# router problems [SOLVED]

## doileir

Other computers can't connect to router

wlan0 = 192.168.1.150 (internet)

eth0 = 10.0.0.1 (internal network)

conf.d/net config

```
# wireless card
#modules=("iwconfig")
essid_wlan0="linksys"
config_wlan0=("192.168.1.150 broadcast 192.168.1.255 netmask 255.255.255.0")
routes_wlan0=("default gw 192.168.1.1")

# onboard eth0
config_eth0=("10.0.0.1 broadcast 10.0.0.255 netmask 255.255.255.0")
```

iptables config from the 2nd example from guero61 from this thread

```
iptables -F
iptables -t nat -F
iptables -X
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
```

dnsmasq.conf

```
interface=eth0
dhcp-range=10.0.0.100,10.0.0.150,255.255.255.0,35h
```

I can ping google on the router but now my other PCs can't get an IP address or get on the net

Last edited by doileir on Tue Apr 01, 2008 11:19 pm; edited 1 time in total

----------

## chainsawbike

if you set the ip statically on the clients does it work?

and make sure your router's kernel is set to forward packets

----------

## vad3r

 *chainsawbike wrote:*   

> if you set the ip statically on the clients does it work?
> 
> and make sure your router's kernel is set to forward packets

 

Or set it manually for testing:

```
# echo 1 > /proc/sys/net/ipv4/ip_forward
```

----------

## Erulabs

First, "wlan0 = 192.168.1.150 (internet)"

Unless you have a complex network setup, which I assume you don't by virtue of the fact that you're posting a DHCP question here, this won't work.

A 192.168.0.0/8 address is NON-ROUTABLE and would never be assigned as a WAN address. Also, you refer to it as 'wLan', which makes sense. So... What does "(internet)" mean?

Edit: This technically could work, but be aware it would work as a router between two private (Local Area, LAN) networks. Perhaps this is what you want?

Edit2: Also, I notice you say "couldn't get an IP or ping google". Try assigning an IP that DHCP should give out and see if NATing works.

For example, give a box behind this a '10.0.0.1' and see if it can't get online.

----------

## Hu

 *doileir wrote:*   

> iptables config from the 2nd example from guero61 from this thread
> 
> ```
> ...
> ```

 

Of course they cannot get on the Internet.  You specifically told the system to deny forwarded traffic.

Please post the output of ip addr ; ip route ; iptables-save -c.  Also, please explain your network topology.  I suspect from the brief description that wlan0 is a Wireless LAN interface and that you are using some proprietary wireless router as the gateway between your wireless network and the Internet.

Erulabs: technically, not all addresses matching 192.168.0.0/8 are non-routable.  The /8 means that only the first octet should be honored.  Traditionally, all non-honored bits are set to 0.  Thus, any address starting 192.x.x.x matches that expression and there exist routable addresses that have 192 as a first octet and a value other than 168 as their second octet.  I assume you meant 192.168.0.0/16, which is a non-routable range?  :Smile: 

----------

## Erulabs

Hu: You beat me. It is /16

Shame. I haz it   :Rolling Eyes: 

Good catch, you're totally correct.

----------

## think4urs11

just to get this even more correct

Of course 192.168.x.y addresses are also routable - it is 'just' due to RFC1918/3330 that (nearly) all ISPs do not route them across public lines (i.e. the internet). Within a LAN or otherwise private infrastructure those addresses, like the other two well-known ranges (10.0.0.0/8 + 172.16.0.0/12), can be routed and netmasked as needed (/8 - /30).

----------

## doileir

thanks for all the help

 *Erulabs wrote:*   

> Edit: This technically could work, but be aware it would work as a router between two private (Local Area, LAN) networks. Perhaps this is what you want?

 

yes this is what i'm trying to do. just a fun project that i want to get to work.

ifconfig shows

```
eth0      Link encap:Ethernet  HWaddr 00:E0:18:52:7E:F3
          inet addr:10.0.0.1  Bcast:10.0.0.255  Mask:255.255.255.0
          inet6 addr: fe80::2e0:18ff:fe52:7ef3/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1436 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:419334 (409.5 Kb)  TX bytes:588 (588.0 b)
          Interrupt:3 Base address:0xd000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:76 (76.0 b)  TX bytes:76 (76.0 b)

wlan0     Link encap:Ethernet  HWaddr 00:0F:66:A1:5A:4F
          inet addr:192.168.1.150  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::20f:66ff:fea1:5a4f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:9167 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2192 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1136330 (1.0 Mb)  TX bytes:354525 (346.2 Kb)
          Interrupt:3 Memory:ed800000-ed800800
```

iptables-save -c shows

```
# Generated by iptables-save v1.3.8 on Mon Mar 31 19:20:15 2008
*nat
:PREROUTING ACCEPT [10531:1743727]
:POSTROUTING ACCEPT [120:9315]
:OUTPUT ACCEPT [120:9315]
COMMIT
# Completed on Mon Mar 31 19:20:15 2008
# Generated by iptables-save v1.3.8 on Mon Mar 31 19:20:15 2008
*mangle
:PREROUTING ACCEPT [13489:1998315]
:INPUT ACCEPT [12922:1925773]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2533:375806]
:POSTROUTING ACCEPT [2533:375806]
COMMIT
# Completed on Mon Mar 31 19:20:15 2008
# Generated by iptables-save v1.3.8 on Mon Mar 31 19:20:15 2008
*filter
:INPUT DROP [18:6543]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [2149:331847]
[0:0] -A INPUT -i lo -j ACCEPT
[463:33164] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -p icmp -m state --state NEW -m icmp --icmp-type 8 -j ACCEPT
[0:0] -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Mon Mar 31 19:20:15 2008
```

i took out the  iptables -P FORWARD DROP

still no go with the routing to other pc on the network

route shows

```
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        *               255.255.255.0   U     0      0        0 eth0
192.168.1.0     *               255.255.255.0   U     0      0        0 wlan0
loopback        *               255.0.0.0       U     0      0        0 lo
default         192.168.1.1     0.0.0.0         UG    2000   0        0 wlan0
```

----------

## Hu

 *doileir wrote:*   

> iptables-save -c shows
> 
> ```
> ...
> ```

 

iptables -P CHAIN TARGET is not reset by a flush.  You may have removed the command from your script, but since you have not actively given the kernel a new target for the FORWARD chain, the target assigned by your original script still holds.  Use iptables -P FORWARD ACCEPT to return FORWARD to the standard default.

It is often useful in complex rulesets to have FORWARD default to DROP all traffic, but only after rules to allow desired traffic have been written.  Since you are still debugging your setup, it is probably better to ACCEPT by default.  Once you are ready to lock down what types of traffic are forwarded, then you can use a default DROP.

----------

## doileir

```
# Generated by iptables-save v1.3.8 on Mon Mar 31 22:04:20 2008
*nat
:PREROUTING ACCEPT [11404:1878228]
:POSTROUTING ACCEPT [127:10150]
:OUTPUT ACCEPT [127:10150]
COMMIT
# Completed on Mon Mar 31 22:04:20 2008
# Generated by iptables-save v1.3.8 on Mon Mar 31 22:04:20 2008
*mangle
:PREROUTING ACCEPT [15464:2215052]
:INPUT ACCEPT [14785:2128346]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3608:510435]
:POSTROUTING ACCEPT [3608:510435]
COMMIT
# Completed on Mon Mar 31 22:04:20 2008
# Generated by iptables-save v1.3.8 on Mon Mar 31 22:04:20 2008
*filter
:INPUT DROP [1:48]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3224:466476]
[0:0] -A INPUT -i lo -j ACCEPT
[15:964] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -p icmp -m state --state NEW -m icmp --icmp-type 8 -j ACCEPT
[0:0] -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Mon Mar 31 22:04:20 2008
```

still no change...think i just have to find a new script

edit: 

I'm also using dnsmasq 

do i need to add iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE 

to use it with dnsmasq config

edit:

just to clarify network config

internet > standard Netgear router > my gentoo router (over wlan0) > switch > other PCs

want my gentoo box to route internet traffic to any pc that is connected to the switch

for those that have been helping me i changed a few things with my iptables

```
# Generated by iptables-save v1.3.8 on Tue Apr  1 01:07:44 2008
*nat
:PREROUTING ACCEPT [901:164052]
:POSTROUTING ACCEPT [8:1012]
:OUTPUT ACCEPT [17:1730]
[0:0] -A POSTROUTING -o wlan0 -j MASQUERADE
COMMIT
# Completed on Tue Apr  1 01:07:44 2008
# Generated by iptables-save v1.3.8 on Tue Apr  1 01:07:44 2008
*mangle
:PREROUTING ACCEPT [6824:595809]
:INPUT ACCEPT [6500:550617]
:FORWARD ACCEPT [9:432]
:OUTPUT ACCEPT [5177:926216]
:POSTROUTING ACCEPT [5188:927361]
COMMIT
# Completed on Tue Apr  1 01:07:44 2008
# Generated by iptables-save v1.3.8 on Tue Apr  1 01:07:44 2008
*filter
:INPUT DROP [192:47917]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5177:926216]
[15:964] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -i wlan0 -p icmp -j ACCEPT
[0:0] -A INPUT -i wlan0 -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A FORWARD -i wlan0 -o eth0 -m state --state NEW,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -i wlan0 -o eth0 -j ACCEPT
COMMIT
# Completed on Tue Apr  1 01:07:44 2008
```

again thanks for the help this is a fun project. i just wish i can get it to work

----------

## Hu

No traffic is traversing your FORWARD chain.  Did you remember to turn on IPv4 forwarding with the command given by vad3r?

What are you doing to test whether the configuration works?  What happens when you do it?  What do you expect to have happen?  What does net-analyzer/tcpdump report for activity on each interface?  That is, does it confirm that the LAN traffic is reaching your Gentoo box?

----------

## cyrillic

 *doileir wrote:*   

> do i need to add iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE 

 

Yes, try using only this rule, and get rid of all the others.

If it works, then add the others back one at a time.

----------
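
The checks made by hand in this thread (the `ip_forward` switch, the FORWARD policy that a flush leaves in place, the MASQUERADE rule on the outbound interface, and which direction the FORWARD rules actually allow) can be run in one pass over `iptables-save -c` output. This is an added example, not code from any poster; the function name `diagnose_nat`, the finding labels and the sample ruleset are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `iptables-save -c` output on stdin.
# Usage: iptables-save -c | diagnose_nat "$(cat /proc/sys/net/ipv4/ip_forward)" eth0 wlan0
# Simplification: only -i, -o and -j are read; state/port matches and "!" are ignored.
diagnose_nat() {
    awk -v fwd="$1" -v lan="$2" -v wan="$3" '
    function covers(i_if, o_if, src, dst) {   # rule with no -i/-o matches any interface
        return (i_if == "" || i_if == src) && (o_if == "" || o_if == dst)
    }
    { sub(/^\[[0-9]+:[0-9]+\] /, "") }        # strip the -c [packets:bytes] prefix
    /^\*/ { table = substr($0, 2); next }     # "*nat" / "*filter" table header
    table == "filter" && $1 == ":FORWARD" { policy = $2; next }
    $1 == "-A" {
        i_if = o_if = target = ""
        for (n = 3; n < NF; n++) {
            if ($n == "-i") i_if = $(n + 1)
            if ($n == "-o") o_if = $(n + 1)
            if ($n == "-j") target = $(n + 1)
        }
        natrule = (table == "nat" && $2 == "POSTROUTING" && (o_if == "" || o_if == wan))
        if (natrule && (target == "MASQUERADE" || target == "SNAT")) nat = 1
        if (table == "filter" && $2 == "FORWARD" && target == "ACCEPT") {
            if (covers(i_if, o_if, lan, wan)) out_ok = 1
            if (covers(i_if, o_if, wan, lan)) back_ok = 1
        }
    }
    END {
        if (fwd != 1) print "IP_FORWARD_OFF"
        if (!nat) print "NO_SNAT_ON " wan
        # -F does not reset a chain policy, so the policy is checked explicitly.
        if (policy != "ACCEPT" && !out_ok) print "FORWARD_DROPS " lan "->" wan
        if (policy != "ACCEPT" && !back_ok) print "FORWARD_DROPS " wan "->" lan
    }'
}

# Constructed sample: DROP policy with only the wlan0->eth0 direction allowed.
SAMPLE_RULES='*nat
:POSTROUTING ACCEPT [8:1012]
[0:0] -A POSTROUTING -o wlan0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
[0:0] -A FORWARD -i wlan0 -o eth0 -m state --state NEW,ESTABLISHED -j ACCEPT
COMMIT'

printf '%s\n' "$SAMPLE_RULES" | diagnose_nat 0 eth0 wlan0
# prints IP_FORWARD_OFF and FORWARD_DROPS eth0->wlan0
```

An empty result means none of these four conditions was found; it does not prove clients have a lease or a default route, which still needs the tcpdump check suggested above.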

## doileir

I got it up and running. With all the work using iptables I learned what does what, and went back to the gentoo home router guide and changed what needed to be changed.

----------

## krenshala

 *doileir wrote:*   

> I got it up and running. With all the work using iptables I learned what does what, and went back to the gentoo home router guide and changed what needed to be changed.

 

Could you post a bit more detail on what got this working for you?  I've got a very similar problem that I can't seem to wrap my brain around properly. 

[If this should be its own thread please let me know and I'll be happy to not hijack things here.  :Wink: ]

[edit]

i decided to make my own thread since i've got a different problem.

----------

