Acess point with ip_forward causes problem to the ethernet

thankarezosLB · December 20, 2020 at 3:21 PM

I am running librelec on my rasberry pi 4 connected on an external router with 192.168.0.1 gateway.

I have enabled access point so I can use it as a vpn hotspot. I had no intnernet access so I enabled ip_forwading.

Now If i set ip adress manually my ethernet card stays in ready state no matter if I disonect and reconnect, thats easy solvable with Ip binding so I use dhcp.

But it still causes problems. The first one is that I have to diconnect and reconnect ethernet (via menu not physically) to get online

The second one is that it causes interfere to my alexa's tv's wifi. I was playing some music on spotify via alexa and when I was booting it stoped and both tv and alexa dissapeared from spotify for some time. then they came back.

I mostly dont turn off my pi but some times I need to switch to rasberry OS so I will have to reconnect ethernet.

elonesna · December 20, 2020 at 3:39 PM

Try this in /storage/.config/autostart.sh (I use it to connect the zerotier interface with the ethernet interface), it works very well for me.

You will have to find out the name of your hotspot interface (use the ifconfig command) and substitute it in <interface>. If eth0 has another name, change it too.

Code

# bridge <interface> >>> eth0
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i <interface> -o eth0 -j ACCEPT

thankarezosLB · December 20, 2020 at 4:20 PM

Quote from elonesna
Try this in /storage/.config/autostart.sh (I use it to connect the zerotier interface with the ethernet interface), it works very well for me.
You will have to find out the name of your hotspot interface (use the ifconfig command) and substitute it in <interface>. If eth0 has another name, change it too.
Code
# bridge <interface> >>> eth0
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i <interface> -o eth0 -j ACCEPT

Still the same problem. Also I noticed that I if connect to the vpn I dont have internet access via access point, also I dont find where interface name is

elonesna · December 20, 2020 at 4:30 PM

I understand your complaint but you do not provide any information to diagnose the problem. The analysis of ifconfig and route SSH commands can help you find the solution to your problem. Everything works fine for me and when a target (special IP address) is not reachable I add routing rules (route command), everything is very easy. Remember that forwarding and routing rules remain active until the next reboot. If you write two contradictory rules in the same session, it will never work.

thankarezosLB · December 20, 2020 at 5:00 PM

Code

br-129e8c79991e Link encap:Ethernet  HWaddr 02:42:1F:6E:61:ED
inet addr:172.18.0.1  Bcast:172.18.255.255  Mask:255.255.0.0
inet6 addr: fe80::42:1fff:fe6e:61ed/64 Scope:Link
UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
RX packets:18 errors:0 dropped:0 overruns:0 frame:0
TX packets:116 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1688 (1.6 KiB)  TX bytes:29954 (29.2 KiB)


docker0   Link encap:Ethernet  HWaddr 02:42:D8:6C:C1:7D
inet addr:172.17.0.1  Bcast:172.17.255.255  Mask:255.255.0.0
UP BROADCAST MULTICAST  MTU:1500  Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)


eth0      Link encap:Ethernet  HWaddr DC:A6:32:CF:65:A5
inet addr:192.168.0.194  Bcast:192.168.0.255  Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
RX packets:4742 errors:0 dropped:0 overruns:0 frame:0
TX packets:4881 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1651259 (1.5 MiB)  TX bytes:2468022 (2.3 MiB)


lo        Link encap:Local Loopback
inet addr:127.0.0.1  Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING  MTU:65536  Metric:1
RX packets:178 errors:0 dropped:0 overruns:0 frame:0
TX packets:178 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:16314 (15.9 KiB)  TX bytes:16314 (15.9 KiB)


tether    Link encap:Ethernet  HWaddr DC:A6:32:CF:65:A6
inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
inet6 addr: fe80::e088:5cff:fe89:5a6e/64 Scope:Link
UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
RX packets:4091 errors:0 dropped:0 overruns:0 frame:0
TX packets:3404 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2252433 (2.1 MiB)  TX bytes:1423607 (1.3 MiB)


veth852dab3 Link encap:Ethernet  HWaddr 36:4B:2D:38:CC:7F
inet6 addr: fe80::344b:2dff:fe38:cc7f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
RX packets:18 errors:0 dropped:0 overruns:0 frame:0
TX packets:164 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1940 (1.8 KiB)  TX bytes:46464 (45.3 KiB)


wlan0     Link encap:Ethernet  HWaddr DC:A6:32:CF:65:A6
inet6 addr: fe80::dea6:32ff:fecf:65a6/64 Scope:Link
UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
RX packets:4091 errors:0 dropped:0 overruns:0 frame:0
TX packets:3503 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2252433 (2.1 MiB)  TX bytes:1535045 (1.4 MiB)

Display More

Tell me if there are any sensitive information I need to delete. I havent seen my ip in that.

Also I noticed that my devices get 192.168.1.1 gateway. That seems weird because there is a router with different gateway in the way and rasberry pi is acting as a gateway too. wasnt it supposed to be pi's ip or 192.168.0.1 that is the router's ip(not modem's)? I am very familiar with computers but networking is my weak spot.

elonesna · December 20, 2020 at 5:38 PM

I have not seen sensitive information. You have a lot of interfaces which is normal when docker is installed. That there is more than one gateway is also normal but there will only be one gateway that has an Internet connection, it will be the router.

If you want to establish a route to the internet for unresolved IP addresses you can write:

route add -net 0.0.0.0 netmask 0.0.0.0 gw <router-ip>

Another thing: The interfaces of a device (which can be many) do not see each other, to do this you have to establish forwarding rules (iptables commands). If you want the rules to be absolutely bidirectional you have to remove "iptables -A FORWARD -m conntrack --ctstate RELATED, ESTABLISHED -j ACCEPT" and put instead "iptables -A FORWARD -i eth0 -o <interface> -j ACCEPT ".

If you have problems with docker services, they can be solved very easily by adding the parameter "--net=host" during the creation of the container, in this case the listening ports of the service can interfere with those of LE.

More examples:

Suppose device 192.168.10.12 wants to access device 192.168.20.45. Both domains 192.168.10.0/24 and 192.168.20.0/24 join in a third device with two interfaces and addresses 192.168.10.88 and 192.168.20.98.

In the device 192.168.10.12, a routing rule must be established "route add -net 192.168.20.0 netmask 255.255.255.0 gw 192.168.10.88". And in the device 192.168.10.88 and 192.168.20.98 we will have to establish forwarding rules to create a bridge between domains.

thankarezosLB · December 20, 2020 at 6:10 PM

when I do "route add -net 0.0.0.0 netmask 0.0.0.0 gw 192.168.0.1" I get file aready exists

Also I still dont understand what should i put in <interface> is it tether?

elonesna · December 20, 2020 at 6:46 PM

Your device has the address 192.168.0.194 on the eth0 interface whose domain matches the router.

Your device also has the address 192.168.1.1 on the tether interface.

Your device knows that the exit route to the internet is 192.168.0.1 because the router told it through dhcp or you told it with the manual address assignment.

For a device 192.168.1.2 in the 192.168.1.0/24 domain to know how to go to the internet, it will be necessary to establish a route to 192.168.1.1. This is done by manually setting the tether connection parameters (gateway = 192.168.1.1) for the device 192.168.1.2. But this is not enough because it is also necessary to bridge 192.168.1.1. For example like this in the 192.168.1.1 device:

# bridge tether <-> eth0

echo 1 > /proc/sys/net/ipv4/ip_forward

echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

iptables -A FORWARD -i eth0 -o tether -j ACCEPT

iptables -A FORWARD -i tether -o eth0 -j ACCEPT

thankarezosLB · December 20, 2020 at 7:14 PM

Well, the problem was my VPN provider after all, i asked them, they block tethering. Are there any workarounds? My hunch says that bridging ethernet with tether will do the trick right?

I found this that was bridging my gateway with tether and tether had internet with vpn enabled but it had my normal ip. Can I modify it to pass through vpn?

Code

1.Configure a static ip address, gateway for ethernet

(my values, ip-address 192.168.1.14, gateway 192.168.1.73)

2.Enable tethered and assign a SSID name and password

3. Add the following lines to .config/autostart.sh:



# create a bridge interface with name br0

ip link add name br0 type bridge

ip link set br0 up



# assign eth0 to the bridge

ip link set eth0 up

ip link set eth0 master br0



# move ip address to br0 (replace with your own ip address)

ip addr del 192.168.1.14/24 dev eth0

ip addr add 192.168.1.14/24 dev br0

# make sure we have an internet gateway (replace ip address with your own)

route add -net default gw 192.168.1.73



# assign wlan0 to the bridge

ip link set wlan0 master br0

Display More

elonesna · December 20, 2020 at 7:40 PM

I do not understand what the problem is. My question is where do you install the VPN client? If you are installing it on a tether client, for example 192.168.1.2, there should be no problem and you should follow the instructions above. Otherwise, you must repeat the previous steps with the VPN service installed and do an analysis again.

There is no reason for your VPN provider to block the connection unless it counts the number of connected devices. The provider has no means of knowing if you are using tether or not, it can only count the number of connected devices with the same public IP address.

thankarezosLB · December 20, 2020 at 8:41 PM

I installed vpn via vpn manager on kodi. Yes they blocked it and they count my devices. They stated that they block tethering to avoid sharing. I havent maxed my device count either.