Broadband-Hamnet™ Forum :: General
Subject: WAN/Internet to Mesh access, how does the routing work?..
2014-08-13 16:24:46
Subject: Re: WAN/Internet to Mesh access, how does the routing work?..
2014-08-14 06:31:38

KG6JEI
Member
Joined: 2013-12-02 19:52:05
Posts: 516
What happens when the MESH GW checkbox is enabled, saved and rebooted is that the OLSR DYN GW module is enabled in the config files.
The OLSR DYN GW module controls the injecting of a 0.0.0.0/0 HNA address.
http://olsr.org/git/?p=olsrd.git;a=blob;f=lib/dyn_gw/README_DYN_GW is the main readme for the DYN_GW module.
The main item is that it performs a ping to the BBHN website (single ping) every 60 seconds with a fallback to Google as a safety net (the 4 exact servers are listed in the source code).
If any of the pings are successful for a set amount of time, then an HNA of 0.0.0.0/0 is published by the module (the same feature that tells nodes about your local 'direct' subnet).
Once an HNA of 0.0.0.0/0 is published, other nodes will see the route and add it to the routing tables on each field node in routing table 31, so they can then get to the internet by going to the publishing node.
If the ping fails a set number of times, the route is removed from publication and the nodes remove the 0.0.0.0/0 route via that node from the table, thus changing the GW routing.
A route of 0.0.0.0/0 means 'SEND EVERYTHING to me'. If the node is told to send all data but does not forward it on to the internet as a whole, it WILL confuse the users if they are expecting to get out to the web and can't (depending how close they are to that filtering node vs the open node).
In addition, if someone else turns on mesh GW and is closer, they will not be able to get to your network on your WAN port, so keep that in mind with your design and be sure to set the policies for your network.
Note: Most posts submitted from iPhone
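A toy model of the gateway-advertisement behaviour KG6JEI describes: probes are fed in one per interval, the node starts publishing 0.0.0.0/0 only after a run of successes and withdraws it only after a run of failures, and a field node installs whichever publishing node has the lowest path cost. This is an added example, not code from Broadband-Hamnet or from the olsrd DYN_GW plugin; the thresholds, path costs and probe sequence are constructed for illustration, and the "lowest path cost wins" rule is a simplification of OLSR's route selection, used here only to show how a closer gateway takes over traffic as the post warns.

```python
"""Toy model of the DYN_GW gateway-advertisement behaviour described in the post.

Added example, not code from Broadband-Hamnet or the olsrd DYN_GW plugin.
Thresholds, path costs and the probe sequence are constructed; the real plugin's
probe targets and timers are in its source and README.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class DynGwMonitor:
    """Tracks reachability probes (one per 60 s interval in the real plugin)
    and decides whether this node should publish a 0.0.0.0/0 HNA."""
    up_after: int = 2        # consecutive successes needed before publishing
    down_after: int = 3      # consecutive failures needed before withdrawing
    publishing: bool = False
    ok_streak: int = 0
    fail_streak: int = 0

    def probe(self, reachable: bool) -> bool:
        """Feed one probe result; return whether 0.0.0.0/0 is published afterwards."""
        if reachable:
            self.ok_streak += 1
            self.fail_streak = 0
            if not self.publishing and self.ok_streak >= self.up_after:
                self.publishing = True
        else:
            self.fail_streak += 1
            self.ok_streak = 0
            if self.publishing and self.fail_streak >= self.down_after:
                self.publishing = False
        return self.publishing


def simulate(probe_results: List[bool], up_after: int = 2, down_after: int = 3) -> List[bool]:
    """Run a probe sequence through the monitor and return the published state per interval.
    The hysteresis means one lost ping does not flap the default route for the whole mesh."""
    mon = DynGwMonitor(up_after=up_after, down_after=down_after)
    return [mon.probe(r) for r in probe_results]


def gateway_for_field_node(publishing: Dict[str, bool], path_cost: Dict[str, float]) -> Optional[str]:
    """Which node a field node installs as its default route: among the nodes currently
    publishing 0.0.0.0/0, the one with the lowest path cost (constructed simplification of
    OLSR's metric-based selection). None means the field node has no default route at all."""
    candidates = [(cost, name) for name, cost in path_cost.items() if publishing.get(name)]
    return min(candidates)[1] if candidates else None


if __name__ == "__main__":
    # Constructed probe history: two good probes, two lost, one good, three lost, one good.
    history = [True, True, False, False, True, False, False, False, True]
    print("published per interval:", simulate(history))
    # Gateway A publishes first; the field node uses it even though B is closer ...
    print(gateway_for_field_node({"A": True, "B": False}, {"A": 2.0, "B": 1.0}))
    # ... until B also enables the checkbox and passes its probes, then B takes the traffic.
    print(gateway_for_field_node({"A": True, "B": True}, {"A": 2.0, "B": 1.0}))
```

The second scenario is the design point of the post: once a nearer node publishes 0.0.0.0/0, traffic that used to reach your WAN port goes to that node instead, and if that node filters or drops it, users see a broken internet path even though your gateway is fine.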
Subject: Re: WAN/Internet to Mesh access, how does the routing work?..
2014-08-14 08:13:31

AE4ML
Member
Joined: 2014-06-01 15:17:42
Posts: 47
Location: Spotsylvania VA USA
If the mesh needs to see the internet, then I think you just answered why I haven't been able to access from my mesh to the local network. On my ISP router I deny everything from the mesh and only allow my local PCs and wireless devices access to the internet.
At this time I don't want the mesh to touch the internet. With that said, I haven't been able to go from my local network and traverse the other side of the mesh network.
I would think a change to check access to the next hop router on the WAN side would be sufficient to populate the 0.0.0.0/0 route. I plan on being extremely prejudiced on what is and isn't permitted to the internet off of the mesh.
Michael Lussier
AE4ML
Subject: Re: WAN/Internet to Mesh access, how does the routing work?..
2014-08-15 00:36:41

N4SV
Member
Joined: 2014-04-08 19:54:23
Posts: 23
Thanks Conrad, I had no idea the algorithm was quite that complicated. Obviously my "non-Internet/Internet" test concept won't work because those sites can't be pinged. Don't suppose the 4 sites in the list in the OLSR code can be easily modified? I'd like to keep my local mesh in a closed system for proof-of-concept testing; I completely agree with Michael's comment in this thread as to keeping a tight control on what goes in and out of my WAN port. Thanks again for the detailed response.
73, Bill, N4SV
Subject: Re: WAN/Internet to Mesh access, how does the routing work?..
2015-05-19 14:15:25

N8JJ
Member
Joined: 2014-07-23 14:46:49
Posts: 15
Location: Beavercreek, Ohio
I am noticing that when I enable WAN access, the mesh also has access to my LAN. Isn't that a security and routing issue? Multiple nodes could be using 192.168.0.x, for example, and create an IP conflict.
Subject: Re: WAN/Internet to Mesh access, how does the routing work?..
2015-05-21 13:37:32

N6DLH
Member
Joined: 2011-12-27 20:03:33
Posts: 14
Location: Hampton Virginia
That seems really strange. There is a firewall on the WAN port of the gateway mesh node. I just went through trying to allow access to a meshed web server. I had to reconfigure the firewall.user file on the mesh gateway to allow the forwarding of port 80. Even when one of my main computers accesses the LAN from a wireless connection, I cannot get past the gateway mesh node by default. So I have that on the mesh via ethernet cable to allow remote administration of the server. Even then I have to unplug the wireless card to get past the local node.
I am no expert in this (so I could be wrong!), but I have been playing with them off and on since I could count all the nodes on the world map in several minutes. It seems odd to be able to see the LAN from the mesh via the mesh gateway.
Also, there should not be a conflict, since the computers on the mesh would not use that type of public IP; they should all be on the 10.0.0.0 public.
Dave
N6DLH
Subject: Re: WAN/Internet to Mesh access, how does the routing work?..
2015-05-21 13:53:23
Subject: Re: WAN/Internet to Mesh access, how does the routing work?..
2015-05-21 14:06:39

N8JJ
Member
Joined: 2014-07-23 14:46:49
Posts: 15
Location: Beavercreek, Ohio
I sent a detailed note to the developers on how to duplicate the problem. I'll see what they say.
Subject: Re: WAN/Internet to Mesh access, how does the routing work?..
2015-05-21 14:10:43

N6DLH
Member
Joined: 2011-12-27 20:03:33
Posts: 14
Location: Hampton Virginia
Mike,
Others may be able to chime in here....
If you SSH into the gateway there is a file under /etc/config/firewall.user; if you use the line vi /etc/config/firewall.user you can see the information there. Like you, I only want certain access to the mesh. You can port forward port 2222 and have access to SSH into the gateway. Now you have the option of opening port 2222 on the gateway WAN port but keeping it closed on the ISP port to isolate that from the Internet.
One thing I have been thinking about doing is trying to keep port 8080 closed on my ISP router, but using the DHCP IP for the WAN port on the gateway router and opening 8080 to allow me to access the status page on the gateway router. Hopefully from there it will allow access to all the other nodes on the network via 8080, but that is still uncertain to me.
Subject: Re: WAN/Internet to Mesh access, how does the routing work?..
2015-05-21 14:16:58

AE4ML
Member
Joined: 2014-06-01 15:17:42
Posts: 47
Location: Spotsylvania VA USA
That's why I love Cisco routers. ACLs are easy, as well as port forwarding.
I will have to look into the firewall on the node. Thanks
Michael Lussier
AE4ML
Subject: Re: WAN/Internet to Mesh access, how does the routing work?..
2015-05-22 04:36:44
Subject: Re: WAN/Internet to Mesh access, how does the routing work?..
2015-05-22 07:37:53

AE6XE
Member
Joined: 2013-11-05 00:09:51
Posts: 116
The technical implementation of the 'gateway' is such that if there is no route on the mesh to an IP address, then traffic is sent to the 'gateway'. Here's what this 'default' route looks like on the gateway node (there's more complexity with policy routing we'll ignore for the moment):

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth0.1

Thus, any IP address that mesh traffic is being routed to, and for which the mesh has no specific routing definition, will go to 192.168.1.1. Changing the netmask to 255.255.255.254 for a 192.168.x.x route bumps it to the default route.
All, please consider that this design and behavior is how all your home Netgear, Linksys, etc. routers work. The same scenario occurs when you connect 2 Netgear devices back to back, for example:
Netgear_A_WAN_port -> Netgear_B_LAN_port/Netgear_B_WAN_port -> ISP_Internet_port
10.x.x.x_network -> 192.168.x.x_network -> internet
It is a design choice for the 10.x.x.x network to openly talk with the 192.168.x.x network (and vendors' default is 'yes'). If the design choice is to not have access to the intermediate network, then a config setting can be made given know-how (on either side of the fence). There are a few options for the intended behavior: DMZ, don't daisy chain, and more.
Joe AE6XE
Last Edited On: 2015-05-22 07:40:22 By AE6XE
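A longest-prefix-match lookup over a routing table like the one AE6XE shows, to make concrete why the mesh can reach the intermediate 192.168.x.x LAN that N8JJ noticed, and what the netmask remark means. This is an added example, not Broadband-Hamnet code: the default route and the eth0.1 interface name come from the post, while the mesh routes, the 192.168.1.x hosts and the helper names are constructed for illustration.

```python
"""Longest-prefix-match route lookup illustrating the 'default route' behaviour.

Added example, not code from Broadband-Hamnet. The default route and interface
name are taken from AE6XE's post; mesh routes and host addresses are constructed.
"""
import ipaddress
from typing import List, Optional, Tuple

# (prefix, next-hop gateway or None when directly connected, outgoing interface)
Route = Tuple[str, Optional[str], str]

# Constructed gateway-node table. eth0.1 is the WAN port facing the home 192.168.1.x LAN.
GATEWAY_TABLE: List[Route] = [
    ("0.0.0.0/0", "192.168.1.1", "eth0.1"),   # the 'default' row from AE6XE's output
    ("10.0.0.0/8", None, "wlan0"),           # hypothetical: mesh nodes learned via OLSR
    ("10.21.5.0/24", "10.99.1.1", "wlan0"),  # hypothetical: a remote node's HNA subnet
]


def lookup(table: List[Route], dst: str) -> Route:
    """Return the most specific matching route (longest prefix wins), as the kernel does.
    0.0.0.0/0 matches every address, so it only wins when nothing narrower matches."""
    dst_ip = ipaddress.ip_address(dst)
    best: Optional[Tuple[ipaddress.IPv4Network, Route]] = None
    for route in table:
        net = ipaddress.ip_network(route[0])
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, route)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]


def leaves_via_wan(table: List[Route], dst: str, wan_iface: str = "eth0.1") -> bool:
    """Defender's check: would mesh traffic to dst exit the WAN port? Any destination with
    no mesh-specific route does, which is why the intermediate LAN is reachable by default."""
    return lookup(table, dst)[2] == wan_iface


def with_lan_route(prefixlen: int) -> List[Route]:
    """Gateway table plus a directly connected route for the WAN-side LAN with the given
    mask length. /24 covers the whole home LAN; /31 (255.255.255.254) covers only .0 and .1,
    so every other 192.168.1.x host falls through to the default route, as AE6XE notes."""
    return GATEWAY_TABLE + [(f"192.168.1.0/{prefixlen}", None, "eth0.1")]


if __name__ == "__main__":
    for dst in ("10.21.5.7", "10.4.4.4", "192.168.1.50", "8.8.8.8"):
        print(dst, "->", lookup(GATEWAY_TABLE, dst), "exits WAN:", leaves_via_wan(GATEWAY_TABLE, dst))
    print("192.168.1.50 with /24 LAN route:", lookup(with_lan_route(24), "192.168.1.50"))
    print("192.168.1.50 with /31 LAN route:", lookup(with_lan_route(31), "192.168.1.50"))
    print("192.168.1.1  with /31 LAN route:", lookup(with_lan_route(31), "192.168.1.1"))
```

The lookup makes AE6XE's design point visible: a host on the home LAN such as 192.168.1.50 is reachable from the mesh not because any route names it, but because nothing excludes it from the default route. Restricting that path is a filtering decision on one side of the fence, not something the routing table alone will do.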