LinuxQuestions.org


me3 01-25-2005 12:28 PM

double NAT peer to peer wifi crashing
 
I've got an ethernet VOIP phone that I'd like to connect to the ethernet port of my wireless laptop. I've basically got it working, but the laptop networking is flakey.

Here is the setup:

cable modem -> wireless router -> air -> wireless laptop (wlan0) -> ethernet port (eth0) -> crossover ethernet cable -> VOIP phone.

The wireless router does NAT from the broadband connection to the local network and the laptop will be doing NAT from the local network to the phone.

btw: ethernet bridging doesn't work with a wifi network card.

The laptop is running Fedora Core 3. The phone is a Grandstream BT-100, which has a built-in webserver and speaks SIP. I'm using firestarter to set up the NAT. It seems a bit flaky.

The big problem I have is setting up the peer to peer NAT.

wlan0 is configured via DHCP and works fine. It gets an address of 192.168.1.x. I set the gateway for wlan0 to 192.168.1.1, which is the wireless router. I've got a route for 0.0.0.0 to the wireless router as well.

The configuration of eth0 is causing me problems. First of all, the only devices on this network are eth0 of the laptop and the phone, so there is no DHCP server. So I have to manually configure both the phone and the laptop.

So... I give eth0 an IP address of 192.168.2.1. What do I set its gateway to ? What do I set its subnet mask to ? Do I have to add a route for this device and if so, what would it be ? (I think the gateway should be the phone IP and I think the route should be 192.168.2.0 255.255.255.0 198.168.2.100, but when I use that, wlan0 stops working.)

I set the phone IP to 192.168.2.100. I set its gateway to eth0, which is 192.168.2.1. The phone wants a DNS address because it uses URLs for SIP provider addresses. So I use the DNS from the wireless router.

I use firestarter to set up the NAT. I don't enter any NAT rules, i.e. there is no port forward used, but I tell firestarter that wlan0 is connected to the Internet and 192.168.2.100 is an acceptable host.

The setup kind of works. Once in a while I lose my internet connection. I can always log into the phone. The laptop crashes once in a while.

Any ideas ?

btw: the phone works great plugged into the wireless router.

fr_laz 01-25-2005 01:08 PM

Hi,

Quote:

btw: ethernet bridging doesn't work with a wifi network card.
I've read many articles talking about bridging from lan to wlan, strange...

Quote:

So... I give eth0 an IP address of 192.168.2.1. What do I set its gateway to ? What do I set its subnet mask to ? Do I have to add a route for this device and if so, what would it be ? (I think the gateway should be the phone IP and I think the route should be 192.168.2.0 255.255.255.0 198.168.2.100, but when I use that, wlan0 stops working.)
A route doesn't apply to an interface but to a machine, so on your laptop you'll have only one default gateway, the one you already have towards 192.168.1.1.
Defining two gateways, so two default routes, will cause problems!
As for the netmask, 255.255.255.0 will be OK, you could use subnets like 255.255.255.240 but, to my mind, it's something to avoid when you don't _have_ to use it.

Quote:

I set the phone IP to 192.168.2.100. I set its gateway to eth0, which is 192.168.2.1
that seems right.

Laz

me3 01-25-2005 01:17 PM

Thanks for replying !

If you've got a reference that says wifi bridging works, I'd love to see it.

re:
A route doesn't apply to an interface but to a machine, so on your laptop you'll have only one default gateway, the one you already have towards 192.168.1.1.
Defining two gateways, so two default routes, will cause problems!
As for the netmask, 255.255.255.0 will be OK, you could use subnets like 255.255.255.240 but, to my mind, it's something to avoid when you don't _have_ to use it.

OK, I'll get rid of the second route. In system-config-network in FC3, routes are attached to devices. Are you sure that one shouldn't have a route on each device ? I'll remove the second route and retest.

quote:
I set the phone IP to 192.168.2.100. I set its gateway to eth0, which is 192.168.2.1

that seems right.

Good. Thanks for the feedback.

me3 01-25-2005 01:26 PM

I removed the second route. Now when I enable eth0, I don't have any internet access. I am going to reconfigure and restart firestarter and see what happens.

fr_laz 01-25-2005 01:42 PM

Re,

when you configure a network interface, you specify an IP & a netmask (for classical IP, such as 192... a default netmask may be used).
ifconfig eth0 192.168.0.80 netmask 255.255.255.0

then, it automatically creates the route, just as if you had typed
route add -net 192.168.0.0 netmask 255.255.255.0 dev eth0

But, a default gateway is the default gw for the whole network layers... so that when the destination IP isn't in an attached network (network directly connected to an interface) it sends the packets to the default gw (so 2 default gateways have no meaning at all).

So yes there's a route for each interface, but not a default one.

good luck

me3 01-25-2005 01:51 PM

Comments below. I wish there was a way to quote quickly and easily on this forum...

Re,
when you configure a network interface, you specify an IP & a netmask (for classical IP, such as 192... a default netmask may be used).
ifconfig eth0 192.168.0.80 netmask 255.255.255.0

>I'm using system-config-network, but yes.

then, it automatically creates the route, just as if you had typed
route add -net 192.168.0.0 netmask 255.255.255.0 dev eth0

>OK, so if I give eth0 an IP of 192.168.2.1, it is automatically going to add route 192.168.2.0. I guess I could check it.

But, a default gateway is the default gw for the whole network layers... so that when the destination IP isn't in an attached network (network directly connected to an interface) it sends the packets to the default gw (so 2 default gateways have no meaning at all).

>Then why does system-config-network allow a bunch of routes to be identified. If there is only one gateway, why do we need a bunch of routes ?

So yes there's a route for each interface, but not a default one.

> OK.

I removed the second route and reconfigured firestarter. As soon as I enable eth0, I lose access to wlan0. I am beginning to suspect firestarter is the problem here, not anything else.

Can you recommend a NATing firewall tool other than firestarter ? Does Guarddog/GuideDog do this ? I find firewallbuilder a bit too buggy and complex.

Matir 01-25-2005 02:40 PM

Quote:

Originally posted by me3
Comments below. I wish there was a way to quote quickly and easily on this forum...

Click the "quote" button.


Quote:

Originally posted by me3
I removed the second route and reconfigured firestarter. As soon as I enable eth0, I lose access to wlan0. I am beginning to suspect firestarter is the problem here, not anything else.

So am I.

Quote:

Originally posted by me3
Can you recommend a NATing firewall tool other than firestarter ? Does Guarddog/GuideDog do this ? I find firewallbuilder a bit too buggy and complex.
Try manipulating iptables directly. Give us the contents of "route" both before and after enabling eth0. Do "iptables -L" and let us know what is displayed.

me3 01-25-2005 02:44 PM

I got NATing working OK now. The issue was having the phone's IP as the default gateway for eth0. That would stop Internet access on wlan0. I removed it and all works well.

So, this is the situation:

a) the phone has access to the SIP server via the laptop NATing.

b) I can call the phone and have a good conversation. I can hang up and everything works OK.

c) I can call out with the phone and have a good conversation. However, when I hang up the phone my laptop freezes up.

Questions:

a) should it be possible for a network device issuing an incorrect network packet to freeze a computer ?

b) how does one trace such a freeze to find the root cause ?

Does this sound like a kernel issue ?

Thanks

me3 01-25-2005 02:55 PM

Quote:

Originally posted by Matir
Try manipulating iptables directly. Give us the contents of "route" both before and after enabling eth0. Do "iptables -L" and let us know what is displayed.
I don't know enough about iptables to do that.

I am going to try removing the default gateway setting from the phone. Maybe the laptop is receiving some sort of connection attempt from the phone it can't handle and crashing that way. I've checked syslogs and there are no entries that suggest any sort of a problem. I just hang up and the laptop dies.

me3 01-25-2005 03:16 PM

Here is another clue: I changed the phone "default router" from the eth0 to 0.0.0.0. The phone couldn't connect to the Internet. I changed it back and again it couldn't connect to the internet. I opened firestarter and even though it had a rule to accept NTP connections, it was disallowing them.

When I changed the default router setting in the phone and rebooted it, it crashed the laptop. No telephone call was involved.

I now suspect that the phone is issuing a request for network service that is crashing the kernel, iptables or firestarter. Firestarter is just an interface, right ? It doesn't actually do anything, right ? Thus either the kernel or iptables is crashing.

I'll dig up info on iptables and report back.

me3 01-25-2005 03:25 PM

Why doesn't this table say anything about eth0 and wlan0 ?

I noticed that firestarter is a service. What exactly does it do at startup ?


/sbin/iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- nsc1.so.xxx.net anywhere tcp flags:!SYN,RST,ACK/SYN
ACCEPT udp -- nsc1.so.xxx.net anywhere
ACCEPT tcp -- nsc2.so.xxx.net anywhere tcp flags:!SYN,RST,ACK/SYN
ACCEPT udp -- nsc2.so.xxx.net anywhere
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere limit: avg 10/sec burst 5
NR all -- !192.168.1.0/24 anywhere
DROP all -- anywhere 255.255.255.255
DROP all -- anywhere 192.168.1.255
DROP all -- BASE-ADDRESS.MCAST.NET/8 anywhere
DROP all -- anywhere BASE-ADDRESS.MCAST.NET/8
DROP all -- 255.255.255.255 anywhere
DROP all -- anywhere 0.0.0.0
DROP all -- anywhere anywhere state INVALID
LS all -f anywhere anywhere limit: avg 10/min burst 5
INBOUND all -- anywhere anywhere
INBOUND all -- anywhere 192.168.2.1
INBOUND all -- anywhere 192.168.1.100
INBOUND all -- anywhere 192.168.2.255
LOG all -- anywhere anywhere LOG level info prefix `Unknown '

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere limit: avg 10/sec burst 5
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
OUTBOUND all -- anywhere anywhere
ACCEPT tcp -- anywhere 192.168.2.0/24 tcp dpts:1024:65535 state RELATED,ESTABLISHED
ACCEPT udp -- anywhere 192.168.2.0/24 udp dpts:1023:65535 state RELATED,ESTABLISHED
LOG all -- anywhere anywhere LOG level info prefix `Unknown '

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 192.168.1.100 nsc1.xxx.net tcp dpt:domain
ACCEPT udp -- 192.168.1.100 nsc1.xxx.net udp dpt:domain
ACCEPT tcp -- 192.168.1.100 nsc2.so.xxx.net tcp dpt:domain
ACCEPT udp -- 192.168.1.100 nsc2.so.xxx.net udp dpt:domain
ACCEPT all -- anywhere anywhere
DROP all -- BASE-ADDRESS.MCAST.NET/8 anywhere
DROP all -- anywhere BASE-ADDRESS.MCAST.NET/8
DROP all -- 255.255.255.255 anywhere
DROP all -- anywhere 0.0.0.0
DROP all -- anywhere anywhere state INVALID
OUTBOUND all -- anywhere anywhere
OUTBOUND all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Unknown '

Chain INBOUND (4 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpts:1024:65535 state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp dpts:1023:65535 state RELATED,ESTABLISHED
ACCEPT all -- 192.168.1.1 anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ntp
ACCEPT udp -- anywhere anywhere udp dpt:ntp
LS all -- anywhere anywhere

Chain LS (91 references)
target prot opt source destination
LOG tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN limit: avg 1/sec burst 5 LOG level info prefix `Inbound '
DROP tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5 LOG level info prefix `Inbound '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST
LOG icmp -- anywhere anywhere icmp echo-request limit: avg 1/sec burst 5 LOG level info prefix `Inbound '
DROP icmp -- anywhere anywhere icmp echo-request
LOG all -- anywhere anywhere limit: avg 5/sec burst 5 LOG level info prefix `Inbound '
DROP all -- anywhere anywhere

Chain NR (1 references)
target prot opt source destination
LS all -- 0.0.0.0/8 192.168.1.0/24
LS all -- 1.0.0.0/8 192.168.1.0/24
LS all -- 2.0.0.0/8 192.168.1.0/24
LS all -- 5.0.0.0/8 192.168.1.0/24
LS all -- 7.0.0.0/8 192.168.1.0/24
LS all -- 10.0.0.0/8 192.168.1.0/24
LS all -- 23.0.0.0/8 192.168.1.0/24
LS all -- 27.0.0.0/8 192.168.1.0/24
LS all -- 31.0.0.0/8 192.168.1.0/24
LS all -- 36.0.0.0/8 192.168.1.0/24
LS all -- 37.0.0.0/8 192.168.1.0/24
LS all -- 39.0.0.0/8 192.168.1.0/24
LS all -- 41.0.0.0/8 192.168.1.0/24
LS all -- 42.0.0.0/8 192.168.1.0/24
LS all -- 49.0.0.0/8 192.168.1.0/24
LS all -- 50.0.0.0/8 192.168.1.0/24
LS all -- 71.0.0.0/8 192.168.1.0/24
LS all -- 72.0.0.0/8 192.168.1.0/24
LS all -- 73.0.0.0/8 192.168.1.0/24
LS all -- 74.0.0.0/8 192.168.1.0/24
LS all -- 75.0.0.0/8 192.168.1.0/24
LS all -- 76.0.0.0/8 192.168.1.0/24
LS all -- 77.0.0.0/8 192.168.1.0/24
LS all -- 78.0.0.0/8 192.168.1.0/24
LS all -- 79.0.0.0/8 192.168.1.0/24
LS all -- 89.0.0.0/8 192.168.1.0/24
LS all -- 90.0.0.0/8 192.168.1.0/24
LS all -- 91.0.0.0/8 192.168.1.0/24
LS all -- 92.0.0.0/8 192.168.1.0/24
LS all -- 93.0.0.0/8 192.168.1.0/24
LS all -- 94.0.0.0/8 192.168.1.0/24
LS all -- 95.0.0.0/8 192.168.1.0/24
LS all -- 96.0.0.0/8 192.168.1.0/24
LS all -- 97.0.0.0/8 192.168.1.0/24
LS all -- 98.0.0.0/8 192.168.1.0/24
LS all -- 99.0.0.0/8 192.168.1.0/24
LS all -- 100.0.0.0/8 192.168.1.0/24
LS all -- 101.0.0.0/8 192.168.1.0/24
LS all -- 102.0.0.0/8 192.168.1.0/24
LS all -- 103.0.0.0/8 192.168.1.0/24
LS all -- 104.0.0.0/8 192.168.1.0/24
LS all -- 105.0.0.0/8 192.168.1.0/24
LS all -- 106.0.0.0/8 192.168.1.0/24
LS all -- 107.0.0.0/8 192.168.1.0/24
LS all -- 108.0.0.0/8 192.168.1.0/24
LS all -- 109.0.0.0/8 192.168.1.0/24
LS all -- 110.0.0.0/8 192.168.1.0/24
LS all -- 111.0.0.0/8 192.168.1.0/24
LS all -- 112.0.0.0/8 192.168.1.0/24
LS all -- 113.0.0.0/8 192.168.1.0/24
LS all -- 114.0.0.0/8 192.168.1.0/24
LS all -- 115.0.0.0/8 192.168.1.0/24
LS all -- 116.0.0.0/8 192.168.1.0/24
LS all -- 117.0.0.0/8 192.168.1.0/24
LS all -- 118.0.0.0/8 192.168.1.0/24
LS all -- 119.0.0.0/8 192.168.1.0/24
LS all -- 120.0.0.0/8 192.168.1.0/24
LS all -- 121.0.0.0/8 192.168.1.0/24
LS all -- 122.0.0.0/8 192.168.1.0/24
LS all -- 123.0.0.0/8 192.168.1.0/24
LS all -- 124.0.0.0/8 192.168.1.0/24
LS all -- 125.0.0.0/8 192.168.1.0/24
LS all -- 126.0.0.0/8 192.168.1.0/24
LS all -- 127.0.0.0/8 192.168.1.0/24
LS all -- 169.254.0.0/16 192.168.1.0/24
LS all -- 172.16.0.0/12 192.168.1.0/24
LS all -- 173.0.0.0/8 192.168.1.0/24
LS all -- 174.0.0.0/8 192.168.1.0/24
LS all -- 175.0.0.0/8 192.168.1.0/24
LS all -- 176.0.0.0/8 192.168.1.0/24
LS all -- 177.0.0.0/8 192.168.1.0/24
LS all -- 178.0.0.0/8 192.168.1.0/24
LS all -- 179.0.0.0/8 192.168.1.0/24
LS all -- 180.0.0.0/8 192.168.1.0/24
LS all -- 181.0.0.0/8 192.168.1.0/24
LS all -- 182.0.0.0/8 192.168.1.0/24
LS all -- 183.0.0.0/8 192.168.1.0/24
LS all -- 184.0.0.0/8 192.168.1.0/24
LS all -- 185.0.0.0/8 192.168.1.0/24
LS all -- 186.0.0.0/8 192.168.1.0/24
LS all -- 187.0.0.0/8 192.168.1.0/24
LS all -- 189.0.0.0/8 192.168.1.0/24
LS all -- 190.0.0.0/8 192.168.1.0/24
LS all -- 192.0.2.0/24 192.168.1.0/24
LS all -- 192.168.0.0/16 192.168.1.0/24
LS all -- 197.0.0.0/8 192.168.1.0/24
LS all -- 198.18.0.0/15 192.168.1.0/24
LS all -- 223.0.0.0/8 192.168.1.0/24
LS all -- BASE-ADDRESS.MCAST.NET/3 192.168.1.0/24

Chain OUTBOUND (3 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere

/sbin/route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.1.1 255.255.255.0 UG 0 0 0 wlan0
192.168.2.0 * 255.255.255.0 U 0 0 0 eth0
192.168.1.0 * 255.255.255.0 U 0 0 0 wlan0
169.254.0.0 * 255.255.0.0 U 0 0 0 wlan0
default 192.168.1.1 0.0.0.0 UG 0 0 0 wlan0

One other thing: when I first added eth0, without changing any routes, wlan0 stopped. When I checked why, the default route had changed.
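
The routing rules fr_laz describes earlier in the thread (one attached-network route per interface, one default gateway per machine), applied to route tables like the one posted above. This is an added example, not part of the original posts. The BROKEN table is constructed from me3's description of the phone being set as eth0's gateway, the function names are hypothetical, and 203.0.113.10 is a documentation address standing in for an Internet host.

```python
import ipaddress

# Constructed table: the state me3 describes, with the phone (192.168.2.100)
# entered as a second default gateway on eth0.
BROKEN = """\
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.2.0 * 255.255.255.0 U 0 0 0 eth0
192.168.1.0 * 255.255.255.0 U 0 0 0 wlan0
default 192.168.2.100 0.0.0.0 UG 0 0 0 eth0
default 192.168.1.1 0.0.0.0 UG 0 0 0 wlan0
"""

# The rows of the table posted above, after the eth0 gateway was removed.
POSTED = """\
default 192.168.1.1 255.255.255.0 UG 0 0 0 wlan0
192.168.2.0 * 255.255.255.0 U 0 0 0 eth0
192.168.1.0 * 255.255.255.0 U 0 0 0 wlan0
169.254.0.0 * 255.255.0.0 U 0 0 0 wlan0
default 192.168.1.1 0.0.0.0 UG 0 0 0 wlan0
"""

def parse_routes(text):
    """Parse /sbin/route output into dicts; a '*' gateway means directly attached."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or f[0] == "Destination":
            continue  # banner, column header or blank line
        dest = "0.0.0.0" if f[0] == "default" else f[0]
        routes.append({
            "net": ipaddress.ip_network(f"{dest}/{f[2]}", strict=False),
            "gw": None if f[1] in ("*", "0.0.0.0") else ipaddress.ip_address(f[1]),
            "metric": int(f[4]),
            "iface": f[7],
        })
    return routes

def lookup(routes, dst):
    """Longest-prefix match; ties go to the lower metric, then the earlier row
    (a simplification of how the kernel orders equal routes)."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r["net"]]
    return max(hits, key=lambda r: (r["net"].prefixlen, -r["metric"])) if hits else None

def audit(routes):
    """Flag more than one default route, and any gateway that does not sit
    on a network attached to the interface it is configured on."""
    findings = []
    defaults = [r for r in routes if r["net"].prefixlen == 0]
    if len(defaults) > 1:
        findings.append("multiple default routes: " + ", ".join(
            f"{r['gw']} via {r['iface']}" for r in defaults))
    attached = [r for r in routes if r["gw"] is None]
    for r in routes:
        if r["gw"] and not any(r["gw"] in a["net"] and a["iface"] == r["iface"] for a in attached):
            findings.append(f"gateway {r['gw']} is not on a network attached to {r['iface']}")
    return findings
```

With the BROKEN table, `lookup` sends Internet-bound traffic to the phone over eth0, which matches the loss of wlan0 connectivity reported in the thread; with the POSTED table the same lookup leaves via 192.168.1.1 on wlan0.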




me3 01-26-2005 01:23 AM

I solved the problem. It turned out to be crashing because I was running ndiswrapper-0.12 with a 4K stack in a stock FC3 2.6.10 kernel.

I downloaded the kernel source and rebuilt the kernel without the 4K stack option and I don't have any more problems.

Matir 01-26-2005 09:12 AM

ndiswrapper requires 8k stack?

me3 01-26-2005 10:15 AM

Yep, ndiswrapper requires an 8K stack. You'll notice a warning about this if you watch the build spewage when you build ndiswrapper for a kernel with a 4K stack.

I've seen this when building ndiswrapper-0.12 for kernel 2.6.10-1.753. (Fedora core kernel, similar to -ac10.) It occurs with earlier kernels too.

BTW: I've got a HOWTO on building a custom kernel if anyone needs it.

Matir 01-26-2005 10:55 AM

Ahhh....
Being a gentoo user, I just 'emerge'd ndiswrapper.... didn't see the warning. Good to know. I'll have to submit a bug report for them to add that as a warning.

On another note, how does 4k/8k stack affect normal processes?


All times are GMT -5.