NAT router sends RST to a server where a NAT'ed client is connected to


As I tried to remove some Ethernet wires in my home network, I took an older notebook with Linux and tried to use it as a kind of Ethernet-to-Wi-Fi NAT router (the Wi-Fi card can't act as a bridge, so I had to use NAT). Basically this works, but all the clients behind this NAT router get network errors on TCP connections from time to time.

First, here is the complete setup:

INTERNET > wire > Standard Wi-Fi Router > air > Linux Router > Clients

After some sniffing on the Linux router and on the clients, I found out the following:

  1. the client connects as usual to the remote server and retrieves some data
  2. the client gets busy (e.g., writing data to disk) and its receive window fills up
  3. the client then basically tells the server to wait; in my case, either an ACK with win=0 or with win < MTU is the last ACK I can see in the capture before the connection breaks
  4. while this last ACK is travelling, some packets are still arriving from the remote server
  5. the Linux router responds to each of these packets with a RST to the remote server and thereby destroys the connection
  6. the client is confused because it gets a RST from the server in response to the next packet it sends

So it's step [5] that is my problem here, and I would like to know why it happens and how to fix it.

Other things to mention:

  • the wireless network itself works fine
  • all clients not behind the Linux box work fine
  • UDP works fine as far as I can tell
  • iptables on the Linux router is just minimal:
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE # masquerade everything leaving on eth1
iptables -I FORWARD -i eth1 -o eth0 -s 192.168.2.0/24 -d 192.168.1.0/24 -j ACCEPT # for static routing
iptables -I FORWARD -i eth0 -o eth1 -s 192.168.1.0/24 -d 192.168.2.0/24 -j ACCEPT # for static routing

I also found out that setting the policy of the INPUT chain to DROP helps, since it drops the unwanted packets that lead to the reset, but IMHO that's just a dirty fix.

cdx

Posted 2013-06-24T15:17:48.160

Reputation: 11
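The sequence in steps 3 to 5 of the question, as an added example that is not part of the original post: a small Python model of one mechanism that produces exactly this behaviour on a Linux NAT box. The mechanism is an assumption for the example, not a diagnosis confirmed anywhere in this thread: nf_conntrack's TCP window tracking marks a server segment INVALID once it starts beyond the right edge (ack + window) of the window the client last advertised; an INVALID packet is not un-NATed, so it is routed to the router's own stack, which owns no socket for it and answers with a RST. The segment numbers, the flow state and the four ruleset variants are constructed for the example, and the real kernel check (tcp_in_window) has more terms than the one modelled here.

```python
"""Model of why a Linux NAT box may answer a forwarded TCP stream with RST.

Added example, not code from the original post.  The mechanism is a hypothesis:
once the router has forwarded the client's ACK with win=0, nf_conntrack marks
any server segment that starts beyond ack+win as INVALID; INVALID packets are
not un-NATed, so they are delivered to the router's own stack (INPUT), which
has no socket for them and replies with RST.  All numbers are constructed and
the window check is simplified from the kernel's tcp_in_window().
"""
from dataclasses import dataclass


@dataclass
class Segment:
    seq: int          # first sequence number of the segment (server -> client)
    length: int       # payload bytes
    rst: bool = False


@dataclass
class ClientSide:
    ack: int          # last ACK number the router saw from the client
    window: int       # last receive window the client advertised (already scaled)


def in_window(seg, client, be_liberal=False):
    """Simplified nf_conntrack window check for a server->client segment.

    The segment must start no later than the client's advertised right edge
    (ack + window).  With net.netfilter.nf_conntrack_tcp_be_liberal=1 only RST
    segments are still subject to the check (per the kernel's nf_conntrack
    sysctl documentation).
    """
    if be_liberal and not seg.rst:
        return True
    return seg.seq <= client.ack + client.window


RULESETS = {
    # The poster's ruleset: FORWARD accepts, INPUT policy ACCEPT, nothing
    # special done with INVALID packets.
    "original":     {"be_liberal": False, "drop_invalid": False, "input_drop": False},
    # The poster's "dirty fix": INPUT policy DROP (drops everything local).
    "input_drop":   {"be_liberal": False, "drop_invalid": False, "input_drop": True},
    # Targeted variant: iptables -I INPUT -m conntrack --ctstate INVALID -j DROP
    "drop_invalid": {"be_liberal": False, "drop_invalid": True,  "input_drop": False},
    # sysctl -w net.netfilter.nf_conntrack_tcp_be_liberal=1
    "liberal":      {"be_liberal": True,  "drop_invalid": False, "input_drop": False},
}


def router_action(seg, client, ruleset):
    """What the NAT router does with one inbound server segment.

    Returns 'FORWARD' (un-NATed and sent on to the client), 'DROP' (silently
    discarded) or 'RST' (delivered to the router's own stack, which resets it).
    """
    cfg = RULESETS[ruleset]
    if in_window(seg, client, cfg["be_liberal"]):
        return "FORWARD"            # ctstate ESTABLISHED: dst rewritten back to the client
    # ctstate INVALID: no NAT mapping is applied, the packet keeps the router's
    # own address as destination and therefore goes to INPUT, not FORWARD.
    if cfg["drop_invalid"] or cfg["input_drop"]:
        return "DROP"
    return "RST"                    # no local socket for this segment -> RST


def simulate(ruleset):
    """Replay steps 3-5 of the post: the client ACKs byte 10000 with win=0
    while three 1460-byte segments from the server are still in flight."""
    client = ClientSide(ack=10000, window=0)
    in_flight = [Segment(seq=10000, length=1460),
                 Segment(seq=11460, length=1460),
                 Segment(seq=12920, length=1460)]
    return [router_action(seg, client, ruleset) for seg in in_flight]


if __name__ == "__main__":
    for name in RULESETS:
        print(f"{name:13s} {simulate(name)}")
```

Running it prints the action taken for each in-flight segment under each ruleset; only the first segment (the one starting exactly at the client's ACK) survives the window check in the non-liberal variants. On a real router the corresponding checks are `cat /proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal` and a capture such as `tcpdump -ni <uplink> 'tcp[tcpflags] & tcp-rst != 0'` (uplink name is a placeholder) to confirm the RSTs carry the router's own address; the two targeted alternatives to a blanket INPUT DROP policy modelled above are `iptables -I INPUT -m conntrack --ctstate INVALID -j DROP` and `sysctl -w net.netfilter.nf_conntrack_tcp_be_liberal=1`.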

Why are you NATing in the first place? Just put pfSense (FreeSco, m0n0wall, Vyatta or one of a dozen others) on the laptop and have it act as a full router. Your statement that the Wi-Fi card can't act as a bridge is nonsensical. No NIC is ever a bridge by itself. The bridge always exists between two NICs. – Tonny – 2013-06-24T18:43:48.590

@Tonny: Some wireless NICs don't support bridging with other device(s), for various reasons. I really doubt that he meant 'bridge an interface with itself'. You can of course have a single-port Linux bridge interface, not that it makes sense. – pilona – 2013-06-25T20:15:18.310

No, I didn't try to bridge the Wi-Fi interface by itself; I was speaking, as pilona said, of bridging eth0 and wifi0, which doesn't work as the Intel 3945 card doesn't support that. @"why NAT in the first place": I can't set static routes on the router that connects me to the internet, so I have to kind of fake that all the clients connected via wire to the notebook router are in the subnet the router "knows". The two subnets that exist because of the bridging problem are statically routed and the routes are pushed via DHCP to the clients (which also doesn't work with the router that connects me to the web). – cdx – 2013-06-30T22:46:37.913

I also tried a rule setup without static routes, which didn't work either:

iptables -I FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -i eth0 -o eth1 -j ACCEPT

– cdx – 2013-06-30T22:57:03.937

No answers