<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Hello everyone.</p>
<p>I would like to ask for help with the issue I'm struggling with
for two weeks.<br>
After a large system upgrade (didn't notice unattended upgrades
failing due the upgrade prompt for a long time), my Freedombox
router stopped allowing client computers to connect to it and to
the internet; DHCP request were ignored.<br>
</p>
<p>Everything else worked, Freedombox itself had the internet
connection, I was able to connect to all provided services from
the <b>external</b> network and so reach Plinth and shell via
ssh.<br>
I was eventually able to get the DHCP working (by manually
allowing the service in firewalld), but not the connection to the
internet.<br>
</p>
<p><b>My network setup:</b><br>
<tt><WAN> -- <Modem> -- <Freedombox> --
<LAN></tt></p>
<p><LAN> is connected to Fbx through two separate interfaces -
wired and wireless, both set as internal zone in firewall.<br>
LAN connections are both using "Shared" ipv4 setting; no settings
were adjusted.<br>
</p>
<p><b>Freedombox System:</b><br>
Debian GNU/Linux buster/sid and FreedomBox version 0.39.0. <br>
</p>
<p>I'm not filling bug report, as this may have been caused by
something I've chosen during the manual system upgrade - I'm just
not able to pinpoint it yet.<br>
</p>
<p>Regards,<br>
D.</p>
<p><br>
</p>
<hr width="100%" size="2"><b>PS:</b> Many details about what I've
tried follow.
<p>1. I've inspected the outputs of tcpdump and dhcpdump when trying
to obtain the IP address. These showed many DHCP requests with no
reply.</p>
<p>2. Inspected the logs for dnsmasq outputs:<br>
<tt>grep -ir --exclude-dir=dist-upgrade dnsmasq /var/log/</tt><br>
These contained requests in various stages - DHCPREQUEST, DHCPACK
... - in the past, but not in the present.</p>
<p>3. Manually drilled a hole in the firewall for dhcp:<br>
<tt><span style="color:#000000;background-color:#ffffff;">firewall-cmd
--zone=internal --permanent --add-service=dhcp</span></tt><tt><br>
</tt><tt><span style="color:#000000;background-color:#ffffff;">firewall-cmd
--zone=internal --add-service=dhcp</span></tt></p>
<p><span style="color:#000000;background-color:#ffffff;">This
worked. DHCP requests were fulfilled now. I've compared the
settings file with the backup I had from before - this setting
was not present and needed before.<br>
Now I could connect to the box from the internal network, but
weren't allowed further, to the internet.</span></p>
<p><span style="color:#000000;background-color:#ffffff;">4. Due to
the previous step, I've suspected firewall, so I've enabled the
logging via:<br>
<tt>firewall-cmd --set-log-denied=all</tt></span></p>
<p><span style="color:#000000;background-color:#ffffff;">Systemlog
was now filled with notifications of rejected packets from the
LAN, like this one:<br>
<tt>FreedomBox kernel: [49255.732023] FINAL_REJECT: IN=wlp5s0
OUT=enp3s0 MAC=f0:42:1c:cb:33:ec:94:87:e0:69:80:ce:08:00
SRC=10.42.0.8 8 DST=206.81.26.84 LEN=60 TOS=0x00 PREC=0x00
TTL=63 ID=34843 DF PROTO=TCP SPT=48731 DPT=443 WINDOW=65535
RES=0x00 SYN URGP=0</tt></span></p>
<p><span style="color:#000000;background-color:#ffffff;">5. I've
inspected iptables rules with:</span><br>
<tt><span style="color:#000000;background-color:#ffffff;">iptables
-L -v -n</span></tt></p>
<p><span style="color:#000000;background-color:#ffffff;">and seen
following suspicious rules in the FORWARD chain:</span></p>
<p><span style="color:#000000;background-color:#ffffff;"><tt>0 0
REJECT all -- * wlp5s0 0.0.0.0/0 0.0.0.0/0 reject-with
icmp-port-unreachable </tt><tt><br>
</tt><tt> 0 0 REJECT all -- wlp5s0 * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-port-unreachable</tt> <br>
</span></p>
<p><span style="color:#000000;background-color:#ffffff;">6. I
thought I've nailed it, but dropping one or both of them had no
effect on packet rejection :(<br>
Systemlog is still full of FINAL_REJECT notices, both from this
interface and protocol and others (docker, ipv6, udp...)</span></p>
<p><span style="color:#000000;background-color:#ffffff;">7. I've
deleted and recreated the LAN wifi connection => no change.</span></p>
<p><span style="color:#000000;background-color:#ffffff;">8. I've
tried the same diagnosis using the wired adapter, behavior seems
to be the same.</span></p>
<p><span style="color:#000000;background-color:#ffffff;"></span></p>
<hr width="100%" size="2">
<p>Even more details, my current iptables settings as output by
iptables-save:</p>
<p><tt># Generated by iptables-save v1.6.2 on Mon Oct 8 11:28:12
2018</tt><tt><br>
</tt><tt>*nat</tt><tt><br>
</tt><tt>:PREROUTING ACCEPT [1252:205947]</tt><tt><br>
</tt><tt>:INPUT ACCEPT [37:2884]</tt><tt><br>
</tt><tt>:OUTPUT ACCEPT [353:48088]</tt><tt><br>
</tt><tt>:POSTROUTING ACCEPT [353:48088]</tt><tt><br>
</tt><tt>:DOCKER - [0:0]</tt><tt><br>
</tt><tt>-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER</tt><tt><br>
</tt><tt>-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL
-j DOCKER</tt><tt><br>
</tt><tt>-A POSTROUTING -s 172.18.0.0/16 ! -o br-699ed9280e00 -j
MASQUERADE</tt><tt><br>
</tt><tt>-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j
MASQUERADE</tt><tt><br>
</tt><tt>-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp
-m tcp --dport 5432 -j MASQUERADE</tt><tt><br>
</tt><tt>-A DOCKER -i br-699ed9280e00 -j RETURN</tt><tt><br>
</tt><tt>-A DOCKER -i docker0 -j RETURN</tt><tt><br>
</tt><tt>-A DOCKER ! -i docker0 -p tcp -m tcp --dport 15432 -j
DNAT --to-destination 172.17.0.2:5432</tt><tt><br>
</tt><tt>COMMIT</tt><tt><br>
</tt><tt># Completed on Mon Oct 8 11:28:12 2018</tt><tt><br>
</tt><tt># Generated by iptables-save v1.6.2 on Mon Oct 8
11:28:12 2018</tt><tt><br>
</tt><tt>*mangle</tt><tt><br>
</tt><tt>:PREROUTING ACCEPT [8979:5649964]</tt><tt><br>
</tt><tt>:INPUT ACCEPT [8235:5605804]</tt><tt><br>
</tt><tt>:FORWARD ACCEPT [708:42480]</tt><tt><br>
</tt><tt>:OUTPUT ACCEPT [7541:2091521]</tt><tt><br>
</tt><tt>:POSTROUTING ACCEPT [7915:2228709]</tt><tt><br>
</tt><tt>COMMIT</tt><tt><br>
</tt><tt># Completed on Mon Oct 8 11:28:12 2018</tt><tt><br>
</tt><tt># Generated by iptables-save v1.6.2 on Mon Oct 8
11:28:12 2018</tt><tt><br>
</tt><tt>*raw</tt><tt><br>
</tt><tt>:PREROUTING ACCEPT [8985:5650614]</tt><tt><br>
</tt><tt>:OUTPUT ACCEPT [7541:2091521]</tt><tt><br>
</tt><tt>COMMIT</tt><tt><br>
</tt><tt># Completed on Mon Oct 8 11:28:12 2018</tt><tt><br>
</tt><tt># Generated by iptables-save v1.6.2 on Mon Oct 8
11:28:12 2018</tt><tt><br>
</tt><tt>*security</tt><tt><br>
</tt><tt>:INPUT ACCEPT [7385:5307699]</tt><tt><br>
</tt><tt>:FORWARD ACCEPT [0:0]</tt><tt><br>
</tt><tt>:OUTPUT ACCEPT [7541:2091521]</tt><tt><br>
</tt><tt>COMMIT</tt><tt><br>
</tt><tt># Completed on Mon Oct 8 11:28:12 2018</tt><tt><br>
</tt><tt># Generated by iptables-save v1.6.2 on Mon Oct 8
11:28:12 2018</tt><tt><br>
</tt><tt>*filter</tt><tt><br>
</tt><tt>:INPUT ACCEPT [8216:5602225]</tt><tt><br>
</tt><tt>:FORWARD ACCEPT [707:42420]</tt><tt><br>
</tt><tt>:OUTPUT ACCEPT [7515:2070405]</tt><tt><br>
</tt><tt>:DOCKER - [0:0]</tt><tt><br>
</tt><tt>:DOCKER-ISOLATION - [0:0]</tt><tt><br>
</tt><tt>-A FORWARD -j DOCKER-ISOLATION</tt><tt><br>
</tt><tt>-A FORWARD -o br-699ed9280e00 -m conntrack --ctstate
RELATED,ESTABLISHED -j ACCEPT</tt><tt><br>
</tt><tt>-A FORWARD -o br-699ed9280e00 -j DOCKER</tt><tt><br>
</tt><tt>-A FORWARD -i br-699ed9280e00 ! -o br-699ed9280e00 -j
ACCEPT</tt><tt><br>
</tt><tt>-A FORWARD -i br-699ed9280e00 -o br-699ed9280e00 -j
ACCEPT</tt><tt><br>
</tt><tt>-A FORWARD -o docker0 -m conntrack --ctstate
RELATED,ESTABLISHED -j ACCEPT</tt><tt><br>
</tt><tt>-A FORWARD -o docker0 -j DOCKER</tt><tt><br>
</tt><tt>-A FORWARD -i docker0 ! -o docker0 -j ACCEPT</tt><tt><br>
</tt><tt>-A FORWARD -i docker0 -o docker0 -j ACCEPT</tt><tt><br>
</tt><tt>-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp
-m tcp --dport 5432 -j ACCEPT</tt><tt><br>
</tt><tt>-A DOCKER-ISOLATION -j RETURN</tt><tt><br>
</tt><tt>COMMIT</tt><tt><br>
</tt><tt># Completed on Mon Oct 8 11:28:12 2018</tt></p>
<p>My internal zone settings (internal.xml):</p>
<p><tt><?xml version="1.0" encoding="utf-8"?></tt><tt><br>
</tt><tt><zone></tt><tt><br>
</tt><tt> <service name="http"/></tt><tt><br>
</tt><tt> <service name="https"/></tt><tt><br>
</tt><tt> <service name="ntp"/></tt><tt><br>
</tt><tt> <service name="tor-socks"/></tt><tt><br>
</tt><tt> <service name="tor-orport"/></tt><tt><br>
</tt><tt> <service name="tor-obfs3"/></tt><tt><br>
</tt><tt> <service name="tor-obfs4"/></tt><tt><br>
</tt><tt> <service name="xmpp-client"/></tt><tt><br>
</tt><tt> <service name="xmpp-server"/></tt><tt><br>
</tt><tt> <service name="xmpp-bosh"/></tt><tt><br>
</tt><tt> <service name="dhcp"/></tt><tt><br>
</tt><tt> <service name="dns"/></tt><tt><br>
</tt><tt> <service name="ssh"/></tt><tt><br>
</tt><tt> <service name="mdns"/></tt><tt><br>
</tt><tt> <port port="4430" protocol="tcp"/></tt><tt><br>
</tt><tt> <port port="22" protocol="tcp"/></tt><tt><br>
</tt><tt> <port port="443" protocol="tcp"/></tt><tt><br>
</tt><tt> <port port="80" protocol="tcp"/></tt><tt><br>
</tt><tt> <port port="8080" protocol="tcp"/></tt><tt><br>
</tt><tt> <port port="8384" protocol="tcp"/></tt><tt><br>
</tt><tt> <port port="8880" protocol="tcp"/></tt><tt><br>
</tt><tt> <port port="15432" protocol="tcp"/></tt><tt><br>
</tt><tt> <port port="5432" protocol="tcp"/></tt><tt><br>
</tt><tt> <port port="3306" protocol="tcp"/></tt><tt><br>
</tt><tt> <port port="8200" protocol="tcp"/></tt><tt><br>
</tt><tt> <port port="4567" protocol="tcp"/></tt><tt><br>
</tt><tt> <port port="2375" protocol="tcp"/></tt><tt><br>
</tt><tt> <port port="3389" protocol="tcp"/></tt><tt><br>
</tt><tt></zone></tt><tt><br>
</tt><tt><br>
</tt></p>
<p><tt><br>
</tt></p>
<p><span style="color:#000000;background-color:#ffffff;"><br>
</span></p>
</body>
</html>