#1 2020-10-11 13:59:38

extcake
Member
Registered: 2008-11-11
Posts: 10

[SOLVED] Can't access services on server after changing LAN to 10.0.0.

I have a weird problem accessing my camera running DAFANG after changing the LAN IP range to 10.0.0.*
I can ping it just fine, but can't access its RTSP or HTTP service.
I can access them normally from all other devices and from Windows on the same machine.
I tried using dhcpcd, resetting all iptables, and changing the LAN range to 10.1.1.*
All other things seem to work just fine and I ran out of ideas what it could be.
Any ideas what the culprit could be are highly appreciated.

/etc/netctl/home:

Description='Home connection'
Interface=eth0
Connection=ethernet
IP=static
Address=('10.0.0.222/24')
Gateway='10.0.0.1'
DNS=('8.8.8.8')

➜  ~ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 70:85:c2:86:95:7f brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.222/24 brd 10.0.0.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::7285:c2ff:fe86:957f/64 scope link 
       valid_lft forever preferred_lft forever
3: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 94:b8:6d:ef:ff:47 brd ff:ff:ff:ff:ff:ff
4: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 52:54:00:85:39:59 brd ff:ff:ff:ff:ff:ff
    inet 192.168.137.2/24 brd 192.168.137.255 scope global virbr0
       valid_lft forever preferred_lft forever
5: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc fq_codel master virbr0 state DOWN group default qlen 1000
    link/ether 52:54:00:85:39:59 brd ff:ff:ff:ff:ff:ff
➜  ~ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         _gateway        0.0.0.0         UG    0      0        0 eth0
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.137.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0

Last edited by extcake (2020-10-12 19:12:16)

Offline

#2 2020-10-11 14:56:19

seth
Member
Registered: 2012-09-03
Posts: 51,029

Re: [SOLVED] Can't access services on server after changing LAN to 10.0.0.

Is the camera in the same subnet?
Does nmap report the desired ports to be open?
If so, how exactly can't you access it? Do you get an error response or does the connection just time out…?
If this is "my browser does not work", can you curl/wget the IP?
Did you try to wireshark the connection?

Offline

#3 2020-10-11 16:50:46

extcake
Member
Registered: 2008-11-11
Posts: 10

Re: [SOLVED] Can't access services on server after changing LAN to 10.0.0.

So I think that the camera network setup is OK (it's from DHCP, I included info below).
Nmap reports the ports as closed.
I get the error "Connection refused". I always get the error instantly (no timeout).
I included outputs from wget and mpv, which I use to play RTSP.

*Camera network setup info*
Interfaces:
lo Link encap:Local Loopback  
          inet addr:127.0.0.1 Mask:255.0.0.0
          UP LOOPBACK RUNNING MTU:65536 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

wlan0 Link encap:Ethernet HWaddr 2C:AA:8E:0E:DC:1A  
          inet addr:10.0.0.10 Bcast:10.0.0.255 Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:46134 errors:0 dropped:320 overruns:0 frame:0
          TX packets:3236650 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:18035783 (17.2 MiB) TX bytes:413647549 (394.4 MiB)

wlan0 IEEE 802.11bgn ESSID:"RanczoSzatana" Nickname:""
          Mode:Managed Frequency:2.462 GHz Access Point: 88:C3:97:C3:14:6A   
          Bit Rate:72.2 Mb/s Sensitivity:0/0  
          Retry:off RTS thr:off Fragment thr:off
          Encryption key:****-****-****-****-****-****-****-**** Security mode:open
          Power Management:off
          Link Quality=90/100 Signal level=100/100 Noise level=0/100
          Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
          Tx excessive retries:0 Invalid misc:0 Missed beacon:0

Routes:
Kernel IP routing table
Destination Gateway     Genmask         Flags Metric Ref Use Iface
default     XiaoQiang   0.0.0.0         UG    0      0   0   wlan0
10.0.0.0    *           255.255.255.0   U     0      0   0   wlan0
➜  ~ wget 10.0.0.10    
--2020-10-11 18:41:29--  http://10.0.0.10/
Connecting to 10.0.0.10:80... failed: Connection refused.
➜  ~ mpv  --no-resume-playback --profile=low-latency --rtsp-transport=udp rtsp://10.0.0.10:666/unicast --framedrop=no --speed=1.01 
[ffmpeg] tcp: Connection to tcp://10.0.0.10:666?timeout=0 failed: Connection refused
[lavf] avformat_open_input() failed
Failed to recognize file format.
➜  ~ nmap -v 10.0.0.10
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-11 18:19 CEST
Initiating Ping Scan at 18:19
Scanning 10.0.0.10 [2 ports]
Completed Ping Scan at 18:19, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 18:19
Completed Parallel DNS resolution of 1 host. at 18:19, 0.00s elapsed
Initiating Connect Scan at 18:19
Scanning 10.0.0.10 [1000 ports]
Completed Connect Scan at 18:19, 0.01s elapsed (1000 total ports)
Nmap scan report for 10.0.0.10
Host is up (0.0019s latency).
All 1000 scanned ports on 10.0.0.10 are closed

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds
➜  ~ nmap  10.0.0.10 -p 80 
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-11 18:40 CEST
Nmap scan report for 10.0.0.10
Host is up (0.00042s latency).

PORT   STATE  SERVICE
80/tcp closed http

Nmap done: 1 IP address (1 host up) scanned in 0.02 seconds
➜  ~ nmap  10.0.0.10 -p 666
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-11 18:41 CEST
Nmap scan report for 10.0.0.10
Host is up (0.00036s latency).

PORT    STATE  SERVICE
666/tcp closed doom

Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds

Wireshark log when trying to connect with mpv:

1	0.000000000	10.0.0.222	10.0.0.10	TCP	74	35590 → 666 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=4054220120 TSecr=0 WS=128
2	0.000785635	10.0.0.10	10.0.0.222	TCP	60	666 → 35590 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
Frame 1: 74 bytes on wire (592 bits), 74 bytes captured (592 bits) on interface eth0, id 0
    Interface id: 0 (eth0)
    Encapsulation type: Ethernet (1)
    Arrival Time: Oct 11, 2020 18:57:35.076862372 CEST
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1602435455.076862372 seconds
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Frame Length: 74 bytes (592 bits)
    Capture Length: 74 bytes (592 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp]
    [Coloring Rule Name: TCP SYN/FIN]
    [Coloring Rule String: tcp.flags & 0x02 || tcp.flags.fin == 1]
Ethernet II, Src: ASRockIn_86:95:7f (70:85:c2:86:95:7f), Dst: BeijingX_c3:14:6a (88:c3:97:c3:14:6a)
    Destination: BeijingX_c3:14:6a (88:c3:97:c3:14:6a)
    Source: ASRockIn_86:95:7f (70:85:c2:86:95:7f)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 10.0.0.222, Dst: 10.0.0.10
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
    Total Length: 60
    Identification: 0xb9cf (47567)
    Flags: 0x4000, Don't fragment
    Fragment offset: 0
    Time to live: 64
    Protocol: TCP (6)
    Header checksum: 0x6a03 [validation disabled]
    [Header checksum status: Unverified]
    Source: 10.0.0.222
    Destination: 10.0.0.10
Transmission Control Protocol, Src Port: 35590, Dst Port: 666, Seq: 0, Len: 0
    Source Port: 35590
    Destination Port: 666
    [Stream index: 0]
    [TCP Segment Len: 0]
    Sequence number: 0    (relative sequence number)
    Sequence number (raw): 1297277177
    [Next sequence number: 1    (relative sequence number)]
    Acknowledgment number: 0
    Acknowledgment number (raw): 0
    1010 .... = Header Length: 40 bytes (10)
    Flags: 0x002 (SYN)
    Window size value: 64240
    [Calculated window size: 64240]
    Checksum: 0x1718 [unverified]
    [Checksum Status: Unverified]
    Urgent pointer: 0
    Options: (20 bytes), Maximum segment size, SACK permitted, Timestamps, No-Operation (NOP), Window scale
        TCP Option - Maximum segment size: 1460 bytes
        TCP Option - SACK permitted
        TCP Option - Timestamps: TSval 4054220120, TSecr 0
        TCP Option - No-Operation (NOP)
        TCP Option - Window scale: 7 (multiply by 128)
    [Timestamps]
        [Time since first frame in this TCP stream: 0.000000000 seconds]
        [Time since previous frame in this TCP stream: 0.000000000 seconds]
Frame 2: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface eth0, id 0
    Interface id: 0 (eth0)
    Encapsulation type: Ethernet (1)
    Arrival Time: Oct 11, 2020 18:57:35.077648007 CEST
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1602435455.077648007 seconds
    [Time delta from previous captured frame: 0.000785635 seconds]
    [Time delta from previous displayed frame: 0.000785635 seconds]
    [Time since reference or first frame: 0.000785635 seconds]
    Frame Number: 2
    Frame Length: 60 bytes (480 bits)
    Capture Length: 60 bytes (480 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp]
    [Coloring Rule Name: TCP RST]
    [Coloring Rule String: tcp.flags.reset eq 1]
Ethernet II, Src: BeijingX_c3:14:6a (88:c3:97:c3:14:6a), Dst: ASRockIn_86:95:7f (70:85:c2:86:95:7f)
    Destination: ASRockIn_86:95:7f (70:85:c2:86:95:7f)
    Source: BeijingX_c3:14:6a (88:c3:97:c3:14:6a)
    Type: IPv4 (0x0800)
    Padding: 000000000000
Internet Protocol Version 4, Src: 10.0.0.10, Dst: 10.0.0.222
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
    Total Length: 40
    Identification: 0x0000 (0)
    Flags: 0x4000, Don't fragment
    Fragment offset: 0
    Time to live: 64
    Protocol: TCP (6)
    Header checksum: 0x23e7 [validation disabled]
    [Header checksum status: Unverified]
    Source: 10.0.0.10
    Destination: 10.0.0.222
Transmission Control Protocol, Src Port: 666, Dst Port: 35590, Seq: 1, Ack: 1, Len: 0
    Source Port: 666
    Destination Port: 35590
    [Stream index: 0]
    [TCP Segment Len: 0]
    Sequence number: 1    (relative sequence number)
    Sequence number (raw): 0
    [Next sequence number: 1    (relative sequence number)]
    Acknowledgment number: 1    (relative ack number)
    Acknowledgment number (raw): 1297277178
    0101 .... = Header Length: 20 bytes (5)
    Flags: 0x014 (RST, ACK)
    Window size value: 0
    [Calculated window size: 0]
    [Window size scaling factor: -1 (unknown)]
    Checksum: 0xdcf9 [unverified]
    [Checksum Status: Unverified]
    Urgent pointer: 0
    [SEQ/ACK analysis]
    [Timestamps]
        [Time since first frame in this TCP stream: 0.000785635 seconds]
        [Time since previous frame in this TCP stream: 0.000785635 seconds]
➜  ~ ping 10.0.0.10
PING 10.0.0.10 (10.0.0.10) 56(84) bytes of data.
64 bytes from 10.0.0.10: icmp_seq=1 ttl=64 time=2.79 ms
64 bytes from 10.0.0.10: icmp_seq=2 ttl=64 time=2.33 ms
64 bytes from 10.0.0.10: icmp_seq=3 ttl=64 time=3.15 ms
64 bytes from 10.0.0.10: icmp_seq=4 ttl=64 time=5.37 ms
64 bytes from 10.0.0.10: icmp_seq=5 ttl=64 time=2.72 ms
64 bytes from 10.0.0.10: icmp_seq=6 ttl=64 time=5.56 ms
^C
--- 10.0.0.10 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5009ms
rtt min/avg/max/mdev = 2.326/3.652/5.564/1.305 ms

My Windows network info, where everything works fine (same machine, DHCP):

  Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::72:ee6c:99d3:a669%13
   IPv4 Address. . . . . . . . . . . : 10.0.0.39
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.0.1


Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.0.0.1        10.0.0.39     25
         10.0.0.0    255.255.255.0         On-link         10.0.0.39    281
        10.0.0.39  255.255.255.255         On-link         10.0.0.39    281
       10.0.0.255  255.255.255.255         On-link         10.0.0.39    281
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link         10.0.0.39    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link         10.0.0.39    281

Last edited by extcake (2020-10-11 17:31:09)

Offline

#4 2020-10-11 19:24:55

seth
Member
Registered: 2012-09-03
Posts: 51,029

Re: [SOLVED] Can't access services on server after changing LAN to 10.0.0.

There's either a local firewall (iptables/netfilter - check https://wiki.archlinux.org/index.php/Iptables & https://wiki.archlinux.org/index.php/Nftables on how to dump rules) or the different IP (Linux gets 10.0.0.222, Windows gets 10.0.0.39) is significant.
Maybe there's also a different MAC (which could be relevant either to the DHCP server or the camera), but maybe it's also a "firewall" (even a trivial subnet segmentation in the router or config in the camera) - as long as the ports are closed to the client, the behavior is not surprising.

Offline

#5 2020-10-12 08:44:21

extcake
Member
Registered: 2008-11-11
Posts: 10

Re: [SOLVED] Can't access services on server after changing LAN to 10.0.0.

I tried to reset iptables; I don't have nftables installed.

➜  ~ iptables -nvL
Chain INPUT (policy ACCEPT 422 packets, 38689 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 2101 packets, 1156K bytes)
 pkts bytes target     prot opt in     out     source               destination   

The IP is different because it is manually set outside of the DHCP range. I tried using DHCP (dhcpcd) and got an IP similar to the Windows one, but it didn't resolve the problem.
Ofc Windows and Arch have the same network card MAC.

Is there anything else besides iptables that can block connections (that is installed by default)? My system is pretty clean, not a lot of stuff installed, but the installation itself is like 15 years old now.
Is there any way I can trace what blocks those packets?

Offline

#6 2020-10-12 19:10:57

extcake
Member
Registered: 2008-11-11
Posts: 10

Re: [SOLVED] Can't access services on server after changing LAN to 10.0.0.

Well, the culprit was piavpn.service. The PIA daemon somehow blocked these connections even though I wasn't connected to the VPN.
Disabling the service fixes the problem. Actually, after reinstalling the PIA software, everything works even with piavpn.service enabled.
It seems it generates some config at install time.

Thanks all for help!

Offline
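
The `iptables -nvL` listing in post #5 shows only the filter table, so rules in the nat, mangle or raw tables and policy-routing rules would not appear in it. The following is an added example, not part of any post in this thread, that summarises those from `iptables-save`, `ip rule` and `ip route get` output; its sample inputs are constructed and the chain name `example_vpn` is hypothetical.

```shell
# Added example: look past `iptables -nvL` (filter table only) for other local state.

# stdin: `iptables-save` output. Prints one line per table that holds rules
# or user-defined chains (user-defined chains have policy "-").
tables_with_rules() {
    awk '
        /^\*/     { table = substr($0, 2); rules = 0; chains = 0 }
        /^:/      { if ($2 == "-") chains++ }
        /^-A /    { rules++ }
        /^COMMIT/ { if (rules || chains) printf "%s rules=%d user_chains=%d\n", table, rules, chains }
    '
}

# stdin: `ip rule` output. Prints rules other than the three kernel defaults.
extra_ip_rules() {
    awk '{
        line = $0; gsub(/[ \t]+/, " ", line); sub(/ $/, "", line)
        if (line != "0: from all lookup local" &&
            line != "32766: from all lookup main" &&
            line != "32767: from all lookup default") print line
    }'
}

# $1: `ip route get <addr>` output. Prints "on-link" or "via <gateway>".
next_hop() {
    case "$1" in
        *" via "*) set -- ${1#* via }; echo "via $1" ;;
        *)         echo "on-link" ;;
    esac
}

# Constructed sample inputs (not taken from the thread); example_vpn is hypothetical.
SAMPLE_SAVE='*filter
:INPUT ACCEPT [0:0]
COMMIT
*mangle
:OUTPUT ACCEPT [0:0]
:example_vpn - [0:0]
-A OUTPUT -j example_vpn
-A example_vpn -j MARK --set-xmark 0x1/0xffffffff
COMMIT'
SAMPLE_RULES='0: from all lookup local
100: from all fwmark 0x1 lookup 100
32766: from all lookup main
32767: from all lookup default'

printf '%s\n' "$SAMPLE_SAVE"  | tables_with_rules   # mangle rules=2 user_chains=1
printf '%s\n' "$SAMPLE_RULES" | extra_ip_rules      # 100: from all fwmark 0x1 lookup 100
next_hop '10.0.0.10 via 10.0.0.1 dev eth0 src 10.0.0.222'   # via 10.0.0.1
```

On a live system, pipe `iptables-save` (run as root) and `ip rule` into the first two functions and pass the output of `ip route get 10.0.0.10` to `next_hop`. A host in the same /24 is expected to come back as on-link.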