[WLANware] Freifunk 1.6.29, dhcp-splash, and natting

Jan Groenewald jan at aims.ac.za
Fri Jul 25 19:25:36 CEST 2008


Hi

I run a 30 node freifunk mesh network.
Each node has LAN (all 5 ports) DHCP and OLSR-DHCP.
The LAN and the WLAN are unnatted into the mesh.
The WLAN (OLSR-DHCP) is on the same subnet.

ADSL -ethernet- Linuxrouter -ethernet- mesh-gw-node -w-i-r-e-l-e-s-s- all other mesh nodes.

172.18.0.0  mesh network

172.18.172.1 example node, mask 255.255.0.0
172.18.172.10 to 172.18.172.14 example node's WLAN, mask 255.255.255.240
192.168.172.2 to 192.168.172.6 example node's LAN

In /etc/init.d/S45firewall I unnat:

jan at osprey:~/freifunk$ cat S45firewall-wannat.patch
--- S45firewall	2008-03-07 12:43:51.000000000 +0200
+++ S45firewall.gw	2008-03-07 12:43:55.000000000 +0200
@@ -58,6 +58,8 @@
 		iptables -t nat -A POSTROUTING -o $WIFIDEV -s $LANNET/$LANPRE -j MASQUERADE
 	fi

+WANOLSR="dontnat"
+
 	if [ -n "$WANDEV" ]; then
 		if [ -z "$WANOLSR" ]; then
 			# Mask packets to WAN
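
Review bot: the added WANOLSR="dontnat" line sits at column 0, outside any conditional, so it overwrites whatever WANOLSR held before this point on every run, and the following [ -z "$WANOLSR" ] test can never be true again. That disables the WAN masquerade by loading a sentinel string into a variable that other parts of the script (not visible in this hunk) may also test. A dedicated switch would be safer: the same script already gates LAN masquerading on "nvram get ff_nonat", so extending the [ -z "$WANOLSR" ] test with a similar nvram check, indented like the surrounding block, keeps one file usable on gateway and non-gateway nodes.
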
jan at osprey:~/freifunk$ cat S45firewall-wlannat.patch
--- S45firewall-25	2008-03-07 12:43:55.000000000 +0200
+++ S45firewall	2008-03-07 12:43:51.000000000 +0200
@@ -43,15 +43,15 @@
 	# Accept fragments
 	iptables -I INPUT -f -j ACCEPT

-	# Mask packets from these WLAN DHCP clients, so they can do inet w/o OLSR
-	ENTS=$(nvram get ff_wldhcp)
-	IFS=\;
-	for ENT in $ENTS; do
-		NET=${ENT%[:,]*}
-		MSK=${ENT#*[:,]}
-		iptables -t nat -A POSTROUTING -s $NET -j MASQUERADE
-	done
-	unset IFS
+#	# Mask packets from these WLAN DHCP clients, so they can do inet w/o OLSR
+#	ENTS=$(nvram get ff_wldhcp)
+#	IFS=\;
+#	for ENT in $ENTS; do
+#		NET=${ENT%[:,]*}
+#		MSK=${ENT#*[:,]}
+#		iptables -t nat -A POSTROUTING -s $NET -j MASQUERADE
+#	done
+#	unset IFS

 	if [ -z "$LANOLSR" ] && [ "$(nvram get ff_nonat)" != "1" ]; then
 		# Mask packets from LAN to WIFI
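
Review bot: the ff_wldhcp masquerade loop is disabled by commenting it out, which turns it off unconditionally on every node that receives this file and leaves nine lines of dead code in the script. The next block in this hunk already makes LAN masquerading depend on [ "$(nvram get ff_nonat)" != "1" ]; wrapping the loop in the same kind of test would make the behaviour a per-node setting instead of a file edit. The headers are also confusing next to the first patch: here the --- file (S45firewall-25) carries the later timestamp and the +++ file (S45firewall) the earlier one, so it would help to state which file each patch applies to and in which order.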


The stanza commented out makes sure the WLAN (OLSR-DHCP) is not natted.
The one-liner WANOLSR="dontnat" is just for the gateway node so it doesn't nat.
Perhaps this is a terrible way to unnat. Let me know. It has worked
great so far.

Why do I unnat?
Outside the gw node is my Linux router before the ADSL router, and the Linux
router knows all these IPs and does some routing, bandwidth management, etc.
This has worked fine up to 1.6.28 (from many versions ago). Two or three versions
ago I started playing with dhcpsplash, which has worked OK as well. We use dhcpsplash
and wanted to extend its use even further to the agreement and location-specific
splash pages.

But now, after upgrading to 1.6.29 the routers mysteriously start natting again...
so the IPs which are allowed to use the smtp server (yes, smtp-auth will follow in
some weeks or months, it cannot come immediately) are now not allowed to use the
SMTP server.
And the accounting on the mesh-gateway-node starts to show only the router IPs of
each node, not the laptop (connected by wire or wirelessly via OLSR-DHCP), whereas
we would like to know those IPs on the linux router.

I found this in crontab:

0-59/10 * * * *  /usr/sbin/cron.dhcpsplash

Which runs a /etc/init.d/S70dhcpsplash
Which is doing some natting and more.
Something must have changed from 1.6.28 to 1.6.29
in freifunk-dhcpsplash-en ?

Can someone suggest a solution for me?
A better way to unnat with some nvram variables, or an easy way
to prevent the dhcpsplash interfering, as I do want to use that.

regards,
Jan

www.muizenmaze.za.org/drupal5/
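
Added example, not part of the original post or of the Freifunk firmware: a small shell/awk check that reads iptables-save style rule text and prints the nat POSTROUTING MASQUERADE rules that would rewrite a given client address, which is one way to see which rule is natting a node's LAN or OLSR-DHCP range. The function names, the sample rules and the interface names are constructed for illustration.

```shell
#!/bin/sh
# Added example: which nat POSTROUTING MASQUERADE rules would rewrite a
# given client address? Reads iptables-save style rule text on stdin.

masq_rules_for_ip() {   # $1 = source address to test, e.g. 172.18.172.10
    awk -v ip="$1" '
    function ip2int(a,   o) {
        split(a, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    # True when addr is inside spec: a.b.c.d, a.b.c.d/len or a.b.c.d/mask.
    function in_net(addr, spec,   p, size) {
        size = 1
        if (split(spec, p, "/") == 2)
            size = (p[2] ~ /\./) ? 4294967296 - ip2int(p[2]) : 2 ^ (32 - p[2])
        return int(ip2int(addr) / size) == int(ip2int(p[1]) / size)
    }
    $1 == "-A" && $2 == "POSTROUTING" {
        src = ""; neg = 0; masq = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-s") { src = $(i + 1); neg = ($(i - 1) == "!") }
            if ($i == "-j" && $(i + 1) == "MASQUERADE") masq = 1
        }
        if (!masq) next
        hit = (src == "") ? 1 : in_net(ip, src)   # no -s means any source
        if (neg) hit = !hit
        if (hit) print
    }'
}

# Constructed sample rules (addresses follow the post, interfaces invented).
sample_rules() {
    cat <<'EOF'
-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.172.0/29 -o eth1 -j MASQUERADE
-A POSTROUTING -s 172.18.172.0/255.255.255.240 -j MASQUERADE
-A POSTROUTING -s 172.18.0.0/16 -j ACCEPT
-A POSTROUTING ! -s 172.18.0.0/16 -o wan0 -j MASQUERADE
EOF
}

sample_rules | masq_rules_for_ip 172.18.172.10
```

On a node, the input would be the nat table dump (for example from iptables-save -t nat, where that tool is installed), taken before and after the cron job runs so the two result lists can be compared.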


