moshem
August 10, 2020, 4:52am
1
I followed the guide here dozens of times:
https://openwrt.org/docs/guide-user/virtualization/virtualbox-vm
My /etc/config/network:
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fde2:3e1c:b155::/48'
config interface 'mng'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.56.2'
option netmask '255.255.255.0'
option ip6assign '60'
option ifname 'eth0'
config interface 'wan'
option ifname 'eth1'
option proto 'dhcp'
config interface 'lan'
option proto 'dhcp'
option ifname 'eth2'
The last interface, on eth2, is optional according to the guide and made no difference.
The "router" is working fine; it has internet connectivity and can ping the real router in my office (192.168.1.1).
The host machine running the VM can SSH into the VM and can ping both the VM and the real router.
All is fine until I change my iOS device to manual and give it a static IP with the router VM as the gateway and DNS address;
however, the iOS device, which is connected to the WIFI network (my real router) and configured to use the VM gateway, has no internet connection...
I tried to set up routes like
route add 10.0.3.0 gateway 192.168.1.1 eth0
but still no internet.
What am I doing wrong?
BTW, my ifconfig in OpenWrt:
root@OpenWrt:~# ifconfig
br-mng Link encap:Ethernet HWaddr 08:00:27:04:B8:B1
inet addr:192.168.56.2 Bcast:192.168.56.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fe04:b8ba/64 Scope:Link
inet6 addr: fde2:3e1c:b155::1/60 Scope:Global
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:290 errors:0 dropped:0 overruns:0 frame:0
TX packets:161 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:21576 (21.0 KiB) TX bytes:19298 (18.8 KiB)
eth0 Link encap:Ethernet HWaddr 08:00:27:04:B8:B2
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3191 errors:0 dropped:0 overruns:0 frame:0
TX packets:2375 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:387765 (378.6 KiB) TX bytes:897675 (876.6 KiB)
eth1 Link encap:Ethernet HWaddr 08:00:27:ED:A0:31
inet addr:10.0.3.15 Bcast:10.0.3.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:feed:a032/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:75708 errors:0 dropped:0 overruns:0 frame:0
TX packets:2879 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:15326164 (14.6 MiB) TX bytes:215731 (210.6 KiB)
eth2 Link encap:Ethernet HWaddr 08:00:27:04:B8:B2
inet addr:192.168.1.53 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fe04:b8b1/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:9214 errors:0 dropped:0 overruns:0 frame:0
TX packets:75821 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1137386 (1.0 MiB) TX bytes:15337676 (14.6 MiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:536 errors:0 dropped:0 overruns:0 frame:0
TX packets:536 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:38199 (37.3 KiB) TX bytes:38199 (37.3 KiB)
moshem:
however the iOS device which connected to the WIFI network (my real router) configured to use the VM gateway has no internet connection...
I tried to setup routes like
router add 10.0.3.0 gateway 192.168.1.1 eth0
route add -net, ... check all your routes.... nat etc.
Check all links one at a time... direct... the way you are testing your client, while not impossible... is not the 'directest' approach... nor have you provided a definitive / exhaustive breakdown of what is happening with it...
moshem
August 10, 2020, 5:40am
3
I checked and tried many approaches.
I understand my specific setup is kind of weird, but if I want a WIFI device (my phone) to connect to the network I need it to go through a real WIFI router (192.168.1.1 WIFI) but be set up with manual settings:
static ip: 192.168.1.10
mask: 255.255.255.0
gateway: 192.168.1.53
dns: 192.168.1.53
My VM router's routing table:
root@OpenWrt:~# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 10.0.3.2 0.0.0.0 UG 0 0 0 eth1
10.0.3.0 * 255.255.255.0 U 0 0 0 eth1
192.168.1.0 192.168.1.1 255.255.255.0 UG 0 0 0 eth2
192.168.56.0 * 255.255.255.0 U 0 0 0 br-mng
Not sure if my routing table is missing something; I'm not an expert.
Using the iOS libTerm app I can ping 192.168.1.53 while connected to the real router's WIFI and set up with the 192.168.1.53 gateway; I cannot, however, ping 192.168.56.2.
Any other information I can provide?
uci show firewall
p.s. the router 192.168.1.x should ideally not be dhcp... (imho)
moshem
August 10, 2020, 5:56am
5
192.168.1.1 is the main router; it is the one connected to the external internet and the only device seeing all clients. Why shouldn't it be the DHCP server? Who else?
Firewall:
root@OpenWrt:~# uci show firewall
firewall.@rule[0]=rule
firewall.@rule[0].src='lan'
firewall.@rule[0].proto='tcp'
firewall.@rule[0].dest_port='ssh'
firewall.@rule[0].target='ACCEPT'
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].input='ACCEPT'
firewall.@zone[1].forward='ACCEPT'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[1]=rule
firewall.@rule[1].dest='lan'
firewall.@rule[1].proto='all'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[1].src='wan'
firewall.@rule[2]=rule
firewall.@rule[2].dest='wan'
firewall.@rule[2].proto='all'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[2].src='lan'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCP-Renew'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].dest_port='68'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[3].family='ipv4'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-Ping'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].icmp_type='echo-request'
firewall.@rule[4].family='ipv4'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-IGMP'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='igmp'
firewall.@rule[5].family='ipv4'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-DHCPv6'
firewall.@rule[6].src='wan'
firewall.@rule[6].proto='udp'
firewall.@rule[6].src_ip='fc00::/6'
firewall.@rule[6].dest_ip='fc00::/6'
firewall.@rule[6].dest_port='546'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-MLD'
firewall.@rule[7].src='wan'
firewall.@rule[7].proto='icmp'
firewall.@rule[7].src_ip='fe80::/10'
firewall.@rule[7].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[7].family='ipv6'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ICMPv6-Input'
firewall.@rule[8].src='wan'
firewall.@rule[8].proto='icmp'
firewall.@rule[8].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[8].limit='1000/sec'
firewall.@rule[8].family='ipv6'
firewall.@rule[8].target='ACCEPT'
firewall.@rule[9]=rule
firewall.@rule[9].name='Allow-ICMPv6-Forward'
firewall.@rule[9].src='wan'
firewall.@rule[9].dest='*'
firewall.@rule[9].proto='icmp'
firewall.@rule[9].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[9].limit='1000/sec'
firewall.@rule[9].family='ipv6'
firewall.@rule[9].target='ACCEPT'
firewall.@rule[10]=rule
firewall.@rule[10].name='Allow-IPSec-ESP'
firewall.@rule[10].src='wan'
firewall.@rule[10].dest='lan'
firewall.@rule[10].proto='esp'
firewall.@rule[10].target='ACCEPT'
firewall.@rule[11]=rule
firewall.@rule[11].name='Allow-ISAKMP'
firewall.@rule[11].src='wan'
firewall.@rule[11].dest='lan'
firewall.@rule[11].dest_port='500'
firewall.@rule[11].proto='udp'
firewall.@rule[11].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@zone[2]=zone
firewall.@zone[2].name='surf_vpn'
firewall.@zone[2].mtu_fix='1'
firewall.@zone[2].input='REJECT'
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].masq='1'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].network=' '
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest='lan'
firewall.@forwarding[1].src='wan'
this is what I mean... you have a reservation?
moshem
August 10, 2020, 6:36am
7
You mean setting it up as a static address, no reservations.
Any suggestions as to which? Currently my real router assigns 192.168.1.53 to this network adapter, which is accessible to my iPhone (it can ping), but when used as the gateway.. no internet...
so you are doing something like this then? same subnet 'pre-gateway'?
where are your firewall rules between the 1.x and 56.x network? and why does 56 exist in the first place if you're assigning dhcp to the iphone and router... only thing that makes sense is similar to diagram above... ( where all vmnics are bridged and isolation is purely logical )
where do wan and 56.x go?
are all vmnics bridged?
(diagram needed)
some general advice...
simplify your topology a little...
use a wired client test from both sides of the vm
EDIT: or perhaps draw a diagram similar to the one above for your intended setup... so we can better understand how to assist.
Have a read / look at some of the topologies and examples virtualbox advanced it might help to refer to or grasp what you are currently doing...
moshem
August 10, 2020, 5:17pm
9
Good questions; maybe I am not understanding these right. I followed the setup in the guide thinking these are required because of the virtualization.
Here is an illustration of the setup:
moshem
August 10, 2020, 5:28pm
10
Changed my /etc/config/network to reflect a static IP for eth2 as you suggested and added a bunch of routing rules that didn't help:
config interface 'wan'
option ifname 'eth1'
option proto 'dhcp'
config interface 'lan'
option proto 'static'
option ifname 'eth2'
option ipaddr '192.168.1.53'
option netmask '255.255.255.0'
option ip6assign '60'
config route
option target '192.168.56.0'
option gateway '192.168.1.1'
option netmask '255.255.255.0'
option interface 'mng'
config route
option target '192.168.1.0'
option gateway '192.168.1.1'
option netmask '255.255.255.0'
option interface 'lan'
config route
option target '192.168.1.0'
option gateway '192.168.1.1'
option netmask '255.255.255.0'
option interface 'lan'
config route
option target '10.0.3.0'
option gateway '192.168.1.1'
option netmask '255.255.255.0'
option interface 'lan'
config route
option target '10.0.3.0'
option gateway '192.168.56.0'
option netmask '255.255.255.0'
option interface 'lan'
(remove the routes for a bit - cp /etc/config/network /config-network-w-routes )
step 1 > have you configured the gateway on vm:eth2>192.168.1.1 [ no ]
step 2 > you are sending dns to the vm... as it now has a static ip... it also needs a dns entry under eth2
option gateway '192.168.1.1'
option dns '192.168.1.1'
/etc/init.d/network restart
/etc/init.d/dnsmasq restart
Now this should work... the trouble is... you had this already when you had it setup as dhcp... so...
Step 3 > To simplify the firewall side of things... you might want to assign eth2 as your 'lan' interface... ( edit: I see that you've already taken care of this - do the restarts anyway )
uci -q set network.lan.ifname='eth2'
uci commit network
/etc/init.d/network restart
/etc/init.d/firewall restart
and you should be good to go...
( for reference... next time... use eth0 as your primary bridged lan interface )
moshem
August 10, 2020, 7:28pm
12
Did that; still the iPhone has no internet connection.
/etc/config/network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fde2:3e1c:b155::/48'
config interface 'mng'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.56.2'
option netmask '255.255.255.0'
option ip6assign '60'
option ifname 'eth0'
config interface 'wan'
option ifname 'eth1'
option proto 'dhcp'
config interface 'lan'
option proto 'static'
option ifname 'eth2'
option ipaddr '192.168.1.53'
option netmask '255.255.255.0'
option gateway '192.168.1.1'
option dns '192.168.1.1'
option ip6assign '60'
/etc/config/firewall
config rule
option src 'lan'
option proto 'tcp'
option dest_port 'ssh'
option target 'ACCEPT'
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option output 'ACCEPT'
option mtu_fix '1'
option input 'ACCEPT'
option forward 'ACCEPT'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option dest 'lan'
list proto 'all'
option target 'ACCEPT'
option src 'wan'
config rule
option dest 'wan'
list proto 'all'
option target 'ACCEPT'
option src 'lan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config zone
option name 'surf_vpn'
option mtu_fix '1'
option input 'REJECT'
option forward 'REJECT'
option masq '1'
option output 'ACCEPT'
option network ' '
config forwarding
option dest 'lan'
option src 'wan'
iOS device:
Connected to WIFI (192.168.1.1 router)
IPV4 Address->Manual
IP: 192.168.1.10
Subnet: 255.255.255.0
Router 192.168.1.53
DNS: 192.168.1.53
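An added check, written for this thread and not part of the original posts or of OpenWrt itself: it parses the native /etc/config/firewall syntax posted above (the earlier "uci show firewall" dump carries the same sections) and reports, for each forwarding, whether the destination zone exists and whether that zone sets masq. SAMPLE is a constructed excerpt modelled on the posted zones and forwardings, not a capture from the poster's VM.

```python
import shlex

# Constructed excerpt in /etc/config/firewall syntax, modelled on the zones and
# forwardings posted in the thread (not a capture from the poster's VM).
SAMPLE = """\
config zone
    option name 'lan'
    list network 'lan'
    option forward 'ACCEPT'
config zone
    option name 'wan'
    list network 'wan'
    list network 'wan6'
    option input 'ACCEPT'
    option forward 'ACCEPT'
config zone
    option name 'surf_vpn'
    option masq '1'
    option network ' '
config forwarding
    option src 'lan'
    option dest 'wan'
config forwarding
    option dest 'lan'
    option src 'wan'
"""

def parse_uci(text):
    """Parse native UCI syntax into a list of (section_type, {key: [values]})."""
    sections = []
    for raw in text.splitlines():
        words = shlex.split(raw, comments=True)  # "list network 'wan'" -> 3 tokens
        if not words:
            continue
        if words[0] == "config":                 # 'config zone' or 'config interface 'lan''
            name = words[2] if len(words) > 2 else None
            sections.append((words[1], {".name": [name]} if name else {}))
        elif words[0] in ("option", "list") and sections:
            value = words[2] if len(words) > 2 else ""
            sections[-1][1].setdefault(words[1], []).append(value)  # list keys accumulate
    return sections

def audit_forwardings(sections):
    """For each forwarding src->dest, report the dest zone's masq flag and input policy."""
    zones = {o["name"][0]: o for t, o in sections if t == "zone" and "name" in o}
    findings = []
    for t, o in sections:
        if t != "forwarding":
            continue
        dest = o["dest"][0]
        dz = zones.get(dest, {})
        findings.append({
            "src": o["src"][0], "dest": dest,
            "dest_exists": dest in zones,
            "dest_masq": dz.get("masq", ["0"])[0] == "1",   # OpenWrt's default wan zone sets masq '1'
            "dest_input": dz.get("input", ["(default)"])[0],
        })
    return findings
```

Run against the config as posted, the check reports dest_masq False for the lan to wan forwarding, because the posted wan zone sets no masq option while the unused surf_vpn zone does.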
moshem
August 10, 2020, 7:30pm
15
VM adapter #3
Exactly (I think) as described in the OpenWrt/VirtualBox guide.
go into the virtual box settings... untick connected for the two nics that are currently unused... ( virtually disconnect their cables )
can you ping between them now?
does opkg update work on the vm now?
is your macbook running a firewall?
moshem
August 10, 2020, 7:52pm
17
I unchecked "Cable connected" for Adapter 1 and Adapter 2, leaving only Adapter 3, meaning only the bridged adapter is connected.
I can ping 192.168.56.2
I can ping 192.168.1.1
opkg update fails, no internet (I am guessing that Adapter 1 took care of that courtesy of the VirtualBox network)
MacBook internal firewall is off
Sophos Home antivirus: I disabled as much of it as I could
BTW, I can probably upload the VirtualBox VM for you to see for yourself if you like.
this is what i reckon...
start with a brand new VM -> 1NIC only ( eth0=lan=bridged)
simply set the static ip + dns + gw
simple!
any other issues are at the MAC/Sophos /APClientIsolation level... and I vaguely remember a post/s about that... it's early morning here... so i'll do some research on that over the next day... and you can report back how you went...
EDIT:
bridged ( emulation-nic: "PCnet-FAST III" ) seems to be one mac workaround
moshem
August 11, 2020, 6:22am
19
I appreciate that! Thank you!
And sorry, the forum wouldn't allow me to post for 9 hours as a new user..
I made a brand new VM, started with a fresh image of OpenWrt and created one NIC as you described.
ifconfig
br-lan Link encap:Ethernet HWaddr 08:00:27:1A:47:3E
inet addr:192.168.1.53 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fe1a:473e/64 Scope:Link
inet6 addr: fd2c:fe7f:c7e6::1/60 Scope:Global
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1897 errors:0 dropped:0 overruns:0 frame:0
TX packets:795 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:191583 (187.0 KiB) TX bytes:96843 (94.5 KiB)
eth0 Link encap:Ethernet HWaddr 08:00:27:1A:47:3E
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2128 errors:0 dropped:0 overruns:0 frame:0
TX packets:805 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:240321 (234.6 KiB) TX bytes:99141 (96.8 KiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:124 errors:0 dropped:0 overruns:0 frame:0
TX packets:124 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:8822 (8.6 KiB) TX bytes:8822 (8.6 KiB)
Network setup:
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd2c:fe7f:c7e6::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth0'
option proto 'static'
option ipaddr '192.168.1.53'
option netmask '255.255.255.0'
option gateway '192.168.1.1'
option dns '192.168.1.1'
option ip6assign '60'
route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.1.1 0.0.0.0 UG 0 0 0 br-lan
192.168.1.0 * 255.255.255.0 U 0 0 0 br-lan
I tried another OpenWrt VM on another host, wired, as the client, assigned it 192.168.1.4 and tried to use the 192.168.1.53 VM as the gateway; got no internet..
I tried the PCnet-FAST III and Fast II network adapters; both resulted in OpenWrt detecting an Intel one anyway and no adapter actually mounted in OpenWrt once booted, no IP assigned.
*** I also uploaded the VirtualBox VM online as a zip file and created a bit.ly link for it
https://bit.ly/2XOY3ev
so you can see for yourself.
was 'opkg update' working tho?
( one other thing that is often suggested is to re-install/upgrade virtualbox )... i'm not so sure that applies in your case... but at this point we do need to know what version you are running ?
i'm thinking sophos is (was during install), the issue here... ( unless your main wireless router is non-typical and doing something fancy... )