[Commotion-dev] Setting masq & MTU values correctly with OLSRd SmartGateway

Dan Staples danstaples at opentechinstitute.org
Sun Aug 4 16:02:44 UTC 2013 

On Sat 03 Aug 2013 10:08:56 PM EDT, Will Hawkins wrote:
> Ben,
>
> Thank you for sending this out to the list. Keep us updated on your
> progress. We will work through your recommendations on our end and see
> what comes of it. Thanks again!
>
> Will
>
> On 08/03/2013 08:38 PM, Ben West wrote:
>> Hi All,
>>
>> I'm emailing here in follow-up to a recent thread on commotion-discuss
>> about repeater nodes not reliably having their internet-bound traffic
>> routed.
>>
>> In particular, I was seeing my own repeater nodes, both 1-hop way and
>> especially 2-hops away, apparently losing their connection to the
>> Internet once the local OLSRd instance had inserted its tnl_* interface
>> (i.e. a few minutes after power up).  I'm highlighting the instance of a
>> node 2-hops away, since in practice that can be difficult to replicate.
>>
>> Below is the readme about the SmartGateway feature.  Do please note in
>> particular the recommendation to add an iptables rules to the gateway
>> node, clamping all packets leaving the mesh to the same MTU as what is
>> used by the OLSRd SmartGateway tunnels.
>>
>> http://svn.dd-wrt.com/browser/src/router/olsrd/README-Olsr-Extensions
>>
>> This seemed to resonate with a sporadic problem I'd been having with
>> repeater nodes occasionally not seeing their Internet-bound traffic
>> correctly routed, despite all routing tables appearing valid.  These
>> repeater nodes restored their Internet connection when I enabled the
>> 'mtu_fix' option on their local firewall.  But not consistently so,
>> making the problem very challenging to resolve.
>>
>> So, following the advice from the readme, I added this to
>> /etc/firewall.user on my gateway node (eth0 is its wired uplink):
>>
>> iptables -A FORWARD -o eth0 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS
>> --set-mss 1480
>>
>> On the gateway node with wired WAN and LAN ports, in addition to the
>> mesh interface, I set these firewall zones in /etc/config/firewall:
>>
>> config zone
>>     option name 'mesh'
>>     option network 'mesh'
>>     option input 'ACCEPT'
>>     option output 'ACCEPT'
>>     option forward 'ACCEPT'
>>     option 'masq' '1'
>>
>> config zone
>>     option name 'wan'
>>     option output 'ACCEPT'
>>     option masq '1'
>>     option input 'DROP'
>>     option forward 'ACCEPT'
>>
>> config zone
>>     option input 'ACCEPT'
>>     option output 'ACCEPT'
>>     option forward 'ACCEPT'
>>     option name 'lan'
>>     option network 'lan'
>>
>> config forwarding
>>     option src 'mesh'
>>     option dest 'wan'
>>
>> config forwarding
>>     option src 'lan'
>>     option dest 'wan'
>>
>> config 'forwarding'
>>     option 'src' 'mesh'
>>     option 'dest' 'mesh'
>>
>> Next, on repeater nodes with only one LAN port (counter-intuitively
>> labeled 'wan'), these are the firewall zones:
>>
>> config 'zone'
>>     option 'name' 'mesh'
>>     option 'input' 'ACCEPT'
>>     option 'output' 'ACCEPT'
>>     option 'forward' 'ACCEPT'
>>
>> config zone
>>     option name        wan
>>     option input    ACCEPT
>>     option output    ACCEPT
>>     option forward    ACCEPT
>>     option masq        1
>>
>> config 'forwarding'
>>     option 'src' 'wan'
>>     option 'dest' 'mesh'
>>
>> config 'forwarding'
>>         option 'src' 'mesh'
>>         option 'dest' 'mesh'
>>
>> In particular, note how the 'masq' option is enabled on the zone 'mesh'
>> only for the gateway node, but not on the repeater nodes.  Likewise,
>> 'masq' is enabled on the zone corresponding to the local LAN port of the
>> repeater nodes, but not on the LAN port of the gateway node.  For
>> Commotion-OpenWRT, the firewall zones of the LAN ports would be
>> equivalent to those of the APs of each node.
>>
>> This configuration described above appears to be what works for using
>> the SmartGateway feature with OLSRd v0.6.5.4-commotion-0.1-1.
>>
>> I'm trying to review the firewall rules that commotiond is generating
>> for gateway and repeater nodes, to see if they follow.  However, I'm
>> posting to the listserv now in case someone else happens to see an
>> oversight in how Commotion-OpenWRT is deploying OLSRd and firewall config.
>>
>> On Thu, Aug 1, 2013 at 1:38 PM, Ben West <ben at gowasabi.net
>> <mailto:ben at gowasabi.net>> wrote:
>>
>>     Hi All,
>>
>>     I can confirm having encountered similar issues specifically
>>     repeater nodes not correctly masq'ing AP traffic to the Internet,
>>     while gateway nodes do.  My own problems were encountered running
>>     both private APs and coovachilli APs (as opposed to nodogsplash) on
>>     nodes running the WasabiNet firmware, not Commotion-OpenWRT. However
>>     the firewall config is quite similar.
>>
>>     So, on repeater nodes I have the 'masq' option enabled for zones
>>     mesh, ap1, and ap2 (i.e. public and private APs).  On gateway nodes,
>>     it seems that I need to have 'masq' disabled for zones ap1 and ap2.
>>
>>     On Wed, Jul 31, 2013 at 5:18 PM, Ryan Gerety
>>     <gerety at opentechinstitute.org <mailto:gerety at opentechinstitute.org>>
>>     wrote:
>>
>>         After a further chat with Preston, this seems like it *might* be
>>         the same problem I encountered at the Hackerspace in Tunis.
>>          When using the AP of the gateway node the client can access the
>>         internet and when on another mesh node (say via ssh) you can
>>         access the internet, however, when you are on the AP of another
>>         node you cannot access the internet.
>>
>>         I had sent this to the tech list about two weeks ago, and in the
>>         office Seamus and Griffin thought it might be a zone issue.
>>          Seamus and Griffin did you discover what the problem actually
>>         was?  Were you able to replicate the problem?
>>
>>         Best,
>>         Ryan
>>
>>
>>         <snip>
>>
>>
>>
>>
>>     --
>>     Ben West
>>     http://gowasabi.net
>>     ben at gowasabi.net <mailto:ben at gowasabi.net>
>>     314-246-9434 <tel:314-246-9434>
>>
>>
>>
>>
>> --
>> Ben West
>> http://gowasabi.net
>> ben at gowasabi.net <mailto:ben at gowasabi.net>
>> 314-246-9434 <tel:314-246-9434>
>>
>>
>> _______________________________________________
>> Commotion-dev mailing list
>> Commotion-dev at lists.chambana.net
>> https://lists.chambana.net/mailman/listinfo/commotion-dev
>>
> _______________________________________________
> Commotion-dev mailing list
> Commotion-dev at lists.chambana.net
> https://lists.chambana.net/mailman/listinfo/commotion-dev
>

Would we be able to verify the MTU problem by doing packet captures 
along the route from a repeater to a gateway, and checking the MTU of 
packets that get through versus those that get dropped?

--
Dan Staples

Open Technology Institute
https://commotionwireless.net
OpenPGP key: http://disman.tl/pgp.asc
Fingerprint: 2480 095D 4B16 436F 35AB 7305 F670 74ED BD86 43A9

More information about the Commotion-dev mailing list