Trying to use Mark IV as wifi-router - no internet for clients

[theVoiD]

Hey!

I'm trying to use 2 pineapples to provide wifi for two storeys of the same building (office with roundabout 10-15 persons each).

I got them configured, they have access to the internet but they don't relay it to their clients (be it eth or wifi). Any clients connected to a pineapple can ping the pineapple only. traceroutes fail right after the pineapple (tried this for Macs and Win7/8-machines - also for an android phone - except for the traceroute-part of course).

- I tried to correct the config files (/etc/config/ network, dhcp, wireless, firewall)

- I tried to leave wide open the firewall (which isn't installed on a pineapple, if I understand correctly)

- I flushed the iptables (iptables -F)

- I tried setting the route: route add default gw 192.168.178.1

to no avail, even with a couple of restarts (barring the iptables which would be reestablished if I understood correctly).

I tried a search, but except for this Post of computerchris I couldn't find anything. As I don't have any linux-machines at hand I couldn't start the wp4.sh-file from anywhere and the first of the iptables commands in the quote would give me the error that I may not use the -s parameter twice.

Posted 18 August 2013 - 03:14 PM

ERMAGHERD https://forums.hak5....-phished-pages/

https://github.com/W...quickstartguide

iptables -A FORWARD -i wlan0 -o eth0 -s 172.16.42.0/24 -m state –state NEW -j ACCEPT
iptables -A FORWARD -m state –state ESTABLISHED,RELATED -j ACCEPT
iptables -A POSTROUTING -t nat -j MASQUERADE

The pineapples are connected to a switch (netgear) via ethernet, which in turn leads to the router (192.168.178.1 - 192.168.178.0/24) which also functions as a dsl-modem (Germany - Fritz Box 7390) and a wifi-router (I wanted to install the pineapples to give the network a cleaner layout and have the dsl-modem not do everything - well and also to play around with the pineapples whenever there is a chance ^_^).

They can ping to anywhere in the internet, as well as to the dsl-modem. Also they can be reached from any station connected to the dsl-modem (being the wifi-router as well) or connected to the pineapple itself.

Because I want to use the pineapples with only the ethernet-cable, I switched the devices in the network-config-file so that wan would lie on the poe-enabled port.

The pineapples are supposed to connect to the dsl-router via dhcp and distribute via wifi and the former wan port; 192.168.177.0/24 (SVR6) and 192.168.176.0/24 (SVR5).

I just received the devices and I tried all day to get them running. I am quite desperate. They run on 3.0 (SVR5) and 2.8.1 (SVR6 - I had to flash one of them as it almost bricked and then would not react to any changes in the config files). Both have the exact same problem. Albeit flashing the iptables and setting the routes I only tried on one of them (SVR5).

I will post the config files at the end of the post for one of them (SVR5) and also attach the zip-files with the config-folders of both:

SVR5.zip

SVR6.zip

Here a little map:

Internet

|

DSL-Modem 192.168.178.1

|

Switch

| \

SVR5 SVR6 192.168.176.1 192.168.177.1

| \

clients clients

I would like to configure them correctly

- in order to have the clients get throught to the internet

- to have a deeper understanding of the inner workings of openwrt and the pineapples

I don't get anywhere on my own anymore.

Please help and inform me about my mistakes. I am eager to learn =D

contents of /etc/config/ network wireless dhcp firewall

## NETWORK

# Copyright (C) 2006 OpenWrt.org

config interface loopback
    option ifname    lo
    option proto    static
    option ipaddr    127.0.0.1
    option netmask    255.0.0.0

config interface wan
    option ifname    eth0
    option proto    dhcp
#    option ipaddr    192.168.178.4
#    option netmask    255.255.255.0

config interface lan
    option ifname    eth1
    option type     bridge
    option proto    static
    option ipaddr    192.168.176.1
    option netmask    255.255.255.0
    option gateway 192.168.178.1
    option dns    192.168.178.1

config switch eth0
option enable_vlan 1

config switch_vlan
option device eth0
option vlan 1
option ports "0 1"

config interface usb
option ifname usb0
option proto dhcp

config interface 'wan2'
    option ifname ' '
    option proto ' '
    option service ' '
    option device ' '
    option apn ' '
    option username ' '
    option password ' '
    option defaultroute ' '
    option ppp_redial ' '
    option peerdns ' '
    option dns ' '
    option keepalive ' '
    option pppd_options ' '



## WIRELESS


config wifi-device radio0
    option type mac80211
    option channel 1
    option hwmode    11ng
    option macaddr    00:c0:ca:67:e5:be
    option htmode    HT20
    list ht_capab    SHORT-GI-20
    list ht_capab    SHORT-GI-40
    list ht_capab    RX-STBC1
    list ht_capab    DSSS_CCK-40
    # REMOVE THIS LINE TO ENABLE WIFI:
    # option disabled 1

config wifi-iface
    option device radio0
    option network lan
    option mode ap
    option ssid "SSID"
    option encryption psk2
    option key 'password'



## DHCP

config 'dnsmasq'
    option 'domainneeded' '1'
    option 'boguspriv' '1'
    option 'filterwin2k' '0'
    option 'localise_queries' '1'
    option 'rebind_protection' '1'
    option 'rebind_localhost' '1'
    option 'local' '/lan/'
    option 'domain' 'lan'
    option 'expandhosts' '1'
    option 'nonegcache' '0'
    option 'authoritative' '1'
    option 'readethers' '1'
    option 'leasefile' '/tmp/dhcp.leases'
    option 'resolvfile' '/tmp/resolv.conf.auto'

config 'dhcp' 'lan'
    option 'interface' 'lan'
    option 'start' '50'
    option 'limit' '150'
    option 'leasetime' '12h'
    option 'ignore' '0'
#    list 'dhcp_option' '3,172.16.42.42'
#    list 'dhcp_option' '3,172.16.42.1'
#    list 'dhcp_option' '6,172.16.42.1,8.8.8.8'
#    list 'dhcp_option' '6,172.16.42.1,208.67.222.222'

#config 'dhcp' 'wan'
#    option 'interface' 'wan'
#    option 'ignore' '1'
#    option 'start' '100'
#    option 'limit' '150'
#    option 'leasetime' '12h'
#    list 'dhcp_option' '3,172.16.42.42'
#    list 'dhcp_option' '6,172.16.42.1,8.8.8.8'
#    list 'dhcp_option' '6,172.16.42.1,208.67.222.222'
    



## FIREWALL


config defaults
    option syn_flood    1
    option input        ACCEPT
    option output        ACCEPT
    option forward        ACCEPT
# Uncomment this line to disable ipv6 rules
#    option disable_ipv6    1

config zone
    option name        lan
    option network        'lan'
    option input        ACCEPT
    option output        ACCEPT
    option forward        ACCEPT    

config zone
    option name        wan
    option network        'wan'
    option input        ACCEPT
    option output        ACCEPT
    option forward        ACCEPT
    option masq        1
    option mtu_fix        1

config forwarding
    option src     lan
    option dest     wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
    option src        wan
    option proto        udp
    option dest_port    68
    option target        ACCEPT
    option family        ipv4

# Allow IPv4 ping
config rule
    option src        wan
    option proto        icmp
    option icmp_type    echo-request
    option family        ipv4
    option target        ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
    option src        wan
    option dest        *
    option proto        icmp
    list icmp_type        echo-request
    list icmp_type        destination-unreachable
    list icmp_type        packet-too-big
    list icmp_type        time-exceeded
    list icmp_type        bad-header
    list icmp_type        unknown-header-type
    option limit        1000/sec
    option family        ipv6
    option target        ACCEPT

# include a file with users custom iptables rules
config include
    option path /etc/firewall.user


### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
#    option src        lan
#    option src_ip    192.168.45.2
#    option dest        wan
#    option proto    tcp
#    option target    REJECT

# block a specific mac on wan
#config rule
#    option dest        wan
#    option src_mac    00:11:22:33:44:66
#    option target    REJECT

# block incoming ICMP traffic on a zone
#config rule
#    option src        lan
#    option proto    ICMP
#    option target    DROP

# port redirect port coming in on wan to lan
#config redirect
#    option src            wan
#    option src_dport    80
#    option dest            lan
#    option dest_ip        192.168.16.235
#    option dest_port    80
#    option proto        tcp

# port redirect of remapped ssh port (22001) on wan
#config redirect
#    option src        wan
#    option src_dport    22001
#    option dest        lan
#    option dest_port    22
#    option proto        tcp

# allow IPsec/ESP and ISAKMP passthrough
#config rule
#    option src        wan
#    option dest        lan
#    option protocol        esp
#    option target        ACCEPT

#config rule
#    option src        wan
#    option dest        lan
#    option src_port        500
#    option dest_port    500
#    option proto        udp
#    option target        ACCEPT

### FULL CONFIG SECTIONS
#config rule
#    option src        lan
#    option src_ip    192.168.45.2
#    option src_mac    00:11:22:33:44:55
#    option src_port    80
#    option dest        wan
#    option dest_ip    194.25.2.129
#    option dest_port    120
#    option proto    tcp
#    option target    REJECT

#config redirect
#    option src        lan
#    option src_ip    192.168.45.2
#    option src_mac    00:11:22:33:44:55
#    option src_port        1024
#    option src_dport    80
#    option dest_ip    194.25.2.129
#    option dest_port    120
#    option proto    tcp

Edited August 25, 2013 by theVoiD

[thesugarat]

As you have altered the normal configuration of the pineapple I'm not surprised this isn't working... You've commented out the dhcp settings for 'lan'? Are you're wireless devices even getting an IP address? If yes, what range? Can you even get to the pineapples configuration page? I'm just guessing here but you might want to uncomment this line = list 'dhcp_option' '3,172.16.42.1' and change it to list 'dhcp_option' '3,192.168.178.1' . Again that's just a guess, you might need to do the next line down which seems to be for dns. I'm out of my depth on this one... Good luck.

[inTheDMZ]

Are these just for general internet or specifically for the features of the pineapple?

I'd guess you would be better using a router that supports openWRT and turn them into 'dumb' access points so the DSL routers control the address range, your double NAT'ing in your current setup and this would seem pointless

[theVoiD]

As you have altered the normal configuration of the pineapple I'm not surprised this isn't working... You've commented out the dhcp settings for 'lan'? Are you're wireless devices even getting an IP address? If yes, what range? Can you even get to the pineapples configuration page? I'm just guessing here but you might want to uncomment this line = list 'dhcp_option' '3,172.16.42.1' and change it to list 'dhcp_option' '3,192.168.178.1' . Again that's just a guess, you might need to do the next line down which seems to be for dns. I'm out of my depth on this one... Good luck.

I supposed, that this would be only an optional line, in case other servers should provide DNS-functions.

I changed it as You recommended. Also I tried to provide the DNS-Server of our TeleComm-Provider, just in case.

I also tried only offering SVR5 or the router as DNS-Server by commenting the other lines out. None did work. I also checked the routes in the client. It showed 192.168.178.1 as Gateway once and 192.168.176.1 the other time. Both times no connection to the internet.

But I can always reach SVR5 via SSH and the config-page from the client as well as from any clients connected to the Fritz-Modem(/Router).

The config Page (accessed via ethernet-cable on eth0) shows this (followed by one of the configs I tried for dhcp):

Network

Wifi Enabled

Internet IP: Show [is correct]

POE / LAN: 192.168.176.1

WAN / LAN: N/A

WAN / Mobile: N/A

## DHCP

config 'dnsmasq'
    option 'domainneeded' '1'
    option 'boguspriv' '1'
    option 'filterwin2k' '0'
    option 'localise_queries' '1'
    option 'rebind_protection' '1'
    option 'rebind_localhost' '1'
    option 'local' '/lan/'
    option 'domain' 'lan'
    option 'expandhosts' '1'
    option 'nonegcache' '0'
    option 'authoritative' '1'
    option 'readethers' '1'
    option 'leasefile' '/tmp/dhcp.leases'
    option 'resolvfile' '/tmp/resolv.conf.auto'

config 'dhcp' 'lan'
    option 'interface' 'lan'
    option 'start' '50'
    option 'limit' '150'
    option 'leasetime' '12h'
    option 'ignore' '0'
    list 'dhcp_option' '3,192.168.176.1'
    list 'dhcp_option' '3,192.168.178.1'
    list 'dhcp_option' '3,217.237.151.51'
#    list 'dhcp_option' '3,172.16.42.42'
#    list 'dhcp_option' '3,172.16.42.1'
#    list 'dhcp_option' '6,172.16.42.1,8.8.8.8'
#    list 'dhcp_option' '6,172.16.42.1,208.67.222.222'

#config 'dhcp' 'wan'
#    option 'interface' 'wan'
#    option 'ignore' '1'
#    option 'start' '100'
#    option 'limit' '150'
#    option 'leasetime' '12h'
#    list 'dhcp_option' '3,172.16.42.42'
#    list 'dhcp_option' '6,172.16.42.1,8.8.8.8'
#    list 'dhcp_option' '6,172.16.42.1,208.67.222.222'

Are these just for general internet or specifically for the features of the pineapple?

I'd guess you would be better using a router that supports openWRT and turn them into 'dumb' access points so the DSL routers control the address range, your double NAT'ing in your current setup and this would seem pointless

They are just for general internet. I wanted to use pineapples instead of some random device in order to have them at ready to occasional use their features and to support hak5 of course.

Also I didn't think that they wouldn't work in this setup.

I would like to get the pineapples to work rather then sending them back especially as I suppose that I might run into the same problems with any other router based on OpenWRT (or even more, as pineapples at least come with it pre-installed). And how would I configure them to be dumb routers? And is there a reason why I couldn't do that with a pineapple?

Also I really want to understand why it doesn't work.

Edited August 25, 2013 by theVoiD

[inTheDMZ]

I would just flash the to stock openWRT and go from there, pineapple firmware has custom configurations

Edit: try here http://wiki.openwrt.org/toh/alfa.network/hornet-ub

Edited August 25, 2013 by inTheDMZ

[potato]

Did you enable nat?

iptables -A POSTROUTING -t nat -j MASQUERADE

[theVoiD]

Did you enable nat?

iptables -A POSTROUTING -t nat -j MASQUERADE

That worked!

Thank You so much! I love You man! Thanks to inTheDMZ too :)

It was not just plain stupidity but rather ignorance on my side. I still don't quite get how iptables and NAT works but I am going to read that up, I promise! =)

Now I am fighting with making this rule persistent and to create an exception for the printer's IP :)

I'll keep You posted ^_^

Edited August 27, 2013 by theVoiD