#126 2014-11-14 10:47:44

razlo
Member
Registered: 2014-08-17
Posts: 2

Re: [script] create_ap: Create a NATed or Bridged WiFi Access Point

Thank you very much for the script. It saves me a lot of work. However, I have problems connecting to my AP.

I am using the following USB-Device, which supports AP mode:

Realtek Semiconductor Corp. RTL8192CU 802.11n WLAN Adapter

I can successfully start my AP:

sudo ./create_ap wlp0s29u1u1 wlp3s0 DemoAP abcdefghij

WARN: Your adapter does not fully support AP virtual interface, enabling --no-virt
Config dir: /tmp/create_ap.wlp0s29u1u1.conf.PVoF49GQ
Sharing Internet using method: nat
hostapd command-line interface: hostapd_cli -p /tmp/create_ap.wlp0s29u1u1.conf.PVoF49GQ/hostapd_ctrl
Configuration file: /tmp/create_ap.wlp0s29u1u1.conf.PVoF49GQ/hostapd.conf
Using interface wlp0s29u1u1 with hwaddr 10:fe:ed:1a:45:11 and ssid "DemoAP"
wlp0s29u1u1: interface state UNINITIALIZED->ENABLED
wlp0s29u1u1: AP-ENABLED 
wlp0s29u1u1: STA 10:1c:0c:ad:5d:fc IEEE 802.11: authenticated
wlp0s29u1u1: STA 10:1c:0c:ad:5d:fc IEEE 802.11: associated (aid 1)
WPA: wpa_sm_step() called recursively
wlp0s29u1u1: STA 10:1c:0c:ad:5d:fc IEEE 802.11: deauthenticated due to local deauth request

However, when I try to connect my devices to the new AP, it always fails, because the password is wrong. I already tried this with an iPad and Android smartphone.

#127 2014-11-15 13:52:39

OBLiQUE
Member
Registered: 2008-12-04
Posts: 107

Re: [script] create_ap: Create a NATed or Bridged WiFi Access Point

AFAIK, RTL8192cu needs an old version of hostapd that is patched from Realtek. You can actually install it from AUR: https://aur.archlinux.org/packages/hostapd-8192cu/
After that you must run create_ap with:

sudo ./create_ap --no-virt --driver rtl871xdrv wlp0s29u1u1 wlp3s0 DemoAP abcdefghij

Last edited by OBLiQUE (2014-11-15 13:53:28)

#128 2014-11-23 12:22:35

RibShark
Member
Registered: 2013-09-21
Posts: 30

Re: [script] create_ap: Create a NATed or Bridged WiFi Access Point

Is there a way to configure what MAC address is used for the created access point? I tried using iw but could not bring the interface back up after changing the MAC address.

#129 2014-11-23 17:18:36

OBLiQUE
Member
Registered: 2008-12-04
Posts: 107

Re: [script] create_ap: Create a NATed or Bridged WiFi Access Point

I just added --mac for this, so get the github version of create_ap or wait until the AUR version is updated (it usually takes 1-2 days).

This is how you can do it:

./create_ap --mac 00:11:22:33:44:55 wlan0 eth0 MyAccessPoint MyPassPhrase

#130 2014-11-24 15:58:03

RibShark
Member
Registered: 2013-09-21
Posts: 30

Re: [script] create_ap: Create a NATed or Bridged WiFi Access Point

OBLiQUE wrote:

I just added --mac for this, so get the github version of create_ap or wait until the AUR version is updated (it usually takes 1-2 days).

This is how you can do it:

./create_ap --mac 00:11:22:33:44:55 wlan0 eth0 MyAccessPoint MyPassPhrase

Thank you so much, that is really helpful!

#131 2014-12-03 03:20:01

Wado
Member
Registered: 2014-12-03
Posts: 7

Re: [script] create_ap: Create a NATed or Bridged WiFi Access Point

Hi,
When I run create_ap, the process stops on "Creating a virtual WiFi interface..."

sudo create_ap wlp0s26f7u2 enp2s0 *** ***
Config dir: /tmp/create_ap.wlp0s26f7u2.conf.7b4c5XId
Network Manager found, set ap0 as unmanaged device... DONE
Creating a virtual WiFi interface... 

#132 2014-12-03 06:25:39

OBLiQUE
Member
Registered: 2008-12-04
Posts: 107

Re: [script] create_ap: Create a NATed or Bridged WiFi Access Point

@Wado Please open a new issue report here: https://github.com/oblique/create_ap/issues
Before you do, make sure that you have the latest commit of create_ap (or the latest version from AUR).
In the report, paste the output of the following commands while create_ap is stuck on "Creating a virtual WiFi interface..."

cat /etc/NetworkManager/NetworkManager.conf
nmcli --version
nmcli d
ip link show ap0
iw dev
uname -a

What distribution do you use? Do you run it from a livecd?

Also, do you get it all the time? Because if you got it only once, then it's probably a bug in NetworkManager.

Last edited by OBLiQUE (2014-12-03 06:26:58)

#133 2014-12-03 13:05:31

Wado
Member
Registered: 2014-12-03
Posts: 7

Re: [script] create_ap: Create a NATed or Bridged WiFi Access Point

I found the problem. I had a bad MAC address in networkmanager.conf. But now I have a new problem with iptables and I can't solve it.

sudo create_ap wlp0s26f7u2 enp2s0 *** ***
[sudo] password for wado: 
Config dir: /tmp/create_ap.wlp0s26f7u2.conf.ZStPMcun
Network Manager found, set ap0 as unmanaged device... DONE
Creating a virtual WiFi interface... ap0 created.
Sharing Internet using method: nat
iptables: No chain/target/match by that name.

Doing cleanup...

#134 2014-12-03 17:39:48

OBLiQUE
Member
Registered: 2008-12-04
Posts: 107

Re: [script] create_ap: Create a NATed or Bridged WiFi Access Point

Try the following and then run create_ap. Tell me if this fixes your problem.

modprobe ipt_MASQUERADE

#135 2014-12-03 19:34:37

Wado
Member
Registered: 2014-12-03
Posts: 7

Re: [script] create_ap: Create a NATed or Bridged WiFi Access Point

I tried, but it's the same problem again.

#136 2014-12-03 19:46:43

OBLiQUE
Member
Registered: 2008-12-04
Posts: 107

Re: [script] create_ap: Create a NATed or Bridged WiFi Access Point

Give me the output of the following:

zcat /proc/config.gz | grep IP_NF
iptables -t nat -L
iptables -L

Which one of the following fails?

iptables -t nat -I POSTROUTING -o enp2s0 -j MASQUERADE
iptables -I FORWARD -i wlp0s26f7u2 -s 192.168.12.0/24 -j ACCEPT
iptables -I INPUT -p tcp -m tcp --dport 53 -j ACCEPT

To clean up the above rules run:

iptables -t nat -F
iptables -F

Are you using Arch or another distribution?

#137 2014-12-03 20:06:53

Wado
Member
Registered: 2014-12-03
Posts: 7

Re: [script] create_ap: Create a NATed or Bridged WiFi Access Point

I'm using manjaro.

[wado@Kombajn ~]$ zcat /proc/config.gz | grep IP_NF
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_AH=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_RPFILTER=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_SYNPROXY=m
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_NETMAP=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_CLUSTERIP=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_TTL=m
CONFIG_IP_NF_RAW=m
CONFIG_IP_NF_SECURITY=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_ARP_MANGLE=m
[wado@Kombajn ~]$ sudo iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
 sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[wado@Kombajn ~]$ sudo iptables -t nat -I POSTROUTING -o enp2s0 -j MASQUERADE
[sudo] password for wado: 
iptables: No chain/target/match by that name.
[wado@Kombajn ~]$ sudo iptables -I FORWARD -i wlp0s26f7u2 -s 192.168.12.0/24 -j ACCEPT
[wado@Kombajn ~]$ sudo iptables -I INPUT -p tcp -m tcp --dport 53 -j ACCEPT
iptables: No chain/target/match by that name.

I tried running create_ap before and after cleaning, with the same result.

#138 2014-12-03 21:01:35

OBLiQUE
Member
Registered: 2008-12-04
Posts: 107

Re: [script] create_ap: Create a NATed or Bridged WiFi Access Point

Give me the output of:

uname -a
lsmod

#139 2014-12-03 21:03:01

Wado
Member
Registered: 2014-12-03
Posts: 7

Re: [script] create_ap: Create a NATed or Bridged WiFi Access Point

[wado@Kombajn ~]$ uname -a
Linux Kombajn 3.12.30-1-MANJARO #1 SMP PREEMPT Sat Oct 11 08:48:59 UTC 2014 x86_64 GNU/Linux
[wado@Kombajn ~]$ lsmod
Module                  Size  Used by
iptable_filter          1560  0 
iptable_nat             3398  0 
nf_conntrack_ipv4       9334  1 
nf_defrag_ipv4          1443  1 nf_conntrack_ipv4
nf_nat_ipv4             3672  1 iptable_nat
nf_nat                 12826  2 nf_nat_ipv4,iptable_nat
nf_conntrack           74971  4 nf_nat,nf_nat_ipv4,iptable_nat,nf_conntrack_ipv4
ip_tables              17538  2 iptable_filter,iptable_nat
x_tables               17480  2 ip_tables,iptable_filter
option                 36634  0 
usb_wwan                8270  1 option
usbserial              31045  2 option,usb_wwan
usb_storage            49191  0 
fuse                   75208  7 
arc4                    2008  2 
nouveau               934780  2 
mxm_wmi                 1475  1 nouveau
wmi                     8483  2 mxm_wmi,nouveau
video                  11109  1 nouveau
ttm                    64652  1 nouveau
drm_kms_helper         36306  1 nouveau
coretemp                6494  0 
drm                   239373  4 ttm,drm_kms_helper,nouveau
kvm_intel             131415  0 
kvm                   395139  1 kvm_intel
i2c_algo_bit            5488  1 nouveau
hid_generic             1225  0 
i2c_i801               11308  0 
serio_raw               5017  0 
i2c_core               25016  5 drm,i2c_i801,drm_kms_helper,i2c_algo_bit,nouveau
ath9k_htc              57887  0 
ath9k_common            2159  1 ath9k_htc
ath9k_hw              396783  2 ath9k_common,ath9k_htc
ath                    15881  3 ath9k_common,ath9k_htc,ath9k_hw
mac80211              479157  1 ath9k_htc
cfg80211              428671  3 ath,mac80211,ath9k_htc
rfkill                 15907  1 cfg80211
atl1                   32963  0 
gpio_ich                4593  0 
evdev                  12112  4 
mii                     4259  1 atl1
iTCO_wdt                5471  0 
iTCO_vendor_support     1937  1 iTCO_wdt
shpchp                 25586  0 
microcode              16965  0 
snd_hda_codec_realtek    42984  1 
snd_hda_intel          37896  4 
snd_hda_codec         151235  2 snd_hda_codec_realtek,snd_hda_intel
snd_hwdep               6340  1 snd_hda_codec
snd_pcm                77869  3 snd_hda_codec,snd_hda_intel
snd_page_alloc          7242  2 snd_pcm,snd_hda_intel
snd_timer              18726  2 snd_pcm
snd                    60149  12 snd_hda_codec_realtek,snd_hwdep,snd_timer,snd_pcm,snd_hda_codec,snd_hda_intel
soundcore               5615  1 snd
intel_agp              10944  0 
intel_gtt              12728  1 intel_agp
lpc_ich                13504  0 
asus_atk0110           12193  0 
button                  4837  1 nouveau
acpi_cpufreq           10971  0 
processor              25212  1 acpi_cpufreq
nfs                   199317  0 
lockd                  77838  1 nfs
sunrpc                238132  2 nfs,lockd
fscache                47476  1 nfs
usbhid                 40833  0 
hid                    91734  2 hid_generic,usbhid
ext4                  486840  1 
crc16                   1367  1 ext4
mbcache                 6146  1 ext4
jbd2                   86295  1 ext4
sd_mod                 30885  4 
ata_generic             3442  0 
pata_acpi               3459  0 
ahci                   23792  0 
pata_jmicron            2595  0 
libahci                21610  1 ahci
firewire_ohci          32605  0 
ata_piix               25248  3 
firewire_core          52788  1 firewire_ohci
libata                171516  6 ahci,pata_acpi,libahci,ata_generic,ata_piix,pata_jmicron
crc_itu_t               1371  1 firewire_core
ehci_pci                4224  0 
uhci_hcd               25603  0 
scsi_mod              132461  3 usb_storage,libata,sd_mod
ehci_hcd               60820  1 ehci_pci
usbcore               183509  9 uhci_hcd,usb_storage,usbserial,ehci_hcd,ehci_pci,option,usbhid,ath9k_htc,usb_wwan
usb_common              1720  1 usbcore
floppy                 59219  0 

#140 2014-12-03 21:13:46

OBLiQUE
Member
Registered: 2008-12-04
Posts: 107

Re: [script] create_ap: Create a NATed or Bridged WiFi Access Point

The ipt_MASQUERADE module is not loaded. Did you get any errors when you ran 'modprobe ipt_MASQUERADE'? I believe this is the issue.

#141 2014-12-03 21:30:56

Wado
Member
Registered: 2014-12-03
Posts: 7

Re: [script] create_ap: Create a NATed or Bridged WiFi Access Point

No, look:

[wado@Kombajn ~]$ modprobe ipt_MASQUERADE
[wado@Kombajn ~]$ 

#142 2014-12-03 21:40:25

Wado
Member
Registered: 2014-12-03
Posts: 7

Re: [script] create_ap: Create a NATed or Bridged WiFi Access Point

I have just restarted the system and now it's working :) Thank you very much for the help :)

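
The rule set that OBLiQUE asked Wado to try (MASQUERADE on the internet interface, ACCEPT in FORWARD for the client subnet, ACCEPT for DNS in INPUT) is applied and torn down in the thread with a plain "iptables -F", which also removes every unrelated rule on the host. The script below is an added example, not create_ap's own code: it records each rule it inserts so the same list can be deleted with -D on exit, and it checks /proc/net/ip_tables_targets and ip_tables_matches first, which is where the kernel lists the extensions behind the "No chain/target/match by that name" error (legacy iptables backend). Compared with the thread's rules it also limits MASQUERADE to the client subnet, limits the return direction to established flows, and binds the DHCP/DNS INPUT rules to the AP interface. The IPT variable is an assumed override hook so the functions can be dry-run with a shell function in place of the iptables binary.

```shell
#!/bin/sh
# Added example, not create_ap's own code: the NAT rule set from the thread,
# applied so that each rule can be deleted individually on exit instead of
# flushing whole chains with "iptables -F" (which also removes any unrelated
# firewall rules on the host). IPT is an assumed override hook for the
# iptables binary; pointing it at a shell function gives a dry run.
IPT="${IPT:-iptables}"

# Print one rule per line as "<table> <chain> <match and target>" so the same
# list serves both -I (insert) and -D (delete).
# $1 = internet-facing interface, $2 = AP interface, $3 = client subnet.
nat_rules() {
    wan=$1; ap=$2; subnet=$3
    printf '%s\n' \
        "nat POSTROUTING -s $subnet -o $wan -j MASQUERADE" \
        "filter FORWARD -i $ap -o $wan -s $subnet -j ACCEPT" \
        "filter FORWARD -i $wan -o $ap -d $subnet -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" \
        "filter INPUT -i $ap -p udp --dport 67 -j ACCEPT" \
        "filter INPUT -i $ap -p udp --dport 53 -j ACCEPT" \
        "filter INPUT -i $ap -p tcp --dport 53 -j ACCEPT"
}

# Run $IPT with the given action (-I or -D) for every rule; stops at the first
# failure so a "No chain/target/match by that name" error is not silently skipped.
edit_rules() {
    action=$1; shift
    nat_rules "$@" | while read -r table chain spec; do
        # $spec is deliberately unquoted so it splits into separate arguments
        $IPT -t "$table" "$action" "$chain" $spec || exit 1
    done
}

apply_rules()  { edit_rules -I "$@"; }
remove_rules() { edit_rules -D "$@"; }

# The kernel lists the targets and matches it has registered under /proc/net;
# an entry missing there is what produces "No chain/target/match by that name".
# (MASQUERADE comes from ipt_MASQUERADE, tcp/udp from xt_tcpudp, conntrack from xt_conntrack.)
have_target() { grep -qx "$1" /proc/net/ip_tables_targets 2>/dev/null; }
have_match()  { grep -qx "$1" /proc/net/ip_tables_matches 2>/dev/null; }

preflight() {
    have_target MASQUERADE || { echo "MASQUERADE target not registered (try: modprobe ipt_MASQUERADE)" >&2; return 1; }
    for m in conntrack tcp udp; do
        have_match "$m" || { echo "match '$m' not registered; load its xt_ module" >&2; return 1; }
    done
}

# Typical use as root, with the same arguments for apply and remove:
#   preflight && apply_rules eth0 wlan0 192.168.12.0/24
#   trap 'remove_rules eth0 wlan0 192.168.12.0/24' EXIT
```

Because the insert and delete paths read the same rule list, a cleanup after a crash removes exactly what was added and nothing else; a second apply without a remove in between would simply stack duplicate rules, which iptables -L -n -v makes obvious.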
#143 2014-12-07 00:50:03

Xenphor
Member
Registered: 2011-07-01
Posts: 47

Re: [script] create_ap: Create a NATed or Bridged WiFi Access Point

I'm trying to use this script using Arch ARM on a Raspi with a Panda wireless adapter but I get this error message:

$ sudo create_ap --ieee80211n --ht_capab '[HT40+]' wlan0 eth0 archap topsecretpass
WARN: Your adapter does not fully support AP virtual interface, enabling --no-virt
Config dir: /tmp/create_ap.wlan0.conf.DJsr0TM8
Sharing Internet using method: nat
hostapd command-line interface: hostapd_cli -p /tmp/create_ap.wlan0.conf.DJsr0TM8/hostapd_ctrl
Configuration file: /tmp/create_ap.wlan0.conf.DJsr0TM8/hostapd.conf
nl80211: Could not configure driver mode
nl80211 driver initialization failed.
hostapd_free_hapd_data: Interface wlan0 wasn't started
Error: Failed to run hostapd, maybe a program is interfering.

I think it should support it:

$ iw list
Wiphy phy0
	max # scan SSIDs: 4
	max scan IEs length: 2257 bytes
	Retry short limit: 7
	Retry long limit: 4
	Coverage class: 0 (up to 0m)
	Device supports RSN-IBSS.
	Supported Ciphers:
		* WEP40 (00-0f-ac:1)
		* WEP104 (00-0f-ac:5)
		* TKIP (00-0f-ac:2)
		* CCMP (00-0f-ac:4)
	Available Antennas: TX 0 RX 0
	Supported interface modes:
		 * IBSS
		 * managed
		 * AP
		 * AP/VLAN
		 * WDS
		 * monitor
		 * mesh point
	Band 1:
		Capabilities: 0x2f2
			HT20/HT40
			Static SM Power Save
			RX Greenfield
			RX HT20 SGI
			RX HT40 SGI
			TX STBC
			RX STBC 2-streams
			Max AMSDU length: 3839 bytes
			No DSSS/CCK HT40
		Maximum RX AMPDU length 65535 bytes (exponent: 0x003)
		Minimum RX AMPDU time spacing: 2 usec (0x04)
		HT RX MCS rate indexes supported: 0-15, 32
		TX unequal modulation not supported
		HT TX Max spatial streams: 2
		HT TX MCS rate indexes supported may differ
		Bitrates (non-HT):
			* 1.0 Mbps
			* 2.0 Mbps (short preamble supported)
			* 5.5 Mbps (short preamble supported)
			* 11.0 Mbps (short preamble supported)
			* 6.0 Mbps
			* 9.0 Mbps
			* 12.0 Mbps
			* 18.0 Mbps
			* 24.0 Mbps
			* 36.0 Mbps
			* 48.0 Mbps
			* 54.0 Mbps
		Frequencies:
			* 2412 MHz [1] (20.0 dBm)
			* 2417 MHz [2] (20.0 dBm)
			* 2422 MHz [3] (20.0 dBm)
			* 2427 MHz [4] (20.0 dBm)
			* 2432 MHz [5] (20.0 dBm)
			* 2437 MHz [6] (20.0 dBm)
			* 2442 MHz [7] (20.0 dBm)
			* 2447 MHz [8] (20.0 dBm)
			* 2452 MHz [9] (20.0 dBm)
			* 2457 MHz [10] (20.0 dBm)
			* 2462 MHz [11] (20.0 dBm)
			* 2467 MHz [12] (20.0 dBm) (no IR)
			* 2472 MHz [13] (20.0 dBm) (no IR)
			* 2484 MHz [14] (20.0 dBm) (no IR)
	Supported commands:
		 * new_interface
		 * set_interface
		 * new_key
		 * start_ap
		 * new_station
		 * new_mpath
		 * set_mesh_config
		 * set_bss
		 * authenticate
		 * associate
		 * deauthenticate
		 * disassociate
		 * join_ibss
		 * join_mesh
		 * set_tx_bitrate_mask
		 * frame
		 * frame_wait_cancel
		 * set_wiphy_netns
		 * set_channel
		 * set_wds_peer
		 * probe_client
		 * set_noack_map
		 * register_beacons
		 * start_p2p_device
		 * set_mcast_rate
		 * testmode
		 * connect
		 * disconnect
	Supported TX frame types:
		 * IBSS: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
		 * managed: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
		 * AP: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
		 * AP/VLAN: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
		 * mesh point: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
		 * P2P-client: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
		 * P2P-GO: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
		 * P2P-device: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
	Supported RX frame types:
		 * IBSS: 0x40 0xb0 0xc0 0xd0
		 * managed: 0x40 0xd0
		 * AP: 0x00 0x20 0x40 0xa0 0xb0 0xc0 0xd0
		 * AP/VLAN: 0x00 0x20 0x40 0xa0 0xb0 0xc0 0xd0
		 * mesh point: 0xb0 0xc0 0xd0
		 * P2P-client: 0x40 0xd0
		 * P2P-GO: 0x00 0x20 0x40 0xa0 0xb0 0xc0 0xd0
		 * P2P-device: 0x40 0xd0
	software interface modes (can always be added):
		 * AP/VLAN
		 * monitor
	valid interface combinations:
		 * #{ AP, mesh point } <= 8,
		   total <= 8, #channels <= 1
	HT Capability overrides:
		 * MCS: ff ff ff ff ff ff ff ff ff ff
		 * maximum A-MSDU length
		 * supported channel width
		 * short GI for 40 MHz
		 * max A-MPDU length exponent
		 * min MPDU start spacing
	Device supports TX status socket option.
	Device supports HT-IBSS.
	Device supports SAE with AUTHENTICATE command
	Device supports low priority scan.
	Device supports scan flush.
	Device supports AP scan.
	Device supports per-vif TX power setting
	Driver supports a userspace MPM

I'm not using networkmanager or any other service that I know of to connect to the internet - just ethernet cable which was automatically detected and working. I can see access points using wifi-menu wlan0 but the purpose of the device was to use eth0 to make an access point.

Edit: I tried again from scratch, this time using the AUR package and it works without doing anything different.

Last edited by Xenphor (2014-12-07 06:50:30)

#144 2014-12-07 07:51:22

OBLiQUE
Member
Registered: 2008-12-04
Posts: 107

Re: [script] create_ap: Create a NATed or Bridged WiFi Access Point

AUR and github have the same code. Maybe it was a temporary problem with the driver.

#145 2014-12-14 14:09:54

OBLiQUE
Member
Registered: 2008-12-04
Posts: 107

Re: [script] create_ap: Create a NATed or Bridged WiFi Access Point

I added 3 useful options: --daemon, --list, --stop.

With --daemon you can run create_ap in the background.
Example:

create_ap --daemon wlan0 eth0 MyAccessPoint MyPassPhrase

With --list you can get the PID of the running create_ap and what interface it is using to transmit.
Example:

% create_ap --list
4914 wlan0

With --stop you can stop the running create_ap.
Examples:

create_ap --stop wlan0
create_ap --stop 4914

Last edited by OBLiQUE (2014-12-14 14:10:25)

#146 2015-01-24 20:40:53

Cz-David
Member
Registered: 2012-05-25
Posts: 33

Re: [script] create_ap: Create a NATed or Bridged WiFi Access Point

I just can't get NAT forwarding to work. Been trying for two hours.

What wireshark shows me is that on (ap0 or wlan0) I get a ping packet to 8.8.8.8 from my connected device. Next my computer correctly forwards the packet to 8.8.8.8 (through eth0) and I get a response packet back. Which is then swallowed by a black hole.

iptables logs do not show it as a dropped packet. I tried to set up the iptables rules manually and no difference. Really don't know where to go from here.

david@dntb:~$ sudo create_ap -c 2 -m nat --hidden --no-virt wlan0 eth0 ntest testtest
Config dir: /tmp/create_ap.wlan0.conf.qtwIX8Ld
PID: 3093
Access Point's SSID is hidden!
Sharing Internet using method: nat
hostapd command-line interface: hostapd_cli -p /tmp/create_ap.wlan0.conf.qtwIX8Ld/hostapd_ctrl
Configuration file: /tmp/create_ap.wlan0.conf.qtwIX8Ld/hostapd.conf
Using interface wlan0 with hwaddr 00:25:d3:81:8b:37 and ssid "ntest"
wlan0: interface state UNINITIALIZED->ENABLED
wlan0: AP-ENABLED 
wlan0: STA 30:a8:db:a2:64:5d IEEE 802.11: authenticated
wlan0: STA 30:a8:db:a2:64:5d IEEE 802.11: associated (aid 1)
wlan0: AP-STA-CONNECTED 30:a8:db:a2:64:5d
wlan0: STA 30:a8:db:a2:64:5d RADIUS: starting accounting session 54C40124-00000000
wlan0: STA 30:a8:db:a2:64:5d WPA: pairwise key handshake completed (RSN)
root@dntb:/home/david# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             192.168.12.0/24     
ACCEPT     all  --  192.168.12.0/24      anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
root@dntb:/home/david# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  anywhere             anywhere
root@dntb:/home/david# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.104.105.2  netmask 255.254.0.0  broadcast 10.105.255.255
        inet6 fe80::225:d3ff:fe81:8b37  prefixlen 64  scopeid 0x20<link>
        ether 00:25:d3:81:8b:37  txqueuelen 1000  (Ethernet)
        RX packets 90556  bytes 9396737 (8.9 MiB)
        RX errors 0  dropped 1  overruns 0  frame 0
        TX packets 16079  bytes 1736138 (1.6 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 2  bytes 140 (140.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2  bytes 140 (140.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.12.1  netmask 255.255.255.0  broadcast 192.168.12.255
        inet6 fe80::225:d3ff:fe81:8b37  prefixlen 64  scopeid 0x20<link>
        ether 00:25:d3:81:8b:37  txqueuelen 1000  (Ethernet)
        RX packets 5091  bytes 390423 (381.2 KiB)
        RX errors 0  dropped 4  overruns 0  frame 0
        TX packets 151  bytes 19357 (18.9 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
root@dntb:/home/david# sudo iptables -L -n -v
Chain INPUT (policy ACCEPT 5995 packets, 479K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    1   334 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
   47  3074 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            192.168.12.0/24     
 1382 93624 ACCEPT     all  --  wlan0  *       192.168.12.0/24      0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 1969 packets, 199K bytes)
 pkts bytes target     prot opt in     out     source               destination
root@dntb:/home/david# sudo iptables -L -n -v -t nat
Chain PREROUTING (policy ACCEPT 1708 packets, 136K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 703 packets, 76768 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 109 packets, 7184 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 1 packets, 328 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  381 23284 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0  

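
The verbose listing in the post above already locates the loss: the FORWARD rule for traffic entering from wlan0 has counted 1382 packets, the rule for traffic entering from eth0 has counted 0, and POSTROUTING has masqueraded 381 packets, so replies never reach the forwarding path and the filter rules themselves are not what is dropping them. The following is an added example, not code from the thread: a POSIX sh/awk helper that sums the FORWARD counters of an "iptables -L -n -v" listing per input interface and reports that asymmetry, using the post's own filter-table output as a constructed sample.

```shell
#!/bin/sh
# Added example, not create_ap's own code: read "iptables -L -n -v" output and
# sum the FORWARD packet counters per input interface, which is the quickest
# way to see whether replies from the internet side ever reach the forwarding
# path. Needs only POSIX sh and awk.

# Sum packet counters of the named chain by input interface (field 6 of the
# verbose listing). iptables abbreviates large counters as 479K, 12M or 1G.
chain_counts() {
    awk -v want="$1" '
        function count(s) {
            if (s ~ /K$/) return substr(s, 1, length(s) - 1) * 1000
            if (s ~ /M$/) return substr(s, 1, length(s) - 1) * 1000000
            if (s ~ /G$/) return substr(s, 1, length(s) - 1) * 1000000000
            return s + 0
        }
        /^Chain /               { chain = $2; next }   # "Chain FORWARD (policy ...)"
        $1 == "pkts" || NF < 9  { next }               # column header and blank lines
        chain == want           { sum[$6] += count($1) }
        END                     { for (i in sum) print i, sum[i] }
    '
}

# Print "no-return-traffic" when the LAN side has sent forwarded packets but
# nothing has come back through FORWARD from the WAN side, otherwise "ok".
# $1 = LAN (AP) interface, $2 = WAN (internet) interface.
nat_return_check() {
    chain_counts FORWARD | awk -v lan="$1" -v wan="$2" '
        BEGIN     { out = 0; back = 0 }
        $1 == lan { out += $2 }
        $1 == wan { back += $2 }
        END       { msg = (out > 0 && back == 0) ? "no-return-traffic" : "ok"; print msg }
    '
}

# Constructed sample: the filter table listing from the post above.
sample_filter() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT 5995 packets, 479K bytes)
 pkts bytes target     prot opt in     out     source               destination
    1   334 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
   47  3074 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            192.168.12.0/24
 1382 93624 ACCEPT     all  --  wlan0  *       192.168.12.0/24      0.0.0.0/0

Chain OUTPUT (policy ACCEPT 1969 packets, 199K bytes)
 pkts bytes target     prot opt in     out     source               destination
EOF
}

# Live use as root:  iptables -L -n -v | nat_return_check wlan0 eth0
# On the sample:     sample_filter | nat_return_check wlan0 eth0   -> no-return-traffic
```

When the check reports no-return-traffic while a packet capture on the internet interface does show replies arriving, the drop is happening between the NIC and the FORWARD chain (upstream filtering, reverse-path filtering, routing or connection tracking), which narrows the search considerably compared with staring at the rule list.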
#147 2015-01-25 14:29:19

Cz-David
Member
Registered: 2012-05-25
Posts: 33

Re: [script] create_ap: Create a NATed or Bridged WiFi Access Point

Never mind, after an inspired guess about TTL from my NATted subnet I found out that my provider blocks any packet with TTL less than 64. Gonna be sorting out that particular rule with them.

Anyway, a temporary fix:

iptables -t mangle -A PREROUTING -i eth0 -j TTL --ttl-set 64

#148 2015-01-27 08:18:13

OBLiQUE
Member
Registered: 2008-12-04
Posts: 107

Re: [script] create_ap: Create a NATed or Bridged WiFi Access Point

I would never have thought about TTL. Now I'm thinking about whether I should add your fix to create_ap. I will check it later; probably I will add it.
Thanks btw.

Last edited by OBLiQUE (2015-01-27 08:19:04)

#149 2015-01-27 20:46:12

OBLiQUE
Member
Registered: 2008-12-04
Posts: 107
Website

Re: [script] create_ap: Create a NATed or Bridged WiFi Access Point

It's a bit strange that '-i eth0' in your iptables rule fixed your problem. It should be '-i wlan0'. Anyway, does the following also fix your problem?

iptables -t mangle -I PREROUTING -i wlan0 -j TTL --ttl-inc 1

Last edited by OBLiQUE (2015-01-27 20:46:55)

#150 2015-01-29 22:00:17

Cz-David
Member
Registered: 2012-05-25
Posts: 33

Re: [script] create_ap: Create a NATed or Bridged WiFi Access Point

These ones do not change the TTL of outgoing packets and do not work for me:

iptables -t mangle -A PREROUTING -i wlan0 -j TTL --ttl-set 64
iptables -t mangle -I PREROUTING -i eth0 -j TTL --ttl-inc 1
iptables -t mangle -A OUTPUT -j TTL --ttl-set 64

These ones do change the TTL on outgoing packets but still do not work for me:

iptables -t mangle -A POSTROUTING -j TTL --ttl-set 64
iptables -t mangle -I PREROUTING -i wlan0 -j TTL --ttl-inc 1

This solves my problem, but does not change the TTL of the packet.

iptables -t mangle -A PREROUTING -i eth0 -j TTL --ttl-set 64

Now I have it hardcoded into the script as

iptables -t mangle -A PREROUTING -i ${INTERNET_IFACE} -j TTL --ttl-set 64 || die

I can't figure out why it works, but my assumption that it was based on the TTL is clearly wrong. It must be doing something else to the packet I can't see. Gonna compare the wireshark captures more closely.
