
I have a PC that acts as server/gateway/router for a LAN, and I'd like to add a third interface to it to act as a wifi access point, such that the LAN devices can reach the wifi-connected devices, and either of them can access the Internet through the gateway.

I've already got LAN-connected devices working perfectly, accessing the Internet through the gateway and the services on the gateway (ssh, http etc.). But for some reason, the devices connecting to the WIFI AP can reach neither the Internet nor the gateway.

I suspect it might just be a simple detail in my configuration that I'm overlooking (most likely in my IP addressing setup and/or in my shorewall masquerade setup?).

Shortpoints:

  • The Gateway can access The Internet/WAN.
  • The wired/LAN can access the Internet through the Gateway
  • The wired/LAN can access the services running on the Gateway
  • The WIFI-connected devices however cannot reach the Gateway, the LAN or the Internet
    • they do apparently get authenticated correctly by hostapd
    • they do receive intended DHCP settings seemingly fine
      • But even ping 192.168.0.1 (the gateway's ip) fails

Software stack on the gateway/router:

  • systemd-networkd (to set up the interfaces' and the ISP gateway connection)
  • shorewall (for firewall and router)
  • unbound (for caching/forwarding DNS server)
  • dhcpd(4) (for DHCP server)
  • hostapd (for setting up the wifi AP)

Physical interfaces on the gateway/router:

  • the WAN/Internet interface (dynamic addresses from ISP by DHCP):

```
## from 'ip address show'
#
4: enp0s20u1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether <REDACTED MAC> brd ff:ff:ff:ff:ff:ff
    inet <REDACTED IP> brd 255.255.255.255 scope global dynamic noprefixroute enp0s20u1
       valid_lft 9497sec preferred_lft 7239sec
    inet6 <REDACTED IP> scope global dynamic noprefixroute
       valid_lft 25472sec preferred_lft 25472sec
    inet6 <REDACTED IP> scope link
       valid_lft forever preferred_lft forever

## /etc/systemd/network/enp0s20u1.network
#
[Match]
Name=enp0s20u1

[Network]
#IPv6AcceptRA=0
#DNSDefaultRoute=1
DHCP=ipv4
DNSSEC=allow-downgrade
DNS=127.0.0.1

[Route]
GatewayOnLink=1

[DHCP]
RouteMetric=1000

[DHCPv4]
UseDNS=0

[DHCPv6]
UseDNS=0
```
  • the LAN/wired interface (static IP and "main" server interface):

```
## from 'ip address show'
#
2: ens1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether <REDACTED MAC> brd ff:ff:ff:ff:ff:ff
    altname enp2s0
    inet 192.168.0.1/23 brd 192.168.1.255 scope global ens1
       valid_lft forever preferred_lft forever
    inet6 <REDACTED IPV6 ADDRESS> scope link
       valid_lft forever preferred_lft forever

## /etc/systemd/network/ens1.network
#
[Match]
Name=ens1

[Network]
Address=192.168.0.1/23
UseDNS=0
DHCP=0
```

  • the WIFI(AP) interface (as WPA(2)-PSK Access Point):

```
## from 'ip address show'
#
3: wlp0s20u2u1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether <REDACTED MAC> brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/23 brd 192.168.1.255 scope global wlp0s20u2u1
       valid_lft forever preferred_lft forever
    inet6 <REDACTED IPV6 ADDRESS> scope link
       valid_lft forever preferred_lft forever

## /etc/systemd/network/wlp0s20u2u1.network
#
[Match]
Name=wlp0s20u2u1

[Network]
Address=192.168.1.1/23
UseDNS=0
DHCP=0
```

Shorewall configs:

```
## /etc/shorewall/interfaces
#
internet        NET_IF          dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0,physical=enp0s20u1
lokal           LOCAL_IF        dhcp,tcpflags,nosmurfs,routefilter,logmartians,physical=ens1
lokal           WIFI_IF         dhcp,tcpflags,nosmurfs,routefilter,logmartians,physical=wlp0s20u2u1
docker          docker0         bridge

## /etc/shorewall/zones
#
fw              firewall
internet        ipv4
lokal           ipv4
docker          ipv4

## /etc/shorewall/snat
#
MASQUERADE              192.168.0.0/23          NET_IF
MASQUERADE              192.168.1.0/23          NET_IF

## from /etc/shorewall/rules
#
Invalid(DROP)   internet        all             tcp

# allow 'lokal' to access dhcpd
ACCEPT          lokal           $FW             udp     67:68

# allow DNS
DNS(ACCEPT)     $FW             internet
DNS(ACCEPT)     lokal           $FW

# allow 'lokal' to ssh into the gateway
ACCEPT          lokal           $FW             tcp     2222

# ping stuff
Ping(ACCEPT)    lokal           $FW
Ping(DROP)      internet        $FW
ACCEPT          $FW             lokal           icmp
ACCEPT          $FW             internet        icmp

# just some http(/s) stuff
ACCEPT          internet        $FW             tcp     80,443
ACCEPT          lokal           $FW             tcp     8090,8443
ACCEPT          internet        $FW             tcp     8090,8443
```

DHCPD config:

```
## /etc/dhcpd.conf
#
subnet 192.168.0.0 netmask 255.255.254.0
{
        option subnet-mask              255.255.254.0;
        option routers                  192.168.0.1;
        option domain-name-servers      192.168.0.1;
        range 192.168.0.100 192.168.0.254;
}

subnet 127.0.0.0 netmask 255.0.0.0
{
}
```

HOSTAPD config:

```
## /etc/hostapd/hostapd.conf
#
interface=wlp0s20u2u1

# "g" simply means 2.4GHz band
hw_mode=g
# the channel to use
channel=10
# limit the frequencies used to those allowed in the country
ieee80211d=1
# the country code
country_code=NO
# 802.11n support
ieee80211n=1
# QoS support, also required for full speed on 802.11n/ac/ax
wmm_enabled=1

# the name of the AP
ssid=<REDACTED SSID>
# 1=open system (used by WPA/WPA2), 2=shared key (WEP only), 3=both
auth_algs=1
# WPA2 only
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=<REDACTED PSK PASSWORD>
```

Some (possibly) relevant notes:

I'd be happy to provide any other potentially useful information upon request in comments.

  • By AP, do you mean an actual AP or hostapd? I have a working config of the latter I can look at. It also could be your firewall settings - I did mine with firewalld, and that 'simply' uses the same syntax as iptables, and bridged all my 'lan' interfaces, including the wifi ap
    – Journeyman Geek, commented Jul 13, 2021 at 22:07
  • @JourneymanGeek A USB wifi adapter (the wlp0s20u2u1 device) is being used as an access point (by using hostapd)
    – DhP, commented Jul 13, 2021 at 22:08
  • Your subnetting seems utterly wrong. 192.168.1.0/23 isn't a valid subnet ID (rather it's a valid host in 192.168.0.0/23). If you are not bridging wlp0s20u2u1 and ens1 together, you should use a separate subnet for the wifi network (e.g. 192.168.2.0/23) and make dhcpd give out IP/route/so on for the two LANs appropriately / correspondingly.
    – Tom Yan, commented Jul 14, 2021 at 8:23
  • With your current setting you'll probably have conflicting routes, and most likely all replies for 192.168.0.0/23 (which includes hosts assigned IPs 192.168.1.0-192.168.1.254) will be routed out of ens1.
    – Tom Yan, commented Jul 14, 2021 at 8:27
  • I suppose it depends on whether you really need them to be in one broadcast domain (L2). If not, you can push routes like 192.168.0.0/23 via 192.168.2.1 and 192.168.2.0/23 via 192.168.0.1 with DHCP to hosts in the two networks respectively to allow them to communicate on (only) L3 (IP).
    – Tom Yan, commented Jul 14, 2021 at 16:58
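The overlap that Tom Yan's comments point out, and the route conflict it causes, can be checked mechanically against the addresses posted in the question. The script below is an added example and is not part of the question, the comments or any of the tools named on the page. It uses Python's standard ipaddress module with the two LAN addresses from the question (192.168.0.1/23 on ens1, 192.168.1.1/23 on wlp0s20u2u1) and the 192.168.2.0/23 wifi network suggested in the comments. The route-selection emulation is a simplification and an assumption: it picks the longest matching prefix and, on a tie, the interface listed first, which is the behaviour the comments describe (replies for the shared /23 leaving via ens1).

```python
"""Audit a router's interface addressing for overlapping connected networks.

Added example (not the question's own configuration). The addresses come
from the question and from Tom Yan's comments; the egress emulation below
is a simplified model of kernel route selection, not a real routing table.
"""
import ipaddress
from itertools import combinations

# Addresses exactly as configured on the gateway in the question.
CURRENT_PLAN = {
    "ens1": "192.168.0.1/23",
    "wlp0s20u2u1": "192.168.1.1/23",
}

# The separate wifi subnet proposed in the comments (assumed address
# 192.168.2.1 for the gateway side; the comment only names the network).
PROPOSED_PLAN = {
    "ens1": "192.168.0.1/23",
    "wlp0s20u2u1": "192.168.2.1/23",
}


def network_id(cidr):
    """Return the network an interface address actually lives in, with the
    host bits masked off, e.g. 192.168.1.1/23 -> 192.168.0.0/23."""
    return str(ipaddress.ip_interface(cidr).network)


def is_valid_subnet_id(cidr):
    """True only if cidr names a subnet, i.e. no host bits are set.
    This is the check that rejects 192.168.1.0/23 as a subnet ID."""
    try:
        ipaddress.ip_network(cidr, strict=True)
        return True
    except ValueError:
        return False


def find_overlaps(plan):
    """Return sorted pairs of interface names whose connected networks
    overlap. Any overlap means two connected routes compete for the same
    destinations, so replies to one LAN can leave through the other."""
    nets = {name: ipaddress.ip_interface(c).network for name, c in plan.items()}
    return [
        (a, b)
        for a, b in combinations(sorted(nets), 2)
        if nets[a].overlaps(nets[b])
    ]


def egress_interface(plan, dst):
    """Simplified connected-route lookup (assumption, see module docstring):
    longest prefix wins; on equal prefix length the first-listed interface
    wins. Returns "default" when no connected network contains dst."""
    dst_ip = ipaddress.ip_address(dst)
    best_name, best_len = "default", -1
    for name, cidr in plan.items():
        net = ipaddress.ip_interface(cidr).network
        if dst_ip in net and net.prefixlen > best_len:
            best_name, best_len = name, net.prefixlen
    return best_name


def audit(plan, sample_client):
    """Summarise a plan: real network IDs, overlapping pairs, and which
    interface a reply to sample_client would leave through."""
    return {
        "networks": {name: network_id(c) for name, c in plan.items()},
        "overlaps": find_overlaps(plan),
        "reply_egress": egress_interface(plan, sample_client),
    }


if __name__ == "__main__":
    # A wifi client as dhcpd would hand out in each plan (constructed).
    print("current :", audit(CURRENT_PLAN, "192.168.1.50"))
    print("proposed:", audit(PROPOSED_PLAN, "192.168.2.50"))
    print("192.168.1.0/23 valid subnet ID?", is_valid_subnet_id("192.168.1.0/23"))
```

In the current plan both interfaces resolve to the same network, 192.168.0.0/23, the audit reports one overlapping pair, and a reply to a wifi client such as 192.168.1.50 is sent out of ens1, where no such host answers. With the wifi interface moved to 192.168.2.1/23 the two networks no longer overlap, 192.168.2.50 is reached via wlp0s20u2u1, and dhcpd needs a second subnet declaration (with routers 192.168.2.1) for that network.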
