My condo building provides wifi. However they have a stupid terms of service window you have to accept before getting access. I wrote a script that can post automatically to that terms of service window and grant access. My problem is I cannot connect my Apple TV as it does not have a web browser to accept the terms of service.
So I took a Raspberry Pi and made it a NAT router. I connected the wifi of the Pi to the condo wifi. I put a cron job in place to run my script to post to the condo router to keep the terms of service active. Everything works great until I attach an AirPort to the ethernet. My plan is to create my own WiFi network using the Raspberry Pi as the router and the AirPort as the secondary router (private wifi network).
So more or less there is double NAT going on. The condo router is doing NAT. The AirPort is using NAT.
After about a minute of use everything shuts down. I think the condo router is blocking us. The condo router will not route packets to the web. It will not give me an IP from DHCP. The condo router is a WatchGuard product.
Is it possible that the condo router is detecting the private network (AirPort) and blocking my access? I assume they are detecting it via the double NAT that is going on. Is there any way to fool the router into not detecting the AirPort and letting all this work?
Thanks.
~Spicer
Are you sure what you're doing isn't against ToS? – gronostaj – 2013-12-28T18:47:49.473
What router is giving your devices an IP? If you set up your Raspberry Pi as a router, that is the device which should hand out new IP numbers to your devices. And if you can disable the DHCP (and NAT) in the AirPort and use it only as an access point, you'll just have one NAT. Also, after you don't have access anymore... is the Raspberry Pi also blocked?? – Rik – 2013-12-28T19:01:03.090
When I read through the TOS I don't see anything that forbids this. Plus I am an owner in the condo building. I consider it "mine". I have tried to work with the condo board to get the Terms of Service window removed from our routers but the board is pretty dumb and will not listen to me. – spicer – 2013-12-28T19:15:44.617
The condo router gives an IP address to the wireless card on the Raspberry Pi. Then I have a static network set up between the ethernet of the Raspberry Pi and the AirPort. Then the AirPort hands out IP addresses to devices via DHCP. So devices get an IP address from the AirPort, the AirPort routes via NAT through the Raspberry Pi's wifi connection to the condo's router. I have verified all this works properly. It seems the condo's router is blocking our connection. I think it is some sort of protection built into the router. – spicer – 2013-12-28T19:19:14.213
I am not sure how one would detect a router-behind-a-router. I know some things do, but I don't quite understand what they do to detect the usage of double-NAT. Also, is the Pi using some sort of bridged interface between its wifi and ethernet? Lastly, can you use a different device, say one running OpenWRT? It might be easier to debug one device than two. – Michael Graff – 2013-12-28T19:24:04.427
With Linux on the Raspberry Pi it should be sufficient to debug the connection. Does the Raspberry Pi still have an IP from the condo router after being blocked? And does that still work? (Use ping, etc. on the Raspberry Pi to check.) How did you determine your setup is "being blocked"? ("Doesn't work anymore" does not necessarily mean it is blocked.) What happens if you hook up a computer to the Raspberry Pi and access the internet? Do you get blocked then too? Losing the IP (on devices) is also something the condo router can't do, because the AirPort hands them out and that should still be working. – Rik – 2013-12-28T20:35:35.767
The Raspberry Pi loses connection. I think the condo router is dropping all packets from it. It has an IP because it got it from DHCP. However, if you renew that lease the condo router will not respond. If I let it sit for 15 mins it will get an IP and have access again. If I renew the DHCP with a different MAC address or a different DHCP Client ID it will give me an IP and route to the internet. The condo router only "blocks" me when I start sending NAT'ed traffic through it via the AirPort Express. And it takes a few mins to "block" (as in it takes some time to detect NAT'ed traffic). – spicer – 2013-12-28T22:47:10.027
You did some good diagnosing already then. It does look like a block. You could try connecting a pc directly to the raspberry pi. If that doesn't work you might want to ask the technical department of the building (not the building-management because likely they don't have the technical data so try to find out who manages the technical side and ask them). Maybe another alternative is routing the traffic through a vpn (on the raspberry pi side) and seeing if they can detect that. – Rik – 2013-12-28T22:58:29.667
Oh. I also stuck a second wifi card on my Mac. Then did Internet Sharing on the Mac. Same result. Yeah. I have talked to the technical department. They are against all this. They keep telling me if I want to run my Apple TV I can buy a dedicated connection from them :(. I did try a VPN but maybe not hard enough. I will try that again. I think the router detects NAT based on the TTL of the packet or something. That is the sort of advice I was looking for on this post. Is there some way to "refresh" the NAT packets or something to hide that it is NAT. – spicer – 2013-12-28T23:21:10.433
@spicer aah, I see you did your homework about detecting NAT ;) See an article here for example. Not sure about refreshing the TTL but have you thought about setting up a proxy on the Raspberry Pi? That way there is no NAT (the Raspberry Pi is the first device) so there is no NAT to detect. (And here is hoping they don't check for proxies.) – Rik – 2013-12-29T00:28:09.857
Or something like this thread: how to set iptables to hide NAT router – Rik – 2013-12-29T00:39:15.323
Hey @Rik, thanks for the suggestion. I really thought I had it. I changed the TTL via iptables. It worked great for about an hour. Then same result. I guess I just tricked the system for a bit longer :( – spicer – 2013-12-29T06:42:34.087
what's the IP address range of the two networks? – Journeyman Geek – 2013-12-29T09:37:15.800
What command did you use to set the TTL to 128? You need to make sure both the forwarded traffic as well as the traffic from the Raspberry Pi itself is set to the same value, otherwise it can still be detected. Next is making sure the Raspberry Pi doesn't forward the traffic on ports that are too high (also a sign of forwarded traffic). And last there is some OS fingerprint hiding to be done. Look at this. If all fails you could still try using a proxy. (Set the Raspberry Pi as the proxy server.) – Rik – 2013-12-29T09:41:44.107
Hi @Rik, I used "iptables -t mangle -A PREROUTING -i eth0 -j TTL --ttl-set 128". I am trying to avoid the OS fingerprinting as that requires a kernel patch (could be complex on the Raspberry Pi). I like the proxy idea but I do not think I can do it. The point of this is to get devices that do not have web browsers online (i.e. my Apple TV). I looked in the settings on the Apple TV and I do not see a way to add a proxy setting. – spicer – 2013-12-29T17:49:26.220
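The TTL-based double-NAT check that the thread suspects the condo gateway is running, written out from the gateway's side as an added example (this is not code from the thread and not WatchGuard's implementation). The client addresses, the TTL samples and the assumption that hosts start at one of the initial TTLs 64, 128 or 255 are constructed for the example.

```python
from collections import defaultdict

# Initial TTLs used by common operating systems: Linux/macOS/iOS (64),
# Windows (128), many network appliances (255). Assumed for this example.
INITIAL_TTLS = (64, 128, 255)


def hop_signature(ttl):
    """Map an observed TTL to (assumed initial TTL, hops travelled).

    A client attached directly to the gateway's wifi delivers packets with
    TTL equal to its OS initial value (0 hops). Every extra router in the
    path, such as a NAT box sitting behind the client's address, costs one.
    """
    initial = min(t for t in INITIAL_TTLS if t >= ttl)
    return initial, initial - ttl


def analyse_client_ttls(records):
    """Group (src_ip, ttl) samples per source and flag double-NAT indicators.

    Returns {src_ip: {"signatures": set of (initial, hops),
                      "suspicious": bool, "reasons": [str, ...]}}.
    """
    seen = defaultdict(set)
    for src_ip, ttl in records:
        seen[src_ip].add(hop_signature(ttl))
    report = {}
    for src_ip, sigs in seen.items():
        reasons = []
        if any(hops > 0 for _, hops in sigs):
            reasons.append("ttl below initial: forwarded through an extra router")
        if len({initial for initial, _ in sigs}) > 1:
            reasons.append("mixed initial ttls: several OSes share one address")
        report[src_ip] = {"signatures": sigs,
                          "suspicious": bool(reasons), "reasons": reasons}
    return report


# Constructed sample: 10.0.0.5 is a laptop directly on the condo wifi.
# 10.0.0.7 is a Pi doing NAT: its own packets arrive at 64 (0 hops), while an
# Apple TV (64 -> 63) and a Windows box (128 -> 127) behind it arrive one hop down.
SAMPLE_RECORDS = [
    ("10.0.0.5", 64), ("10.0.0.5", 64), ("10.0.0.5", 64),
    ("10.0.0.7", 64), ("10.0.0.7", 63), ("10.0.0.7", 127), ("10.0.0.7", 63),
]

if __name__ == "__main__":
    for ip, info in analyse_client_ttls(SAMPLE_RECORDS).items():
        print(ip, "SUSPICIOUS" if info["suspicious"] else "ok", info["reasons"])
```

A gateway that also watches source-port ranges and OS fingerprints, as the later comments mention, has further signals this TTL-only check does not use.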