
Issues

Network

MGMT slow

Slow access to HOME from laptop on MGMT wi-fi.

UPDATE: 2023-10-28

Looks like the laptop gets a very low Rx rate (throughput from haru to morgana) of ~17 Mbit, or even 6 Mbit:

iperf3 -c 192.168.100.20 -p 2345 -R -t 9999
Connecting to host 192.168.100.20, port 2345
Reverse mode, remote host 192.168.100.20 is sending
[  5] local 192.168.100.161 port 42966 connected to 192.168.100.20 port 2345
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-1.00   sec  1.75 MBytes  14.7 Mbits/sec
[  5]   1.00-2.00   sec  1.64 MBytes  13.8 Mbits/sec
[  5]   2.00-3.00   sec  1.64 MBytes  13.8 Mbits/sec
[  5]   3.00-4.00   sec  1.55 MBytes  13.0 Mbits/sec
[  5]   4.00-5.00   sec  1.62 MBytes  13.6 Mbits/sec
[  5]   5.00-6.00   sec  1.63 MBytes  13.6 Mbits/sec
^C[  5]   6.00-6.14   sec   252 KBytes  14.4 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-6.14   sec  0.00 Bytes  0.00 bits/sec                  sender
[  5]   0.00-6.14   sec  10.1 MBytes  13.8 Mbits/sec                  receiver

At the same time I get around 60 Mbit sending data out:

iperf3 -c 192.168.100.20 -p 2345 -t 9999
Connecting to host 192.168.100.20, port 2345
[  5] local 192.168.100.161 port 45200 connected to 192.168.100.20 port 2345
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  10.1 MBytes  85.0 Mbits/sec    0    469 KBytes
[  5]   1.00-2.00   sec  6.71 MBytes  56.3 Mbits/sec    0    469 KBytes
[  5]   2.00-3.00   sec  7.08 MBytes  59.4 Mbits/sec    0    502 KBytes
[  5]   3.00-4.00   sec  6.40 MBytes  53.7 Mbits/sec    0    529 KBytes
[  5]   4.00-5.00   sec  7.77 MBytes  65.2 Mbits/sec    0    529 KBytes
[  5]   5.00-6.00   sec  7.77 MBytes  65.2 Mbits/sec    0    529 KBytes
[  5]   6.00-7.00   sec  7.01 MBytes  58.8 Mbits/sec    0    587 KBytes
[  5]   7.00-8.00   sec  8.47 MBytes  71.0 Mbits/sec    0    621 KBytes
^C[  5]   8.00-8.40   sec  2.41 MBytes  50.4 Mbits/sec    0    621 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-8.40   sec  63.8 MBytes  63.7 Mbits/sec    0             sender
[  5]   0.00-8.40   sec  0.00 Bytes  0.00 bits/sec                  receiver

Haru reports low MCS values of 10 or lower.

Server   SSID         Channel  Client       Location     Client -> Server (Mbit)  Server -> Client (Mbit)
Justine  Haru Legacy  6        L (android)  living room  25                       25
Justine  Haru Legacy  6        futaba       living room  21                       9
Justine  Haru Legacy  6        futaba       kitchen      25                       10
Justine  Haru Legacy  6        futaba       by Haru      26                       11
Justine  Haru Legacy  11       futaba       living room  26                       11
Justine  Haru MGMT    11       morgana      living room  53                       23
Justine  Haru Legacy  6        morgana      living room  50                       11
Justine  Haru         6        morgana      living room  89                       72

Config changes:

  • Set max power to 30 dBm
    • channel switched to 5 (was 6): 15-25 on morgana and 13 on futaba
    • channel 11: 10 to 25 on morgana, 16 on futaba

VPN clients coming from outside are NAT'ed

They will look like justine, not their actual VPN IP, since devices can use caroline as their default G/W.

No access to SERVER VLAN from HOME with justine G/W

VPN clients can access justine MGMT interface IP

11:06:10.811023 vpn   In  IP 172.17.1.10 > 192.168.100.2: ICMP echo request, id 44951, seq 814, length 64
11:06:10.811041 vpn   Out IP 192.168.100.2 > 172.17.1.10: ICMP echo reply, id 44951, seq 814, length 64

I have set up stricter forwarding rules:

Chain FORWARD (policy DROP 52 packets, 4368 bytes)
num   pkts bytes target     prot opt in     out     source               destination
9       35  5441 ACCEPT     all  --  enp1s0 vpn     192.168.0.0/24       0.0.0.0/0
10      32  5244 ACCEPT     all  --  vpn    enp1s0  0.0.0.0/0            192.168.0.0/24

but this does not help.

This is because the traffic does not go through FORWARD but through INPUT: 192.168.100.2 is justine's own address, so the kernel delivers the packet locally instead of forwarding it:

iptables -A INPUT -i vpn -d 192.168.100.0/24 -j LOG
[604557.640819] IN=vpn OUT= MAC= SRC=172.17.1.10 DST=192.168.100.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=56812 DF PROTO=ICMP TYPE=8 CODE=0 ID=44951 SEQ=1064

A DROP rule with the same match blocks it. But is it normal that an IP assigned to one interface can be reached through any other interface when the host is used as a G/W? Yes: Linux follows the weak host model, so a packet destined to any address configured on the host is delivered locally regardless of the interface it arrived on; only the INPUT chain can tie an address to an interface.

FIXED: I have added the following rule:

iptables -A INPUT ! -i mgmt -d 192.168.100.0/24 -j DROP

FOLLOWUP: Is this the same for other devices? Try static route to them and access MGMT IP.

ip route add 192.168.100.50 via 192.168.0.50 dev wlan0

And 192.168.100.50 answers pings. So services bound only to 192.168.100.50 are exposed to HOME VLAN devices.

CONCLUSION: Binding a service to a selected IP address does not protect it from being reached via another network interface; an explicit firewall rule is needed to prevent this!

What makes the localhost (lo) interface special, so that services bound to it are not reachable from other interfaces? Two things: 127.0.0.0/8 is in the local routing table by default, and the kernel treats a packet for a 127/8 address arriving on any interface other than lo as a martian and drops it (unless net.ipv4.conf.<if>.route_localnet is enabled). Other local addresses only get the first half of that treatment, which is why they need the INPUT rule.

Same problem for caroline

Same with caroline:

ip route add 192.168.100.1 via 192.168.0.1 dev wlan0

I can now access https://192.168.100.1/cgi-bin/luci/ while on the HOME VLAN; it will probably work from SERVER and any other VLAN as well!

FIXED: DROP all INPUT on every interface apart from MGMT. Added ACCEPT rules for the LAN, GUEST and SERVER VLANs for DHCP (UDP 67), DNS (TCP/UDP 53) and ICMP.

I could not use the negated interface match (! -i) as on justine. Justine should probably get a default INPUT DROP policy as well, allowing only mgmt interface traffic.
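The weak host model behaviour found above (justine's MGMT address reachable over vpn, caroline's LuCI reachable from HOME) and the two fixes can be checked mechanically. The following Python script is an added example, not code from these notes: it parses constructed samples in the formats of `ip -j addr show` and `iptables-save`, then replays a probe packet (TCP/443, i.e. the web UI) from every interface against every local address through a minimal model of the INPUT chain. Interface names and the 192.168.100.0/24 subnet follow the notes; the vpn interface address 172.17.1.1, the exact caroline-style ruleset and the probe ports are assumptions.

```python
"""Which addresses of a Linux host are reachable from which interfaces?

Linux uses the weak host model: a packet addressed to any locally configured
IP is delivered locally no matter which interface it arrived on, so binding
a service to the MGMT address protects nothing by itself; the INPUT chain
decides. This replays one probe packet from every interface against every
local address through a minimal model of INPUT. Only -i, -d, -p, --dport and
-j are modelled (assumption: other options take one argument and are skipped).
"""
import ipaddress
import json
import shlex


def _link(name, addr, plen):
    """One entry in the shape of `ip -j addr show` output."""
    return {"ifname": name, "addr_info": [{"family": "inet", "local": addr, "prefixlen": plen}]}


# Constructed sample for a router like justine; 172.17.1.1 on vpn is assumed.
IP_ADDR_JSON = json.dumps([_link("lo", "127.0.0.1", 8), _link("enp1s0", "192.168.0.2", 24),
                           _link("mgmt", "192.168.100.2", 24), _link("vpn", "172.17.1.1", 24)])

# Constructed `iptables-save` excerpts: no guard, the one-rule justine fix,
# and a caroline-style default DROP with holes for DHCP, DNS and ICMP.
UNGUARDED = "*filter\n:INPUT ACCEPT [0:0]\nCOMMIT\n"
JUSTINE_GUARD = """*filter
:INPUT ACCEPT [0:0]
-A INPUT ! -i mgmt -d 192.168.100.0/24 -j DROP
COMMIT
"""
CAROLINE_POLICY = """*filter
:INPUT DROP [0:0]
-A INPUT -i mgmt -j ACCEPT
-A INPUT -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
COMMIT
"""


def local_addresses(ip_json):
    """Return {(ifname, IPv4Address), ...} for every inet address on the host."""
    return {(link["ifname"], ipaddress.ip_address(a["local"]))
            for link in json.loads(ip_json)
            for a in link.get("addr_info", []) if a.get("family") == "inet"}


def parse_rule(tokens):
    """Parse the tokens after '-A INPUT' into {option: (negated, value)} plus target."""
    rule, i = {}, 0
    while i < len(tokens):
        neg = tokens[i] == "!"
        if neg:
            i += 1
        opt, val = tokens[i], tokens[i + 1]
        if opt in ("-i", "-d", "-p", "--dport"):
            rule[opt] = (neg, val)
        elif opt == "-j":
            rule["target"] = val
        i += 2  # anything else (-m tcp, -s ...) is skipped together with its argument
    return rule


def parse_input_chain(save_text):
    """Return (policy, rules) of the filter table's INPUT chain."""
    policy, rules = "ACCEPT", []
    for line in save_text.splitlines():
        if line.startswith(":INPUT "):
            policy = line.split()[1]
        elif line.startswith("-A INPUT "):
            rules.append(parse_rule(shlex.split(line)[2:]))
    return policy, rules


def _matches(rule, opt, value, as_net=False):
    """One match clause: an absent clause always matches, '!' inverts the result."""
    if opt not in rule:
        return True
    neg, want = rule[opt]
    hit = (value in ipaddress.ip_network(want, strict=False)) if as_net else (str(value) == want)
    return hit != neg


def input_verdict(policy, rules, in_if, dst, proto, dport):
    """Walk INPUT top-down for one probe; the first terminating target wins."""
    for r in rules:
        if (_matches(r, "-i", in_if) and _matches(r, "-d", dst, as_net=True)
                and _matches(r, "-p", proto) and _matches(r, "--dport", dport)):
            if r.get("target") in ("ACCEPT", "DROP", "REJECT"):
                return r["target"]
    return policy


def exposure(ip_json, save_text, proto="tcp", dport="443"):
    """For each non-loopback address, the set of *other* interfaces whose probe is accepted."""
    policy, rules = parse_input_chain(save_text)
    addrs = local_addresses(ip_json)
    ifaces = {ifn for ifn, _ in addrs} - {"lo"}
    report = {}
    for owner, addr in addrs:
        if owner == "lo":
            continue  # 127/8 arriving on a non-lo interface is a martian; dropped before INPUT
        report[str(addr)] = {i for i in ifaces - {owner}
                             if input_verdict(policy, rules, i, addr, proto, dport) == "ACCEPT"}
    return report


if __name__ == "__main__":
    for name, ruleset in (("unguarded", UNGUARDED), ("justine guard", JUSTINE_GUARD),
                          ("caroline policy", CAROLINE_POLICY)):
        print(f"== {name} (probe tcp/443)")
        for addr, via in sorted(exposure(IP_ADDR_JSON, ruleset).items()):
            print(f"  {addr:15} reachable from foreign interfaces: {sorted(via) or 'none'}")
```

Run it as-is to compare the three rulesets; on a real host feed it the output of `ip -j addr show` and `iptables-save` instead of the constructed samples. Only -i, -d, -p, --dport and -j are modelled, so rules that rely on other matches (-s, conntrack state, ...) are treated as matching everything on those clauses; it is an audit aid, not a substitute for reading the ruleset. The third ruleset also shows the flip side of a default DROP with `-i mgmt -j ACCEPT`: the LAN and VPN addresses become reachable from the mgmt side, which is the intended trust direction here.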

Would this be the same for goro and haru?

They don't have an IP on the HOME network, but they do have an interface on it. Injecting a packet for their MGMT IP onto their HOME interface may be possible (using MAC/ARP), but would they respond, given that they have no route back to the HOME network? With the weak host model the packet would still be delivered locally; the reply would follow their routing table (i.e. the default route on MGMT), unless rp_filter is enabled and drops the packet because it arrived on an interface that does not lead back to its source.

Access to web services from internal network

Devices using the default DHCP G/W (justine) need a manually added static route to reach local server services such as video.hexadust.net:

ip route add 46.7.126.16 dev eth0 via 192.168.0.1
ping video.hexadust.net

Things to try:

  1. Try to push static routes from DHCP (this did not work, for some reason)
  2. Set up a static route on justine
  3. Set up SNAT on justine
  4. Use bridge-layer DNAT: https://ebtables.netfilter.org/br_fw_ia/br_fw_ia.html
  5. Set up split DNS
    1. video.hexadust.net -> 192.168.50.159
    2. This would require justine to forward to the SERVER VLAN, since ann uses 0.2 as its default G/W
  6. Set up a separate DNS for internal access

No more IPs on DHCP

Looks like Horizon box eats up leases: https://www.boards.ie/discussion/2057720465/my-new-virgin-media-stb-issued-two-lan-i-ps

I have removed leases from /var/lib/dhcp.lease file on caroline.

Justine access is laggy; DNS is slow

Happens after OpenWrt updates.

Try disconnecting and reconnecting the network cables for Haru and the uplink on goro.

Igor does not set its default route after boot

Although the default route is configured in the web UI, it does not take effect on boot, so igor cannot reach the local network. VM-related things will work OK though.