[Freedombox-discuss] Please help: Freedombox as a router, "not working" anymore (details inside)

Daddy daddy at autistici.org
Mon Oct 8 10:32:43 BST 2018


Hello everyone.

I would like to ask for help with an issue I have been struggling with for two 
weeks.
After a large system upgrade (I didn't notice unattended upgrades failing 
due to the upgrade prompt for a long time), my Freedombox router stopped 
allowing client computers to connect to it and to the internet; DHCP 
requests were ignored.

Everything else worked: Freedombox itself had the internet connection, and I 
was able to connect to all provided services from the *external* network 
and so reach Plinth and the shell via ssh.
I was eventually able to get DHCP working (by manually allowing the 
service in firewalld), but not the connection to the internet.

*My network setup:*
<WAN> -- <Modem> -- <Freedombox> -- <LAN>

<LAN> is connected to Fbx through two separate interfaces - wired and 
wireless, both set as the internal zone in the firewall.
Both LAN connections use the "Shared" ipv4 setting; no settings were 
adjusted.

*Freedombox System:*
Debian GNU/Linux buster/sid and FreedomBox version 0.39.0.

I'm not filing a bug report, as this may have been caused by something 
I chose during the manual system upgrade - I'm just not able to 
pinpoint it yet.

Regards,
D.


------------------------------------------------------------------------
*PS:* Many details about what I've tried follow.

1. I inspected the outputs of tcpdump and dhcpdump when trying to 
obtain an IP address. These showed many DHCP requests with no reply.

2. Inspected the logs for dnsmasq output:
grep -ir --exclude-dir=dist-upgrade dnsmasq /var/log/
These contained requests in various stages - DHCPREQUEST, DHCPACK ... - 
in the past, but not in the present.

3. Manually drilled a hole in the firewall for DHCP:
firewall-cmd --zone=internal --permanent --add-service=dhcp
firewall-cmd --zone=internal --add-service=dhcp

This worked. DHCP requests were now fulfilled. I compared the 
settings file with the backup I had from before - this setting was not 
present, and not needed, before.
Now I could connect to the box from the internal network, but wasn't 
allowed further, to the internet.

4. Because of the previous step, I suspected the firewall, so I enabled 
logging via:
firewall-cmd --set-log-denied=all

The system log was now filled with notifications of rejected packets from the 
LAN, like this one:
FreedomBox kernel: [49255.732023] FINAL_REJECT: IN=wlp5s0 OUT=enp3s0 
MAC=f0:42:1c:cb:33:ec:94:87:e0:69:80:ce:08:00 SRC=10.42.0.8 8 
DST=206.81.26.84 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=34843 DF PROTO=TCP 
SPT=48731 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0

5. I inspected the iptables rules with:
iptables -L -v -n

and saw the following suspicious rules in the FORWARD chain:

0 0 REJECT all -- * wlp5s0 0.0.0.0/0 0.0.0.0/0 reject-with 
icmp-port-unreachable
0 0 REJECT all -- wlp5s0 * 0.0.0.0/0 0.0.0.0/0 reject-with 
icmp-port-unreachable

6. I thought I had nailed it, but dropping one or both of them had no 
effect on packet rejection :(
The system log is still full of FINAL_REJECT notices, both from this 
interface and protocol and from others (docker, ipv6, udp...).

7. I deleted and recreated the LAN wifi connection => no change.

8. I tried the same diagnosis using the wired adapter; the behavior seems 
to be the same.

------------------------------------------------------------------------

Even more details: my current iptables settings as output by iptables-save:

# Generated by iptables-save v1.6.2 on Mon Oct  8 11:28:12 2018
*nat
:PREROUTING ACCEPT [1252:205947]
:INPUT ACCEPT [37:2884]
:OUTPUT ACCEPT [353:48088]
:POSTROUTING ACCEPT [353:48088]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.18.0.0/16 ! -o br-699ed9280e00 -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 
5432 -j MASQUERADE
-A DOCKER -i br-699ed9280e00 -j RETURN
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 15432 -j DNAT 
--to-destination 172.17.0.2:5432
COMMIT
# Completed on Mon Oct  8 11:28:12 2018
# Generated by iptables-save v1.6.2 on Mon Oct  8 11:28:12 2018
*mangle
:PREROUTING ACCEPT [8979:5649964]
:INPUT ACCEPT [8235:5605804]
:FORWARD ACCEPT [708:42480]
:OUTPUT ACCEPT [7541:2091521]
:POSTROUTING ACCEPT [7915:2228709]
COMMIT
# Completed on Mon Oct  8 11:28:12 2018
# Generated by iptables-save v1.6.2 on Mon Oct  8 11:28:12 2018
*raw
:PREROUTING ACCEPT [8985:5650614]
:OUTPUT ACCEPT [7541:2091521]
COMMIT
# Completed on Mon Oct  8 11:28:12 2018
# Generated by iptables-save v1.6.2 on Mon Oct  8 11:28:12 2018
*security
:INPUT ACCEPT [7385:5307699]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [7541:2091521]
COMMIT
# Completed on Mon Oct  8 11:28:12 2018
# Generated by iptables-save v1.6.2 on Mon Oct  8 11:28:12 2018
*filter
:INPUT ACCEPT [8216:5602225]
:FORWARD ACCEPT [707:42420]
:OUTPUT ACCEPT [7515:2070405]
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o br-699ed9280e00 -m conntrack --ctstate RELATED,ESTABLISHED 
-j ACCEPT
-A FORWARD -o br-699ed9280e00 -j DOCKER
-A FORWARD -i br-699ed9280e00 ! -o br-699ed9280e00 -j ACCEPT
-A FORWARD -i br-699ed9280e00 -o br-699ed9280e00 -j ACCEPT
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 
5432 -j ACCEPT
-A DOCKER-ISOLATION -j RETURN
COMMIT
# Completed on Mon Oct  8 11:28:12 2018

My internal zone settings (internal.xml):

<?xml version="1.0" encoding="utf-8"?>
<zone>
   <service name="http"/>
   <service name="https"/>
   <service name="ntp"/>
   <service name="tor-socks"/>
   <service name="tor-orport"/>
   <service name="tor-obfs3"/>
   <service name="tor-obfs4"/>
   <service name="xmpp-client"/>
   <service name="xmpp-server"/>
   <service name="xmpp-bosh"/>
   <service name="dhcp"/>
   <service name="dns"/>
   <service name="ssh"/>
   <service name="mdns"/>
   <port port="4430" protocol="tcp"/>
   <port port="22" protocol="tcp"/>
   <port port="443" protocol="tcp"/>
   <port port="80" protocol="tcp"/>
   <port port="8080" protocol="tcp"/>
   <port port="8384" protocol="tcp"/>
   <port port="8880" protocol="tcp"/>
   <port port="15432" protocol="tcp"/>
   <port port="5432" protocol="tcp"/>
   <port port="3306" protocol="tcp"/>
   <port port="8200" protocol="tcp"/>
   <port port="4567" protocol="tcp"/>
   <port port="2375" protocol="tcp"/>
   <port port="3389" protocol="tcp"/>
</zone>
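A small triage helper, added here as an example and not part of the original post or of the FreedomBox project: it parses kernel FINAL_REJECT lines like the one quoted in step 4 (as produced after `firewall-cmd --set-log-denied=all`) and groups them by in/out interface, protocol and destination port. Entries with both IN and OUT set were refused while being routed between interfaces (FORWARD chain), which separates a forwarding/masquerade problem from a blocked local service (OUT empty). The sample log lines are constructed.

```python
import re
from collections import Counter

# Constructed sample lines, modelled on the FINAL_REJECT entry quoted in the post.
SAMPLE_LOG = """\
FreedomBox kernel: [49255.732023] FINAL_REJECT: IN=wlp5s0 OUT=enp3s0 MAC=f0:42:1c:cb:33:ec:94:87:e0:69:80:ce:08:00 SRC=10.42.0.8 DST=206.81.26.84 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=34843 DF PROTO=TCP SPT=48731 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
FreedomBox kernel: [49256.104411] FINAL_REJECT: IN=wlp5s0 OUT=enp3s0 MAC=f0:42:1c:cb:33:ec:94:87:e0:69:80:ce:08:00 SRC=10.42.0.8 DST=206.81.26.84 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=34844 DF PROTO=TCP SPT=48732 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
FreedomBox kernel: [49257.200001] FINAL_REJECT: IN=enp4s0 OUT=enp3s0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.42.1.5 DST=1.1.1.1 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=101 DF PROTO=UDP SPT=40000 DPT=53 LEN=44
FreedomBox kernel: [49258.300002] FINAL_REJECT: IN=wlp5s0 OUT= MAC=f0:42:1c:cb:33:ec:94:87:e0:69:80:ce:08:00 SRC=10.42.0.8 DST=10.42.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=102 DF PROTO=TCP SPT=50000 DPT=8200 WINDOW=65535 RES=0x00 SYN URGP=0
FreedomBox systemd[1]: Started Session 12 of user root.
"""

REJECT_RE = re.compile(r"FINAL_REJECT: (?P<fields>.*)$")
# Bare flags such as DF or SYN carry no '=' and are skipped by this pattern.
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_reject(line):
    """Return the key=value fields of a FINAL_REJECT line as a dict, or None for other lines."""
    m = REJECT_RE.search(line)
    if not m:
        return None
    # For UDP the kernel prints LEN twice (IP and UDP length); the later value wins.
    return dict(FIELD_RE.findall(m.group("fields")))


def summarise(log_text):
    """Count rejected packets per (IN, OUT, PROTO, DPT) tuple."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_reject(line)
        if f:
            counts[(f.get("IN", ""), f.get("OUT", ""), f.get("PROTO", ""), f.get("DPT", ""))] += 1
    return counts


def forwarded_rejects(log_text):
    """Keep only entries with both IN and OUT set: packets refused while being routed
    between interfaces (FORWARD chain), not traffic aimed at the box itself (OUT empty)."""
    return {k: v for k, v in summarise(log_text).items() if k[0] and k[1]}


if __name__ == "__main__":
    for (iface_in, iface_out, proto, dport), n in sorted(forwarded_rejects(SAMPLE_LOG).items()):
        print(f"{n:4d}  {iface_in} -> {iface_out}  {proto} dport {dport}")
```

To run it against a real box, replace SAMPLE_LOG with the output of `journalctl -k` or the relevant lines from /var/log/syslog.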


