[arch-general] hostapd + ap_isolate

[Erich Eckner]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Sat, 23 Oct 2021, Uwe Sauter wrote:

>
>> 
>>> From my experience, tcpdump connects to the interface and you will see
>>> all traffic regardless of firewall settings, given you have the
>>> permissions.
>> 
>>> In your case I'd first verify that layer 2 is working correctly (layer
>>> 2 is ethernet or wifi). So I'd use the utilities provided by
>>> "wpa_supplicant" or "iw" to see if the "hardware connection" is
>>> working as expected.
>> 
>>> If your wifi card didn't connect on layer 2 it has no reasons to
>>> configure layer 3 (IP, IPv6) and above.
>> 
>> Well, layer 2 works, if it is needed for connections between the client
>> and the access point.
>> 
>> Layer 2 should already see mac addresses, right? Can you point me to a
>> command, which scans on layer 2 for all macs? I seem to only find how to
>> see the available access points (which works as expected) and using nmap
>> to ping around - which fails as expected :-/
>> 
>> Do you know any command to query the interface regarding routing
>> information (similar to what `ip route` does on layer 3 for the whole
>> machine)?
>
> On layer 2 there is no routing. That's the reason why you need to configure a 
> default route and possibly static routes.
>
>
> Unfortunately I'm not very experienced in debugging wifi but I'd probably 
> start to investigate using some sniffer, e.g. Kismet [1] (not a 
> recommendation, just the first reasonable search result).
>
> One hunch though: was there any update to hostapd that might have enabled 
> WPA3? This might be the totally wrong direction but I've read on multiple 
> occasions that old hardware (e.g. Android tablets from 2012) and WPA3-enabled 
> APs don't work well together.

There's nothing wpa3-specific in the hostapd.conf, but I faintly remember 
considering to enable wpa3, but probably never actually did - and 
definitely not in the time range, when the inter-client communication 
broke. Just to be sure, I added "wpa_key_mgmt=WPA-PSK WPA-PSK-SHA256" 
(e.g. no "SAE", there) to /etc/hostapd.conf without success.

What I now did to make things just work, is: removing routes for 
192.168.1.0/24 on wlan0 of the clients and adding a route for 
192.168.1.13/32 only - so now packages use the default route "via 
192.168.1.13" and traverse the access point at this address (which is 
also the router) and get routed on layer 3 there to the right target. 
(packets will be subject to firewall rules on the router, which is not a 
problem)

Does someone have any suggestions on how to publish this route via dhcp? 
Currently, it looks to me, like the "192.168.1.0/24 dev wlan0" route is 
automatically added due to the subnet mask of "255.255.255.0" - and I 
probably cannot change the latter, as the dhcp server actually should 
server this very subnet on wifi.

The dynamic part of the dhcpd.conf looks like:
- ---8<---8<---8<---8<---
subnet 192.168.1.0 netmask 255.255.255.0 {
   range 192.168.1.20 192.168.1.254;
   option broadcast-address 192.168.1.255;
   option routers 192.168.1.13;
   option rfc3442 24, 192, 168, 0, 192, 168, 1, 13, 0, 192, 168, 1, 13;
}
- --->8--->8--->8--->8---

and the pseudo-static part looks like:
- ---8<---8<---8<---8<---
host raspi0 {
   hardware ethernet de:ad:be:ef:42:42;
   fixed-address 192.168.1.2;
   option routers 192.168.1.13;
   option rfc3442 24, 192, 168, 0, 192, 168, 1, 13, 0, 192, 168, 1, 13;
}
- --->8--->8--->8--->8---

>
>
> Regards,
>
> 	Uwe

regards,
Erich

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEE3p92iMrPBP64GmxZCu7JB1Xae1oFAmF1FUgACgkQCu7JB1Xa
e1oBpBAArlHWvLsaCsY62dzi8Zl3TdBKwqRwkVLV/oZfZQhjI3KDcjzED7Ih/mpl
8iDy+BaAqbvNM79qPwPc8rQ3eldOMEf5tyd9Y/LeefVVWwdno4Of6I0UAeXL1o8A
j68fnf5kgT2J0uDwCwR+oCoxvcOE06BezPLm3acD52w2uScU0uKoJGwnKtpVSdjD
sG0taHrzZPpdcUkrJYPYv3aDdDbMbcz1Vn3obg2GYKI/QBm+Q1UGqaC3buVAqJIw
Z4jz8aoG0sugHuBUUXHM7LOEtaTsYu8NKRwTa1CkI6keRb3xEile1dA4jOOK5cgc
kYXrI+xCLm0T3OzcGrvpz8mQCxTx2n8g0IuIIisB1Y3JlXVsiM8CvC3NsEtp+gXs
dY8t12pbG65NgxrAnTYeigCDGrKwc2IxiaDE2Mhu4LyXr+CqxcLm5kBvpAxVzHOz
9aYEoRkrtIXuDBZoP2cxjQ7tAFvYID3Z14T80KDJuD9WRzNVOosSuWtAnHHPsp6o
aZrNI5sp4vXkeJDdHroqI6cF0/v5a+WKoV4c87TioEq5C+xBGgGtFO32GKQ3CqGo
1OJYPUpu2jgbetDTtWbDmnzGknZw92nfB9IwI5++dY/FQj+djd5LgD5f58D60nKm
kHp9cb5ZpX5jKJtEWiZJri9HaxhxXIZm9Wn0zy13uoZG8FzaPqU=
=gz96
-----END PGP SIGNATURE-----