[solved] fwknopd not working on router connected to wan by pppoe

TL;DR - if your router is connected to the internet by pppoe (common for DSL), the correct setting for PCAP_INTF is pppoe-wan, not eth0, as I had supposed.

I've left all of my noob ramblings below so you can all feel better about yourselves.

********Original stuff below

I'm trying to set up single packet authorization on my Netgear R7500v2 using the luci-app-fwknopd package, but it looks like SPA packets are not being noticed by the router.

The luci-app-fwknopd package installed without any errors, and I rebooted the modem.

I installed the fwknop2 app on my android phone from google play.

I scanned the QR code generated by luci-app-fwknopd, and the key information transferred to my phone correctly.

On the phone app, I set the url of my router and the port I wish to open, saved, and attempted a port knock.

Checked the firewall on the router to see if the new rule opening the tcp port for SSH access was added. It was not.

Checked the system log. There is logging about startup of fwknopd, but no log of having received a SPA packet.

DDNS is working properly.

Does anyone know a good way to troubleshoot whether my phone is sending a proper SPA packet, and if it is arriving at my router? From what I can tell, if the packet is arriving, the router is not noticing it.

Thanks.

Anyone have thoughts on how to troubleshoot?

You can see the system log output on start of fwknopd. The system logs startup, but if I look after attempting to send the SPA, I see nothing.

I don't think the problem lies with the unknown access parameters being ignored - in the access.conf file, the key and hkey are correctly identified as base64 - nor do I think it lies with the warning.

LOG:
Thu Jan 26 07:33:29 2017 daemon.err fwknopd[5252]: [] Ignoring unknown access parameter: 'keytype' in /var/etc/access.conf
Thu Jan 26 07:33:29 2017 daemon.err fwknopd[5252]: [] Ignoring unknown access parameter: 'hkeytype' in /var/etc/access.conf
Thu Jan 26 07:33:29 2017 daemon.info fwknopd[5252]: Warning: REQUIRE_SOURCE_ADDRESS not enabled for access stanza source: 'ANY'
Thu Jan 26 07:33:29 2017 daemon.info fwknopd[5252]: Re-starting fwknopd
Thu Jan 26 07:33:29 2017 daemon.info fwknopd[5252]: Added jump rule from chain: INPUT to chain: FWKNOP_INPUT
Thu Jan 26 07:33:29 2017 daemon.info fwknopd[5252]: Added jump rule from chain: FORWARD to chain: FWKNOP_FORWARD
Thu Jan 26 07:33:29 2017 daemon.info fwknopd[5252]: Added jump rule from chain: PREROUTING to chain: FWKNOP_PREROUTING
Thu Jan 26 07:33:29 2017 daemon.info fwknopd[5252]: iptables 'comment' match is available
Thu Jan 26 07:33:29 2017 daemon.info fwknopd[5252]: Sniffing interface: eth0
Thu Jan 26 07:33:29 2017 daemon.info fwknopd[5252]: PCAP filter is: 'udp port 62201'
Thu Jan 26 07:33:29 2017 daemon.info fwknopd[5252]: Starting fwknopd main event loop.

OK, so I tried changing the config for fwknopd so that it is listening on my wlan. Then if I send the packet from my phone on my wireless network, I see this in my syslog:

Fri Jan 27 07:47:30 2017 daemon.info fwknopd[7626]: (stanza #1) SPA Packet from IP: {redacted} received with access source match
Fri Jan 27 07:47:30 2017 daemon.warn fwknopd[7626]: {redacted} (stanza #1) Got 0.0.0.0 when valid source IP was required.

So it looks like fwknopd can sniff out the packet correctly if it is inside my network. Could this be an issue with default firewall settings for fwknopd?

Also, even though fwknopd said it received the SPA packet, I could not see any change to the firewall configuration for opening the designated port. Where would I look for that?

I opened the port fwknopd was listening on and that didn't help. I think that was dumb because the whole point with fwknopd is that you can leave your wan firewall in the default drop state.

I'm now wondering if this could have anything to do with the wan port being a pppoe connection? I'm currently using my modem in "passthrough" mode, with the R7500v2 handling the pppoe connection.

I'll try having the modem handle the pppoe and connecting the router to the modem on a DHCP ethernet connection. I guess I'll also have to set up a static route on the modem to forward UDP traffic on the sniffing port to my router.
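An added check for the mismatch described in the TL;DR (example script, not from the original post or the fwknopd project): it compares the interface that carries the default route, where SPA packets from the internet actually arrive, with the interface fwknopd reports sniffing at startup. The `ip route` output and the fwknopd log lines below are constructed samples; on a real router feed it `ip route` and `logread` output instead.

```shell
#!/bin/sh
# Constructed sample of `ip route` on a router doing pppoe itself (not from the post).
SAMPLE_ROUTES='default via 10.0.0.1 dev pppoe-wan proto static
10.0.0.1 dev pppoe-wan proto kernel scope link src 203.0.113.5
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1'

# Constructed sample of fwknopd startup log lines, same wording as the post's syslog.
SAMPLE_LOG='Thu Jan 26 07:33:29 2017 daemon.info fwknopd[5252]: Sniffing interface: eth0
Thu Jan 26 07:33:29 2017 daemon.info fwknopd[5252]: Starting fwknopd main event loop.'

# Interface carrying the default route: inbound SPA packets from the internet hit this one.
wan_iface() {
    printf '%s\n' "$1" |
        awk '$1 == "default" { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# Interface fwknopd says it is sniffing (last "Sniffing interface: X" line wins).
sniff_iface() {
    printf '%s\n' "$1" | sed -n 's/.*Sniffing interface: \([^ ]*\).*/\1/p' | tail -n 1
}

# Returns 0 when fwknopd sniffs the WAN interface, 1 on a mismatch (and prints what to change).
check_pcap_intf() {
    wan=$(wan_iface "$1")
    sniff=$(sniff_iface "$2")
    if [ -z "$wan" ] || [ -z "$sniff" ]; then
        echo "could not determine interfaces (wan='$wan', sniff='$sniff')"
        return 1
    fi
    if [ "$wan" = "$sniff" ]; then
        echo "ok: fwknopd sniffs $sniff, which carries the default route"
        return 0
    fi
    echo "mismatch: fwknopd sniffs '$sniff' but the default route is on '$wan'"
    echo "set PCAP_INTF to '$wan' in the fwknopd config and restart fwknopd"
    return 1
}

# Demo on the constructed samples; on a router use:
#   check_pcap_intf "$(ip route)" "$(logread | grep fwknopd)"
check_pcap_intf "$SAMPLE_ROUTES" "$SAMPLE_LOG" || true
```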