Fixed external IP setup

[atheling]

Trying to setup a net5501 with one additional interface card added. Configuration:

PPPoE -> ETH0 -> DSL modem
ETH1 -> Cable Modem with static IP address allocation
ETH2 -> local wifi network (Zeroshell is DHCP server)
ETH3 -> local phone network (Zeroshell is DHCP server)
ETH4 -> local computer network (Zeroshell is DHCP server)

The PPPoE link, which I expected to have problems with, came right up. 🙂

ETH1 behavior:
1. Have link up indication.
2. Can open cable modem’s web interface page on the GW IP.
3. From the cable modem’s diagnostic page I am successful at pinging everything I’ve tried.
So link to modem is up, I can access the modem through Zeroshell and modem sees the world. But I can not access anything through that link from Zeroshell past the modem. Modem configuration unchanged from that which works with my old router.

Tried turning off my load balance setup (set for failover with Cable modem being highest priority) and simply putting the cable modem as the default GW. Have the same problem. (Load balancing showed ETH1 down because it was unable to ping the target IP addresses, so load balance was using the PPPoE link which it was able to successfully ping those same addresses with).

Tried setting the default route to be the interface and tried with default route being the modem’s IP addresss. Same result.

Wondered if there was an issue with NAT on that interface but the setup form on Zeroconf shows the same setup as for PPPoE which is working.

I’ve also put in some firewall rules that I thought might affect things but they are identical for input and forwarding for PPPoE and for ETH1. And, of course, the PPPoE side is working.

Suggestions on where to start looking on this? (Had to put the old router back online, so there will be some futzing to run test cases or screen shots.)

Thanks!

[ppalias]

ppp0 and ETH01 must have NAT enabled. Otherwise if you don’t masquerade the ETH01 interface you will have to add the internal prefixes in the cable modem routing table.

[atheling]

@ppalias wrote:

ppp0 and ETH01 must have NAT enabled. Otherwise if you don’t masquerade the ETH01 interface you will have to add the internal prefixes in the cable modem routing table.

I do have NAT enabled on ppp0 and ETH01. And also, for that matter on ETH00.

I don’t see how to put an attachment on this forum, so please forgive me for posting the following in the body of this post. The routing, network interface and firewall rules below are from the console interface. The NAT listing is from the web UI (I’ve edited the IP addresses to aa.bb.cc.NN and xx.yy.zz.NN):

====================

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
aa.bb.cc.1 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
xx.yy.zz.180 0.0.0.0 255.255.255.252 U 0 0 0 ETH01
10.7.52.0 0.0.0.0 255.255.255.0 U 0 0 0 ETH04
10.7.53.0 0.0.0.0 255.255.255.0 U 0 0 0 ETH03
192.168.250.0 0.0.0.0 255.255.255.0 U 0 0 0 VPN99
10.7.54.0 0.0.0.0 255.255.255.0 U 0 0 0 ETH02
10.4.27.0 0.0.0.0 255.255.255.0 U 0 0 0 ETH00
0.0.0.0 xx.yy.zz.182 0.0.0.0 UG 0 0 0 ETH01

====================

********* VIA Technologies, Inc. VT6105M [Rhine-III] (rev 96)
Status: 100Mb/s Full Duplex
ETH00 Link encap:Ethernet HWaddr 00:00:24:CC:59:6C
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4215 errors:0 dropped:0 overruns:0 frame:0
TX packets:4269 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3200564 (3.0 Mb) TX bytes:1153881 (1.1 Mb)
Interrupt:11 Base address:0x6000
IP 10.4.27.25/24 brd 10.4.27.255
********* VIA Technologies, Inc. VT6105M [Rhine-III] (rev 96)
Status: 100Mb/s Full Duplex
ETH01 Link encap:Ethernet HWaddr 00:00:24:CC:59:6D
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:602 errors:0 dropped:0 overruns:0 frame:0
TX packets:3520 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:366852 (358.2 Kb) TX bytes:566241 (552.9 Kb)
Interrupt:5 Base address:0x8100
IP xx.yy.zz.181/30 brd xx.yy.zz.183
********* VIA Technologies, Inc. VT6105M [Rhine-III] (rev 96)
Status: 100Mb/s Full Duplex
ETH02 Link encap:Ethernet HWaddr 00:00:24:CC:59:6E
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:10 errors:0 dropped:0 overruns:0 frame:0
TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1750 (1.7 Kb) TX bytes:1046 (1.0 Kb)
Interrupt:9 Base address:0x6200
IP 10.7.54.1/24 brd 10.7.54.255
********* VIA Technologies, Inc. VT6105M [Rhine-III] (rev 96)
Status: 100Mb/s Full Duplex
ETH03 Link encap:Ethernet HWaddr 00:00:24:CC:59:6F
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1837 errors:0 dropped:0 overruns:0 frame:0
TX packets:911 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:382707 (373.7 Kb) TX bytes:291868 (285.0 Kb)
Interrupt:12 Base address:0x8300
IP 10.7.53.1/24 brd 10.7.53.255
********* Realtek Semiconductor Co., Ltd. RTL-8169 Gigabit Ethernet (rev 10)
Status: 1000Mb/s Full Duplex
ETH04 Link encap:Ethernet HWaddr 00:14:D1:1A:A8:D2
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:14211 errors:0 dropped:0 overruns:0 frame:0
TX packets:9927 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2480487 (2.3 Mb) TX bytes:5446520 (5.1 Mb)
Interrupt:10 Base address:0xc400
IP 10.7.52.1/24 brd 10.7.52.255
********* Host-to-LAN OpenVPN Interface
Status: Connections from Road Warrior clients not accepted
VPN99 Link encap:Ethernet HWaddr 00:FF:5F:B5:D8:BB
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
IP 192.168.250.254/24 brd 192.168.250.255
********* Covad
Status: Connected
ppp0 Link encap:Point-to-Point Protocol
inet addr:aa.bb.cc.55 P-t-P:aa.bb.cc.1 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
RX packets:4013 errors:0 dropped:0 overruns:0 frame:0
TX packets:4062 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:3100062 (2.9 Mb) TX bytes:1058190 (1.0 Mb)
IP aa.bb.cc.55 peer aa.bb.cc.1/32

====================

Chain INPUT (policy ACCEPT 1210 packets, 163K bytes)
pkts bytes target prot opt in out source destination
7457 855K SYS_INPUT all — * * 0.0.0.0/0 0.0.0.0/0
1 40 SYS_HTTPS tcp — * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
4018 427K SYS_HTTPS tcp — * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
1148 67569 SYS_SSH tcp — * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT icmp — ETH00 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp — ETH00 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 DROP all — ETH00 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp — ETH01 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp — ETH01 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
40 1964 DROP all — ETH01 * 0.0.0.0/0 0.0.0.0/0
199 17958 ACCEPT icmp — ppp0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp — ppp0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
29 1420 DROP all — ppp0 * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT 9800 packets, 5134K bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 6784 packets, 1909K bytes)
pkts bytes target prot opt in out source destination
8607 2086K SYS_OUTPUT all — * * 0.0.0.0/0 0.0.0.0/0

Chain NetBalancer (0 references)
pkts bytes target prot opt in out source destination

Chain SYS_HTTPS (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all — lo * 0.0.0.0/0 0.0.0.0/0
4018 427K ACCEPT all — * * 10.7.52.0/24 0.0.0.0/0
1 40 DROP all — * * 0.0.0.0/0 0.0.0.0/0

Chain SYS_INPUT (1 references)
pkts bytes target prot opt in out source destination
496 71749 ACCEPT all — lo * 0.0.0.0/0 0.0.0.0/0
248 66911 ACCEPT udp — * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 state ESTABLISHED
30 34554 ACCEPT tcp — * * 0.0.0.0/0 0.0.0.0/0 tcp spt:80 state ESTABLISHED
0 0 ACCEPT tcp — * * 0.0.0.0/0 0.0.0.0/0 tcp spt:8245 state ESTABLISHED
38 2888 ACCEPT udp — * * 0.0.0.0/0 0.0.0.0/0 udp spt:123 state ESTABLISHED
6645 679K RETURN all — * * 0.0.0.0/0 0.0.0.0/0

Chain SYS_OUTPUT (1 references)
pkts bytes target prot opt in out source destination
501 72161 ACCEPT all — * lo 0.0.0.0/0 0.0.0.0/0
1053 85314 ACCEPT udp — * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
66 3976 ACCEPT tcp — * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp — * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8245
203 15428 ACCEPT udp — * * 0.0.0.0/0 0.0.0.0/0 udp dpt:123
6784 1909K RETURN all — * * 0.0.0.0/0 0.0.0.0/0

Chain SYS_SSH (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all — lo * 0.0.0.0/0 0.0.0.0/0
1148 67569 ACCEPT all — * * 10.7.52.0/24 0.0.0.0/0
0 0 DROP all — * * 0.0.0.0/0 0.0.0.0/0

====================

Port Forwarding and Source NAT (NAT):
Chain PREROUTING (policy ACCEPT 1058 packets, 84005 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp — * * 0.0.0.0/0 xx.yy.zz.181 tcp dpt:22 to:10.7.52.130:22
0 0 DNAT tcp — * * 0.0.0.0/0 xx.yy.zz.181 tcp dpt:25 to:10.7.52.130:25
1 64 DNAT tcp — * * 0.0.0.0/0 xx.yy.zz.181 tcp dpt:80 to:10.7.52.130:80
0 0 DNAT tcp — * * 0.0.0.0/0 xx.yy.zz.181 tcp dpt:110 to:10.7.52.130:110
0 0 DNAT tcp — * * 0.0.0.0/0 xx.yy.zz.181 tcp dpt:443 to:10.7.52.130:443
0 0 DNAT tcp — * * 0.0.0.0/0 xx.yy.zz.181 tcp dpt:587 to:10.7.52.130:587
2 128 DNAT tcp — * * 0.0.0.0/0 xx.yy.zz.181 tcp dpt:995 to:10.7.52.130:995
0 0 DNAT tcp — * * 0.0.0.0/0 xx.yy.zz.181 tcp dpt:2401 to:10.7.52.130:2401
0 0 DNAT tcp — * * 0.0.0.0/0 xx.yy.zz.181 tcp dpt:5060 to:10.7.52.131:5060
0 0 DNAT udp — * * 0.0.0.0/0 xx.yy.zz.181 udp dpt:5060 to:10.7.52.131:5060
0 0 DNAT tcp — * * 0.0.0.0/0 aa.bb.cc.55 tcp dpt:22 to:10.7.52.130:22
63 3164 DNAT tcp — * * 0.0.0.0/0 aa.bb.cc.55 tcp dpt:25 to:10.7.52.130:25
3 188 DNAT tcp — * * 0.0.0.0/0 aa.bb.cc.55 tcp dpt:80 to:10.7.52.130:80
0 0 DNAT tcp — * * 0.0.0.0/0 aa.bb.cc.55 tcp dpt:110 to:10.7.52.130:110
1 64 DNAT tcp — * * 0.0.0.0/0 aa.bb.cc.55 tcp dpt:443 to:10.7.52.130:443
0 0 DNAT tcp — * * 0.0.0.0/0 aa.bb.cc.55 tcp dpt:587 to:10.7.52.130:587
0 0 DNAT tcp — * * 0.0.0.0/0 aa.bb.cc.55 tcp dpt:995 to:10.7.52.130:995
0 0 DNAT tcp — * * 0.0.0.0/0 aa.bb.cc.55 tcp dpt:2401 to:10.7.52.130:2401
0 0 DNAT tcp — * * 0.0.0.0/0 aa.bb.cc.55 tcp dpt:5060 to:10.7.52.131:5060
3 1719 DNAT udp — * * 0.0.0.0/0 aa.bb.cc.55 udp dpt:5060 to:10.7.52.131:5060

Chain POSTROUTING (policy ACCEPT 160 packets, 16708 bytes)
pkts bytes target prot opt in out source destination
2552 211K SNATVS all — * * 0.0.0.0/0 0.0.0.0/0
1 64 MASQUERADE all — * ETH00 0.0.0.0/0 0.0.0.0/0
1247 101K MASQUERADE all — * ETH01 0.0.0.0/0 0.0.0.0/0
1146 93107 MASQUERADE all — * ppp0 0.0.0.0/0 0.0.0.0/0

Chain SNATVS (1 references)
pkts bytes target prot opt in out source destination

[atheling]

In case anyone cares, the issue is that the cable modem was blocking traffic because the MAC address on the ethernet interface on the new net5501 Zeroshell router was different than that on the old router.

I was able to change the MAC address via the shell to prove that was the issue. But that does not survive a power cycle.

I don’t see a way in the UI to set MAC addresses on interfaces. Am I missing it? Or, is there a start up script that I could edit to set the MAC address on boot?

I’ll also look into seeing if the net5501 has a bios setup that will change the MAC address…

[ppalias]

Yes you can change the MAC address of an interface, if that would solve the problem. While the interface is in down state issue the command:

ifconfig ETH01 hw 00:11:22:33:44:55

You can modify the script

/root/kerbynet.cgi/scripts/setinterface

and in line 57 change this

      ifconfig $INTERFACENAME:$A $IP netmask $NETMASK broadcast `getbroadcast $IP $NETMASK` $STATUS 2>/dev/null >/dev/null

into this

      ifconfig $INTERFACENAME:$A hw 00:11:22:33:44:55 $IP netmask $NETMASK broadcast `getbroadcast $IP $NETMASK` $STATUS 2>/dev/null >/dev/null

[atheling]

Thank you ppalias for all the help you have given me and everyone else on this forum!

I wasn’t able to make the change suggested by you to stick: /root is actually RAM disk and disappears on reboot. And I did not see where on the “cdrom” (actually flash memory) partition this existed. I guess its a compressed file that is expanded into the RAM disk…

But I was able to use the UI (in the “Setup”->”Startup/Cron” page) to create a “post boot” script that seems to do the trick for me:

# Startup Script
ifconfig ETH01 down
ifconfig ETH01 hw ether 00:09:A3:00:2F:52
ifconfig ETH01 up

[ppalias]

To avoid this down-up of the interface you can do the following…

1) Copy the file

/root/kerbynet.cgi/scripts/setinterface

somewhere in /Database
2) Change the line that I mentioned above
3) Add a pre-boot script that copies the file from the /Database to the place of the original.

[atheling]

I don’t see it documented on the zeroshell website and I am not home to look through all the scripts at the moment. Am I correct in assuming that when a database save is done everything in the database directory and below it is tarred and zipped?

So anything I put there will be backed up and properly restored?

If so then I could create a “local” or “custom” subdirectory in there, populate it with any and all scripts I wish to alter. Then a generic “pre boot” script could copy all of them to the scripts directory.

Is this correct? (Still learning how this distribution is put together.)

Thank you again!

[ppalias]

@atheling wrote:

I don’t see it documented on the zeroshell website and I am not home to look through all the scripts at the moment. Am I correct in assuming that when a database save is done everything in the database directory and below it is tarred and zipped?

Yes

@atheling wrote:

So anything I put there will be backed up and properly restored?

Yes
@atheling wrote:

If so then I could create a “local” or “custom” subdirectory in there, populate it with any and all scripts I wish to alter. Then a generic “pre boot” script could copy all of them to the scripts directory.

Yes

[atheling]

Hi ppalias!

Your suggestions worked well with the following issue: Even in the setinterface script you need to set that interface down while changing the MAC address.

Based on your suggestion, I now have a short generic script set into the “pre-boot” which copies anything it finds in /Database/custom/ to the scripts directory. That works really well.

And I did check the backup script to find that the backup file is simply a uuencoded tgz file of the “database” area. Simple enough and very effective.

Thank you for your help! (I’ll undoubtably have other questions in other threads).

[Author]

Posts