View the full version: Internet unreachable for LAN
Hello!
I've bought an ASUS WL-500GP router this March, and with the help of the tutorials here and some other places I configured it with Oleg's firmware. (It took some time and trial-and-error, but I was quite content with the result, thanks everyone!)
It worked well for months (had some minor issues, but nothing serious), until Monday, when after a reboot, my computers couldn't access the net anymore.
They can reach the router (ssh, samba, webadmin pages, dns) but nothing on the net. They can see each other as well. The router can download torrents, can ping outside etc.
I've tried rebooting everything (including the ADSL router) but it didn't help. I rechecked the settings on the webadmin page, took a look at the iptables chains, but found no obvious reasons for this. After some thinking I used tcpdump and ethereal to take a look at the traffic, the ping requests reach the WAN (vlan1) interface, but no reply at all. (Not sure if it helps, but who knows...)
Using direct connection between the ADSL router and my computer everything is OK.
Now I can't think of anything else to try (am pretty new to routers and Linux), so I welcome any suggestions and help.
Thanks in advance,
Luxa
Is DNS working on the PCs? Is the router configured as DNS server?
Try to resolve a name with nslookup.
wengi
Try shutting down the router and removing the power cord.
Leave the power cord disconnected for a minute before reconnecting.
If you have the latest Oleg firmware and the router is running in AP mode, then check that
/etc/resolv.conf has your nameserver inside,
e.g. nameserver x.x.x.x
If it doesn't, then add it. Do the flashfs save, commit and enable routine and you should be fine.
Hello!
Wengi:
Yes, DNS is working, with the router as DNS server.
avberk:
Tried power off and on, no luck, /etc/resolv.conf has my nameserver in it.
Luxa
So you can resolve names from your PCs but not ping the received IP addresses?
Two possibilities for me: iptables (but you checked this) or routing.
Double check your iptables and the routes on router and PCs.
wengi
Hi!
Well, I've taken another look at iptables and routes (even had a friend who is supposed to be more expert in these things help), but I couldn't find any obvious problems. Apart from not understanding why there are two instances of the same rule under each other, and why there are rules after one that accepts everything. (At least I think so.) Or where most rules come from...
I think I shall post the results of the at the end of the post, and I would really appreciate it if someone took a look at them.
I used tcpdump again on the ppp0 interface and noticed something that I hadn't noticed before: the packets from my LAN reach the interface, but Ethereal said that they have the internal IP of my computer (192.168.1.x), so if this is correct, then it means that all my packets are automatically dropped by the destinations. So something is wrong with the address translation. Am I right? The problem is that I have no idea where I can control that. (I've searched the forums for NAT, and came up with the /tmp/nat_rules, but I don't really know how that works, or what is missing.)
So my iptables results:
[admin@Router root]$ iptables -L --line-numbers
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT tcp -- anywhere anywhere tcp dpt:ftp flags:SYN,RST,ACK/SYN
2 ACCEPT tcp -- anywhere anywhere tcp dpt:ssh flags:SYN,RST,ACK/SYN
3 ACCEPT tcp -- anywhere anywhere tcp dpt:65534 flags:SYN,RST,ACK/SYN
4 ACCEPT tcp -- anywhere anywhere tcp dpt:8008 flags:SYN,RST,ACK/SYN
5 DROP all -- anywhere anywhere state INVALID
6 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
7 ACCEPT all -- anywhere anywhere state NEW
8 ACCEPT all -- anywhere anywhere state NEW
9 SECURITY all -- anywhere anywhere state NEW
10 DROP all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere
2 DROP all -- anywhere anywhere state INVALID
3 TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN tcpmss match 1453:65535TCPMSS set 1452
4 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
5 DROP all -- anywhere anywhere
6 DROP all -- anywhere anywhere
7 SECURITY all -- anywhere anywhere state NEW
8 ACCEPT all -- anywhere anywhere ctstate DNAT
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain MACS (0 references)
num target prot opt source destination
Chain SECURITY (2 references)
num target prot opt source destination
1 RETURN tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN limit: avg 1/sec burst 5
2 RETURN tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
3 RETURN udp -- anywhere anywhere limit: avg 5/sec burst 5
4 RETURN icmp -- anywhere anywhere limit: avg 5/sec burst 5
5 DROP all -- anywhere anywhere
Chain logaccept (0 references)
num target prot opt source destination
1 LOG all -- anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `ACCEPT '
2 ACCEPT all -- anywhere anywhere
Chain logdrop (0 references)
num target prot opt source destination
1 LOG all -- anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `DROP '
2 DROP all -- anywhere anywhere
My ip route list (Long version):
[admin@Router root]$ ip route list table all
194.149.1.52 dev ppp0 proto kernel scope link src 91.120.115.156
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
127.0.0.0/8 dev lo scope link
default via 194.149.1.52 dev ppp0
local 192.168.1.1 dev br0 table local proto kernel scope host src 192.168.1.1
broadcast 192.168.1.0 dev br0 table local proto kernel scope link src 192.168.1.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
local 91.120.115.156 dev ppp0 table local proto kernel scope host src 91.120.115.156
broadcast 91.120.115.156 dev ppp0 table local proto kernel scope link src 91.120.115.156
broadcast 192.168.1.255 dev br0 table local proto kernel scope link src 192.168.1.1
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local ::1 via :: dev lo metric 0 mtu 16436 advmss 16376
local fe80::217:31ff:febf:6ffe via :: dev lo metric 0 mtu 16436 advmss 16376
fe80::/10 dev eth0 proto kernel metric 256 mtu 1500 advmss 1440
fe80::/10 dev vlan0 proto kernel metric 256 mtu 1500 advmss 1440
fe80::/10 dev eth1 proto kernel metric 256 mtu 1500 advmss 1440
fe80::/10 dev br0 proto kernel metric 256 mtu 1500 advmss 1440
fe80::/10 dev vlan1 proto kernel metric 256 mtu 1500 advmss 1440
ff00::/8 dev eth0 proto kernel metric 256 mtu 1500 advmss 1440
ff00::/8 dev vlan0 proto kernel metric 256 mtu 1500 advmss 1440
ff00::/8 dev eth1 proto kernel metric 256 mtu 1500 advmss 1440
ff00::/8 dev br0 proto kernel metric 256 mtu 1500 advmss 1440
ff00::/8 dev vlan1 proto kernel metric 256 mtu 1500 advmss 1440
unreachable default dev lo metric -1 error -128
Thanks for the help in advance!
Luxa
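The two things Luxa wonders about in the listing above (rules 7 and 8 of INPUT being identical, and FORWARD rule 1 accepting everything so that rules 2 to 8 can never be reached) can be checked mechanically. The script below is an added example, not part of the thread or of Oleg's firmware: it parses the `iptables -L --line-numbers` text format and reports duplicate and shadowed rules, using an excerpt of the chains posted above as its input. It assumes the older iptables output layout shown here (six fixed columns followed by the match text).

```python
import re

# Excerpt of the INPUT and FORWARD chains exactly as posted above.
LISTING = """\
Chain INPUT (policy DROP)
num target prot opt source destination
5 DROP all -- anywhere anywhere state INVALID
6 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
7 ACCEPT all -- anywhere anywhere state NEW
8 ACCEPT all -- anywhere anywhere state NEW
9 SECURITY all -- anywhere anywhere state NEW
10 DROP all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere
2 DROP all -- anywhere anywhere state INVALID
3 TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN tcpmss match 1453:65535TCPMSS set 1452
4 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
5 DROP all -- anywhere anywhere
"""
TERMINAL = {"ACCEPT", "DROP", "REJECT"}  # targets that end traversal of the chain

def parse_chains(text):
    """Map chain name -> list of (num, target, prot, match) tuples."""
    chains, current = {}, None
    for line in text.splitlines():
        head = re.match(r"Chain (\S+) \(", line)
        if head:
            current = head.group(1)
            chains[current] = []
        elif current and line[:1].isdigit():
            p = line.split(None, 6)  # num target prot opt source destination [match]
            chains[current].append((int(p[0]), p[1], p[2], p[6] if len(p) > 6 else ""))
    return chains

def lint(chains):
    """Return (chain, num, reason) for duplicates and for rules after a catch-all terminal rule."""
    findings = []
    for chain, rules in chains.items():
        catch_all = None  # number of the first rule that matches every packet and terminates
        for i, (num, target, prot, match) in enumerate(rules):
            if catch_all is not None:
                findings.append((chain, num, f"unreachable: rule {catch_all} already matches everything"))
            elif i and (target, prot, match) == rules[i - 1][1:]:
                findings.append((chain, num, f"duplicate of rule {rules[i - 1][0]}"))
            if catch_all is None and target in TERMINAL and prot == "all" and not match:
                catch_all = num
    return findings

if __name__ == "__main__":
    for chain, num, reason in lint(parse_chains(LISTING)):
        print(f"{chain} rule {num}: {reason}")
```

Note that this only inspects the filter table that `iptables -L` prints by default; the source-address rewriting Luxa suspects is missing lives in the nat table and is listed with `iptables -t nat -L POSTROUTING --line-numbers`.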
I am not an iptables expert. But just to find the problem: disable iptables or allow everything to determine if your problem is iptables. Only discuss the rules if you _know_ that there is a problem in the rules.
Disable iptables. If you can access internet you can go on with rules. If not: there is something different.
sorry.
wengi