ip routing


Post by richard-g8jvm » Wed Sep 12, 2018 6:49 am

Hi
It's not really applicable to just one board, so I'll scribble here.
Got a minor routing problem.
Route table:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.21.24.1     128.0.0.0       UG    0      0        0 tun0
default         _gateway        0.0.0.0         UG    100    0        0 eth0
64-145-79-177.i _gateway        255.255.255.255 UGH   0      0        0 eth0
128.0.0.0       172.21.24.1     128.0.0.0       UG    0      0        0 tun0
link-local      0.0.0.0         255.255.0.0     U     1000   0        0 eth0
172.21.24.0     0.0.0.0         255.255.254.0   U     0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     100    0        0 eth0



I've used a commercial VPN so I can watch US TV when I get bored; that's where tun0 gets used.
I also have motion running with a USB cam on a C2.
Using an app on my phone I can see all the IP cameras and the USB cam on the local net,
and I have a fixed IP address (WAN).
I've set up port forwarding through the router so I can check the cameras when away from home.
All IP cams are visible, except the USB cam connected to the C2.
I'm pretty sure the reason I can't connect to the C2 from the WAN and outside world is the VPN running.
Now I'd have thought that if I was connecting to the fixed IP address on the WAN side of the router, even if the return path got routed
via the VPN over to New York it would find its way back to my phone, but I'm guessing the mobile network can see the return source and destination
addresses are different and won't play.
Right, after all the waffle, here's the question:
If I add a fixed static route to my fixed IP address on the WAN side of the router, would that get over the problem, or would it still go to whatever address
the mobile network uses? And that address is liable to be different depending on my location, so go out via the VPN.
My knowledge of the TCP/IP stack is very rusty now.
BR
Richard G8JVM
richard-g8jvm
 
Posts: 293
Joined: Sun Jan 18, 2015 1:27 am
Location: Telford UK
languages_spoken: english
ODROIDs: C1+ C2, XU4

Re: ip routing

Post by mad_ady » Wed Sep 12, 2018 2:36 pm

The problem is the tunnel provider is announcing two /1 addresses through the tunnel interface (0.0.0.0/1 and 128.0.0.0/1) - which effectively bypass your C2's default gateway. This makes all return traffic (not destined to your LAN) go through your VPN and you have asymmetric routing (which should be OK as long as you don't run into firewalls), but since both you and your VPN provider do NAT you run into the different IP problem you described.

You have a couple of solutions - it depends which one is applicable to you:
1. Ask your VPN provider if there's a setting you can use not to receive a default route, but to receive specific routes for US address space (could be up to 50k routes). Might not be an option, or might be paid, but it's the correct solution.
2. If the place from where you're connecting to view your cameras has a fixed/known address space (e.g. from work) you can route that address through eth0 to be more specific. It doesn't scale because you need to know all addresses you want to connect from.
3. Instead of connecting through regular port forwarding (the C2 still sees your public source address and has trouble with return traffic), you can ssh into any other LAN system (including the router) and set up ssh port forwarding (-L8080:odroid-ip:camera-port). You then connect with ssh to your other system and while connected you can connect to 127.0.0.1:8080 and will be proxied to odroid-ip:camera-port. This works because your C2 has a correct route (LAN) to your ssh server. And traffic is encrypted - yay!
4. You can use policy-based routing with iptables and its mangle table so that any new connections from outside the LAN to your camera-port will have their nexthop/outgoing interface rewritten so it bypasses the routing table. I don't have an example, but it can be done.

Let us know which one you pick.
mad_ady
 
Posts: 4466
Joined: Wed Jul 15, 2015 5:00 pm
Location: Bucharest, Romania
languages_spoken: english
ODROIDs: XU4, C1+, C2, N1
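The reply above explains why the two /1 routes beat the default route: route selection is longest prefix first, so 0.0.0.0/1 and 128.0.0.0/1 between them cover every address and the /0 default via eth0 is never chosen. The Python below is an added example, not code from the thread or from either poster. It runs the same longest-prefix match over the routing table from the first post (the "_gateway" entry is assumed to be the router at 192.168.1.254, the address a later post gives; the named host route is omitted because its address is truncated in the listing) and then shows how option 2 from the reply, a /32 for one known remote address pinned to eth0, outranks the tunnel routes for that address alone. The remote address 198.51.100.9 is a constructed placeholder.

```python
from ipaddress import ip_address, ip_network

# Constructed from the "route" output in the first post. "_gateway" is assumed to be
# the home router at 192.168.1.254 (a later post gives that address); the named
# host route to 64-145-79-177.i... is left out because its address is truncated.
ROUTE_TABLE = [
    # destination    genmask            gateway          iface   metric
    ("0.0.0.0",      "128.0.0.0",       "172.21.24.1",   "tun0", 0),     # 0.0.0.0/1 via the VPN
    ("0.0.0.0",      "0.0.0.0",         "192.168.1.254", "eth0", 100),   # default via the router
    ("128.0.0.0",    "128.0.0.0",       "172.21.24.1",   "tun0", 0),     # 128.0.0.0/1 via the VPN
    ("169.254.0.0",  "255.255.0.0",     None,            "eth0", 1000),  # link-local
    ("172.21.24.0",  "255.255.254.0",   None,            "tun0", 0),
    ("192.168.1.0",  "255.255.255.0",   None,            "eth0", 100),
]

def parse_routes(rows):
    """Turn (destination, genmask, gateway, iface, metric) rows into network objects."""
    return [(ip_network(f"{dst}/{mask}"), gw, dev, metric)
            for dst, mask, gw, dev, metric in rows]

def lookup(table, dst):
    """Kernel-style route selection: longest prefix wins, then the lowest metric.
    Returns (prefix, gateway, iface), or None if nothing matches."""
    addr = ip_address(dst)
    matches = [r for r in table if addr in r[0]]
    if not matches:
        return None
    net, gw, dev, _ = max(matches, key=lambda r: (r[0].prefixlen, -r[3]))
    return (str(net), gw, dev)

def with_host_route(table, remote_ip, gateway="192.168.1.254", dev="eth0"):
    """Option 2 from the reply: a /32 for one known remote address, pinned to eth0
    via the router, outranks both /1 tunnel routes for that address alone."""
    return table + [(ip_network(f"{remote_ip}/32"), gateway, dev, 0)]

def egress_interface_counts(table, samples):
    """Count which interface each sample destination leaves through; with the /1
    routes present, nothing outside the LAN ever uses the eth0 default."""
    counts = {}
    for dst in samples:
        dev = lookup(table, dst)[2]
        counts[dev] = counts.get(dev, 0) + 1
    return counts

TABLE = parse_routes(ROUTE_TABLE)

if __name__ == "__main__":
    for dst in ("8.8.8.8", "200.1.1.1", "192.168.1.50", "172.21.25.9"):
        print(dst, "->", lookup(TABLE, dst))
    pinned = with_host_route(TABLE, "198.51.100.9")   # constructed remote address
    print("198.51.100.9 with host route ->", lookup(pinned, "198.51.100.9"))
```

The same selection rule is why the VPN provider pushes two /1 routes instead of replacing the default: the /1s win on prefix length without having to touch the existing /0, and the host route wins over the /1s for the same reason.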

Re: ip routing

Post by richard-g8jvm » Wed Sep 12, 2018 5:24 pm

Thanks Mad_ady

You confirmed my suspicions on what was happening.
Of all the options, maybe 4, iptables mangle.

But there may be another.
Before the next vacation I will need to set up a personal VPN so I can use my fixed IP address in the UK from wherever I am.
So maybe I could port forward from the router, which is not very friendly and limited in what can be done, to the C1, which can be set up as the VPN.
Then I could port forward from within the LAN, which would give access to the C2 with the USB camera; it would also increase the security on the
other IP cams on the LAN.
If I remember correctly iptables can filter on the MAC address of the originating device???
If so there would only be 3 devices that need access and I know the MAC addresses of all of them.
What do you think?????
BR
Richard G8JVM

Re: ip routing

Post by mad_ady » Wed Sep 12, 2018 5:44 pm

No, MAC addresses are visible only on the same layer 2 network - you can't know the MAC address of a device on the internet.

Re: ip routing

Post by richard-g8jvm » Wed Sep 12, 2018 6:36 pm

Oh, that's a shame, I'll have to rely on an SSL tunnel.
BR
Richard G8JVM

Re: ip routing

Post by richard-g8jvm » Wed Sep 12, 2018 10:00 pm

Hi
I now have a C1 sitting on the LAN; that's used the last spare port on the router, running in to a 5-way switch.
I can alter the port forwarding on the router to send anything that was destined for the C2 on port 8083 to go to the C1.
The C1 has only one Ethernet port; can I use iptables forwarding to accept and forward to the same port?
So the C1 will now send packets to port 8083 on the C2. I will need to change the forwarding port number on the router
going to the C1.
The LAN ports are faster than anything coming from the internet, or do I need another port???
thanks
BR
Richard G8JVM

Re: ip routing

Post by mad_ady » Wed Sep 12, 2018 11:37 pm

You can do everything over the same ethernet port, no need for separate physical ports. If you need help put together a detailed network diagram and we'll work something out.

Re: ip routing

Post by richard-g8jvm » Thu Sep 13, 2018 12:08 am

Hiya
Yes, some help would be appreciated. I did do a lot of IP routing / iptables use, but that was 15 years ago, and my brain is definitely volatile memory.
The router is currently set to port forward 80.xx.xx.xx:8083 to 192.168.1.70:8083 (C2 address and motion port).
The C1 is at 192.168.1.80; IP forwarding has been enabled.
New incoming packet route, port 8083, will be WAN > LAN Router 192.168.1.254 > C1 192.168.1.80 > C2 192.168.1.70
Return packet route: C2 192.168.1.70 > Router 192.168.1.254 > WAN
Static routing on C1 will be default 192.168.1.254 eth0
I think the iptables entry is something like
iptables -t nat -A PREROUTING -p tcp --dport 8083 -j DNAT --to-destination 192.168.1.70:8083

As it's on the same subnet, do I need to masquerade?
many thanks
BR
Richard G8JVM

Re: ip routing

Post by mad_ady » Thu Sep 13, 2018 12:16 am

I think you need SNAT as well, because with DNAT you forward packets from C1 -> C2, but the source IP address will still be the public IP and traffic won't flow back to the C1. Masquerade (or SNAT) should also change the source. You also need to enable IP routing on C1 and allow packets in the FORWARD chain.
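The reply above describes the failure mode with DNAT alone: the C2 still sees the phone's public address as the source, so its reply goes to its default gateway (the router) and never passes back through the C1, where the translation would be undone. The Python below is an added example, not code from the thread or from either poster. It models the router and the C1 as stateful NAT boxes with a small connection-tracking table and traces one request and its reply both without and with MASQUERADE on the C1; it uses the LAN addresses the thread gives (router .254, C1 .80, C2 .70) and constructed documentation-range stand-ins for the public and phone addresses. c1_rules() lists the iptables lines the model stands for (the DNAT rule from the thread, a destination-specific MASQUERADE, IP forwarding and a FORWARD accept); that list is an assumed setup, not copied from the thread. The router is simplified to drop any reply that matches none of its tracked flows.

```python
from ipaddress import ip_address, ip_network

# LAN addresses as given in the thread; the public and remote addresses are
# constructed documentation-range stand-ins.
LAN = ip_network("192.168.1.0/24")
ROUTER, C1, C2 = "192.168.1.254", "192.168.1.80", "192.168.1.70"
PUBLIC = "203.0.113.10"   # stand-in for the fixed WAN address
CLIENT = "198.51.100.9"   # stand-in for the phone on the mobile network
PORT = 8083               # the motion port forwarded by the router

class NatBox:
    """A forwarding host with iptables-style DNAT (PREROUTING), optional SNAT
    (POSTROUTING MASQUERADE) and a conntrack table that reverses the NAT on replies.
    Packets are (src, sport, dst, dport) tuples."""

    def __init__(self, name, dnat, snat_to=None):
        self.name, self.dnat, self.snat_to = name, dnat, snat_to
        self.conntrack = {}   # expected reply tuple -> original packet

    def forward(self, pkt):
        src, sport, dst, dport = pkt
        dst, dport = self.dnat.get((dst, dport), (dst, dport))   # PREROUTING DNAT
        if self.snat_to:                                         # POSTROUTING MASQUERADE
            src = self.snat_to
        self.conntrack[(dst, dport, src, sport)] = pkt           # remember how to undo it
        return (src, sport, dst, dport)

    def reply(self, pkt):
        """Un-NAT a reply, or return None when no tracked flow matches (a stateful
        box has nothing to map it to and drops it)."""
        orig = self.conntrack.get(pkt)
        if orig is None:
            return None
        osrc, osport, odst, odport = orig
        return (odst, odport, osrc, osport)

def trace(c1_masquerades):
    """Send one request phone -> router -> C1 -> C2 and follow the reply back.
    Returns (delivered, hops)."""
    router = NatBox("router", {(PUBLIC, PORT): (C1, PORT)})          # router port forward
    c1 = NatBox("C1", {(C1, PORT): (C2, PORT)},
                snat_to=C1 if c1_masquerades else None)
    hops = []
    pkt = router.forward((CLIENT, 50000, PUBLIC, PORT))
    hops.append(f"router -> C1 {pkt}")
    pkt = c1.forward(pkt)
    hops.append(f"C1 -> C2 {pkt}")
    # C2 answers whatever source address it saw. A LAN address is delivered directly;
    # anything else goes to C2's default gateway, the router, and never touches C1.
    src, sport, dst, dport = pkt
    reply = (dst, dport, src, sport)
    if ip_address(reply[2]) in LAN:
        hops.append(f"C2 -> C1 {reply}")
        reply = c1.reply(reply)
        hops.append(f"C1 -> router {reply}")
    else:
        hops.append(f"C2 -> router {reply}")
    out = router.reply(reply)
    if out is None:
        hops.append("router: reply matches no conntrack entry, dropped")
        return False, hops
    hops.append(f"router -> phone {out}")
    return True, hops

def c1_rules(masquerade=True):
    """The iptables lines the model stands for (assumed final setup, not copied from the thread)."""
    rules = [
        "sysctl -w net.ipv4.ip_forward=1",
        f"iptables -A FORWARD -d {C2} -p tcp --dport {PORT} -j ACCEPT",
        f"iptables -t nat -A PREROUTING -p tcp --dport {PORT} -j DNAT --to-destination {C2}:{PORT}",
    ]
    if masquerade:
        rules.append(f"iptables -t nat -A POSTROUTING -d {C2} -p tcp --dport {PORT} -j MASQUERADE")
    return rules

if __name__ == "__main__":
    for flag in (False, True):
        delivered, hops = trace(flag)
        print(f"\nC1 masquerades: {flag} -> delivered: {delivered}")
        print("\n".join("  " + h for h in hops))
```

Restricting the MASQUERADE rule to the forwarded destination and port, rather than masquerading everything leaving the C1, keeps the C1's own outbound traffic (DNS, apt) untouched; a tcpdump on the C1, as suggested later in the thread, is the real-world way to confirm the reply actually comes back through it.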

Re: ip routing

Post by richard-g8jvm » Thu Sep 13, 2018 1:05 am

Hiya
I really am rusty at this, mad_ady.
I've added two rules and saved to /etc/iptables.rules
# Generated by iptables-save v1.6.1 on Wed Sep 12 15:55:14 2018
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 8083 -j DNAT --to-destination 192.168.1.70:8083
-A POSTROUTING -j MASQUERADE
COMMIT
# Completed on Wed Sep 12 15:55:14 2018
# Generated by iptables-save v1.6.1 on Wed Sep 12 15:55:14 2018
*filter
:INPUT ACCEPT [642:53498]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [503:49938]
COMMIT
# Completed on Wed Sep 12 15:55:14 2018


I guess the second block has to be deleted,
the new PREROUTING rule moved up before the existing PREROUTING rule,
and
the existing POSTROUTING rule deleted.
Anything else I need so I don't brick the C1?
thanks
BR
Richard G8JVM

Re: ip routing

Post by mad_ady » Thu Sep 13, 2018 2:33 am

I'm not sure if the file is loaded automatically on startup, so I think there's little risk.
The masquerade rule could be more specific (e.g. only for port 80xx).
Otherwise, try it out. I don't see anything wrong with it.

Re: ip routing

Post by richard-g8jvm » Thu Sep 13, 2018 2:54 am

root@odroid:/etc# cat iptables.rules
# Generated by iptables-save v1.6.1 on Wed Sep 12 16:30:56 2018
*nat
-A PREROUTING -p tcp -m tcp --dport 8083 -j DNAT --to-destination 192.168.1.70:8083
-A PREROUTING -p tcp -m tcp --dport 8081 -j DNAT --to-destination 192.168.1.71:7776
-A PREROUTING -p tcp -m tcp --dport 8085 -j DNAT --to-destination 192.168.1.72:7777
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -j MASQUERADE
:POSTROUTING ACCEPT [0:0]
COMMIT


Using a browser on this laptop, all ports on 192.168.1.80 redirect to the correct addresses :)
and on my phone to the WAN IP address :))

Now the hard bit: creating a secure VPN so anything coming in from the internet will look as if it's come from my WAN address, for my use only.
BR
Richard G8JVM

Re: ip routing

Post by richard-g8jvm » Thu Sep 13, 2018 3:23 am

Oops, we have made a problem.
It looks as if I have stopped it being able to connect to the WAN.
root@odroid:/etc# apt update
Err:1 http://ports.ubuntu.com/ubuntu-ports bionic InRelease     
  Temporary failure resolving 'ports.ubuntu.com'
Err:2 http://deb.odroid.in/c1 bionic InRelease                   
  Temporary failure resolving 'deb.odroid.in'
0% [Connecting to ports.ubuntu.com]


root@odroid:/etc# cat iptables.rules
# Generated by iptables-save v1.6.1 on Wed Sep 12 16:30:56 2018
*nat
-A PREROUTING -p tcp -m tcp --dport 8083 -j DNAT --to-destination 192.168.1.70:8083
-A PREROUTING -p tcp -m tcp --dport 8081 -j DNAT --to-destination 192.168.1.71:7776
-A PREROUTING -p tcp -m tcp --dport 8085 -j DNAT --to-destination 192.168.1.72:7777
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -j MASQUERADE
:POSTROUTING ACCEPT [0:0]
COMMIT


Where did I screw up?


Here!!
# Generated by iptables-save v1.6.1 on Wed Sep 12 18:42:10 2018
*nat
:PREROUTING ACCEPT [18:4517]
:INPUT ACCEPT [18:4517]
:OUTPUT ACCEPT [52:3494]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 8083 -j DNAT --to-destination 192.168.1.70:8083
-A PREROUTING -p tcp -m tcp --dport 8081 -j DNAT --to-destination 192.168.1.71:7776
-A PREROUTING -p tcp -m tcp --dport 8085 -j DNAT --to-destination 192.168.1.72:7777
-A POSTROUTING -p tcp --sport 8083 -j MASQUERADE
-A POSTROUTING -p tcp --sport 7776 -j MASQUERADE
-A POSTROUTING -p tcp --sport 7777 -j MASQUERADE
COMMIT



Now OW ,,phew
Last edited by richard-g8jvm on Thu Sep 13, 2018 3:51 am, edited 1 time in total.
BR
Richard G8JVM

Re: ip routing

Post by mad_ady » Thu Sep 13, 2018 3:46 am

Sounds like a DNS problem. Check that you have something inside /etc/resolv.conf. You can also rewrite the following rule:
-A POSTROUTING -m tcp --sport 8083 -j MASQUERADE


A tcpdump might be useful as well:
tcpdump -n -i eth0 not port 22

Re: ip routing

Post by richard-g8jvm » Thu Sep 13, 2018 4:16 am

Hi
Changing the -p to -m causes the table restore to fail on line 13 "commit".
With the masquerade ports named, I can connect OK to the WAN and apt update works, but it stopped the redirect to 192.168.170.

With tcpdump there's a lot, but when requesting 192.168.1.80:8083 I can see ARP requests and answers; it's difficult to see what's happening with 10 devices on the LAN.
BR
Richard G8JVM

Re: ip routing

Post by richard-g8jvm » Thu Sep 13, 2018 4:37 am

Think I have got it.

# Generated by iptables-save v1.6.1 on Wed Sep 12 18:42:10 2018
*nat
:PREROUTING ACCEPT [18:4517]
:INPUT ACCEPT [18:4517]
:OUTPUT ACCEPT [52:3494]
-A PREROUTING -p tcp -m tcp --dport 8083 -j DNAT --to-destination 192.168.1.70:8083
-A PREROUTING -p tcp -m tcp --dport 8081 -j DNAT --to-destination 192.168.1.71:7776
-A PREROUTING -p tcp -m tcp --dport 8085 -j DNAT --to-destination 192.168.1.72:7777
#-A POSTROUTING -p tcp --sport 8083 -j MASQUERADE
-A POSTROUTING -d 192.168.1.70 -p tcp --dport 8083 -j MASQUERADE
-A POSTROUTING -d 192.168.1.71 -p tcp --dport 7776 -j MASQUERADE
-A POSTROUTING -d 192.168.1.72 -p tcp --dport 7777 -j MASQUERADE
:POSTROUTING ACCEPT [0:0]
COMMIT

BR
Richard G8JVM

Re: ip routing

Post by mad_ady » Thu Sep 13, 2018 2:36 pm

You can also run iptables -t nat -L -n -v to view hit counts/matches per rule.

Re: ip routing

Post by richard-g8jvm » Thu Sep 13, 2018 5:52 pm

Thanks
BR
Richard G8JVM
