LinuxQuestions.org
Old 08-07-2003, 01:13 PM   #1
yocompia
Member
 
Registered: Apr 2003
Location: Chicago, IL
Distribution: openbsd 3.6, slackware 10.0
Posts: 244

Rep: Reputation: 30
routing problem, plz help


i've spent about 3 weeks trying to get the wireless network in my apartment to work and need just a bit of assistance, but nobody ever seems to respond to my networking questions when i post them here or in the networking forum. i chose to post here in the slack forum b/c network configuration is slightly different across distros.

bitching aside, i don't know what i need to do to get my routing to work on my wireless AP. this is not an issue specialized to wireless (i believe), so i think all that is required is some basic networking know-how. my situation is as follows:

[conventions: AP = access point (just like a 2nd ethernet card in a router box)]

i have one box w/ a wireless AP and a wired ethernet card that connects via PPPOE over ADSL, and the other box has a wireless card that successfully connects with the AP (pinging both directions works) via DHCP; when i try to ping IPs on the internet from the remote computer, i get nothing; i've enabled IP FORWARDING in my rc.firewall script and added the rule

iptables -A FORWARD -p ALL -i wlan0 -j ACCEPT

to allow forwarding of packets received from the wireless AP; the IPs of the 2 boxes are 192.168.1.10 for the AP (running dhcpd) and 192.168.1.200 for the other (running dhcpcd).

my question is what to do next? do i have to add a route from the wlan0 (AP) to either eth0 or ppp0 (on the AP as well)? i am pretty in-the-dark on routing, so any suggestions would be great.

thx for reading,
y-p
 
Old 08-07-2003, 02:06 PM   #2
Kjetil4455
Member
 
Registered: Jul 2003
Location: Norway/Drammen
Distribution: Slackware~
Posts: 250

Rep: Reputation: 30
wlan enabled in your kernel config?
 
Old 08-07-2003, 02:20 PM   #3
yocompia
Member
 
Registered: Apr 2003
Location: Chicago, IL
Distribution: openbsd 3.6, slackware 10.0
Posts: 244

Original Poster
Rep: Reputation: 30
i have the following options set on the AP kernel:

#
# Wireless LAN (non-hamradio)
#
CONFIG_NET_RADIO=y
# CONFIG_STRIP is not set
# CONFIG_WAVELAN is not set
# CONFIG_ARLAN is not set
# CONFIG_AIRONET4500 is not set
# CONFIG_AIRO is not set
CONFIG_HERMES=m
# CONFIG_PLX_HERMES is not set
CONFIG_PCI_HERMES=m

i don't use either of the hermes/orinoco modules b/c this box runs hostap_pci (i.e. it's an access point, not an adapter). my remote box loads and uses the orinoco_pci module for its adapter.

so i believe i have the wlan option enabled...
 
Old 08-07-2003, 02:22 PM   #4
Kjetil4455
Member
 
Registered: Jul 2003
Location: Norway/Drammen
Distribution: Slackware~
Posts: 250

Rep: Reputation: 30
seems like it. i don't really know, it was just a suggestion. you should try to get a guru's attention
 
Old 08-07-2003, 06:06 PM   #5
yocompia
Member
 
Registered: Apr 2003
Location: Chicago, IL
Distribution: openbsd 3.6, slackware 10.0
Posts: 244

Original Poster
Rep: Reputation: 30
that's a good point, kjetil. maybe i'll try doing something obnoxiously visible if i can't get any help soon.

it's just kinda spirit-crushing to spend dozens of hours reading through various howtos, websites, and documents, and not finding information that gets you closer to solving your problem. i've been at this crap for quite a while and progress is only slow b/c nobody points me in the right direction. you'd figure more ppl in this forum (or networking) would know about setting up wireless networks, DHCP and routing, but nobody wants to dole out any info.

another thing worth noting is that the time of day you post determines your response level to a rather large extent, as the older posts get pushed down in the listings and are sooner ignored. this means that if i am really irritated after trying to make things work/reading and i post in the morning, nobody answers because my post gets pushed to the bottom of the listings by the afternoon/evening. as such, the purpose of this current reply is twofold: (1) to thank you for your suggestion, kjetil (2) to attract attention of more users by pushing this to the top of the list. were it not for the fact that i've already started 3 or 4 threads on topics closely related to this one and gotten no responses, i would not be doing this, but alas, i must.

thx kjetil
 
Old 08-07-2003, 08:26 PM   #6
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
I am far from a network expert, but from reading some of the posts on routing, it looks to me like you don't have it set up quite right. I don't think that just adding the FORWARD table is enough. I think you have to enable forwarding with a separate command (something like echo 1 >/proc/sys/net/ipv4/ip_forward) and then enable NAT and MASQUERADE in iptables with something like:

iptables -t nat -A POSTROUTING -o external_interface -j MASQUERADE

I did a quick search using NAT and MASQUERADE here at LQO, and came up with a bunch of threads like this that talk about setting up a router. These kinds of threads are probably where you want to be looking for help.

And that folks, about finishes off my knowledge of routing.
 
Old 08-07-2003, 09:15 PM   #7
yocompia
Member
 
Registered: Apr 2003
Location: Chicago, IL
Distribution: openbsd 3.6, slackware 10.0
Posts: 244

Original Poster
Rep: Reputation: 30
well, i've already got all that in my rc.firewall script:
(these are all sections of the firewall relevant to the w-lan)

# /proc setup

echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
...
# rules for INPUT

# let ALL w-lan traffic in
$IPTABLES -A INPUT -p ALL -i wlan0 -j ACCEPT
...
# rules for FORWARD

# allow forwarding of w-lan traffic
$IPTABLES -A FORWARD -p ALL -i wlan0 -j ACCEPT
...
# rules for OUTPUT

# allow outgoing signals on w-lan
$IPTABLES -A OUTPUT -p ALL -o wlan0 -j ACCEPT
...
$IPTABLES -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

thx for the link and suggestions, i'll read that link now
y-p
 
Old 08-07-2003, 09:45 PM   #8
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
One more suggestion would be to toss a few log statements into your firewall and see if the packets from wlan0 are traversing your rules the way you think they are.

I'm also not sure how much stock to put in that particular link, but rather to point out that LQO has a lot of threads on routing.

Last edited by Hangdog42; 08-07-2003 at 09:47 PM.
 
Old 08-07-2003, 11:10 PM   #9
yocompia
Member
 
Registered: Apr 2003
Location: Chicago, IL
Distribution: openbsd 3.6, slackware 10.0
Posts: 244

Original Poster
Rep: Reputation: 30
i added the 2 lines that were different from what i had in my iptables:

/sbin/iptables -A FORWARD -i ppp0 -o wlan0 -m state --state ESTABLISHED,RELATED -j ACCEPT

/sbin/iptables -A FORWARD -i wlan0 -o ppp0 -j ACCEPT

but that didn't change anything. i've yet to find where packets are dying in the router for want of my not knowing how to do it easily (do i have to add some logging rules to my script, and if so, where?).

it may be that i'm not setting up the remote box (it runs vanilla slack 9) correctly, but here's what i did:

run /sbin/netconfig; have it connect via a fixed IP where the remote computer's address is 192.168.1.200, the netmask is 255.255.255.0, the gateway is 192.168.1.10 (the AP) and the DNS is 207.141.196.50 (my augmented DNS from the ISP). this does not work

(this above procedure is as outlined in the linked thread in previous post)

one notable (i think) fact is that i can ssh from the remote computer to the AP and from there to the internet.

btw, what did you search for to find that thread? i've spent a bunch of time searching already...
 
Old 08-08-2003, 09:39 AM   #10
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
Adding log statements to your iptables is pretty easy. You just need to add a line like:

iptables -A TABLENAME -p tcp -j LOG --log-prefix "TEXT HERE"

You might not need the -p tcp bit and I'd put a different piece of text in the TEXT HERE for each log rule. The prefix basically allows you to easily find the log entry in syslog and if you change it from rule to rule, will tell you exactly where the logging is happening. By the way, when you start hunting through your syslog for the log entries, grep will be your new best friend. I'd grep on the ip address of the remote computer's IP.

So I would start by putting LOG statements at the end of each of your tables. Iptables uses LOG kind of like DROP, so once a packet matches a LOG rule, it isn't available anymore. That means you always want to put the LOG rule AFTER the point you want to check. For tons of details, check out the iptables tutorial at FrozenTux.


As for the search, I used the logical and to connect the words nat and masquerade, so I typed

nat and masquerade

into the search box and clicked on search. Using and in searches here REALLY can cut down on the noise. Of course, if you use enough ands, you can make it so specific you don't get any results.
 
Old 08-08-2003, 06:51 PM   #11
yocompia
Member
 
Registered: Apr 2003
Location: Chicago, IL
Distribution: openbsd 3.6, slackware 10.0
Posts: 244

Original Poster
Rep: Reputation: 30
i thought that search words had an implied "and" between words, my bad. i'll be explicit from now on.

what i've managed to discern using the LOG target method you suggested:

1) that inbound packets from the remote computer to the AP are accepted by the first rule in the INPUT chain:

# let ALL w-lan traffic in
$IPTABLES -A INPUT -p ALL -i wlan0 -j ACCEPT

2) that there are no packets from the remote box that are bound for the internet; this is seen by pinging external address when the logging rule

# log outgoing w-lan traffic
$IPTABLES -A OUTPUT -p ALL -s 192.168.1.200 -j LOG --log-prefix "from horatio "

is at the beginning of the OUTPUT rules and noting that no log entries are made

3) that no packets from the remote box even enter the FORWARD chain; this is noted as above (no log entries when the following rule is put at the beginning of the FORWARD rules)

# check if forward receives any w-lan packets
$IPTABLES -A FORWARD -p ALL -i wlan0 -j LOG --log-prefix "FORWARD? "

this makes me suspect the following: that i have not routed traffic through the forward chain at all. my suspicion about routing might be correct, so here's the output of route -v -n:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
64.83.120.1     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 wlan0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         64.83.120.1     0.0.0.0         UG    0      0        0 ppp0

i'm confused as to how packets should enter the FORWARD chain...

thx hangdog,
y-p
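
Added example, not part of the thread: a way to tally LOG entries per --log-prefix for one source address, which is the check done by hand in posts #10 and #11. The log lines, the host name `ap` and the prefixes `INPUT wlan` and `OUTPUT wlan` are constructed; matching the exact `SRC=` field avoids counting lines where the address only appears as `DST=` or inside a longer address, which a plain grep on the IP would include.

```shell
#!/bin/sh
# Added example: count netfilter LOG entries per --log-prefix for one source IP.

# Constructed syslog lines (host name "ap" and the prefixes "INPUT wlan" and
# "OUTPUT wlan" are made up; fields abridged).
SAMPLE_LOG='Aug  8 18:40:01 ap kernel: INPUT wlan IN=wlan0 OUT= SRC=192.168.1.200 DST=192.168.1.10 LEN=84 PROTO=ICMP TYPE=8 CODE=0
Aug  8 18:40:01 ap kernel: OUTPUT wlan IN= OUT=wlan0 SRC=192.168.1.10 DST=192.168.1.200 LEN=84 PROTO=ICMP TYPE=0 CODE=0
Aug  8 18:40:02 ap kernel: INPUT wlan IN=wlan0 OUT= SRC=192.168.1.200 DST=192.168.1.10 LEN=84 PROTO=ICMP TYPE=8 CODE=0'

# log_hits LOGTEXT SRC_IP -> one "COUNT<TAB>PREFIX" line per prefix seen
log_hits() {
    printf '%s\n' "$1" | awk -v src="$2" '
    {
        s = index($0, "kernel: ")      # prefix starts after the syslog tag
        e = index($0, "IN=")           # and ends where the LOG fields begin
        if (!s || e <= s) next
        hit = 0
        for (i = 1; i <= NF; i++)
            if ($i == "SRC=" src) hit = 1   # exact field, not a substring
        if (!hit) next
        p = substr($0, s + 8, e - s - 8)
        sub(/ +$/, "", p)
        n[p]++
    }
    END { for (p in n) printf "%d\t%s\n", n[p], p }' | sort
}

# Packets from the remote box show up under the INPUT prefix only;
# no FORWARD prefix appears, matching what post #11 reports.
log_hits "$SAMPLE_LOG" 192.168.1.200
```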
 
Old 08-08-2003, 09:02 PM   #12
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
I hate to jump ship at this point, but I'm on holiday for the next few days.

I suspect you're right about not routing through the FORWARD chain, but since I don't use my linux box as a router, I don't have any practical experience in setting it up.

For what it's worth, your FORWARD rule looks fine. I have no idea why nothing is showing there.
 
Old 08-10-2003, 09:10 PM   #13
yocompia
Member
 
Registered: Apr 2003
Location: Chicago, IL
Distribution: openbsd 3.6, slackware 10.0
Posts: 244

Original Poster
Rep: Reputation: 30
thx for all the help hangdog, but i figured out what i had done incorrectly: i hadn't set a default gateway on my remote computer. all i had to do was issue

route add default gateway 192.168.1.10

and bang, everything works. what a kick in the nuts that was.... i'm so glad my network is finally up

thx for the assistance,
y-p
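
Added example, not part of the thread: a route lookup over `route -n` text showing why nothing reached the router's FORWARD chain. Without a default route the remote box has no route for off-subnet destinations, while the AP itself stays reachable on-link. The router table is the one posted in #11; both client tables and the interface name `eth0` are constructed assumptions.

```shell
#!/bin/sh
# Added example: which route would a host pick for a destination,
# given `route -n` text? The most specific matching netmask wins.

# Router (AP) table as posted in the thread.
ROUTER_TABLE='Destination     Gateway         Genmask         Flags Metric Ref Use Iface
64.83.120.1     0.0.0.0         255.255.255.255 UH    0      0   0   ppp0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0   0   wlan0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0   0   lo
0.0.0.0         64.83.120.1     0.0.0.0         UG    0      0   0   ppp0'

# Constructed: the remote box before the fix (interface name eth0 is assumed).
CLIENT_BEFORE='Destination     Gateway         Genmask         Flags Metric Ref Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0   0   eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0   0   lo'

# Constructed: the same table once a default route via the AP is added.
CLIENT_AFTER="$CLIENT_BEFORE
0.0.0.0         192.168.1.10    0.0.0.0         UG    0      0   0   eth0"

# route_for TABLE DEST -> "via GATEWAY dev IFACE", "direct dev IFACE" or "unreachable"
route_for() {
    printf '%s\n' "$1" | awk -v dst="$2" '
    function ip2int(s,   o) {
        split(s, o, "[.]")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    # Only rows that start with a dotted quad and are flagged Up.
    $1 ~ /^[0-9]+[.][0-9]+[.][0-9]+[.][0-9]+$/ && $4 ~ /U/ {
        mask  = ip2int($3)
        block = 4294967296 - mask      # addresses covered by a contiguous mask
        d     = ip2int(dst)
        if (d - (d % block) == ip2int($1) && (!found || mask > best)) {
            found = 1; best = mask
            hop = ($4 ~ /G/) ? "via " $2 : "direct"
            dev = $8
        }
    }
    END { print (found ? hop " dev " dev : "unreachable") }'
}

# Off-subnet destination (the DNS server from the thread) before and after.
route_for "$CLIENT_BEFORE" 207.141.196.50
route_for "$CLIENT_AFTER"  207.141.196.50
```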
 
  

