Issues
Network
MGMT slow
Slow access to HOME from laptop on MGMT wi-fi.
VPN clients coming from outside are NAT'ed
They will look like justine, not their actual VPN IP, because internal devices use caroline as their default G/W: without SNAT on justine, replies to a VPN client's own address would leave via caroline instead of coming back through the tunnel.
No access to SERVER VLAN from HOME with justine G/W
VPN clients can access justine MGMT interface IP
11:06:10.811023 vpn In IP 172.17.1.10 > 192.168.100.2: ICMP echo request, id 44951, seq 814, length 64
11:06:10.811041 vpn Out IP 192.168.100.2 > 172.17.1.10: ICMP echo reply, id 44951, seq 814, length 64
I have set up more strict forwarding rules:
Chain FORWARD (policy DROP 52 packets, 4368 bytes)
num pkts bytes target prot opt in out source destination
9 35 5441 ACCEPT all -- enp1s0 vpn 192.168.0.0/24 0.0.0.0/0
10 32 5244 ACCEPT all -- vpn enp1s0 0.0.0.0/0 192.168.0.0/24
but this does not help.
This is because the traffic is not going through FORWARD but through INPUT: the destination is one of justine's own addresses, so the kernel delivers it locally no matter which interface it arrived on. A LOG rule shows it:
iptables -A INPUT -i vpn -d 192.168.100.0/24 -j LOG
[604557.640819] IN=vpn OUT= MAC= SRC=172.17.1.10 DST=192.168.100.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=56812 DF PROTO=ICMP TYPE=8 CODE=0 ID=44951 SEQ=1064
The same rule with -j DROP instead of -j LOG blocks it. But is it normal that any IP assigned to any interface can be reached by routing to the host as a G/W? Yes: Linux follows the weak host model, an address belongs to the host rather than to the interface, so a packet for any local address is accepted on any interface unless the firewall says otherwise. rp_filter does not help here, as it validates the source address only.
FIXED: I have added the following rule:
iptables -A INPUT ! -i mgmt -d 192.168.100.0/24 -j DROP
Note that -A appends, so the rule only takes effect if no earlier INPUT rule already ACCEPTs traffic arriving on vpn; otherwise insert it at the top with -I INPUT 1.
FOLLOWUP: Is this the same for other devices? Try a static route to them and access the MGMT IP.
ip route add 192.168.100.50 via 192.168.0.50 dev wlan0
And it pings on 192.168.100.50. So services bound only to 192.168.100.50 are exposed to HOME VLAN devices.
CONCLUSION: Binding a service to a selected IP address does not protect it from being reached through another network interface; an extra firewall rule (or binding to the interface itself with SO_BINDTODEVICE) is needed.
What makes the localhost (lo) interface special, so that services bound to it are not reachable from other interfaces? 127.0.0.0/8 lives in the kernel's local routing table, and by default the kernel treats a packet arriving on a non-loopback interface with a loopback destination as a martian and drops it (unless net.ipv4.conf.<if>.route_localnet is enabled).
Same problem for caroline
Same static-route trick against caroline's MGMT address:
ip route add 192.168.100.1 via 192.168.0.1 dev wlan0
I can now access https://192.168.100.1/cgi-bin/luci/ while on the HOME VLAN; this will probably work from SERVER and any other VLAN as well!
FIXED: DROP all INPUT on all interfaces apart from MGMT. Added ACCEPT rules for the LAN and SERVER VLANs for DHCP (UDP 67), DNS (TCP/UDP 53) and ICMP.
I could not use the negated-interface rule as in the case of justine. Probably should use a default INPUT DROP on justine as well and only allow mgmt interface traffic.
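As an added example (not part of these notes), a small POSIX sh script for a plain-iptables Linux host such as justine that applies the design from the caroline fix above (INPUT policy DROP, MGMT addresses reachable only via the MGMT interface, DHCP/DNS/ICMP allowed from the other VLANs) and also wraps the static-route probe used above to test other devices. The interface names mgmt, enp1s0, vpn and the 192.168.100.0/24 MGMT subnet are assumptions taken from the notes; caroline itself runs OpenWrt, where the equivalent rules belong in /etc/config/firewall rather than in a script like this.

```shell
#!/bin/sh
# Added example for these notes, not code from the original page.
# Host firewall for a Linux box that carries a MGMT address on one interface
# but, being a weak-host-model system, answers for that address on every
# interface.  Interface and subnet names are assumptions taken from the notes
# (mgmt, enp1s0, vpn, 192.168.100.0/24); adjust them to the real host.

MGMT_IF="${MGMT_IF:-mgmt}"
MGMT_NET="${MGMT_NET:-192.168.100.0/24}"
LAN_IFS="${LAN_IFS:-enp1s0 vpn}"   # interfaces that still need DHCP/DNS/ICMP
IPT="${IPT:-iptables}"

# Run the command, or with DRY_RUN set only print it, so the rule set can be
# reviewed (and tested) without root.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Rebuild INPUT from scratch.  The chain is flushed and rules are appended in
# order, so -A is safe here; on a live chain that already has ACCEPTs for
# these interfaces the "not via mgmt" DROP would have to go first
# (-I INPUT 1), because iptables stops at the first matching rule.
build_input_chain() {
    run "$IPT" -P INPUT DROP
    run "$IPT" -F INPUT
    run "$IPT" -A INPUT -i lo -j ACCEPT
    run "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # MGMT addresses answer only on the MGMT interface
    run "$IPT" -A INPUT ! -i "$MGMT_IF" -d "$MGMT_NET" -j DROP
    run "$IPT" -A INPUT -i "$MGMT_IF" -j ACCEPT
    # Minimal services for the other VLANs: DHCP, DNS, ICMP
    for dev in $LAN_IFS; do
        run "$IPT" -A INPUT -i "$dev" -p udp --dport 67 -j ACCEPT
        run "$IPT" -A INPUT -i "$dev" -p udp --dport 53 -j ACCEPT
        run "$IPT" -A INPUT -i "$dev" -p tcp --dport 53 -j ACCEPT
        run "$IPT" -A INPUT -i "$dev" -p icmp -j ACCEPT
    done
}

# The check from the notes, run from a client on another VLAN: route the
# target's MGMT address via its ordinary address and see whether it answers.
# Returns 0 if the MGMT address is reachable (leaked), non-zero if not; the
# host route is removed again either way.
probe_mgmt_leak() {
    mgmt_ip="$1"; via="$2"; dev="$3"
    run ip route add "$mgmt_ip" via "$via" dev "$dev" || return 2
    if [ -n "${DRY_RUN:-}" ]; then
        echo "ping -c 1 -W 1 $mgmt_ip"; rc=0
    else
        ping -c 1 -W 1 "$mgmt_ip" >/dev/null 2>&1; rc=$?
    fi
    run ip route del "$mgmt_ip" via "$via" dev "$dev"
    return $rc
}

# Usage: as root on the router   ./mgmt-fw.sh apply
#        from a HOME client      ./mgmt-fw.sh probe 192.168.100.50 192.168.0.50 wlan0
#        review without root     DRY_RUN=1 ./mgmt-fw.sh apply
case "${1:-}" in
    apply) build_input_chain ;;
    probe) shift; probe_mgmt_leak "$@" ;;
esac
```

DRY_RUN=1 prints the rules instead of applying them, which is also how the ordering can be checked: the `! -i mgmt ... -j DROP` rule must come before the per-interface ACCEPTs. rp_filter is no substitute for this rule, since it validates the source address, not whether a local destination address belongs to the arrival interface.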
Access to web services from internal network
Need to manually add a static route on devices that use the default DHCP G/W (justine) when going to local server services like video.hexadust.net:
ip route add 46.7.126.16 dev eth0 via 192.168.0.1
ping video.hexadust.net
Things to try:
- Try to push static routes from DHCP (option 121, classless static routes) - this did not work for some reason
- Set up a static route on justine
- Set up SNAT on justine
- Set up split DNS
  video.hexadust.net -> 192.168.50.159 - This would require justine to forward to the SERVER VLAN, since ann uses 0.2 as its default G/W
- Set up a separate DNS for internal access
No more IPs on DHCP
Looks like Horizon box eats up leases: https://www.boards.ie/discussion/2057720465/my-new-virgin-media-stb-issued-two-lan-i-ps
I have removed the leases from the /var/lib/dhcp.lease file on caroline.
Justine access is laggy; DNS is slow
Happens after OpenWRT updates.
Try disconnecting and connecting network cables for Haru and uplink on goro.