[Commotion-admin] [commotion-router] Meshing over Ethernet - Firewalls segment network (#165)

Andy Gunn notifications at github.com
Tue Feb 10 15:39:23 EST 2015


During a recent workshop, we had a fairly complex network setup at the "center point" of the mesh - a radio station where tower access made it possible to mount three NanoStation M2 units very high, and one Rocket M2 lower down on the tower with small omni whip antennas:
![mesh-bukavu-moe-firewall-issue](https://cloud.githubusercontent.com/assets/6462133/6135772/3cfef954-b139-11e4-821e-b9dfdd465b67.png)
The mesh-over-Ethernet domain is shown in the yellow circle.

Setup:
* The three NanoStations and single Rocket were meshed together via Ethernet.
* The three NanoStations were assigned different channels (1, 6, 11) and the corresponding mesh segments they pointed at had the same channel assignments. This was to reduce on-channel interference between the closely spaced nodes.
* The Access Points were disabled on the NanoStations.
* The wireless mesh link was disabled on the Rocket.

The rest of the network connected back to this tower, and with Access Points turned off on the rooftop mesh equipment, had excellent connections with low (less than 2.0) ETX values.

A problem occurred when connected to the AP at the base of the tower (the Rocket M2), and any node not meshed over Ethernet was accessed via the web: the connection would time out completely. It was possible to SSH to each node via the IP address, but not access the web interface.

It appeared that users attached to the nodes in one "segment" of the network wouldn't be able to see the users or access the resources on the other segments. This was not heavily tested, but it would have been the case that each sub-mesh connected to the NanoStation on the tower was not able to access resources on the other segments.

The problem was traced to the firewall on the four nodes on the tower that were meshed over Ethernet. When the firewalls were turned off, all of the nodes on the network were accessible from the clients attached to the Rocket at the base of the tower.

This requires further testing but could be resolved with some of the "automagic" configuration that would come along with the meshing over Ethernet rework as mentioned in other issues:
https://github.com/opentechinstitute/luci-commotion/issues/209
etc.

---
Reply to this email directly or view it on GitHub:
https://github.com/opentechinstitute/commotion-router/issues/165