#1
Hi there!

I want to try something, but I'm not sure how. I've got a wireless access point (192.168.0.254) that allows all our client machines to talk to each other, and the server it's connected to (192.168.0.1). The server runs DHCP and assigns clients IPs of 192.168.0.2-99.

Now, the wireless AP has an option called client isolation. If I enable it, then all the clients can only see themselves and the server. I want the server to allow them to see each other. I am running ntop on the server, and I want it to monitor the traffic, as well as tc to shape/prioritise it.

What info do you need to help me?

I suppose what is happening is that the server doesn't know that it should send traffic for the 192.168.0.0/24 subnet back out via the interface it picked the traffic up from. How do I tell it to do this?

Thanks
Coenraad Loubser
#2
Coenraad Loubser wrote:
> Hi there!
>
> I want to try something, but I'm not sure how. I've got a wireless access
> point (192.168.0.254) that allows all our client machines to talk to each
> other, and the server it's connected to (192.168.0.1). The server runs DHCP
> and assigns clients IPs of 192.168.0.2-99.
>
> Now, the wireless AP has an option called client isolation. If I enable it,
> then all the clients can only see themselves and the server.
> I want the server to allow them to see each other.
...

This sounds like an AP configuration and certainly not something a DHCP server can arrange other than by assigning IPs -- it has nothing to do with _how_ packets are routed/switched.

> ... I am running ntop on the
> server, and I want it to monitor the traffic, as well as tc to
> shape/prioritise it.

Sounds like you want all traffic to pass through the "server", ie., you want it to function as a router/forwarding host. Yes or no?

> What info do you need to help me?

-- The brand/model of the AP and a link to its user guide would be nice.
-- Is the server connected to a "special" port? Eg., labeled DMZ or Games or Server. Or is the DHCP server built into the AP? Just a separate host?
-- Some hint as to what "client isolation" is meant to be used for. Sounds like the AP is not forwarding packets _between_ hosts, just from hosts to the "server" port. Do their netmasks change depending on which mode is used?
-- Config info below
-- A simple statement of your setup goal and/or purpose.

> I suppose what is happening is that the server doesn't know that it should
> send traffic for the 192.168.0.0/24 subnet back out via the interface it
> picked the traffic up from. How do I tell it to do this?

No need to tell it anything as DHCP servers are _meant_ to reside on the segment for which they dispense IPs. "Special" arrangements only needed when DHCP server is _not_ on the local segment/subnet.

I take it that clients are not getting replies when they ask the DHCP server for network configuration. You may want to sniff the wire with tcpdump or ethereal to see just what packets are showing up and the replies. Double check your dhcpd.conf on the server and make sure the clients are properly asking for DHCP configuration. Check local docs with your distro for file names and locations. Manually configure a host to a static IP and confirm basic connectivity to the server via ping, etc.

If this doesn't shake anything loose, you may have to send server and static client output of:

$ ifcong -a
$ route -n

and perhaps your dhcpd.conf. Clients usually just need a gui button/check box clicked to be set up.

hth,
prg
#3
That is exactly the purpose of client isolation - it prevents the AP from forwarding traffic between hosts. I want to force the traffic through the server so I can shape it and fairly balance it. I don't have any problems with DHCP or anything else. Only one simple requirement: 192.168.0.2 needs to be able to speak to 192.168.0.3 in the following setup. (It works if I turn client isolation off, but then the server doesn't see the traffic!)

    ADSL Router:10.0.0.2
            |
            |10.0.0.3
          SERVER
            |192.168.0.1
            |
      AP:192.168.0.254-------Client:192.168.0.2
            |
            |
      Client:192.168.0.3

I set my default gateway at each client to 10.0.0.2 which is the ADSL router. Maybe I should change it to 192.168.0.1?

> Sounds like you want all traffic to pass through the "server", ie., you
> want it to function as a router/forwarding host. Yes or no?

Yes! That is absolutely correct.

> -- The brand/model of the AP and a link to its user guide would be
> nice.

SENAO SL2611CB3+DX
http://www.miro.co.za/ProductSpecs/SL2611CB3+DX.htm (user guide, everything there... pretty nifty piece of equipment - about a 2km range on its little dipole antenna.)

> -- Is the server connected to a "special" port? Eg., labeled DMZ or
> Games or Server. Or is the DHCP server built into the AP? Just a
> separate host?

No DHCP in the AP; not sure what you mean about the "special" port.

> -- Some hint as to what "client isolation" is meant to be used for.
> Sounds like the AP is not forwarding packets _between_ hosts, just from
> hosts to the "server" port. Do their netmasks change depending on
> which mode is used?

That is correct!

> > I suppose what is happening is that the server doesn't know that it
> > should send traffic for the 192.168.0.0/24 subnet back out via the
> > interface it picked the traffic up from. How do I tell it to do this?
>
> No need to tell it anything as DHCP servers are _meant_ to reside on
> the segment for which they dispense IPs. "Special" arrangements only
> needed when DHCP server is _not_ on the local segment/subnet.

Nothing to do with DHCP I'd say.

> I take it that clients are not getting replies when they ask the DHCP
> server for network configuration. You may want to sniff the wire with

No, they're perfect, fine, dandy, happy...

> Manually configure a host to a static IP and confirm basic connectivity
> to the server via ping, etc.

No need, it works.

> If this doesn't shake anything loose, you may have to send server and
> static client output of:
> $ ifcong -a
> $ route -n
> and perhaps your dhcpd.conf. Clients usually just need a gui
> button/check box clicked to be set up.
>
> hth,
> prg

    www:/srv/www/cgi-bin # wshaper stop
    www:/srv/www/cgi-bin # rcwondershaper stop
    Shutting down wondershaper                                   done
    www:/srv/www/cgi-bin # iptables -t nat -L
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination
    REDIRECT   tcp  --  anywhere             anywhere            tcp dpt:http redir ports 3128

    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination
    www:/srv/www/cgi-bin # ifcong
    -bash: ifcong: command not found
    ;-)
    www:/srv/www/cgi-bin # ifconfig -a
    br0       Link encap:Ethernet  HWaddr 00:08:A1:40:47:B9
              inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
              inet6 addr: fe80::208:a1ff:fe40:47b9/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:3597230 errors:0 dropped:0 overruns:0 frame:0
              TX packets:1883207 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:3018262507 (2878.4 Mb)  TX bytes:1350584539 (1288.0 Mb)

    eth0      Link encap:Ethernet  HWaddr 00:50:FC:82:98:C0
              inet addr:10.0.0.3  Bcast:10.0.0.255  Mask:255.255.255.0
              inet6 addr: fe80::250:fcff:fe82:98c0/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:1647219 errors:0 dropped:0 overruns:0 frame:0
              TX packets:1877632 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:1256094139 (1197.9 Mb)  TX bytes:1512104335 (1442.0 Mb)
              Interrupt:15 Base address:0x6000

    eth1      Link encap:Ethernet  HWaddr 00:E0:4C:77:11:7E
              inet6 addr: fe80::2e0:4cff:fe77:117e/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:566412 errors:0 dropped:0 overruns:0 frame:0
              TX packets:1100344 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:37703511 (35.9 Mb)  TX bytes:1522873073 (1452.3 Mb)
              Interrupt:15 Base address:0x1000

    eth2      Link encap:Ethernet  HWaddr 00:08:A1:40:47:B9
              inet6 addr: fe80::208:a1ff:fe40:47b9/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:3030818 errors:0 dropped:0 overruns:0 frame:0
              TX packets:2396658 errors:0 dropped:0 overruns:0 carrier:0
              collisions:586 txqueuelen:1000
              RX bytes:3038070138 (2897.3 Mb)  TX bytes:1365201778 (1301.9 Mb)
              Interrupt:15 Base address:0xb000

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:49407 errors:0 dropped:0 overruns:0 frame:0
              TX packets:49407 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:5073057 (4.8 Mb)  TX bytes:5073057 (4.8 Mb)

    sit0      Link encap:IPv6-in-IPv4
              NOARP  MTU:1480  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

    www:/srv/www/cgi-bin # route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
    192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
    169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
    127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
    0.0.0.0         10.0.0.2        0.0.0.0         UG    0      0        0 eth0
    www:/srv/www/cgi-bin #

Don't break your head on it! eth0 (10.0.0.3) connects to an ADSL router. eth1+eth2 are tied to br0 (192.168.0.1) where my LAN sits. eth1 connects to a switch and eth2 to the AP, but my Linux machine doesn't need to know this... it just sees br0, LAN.
#4
The default gateway is 192.168.0.1

I just need to know a command to issue on the server to send 192.168.0.0/24 packets back out via br0!!!
#5
Coenraad Loubser wrote:
> The default gateway is 192.168.0.1
>
> I just need to know a command to issue on the server to send 192.168.0.0/24
> packets back out via br0!!!

I'll look more closely at your setup when I get a break today, but for a quick attempt at a fix try:

    $ cat /proc/sys/net/ipv4/conf/default/rp_filter
    1
    # echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter

or just the interface(?):

    # echo 0 > /proc/sys/net/ipv4/conf/[dev_name]/rp_filter

You may have to set /proc/sys/net/ipv4/conf/*/rp_filter = 0 if above not enough. It's been a while since I've had to play with this reverse path filter setting.

    # for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
    > echo 0 > $i
    > done

You may also have to check that the network start up script(s) is not explicitly setting rp_filter=1 if this (rp_filter=0) fixes things.

hth,
prg
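For the setup in post #3 (clients on br0, server 192.168.0.1 as their default gateway, AP isolation on), the settings that decide whether clientA's packet reaches clientB via the server are ip_forward, send_redirects and rp_filter on br0, plus the FORWARD chain the hairpinned traffic now crosses. The script below is an added example written for this thread, not anything posted by its participants: it prints (or with APPLY=1 executes) those settings, keeps rp_filter at 1 on br0 since the 192.168.0.0/24 route already points there, and audits a saved `sysctl -a` dump. The interface and subnet come from the thread; the LAN_HAIRPIN chain, the SMB-blocking rule and the dump format are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): make the server the hop between wireless
# clients that the AP's "client isolation" keeps apart, and audit the settings.
# br0 / 192.168.0.0/24 follow post #3; chain name and policy are assumptions.

LAN_IF="${LAN_IF:-br0}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"

# Dry run by default: print each command. APPLY=1 executes it (needs root).
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

hairpin_setup() {
    # Without forwarding, clientA's packet for clientB dies on the server.
    run sysctl -w net.ipv4.ip_forward=1
    # A packet that enters br0 and leaves br0 toward a host on the same subnet
    # makes the kernel send an ICMP redirect ("reach clientB directly").
    # A client that honors it switches to the direct path, which the AP
    # blocks. send_redirects is enabled if EITHER all or the interface says
    # so, hence both are cleared.
    run sysctl -w "net.ipv4.conf.$LAN_IF.send_redirects=0"
    run sysctl -w net.ipv4.conf.all.send_redirects=0
    # Strict reverse-path filtering stays on for the LAN side: a client that
    # spoofs a 10.0.0.x or Internet source is dropped before it is forwarded.
    run sysctl -w "net.ipv4.conf.$LAN_IF.rp_filter=1"
    # Client-to-client traffic now crosses FORWARD, so this box is the one
    # place to police it (and where ntop/tc on br0 see it). Example policy:
    # no SMB between clients, everything else allowed.
    run iptables -N LAN_HAIRPIN
    run iptables -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -s "$LAN_NET" -d "$LAN_NET" -j LAN_HAIRPIN
    run iptables -A LAN_HAIRPIN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A LAN_HAIRPIN -p tcp --dport 445 -j DROP
    run iptables -A LAN_HAIRPIN -j ACCEPT
}

# Audit a file in "sysctl -a" format ("key = value" per line) against the
# settings above. Prints each mismatch; exit status is the mismatch count.
hairpin_audit() {
    bad=0
    for want in "net.ipv4.ip_forward=1" \
                "net.ipv4.conf.$LAN_IF.send_redirects=0" \
                "net.ipv4.conf.$LAN_IF.rp_filter=1"; do
        key=${want%=*}
        val=${want#*=}
        got=$(sed -n "s/^$key *= *//p" "$1" | head -n 1)
        if [ "$got" != "$val" ]; then
            echo "MISMATCH $key: want $val, have ${got:-<unset>}"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Usage: hairpin_setup            (review the commands)
#        APPLY=1 hairpin_setup    (apply them as root)
#        sysctl -a > /tmp/sysctl.txt; hairpin_audit /tmp/sysctl.txt
```

The dry run is deliberate: review the sysctl and iptables lines before applying them, because the same FORWARD rule that lets the clients reach each other also decides which of their traffic you are willing to relay. If clients still cannot reach each other after this, `tcpdump -ni br0 icmp` while one client pings the other shows whether the packet arrives and whether anything goes back out.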
#6
Thanks!

The rp_filter is/was 0!
Reverse path... hmm... shouldn't I indeed make it 1 for the br0 interface?
#7
Coenraad Loubser wrote:
> Thanks!
>
> The rp_filter is/was 0!
> Reverse path... hmm... shouldn't I indeed make it 1 for the br0 interface?

Yes, I misunderstood the layout on my first, quick read. You can always try changing it, but I don't think this is the problem per se.

Sorry to be so late getting back -- home internet connection went down and remained down before going out of town Sat AM.

I'm still not quite clear just how your AP is connected to the wired lan. I assume your other post describes the Client:192.168.0.2 connection out the AP's single ethernet port to _both_ the lan and Client:192.168.0.2 via switch(?) as you said it was not a wireless connection. Clarify?

Here's my current understanding:

    ADSL Router 10.0.0.2
            |
            | (eth cable)
            |
    10.0.0.3<->SERVER<->192.168.0.1
            ?
            ? (how is this server/AP connection made?)
            ?
    AP:192.168.0.254--(eth?)--Client:192.168.0.2
           /
          / (wireless)
         /
    Client:192.168.0.3

The user guide leaves a _lot_ to be desired for what appears to be a pretty good unit. Suspect it was never meant/marketed as a consumer product. Comparing to newer units out by them (802.11g) I'm not quite sure if this unit can function as a wireless bridge _and_ AP at the same time. Ie., in bridge mode it cannot transmit to client end stations -- just to other bridges or APs. Thus AP mode necessary to connect wireless clients. The guide does mention it functioning as a "repeater" in stand alone setup, but I think this may be a misuse of the term "repeater" as usually applied to wireless devices. Hard to tell though.

The guide/specs indicate a single ethernet (RJ45) connection -- thus my puzzlement as to how the AP is connecting to Client:192.168.0.3 _and_ server. The RJ45 port should be connected to the wired lan (via a switch or a router or forwarding host). In AP mode it acts as a "bridge" (switch) between wireless clients and the wired lan net. It can be part of the lan subnet or it can "bridge" to a separate (wireless clients) subnet if the wired lan provides such a separate subnet. AFAICT, this unit has _no_ routing capability -- it's just a link layer bridge/switch.

It is not at all clear from the guide just what the "Isolation" function is meant for in typical use. Worse yet is that the description goes counter to my notion of "Enabled/Disabled" buttons. At any rate, _I_ assume if it _is_ Enabled, then (multiple) wireless connections are isolated from each other. Ie., packets will not flow between wireless clients, just forwarded from RJ45 side to wireless side (and vice versa). This could be a nice feature when using the AP to "broadcast" a presentation of some sort to wireless clients, eg., classroom or convention meeting. Probably not what you would want on a lan.

I also doubt that you can get around this "Isolation" feature by routing packets from clientA (meant for clientB) to the server and routing them back to AP to be forwarded to clientB. Well, I imagine you could do this but I can't imagine why you would want to. By its very nature, wireless is a _shared_, half-duplex media, so you want to allow _all_ the clients to communicate amongst themselves or you want to allow _no_ inter-client communication. This same situation holds on the local wired segments of a lan (except that you cannot disallow inter-host communications).

The AP offers more than the usual amount of reporting/monitoring, though most of it is geared to maintaining good wireless connections/throughput. Backhauling lan traffic just so you can monitor (wireless inter-client) communications (is that what you are trying to do?) seems like a wrong approach. It's just not in the nature of the shared media as opposed to traffic that "properly" flows into/through a router. Anyway, there are Linux tools available to help monitor wireless traffic. What have you tried?

So much for the AP.

I'm quite unclear about the purpose of running a bridge on the server. While it is possible to do so (IIRC), I've never seen the advantage of running a bridged interface _and_ IP routing on the same box. In fact, I've never seen the advantage of running a Linux bridge at all unless you absolutely must do so. In order for the bridging to work, the interface(s) have to be put into promisc mode (which usually causes IP routing troubles somewhere) and this makes the bridged interface unfriendly to a wireless device. Been a while since I've played with the bridging code, so maybe things have changed.

To be honest, I don't think I've ever seen a setup like yours, and I'm pretty sure I don't "get it" -- have a feeling something eludes my understanding. Main thing I know I don't understand is just what the physical layout is and how packets are intended to be forwarded. Post again if you can clear up anything and think I might be some help. If nothing else, I'll read it and comment -- perhaps that will help something fall into place ;-)

regards,
prg