[SOLVED] Configuring a wired hotspot

I moved the DHCP server declaration for eth1 into /etc/dnsmasq.d/dhcpdv4-eth0.conf and added listen-address=10.0.243.1

I still have the following lines in /etc/dnsmasq.conf, and I wonder whether they are necessary/correct:

domain-needed
expand-hosts

listen-address=127.0.0.1
resolv-file=/etc/resolv.dnsmasq.conf
cache-size=256

In /etc/resolv.dnsmasq.conf I replaced the existing IPs with the 2 DNS servers
that were given in the wifi hotspot config.

My computer does get a lease, but nothing pings. journalctl -f -u dnsmasq returns:

juin 21 01:49:15 DOMAIN dnsmasq[2961]: started, version 2.72 cachesize 256
juin 21 01:49:15 DOMAIN dnsmasq[2961]: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect
juin 21 01:49:15 DOMAIN dnsmasq-dhcp[2961]: DHCP, IP range 10.0.243.10 -- 10.0.243.200, lease time 4h
juin 21 01:49:15 DOMAIN dnsmasq-dhcp[2961]: DHCP, sockets bound exclusively to interface eth1
juin 21 01:49:15 DOMAIN dnsmasq[2961]: reading /etc/resolv.dnsmasq.conf
juin 21 01:49:15 DOMAIN dnsmasq[2961]: using nameserver adresse_dns1#53
juin 21 01:49:15 DOMAIN dnsmasq[2961]: using nameserver adresse_dns2#53
juin 21 01:49:15 DOMAIN dnsmasq[2961]: read /etc/hosts - 10 addresses
juin 21 01:49:17 DOMAIN dnsmasq[2962]: /etc/resolvconf/update.d/libc: Warning: /etc/resolv.conf is not a symbolic link to /etc/resolvconf/run/resolv.conf
juin 21 01:49:17 DOMAIN systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server.
juin 21 01:49:50 DOMAIN dnsmasq-dhcp[2961]: DHCPREQUEST(eth1) 10.0.243.198 ******
juin 21 01:49:50 DOMAIN dnsmasq-dhcp[2961]: DHCPACK(eth1) 10.0.243.198 ****** ******

Since DHCP seems to be working correctly, I suppose it comes from the firewall configuration? Before these tests I removed the wifi hotspot app.

Did you try pinging an IP address or a domain name?
To see whether it is an iptables-related problem or just a DNS resolution problem, try pinging a public IP address from your PC. For example ping 80.67.169.52.

I had pinged 9.9.9.9 and I just checked again, it doesn't work.

Regarding the configuration of the eth1 interface, is the gateway the DHCP server? So we would have this:

address 10.0.243.1
netmask 255.255.255.0
network 10.0.243.0
broadcast 10.0.243.255
gateway 10.0.243.1

Remove the line gateway 10.0.243.1; I don't have a precise idea of what it might cause, but in my opinion it can't do any good.

OK, done.

And regarding the iptables configuration, do you think there could be an error there? Or do you suspect something else?

Yes, you need to make sure there is an iptables rule that provides the NAT function.
Normally this iptables rule is enabled automatically by the hotspot app.
To check that NAT is enabled, type this:

iptables -nvt nat -L POSTROUTING

You should then see something like this:

Chain POSTROUTING (policy ACCEPT 799 packets, 67272 bytes)
 pkts bytes target     prot opt in     out     source               destination
  310 26729 MASQUERADE  all  --  *     tun0    0.0.0.0/0            0.0.0.0/0

I had uninstalled the wifi hotspot and iptables -nvt nat -L POSTROUTING returned nothing.

I then reinstalled it, and indeed I get this:

Chain POSTROUTING (policy ACCEPT 385 packets, 23606 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  244 19029 MASQUERADE  all  --  *      tun0    0.0.0.0/0            0.0.0.0/0

The wifi hotspot and the "wired hotspot" eth1 now work correctly. I unplugged the antenna and it keeps working (hotspot running)

I also made other changes to the IPv6 configuration. I'll post the solution next week.

Thanks a lot @pitchum, I had been wanting to get this working for months!


The configuration files needed for the wired hotspot to work are:

  • /etc/network/interfaces

auto lo
iface lo inet loopback

auto eth0
allow-hotplug eth0
iface eth0 inet dhcp
post-up ip a a fe80::42:babe/128 dev eth0

auto eth1
allow-hotplug eth1
iface eth1 inet static
address 10.0.243.1
netmask 255.255.255.0

iface eth1 inet6 static
address 2a00:5881:8118:1700::42
netmask 64
post-up ip a a fe80::42:babe/128 dev eth1

auto usb0
allow-hotplug usb0
iface usb0 inet dhcp

I arranged to "copy" the wlan0 configuration of the wifi hotspot, replacing 10.0.242.x with 10.0.243.x

  • /etc/dnsmasq.d/dhcpdv6-eth1.conf

interface=eth1
listen-address=2a00:5881:8118:1700::42
dhcp-range=2a00:5881:8118:1700::,slaac,64,4h
dhcp-option=option6:dns-server, [2001:913::8],[2001:910:800::12]

  • /etc/dnsmasq.d/dhcpdv4-eth1.conf

interface=eth1
listen-address=10.0.243.1
dhcp-range=eth1,10.0.243.10,10.0.243.100,4h
dhcp-option=option:dns-server, 80.67.188.188,80.67.169.12
dhcp-authoritative
bind-interfaces

  • /etc/resolv.dnsmasq.conf

nameserver 89.234.141.66
nameserver 2a00:5881:8100:1000::3

  • /etc/dnsmasq.conf

domain-needed
expand-hosts

listen-address=127.0.0.1
resolv-file=/etc/resolv.dnsmasq.conf
cache-size=256

  • /usr/local/bin/wiredgw

#!/bin/bash

case "${1}" in
start)
  # IPv6
  ip6tables -w -I FORWARD -i tun0 -o eth1 -j DROP
  ip6tables -w -I FORWARD -i tun0 -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  ip6tables -w -I FORWARD -i eth1 -o tun0 -j ACCEPT
  #ip6tables -w -I FORWARD -i eth1 -o wlan0 -j ACCEPT
  #ip6tables -w -I FORWARD -i wlan0 -o eth1 -j ACCEPT
  ip6tables -w -I INPUT -i eth1 -j ACCEPT
  ip6tables -w -I OUTPUT -o eth1 -j ACCEPT

  #IPv4
  iptables -w -I FORWARD -i tun0 -o eth1 -j DROP
  iptables -w -I FORWARD -i tun0 -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  iptables -w -I FORWARD -i eth1 -o tun0 -j ACCEPT
  #iptables -w -I FORWARD -i eth1 -o wlan0 -j ACCEPT
  #iptables -w -I FORWARD -i wlan0 -o eth1 -j ACCEPT
  iptables -w -I INPUT -i eth1 -j ACCEPT
  iptables -w -I OUTPUT -o eth1 -j ACCEPT
;;
stop)
  # ipv6
  ip6tables -w -D FORWARD -i tun0 -o eth1 -j DROP
  ip6tables -w -D FORWARD -i tun0 -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  ip6tables -w -D FORWARD -i eth1 -o tun0 -j ACCEPT
  #ip6tables -w -D FORWARD -i eth1 -o wlan0 -j ACCEPT
  #ip6tables -w -D FORWARD -i wlan0 -o eth1 -j ACCEPT
  ip6tables -w -D INPUT -i eth1 -j ACCEPT
  ip6tables -w -D OUTPUT -o eth1 -j ACCEPT

  # IPv4
  iptables -w -D FORWARD -i tun0 -o eth1 -j DROP
  iptables -w -D FORWARD -i tun0 -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  iptables -w -D FORWARD -i eth1 -o tun0 -j ACCEPT
  #iptables -w -D FORWARD -i eth1 -o wlan0 -j ACCEPT
  #iptables -w -D FORWARD -i wlan0 -o eth1 -j ACCEPT
  iptables -w -D INPUT -i eth1 -j ACCEPT
  iptables -w -D OUTPUT -o eth1 -j ACCEPT
;;
*)
  echo "Usage: $0 {start|stop}"
  exit 1
;;

esac

  • /etc/systemd/system/wiredgw.service

[Unit]
Description=Gateway for wire link
Requires=network.target
After=ynh-vpnclient.service
Wants=ynh-vpnclient.service

[Service]
Type=oneshot
ExecStart=/usr/local/bin/wiredgw start
ExecStop=/usr/local/bin/wiredgw stop
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
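
Added example (not part of the original posts or of the wiredgw script): the script above only produces a safe FORWARD chain because each -I inserts at the top, and it adds no MASQUERADE rule of its own, relying on the one the hotspot app creates. This sketch audits both points from saved rule listings; the function names and the sample listings are constructed for illustration.

```bash
#!/bin/bash
# Added example, not part of the thread. Input is text as printed by
# `iptables -S FORWARD` and `iptables -t nat -S POSTROUTING`.

# Pass when the stateful WAN->LAN ACCEPT comes before the WAN->LAN DROP and
# no unconditional WAN->LAN ACCEPT precedes that DROP.
check_forward_order() {   # usage: check_forward_order LAN WAN < rules
  awk -v lan="$1" -v wan="$2" '
    { sub(/[ \t]+$/, "") }
    index($0, "-i " wan " -o " lan " ") == 0 { next }
    /--ctstate/ && /ESTABLISHED/ && /-j ACCEPT$/ { if (!est) est = NR; next }
    /-j DROP$/   { if (!drop) drop = NR; next }
    /-j ACCEPT$/ { if (!wide) wide = NR }
    END {
      if (!drop)               { print "no " wan "->" lan " DROP rule"; exit 1 }
      if (!est || est > drop)  { print "stateful ACCEPT missing or after DROP"; exit 1 }
      if (wide && wide < drop) { print "unconditional ACCEPT before DROP"; exit 1 }
      print "ok"
    }'
}

# Pass when a MASQUERADE rule exists for traffic leaving through WAN.
check_masquerade() {      # usage: check_masquerade WAN < nat rules
  awk -v wan="$1" '
    /-j MASQUERADE/ && index($0, "-o " wan " ") { found = 1 }
    END { exit !found }'
}

# Constructed sample: order left by `wiredgw start` (each -I inserts at the top).
sample_good() { cat <<'EOF'
-P FORWARD ACCEPT
-A FORWARD -i eth1 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o eth1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun0 -o eth1 -j DROP
EOF
}
# Constructed sample: the same rules appended with -A in script order.
sample_bad() { cat <<'EOF'
-P FORWARD ACCEPT
-A FORWARD -i tun0 -o eth1 -j DROP
-A FORWARD -i tun0 -o eth1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o tun0 -j ACCEPT
EOF
}

sample_good | check_forward_order eth1 tun0
sample_bad  | check_forward_order eth1 tun0 || true
```

On the box itself the input would come from iptables -S FORWARD (and ip6tables -S FORWARD) piped into check_forward_order eth1 tun0, and from iptables -t nat -S POSTROUTING piped into check_masquerade tun0.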

If people are interested, I made a small POC script for this. Though it relies on isc-dhcp-server and not dnsmasq … Mostly because I have no idea what I’m doing :+1:

Could be turned into an app

Cool, thanks! I tested it after reinstalling my internet cube from scratch. I ran it connected as root in ssh, but I guess it should be run as admin with:

sudo bash deploy.sh

It created a DHCP server on my usb ethernet adapter. All devices connected to this eth1 interface go through my VPN at ARN. It works like a charm but after some testing it looks like it requires the hotspot_ynh wifi app.

Thus I wonder why not just adapt the hotspot_ynh app to provide an optional eth1 configuration.

While doing some tests I realized that the POC script only configures IPV4, while vpnclient_ynh is configured mainly on an IPV6 basis with the ARN .cube.
Thus I’m wondering if hotspot_ynh is not providing some configuration that handles the missing IPV4-IPV6 bridging issues.

Hi @Aleks ,

Is this script still usable ?

Thanks a lot !
Charly

I think so … but I haven't tried it since then … would be interested to get any feedback :+1:

Yup, it indeed works.
Once again, thanks a lot man.

Cheers!

You mean it just works out of the box ? No particular tweaking required ? :thinking: (That sounds too good to be true :sweat_smile: )

OUT - OF - THE - BOX.

I just had to assign the IP address 10.0.0.1 to my eth1 interface with something like
ifconfig eth1 10.0.0.1 up

So, thanks again :slight_smile: :slight_smile: :slight_smile: :slight_smile:

Hi Alex,

A question :
My interface is a USB <> ethernet.
When I plug it, the server gives it the name eth1 (all good), but doesn't assign the IP address 10.0.0.1, despite the part of the shell that creates this file :
/etc/network/interfaces.d/eth1.conf

that contains :

allow-hotplug eth1
iface eth1 inet static
address 10.0.0.1/24

I thought that the “allow hotplug” option would detect the presence of eth1 and assign it the IP address.
Sounds weird no ?

And also, the command

root@box:~# ifup eth1
ifup: unknown interface eth1

Also weird no ?

Thanks in advance for your kind help

Then I guess it doesn't know about your extra interface … which should also be absent from ip a ?

If I don't assign manually the IP to eth1 (with ifconfig eth1 up 10.0.0.1), then the command ip a results in this :

6: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether a0:ce:c8:5b:59:e9 brd ff:ff:ff:ff:ff:ff

There is indeed no IP address assigned but the interface is there.

Yo,

Just to let you know that I found out where the problem was : Raspbian uses a weird / different than Debian / poorly documented system to assign a static IP address to an interface.

I uploaded the config files and now everything works as expected.

More information :

To set up a static IP using the new dhcpd system edit your /etc/dhcpcd.conf file and add :

# Static IP configuration
interface eth1
static ip_address=10.0.0.1/24
static routers=192.168.0.1
static domain_name_servers=8.8.8.8 8.8.4.4

You will also have to edit your /etc/network/interfaces file so that the eth1 entry looks like this:

auto eth1
allow-hotplug eth1
iface eth1 inet manual