You are here

Mesh Tunneling / Switch Help

26 posts / 0 new
Last post
n4ldr
Mesh Tunneling / Switch Help

I have (2) Issues.

#1 - I have an Raspberry Pi on the switch port and I am not able to get updates when using this switch.  The computer however on the same port has no issues with internet access.  Not knowing much about VLAN's, I am assuming the RPi is having issues with the VLAN setup ?

#2 - I would like to join / tunnel into an Existing Mesh Network via internet link, but not exactly sure what needs to be set or how.

Is there a easy way to test the routing to the Tunnel 172.. address?  Has someone already written a guide besides the setup under documentation.  

I saw an earlier post regarding the 5525 port blockage.  Even setting my Comcast router to bridge mode, the online "Open Port" utilities show it is closed.

I am using a NetGear GS108Ev3 switch, configured as: 

<Comcast Modem/Router>  

               <NetGear Switch> - WAN Port  

               <Bullet Node>   - VLAN 2 Port.

               <Computer> - LAN Port

               <Raspberry PI> - LAN Port

 

Hope someone can tell me what I need to do in order to get the RPi able to access repositories when using the NetGear switches.

73 N4LDR  

 

K5DLQ
K5DLQ's picture
I have seen this behavior as

I have seen this behavior as well with one of my Pi's.  Haven't researched it further, but, you can issue the following command at every boot of your Pi:

route add default gw 10.x.x.x

(where 10.x.x.x is the eth0 address of the node that the Pi is attached to)

 

AE6XE
AE6XE's picture
#1)  The RasPi may be

#1)  The RasPi may be configured by default to have a static IP address (192.168.1.1?) and be a DHCP server on its port so when you connect a laptop, the laptop receives an IP address and you can connect.   (What OS is installed?)  If so, you need to change the network configuration so that it receives an IP from the AREDN node.   It will receive a 10.x.x.x address like a laptop and have access to the internet in the same way.   To access the RasPi from another laptop on the mesh network, you would need to use its assigned 10.x.x.x address (and could advertise a mesh service to have a link in mesh status).  

#2) There's no out-of-box way (something in the setup menus) in AREDN to do a port forward from the internet into the mesh network.  This could only be done by someone that knows linux routing (iptables) and vi to edit the appropriate config files under the hood.   This is something on the list to add in another release.  Note, there is an AREDN menu option to forward from the internet to a computer on the internet gateway's LAN, but not beyond the gateway node into the mesh network. 

 

AE6XE
AE6XE's picture
Can you clarify what device

Can you clarify what device is plugged into each port of the GS108Ev3 switch?    Something looks amiss, but may just be the notation.

Port 1 = Comcast modem/router

Port 2 = Bullet

Port 3 = Computer

Port 4 = Raspberry Pi

Port 5 = open

Port 6 = open

Port 7 = open

Port 8 = open

n4ldr
Currently I have (2) Nodes,

Currently I have (2) Nodes, with only one being used at a time until I get thru some of these issues.  I also see when looking at the tunneling directions to SSH into the Node.. This is something I have not been able to do on either node, not through the switch or direct to computer ethernet when issuing the "ssh root@10.x.x.x lan address.  Both node have 3.15.1.0b02 installed.

The Raspberry Pi is getting the Address from the (NODE A) DHCP and shows that node as the gateway address.  I also have the Pi mac: reserved in the Node.  Currently the Pi has Wheezy installed.  Never really gotten deep into Linux so still learning something new all the time.

The NODE A - Shows the Comcast Router Address as the gateway.

Here is my setup, re-arranged the order to make it easier for me to remember the porting.

Port 1 = (WAN) - Comcast modem/router

Port 2 = (NODE A) - Bullet 

Port 3 = (LAN A) - Computer

Port 4 = (LAN A) - Raspberry Pi

Port 5 = (LAN A) - Cisco 7961 Ip Phone

Port 6 = (LAN A) - open

Port 7 = (NODE B) - NanoStation  

Port 8 = (LAN B) - open

And the Configuration:

 

 

Image Attachments: 
n4ldr
Switch Configuration

and the rest of the configuration

Image Attachments: 
AE6XE
AE6XE's picture
Switch config looks good.  

Switch config looks good.   With ssh the nodes are expecting  incoming connections on port "2222" and not the default "22".  Consequently, try  "ssh -p 2222 root@<IP or hostname>".  However, in beta02, you should be able to configure the tunnel client from the setup menus and avoid the ssh commands (obsoleted the need to do command line).  

There shouldn't be any issues with vlan packets for the rasPi.   The switch is configured such that all packets going to the RasPi will be untagged and for the reverse direction, the switch won't do anything with a packet if the RasPi sends a tagged packet--all traffic in/out of the switch on the LAN ports can only be untagged to go anywhere.  The bullet is the router-gateway between the RasPi and your home network.  I'd recommend debugging by "ssh root@<RasPi IP>" and running the command, "traceroute 8.8.4.4".  You should see the following path:

1 localnode.local.mesh [10.x.x.x]  <- the bullet on port 2

2 192.168.1.1   <- or whatever your home network router is

3 An IP address of your service provider

4 ... and so on 

how far does it get?  the RasPi may have access to the internet, but have other road blocks for updating packages.   

One option you might consider is loading OpenWRT on to the RasPi, which AREDN is based on.  The out-of-box user interface, called Luci enables configuring the network of the device without having to know linux--installing packages, setting up all the interfaces, etc.    Many widely used packages have Luci plugins for configuring in the UI.  If you are digging further into linux, it would also be less confusing to be looking at one flavor of linux on both AREDN and RasPi. 

Joe AE6XE

n4ldr
Thanks for the help !

Thanks so much for the assistance, if nothing else I am learning a lot of Linux and Networking.

I thought I had the switch configured correctly.  Still new with these smart switches.

The node assigned the IP for the Raspberry Pi, so I just assumed it was handling the gateway information.  Just added the routing to the /etc/network/interfaces file.

I was not aware of the port "2222" for sshing into the nodes.  That worked perfectly, although not needed.

Now for the hard question... how to use tunnel to bridge my nodes with another via internet.

How do you port forward 5525 to a different IP Range / Subnet that is on the switch?

Do you just forward to the Smart Switch IP address ?

 

K5DLQ
K5DLQ's picture
to tunnel to another node on

to tunnel to another node on the internet, just setup a tunnel client on your node and make sure that whoever you are connecting to has a tunnel server setup on their node.

Or

vice versa.

 

IF you are the tunnel server, you need to port forward your internet router to pass port 5525 to your node's WAN address.

n4ldr
I am using Comcast/Xfinity

I am using Comcast/Xfinity Modem/Router.  Comcast's router IP range is 10.0.0.x / netmask 255.255.255.0  

The Node behind the switch is 10.0.46.x / netmask 255.255.255.248

When trying to port 5525 to the node's address I get the error message on the router, any idea's around it ?

 

Image Attachments: 
K5DLQ
K5DLQ's picture
your nodes WAN ip will be on

look on your node status page.

You need to look for the WAN IP address and forward to that.  it should be a 10.0.0.x according to your internal network addressing scheme.

 

n4ldr
Thank you.  For some reason I

Thank you.  For some reason I thought it had to direct to the MeshNode's gateway.

kc1bhd
Comcast
Have Comcast set their router to bridge mode. This will let you connect your own router and you can control your LAN ip.
KA9Q
Agreed! I can't stand being

Agreed! I can't stand being forced to use ISP-supplied routers. There's almost always something I want to do that it won't let me do, or a misfeature that I can't turn off, or a security bug that can't be patched. I build my own Linux boxes to act as my routers.

Things might get easier with IPv6 since it eliminates the #1 home-router-related hassle, that of making a server on your LAN accessible from the outside world. NAT and port forwarding become relics of the past.

 

n4ldr
No Joy on Tunneling !

No Joy on Tunneling !

I upgraded all nodes to b04.  

Cable Modem in Bridge Mode, to Router with port #5525 to Mesh Node's WAN.

Server Node:

Tunnel Server DNS Name = Address of Cable Modems IP address

Client Node: Server Address = Address of Cable Modems IP Address, password and the 172.x.x.x address on the tunnel server.

All Enabled Check boxes are enabled, Nodes have been rebooted.  Never get an Active Status.

SSH'd into each Node...

Tunnel Server:

>ps|grep vtun

 3998 root      2620 S    vtund[s]: waiting for connections on port 5525

Tunnel Client:

>ps|grep vtun

 6221 root      2620 S    vtund[c]: (Client Name-172-31-171-1 connecting to Tunnel DNS name. (This is pingable)

Any suggestions as to how to text, find where the failure is happening ?

Running out of idea's.

73 N4LDR (Loren)

K5DLQ
K5DLQ's picture
one thing to try: 

one thing to try: 

SSH into the CLIENT node, try and "telnet <your tunnel server IP> 5525"

if you get a "VTUN 3.x" response, you know it is routing through the internet/cablemodem/router/server node properly.

 

n4ldr
Port 5525 not working

Thanks for the information.

I was not able to telnet using port 5525.

I edited etc/config.mesh/firewall  and /etc/config.mesh/vtun using port #2250

Still was not able to connect or telnet.

edited /tmp/vtun/vtundsrv.conf and changed the port and issues vtund -s -f vtundsrv.conf and the tunnel works.

How can I make this change persistant.  Everything I have tried, upon rebooting. the node is still listening on 5525.

 

K5DLQ
K5DLQ's picture
in /etc/config/vtun,

in /etc/config/vtun,

after the line:   config options

add:

option port 2252

then restart the node.

 

KE2N
KE2N's picture
tunnel port

I am trying to do a tunnel (unsuccessfully) with another ham who has Comcast, so I thought I would try the alternate port number.

I changed the port number in firewall_tun and added the line in vtun, saved and rebooted.  But it seems that my server node is "not listening" on 2252 (according to portqryui).  It is not listening on 5525 either - which it was before.

So did I miss something?

Tnx

Ken

KE2N
KE2N's picture
firmware

sorry: this is with 3.15.1.0b4 and Rocket M2

 

K5DLQ
K5DLQ's picture
you must make sure that you

you must make sure that you have a valid client defined in order for the vtun service to start.  If you have no clients listed, then the server will not start.

try a:

ps -w|grep tun

and check the output

 

KE2N
KE2N's picture
output

it looks like it's running:
 1335 root      2620 S    vtund[s]: waiting for connections on port 2252

but not listening:
TCP port 2252 (unknown service): NOT LISTENING
portqry.exe -n 192.168.1.190 -e 2252 -p TCP exits with return code 0x00000001.

does that make any sense? Before, it *was* listening... but my local local client was showing as active and now its not.

Ken

KE2N
KE2N's picture
plan B

I changed my files back to 5525 and now my server is LISTENING again.  I do not know why I could not make 2252 work. I actually changed the port number in 3 files, although I am sure one of them was redundant being overwritten anyway on save/reboot.

My colleague changed his connection from Comcast to Verizon and his tunnel connection came up   :-)

Given that Comcast still has a few customers who have not yet quit, you might want to seriously consider make this port change a "feature". 

Thank you and 73
Ken

AE6XE
AE6XE's picture
Ken,  
Ken,  

The firewall rules of an AREDN node explicitly define what incoming ports are allowed.   To change the port # in the vtun config files would also necessitate going into the following files to change the port # accordingly (then reboot or restart firewall):

/etc/config/firewall
/etc/config.mesh/firewall

Joe AE6XE
n4ldr
Worked Beautifully !

That did it !  Thanks Much.

Not sure why 5525 is blocked by my provider.

Maybe it would be a nice feature in the Tunnel Section to also have a Location to specify a Port# instead of manual edits.

 

K5DLQ
K5DLQ's picture
yeah.  I built it be

yeah.  I built it be configurable, but, this version just doesn't expose that in the web interface.  Maybe in the future if there is demand.

Theme by Danetsoft and Danang Probo Sayekti inspired by Maksimer