
Outbound IP Traffic on Wireless

Discussion in 'Tomato Firmware' started by puppycrack, Dec 6, 2012.

  1. puppycrack

    puppycrack Addicted to LI Member

    I am running "Tomato Firmware v1.28.9054 MIPSR2-beta K26 USB vpn3.6" on an Asus RT-N16 router. I have been running it successfully for some time now, save for one problem. Sometimes, any clients that are connected to the router wirelessly, cannot send outbound traffic outside of the LAN. When this happens, they can see other devices on the LAN, wired devices continue to work fine, and I can get *to* them from any of the devices on the LAN.

    I've checked iptables and brctl output when it's running, and when it's in this broken state, and I can't seem to find any differences. brctl and iptables output is below.

    Note that most times a reboot of the router fixes things, yet sometimes it does not.

    Does anyone have any ideas as to what might be going on?

    Thanks!

    root@tomato:/tmp/home/root# brctl show
    bridge name    bridge id          STP enabled    interfaces
    br0            8000.bcaec5e7d0e8  no             vlan1
                                                     eth1

    root@tomato:/tmp/home/root# iptables -nvL
    Chain INPUT (policy DROP 467 packets, 21953 bytes)
    pkts bytes target prot opt in out source destination
    0 0 DROP all -- br0 * 0.0.0.0/0 [*WAN IP ADDRESS*]
    50 3179 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
    63781 5659K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    28056 3217K ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
    43 5968 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
    5946 2009K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
    0 0 ACCEPT 47 -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1723
    0 0 ACCEPT all -- ppp+ * 0.0.0.0/0 0.0.0.0/0

    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    6006 6080K ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
    49 2380 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
    16443 963K TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    498K 238M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    1283 77088 wanin all -- vlan2 * 0.0.0.0/0 0.0.0.0/0
    9629 618K wanout all -- * vlan2 0.0.0.0/0 0.0.0.0/0
    9629 618K ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- ppp+ * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- * ppp+ 0.0.0.0/0 0.0.0.0/0

    Chain OUTPUT (policy ACCEPT 64958 packets, 10M bytes)
    pkts bytes target prot opt in out source destination

    Chain wanin (1 references)
    pkts bytes target prot opt in out source destination
    596 35760 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.25 tcp dpt:80
    685 41100 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.26 tcp dpt:80
    2 228 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.210 tcp dpt:22
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.210 tcp dpt:8090

    Chain wanout (1 references)
    pkts bytes target prot opt in out source destination


    root@tomato:/tmp/home/root# iptables -t nat -nvL
    Chain PREROUTING (policy ACCEPT 69879 packets, 15M bytes)
    pkts bytes target prot opt in out source destination
    1451 87365 WANPREROUTING all -- * * 0.0.0.0/0 [*WAN IP ADDRESS*]
    0 0 DROP all -- vlan2 * 0.0.0.0/0 192.168.1.0/24

    Chain POSTROUTING (policy ACCEPT 1872 packets, 128K bytes)
    pkts bytes target prot opt in out source destination
    8 512 SNAT tcp -- * * 192.168.1.0/24 192.168.1.25 tcp dpt:80 to:[*WAN IP ADDRESS*]
    8 512 SNAT tcp -- * * 192.168.1.0/24 192.168.1.26 tcp dpt:80 to:[*WAN IP ADDRESS*]
    0 0 SNAT tcp -- * * 192.168.1.0/24 192.168.1.210 tcp dpt:22 to:[*WAN IP ADDRESS*]
    0 0 SNAT tcp -- * * 192.168.1.0/24 192.168.1.210 tcp dpt:8090 to:[*WAN IP ADDRESS*]
    11738 741K MASQUERADE all -- * vlan2 0.0.0.0/0 0.0.0.0/0

    Chain OUTPUT (policy ACCEPT 4249 packets, 295K bytes)
    pkts bytes target prot opt in out source destination

    Chain WANPREROUTING (1 references)
    pkts bytes target prot opt in out source destination
    2 56 DNAT icmp -- * * 0.0.0.0/0 0.0.0.0/0 to:192.168.1.1
    600 36032 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5000 to:192.168.1.25:80
    687 41252 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5001 to:192.168.1.26:80
    2 228 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1234 to:192.168.1.210:22
    0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:192.168.1.210:8090
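Eyeballing two `iptables -nvL` dumps for differences, as the post above describes, is error-prone; the script below is an added example (not from this thread or the Tomato project) that parses two snapshots taken a minute apart and reports rules whose packet counters did not advance, rules present in only one snapshot, and rule specs that appear twice in a chain. The sample snapshots are constructed from the FORWARD rules quoted above, with counters chosen to mirror the reported symptom.

```python
"""Diff two `iptables -nvL` snapshots. Feed one table's dump at a time, since
chain names such as OUTPUT repeat across the filter and nat tables."""
import re
from collections import Counter

CHAIN_RE = re.compile(r"^Chain (\S+) \(")
SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}

def to_int(field):
    """iptables -v abbreviates large counters as 5659K, 238M, ..."""
    return int(float(field[:-1]) * SUFFIX[field[-1]]) if field[-1] in SUFFIX else int(field)

def parse_counters(dump):
    """Return ({(chain, rule spec): pkts}, {duplicated (chain, rule spec)}).
    The spec is the rule line minus its pkts/bytes columns, whitespace-normalised,
    so a rule appended by hand that already existed shows up as a duplicate."""
    counters, seen, chain = {}, Counter(), None
    for raw in dump.splitlines():
        line = raw.strip()
        if m := CHAIN_RE.match(line):
            chain = m.group(1)
        elif line and not line.startswith("pkts") and chain:
            pkts, _bytes, spec = line.split(maxsplit=2)
            key = (chain, " ".join(spec.split()))
            seen[key] += 1
            counters[key] = counters.get(key, 0) + to_int(pkts)
    return counters, {k for k, n in seen.items() if n > 1}

def diff_snapshots(before, after):
    a, dup_a = parse_counters(before)
    b, dup_b = parse_counters(after)
    return {
        "unchanged": sorted(k for k in a.keys() & b.keys() if a[k] == b[k]),
        "only_before": sorted(a.keys() - b.keys()),
        "only_after": sorted(b.keys() - a.keys()),
        "duplicates": sorted(dup_a | dup_b),
    }

# Constructed sample: FORWARD chain while wireless clients still reached the WAN,
# then a minute after they reported "LAN works, internet does not". LAN-to-LAN
# forwarding (br0 -> br0) kept counting; the br0 -> vlan2 path did not move.
BEFORE = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 6006 6080K ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
 9629  618K wanout     all  --  *      vlan2   0.0.0.0/0            0.0.0.0/0
 9629  618K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
"""
AFTER = BEFORE.replace("6006 6080K", "6150 6200K")

if __name__ == "__main__":
    for kind, rules in diff_snapshots(BEFORE, AFTER).items():
        print(kind, *rules, sep="\n  ")
```

Rules that should carry the failing traffic but sit in `unchanged` between the two snapshots point at where packets stop; a counter that keeps advancing on the `br0 br0` rule while the `wanout`/`vlan2` rules stall matches the symptom described in the post.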
     
  2. rafwes

    rafwes Serious Server Member

    pls use code next time, it is horrible to read.
    telnet to router and try this:

    iptables -t nat -A PREROUTING -i vlan2 -d 192.168.1/24 -j DROP
    iptables -t nat -A POSTROUTING -o br0 -s 192.168.1.1/24 -d 192.168.1.1/24 -j SNAT --to-source 192.168.1.1
     
  3. puppycrack

    puppycrack Addicted to LI Member

    Sorry for the formatting...

    It looks like the 1st command is already in the PREROUTING section? Also, what is the second command doing exactly? In any case, I'll try this next time things become a problem.

    Thanks!
     
  4. rafwes

    rafwes Serious Server Member

    SNAT will change the source address of the packets from your LAN, replacing the clients' source address with the router's address. Tomato does it by default. I do not really know what's going on. If it doesn't work, besides posting an ipfilter dump, also post a brctl show, an ifconfig and an ip route show dump.
     
  5. puppycrack

    puppycrack Addicted to LI Member

    Still a no-go. Requested output below. Thanks for any help or insight!

    Code:
    Tomato v1.28.9054 MIPSR2-beta K26 USB vpn3.6
    root@tomato:/tmp/home/root# iptables -t nat -A PREROUTING -i vlan2 -d 192.168.1/24 -j DROP
    root@tomato:/tmp/home/root# iptables -t nat -A POSTROUTING -o br0 -s 192.168.1.1/24 -d 192.168.1.1/24 -j SNAT --to-source 192.168.1.1
    root@tomato:/tmp/home/root# iptables -nvL
    Chain INPUT (policy DROP 424 packets, 22848 bytes)
    pkts bytes target    prot opt in    out    source              destination       
        0    0 DROP      all  --  br0    *      0.0.0.0/0            [*WAN_IP_ADDRESS*]     
      70  4858 DROP      all  --  *      *      0.0.0.0/0            0.0.0.0/0          state INVALID
    5564  567K ACCEPT    all  --  *      *      0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    15110 2293K ACCEPT    all  --  br0    *      0.0.0.0/0            0.0.0.0/0         
      32  4518 ACCEPT    all  --  lo    *      0.0.0.0/0            0.0.0.0/0         
    6065 2040K ACCEPT    udp  --  *      *      0.0.0.0/0            0.0.0.0/0          udp spt:67 dpt:68
        0    0 ACCEPT    47  --  *      *      0.0.0.0/0            0.0.0.0/0         
        0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:1723
        0    0 ACCEPT    all  --  ppp+  *      0.0.0.0/0            0.0.0.0/0         
     
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target    prot opt in    out    source              destination       
        0    0 ACCEPT    all  --  br0    br0    0.0.0.0/0            0.0.0.0/0         
      57  2796 DROP      all  --  *      *      0.0.0.0/0            0.0.0.0/0          state INVALID
    10276  611K TCPMSS    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    322K  175M ACCEPT    all  --  *      *      0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    1196 71360 wanin      all  --  vlan2  *      0.0.0.0/0            0.0.0.0/0         
    7820  544K wanout    all  --  *      vlan2  0.0.0.0/0            0.0.0.0/0         
    7820  544K ACCEPT    all  --  br0    *      0.0.0.0/0            0.0.0.0/0         
        0    0 ACCEPT    all  --  ppp+  *      0.0.0.0/0            0.0.0.0/0         
        0    0 ACCEPT    all  --  *      ppp+    0.0.0.0/0            0.0.0.0/0         
     
    Chain OUTPUT (policy ACCEPT 15990 packets, 2236K bytes)
    pkts bytes target    prot opt in    out    source              destination       
     
    Chain wanin (1 references)
    pkts bytes target    prot opt in    out    source              destination       
      539 32252 ACCEPT    tcp  --  *      *      0.0.0.0/0            192.168.1.25        tcp dpt:80
      652 38776 ACCEPT    tcp  --  *      *      0.0.0.0/0            192.168.1.26        tcp dpt:80
        1  148 ACCEPT    tcp  --  *      *      0.0.0.0/0            192.168.1.210      tcp dpt:22
        4  184 ACCEPT    tcp  --  *      *      0.0.0.0/0            192.168.1.210      tcp dpt:8090
     
    Chain wanout (1 references)
    pkts bytes target    prot opt in    out    source              destination       
     
     
     
    root@tomato:/tmp/home/root# iptables -t nat -nvL
    Chain PREROUTING (policy ACCEPT 50812 packets, 13M bytes)
    pkts bytes target    prot opt in    out    source              destination       
    1371 85700 WANPREROUTING  all  --  *      *      0.0.0.0/0          [*WAN_IP_ADDRESS*]   
        0    0 DROP      all  --  vlan2  *      0.0.0.0/0            192.168.1.0/24     
        0    0 DROP      all  --  vlan2  *      0.0.0.0/0            192.168.1.0/24     
     
    Chain POSTROUTING (policy ACCEPT 1690 packets, 110K bytes)
    pkts bytes target    prot opt in    out    source              destination       
        0    0 SNAT      tcp  --  *      *      192.168.1.0/24      192.168.1.25        tcp dpt:80 to:72.230.238.176
        0    0 SNAT      tcp  --  *      *      192.168.1.0/24      192.168.1.26        tcp dpt:80 to:72.230.238.176
        0    0 SNAT      tcp  --  *      *      192.168.1.0/24      192.168.1.210      tcp dpt:22 to:72.230.238.176
        0    0 SNAT      tcp  --  *      *      192.168.1.0/24      192.168.1.210      tcp dpt:8090 to:72.230.238.176
    8087  528K MASQUERADE  all  --  *      vlan2  0.0.0.0/0            0.0.0.0/0         
        0    0 SNAT      all  --  *      br0    192.168.1.0/24      192.168.1.0/24      to:192.168.1.1
     
    Chain OUTPUT (policy ACCEPT 3282 packets, 224K bytes)
    pkts bytes target    prot opt in    out    source              destination       
     
    Chain WANPREROUTING (1 references)
    pkts bytes target    prot opt in    out    source              destination       
        7  328 DNAT      icmp --  *      *      0.0.0.0/0            0.0.0.0/0          to:192.168.1.1
      539 32252 DNAT      tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:5000 to:192.168.1.25:80
      633 37636 DNAT      tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:5001 to:192.168.1.26:80
        1  148 DNAT      tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:1234 to:192.168.1.210:22
        4  176 DNAT      tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:80 to:192.168.1.210:8090
     
     
    root@tomato:/tmp/home/root# brctl show
    bridge name    bridge id        STP enabled    interfaces
    br0        8000.bcaec5e7d0e8    no        vlan1
                                eth1
     
     
     
    root@tomato:/tmp/home/root# ifconfig -a
    br0        Link encap:Ethernet  HWaddr BC:AE:C5:E7:D0:E8 
              inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:247220 errors:0 dropped:0 overruns:0 frame:0
              TX packets:173289 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:141651735 (135.0 MiB)  TX bytes:54280903 (51.7 MiB)
     
    eth0      Link encap:Ethernet  HWaddr BC:AE:C5:E7:D0:E8 
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:5277403 errors:0 dropped:0 overruns:0 frame:0
              TX packets:6511251 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:1821987538 (1.6 GiB)  TX bytes:70567234 (67.2 MiB)
              Interrupt:4 Base address:0x2000
     
    eth1      Link encap:Ethernet  HWaddr BC:AE:C5:E7:D0:EA 
              UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
              RX packets:6257088 errors:0 dropped:0 overruns:0 frame:716941
              TX packets:4209540 errors:13 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:4212379424 (3.9 GiB)  TX bytes:1636074388 (1.5 GiB)
              Interrupt:3 Base address:0x1000
     
    lo        Link encap:Local Loopback 
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING MULTICAST  MTU:16436  Metric:1
              RX packets:404 errors:0 dropped:0 overruns:0 frame:0
              TX packets:404 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:70688 (69.0 KiB)  TX bytes:70688 (69.0 KiB)
     
    vlan1      Link encap:Ethernet  HWaddr BC:AE:C5:E7:D0:E8 
              UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
              RX packets:4304734 errors:0 dropped:0 overruns:0 frame:0
              TX packets:6328946 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:1633538529 (1.5 GiB)  TX bytes:4236387348 (3.9 GiB)
     
    vlan2      Link encap:Ethernet  HWaddr BC:AE:C5:E7:D0:E9 
              inet addr:[*WAN_IP_ADDRESS*]  Bcast:72.230.255.255  Mask:255.255.224.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:972668 errors:0 dropped:0 overruns:0 frame:0
              TX packets:182305 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:93455705 (89.1 MiB)  TX bytes:129147182 (123.1 MiB)
     
    vlan3      Link encap:Ethernet  HWaddr BC:AE:C5:E7:D0:E8 
              BROADCAST MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
     
    root@tomato:/tmp/home/root# ip route show
    72.230.224.1 dev vlan2  scope link
    192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1
    72.230.224.0/19 dev vlan2  proto kernel  scope link  src [*WAN_IP_ADDRESS*]
    127.0.0.0/8 dev lo  scope link
    default via 72.230.224.1 dev vlan2
    
     
  6. puppycrack

    puppycrack Addicted to LI Member

    I cleared out some nvram variables that were left over from trying to set up 2 separate Wireless LANs (the guide I followed is here: http://tomatousb.org/tut:two-isolated-separate-lan-subnets). Once I started having problems, I backed out those changes, but it looks like I missed some items.

    I ran the following (to back out the last of the changes I made in the above guide):

    Code:
    nvram unset vlan3hwname
    nvram unset vlan3ports
    nvram set vlan1ports="4 3 2 1 8*"
    nvram commit
    reboot
    
    The wireless is now working as it should, but I don't have a lot of confidence that it will remain that way. I'll update with the same output I supplied previously, if and when things go south again.

    Thanks.
     
  7. rafwes

    rafwes Serious Server Member

    That could have done the trick. If your clients were in different VLANs before, default rules loaded after reconfiguration through the GUI could easily break forwards between them.
     
