[Berlin-wireless] Port Forwarding von wan nach freifunk

Nicco Kunzmann niccokunzmann at gmx.de
So Sep 11 20:23:54 CEST 2022


Danke! Das habe ich da:

# ip rule list
0:    from all lookup local
1000:    from all lookup olsr
2000:    from all lookup localnets
10000:    from 172.31.224.110 lookup ffuplink
19989:    from all to 172.31.224.0/20 iif tunl0 prohibit
19989:    from all to 172.31.224.0/20 iif wlan0-adhoc-2 prohibit
19989:    from all to 172.31.224.0/20 iif br-dhcp prohibit
19990:    from all iif tunl0 lookup ffuplink
19990:    from all iif wlan0-adhoc-2 lookup ffuplink
19990:    from all iif br-dhcp lookup ffuplink
19999:    from all iif tunl0 lookup olsr-tunnel
19999:    from all iif br-dhcp lookup olsr-tunnel
19999:    from all iif wlan0-adhoc-2 lookup olsr-tunnel
20000:    from all iif tunl0 lookup olsr-default
20000:    from all iif br-dhcp lookup olsr-default
20000:    from all iif wlan0-adhoc-2 lookup olsr-default
20000:    from all iif wlan0-adhoc-2 lookup olsr-default
20000:    from all to 172.31.224.110/20 lookup ffuplink
20001:    from all iif tunl0 unreachable
20001:    from all iif br-dhcp unreachable
20001:    from all iif wlan0-adhoc-2 unreachable
32766:    from all lookup main
32767:    from all lookup default
90013:    from all iif lo lookup ffuplink
100000:    from all lookup olsr-tunnel
100010:    from all lookup olsr-default

Noch weiß ich nix damit anzufangen.

Da steht nichts von wan...
Was bedeutet das ... mal nachsehen.

On 11.09.22 19:10, Nick wrote:
> Guck mal in "ip rule list". Es werden bei den Images automatisch
> unreachable rules gesetzt. Kann sein, dass dort was blockt.
>
> On 9/11/22 19:34, Nicco Kunzmann wrote:
>> Hallo,
>>
>> ich dachte, dass ich mal einen Port-Forward aus der WAN-Zone in meine
>> Freifunk-Zone mache.
>>
>> Das habe ich versucht.
>>
>> Was nun passiert: Es wird eine Verbindung hergestellt aber nix drüber
>> geschickt von WAN:
>>
>> $ wget -O- http://192.168.1.78:1234
>> --2022-09-11 18:13:05--  http://192.168.1.78:1234/
>> Connecting to 192.168.1.78:1234...
>>
>> Von dem Freifunk netz aus kommt garnix durch:
>>
>> $ wget -O- http://frei.funk:1234
>> --2022-09-11 18:25:23--  http://frei.funk:1234/
>> Resolving frei.funk (frei.funk)... fd00:24ca:599c::1, 172.16.0.1
>> Connecting to frei.funk (frei.funk)|fd00:24ca:599c::1|:1234... failed:
>> Connection refused.
>> Connecting to frei.funk (frei.funk)|172.16.0.1|:1234... failed:
>> Connection refused.
>>
>> Komischer Weise geht es aber von freifunk nach der externen IP:
>>
>> $ wget -O- http://192.168.1.78:1234/
>> --2022-09-11 18:28:06--  http://192.168.1.78:1234/
>> Connecting to 192.168.1.78:1234... connected.
>> HTTP request sent, awaiting response... 200 OK
>> Length: unspecified [text/html]
>> Saving to: ‘STDOUT’
>>
>> -                       [<=>                 ]       0
>> --.-KB/s               <html>
>> <head><title>Index of /</title></head>
>> <body bgcolor="white">
>> <h1>Index of /</h1><hr><pre><a href="../">../</a>
>> </pre><hr></body>
>> </html>
>> -                       [ <=>                ]     151 --.-KB/s    in 0s
>>
>> 2022-09-11 18:28:06 (3,18 MB/s) - written to stdout [151]
>>
>> Das verstehe ich nich!
>>
>> Wie kann ich einen Port Forward einrichten?
>>
>> Ich habe mal die GUI und die firewall config hier.
>>
>> Liebe Grüße,
>>
>> Nicco
>>
>> Bilder:
>> https://ammanvalley.foss.wales/t/port-forwarding-from-wan-to-freifunk/35
>>
>> root at TL-WR1043ND:~# cat /etc/config/firewall
>>
>> config redirect
>>     option enabled '0'
>>
>> config redirect
>>     option target 'DNAT'
>>     option src 'wan'
>>     option dest 'freifunk'
>>     option proto 'tcp udp'
>>     option src_dport '444'
>>     option dest_port '443'
>>     option dest_ip '172.16.0.118'
>>     option name 'https screen'
>>     option enabled '0'
>>
>> config redirect
>>     option target 'DNAT'
>>     option dest 'freifunk'
>>     option proto 'tcp udp'
>>     option dest_ip '172.16.0.42'
>>     option dest_port '80'
>>     option name 'http on pi.makerspace'
>>     option src_dport '81'
>>     option src_dip '192.168.1.78'
>>     option src 'wan'
>>     option enabled '0'
>>
>> config defaults
>>     option syn_flood '1'
>>     option input 'ACCEPT'
>>     option output 'ACCEPT'
>>     option forward 'REJECT'
>>
>> config zone
>>     option name 'wan'
>>     option masq '1'
>>     option output 'ACCEPT'
>>     option local_restrict '1'
>>     option input 'ACCEPT'
>>     option network 'wan wwan ms'
>>     option forward 'REJECT'
>>
>> config rule
>>     option name 'Allow-DHCP-Renew'
>>     option src 'wan'
>>     option proto 'udp'
>>     option dest_port '68'
>>     option target 'ACCEPT'
>>     option family 'ipv4'
>>
>> config rule
>>     option name 'Allow-Ping'
>>     option src 'wan'
>>     option proto 'icmp'
>>     option icmp_type 'echo-request'
>>     option family 'ipv4'
>>     option target 'ACCEPT'
>>
>> config rule
>>     option name 'Allow-DHCPv6'
>>     option src 'wan'
>>     option proto 'udp'
>>     option src_ip 'fe80::/10'
>>     option src_port '547'
>>     option dest_ip 'fe80::/10'
>>     option dest_port '546'
>>     option family 'ipv6'
>>     option target 'ACCEPT'
>>
>> config rule
>>     option name 'Allow-ICMPv6-Input'
>>     option src 'wan'
>>     option proto 'icmp'
>>     option icmp_type 'echo-request echo-reply destination-unreachable
>> packet-too-big time-exceeded bad-header unknown-header-type
>> router-solicitation neighbour-solicitation router-advertisement
>> neighbour-advertisement'
>>     option limit '1000/sec'
>>     option family 'ipv6'
>>     option target 'ACCEPT'
>>
>> config rule
>>     option name 'Allow-ICMPv6-Forward'
>>     option src 'wan'
>>     option dest '*'
>>     option proto 'icmp'
>>     option icmp_type 'echo-request echo-reply destination-unreachable
>> packet-too-big time-exceeded bad-header unknown-header-type'
>>     option limit '1000/sec'
>>     option family 'ipv6'
>>     option target 'ACCEPT'
>>
>> config include
>>     option path '/etc/firewall.user'
>>
>> config zone 'zone_freifunk'
>>     option input 'ACCEPT'
>>     option forward 'REJECT'
>>     option name 'freifunk'
>>     option output 'ACCEPT'
>>     option device 'tnl_+'
>>     option network 'tunl0 wireless0 dhcp'
>>
>> config zone 'zone_ffuplink'
>>     option name 'ffuplink'
>>     option input 'REJECT'
>>     option forward 'ACCEPT'
>>     option output 'ACCEPT'
>>     option network 'ffuplink'
>>     option masq '1'
>>
>> config forwarding
>>     option dest 'freifunk'
>>     option src 'freifunk'
>>
>> config rule
>>     option proto 'icmp'
>>     option target 'ACCEPT'
>>     option src 'freifunk'
>>
>> config rule
>>     option dest_port '80'
>>     option proto 'tcp'
>>     option target 'ACCEPT'
>>     option src 'freifunk'
>>
>> config rule
>>     option dest_port '443'
>>     option proto 'tcp'
>>     option target 'ACCEPT'
>>     option src 'freifunk'
>>
>> config rule
>>     option dest_port '22'
>>     option proto 'tcp'
>>     option target 'ACCEPT'
>>     option src 'freifunk'
>>
>> config advanced
>>     option tcp_westwood '1'
>>     option tcp_ecn '0'
>>     option ip_conntrack_max '8192'
>>
>> config forwarding
>>     option dest 'freifunk'
>>     option src 'wan'
>>
>> config forwarding 'fwd_ff_ffuplink'
>>     option src 'freifunk'
>>     option dest 'ffuplink'
>>
>> config forwarding
>>     option dest 'freifunk'
>>     option src 'lan'
>>
>> config forwarding
>>     option dest 'freifunk'
>>     option src 'freifunk'
>>
>> config rule
>>     option proto 'icmp'
>>     option target 'ACCEPT'
>>     option src 'freifunk'
>>
>> config rule
>>     option dest_port '80'
>>     option proto 'tcp'
>>     option target 'ACCEPT'
>>     option src 'freifunk'
>>
>> config rule
>>     option dest_port '443'
>>     option proto 'tcp'
>>     option target 'ACCEPT'
>>     option src 'freifunk'
>>
>> config rule
>>     option dest_port '22'
>>     option proto 'tcp'
>>     option target 'ACCEPT'
>>     option src 'freifunk'
>>
>> config rule
>>     option dest_port '698'
>>     option proto 'udp'
>>     option target 'ACCEPT'
>>     option src 'freifunk'
>>
>> config rule
>>     option dest_port '17990'
>>     option proto 'tcp'
>>     option target 'ACCEPT'
>>     option src 'freifunk'
>>
>> config rule
>>     option src 'freifunk'
>>     option target 'ACCEPT'
>>     option dest_port '53'
>>     option proto 'icmp'
>>
>> config rule
>>     option src_port '68'
>>     option leasetime '30m'
>>     option target 'ACCEPT'
>>     option src 'freifunk'
>>     option dest_port '80'
>>     option proto 'tcp'
>>
>> config rule
>>     option proto 'tcp'
>>     option src 'freifunk'
>>     option target 'ACCEPT'
>>     option dest_port '443'
>>
>> config forwarding
>>     option dest 'freifunk'
>>     option src 'lan'
>>
>> config forwarding
>>     option dest 'freifunk'
>>     option src 'freifunk'
>>
>> config rule
>>     option dest_port '22'
>>     option proto 'tcp'
>>     option target 'ACCEPT'
>>     option src 'freifunk'
>>
>> config rule
>>     option dest_port '698'
>>     option proto 'udp'
>>     option target 'ACCEPT'
>>     option src 'freifunk'
>>
>> config rule
>>     option dest_port '17990'
>>     option proto 'tcp'
>>     option target 'ACCEPT'
>>     option src 'freifunk'
>>
>> config rule
>>     option proto 'udp'
>>     option src 'freifunk'
>>     option target 'ACCEPT'
>>     option dest_port '53'
>>
>> config rule
>>     option src_port '68'
>>     option leasetime '30m'
>>     option proto 'udp'
>>     option target 'ACCEPT'
>>     option dest_port '67'
>>     option src 'freifunk'
>>
>> config rule
>>     option proto 'tcp'
>>     option src 'freifunk'
>>     option target 'ACCEPT'
>>     option dest_port '8082'
>>
>> config rule
>>     option enabled '1'
>>     option target 'ACCEPT'
>>
>> config redirect
>>     option target 'DNAT'
>>     option proto 'tcpudp'
>>     option src_dport '1234'
>>     option dest_ip '172.16.0.42'
>>     option dest_port '1234'
>>     option name 'public share'
>>     option src 'wan'
>>     option dest 'freifunk'
>>
>>
>>
>> _______________________________________________
>> Berlin mailing list
>> Berlin at berlin.freifunk.net
>> http://lists.berlin.freifunk.net/cgi-bin/mailman/listinfo/berlin
>> Diese Mailingliste besitzt ein ffentlich einsehbares Archiv
>
> _______________________________________________
> Berlin mailing list
> Berlin at berlin.freifunk.net
> http://lists.berlin.freifunk.net/cgi-bin/mailman/listinfo/berlin
> Diese Mailingliste besitzt ein ffentlich einsehbares Archiv




Mehr Informationen über die Mailingliste Berlin