
Hard Crash With iptable Entries AC86U 384.8 alpha

Discussion in 'Asuswrt-Merlin' started by GHammer, Oct 28, 2018.

  1. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    6,749
    Location:
    UK
    Yes, no problem. But I've not tried using it from a startup script, only by typing them into the command line.
     
  3. GHammer

    GHammer Regular Contributor

    Joined:
    Jan 25, 2015
    Messages:
    144
    My 86U becomes unusable (can't get response from SSH terminal, GUI, no device can reach anything) within minutes of manually putting these in.

    So, let me think out loud.
    .115 is a linux box running an AP (different network), weewx (doesn't use 80 or 443), mosquitto (different ports), and Apache of course on 80 & 443.
    My router sends port 80 & 443, among others, to .115 both IPV4 and IPV6. I did those from the router's GUI.

    I wonder if it is not happy with taking the port 80 traffic from the weather station and sending it to .115
     
  4. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    6,749
    Location:
    UK
    I don't know what you mean by "AP (different network)". I'm guessing it has a second NIC on a different subnet? I can't think that would be a problem unless you've got some messed up routing between subnets. Other than that the Linux box is nothing unusual.

    I assume you're talking about port forwarding in the router's GUI. That shouldn't be a problem. Unless of course there's a bug in the firmware.

    What iptables commands are you using? Are you still using these? In that post it looks like you have the IP addresses the wrong way around. What is the IP address of the machine whose traffic you are intercepting and what is the IP address of the machine that is doing the monitoring?
     
  5. GHammer

    GHammer Regular Contributor

    Joined:
    Jan 25, 2015
    Messages:
    144
    What I meant by the AP on a different network is that I have a USB WiFi adapter serving as an access point to provide a separate network for the weather station as I was never able to get the router to do the mirroring.
    So, the address of the device I want to sniff is .121; the device doing the sniffing is .115.
    Code:
    pcap_filter = src 10.10.100.121 and dst port 80
    That is what gets the data into weewx.

    Code:
    iptables -t mangle -A PREROUTING  -s 10.10.100.121 -j ROUTE --tee --gw 10.10.100.115
    iptables -t mangle -A POSTROUTING -d 10.10.100.121 -j ROUTE --tee --gw 10.10.100.115
    Those are the iptable commands I use.

    I don't wish to have the port 80 traffic pass only to the .115 address, it should proceed to its destination while being mirrored to .115
     
  6. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    6,749
    Location:
    UK
    OK. Those commands look correct then.

    Are you saying that 10.10.100.115 and 10.10.100.121 are two network interfaces on the same physical box, i.e. multihomed? That could cause you problems if you haven't set the kernel networking parameters correctly.
     
  7. GHammer

    GHammer Regular Contributor

    Joined:
    Jan 25, 2015
    Messages:
    144
    No. That's how I wish it to work.
    Currently it is configured differently as the router refuses to mirror the traffic.
     
  8. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    6,749
    Location:
    UK
    So how is it configured now?
     
  9. GHammer

    GHammer Regular Contributor

    Joined:
    Jan 25, 2015
    Messages:
    144
    Code:
    Linux has 10.10.100.115 and uses hostapd to provide an AP for the weather station.
    
    AP has 10.10.0.1
    
    dnsmasq provides DHCP for the AP which allows the weather station to be assigned a static IP so I can sniff the traffic.
    
    Then enable ipv4 forwarding.
    iptables and iptables-persistent to allow the traffic from the AP to the LAN that is controlled by the router.
    
    It would be much simpler if the router would mirror the traffic.
     
  10. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    6,749
    Location:
    UK
    So where (and what) is 10.10.100.121 in this setup?
     
  11. GHammer

    GHammer Regular Contributor

    Joined:
    Jan 25, 2015
    Messages:
    144
    If the router mirrored traffic it would be the weather station
     
  12. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    6,749
    Location:
    UK
    What port forwarding rules and/or static routes have you created on the router?
     
  13. GHammer

    GHammer Regular Contributor

    Joined:
    Jan 25, 2015
    Messages:
    144
    Ports 80 and 443 to .115 all sources
     
  14. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    6,749
    Location:
    UK
    Sorry, I'm having a really hard time trying to visualise the traffic flow here. As I understand it:

    1. There is some sort of networked weather station device which has IP 10.10.100.121 or 10.10.0.x depending on how you've set everything up.

    2. There's various services running on Linux at 10.10.100.115 which
    a) is accessible from the internet on ports 80 and 443
    b) the weather station communicates with in some way.

    So..... if you put the weather station back on 10.10.100.121 why are you mirroring its traffic to 10.10.100.115 which presumably it's talking to already?

    What am I missing here?
     
  15. GHammer

    GHammer Regular Contributor

    Joined:
    Jan 25, 2015
    Messages:
    144
    The weather station only sends traffic to a few internet sites. It is not configurable. It does not interface with anything locally. If, like me, you wish to have the data, you find a way to capture it.

    The real issue here is that the router will not mirror traffic.
     
  16. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    6,749
    Location:
    UK
    I suggest that you try just using this one command as an experiment:

    iptables -t mangle -A PREROUTING -s 10.10.100.121 -j ROUTE --tee --gw 10.10.100.222

    Where 10.10.100.222 is the address of some other PC on your LAN. If you don't have the problem with the router that you had before, try adding a second command:

    iptables -t mangle -A POSTROUTING -d 10.10.100.121 -j ROUTE --tee --gw 10.10.100.222

    If it still works we have narrowed down the problem.
     
  17. GHammer

    GHammer Regular Contributor

    Joined:
    Jan 25, 2015
    Messages:
    144
    Good idea, I’ll send the traffic to my desktop. Nothing running or forwarded to it.
     
  18. GHammer

    GHammer Regular Contributor

    Joined:
    Jan 25, 2015
    Messages:
    144
    No issues, but there is no traffic coming from .121 as it is not configured as .121.
    It's a fairly time consuming process to get it on a different IP.

    This would fail almost immediately just by entering the iptables commands if I use .115 as the target

    Off to swing the weather station to .121 to see if traffic makes a difference.
    Meantime, if this is heading the direction I think, I can have the process that sniffs the data look at any port. Is it possible to send the data to a different port while mirroring the traffic? DNAT perhaps?
     
  19. GHammer

    GHammer Regular Contributor

    Joined:
    Jan 25, 2015
    Messages:
    144
    Sending traffic from .121 caused the router to fail.
    Nov 9 12:11:44 kernel: Call trace:

    I have the log saved and have restarted the router to get rid of the iptables entries.
     
  20. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    6,749
    Location:
    UK
    Reading more about ROUTE at places like this it seems that it's a deprecated unofficial extension. As your router has a much newer kernel than mine it's quite possible that that extension is simply not compatible any more.

    It appears that there is an official alternative built into the later iptables called TEE. So try this command and see if it accepts it:

    iptables -t mangle -A PREROUTING -s 10.10.100.121 -j TEE --gateway 10.10.100.222

    http://ipset.netfilter.org/iptables-extensions.man.html#lbDW
     
    Last edited: Nov 9, 2018
  21. GHammer

    GHammer Regular Contributor

    Joined:
    Jan 25, 2015
    Messages:
    144
    Doesn't apply.

    Code:
    [email protected]:/tmp/home/root# iptables -t mangle -A PREROUTING -s 10.10.100.121 -j TEE --gateway 10.10.100.100
    iptables: No chain/target/match by that name.
    
     
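As an added illustration of the TEE experiment ColinTaylor suggested and of the "No chain/target/match by that name" failure above, here is a small POSIX shell helper (example code, not from anyone in this thread): it builds the PREROUTING/POSTROUTING TEE mirror rules for a monitored host and a capture host, validates both addresses, and checks that the iptables TEE target can be loaded before touching any rule. It assumes that `iptables -j TEE -h` exits non-zero when the extension (kernel module xt_TEE) is missing; the addresses are the thread's own example values.

```shell
#!/bin/sh
# Added example: mirror all traffic to/from a monitored LAN host to a
# capture host with the iptables TEE target, failing early when the
# target is not available on this firmware build.

# Print the two mangle-table rules for monitored host $1 and capture
# host $2. $3 is the iptables action: -A (add), -D (delete) or -C (check).
tee_rules() {
    mon="$1"; cap="$2"; act="${3:--A}"
    printf 'iptables -t mangle %s PREROUTING -s %s -j TEE --gateway %s\n' "$act" "$mon" "$cap"
    printf 'iptables -t mangle %s POSTROUTING -d %s -j TEE --gateway %s\n' "$act" "$mon" "$cap"
}

# Accept only a dotted-quad IPv4 address with every octet in 0..255,
# so a mistyped address never reaches iptables.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# Ask iptables to print the TEE extension's help. Assumption: on a
# build without xt_TEE this prints "Couldn't load target `TEE'" and
# exits non-zero, which is the same condition behind the
# "No chain/target/match by that name" error seen in the thread.
has_tee_target() {
    iptables -j TEE -h >/dev/null 2>&1
}

# Apply (-A) or remove (-D) the mirror rules after all checks pass.
mirror() {
    act="$1"; mon="$2"; cap="$3"
    valid_ipv4 "$mon" && valid_ipv4 "$cap" || { echo "bad IPv4 address" >&2; return 2; }
    [ "$mon" != "$cap" ] || { echo "monitored and capture host must differ" >&2; return 2; }
    has_tee_target || { echo "TEE target unavailable (xt_TEE not built?)" >&2; return 3; }
    # Run the generated commands; sh -e stops at the first failing rule.
    tee_rules "$mon" "$cap" "$act" | sh -e
}

# Usage: sh mirror.sh -A 10.10.100.121 10.10.100.222   (start mirroring)
#        sh mirror.sh -D 10.10.100.121 10.10.100.222   (stop mirroring)
if [ "$#" -eq 3 ]; then
    mirror "$@"
fi
```

Because TEE copies every packet matched, a rule anchored on the capture host's own address would mirror the mirrored copies too; keep the monitored and capture hosts distinct, as the helper enforces.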