Complex routing thru multiple APs and interfaces
by f15radar from LinuxQuestions.org on (#5A919)
I have a network that contains the following Centos 7 boxes running hostapd and wpa_supplicant.
AP1/Box1 - Has two radios.
wlan0 has ip of 192.168.100.1 netmask 255.255.255.0
wlan1 has IP of 192.168.200.1 netmask 255.255.255.0
wlan0 has 1 client that hooks up to it (an Android device and it gets an IP via DHCP)
wlan1 can have either Box2 and/or Box3 connected to it (depending on Box2 and 3's range)
AP2/Box2 - Has two radios
wlan0 has ip of 192.168.100.1 netmask 255.255.255.0
wlan1 has ip of 192.168.200.20 netmask 255.255.255.0
wlan0 can have a client (an Android device and it gets its IP via DHCP)
wlan1 is connected as a client to AP1/Box1
AP3/Box3 - Has two radios
wlan0 has an ip of 192.168.100.1 netmask 255.255.255.0
wlan1 has an ip of 192.168.200.30 netmask 255.255.255.0
wlan0 can have a client (an Android device and it gets its IP via DHCP)
wlan1 is connected as a client to AP1/Box2
In order for the client that connects to wlan0 to communicate with everyone, I added to the firewall the following on each device:
/sbin/sysctl -w net.ipv4.ip_forward=1
firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o wlan1 -j MASQUERADE
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i wlan0 -o wlan1 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i wlan1 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
All three work great, but sometimes Box3 wanders away and it goes out of range of Box1 but in range of Box2, so I added the following
AP2/Box2 has a virtual interface wlan3 with the ip of 192.168.50.1, I then run another hostapd on it
AP3/Box3 has a virtual interface wlan4 with the ip of 192.168.50.70. It connects via wpa_supplicant to Box2
I have added the following routes:
AP3/Box 3 - ip route add 192.168.100.1 via 192.168.50.1
AP2/Box 2 - ip route add 192.168.50.70 via 192.168.50.1
AP1/Box 1 - ip route add 192.168.200.30 via 192.168.200.20
I get pings from AP1 to AP2 and AP1 to AP3. I also get pings from AP3 to AP1 and AP3 to AP2. But I cannot ssh from 192.168.100.1 to 192.168.200.30 because it says my firewall is blocking it (I can ping), so I did service firewalld stop on AP2/Box2 and I now can ssh, however, I now cannot ping 192.168.100.1 from 192.168.200.30. I could before I stopped the firewall.
I figure it's in my firewall settings but I am not very good at routing or firewalls.
How can I get it to ping?
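To reason about the post's forwarding path, here is an added Python model of the topology exactly as posted (this is example code, not from the post or from CentOS/firewalld). It does longest-prefix route lookup per box and reports whether one of the two posted FORWARD ACCEPT rules matches a given in/out interface pair; a box's own addresses (Linux local table) and firewalld's default FORWARD policy are deliberately not modelled, so an unmatched pair only means "no posted rule covers it".

```python
import ipaddress

# Topology transcribed from the question (/24 from the netmasks given).
# wlan3 on Box2 and wlan4 on Box3 are the later-added virtual interfaces.
BOXES = {
    "Box1": {"ifaces": {"wlan0": "192.168.100.1/24", "wlan1": "192.168.200.1/24"},
             "routes": [("192.168.200.30/32", "192.168.200.20")]},
    "Box2": {"ifaces": {"wlan0": "192.168.100.1/24", "wlan1": "192.168.200.20/24",
                        "wlan3": "192.168.50.1/24"},
             "routes": [("192.168.50.70/32", "192.168.50.1")]},
    "Box3": {"ifaces": {"wlan0": "192.168.100.1/24", "wlan1": "192.168.200.30/24",
                        "wlan4": "192.168.50.70/24"},
             "routes": [("192.168.100.1/32", "192.168.50.1")]},
}

# The two FORWARD rules added on every box: (in_iface, out_iface, established_only).
FORWARD_RULES = [("wlan0", "wlan1", False), ("wlan1", "wlan0", True)]


def connected_iface(box, ip):
    """Interface whose subnet contains ip, or None (resolves a static route's gateway)."""
    ip = ipaddress.ip_address(ip)
    for iface, cidr in BOXES[box]["ifaces"].items():
        if ip in ipaddress.ip_interface(cidr).network:
            return iface
    return None


def lookup(box, dst):
    """Longest-prefix match over connected subnets and the posted static routes.
    Returns (out_iface, next_hop); next_hop is None for a directly connected destination."""
    dst = ipaddress.ip_address(dst)
    best = (-1, None, None)  # (prefixlen, out_iface, next_hop)
    for iface, cidr in BOXES[box]["ifaces"].items():
        net = ipaddress.ip_interface(cidr).network
        if dst in net and net.prefixlen > best[0]:
            best = (net.prefixlen, iface, None)
    for prefix, gw in BOXES[box]["routes"]:
        net = ipaddress.ip_network(prefix)
        if dst in net and net.prefixlen > best[0]:
            best = (net.prefixlen, connected_iface(box, gw), gw)
    return best[1], best[2]


def forward_allowed(in_iface, out_iface, established=False):
    """True only if one of the posted FORWARD ACCEPT rules matches this interface pair."""
    return any(r_in == in_iface and r_out == out_iface and (established or not est_only)
               for r_in, r_out, est_only in FORWARD_RULES)


def hop_check(box, in_iface, dst, established=False):
    """For a packet arriving on in_iface: the egress interface and whether a posted rule accepts it."""
    out_iface, _ = lookup(box, dst)
    return out_iface, forward_allowed(in_iface, out_iface, established)
```

Running hop_check("Box2", "wlan3", "192.168.200.1") shows that traffic entering Box2 over the new wlan3 link and leaving on wlan1 matches neither posted ACCEPT rule, which is the kind of pair to inspect before relying on stopping firewalld as a test.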