[Freedombox-discuss] Please help: Freedombox as a router, "not working" anymore (details inside)
Daddy
daddy at autistici.org
Mon Oct 8 10:32:43 BST 2018
Hello everyone.
I would like to ask for help with an issue I have been struggling with for two
weeks.
After a large system upgrade (I didn't notice unattended upgrades failing
due to the upgrade prompt for a long time), my Freedombox router stopped
allowing client computers to connect to it and to the internet; DHCP
requests were ignored.
Everything else worked: Freedombox itself had the internet connection, and I
was able to connect to all provided services from the *external* network
and so reach Plinth and the shell via ssh.
I was eventually able to get the DHCP working (by manually allowing the
service in firewalld), but not the connection to the internet.
*My network setup:*
<WAN> -- <Modem> -- <Freedombox> -- <LAN>
<LAN> is connected to Fbx through two separate interfaces - wired and
wireless, both set as internal zone in firewall.
LAN connections are both using the "Shared" IPv4 setting; no settings were
adjusted.
*Freedombox System:*
Debian GNU/Linux buster/sid and FreedomBox version 0.39.0.
I'm not filing a bug report, as this may have been caused by something
I chose during the manual system upgrade - I'm just not able to
pinpoint it yet.
Regards,
D.
------------------------------------------------------------------------
*PS:* Many details about what I've tried follow.
1. I inspected the outputs of tcpdump and dhcpdump when trying to
obtain an IP address. These showed many DHCP requests with no reply.
2. Inspected the logs for dnsmasq outputs:
grep -ir --exclude-dir=dist-upgrade dnsmasq /var/log/
These contained requests in various stages - DHCPREQUEST, DHCPACK ... -
in the past, but not in the present.
3. Manually drilled a hole in the firewall for dhcp:
firewall-cmd --zone=internal --permanent --add-service=dhcp
firewall-cmd --zone=internal --add-service=dhcp
This worked. DHCP requests were fulfilled now. I compared the
settings file with the backup I had from before - this setting was not
present, and not needed, before.
Now I could connect to the box from the internal network, but wasn't
allowed further, to the internet.
4. Due to the previous step, I suspected the firewall, so I enabled
logging via:
firewall-cmd --set-log-denied=all
The system log was now filled with notices of rejected packets from the
LAN, like this one:
FreedomBox kernel: [49255.732023] FINAL_REJECT: IN=wlp5s0 OUT=enp3s0 MAC=f0:42:1c:cb:33:ec:94:87:e0:69:80:ce:08:00 SRC=10.42.0.8 8 DST=206.81.26.84 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=34843 DF PROTO=TCP SPT=48731 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
5. I inspected the iptables rules with:
iptables -L -v -n
and saw the following suspicious rules in the FORWARD chain:
0 0 REJECT all -- * wlp5s0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- wlp5s0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
6. I thought I'd nailed it, but dropping one or both of them had no
effect on packet rejection :(
The system log is still full of FINAL_REJECT notices, both from this
interface and protocol and from others (docker, ipv6, udp...).
7. I deleted and recreated the LAN wifi connection => no change.
8. I tried the same diagnosis using the wired adapter; the behavior seems
to be the same.
------------------------------------------------------------------------
Even more details: my current iptables settings as output by iptables-save:
# Generated by iptables-save v1.6.2 on Mon Oct 8 11:28:12 2018
*nat
:PREROUTING ACCEPT [1252:205947]
:INPUT ACCEPT [37:2884]
:OUTPUT ACCEPT [353:48088]
:POSTROUTING ACCEPT [353:48088]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.18.0.0/16 ! -o br-699ed9280e00 -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 5432 -j MASQUERADE
-A DOCKER -i br-699ed9280e00 -j RETURN
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 15432 -j DNAT --to-destination 172.17.0.2:5432
COMMIT
# Completed on Mon Oct 8 11:28:12 2018
# Generated by iptables-save v1.6.2 on Mon Oct 8 11:28:12 2018
*mangle
:PREROUTING ACCEPT [8979:5649964]
:INPUT ACCEPT [8235:5605804]
:FORWARD ACCEPT [708:42480]
:OUTPUT ACCEPT [7541:2091521]
:POSTROUTING ACCEPT [7915:2228709]
COMMIT
# Completed on Mon Oct 8 11:28:12 2018
# Generated by iptables-save v1.6.2 on Mon Oct 8 11:28:12 2018
*raw
:PREROUTING ACCEPT [8985:5650614]
:OUTPUT ACCEPT [7541:2091521]
COMMIT
# Completed on Mon Oct 8 11:28:12 2018
# Generated by iptables-save v1.6.2 on Mon Oct 8 11:28:12 2018
*security
:INPUT ACCEPT [7385:5307699]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [7541:2091521]
COMMIT
# Completed on Mon Oct 8 11:28:12 2018
# Generated by iptables-save v1.6.2 on Mon Oct 8 11:28:12 2018
*filter
:INPUT ACCEPT [8216:5602225]
:FORWARD ACCEPT [707:42420]
:OUTPUT ACCEPT [7515:2070405]
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o br-699ed9280e00 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-699ed9280e00 -j DOCKER
-A FORWARD -i br-699ed9280e00 ! -o br-699ed9280e00 -j ACCEPT
-A FORWARD -i br-699ed9280e00 -o br-699ed9280e00 -j ACCEPT
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 5432 -j ACCEPT
-A DOCKER-ISOLATION -j RETURN
COMMIT
# Completed on Mon Oct 8 11:28:12 2018
My internal zone settings (internal.xml):
<?xml version="1.0" encoding="utf-8"?>
<zone>
<service name="http"/>
<service name="https"/>
<service name="ntp"/>
<service name="tor-socks"/>
<service name="tor-orport"/>
<service name="tor-obfs3"/>
<service name="tor-obfs4"/>
<service name="xmpp-client"/>
<service name="xmpp-server"/>
<service name="xmpp-bosh"/>
<service name="dhcp"/>
<service name="dns"/>
<service name="ssh"/>
<service name="mdns"/>
<port port="4430" protocol="tcp"/>
<port port="22" protocol="tcp"/>
<port port="443" protocol="tcp"/>
<port port="80" protocol="tcp"/>
<port port="8080" protocol="tcp"/>
<port port="8384" protocol="tcp"/>
<port port="8880" protocol="tcp"/>
<port port="15432" protocol="tcp"/>
<port port="5432" protocol="tcp"/>
<port port="3306" protocol="tcp"/>
<port port="8200" protocol="tcp"/>
<port port="4567" protocol="tcp"/>
<port port="2375" protocol="tcp"/>
<port port="3389" protocol="tcp"/>
</zone>
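Two things in the post are worth checking mechanically rather than by eye: which LAN-to-WAN flows the FINAL_REJECT notices (step 4) actually cover, and whether the iptables-save dump above contains a FORWARD ACCEPT and a POSTROUTING MASQUERADE for that path at all (the dump shows a FORWARD policy of ACCEPT, only Docker rules, and none of the firewalld chains that emit FINAL_REJECT, so the rejecting rules are not visible in it; an nftables backend would be one place they could live instead). The following script is an added example, not FreedomBox code and not the poster's; it assumes the interface names wlp5s0 (LAN) and enp3s0 (WAN) from the post, a LAN subnet of 10.42.0.0/24 inferred from the SRC address, and constructed sample log lines and rule dumps that only mirror the shape of the output quoted above.

```python
"""Router-path diagnostics: parse firewalld FINAL_REJECT kernel log lines and an
iptables-save dump, then check whether LAN -> WAN forwarding and masquerading
is allowed by the rules that are visible.
Added example, not FreedomBox code; interface names, LAN subnet and all sample
text below are constructed assumptions modelled on the mailing-list post."""
import ipaddress
import re
import shlex
from collections import Counter

KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_reject_line(line):
    """KEY=value fields of a FINAL_REJECT line as a dict, or None for other lines.
    Bare flags such as DF or SYN carry no '=' and are skipped on purpose."""
    marker = "FINAL_REJECT:"
    if marker not in line:
        return None
    return dict(KV_RE.findall(line.partition(marker)[2]))


def summarize_rejects(lines):
    """Count rejected flows by (IN, OUT, PROTO, DPT) so the dominant path stands out."""
    counts = Counter()
    for line in lines:
        f = parse_reject_line(line)
        if f is not None:
            counts[(f.get("IN", ""), f.get("OUT", ""), f.get("PROTO", ""), f.get("DPT", ""))] += 1
    return counts


def parse_iptables_save(text):
    """table name -> {'policy': {chain: policy}, 'rules': [tokenised -A lines]}."""
    tables, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            cur = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif line.startswith(":") and cur is not None:
            chain, policy = line[1:].split()[:2]
            cur["policy"][chain] = policy
        elif line.startswith("-A") and cur is not None:
            cur["rules"].append(shlex.split(line))
    return tables


def _opt(tokens, flag):
    """(value, negated) for a single-valued option like -i/-o/-s/-j, else (None, False)."""
    for idx, tok in enumerate(tokens):
        if tok == flag and idx + 1 < len(tokens):
            return tokens[idx + 1], idx > 0 and tokens[idx - 1] == "!"
    return None, False


def _iface_ok(tokens, flag, iface):
    value, negated = _opt(tokens, flag)
    if value is None:
        return True  # the rule does not constrain this interface
    return value != iface if negated else value == iface


def _src_ok(tokens, lan_net):
    value, negated = _opt(tokens, "-s")
    if value is None:
        return True
    net = ipaddress.ip_network(value, strict=False)
    return not lan_net.overlaps(net) if negated else lan_net.subnet_of(net)


def _state_ok(tokens):
    """A fresh connection is covered only if there is no --ctstate match or it lists NEW."""
    value, negated = _opt(tokens, "--ctstate")
    if value is None:
        return True
    has_new = "NEW" in value.split(",")
    return not has_new if negated else has_new


def rule_covers(tokens, chain, target, lan_if, wan_if, lan_net):
    """True if an -A rule in `chain` jumping to `target` would match a NEW flow
    entering on lan_if from lan_net and leaving on wan_if."""
    if len(tokens) < 2 or tokens[0] != "-A" or tokens[1] != chain:
        return False
    if _opt(tokens, "-j")[0] != target:
        return False
    return (_iface_ok(tokens, "-i", lan_if) and _iface_ok(tokens, "-o", wan_if)
            and _src_ok(tokens, lan_net) and _state_ok(tokens))


def forwarding_diagnosis(save_text, lan_if, wan_if, lan_cidr):
    """What the dump says about the LAN -> WAN path: FORWARD policy, ACCEPT rule, MASQUERADE rule."""
    tables = parse_iptables_save(save_text)
    net = ipaddress.ip_network(lan_cidr)
    filt = tables.get("filter", {"policy": {}, "rules": []})
    nat = tables.get("nat", {"policy": {}, "rules": []})
    return {
        "forward_policy": filt["policy"].get("FORWARD"),
        "forward_accept_rule": any(rule_covers(t, "FORWARD", "ACCEPT", lan_if, wan_if, net) for t in filt["rules"]),
        "masquerade_rule": any(rule_covers(t, "POSTROUTING", "MASQUERADE", lan_if, wan_if, net) for t in nat["rules"]),
    }


# Constructed sample log lines (shape follows the post's FINAL_REJECT notice; addresses are documentation ranges).
SAMPLE_LOG = [
    "Oct  8 10:01:01 FreedomBox kernel: [49255.732023] FINAL_REJECT: IN=wlp5s0 OUT=enp3s0 "
    "MAC=f0:42:1c:cb:33:ec:94:87:e0:69:80:ce:08:00 SRC=10.42.0.8 DST=203.0.113.10 LEN=60 "
    "TOS=0x00 PREC=0x00 TTL=63 ID=34843 DF PROTO=TCP SPT=48731 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Oct  8 10:01:02 FreedomBox kernel: [49256.100000] FINAL_REJECT: IN=wlp5s0 OUT=enp3s0 "
    "MAC=f0:42:1c:cb:33:ec:94:87:e0:69:80:ce:08:00 SRC=10.42.0.8 DST=203.0.113.10 LEN=60 "
    "TOS=0x00 PREC=0x00 TTL=63 ID=34844 DF PROTO=TCP SPT=48732 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Oct  8 10:01:03 FreedomBox kernel: [49257.000000] FINAL_REJECT: IN=wlp5s0 OUT=enp3s0 "
    "MAC=f0:42:1c:cb:33:ec:94:87:e0:69:80:ce:08:00 SRC=10.42.0.8 DST=198.51.100.53 LEN=61 "
    "TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=UDP SPT=40000 DPT=53 LEN=41",
    "Oct  8 10:01:04 FreedomBox systemd[1]: Started Session 3 of user fbx.",  # not a reject
]

# Constructed dumps: the first mirrors the post's dump (Docker rules only, FORWARD policy ACCEPT),
# the second adds the two rules a LAN -> WAN router path needs under a DROP policy.
DUMP_NO_ROUTER_RULES = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
COMMIT
"""
DUMP_WITH_ROUTER_RULES = DUMP_NO_ROUTER_RULES.replace(
    ":FORWARD ACCEPT [0:0]\n",
    ":FORWARD DROP [0:0]\n-A FORWARD -i wlp5s0 -o enp3s0 -s 10.42.0.0/24 -j ACCEPT\n"
    "-A FORWARD -i enp3s0 -o wlp5s0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n",
).replace(":POSTROUTING ACCEPT [0:0]\n",
          ":POSTROUTING ACCEPT [0:0]\n-A POSTROUTING -s 10.42.0.0/24 -o enp3s0 -j MASQUERADE\n")


if __name__ == "__main__":
    for flow, n in summarize_rejects(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {flow[0]} -> {flow[1]}  {flow[2]}/{flow[3]}")
    for name, dump in (("post-like dump", DUMP_NO_ROUTER_RULES), ("with router rules", DUMP_WITH_ROUTER_RULES)):
        print(name, forwarding_diagnosis(dump, "wlp5s0", "enp3s0", "10.42.0.0/24"))
```

Run against the real box, replace the two constructed dumps with the output of `iptables-save` and the sample lines with `journalctl -k | grep FINAL_REJECT`; when the diagnosis reports no rejecting rule and no firewalld chain in the dump while the kernel keeps logging FINAL_REJECT, the rules in force are being installed through a path that `iptables-save` does not list, which is the point at which to look at firewalld's backend rather than at the FORWARD chain again.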