[Berlin-wireless] Port forwarding from wan to freifunk

Nicco Kunzmann niccokunzmann at gmx.de
Sun Sep 11 21:11:48 CEST 2022


I have added some new traffic rules.

Image:
https://ammanvalley.foss.wales/t/port-forwarding-from-wan-to-freifunk/35/2?u=niccokunzmann

 > Any traffic
 > From IP 172.16.0.42 in freifunk
 > To any host in any zone

And

 > Any traffic
 > From any host in any zone
 > To IP 172.16.0.42, port 1234 in freifunk

It still doesn't work....

$ wget -O- http://192.168.1.78:1234/
--2022-09-11 20:09:00-- http://192.168.1.78:1234/
Connecting to 192.168.1.78:1234...

I'm slowly running out of options, and I have no clue anyway.

I can still try VLANs and an NGINX for HTTP/HTTPS...
Maybe I'll do that...
If anyone has any ideas, let me have them! Thanks :)

Best regards,
Nicco
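
Added example, not part of the original mail: a small Python walk over the `ip rule list` output quoted further down in this message, showing which routing tables a packet can be looked up in before a terminal `unreachable` or `prohibit` rule ends the search. The client address 192.168.1.10, the interface name `wan-if`, and the assumption that 172.16.0.42 is reached via `br-dhcp` are illustrative and not taken from the thread.

```python
import ipaddress
import re

# Excerpt of the `ip rule list` output posted in the thread (the tunl0 and
# wlan0-adhoc-2 lines are left out; they mirror the br-dhcp ones).
IP_RULES = """\
0: from all lookup local
1000: from all lookup olsr
2000: from all lookup localnets
10000: from 172.31.224.110 lookup ffuplink
19989: from all to 172.31.224.0/20 iif br-dhcp prohibit
19990: from all iif br-dhcp lookup ffuplink
19999: from all iif br-dhcp lookup olsr-tunnel
20000: from all iif br-dhcp lookup olsr-default
20000: from all to 172.31.224.110/20 lookup ffuplink
20001: from all iif br-dhcp unreachable
32766: from all lookup main
32767: from all lookup default
90013: from all iif lo lookup ffuplink
100000: from all lookup olsr-tunnel
100010: from all lookup olsr-default
"""

RULE = re.compile(
    r"(?P<prio>\d+):\s+from (?P<src>\S+)(?: to (?P<dst>\S+))?"
    r"(?: iif (?P<iif>\S+))?\s+(?P<action>lookup \S+|prohibit|unreachable)")

def in_net(addr, selector):
    """True if addr is covered by selector ('all', an address or a prefix)."""
    if selector in (None, "all"):
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(selector, strict=False)

def walk(src, dst, iif, rules=IP_RULES):
    """Return (tables consulted in priority order, terminal action or None)."""
    tables = []
    parsed = [RULE.match(line).groupdict() for line in rules.splitlines()]
    for r in sorted(parsed, key=lambda r: int(r["prio"])):
        if r["iif"] not in (None, iif):
            continue
        if not (in_net(src, r["src"]) and in_net(dst, r["dst"])):
            continue
        if r["action"].startswith("lookup "):
            tables.append(r["action"].split()[1])  # next rule if no route matches
        else:
            return tables, r["action"]  # prohibit/unreachable ends the walk
    return tables, None
```

`walk("172.16.0.42", "192.168.1.10", "br-dhcp")` ends in `unreachable` without ever listing `main`, while `walk("192.168.1.10", "172.16.0.42", "wan-if")` does reach `main`; whether one of the earlier tables already holds a matching route is not visible in the thread.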

On 11.09.22 19:23, Nicco Kunzmann wrote:
> Thanks! This is what I have there:
>
> # ip rule list
> 0:    from all lookup local
> 1000:    from all lookup olsr
> 2000:    from all lookup localnets
> 10000:    from 172.31.224.110 lookup ffuplink
> 19989:    from all to 172.31.224.0/20 iif tunl0 prohibit
> 19989:    from all to 172.31.224.0/20 iif wlan0-adhoc-2 prohibit
> 19989:    from all to 172.31.224.0/20 iif br-dhcp prohibit
> 19990:    from all iif tunl0 lookup ffuplink
> 19990:    from all iif wlan0-adhoc-2 lookup ffuplink
> 19990:    from all iif br-dhcp lookup ffuplink
> 19999:    from all iif tunl0 lookup olsr-tunnel
> 19999:    from all iif br-dhcp lookup olsr-tunnel
> 19999:    from all iif wlan0-adhoc-2 lookup olsr-tunnel
> 20000:    from all iif tunl0 lookup olsr-default
> 20000:    from all iif br-dhcp lookup olsr-default
> 20000:    from all iif wlan0-adhoc-2 lookup olsr-default
> 20000:    from all iif wlan0-adhoc-2 lookup olsr-default
> 20000:    from all to 172.31.224.110/20 lookup ffuplink
> 20001:    from all iif tunl0 unreachable
> 20001:    from all iif br-dhcp unreachable
> 20001:    from all iif wlan0-adhoc-2 unreachable
> 32766:    from all lookup main
> 32767:    from all lookup default
> 90013:    from all iif lo lookup ffuplink
> 100000:    from all lookup olsr-tunnel
> 100010:    from all lookup olsr-default
>
> I don't know what to make of it yet.
>
> There is nothing about wan in there...
> What does that mean ... I'll have a look.
>
> On 11.09.22 19:10, Nick wrote:
>> Have a look at "ip rule list". The images automatically set
>> unreachable rules. It may be that something is blocking there.
>>
>> On 9/11/22 19:34, Nicco Kunzmann wrote:
>>> Hello,
>>>
>>> I thought I would set up a port forward from the WAN zone into my
>>> Freifunk zone.
>>>
>>> I tried that.
>>>
>>> What happens now: a connection is established, but nothing is sent
>>> over it from WAN:
>>>
>>> $ wget -O- http://192.168.1.78:1234
>>> --2022-09-11 18:13:05-- http://192.168.1.78:1234/
>>> Connecting to 192.168.1.78:1234...
>>>
>>> From the Freifunk network nothing gets through at all:
>>>
>>> $ wget -O- http://frei.funk:1234
>>> --2022-09-11 18:25:23-- http://frei.funk:1234/
>>> Resolving frei.funk (frei.funk)... fd00:24ca:599c::1, 172.16.0.1
>>> Connecting to frei.funk (frei.funk)|fd00:24ca:599c::1|:1234... failed:
>>> Connection refused.
>>> Connecting to frei.funk (frei.funk)|172.16.0.1|:1234... failed:
>>> Connection refused.
>>>
>>> Strangely, though, it works from freifunk to the external IP:
>>>
>>> $ wget -O- http://192.168.1.78:1234/
>>> --2022-09-11 18:28:06-- http://192.168.1.78:1234/
>>> Connecting to 192.168.1.78:1234... connected.
>>> HTTP request sent, awaiting response... 200 OK
>>> Length: unspecified [text/html]
>>> Saving to: ‘STDOUT’
>>>
>>> -                       [<=>                 ]       0
>>> --.-KB/s               <html>
>>> <head><title>Index of /</title></head>
>>> <body bgcolor="white">
>>> <h1>Index of /</h1><hr><pre><a href="../">../</a>
>>> </pre><hr></body>
>>> </html>
>>> -                       [ <=>                ]     151 --.-KB/s   
>>> in 0s
>>>
>>> 2022-09-11 18:28:06 (3,18 MB/s) - written to stdout [151]
>>>
>>> I don't understand that!
>>>
>>> How can I set up a port forward?
>>>
>>> I have the GUI and the firewall config here.
>>>
>>> Kind regards,
>>>
>>> Nicco
>>>
>>> Images:
>>> https://ammanvalley.foss.wales/t/port-forwarding-from-wan-to-freifunk/35
>>>
>>>
>>> root at TL-WR1043ND:~# cat /etc/config/firewall
>>>
>>> config redirect
>>>     option enabled '0'
>>>
>>> config redirect
>>>     option target 'DNAT'
>>>     option src 'wan'
>>>     option dest 'freifunk'
>>>     option proto 'tcp udp'
>>>     option src_dport '444'
>>>     option dest_port '443'
>>>     option dest_ip '172.16.0.118'
>>>     option name 'https screen'
>>>     option enabled '0'
>>>
>>> config redirect
>>>     option target 'DNAT'
>>>     option dest 'freifunk'
>>>     option proto 'tcp udp'
>>>     option dest_ip '172.16.0.42'
>>>     option dest_port '80'
>>>     option name 'http on pi.makerspace'
>>>     option src_dport '81'
>>>     option src_dip '192.168.1.78'
>>>     option src 'wan'
>>>     option enabled '0'
>>>
>>> config defaults
>>>     option syn_flood '1'
>>>     option input 'ACCEPT'
>>>     option output 'ACCEPT'
>>>     option forward 'REJECT'
>>>
>>> config zone
>>>     option name 'wan'
>>>     option masq '1'
>>>     option output 'ACCEPT'
>>>     option local_restrict '1'
>>>     option input 'ACCEPT'
>>>     option network 'wan wwan ms'
>>>     option forward 'REJECT'
>>>
>>> config rule
>>>     option name 'Allow-DHCP-Renew'
>>>     option src 'wan'
>>>     option proto 'udp'
>>>     option dest_port '68'
>>>     option target 'ACCEPT'
>>>     option family 'ipv4'
>>>
>>> config rule
>>>     option name 'Allow-Ping'
>>>     option src 'wan'
>>>     option proto 'icmp'
>>>     option icmp_type 'echo-request'
>>>     option family 'ipv4'
>>>     option target 'ACCEPT'
>>>
>>> config rule
>>>     option name 'Allow-DHCPv6'
>>>     option src 'wan'
>>>     option proto 'udp'
>>>     option src_ip 'fe80::/10'
>>>     option src_port '547'
>>>     option dest_ip 'fe80::/10'
>>>     option dest_port '546'
>>>     option family 'ipv6'
>>>     option target 'ACCEPT'
>>>
>>> config rule
>>>     option name 'Allow-ICMPv6-Input'
>>>     option src 'wan'
>>>     option proto 'icmp'
>>>     option icmp_type 'echo-request echo-reply destination-unreachable
>>> packet-too-big time-exceeded bad-header unknown-header-type
>>> router-solicitation neighbour-solicitation router-advertisement
>>> neighbour-advertisement'
>>>     option limit '1000/sec'
>>>     option family 'ipv6'
>>>     option target 'ACCEPT'
>>>
>>> config rule
>>>     option name 'Allow-ICMPv6-Forward'
>>>     option src 'wan'
>>>     option dest '*'
>>>     option proto 'icmp'
>>>     option icmp_type 'echo-request echo-reply destination-unreachable
>>> packet-too-big time-exceeded bad-header unknown-header-type'
>>>     option limit '1000/sec'
>>>     option family 'ipv6'
>>>     option target 'ACCEPT'
>>>
>>> config include
>>>     option path '/etc/firewall.user'
>>>
>>> config zone 'zone_freifunk'
>>>     option input 'ACCEPT'
>>>     option forward 'REJECT'
>>>     option name 'freifunk'
>>>     option output 'ACCEPT'
>>>     option device 'tnl_+'
>>>     option network 'tunl0 wireless0 dhcp'
>>>
>>> config zone 'zone_ffuplink'
>>>     option name 'ffuplink'
>>>     option input 'REJECT'
>>>     option forward 'ACCEPT'
>>>     option output 'ACCEPT'
>>>     option network 'ffuplink'
>>>     option masq '1'
>>>
>>> config forwarding
>>>     option dest 'freifunk'
>>>     option src 'freifunk'
>>>
>>> config rule
>>>     option proto 'icmp'
>>>     option target 'ACCEPT'
>>>     option src 'freifunk'
>>>
>>> config rule
>>>     option dest_port '80'
>>>     option proto 'tcp'
>>>     option target 'ACCEPT'
>>>     option src 'freifunk'
>>>
>>> config rule
>>>     option dest_port '443'
>>>     option proto 'tcp'
>>>     option target 'ACCEPT'
>>>     option src 'freifunk'
>>>
>>> config rule
>>>     option dest_port '22'
>>>     option proto 'tcp'
>>>     option target 'ACCEPT'
>>>     option src 'freifunk'
>>>
>>> config advanced
>>>     option tcp_westwood '1'
>>>     option tcp_ecn '0'
>>>     option ip_conntrack_max '8192'
>>>
>>> config forwarding
>>>     option dest 'freifunk'
>>>     option src 'wan'
>>>
>>> config forwarding 'fwd_ff_ffuplink'
>>>     option src 'freifunk'
>>>     option dest 'ffuplink'
>>>
>>> config forwarding
>>>     option dest 'freifunk'
>>>     option src 'lan'
>>>
>>> config forwarding
>>>     option dest 'freifunk'
>>>     option src 'freifunk'
>>>
>>> config rule
>>>     option proto 'icmp'
>>>     option target 'ACCEPT'
>>>     option src 'freifunk'
>>>
>>> config rule
>>>     option dest_port '80'
>>>     option proto 'tcp'
>>>     option target 'ACCEPT'
>>>     option src 'freifunk'
>>>
>>> config rule
>>>     option dest_port '443'
>>>     option proto 'tcp'
>>>     option target 'ACCEPT'
>>>     option src 'freifunk'
>>>
>>> config rule
>>>     option dest_port '22'
>>>     option proto 'tcp'
>>>     option target 'ACCEPT'
>>>     option src 'freifunk'
>>>
>>> config rule
>>>     option dest_port '698'
>>>     option proto 'udp'
>>>     option target 'ACCEPT'
>>>     option src 'freifunk'
>>>
>>> config rule
>>>     option dest_port '17990'
>>>     option proto 'tcp'
>>>     option target 'ACCEPT'
>>>     option src 'freifunk'
>>>
>>> config rule
>>>     option src 'freifunk'
>>>     option target 'ACCEPT'
>>>     option dest_port '53'
>>>     option proto 'icmp'
>>>
>>> config rule
>>>     option src_port '68'
>>>     option leasetime '30m'
>>>     option target 'ACCEPT'
>>>     option src 'freifunk'
>>>     option dest_port '80'
>>>     option proto 'tcp'
>>>
>>> config rule
>>>     option proto 'tcp'
>>>     option src 'freifunk'
>>>     option target 'ACCEPT'
>>>     option dest_port '443'
>>>
>>> config forwarding
>>>     option dest 'freifunk'
>>>     option src 'lan'
>>>
>>> config forwarding
>>>     option dest 'freifunk'
>>>     option src 'freifunk'
>>>
>>> config rule
>>>     option dest_port '22'
>>>     option proto 'tcp'
>>>     option target 'ACCEPT'
>>>     option src 'freifunk'
>>>
>>> config rule
>>>     option dest_port '698'
>>>     option proto 'udp'
>>>     option target 'ACCEPT'
>>>     option src 'freifunk'
>>>
>>> config rule
>>>     option dest_port '17990'
>>>     option proto 'tcp'
>>>     option target 'ACCEPT'
>>>     option src 'freifunk'
>>>
>>> config rule
>>>     option proto 'udp'
>>>     option src 'freifunk'
>>>     option target 'ACCEPT'
>>>     option dest_port '53'
>>>
>>> config rule
>>>     option src_port '68'
>>>     option leasetime '30m'
>>>     option proto 'udp'
>>>     option target 'ACCEPT'
>>>     option dest_port '67'
>>>     option src 'freifunk'
>>>
>>> config rule
>>>     option proto 'tcp'
>>>     option src 'freifunk'
>>>     option target 'ACCEPT'
>>>     option dest_port '8082'
>>>
>>> config rule
>>>     option enabled '1'
>>>     option target 'ACCEPT'
>>>
>>> config redirect
>>>     option target 'DNAT'
>>>     option proto 'tcpudp'
>>>     option src_dport '1234'
>>>     option dest_ip '172.16.0.42'
>>>     option dest_port '1234'
>>>     option name 'public share'
>>>     option src 'wan'
>>>     option dest 'freifunk'
>>>
>>>
>>>
>>> _______________________________________________
>>> Berlin mailing list
>>> Berlin at berlin.freifunk.net
>>> http://lists.berlin.freifunk.net/cgi-bin/mailman/listinfo/berlin
>>> This mailing list has a publicly viewable archive