Setting up Blue internet access

I’m missing something in setting up my BLUE internet access.

Devices on GREEN (my LAN) can access the internet and are achieving download speeds of over 630Mbps. However, my WI-FI devices on BLUE cannot surf to websites in a browser.

I have wlan0 and wlan1 Native to BLUE in the Zone Configuration. I have WLAN AP set up and running. I have my WI-FI MAC addresses set up in Blue Access. The current DHCP leases on BLUE are showing WI-FI devices.

NICs are assigned in the network configuration area as follows:
RED (IP: 192.168.15.15) eth0
GREEN (IP: 192.168.10.1/24) eth1
BLUE (192.168.20.1/24) wlan0 & wlan1

Using my laptop as an example, everything appears correct:

  1. BLUE DHCP assigns the laptop:
    a. IP address of 192.168.20.13
    b. Default router 192.168.20.1 and
    c. DNS of 192.168.20.1
  2. I can log into IPFire in a browser at 192.168.10.1:444
  3. I can ping 8.8.8.8, 192.168.10.1, 192.168.20.1
  4. I cannot ping computers in GREEN i.e. 192.168.10.4

So the only issue that I have is that the laptop (and other WI-FI devices on BLUE) cannot access any websites via the browser.

The Default firewall behaviour is Forward: Allowed and Outgoing: Allowed. I have not added any firewall rules and the Firewall Rules are showing that Internet is allowed in BLUE:

Firewall Rules

No rules defined

GREEN: Internet (Allowed), BLUE (Allowed)
BLUE: Internet (Allowed), GREEN (Blocked)

Policy: Allowed

However, in the Firewall Log I’m seeing a number of drops (192.168.20.13 is my Laptop’s IP):

13:04:30 DROP_Wirelessforward blue0 UDP 192.168.20.13 10.64.0.1 48789 53(DOMAIN)
13:04:31 DROP_Wirelessforward blue0 UDP 192.168.20.13 10.64.0.1 47063 53(DOMAIN)
13:04:31 DROP_Wirelessforward blue0 UDP 192.168.20.13 10.64.0.1 47063 53(DOMAIN)
13:04:49 DROP_INPUT red0 UDP 192.168.15.16 192.168.15.255 57621 57621
13:05:16 DROP_INPUT red0 2 192.168.15.1 224.0.0.1

I’m not sure if this has something to do with this, but I see on the DHCP configuration page that my WIFI devices are being assigned an IP from the GREEN and BLUE DHCP servers. I.e. it is showing that my iPad has two current dynamic leases:

192.168.20.11 expiring 29/11/2019 14:31:28
192.168.10.12 expiring 29/11/2019 15:12:53

Any suggestions as to what I’m missing in the setup and how to resolve this issue?
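As an added diagnostic, not part of the original thread: this Python script parses firewall log lines in the format quoted above and lists BLUE clients whose dropped DNS queries are addressed to a server other than the 192.168.20.1 that the BLUE DHCP server hands out. The sample lines are the ones from the post; the field layout is assumed from them.

```python
import re
from collections import defaultdict

# Constructed sample: the DROP lines from the IPFire firewall log quoted above.
SAMPLE_LOG = """\
13:04:30 DROP_Wirelessforward blue0 UDP 192.168.20.13 10.64.0.1 48789 53(DOMAIN)
13:04:31 DROP_Wirelessforward blue0 UDP 192.168.20.13 10.64.0.1 47063 53(DOMAIN)
13:04:31 DROP_Wirelessforward blue0 UDP 192.168.20.13 10.64.0.1 47063 53(DOMAIN)
13:04:49 DROP_INPUT red0 UDP 192.168.15.16 192.168.15.255 57621 57621
13:05:16 DROP_INPUT red0 2 192.168.15.1 224.0.0.1
"""

# Assumed field layout, taken from the lines above:
# time, chain, interface, protocol, src, dst, then optionally sport and dport(service).
LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<chain>\S+)\s+(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)(?:\s+(?P<sport>\d+)\s+(?P<dport>\d+))?"
)

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Lines without ports (e.g. IGMP, protocol "2") leave sport/dport as None.
    rec["sport"] = int(rec["sport"]) if rec["sport"] else None
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    return rec

def stray_dns_queries(log_text, blue_iface="blue0", blue_dns="192.168.20.1"):
    """Return {client: {dns_server: count}} for dropped DNS queries seen on the
    BLUE interface that are not sent to the DNS address BLUE DHCP advertises."""
    stray = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["iface"] != blue_iface or rec["dport"] != 53:
            continue
        if not rec["chain"].startswith("DROP"):
            continue
        if rec["dst"] != blue_dns:
            stray[rec["src"]][rec["dst"]] += 1
    return {client: dict(servers) for client, servers in stray.items()}

if __name__ == "__main__":
    for client, servers in stray_dns_queries(SAMPLE_LOG).items():
        for server, n in servers.items():
            print(f"{client}: {n} dropped DNS queries to {server} (BLUE DHCP advertises 192.168.20.1)")
```

A client that shows up here is resolving against a server its DHCP lease did not give it, which points at the client's resolver configuration rather than at the firewall rules.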

On the Web Proxy page (menu Network > Web Proxy) scroll down to Network based access control. Maybe the blue network needs to be added…


This is one of the things that stumped me! :exploding_head:

The other item that stumped me was adding IP address(es) to the Wireless Configuration page (menu Firewall > Blue Access).

Thanks @jon for the suggestions:

Blue is currently included in the allowed subnets:

192.168.10.0/24
192.168.20.0/24

I have added my WI-FI MAC addresses. In fact, under Devices on BLUE, the system added hostname beside each device after they have connected.

I also tried using an entry to open all MAC addresses (like in your example above), but that did resolve the issue.

I appear to have found the issue on my Linux laptop. The nameserver address in /etc/resolv.conf did update to 192.168.20.1 when my laptop connected to IPFire. If I add 192.168.20.1 to resolv.conf, then I can connect to the web.

However, this is not a solution; I need to figure out why the Network Manager didn’t update resolv.conf when I connected to IPFire. Any ideas would be greatly appreciated.

And I have no idea how to resolve this on the iPad.

Hello Richard,

do you still get entries of the type DROP_Wirelessforward for your blue net in your Firewall-Logs?

Did you read the following Wikipage? https://wiki.ipfire.org/configuration/firewall/accesstoblue

What is the issue on your iPad? I don’t see the correlation between your issue on the laptop and the issue on the iPad yet. Are you sure your DHCP-Server on the blue net distributes the DNS-Option correctly?

No

Yes

My iPad had not been able to connect to the internet thru IPFire. However, this morning my iPad can now connect to the internet thru IPFire. I have no idea what changed. Although I still need to find an optimized hostapd file for my WLE900vx card as the speeds on the iPad average only 100 Mbps where they should be over 600.

It appears that the DHCP-Server is correctly passing the DNS address to the laptop (running LMDE 3) and the DNS is showing up in the connection file:

nmcli -f IP4.DNS connection show IPF
IP4.DNS[1]: 192.168.20.1

But for some unknown reason /etc/resolv.conf is not being updated with the above nameserver IP address.

If I manually change the nameserver in /etc/resolv.conf to 192.168.20.1, then I can connect to the internet thru IPFire (which tells me that IPFire is set up correctly). However, this is not a solution, as the IP address is erased upon reboot and doesn’t allow for me changing DHCP servers.

I just cannot figure out why the nameserver stops at the connection file and is not being passed to /etc/resolv.conf.

I’ve checked the symlink for resolvconf and it appears correct, and the header in /etc/resolv.conf is showing that it’s running:

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN

After spending hours on this, my current best guess is that my VPN provider / OpenVPN is locking the DNS IP address even when I don’t have a VPN connection. They originally said that it was not them. But I have now sent them new information showing that the DNS IP address does not change on both my LMDE 3 and Windows 10 Pro computers. It also only happens on the WIFI connection (the DNS IP address correctly updates when connecting over my LAN).

Hi,

you didn’t mention the VPN before … could it be an issue with “Split-DNS” or routing? I ran into this problem some time ago.

There is an option called something like “Use this connection only for resources on this network” a little bit hidden in the NetworkManager of LMDE3:

  1. Open the Network Connections Window
  2. Click “Edit” for OpenVPN-Interface
  3. Open the IPv4-Tab
  4. Click on “Routes” button
  5. Enable “Use this connection only for resources on this network” (or similar)

Additionally make sure the Searchdomains for DNS are set properly for every interface on the IPv4/IPv6-Tabs.

Hi Yoda,

I have exactly the same issue as you (with a similar config and the same WLE900VX), except that I tried with two computers, one with Ubuntu, one with W10, and two Android smartphones. None of them can reach the internet through WLAN and BLUE.

Did you find something else? Did you solve your issue?

Thanks in advance for your help,

Cheers

Hi @fifi, Unfortunately, I ran into additional issues with IPFire which nobody was able to help me resolve. For example: IPFire vs. OpenWRT re: Wireless and Interfaces & Hostapd file for WLE900VX

As a result, I replaced IPFire with OpenWRT and no longer have any of the issues that I had with IPFire.