Bridging wireless and wired network

Guys,

I have just got a wireless access point that plugs into a switch. My
setup is like this:

Linux box performing NAT using two ethernet cards on 192.168.0.1 allows
PCs on 192.168.0.2 and 3 to see the internet - this works fine using
iptables.

I have the wireless access point on the same switch at 192.168.0.50 and
it is giving my laptop an IP of 169.254.5.126 on the wireless side.

If I attempt to ping 192.168.0.1 from the wireless, I can see the
lights flicker on the wireless gateway, and the lights on the switch
that 192.168.0.1 is connected to, but I never get a reply.

I have set the default gateway on the access point to 192.168.0.1, but
I cannot see the internet from the wireless network at all.

I know I need to setup some sort of routes, but I dont know what or
where! Can anyone help?

(E-Mail Removed) wrote:
> Guys,
>
> I have just got a wireless access point that plugs into a switch. My
> setup is like this:
>
> Linux box performing NAT using two ethernet cards on 192.168.0.1 allows
> PCs on 192.168.0.2 and 3 to see the internet - this works fine using
> iptables.
>
> I have the wireless access point on the same switch at 192.168.0.50 and
> it is giving my laptop an IP of 169.254.5.126 on the wireless side.
>
> If I attempt to ping 192.168.0.1 from the wireless, I can see the
> lights flicker on the wireless gateway, and the lights on the switch
> that 192.168.0.1 is connected to, but I never get a reply.
>
> I have set the default gateway on the access point to 192.168.0.1, but
> I cannot see the internet from the wireless network at all.
>
> I know I need to setup some sort of routes, but I dont know what or
> where! Can anyone help?

O O
| |
+-----+ ^ ^ +-------+ +-+----+-+ +--------+ /######\
+ NTB +-1-/ \-2-+ WI-FI +-3---+ SWITCH +---4-+ ROUTER +-5-+@#$#@#|
+-----+ +-------+ +--------+ +--------+ \######/

1 is 169.254.5.126
2 is 169.254.something
3 is 192.168.0.50
4 is 192.168.0.1

You need WI-FI act either {both as a router and snat, i.e. L3 -- there's
something broken with snat setup on WI-FI} or {as a simple switch, i.e. L2 --
then you will have on 1 and 2 interfaces 192.168.0/24 subnet too}. What traffic
is on the 4th interface, when you pinging from WI-FI? And what from NTB? (I.e.
what does wireshark/tcpdump/tshark/whatever say?)

regards,
--
http://www.fi.muni.cz/~xslaby/ Jiri Slaby

Jiri Slaby wrote:

> (E-Mail Removed) wrote:
> > Guys,
> >
> > I have just got a wireless access point that plugs into a switch. My
> > setup is like this:
> >
> > Linux box performing NAT using two ethernet cards on 192.168.0.1 allows
> > PCs on 192.168.0.2 and 3 to see the internet - this works fine using
> > iptables.
> >
> > I have the wireless access point on the same switch at 192.168.0.50 and
> > it is giving my laptop an IP of 169.254.5.126 on the wireless side.
> >
> > If I attempt to ping 192.168.0.1 from the wireless, I can see the
> > lights flicker on the wireless gateway, and the lights on the switch
> > that 192.168.0.1 is connected to, but I never get a reply.
> >
> > I have set the default gateway on the access point to 192.168.0.1, but
> > I cannot see the internet from the wireless network at all.
> >
> > I know I need to setup some sort of routes, but I dont know what or
> > where! Can anyone help?
>
> O O
> | |
> +-----+ ^ ^ +-------+ +-+----+-+ +--------+ /######\
> + NTB +-1-/ \-2-+ WI-FI +-3---+ SWITCH +---4-+ ROUTER +-5-+@#$#@#|
> +-----+ +-------+ +--------+ +--------+ \######/
>
> 1 is 169.254.5.126
> 2 is 169.254.something
> 3 is 192.168.0.50
> 4 is 192.168.0.1
>
> You need WI-FI act either {both as a router and snat, i.e. L3 -- there's
> something broken with snat setup on WI-FI} or {as a simple switch, i.e. L2 --
> then you will have on 1 and 2 interfaces 192.168.0/24 subnet too}. What traffic
> is on the 4th interface, when you pinging from WI-FI? And what from NTB? (I.e.
> what does wireshark/tcpdump/tshark/whatever say?)

OK, tcp dump shows


15:36:04.683251 IP 169.254.5.126 > 192.168.0.1: icmp 64: echo request
seq 297

So it looks like the access point is taking whatever comes in on WiFi
and mirroring it on its wired interface, so machine 192.168.0.1 is
attempting to reply to 169.252.5.126 but probably cannot find that
address as its on a different subnet.

Do i need to setup a route so that anything going to 169.252.5.X is
sent to 192.168.0.5 (ie point 3 in the diagram above)?

Netstat -rn shows:

Destination Gateway Genmask Flags MSS Window
irtt Iface
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0
0 eth0
my.pub.ip 0.0.0.0 255.255.252.0 U 0 0 0
eth1
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0
0 eth1
0.0.0.0 82.29.240.1 0.0.0.0 UG 0 0
0 eth1

I didn't add that route for 169.254.0.0 so I am not sure how it got
there!

stephen.odonn...@gmail.com wrote:

> Jiri Slaby wrote:
>
> > (E-Mail Removed) wrote:
> > > Guys,
> > >
> > > I have just got a wireless access point that plugs into a switch. My
> > > setup is like this:
> > >
> > > Linux box performing NAT using two ethernet cards on 192.168.0.1 allows
> > > PCs on 192.168.0.2 and 3 to see the internet - this works fine using
> > > iptables.
> > >
> > > I have the wireless access point on the same switch at 192.168.0.50 and
> > > it is giving my laptop an IP of 169.254.5.126 on the wireless side.
> > >
> > > If I attempt to ping 192.168.0.1 from the wireless, I can see the
> > > lights flicker on the wireless gateway, and the lights on the switch
> > > that 192.168.0.1 is connected to, but I never get a reply.
> > >
> > > I have set the default gateway on the access point to 192.168.0.1, but
> > > I cannot see the internet from the wireless network at all.
> > >
> > > I know I need to setup some sort of routes, but I dont know what or
> > > where! Can anyone help?
> >
> > O O
> > | |
> > +-----+ ^ ^ +-------+ +-+----+-+ +--------+ /######\
> > + NTB +-1-/ \-2-+ WI-FI +-3---+ SWITCH +---4-+ ROUTER +-5-+@#$#@#|
> > +-----+ +-------+ +--------+ +--------+ \######/
> >
> > 1 is 169.254.5.126
> > 2 is 169.254.something
> > 3 is 192.168.0.50
> > 4 is 192.168.0.1
> >
> > You need WI-FI act either {both as a router and snat, i.e. L3 -- there's
> > something broken with snat setup on WI-FI} or {as a simple switch, i.e. L2 --
> > then you will have on 1 and 2 interfaces 192.168.0/24 subnet too}. What traffic
> > is on the 4th interface, when you pinging from WI-FI? And what from NTB? (I.e.
> > what does wireshark/tcpdump/tshark/whatever say?)
>
> OK, tcp dump shows
>
>
> 15:36:04.683251 IP 169.254.5.126 > 192.168.0.1: icmp 64: echo request
> seq 297
>
> So it looks like the access point is taking whatever comes in on WiFi
> and mirroring it on its wired interface, so machine 192.168.0.1 is
> attempting to reply to 169.252.5.126 but probably cannot find that
> address as its on a different subnet.
>
> Do i need to setup a route so that anything going to 169.252.5.X is
> sent to 192.168.0.5 (ie point 3 in the diagram above)?
>
> Netstat -rn shows:
>
> Destination Gateway Genmask Flags MSS Window
> irtt Iface
> 192.168.0.0 0.0.0.0 255.255.255.0 U 0 0
> 0 eth0
> my.pub.ip 0.0.0.0 255.255.252.0 U 0 0 0
> eth1
> 169.254.0.0 0.0.0.0 255.255.0.0 U 0 0
> 0 eth1
> 0.0.0.0 82.29.240.1 0.0.0.0 UG 0 0
> 0 eth1
>
> I didn't add that route for 169.254.0.0 so I am not sure how it got
> there!

Also, when I attempt to ping 169.254.5.126 from 192.168.0.1, it returns

>From my.public.ip icmp_seq=1 Destination Host Unreachable

So it looks like my setup is attempting to route traffic to teh 169.254
subnet onto the internet.

(E-Mail Removed) wrote:
> Guys,
>
> I have just got a wireless access point that plugs into a switch. My
> setup is like this:
>
> Linux box performing NAT using two ethernet cards on 192.168.0.1 allows
> PCs on 192.168.0.2 and 3 to see the internet - this works fine using
> iptables.
>
> I have the wireless access point on the same switch at 192.168.0.50 and
> it is giving my laptop an IP of 169.254.5.126 on the wireless side.
^^^^^^^^^^^^^
This is probably the culprit. It's a zeroconf address which should not
be used here. For details, Google on 'zeroconf'.

The address should never be given by any server, including the access
point. Please check that your access point gives a sensible address
instead. There are basicalloy two approaches:

- keep wired and wireless network in the same subnet by setting
the access point to act as a bridge only, or

- give an own RFC 1918 subnet to the wireless link and set up
the access point to route it properly, maybe with NAT.

I'm using the first approach on my network (172.19.19.xxx).

HTH

--

Tauno Voipio
tauno voipio (at) iki fi

(E-Mail Removed) wrote:
> Jiri Slaby wrote:
>> You need WI-FI act either {both as a router and snat, i.e. L3 -- there's
>> something broken with snat setup on WI-FI} or {as a simple switch, i.e. L2 --
>> then you will have on 1 and 2 interfaces 192.168.0/24 subnet too}. What traffic
>> is on the 4th interface, when you pinging from WI-FI? And what from NTB? (I.e.
>> what does wireshark/tcpdump/tshark/whatever say?)
>
> OK, tcp dump shows
>
>
> 15:36:04.683251 IP 169.254.5.126 > 192.168.0.1: icmp 64: echo request
> seq 297

And the other way? Are there any 169.254.5.126 arp whois requests or something?

> So it looks like the access point is taking whatever comes in on WiFi
> and mirroring it on its wired interface, so machine 192.168.0.1 is
> attempting to reply to 169.252.5.126 but probably cannot find that
> address as its on a different subnet.
>
> Do i need to setup a route so that anything going to 169.252.5.X is
> sent to 192.168.0.5 (ie point 3 in the diagram above)?
>
> Netstat -rn shows:
>
> Destination Gateway Genmask Flags MSS Window
> irtt Iface
> 192.168.0.0 0.0.0.0 255.255.255.0 U 0 0
> 0 eth0
> my.pub.ip 0.0.0.0 255.255.252.0 U 0 0 0
> eth1
> 169.254.0.0 0.0.0.0 255.255.0.0 U 0 0
> 0 eth1
> 0.0.0.0 82.29.240.1 0.0.0.0 UG 0 0
> 0 eth1
>
> I didn't add that route for 169.254.0.0 so I am not sure how it got
> there!

Hmm, that address is from rfc for local PCs (bound with non-DHCP nets), try to
change the net to something other and then do something like this
ip route add THE_NEW_NET/MASK via 192.168.1.50 dev eth1
on box with 192.168.0.1. You may try to use THE_NEW_NET=169.254 and MASK=16 with
an unknown result.

regards,
--
http://www.fi.muni.cz/~xslaby/ Jiri Slaby

Tauno Voipio wrote:

> (E-Mail Removed) wrote:
> > Guys,
> >
> > I have just got a wireless access point that plugs into a switch. My
> > setup is like this:
> >
> > Linux box performing NAT using two ethernet cards on 192.168.0.1 allows
> > PCs on 192.168.0.2 and 3 to see the internet - this works fine using
> > iptables.
> >
> > I have the wireless access point on the same switch at 192.168.0.50 and
> > it is giving my laptop an IP of 169.254.5.126 on the wireless side.
> ^^^^^^^^^^^^^
> This is probably the culprit. It's a zeroconf address which should not
> be used here. For details, Google on 'zeroconf'.
>
> The address should never be given by any server, including the access
> point. Please check that your access point gives a sensible address
> instead. There are basicalloy two approaches:
>
> - keep wired and wireless network in the same subnet by setting
> the access point to act as a bridge only, or
>
> - give an own RFC 1918 subnet to the wireless link and set up
> the access point to route it properly, maybe with NAT.
>
> I'm using the first approach on my network (172.19.19.xxx).
>
> HTH
>
> --
>
> Tauno Voipio
> tauno voipio (at) iki fi

OK, I don't think I can change the config of the access point. There
is nothing in the menus that lets me control the IP addresses it is
handing out, which seems strange.

If that address is zeroconfig and should not be use, then I take it its
not a good idea to change my wired network to work on that subnet?

I must have a hunt for a firmware upgrade for this thing to see if that
gives me any more options.

Jiri Slaby wrote:

> (E-Mail Removed) wrote:
> > Jiri Slaby wrote:
> >> You need WI-FI act either {both as a router and snat, i.e. L3 -- there's
> >> something broken with snat setup on WI-FI} or {as a simple switch, i.e. L2 --
> >> then you will have on 1 and 2 interfaces 192.168.0/24 subnet too}. What traffic
> >> is on the 4th interface, when you pinging from WI-FI? And what from NTB? (I.e.
> >> what does wireshark/tcpdump/tshark/whatever say?)
> >
> > OK, tcp dump shows
> >
> >
> > 15:36:04.683251 IP 169.254.5.126 > 192.168.0.1: icmp 64: echo request
> > seq 297
>
> And the other way? Are there any 169.254.5.126 arp whois requests or something?

OK, here is the complete log - I cannot see any whois requests for
169....


16:54:42.392310 fe80::217:f2ff:fe51:77a0 > ff02::2: icmp6: router
solicitation
16:54:42.415069 arp who-has 192.168.0.1 tell 169.254.5.126
16:54:42.415096 arp reply 192.168.0.1 is-at 00:13:8f:4e:4b:82
16:54:42.417611 IP 169.254.5.126 > 192.168.0.1: icmp 64: echo request
seq 0
16:54:43.415101 IP 169.254.5.126 > 192.168.0.1: icmp 64: echo request
seq 1
16:54:43.954229 IP 169.254.5.126.5353 > 224.0.0.251.5353: 0*- [0q]
9/0/0[|domain]
16:54:43.954464 fe80::217:f2ff:fe51:77a0.5353 > ff02::fb.5353: 0*-
[0q] 9/0/0[|domain]
16:54:44.415275 IP 169.254.5.126 > 192.168.0.1: icmp 64: echo request
seq 2
16:54:45.415469 IP 169.254.5.126 > 192.168.0.1: icmp 64: echo request
seq 3
16:54:46.415706 IP 169.254.5.126 > 192.168.0.1: icmp 64: echo request
seq 4
16:54:46.955368 IP 169.254.5.126.5353 > 224.0.0.251.5353: 0
[5q][|domain]
16:54:46.955536 fe80::217:f2ff:fe51:77a0.5353 > ff02::fb.5353: 0
[5q][|domain]
16:54:47.415909 IP 169.254.5.126 > 192.168.0.1: icmp 64: echo request
seq 5
16:54:47.971194 arp who-has cache2.ntli.net tell 169.254.5.126
16:54:48.416115 IP 169.254.5.126 > 192.168.0.1: icmp 64: echo request
seq 6
16:54:49.416331 IP 169.254.5.126 > 192.168.0.1: icmp 64: echo request
seq 7
16:54:49.594101 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP,
Request from 00:17:f2:51:77:a0, length: 300
16:54:50.416433 fe80::217:f2ff:fe51:77a0 > ff02::2: icmp6: router
solicitation
16:54:50.416603 IP 169.254.5.126 > 192.168.0.1: icmp 64: echo request
seq 8
16:54:51.416571 IP 169.254.5.126 > 192.168.0.1: icmp 64: echo request
seq 9
16:54:52.692195 IP 192.168.0.2.1903 > 192.168.0.1.ssh: P 53:105(52) ack
132 win 64727
16:54:52.692240 IP 192.168.0.1.ssh > 192.168.0.2.1903: . ack 105 win
8576


>
> > So it looks like the access point is taking whatever comes in on WiFi
> > and mirroring it on its wired interface, so machine 192.168.0.1 is
> > attempting to reply to 169.252.5.126 but probably cannot find that
> > address as its on a different subnet.
> >
> > Do i need to setup a route so that anything going to 169.252.5.X is
> > sent to 192.168.0.5 (ie point 3 in the diagram above)?
> >
> > Netstat -rn shows:
> >
> > Destination Gateway Genmask Flags MSS Window
> > irtt Iface
> > 192.168.0.0 0.0.0.0 255.255.255.0 U 0 0
> > 0 eth0
> > my.pub.ip 0.0.0.0 255.255.252.0 U 0 0 0
> > eth1
> > 169.254.0.0 0.0.0.0 255.255.0.0 U 0 0
> > 0 eth1
> > 0.0.0.0 82.29.240.1 0.0.0.0 UG 0 0
> > 0 eth1
> >
> > I didn't add that route for 169.254.0.0 so I am not sure how it got
> > there!
>
> Hmm, that address is from rfc for local PCs (bound with non-DHCP nets), try to
> change the net to something other and then do something like this
> ip route add THE_NEW_NET/MASK via 192.168.1.50 dev eth1
> on box with 192.168.0.1. You may try to use THE_NEW_NET=169.254 and MASK=16 with
> an unknown result.

Trying to add the route you suggested didnt work:

[root ~]# ip route add 169.254/16 via 192.169.0.50 dev eth1
RTNETLINK answers: Network is unreachable

(E-Mail Removed) wrote:
> Tauno Voipio wrote:
>
>
>>(E-Mail Removed) wrote:
>>
>>>Guys,
>>>
>>>I have just got a wireless access point that plugs into a switch. My
>>>setup is like this:
>>>
>>>Linux box performing NAT using two ethernet cards on 192.168.0.1 allows
>>>PCs on 192.168.0.2 and 3 to see the internet - this works fine using
>>>iptables.
>>>
>>>I have the wireless access point on the same switch at 192.168.0.50 and
>>>it is giving my laptop an IP of 169.254.5.126 on the wireless side.
>>
>> ^^^^^^^^^^^^^
>>This is probably the culprit. It's a zeroconf address which should not
>>be used here. For details, Google on 'zeroconf'.
>>
>>The address should never be given by any server, including the access
>>point. Please check that your access point gives a sensible address
>>instead. There are basicalloy two approaches:
>>
>> - keep wired and wireless network in the same subnet by setting
>> the access point to act as a bridge only, or
>>
>> - give an own RFC 1918 subnet to the wireless link and set up
>> the access point to route it properly, maybe with NAT.
>>
>>I'm using the first approach on my network (172.19.19.xxx).
>>
>>HTH
>>
>>--
>>
>>Tauno Voipio
>>tauno voipio (at) iki fi
>
>
> OK, I don't think I can change the config of the access point. There
> is nothing in the menus that lets me control the IP addresses it is
> handing out, which seems strange.
>
> If that address is zeroconfig and should not be use, then I take it its
> not a good idea to change my wired network to work on that subnet?
>
> I must have a hunt for a firmware upgrade for this thing to see if that
> gives me any more options.
>

Are you sure that the access point gives any IP address at all?

Many systems, Windows and Mac OSX included, will configure a
zeroconf address if nothing else is available. This is true for
some Linux distributions as well.

--

Tauno Voipio
tauno voipio (at) iki fi

>
> Are you sure that the access point gives any IP address at all?
>
> Many systems, Windows and Mac OSX included, will configure a
> zeroconf address if nothing else is available. This is true for
> some Linux distributions as well.
>
> --
>
> Tauno Voipio
> tauno voipio (at) iki fi

Good question - how can I tell? The OS is Mac OS. It connects to the
wireless network successfully but my routing table looks a bit strange
with entries like

Inet dest | Gateway | flags | Use | NetIF
169.254 | link#5 | UCS | 0 | en1