file with users custom iptables rules
    config include
        option path /etc/firewall.user

    ### EXAMPLE CONFIG SECTIONS
    # do not allow a specific ip to access wan
    #config rule
    #    option src lan
    #    option src_ip 192.168.45.2
    #    option dest wan
    #    option proto tcp
    #    option target REJECT

    # block a specific mac on wan
    #config rule
    #    option dest wan
    #    option src_mac 00:11:22:33:44:66
    #    option target REJECT

    # block incoming ICMP traffic on a zone
    #config rule
    #    option src lan
    #    option proto ICMP
    #    option target DROP

    # port redirect port coming in on wan to lan
    #config redirect
    #    option src wan
    #    option src_dport 80
    #    option dest lan
    #    option dest_ip 192.168.16.235
    #    option dest_port 80
    #    option proto tcp

    # port redirect of remapped ssh port (22001) on wan
    #config redirect
    #    option src wan
    #    option src_dport 22001
    #    option dest lan
    #    option dest_port 22
    #    option proto tcp

    # allow IPsec/ESP and ISAKMP passthrough
    #config rule
    #    option src wan
    #    option dest lan
    #    option protocol esp
    #    option target ACCEPT

    #config rule
    #    option src wan
    #    option dest lan
    #    option src_port 500
    #    option dest_port 500
    #    option proto udp
    #    option target ACCEPT

    ### FULL CONFIG SECTIONS
    #config rule
    #    option src lan
    #    option src_ip 192.168.45.2
    #    option src_mac 00:11:22:33:44:55
    #    option src_port 80
    #    option dest wan
    #    option dest_ip 194.25.2.129
    #    option dest_port 120
    #    option proto tcp
    #    option target REJECT

    #config redirect
    #    option src lan
    #    option src_ip 192.168.45.2
    #    option src_mac 00:11:22:33:44:55
    #    option src_port 1024
    #    option src_dport 80
    #    option dest_ip 194.25.2.129
    #    option dest_port 120
    #    option proto tcp

Edited August 25, 2013 by theVoiD

thesugarat Posted August 24, 2013

As you have altered the normal configuration of the pineapple I'm not surprised this isn't working... You've commented out the dhcp settings for 'lan'? Are your wireless devices even getting an IP address? If yes, what range? Can you even get to the pineapple's configuration page?

I'm just guessing here but you might want to uncomment this line

    list 'dhcp_option' '3,172.16.42.1'

and change it to

    list 'dhcp_option' '3,192.168.178.1'

Again that's just a guess, you might need to do the next line down which seems to be for dns. I'm out of my depth on this one... Good luck.

inTheDMZ Posted August 24, 2013

Are these just for general internet or specifically for the features of the pineapple? I'd guess you would be better using a router that supports openWRT and turn them into 'dumb' access points so the DSL routers control the address range, you're double NAT'ing in your current setup and this would seem pointless.

theVoiD Posted August 25, 2013 (edited)

> As you have altered the normal configuration of the pineapple I'm not surprised this isn't working... You've commented out the dhcp settings for 'lan'? Are your wireless devices even getting an IP address? If yes, what range? Can you even get to the pineapple's configuration page?
>
> I'm just guessing here but you might want to uncomment this line = list 'dhcp_option' '3,172.16.42.1' and change it to list 'dhcp_option' '3,192.168.178.1' . Again that's just a guess, you might need to do the next line down which seems to be for dns. I'm out of my depth on this one... Good luck.

I supposed, that this would be only an optional line, in case other servers should provide DNS-functions. I changed it as You recommended. Also I tried to provide the DNS-Server of our TeleComm-Provider, just in case. I also tried only offering SVR5 or the router as DNS-Server by commenting the other lines out. None did work.

I also checked the routes in the client. It showed 192.168.178.1 as Gateway once and 192.168.176.1 the other time. Both times no connection to the internet. But I can always reach SVR5 via SSH and the config-page from the client as well as from any clients connected to the Fritz-Modem(/Router).

The config Page (accessed via ethernet-cable on eth0) shows this (followed by one of the configs I tried for dhcp):

    Network
    Wifi Enabled
    Internet IP: Show [is correct]
    POE / LAN: 192.168.176.1
    WAN / LAN: N/A
    WAN / Mobile: N/A

    ## DHCP
    config 'dnsmasq'
        option 'domainneeded' '1'
        option 'boguspriv' '1'
        option 'filterwin2k' '0'
        option 'localise_queries' '1'
        option 'rebind_protection' '1'
        option 'rebind_localhost' '1'
        option 'local' '/lan/'
        option 'domain' 'lan'
        option 'expandhosts' '1'
        option 'nonegcache' '0'
        option 'authoritative' '1'
        option 'readethers' '1'
        option 'leasefile' '/tmp/dhcp.leases'
        option 'resolvfile' '/tmp/resolv.conf.auto'

    config 'dhcp' 'lan'
        option 'interface' 'lan'
        option 'start' '50'
        option 'limit' '150'
        option 'leasetime' '12h'
        option 'ignore' '0'
        list 'dhcp_option' '3,192.168.176.1'
        list 'dhcp_option' '3,192.168.178.1'
        list 'dhcp_option' '3,217.237.151.51'
    #    list 'dhcp_option' '3,172.16.42.42'
    #    list 'dhcp_option' '3,172.16.42.1'
    #    list 'dhcp_option' '6,172.16.42.1,8.8.8.8'
    #    list 'dhcp_option' '6,172.16.42.1,208.67.222.222'

    #config 'dhcp' 'wan'
    #    option 'interface' 'wan'
    #    option 'ignore' '1'
    #    option 'start' '100'
    #    option 'limit' '150'
    #    option 'leasetime' '12h'
    #    list 'dhcp_option' '3,172.16.42.42'
    #    list 'dhcp_option' '6,172.16.42.1,8.8.8.8'
    #    list 'dhcp_option' '6,172.16.42.1,208.67.222.222'

> Are these just for general internet or specifically for the features of the pineapple? I'd guess you would be better using a router that supports openWRT and turn them into 'dumb' access points so the DSL routers control the address range, you're double NAT'ing in your current setup and this would seem pointless

They are just for general internet. I wanted to use pineapples instead of some random device in order to have them at ready to occasionally use their features and to support hak5 of course. Also I didn't think that they wouldn't work in this setup.

I would like to get the pineapples to work rather than sending them back especially as I suppose that I might run into the same problems with any other router based on OpenWRT (or even more, as pineapples at least come with it pre-installed).

And how would I configure them to be dumb routers? And is there a reason why I couldn't do that with a pineapple? Also I really want to understand why it doesn't work.

Edited August 25, 2013 by theVoiD

inTheDMZ Posted August 25, 2013 (edited)

I would just flash them to stock openWRT and go from there, pineapple firmware has custom configurations.

Edit: try here http://wiki.openwrt.org/toh/alfa.network/hornet-ub

Edited August 25, 2013 by inTheDMZ

potato Posted August 25, 2013

Did you enable nat?

    iptables -A POSTROUTING -t nat -j MASQUERADE

theVoiD Posted August 27, 2013 (edited)

> Did you enable nat?
>
>     iptables -A POSTROUTING -t nat -j MASQUERADE

That worked! Thank You so much! I love You man! Thanks to inTheDMZ too :)

It was not just plain stupidity but rather ignorance on my side. I still don't quite get how iptables and NAT works but I am going to read that up, I promise! =)

Now I am fighting with making this rule persistent and to create an exception for the printer's IP :) I'll keep You posted ^_^

Edited August 27, 2013 by theVoiD
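
Added example, not part of the thread or of any poster's code: a check for the condition potato's question points at. The function reads `iptables -t nat -S POSTROUTING` output and reports whether a MASQUERADE rule exists and whether it is bound to the WAN interface; `eth0` as WAN and the 192.168.176.0/24 client subnet are taken from the posted config, and the sample outputs are constructed.

```shell
#!/bin/sh
# Added example, not from the thread.
# check_masq WAN_IF: reads `iptables -t nat -S POSTROUTING` output on stdin
# and prints one of:
#   scoped    a MASQUERADE rule bound to WAN_IF with -o
#   unscoped  a MASQUERADE rule with no -o (applies to every interface)
#   missing   no usable MASQUERADE rule: client packets leave with their
#             private source address, so the upstream router would need its
#             own route back to the client subnet for replies to arrive
check_masq() {
    awk -v wan="$1" '
        $1 == "-A" && $2 == "POSTROUTING" {
            masq = 0; out = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-j" && $(i + 1) == "MASQUERADE") masq = 1
                if ($i == "-o") out = $(i + 1)
            }
            if (masq && out == wan) scoped = 1
            else if (masq && out == "") unscoped = 1
        }
        END {
            if (scoped) print "scoped"
            else if (unscoped) print "unscoped"
            else print "missing"
        }'
}

# Constructed sample outputs (not captured from the poster's devices).
SAMPLE_EMPTY='-P POSTROUTING ACCEPT'
SAMPLE_UNSCOPED='-P POSTROUTING ACCEPT
-A POSTROUTING -j MASQUERADE'
SAMPLE_SCOPED='-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.176.0/24 -o eth0 -j MASQUERADE'

for sample in "$SAMPLE_EMPTY" "$SAMPLE_UNSCOPED" "$SAMPLE_SCOPED"; do
    printf '%s\n' "$sample" | check_masq eth0
done
# On the device itself: iptables -t nat -S POSTROUTING | check_masq eth0
```

The rule posted in the thread lands in the "unscoped" case; the "scoped" sample shows the same rule limited to the client subnet and the WAN-facing interface.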