I have added a 4th NIC to my setup, and want to set up wireless. I have stared at the configuration Tom has for the last week, and my eyes are crossing.

eth0 "net" goes to my internet connected firewall with a 192.168 address
eth1 "loc" goes to my switch connected to local switch also 192.168.x
eth2 "work" goes to my office with a 172. address
eth3

Trying to follow Tom's "My Shorewall Configuration" I gave the eth3 NIC 192.168.y.1 and a Cisco AP350 a 192.168.y.2 address. I am trying to be "visitor friendly" (the intent is just add your MAC address) and let the visitor act like they're at their local Starbucks and get a DHCP address. The Cisco hands out a 169. something address via DHCP.

So, I'll ask the question and duck.... Am I looking at solving routing, or do I have to do bridging? Or, which section of the RTFM did I miss?

My test laptop can browse the AP350, and this shorewall box can browse the AP350. I can also browse the AP350 from other local machines (windoze or linux). I am running shorewall 2.2.0.

- Bill

=======================
By "browse" I mean I can see the Cisco AP350 setup screens... NOT browse the internet from the laptop
========================
I don't know how far you've gotten...

Bill.Light@kp.org wrote:
> The Cisco hands out a 169. something address via DHCP.

As Tom pointed out, you aren't getting a DHCP response at all if you're seeing a 169 address.

> My test laptop can browse the AP350, and this shorewall box can browse the
> AP350. I can also browse the AP350 from other local machines (windoze or
> linux). I am running shorewall 2.2.0.

If your laptop, wirelessly connected to the AP350, is getting a real IP address and can ping the AP350 *and* the firewall, then your network is set up. Now all you need to do is correct the firewall rules so as to let you get out to the Net. Try reading the Shorewall logs to see what is being blocked.

A.
I don't know how far you've gotten...

Bill.Light@kp.org wrote:
> The Cisco hands out a 169. something address via DHCP.

As Tom pointed out, you aren't getting a DHCP response at all if you're seeing a 169 address.

> My test laptop can browse the AP350, and this shorewall box can browse the
> AP350. I can also browse the AP350 from other local machines (windoze or
> linux). I am running shorewall 2.2.0.

If your laptop, wirelessly connected to the AP350, is getting a real IP address and can ping the AP350 *and* the firewall, then your network is set up. Now all you need to do is correct the firewall rules so as to let you get out to the Net. Try reading the Shorewall logs to see what is being blocked.

A.

================================

I took Tom's suggestion and installed/turned on DHCP for the interface. I can now get a 192 address/lease through the AP350, but nothing else goes through it... i.e. I can't run YaST or browse (SuSE)... when I boot the windoze side - no web browsing, no internet access, etc.

The current interface file has:

wlan    eth3    dhcp,routeback

The current policy file has:

loc     wlan    ACCEPT
$FW     wlan    ACCEPT    info
net     wlan    ACCEPT
wlan    loc     ACCEPT
wlan    $FW     ACCEPT    info
wlan    net     ACCEPT

Pretty darn open, if I understand anything.

The curious observation was a ping to suse.com from the laptop gave:

Feb 23 08:23:39 machinename kernel: Shorewall:wlan2fw:ACCEPT:IN=eth3 OUT= MAC=00:02:b3:1c:39:0d:00:02:2d:24:76:bc:08:00 SRC=xx.xx.18.68 DST=xx.xx.18.50 LEN=112 TOS=0x00 PREC=0xC0 TTL=255 ID=19672 PROTO=ICMP TYPE=3 CODE=2 [SRC=xx.xx.18.50 DST=192.168.18.68 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=5913 PROTO=ICMP TYPE=0 CODE=00 ID=43536 SEQ=18 ]

.68 was the leased address given to the laptop
.50 is the static IP for eth3 of this box
fwiw .51 is the static IP of the cisco

Whether windoze or linux this laptop gets .68 for an IP.

Does anyone have a working AP350 setup that they would care to share?

It's as though the AP swallows certain routing, but I sure can't find where. I suppose I could put the AP350 up on eBay and go buy something with the new 54 Mb spec. There seem to be more people with the Linksys box that don't appear to have half these troubles...

- Bill
Bill.Light@kp.org wrote:
> I took Tom's suggestion and installed/turned on DHCP for the interface.
> I can now get a 192 address/lease through the AP350, but nothing else
> goes through it... i.e. I can't run YaST or browse (SuSE) ...
> when I boot the windoze side - no web browsing, no internet access, etc.

That problem description doesn't tell us much.

> The current interface file has wlan eth3 dhcp,routeback
> The current policy file has

<snip>

> Pretty darn open, if I understand anything

Are you masquerading the wireless network to the net? You need to.

> The curious observation was a ping to suse.com from the laptop gave:
>
> Feb 23 08:23:39 machinename kernel: Shorewall:wlan2fw:ACCEPT:IN=eth3 OUT=
> MAC=00:02:b3:1c:39:0d:00:02:2d:24:76:bc:08:00 SRC=xx.xx.18.68
> DST=xx.xx.18.50 LEN=112 TOS=0x00 PREC=0xC0 TTL=255 ID=19672 PROTO=ICMP
> TYPE=3 CODE=2 [SRC=xx.xx.18.50 DST=192.168.18.68 LEN=84 TOS=0x00 PREC=0x00
> TTL=64 ID=5913 PROTO=ICMP TYPE=0 CODE=00 ID=43536 SEQ=18 ]
>
> .68 was the leased address given to the laptop
> .50 is the static IP for eth3 of this box
> fwiw .51 is the static IP of the cisco

Bill -- Why are you trying to obfuscate things with the xx.xx nonsense??? I'm not going to help you further if I have to look at crap like that, especially since I suspect that these are all internal IP addresses.

> Whether windoze or linux this laptop gets .68 for an IP

> I suppose I could put the AP350 up on eBay and go buy something with the
> new 54 Mb spec. There seem to be more people with the Linksys box that
> don't appear to have half these troubles...

I seriously doubt that your AP has anything to do with your problem. I suspect that it is a combination of missing SNAT/masquerade and/or missing/wrong default gateways on the wireless systems (e.g., the laptop). Have you looked at the chapter in the Two-interface guide (http://shorewall.net/two-interface.htm) entitled "Adding a wireless Segment to your Two-interface Firewall"? You should.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
>
>> The curious observation was a ping to suse.com from the laptop gave:
>>
>> Feb 23 08:23:39 machinename kernel: Shorewall:wlan2fw:ACCEPT:IN=eth3 OUT=
>> MAC=00:02:b3:1c:39:0d:00:02:2d:24:76:bc:08:00 SRC=xx.xx.18.68
>> DST=xx.xx.18.50 LEN=112 TOS=0x00 PREC=0xC0 TTL=255 ID=19672 PROTO=ICMP
>> TYPE=3 CODE=2 [SRC=xx.xx.18.50 DST=192.168.18.68 LEN=84 TOS=0x00 PREC=0x00
>> TTL=64 ID=5913 PROTO=ICMP TYPE=0 CODE=00 ID=43536 SEQ=18 ]
>>
>> .68 was the leased address given to the laptop
>> .50 is the static IP for eth3 of this box
>> fwiw .51 is the static IP of the cisco
>
> Bill -- Why are you trying to obfuscate things with the xx.xx
> nonsense??? I'm not going to help you further if I have to look at crap
> like that, especially since I suspect that these are all internal IP
> addresses.

My objection stems from the fact that some of the addresses have been obfuscated but one hasn't!! So if xx.xx == 192.168 then there is one explanation and if xx.xx != 192.168 then something else is going on.

You may be right that the AP is returning a "protocol not reachable" ICMP to the ping reply -- running Ethereal on the Laptop while you are trying to ping would solve the mystery though...

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
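The log line the thread keeps coming back to is a standard netfilter log entry written by a Shorewall logging rule: the KEY=value fields describe the packet that hit the rule, and, because that packet is an ICMP error, the part in square brackets is the header of the earlier packet the error is complaining about. Reading it means decoding both halves and naming the ICMP type and code. The following parser is an added example written for this page; it is not code from the thread, from Shorewall, or from netfilter. The sample line is constructed from the one Bill posted with the obfuscated "xx.xx" prefix assumed to be 192.168 (an assumption; the inner DST in his line already reads 192.168.18.68). Field names are the ones netfilter actually emits; the type/code tables cover only the common values.

```python
import re

# Constructed sample, modelled on the Shorewall log line quoted in the thread.
# The obfuscated "xx.xx" prefix is assumed to be 192.168 (an assumption; the
# inner DST in the original line already shows 192.168.18.68).
SAMPLE = (
    "Feb 23 08:23:39 machinename kernel: Shorewall:wlan2fw:ACCEPT:IN=eth3 OUT= "
    "MAC=00:02:b3:1c:39:0d:00:02:2d:24:76:bc:08:00 SRC=192.168.18.68 "
    "DST=192.168.18.50 LEN=112 TOS=0x00 PREC=0xC0 TTL=255 ID=19672 PROTO=ICMP "
    "TYPE=3 CODE=2 [SRC=192.168.18.50 DST=192.168.18.68 LEN=84 TOS=0x00 "
    "PREC=0x00 TTL=64 ID=5913 PROTO=ICMP TYPE=0 CODE=00 ID=43536 SEQ=18 ]"
)

ICMP_TYPES = {0: "echo reply", 3: "destination unreachable", 5: "redirect",
              8: "echo request", 11: "time exceeded"}
UNREACH_CODES = {0: "net unreachable", 1: "host unreachable",
                 2: "protocol unreachable", 3: "port unreachable",
                 4: "fragmentation needed", 13: "administratively prohibited"}

PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):")
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_fields(text):
    """Turn 'KEY=value KEY2= ...' into a dict, keeping the first value of a
    repeated key (an ICMP echo carries both an IP ID and an ICMP ID)."""
    fields = {}
    for key, value in FIELD_RE.findall(text):
        fields.setdefault(key, value)
    return fields


def parse_shorewall_log(line):
    """Split a Shorewall/netfilter log line into chain, disposition, the outer
    packet header and, for ICMP errors, the quoted inner header in [...]."""
    match = PREFIX_RE.search(line)
    if not match:
        raise ValueError("not a Shorewall log line")
    outer_text, _, inner_text = line[match.end():].partition("[")
    return {
        "chain": match.group("chain"),
        "disposition": match.group("disp"),
        "outer": parse_fields(outer_text),
        "inner": parse_fields(inner_text) if inner_text else None,
    }


def icmp_name(fields):
    """Human-readable ICMP type/code for a parsed header (empty if not ICMP)."""
    if fields.get("PROTO") != "ICMP":
        return ""
    icmp_type, icmp_code = int(fields["TYPE"]), int(fields["CODE"])
    name = ICMP_TYPES.get(icmp_type, f"type {icmp_type}")
    if icmp_type == 3:
        name += f" ({UNREACH_CODES.get(icmp_code, f'code {icmp_code}')})"
    return name


def describe(rec):
    """One-line reading of a parsed record: who sent what to whom, and which
    earlier packet an ICMP error is complaining about."""
    outer = rec["outer"]
    parts = [f"{rec['disposition']} in {rec['chain']}: {outer.get('SRC')} -> "
             f"{outer.get('DST')} in via {outer.get('IN') or '?'}"]
    if outer.get("PROTO") == "ICMP":
        parts.append("ICMP " + icmp_name(outer))
    inner = rec["inner"]
    if inner:
        about = f"about {inner.get('PROTO')} {inner.get('SRC')} -> {inner.get('DST')}"
        if inner.get("PROTO") == "ICMP":
            about += f" ({icmp_name(inner)})"
        parts.append(about)
    return "; ".join(parts)


if __name__ == "__main__":
    print(describe(parse_shorewall_log(SAMPLE)))
```

Run against the sample it reports an ACCEPT in wlan2fw of an ICMP destination unreachable (protocol unreachable) sent by .68 to .50, about an echo reply that .50 had sent to .68. Which box actually put that error on the wire (the laptop at .68, or the AP answering on its behalf) is exactly what the log cannot tell you, which is why the thread points at a capture on the laptop.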
Bill.Light@kp.org
2005-Feb-25 21:10 UTC
Re: Re: Wireless - routing or bridging - Part Deux
Tom Eastep wrote:
>
>> The curious observation was a ping to suse.com from the laptop gave:
>>
>> Feb 23 08:23:39 machinename kernel: Shorewall:wlan2fw:ACCEPT:IN=eth3 OUT=
>> MAC=00:02:b3:1c:39:0d:00:02:2d:24:76:bc:08:00 SRC=xx.xx.18.68
>> DST=xx.xx.18.50 LEN=112 TOS=0x00 PREC=0xC0 TTL=255 ID=19672 PROTO=ICMP
>> TYPE=3 CODE=2 [SRC=xx.xx.18.50 DST=192.168.18.68 LEN=84 TOS=0x00 PREC=0x00
>> TTL=64 ID=5913 PROTO=ICMP TYPE=0 CODE=00 ID=43536 SEQ=18 ]
>>
>> .68 was the leased address given to the laptop
>> .50 is the static IP for eth3 of this box
>> fwiw .51 is the static IP of the cisco
>
> Bill -- Why are you trying to obfuscate things with the xx.xx
> nonsense??? I'm not going to help you further if I have to look at crap
> like that, especially since I suspect that these are all internal IP
> addresses.

My objection stems from the fact that some of the addresses have been obfuscated but one hasn't!! So if xx.xx == 192.168 then there is one explanation and if xx.xx != 192.168 then something else is going on.

You may be right that the AP is returning a "protocol not reachable" ICMP to the ping reply -- running Ethereal on the Laptop while you are trying to ping would solve the mystery though...

-Tom

====================================

Tom -

Sorry - Yes the addresses are internal, wasn't trying to obfuscate, I just didn't think they would matter, and I missed one.

I re-read and re-read the docs again, and gave up on what I was doing. I was trying to set "wlan" as a separate zone, rather than combining with "loc". I stripped out all of that and went back to the "standard" example you have at the end of a two-interface setup.

Ran tcpdump on the laptop and discovered my errors:

Brain fart - had masq for eth3 backwards (who knows why)
routeback option is NOT what I wanted.

Now working...

I have the maclist option now on, tonight I will turn on WEP.

We were replacing some switches last night, so did not respond last night.

As usual, thanks for your effort.
The Sufficiently Talented Fool - Bill