radoslavv DD-WRT Novice
Joined: 23 Aug 2013 Posts: 10 Location: Slovakia
Posted: Sun Jun 19, 2022 21:52 Post subject: [SOLVED] r49139 WireGuard setup with internet via Client WiFi
I have 3 DD-WRT devices using a WireGuard VPN to create a LAN:
Topology:
1. NetGear R6700v3 as public "master" node (LAN segment 192.168.10.x)
2. NetGear R6700v3 as "slave" (LAN segment 192.168.20.x)
3. NetGear WNDR4500v1 as "slave" (LAN segment 192.168.30.x)
Segments 192.168.10.0/24 and 192.168.20.0/24 are reachable from each other without issues: any host in one segment can reach any host in the other segment.
Both devices 1 and 2 are in Gateway mode with the internet connected via the WLAN port.
The problem is with reachability of the 192.168.30.0/24 segment. The only difference in the 3rd router's configuration is that the internet is connected via the WiFi port (in client mode). Internet for hosts in 192.168.30.0/24 works properly, but the VPN does not (reachability of hosts in 192.168.10.0/24 and 192.168.20.0/24 does not work properly; the same issue occurs in the opposite direction).
1) PING works OK from master router 192.168.10.1 to both routers:
Code: | root@R6700:~# ping 192.168.30.1
PING 192.168.30.1 (192.168.30.1): 56 data bytes
64 bytes from 192.168.30.1: seq=0 ttl=64 time=45.266 ms
64 bytes from 192.168.30.1: seq=2 ttl=64 time=66.985 ms
64 bytes from 192.168.30.1: seq=3 ttl=64 time=42.492 ms
64 bytes from 192.168.30.1: seq=4 ttl=64 time=93.015 ms
64 bytes from 192.168.30.1: seq=5 ttl=64 time=42.720 ms
^C
--- 192.168.30.1 ping statistics ---
6 packets transmitted, 5 packets received, 16% packet loss
round-trip min/avg/max = 42.492/58.095/93.015 ms
root@R6700:~# ping 192.168.20.1
PING 192.168.20.1 (192.168.20.1): 56 data bytes
64 bytes from 192.168.20.1: seq=0 ttl=64 time=10.573 ms
64 bytes from 192.168.20.1: seq=1 ttl=64 time=20.543 ms
64 bytes from 192.168.20.1: seq=2 ttl=64 time=11.979 ms
64 bytes from 192.168.20.1: seq=3 ttl=64 time=10.073 ms
64 bytes from 192.168.20.1: seq=4 ttl=64 time=10.165 ms
^C
--- 192.168.20.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 10.073/12.666/20.543 ms |
2) PING works OK from slave router 192.168.20.1 to master 192.168.10.1 but not to slave 192.168.30.1:
Code: | root@R6700bu:~# ping 192.168.10.1
PING 192.168.10.1 (192.168.10.1): 56 data bytes
64 bytes from 192.168.10.1: seq=0 ttl=64 time=10.100 ms
64 bytes from 192.168.10.1: seq=1 ttl=64 time=10.848 ms
64 bytes from 192.168.10.1: seq=2 ttl=64 time=9.599 ms
64 bytes from 192.168.10.1: seq=3 ttl=64 time=10.272 ms
64 bytes from 192.168.10.1: seq=4 ttl=64 time=11.080 ms
^C
--- 192.168.10.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 9.599/10.379/11.080 ms
root@R6700bu:~# ping 192.168.30.1
PING 192.168.30.1 (192.168.30.1): 56 data bytes
^C
--- 192.168.30.1 ping statistics ---
9 packets transmitted, 0 packets received, 100% packet loss |
3) PING works OK from slave router 192.168.30.1 to master router 192.168.10.1 and slave router 192.168.20.1:
Code: | root@WNDR4500:~# ping 192.168.10.1
PING 192.168.10.1 (192.168.10.1): 56 data bytes
64 bytes from 192.168.10.1: seq=0 ttl=64 time=41.860 ms
64 bytes from 192.168.10.1: seq=1 ttl=64 time=53.699 ms
64 bytes from 192.168.10.1: seq=2 ttl=64 time=41.595 ms
64 bytes from 192.168.10.1: seq=3 ttl=64 time=41.356 ms
64 bytes from 192.168.10.1: seq=4 ttl=64 time=42.793 ms
^C
--- 192.168.10.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 41.356/44.260/53.699 ms
root@WNDR4500:~# ping 192.168.20.1
PING 192.168.20.1 (192.168.20.1): 56 data bytes
64 bytes from 192.168.20.1: seq=0 ttl=63 time=72.868 ms
64 bytes from 192.168.20.1: seq=1 ttl=63 time=56.930 ms
64 bytes from 192.168.20.1: seq=2 ttl=63 time=61.697 ms
64 bytes from 192.168.20.1: seq=4 ttl=63 time=54.941 ms
64 bytes from 192.168.20.1: seq=5 ttl=63 time=128.556 ms
^C
--- 192.168.20.1 ping statistics ---
6 packets transmitted, 5 packets received, 16% packet loss
round-trip min/avg/max = 54.941/74.998/128.556 ms |
4) host 192.168.10.66 can ping both slave routers:
Code: | root@WNDR4500:~# ping 192.168.10.1
PING 192.168.10.1 (192.168.10.1): 56 data bytes
64 bytes from 192.168.10.1: seq=0 ttl=64 time=41.860 ms
64 bytes from 192.168.10.1: seq=1 ttl=64 time=53.699 ms
64 bytes from 192.168.10.1: seq=2 ttl=64 time=41.595 ms
64 bytes from 192.168.10.1: seq=3 ttl=64 time=41.356 ms
64 bytes from 192.168.10.1: seq=4 ttl=64 time=42.793 ms
^C
--- 192.168.10.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 41.356/44.260/53.699 ms
root@WNDR4500:~# ping 192.168.20.1
PING 192.168.20.1 (192.168.20.1): 56 data bytes
64 bytes from 192.168.20.1: seq=0 ttl=63 time=72.868 ms
64 bytes from 192.168.20.1: seq=1 ttl=63 time=56.930 ms
64 bytes from 192.168.20.1: seq=2 ttl=63 time=61.697 ms
64 bytes from 192.168.20.1: seq=4 ttl=63 time=54.941 ms
64 bytes from 192.168.20.1: seq=5 ttl=63 time=128.556 ms
^C
--- 192.168.20.1 ping statistics ---
6 packets transmitted, 5 packets received, 16% packet loss
round-trip min/avg/max = 54.941/74.998/128.556 ms |
5) host 192.168.30.111 can ping both the primary router 192.168.10.1 and the slave router 192.168.20.1:
Code: | C:\>ping 192.168.10.1
Pinging 192.168.10.1 with 32 bytes of data:
Reply from 192.168.10.1: bytes=32 time=45ms TTL=63
Reply from 192.168.10.1: bytes=32 time=54ms TTL=63
Reply from 192.168.10.1: bytes=32 time=44ms TTL=63
Reply from 192.168.10.1: bytes=32 time=43ms TTL=63
Ping statistics for 192.168.10.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 43ms, Maximum = 54ms, Average = 46ms
C:\>ping 192.168.20.1
Pinging 192.168.20.1 with 32 bytes of data:
Reply from 192.168.20.1: bytes=32 time=54ms TTL=62
Reply from 192.168.20.1: bytes=32 time=62ms TTL=62
Reply from 192.168.20.1: bytes=32 time=51ms TTL=62
Reply from 192.168.20.1: bytes=32 time=51ms TTL=62
Ping statistics for 192.168.20.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 51ms, Maximum = 62ms, Average = 54ms |
6) host 192.168.30.111 can tracert both primary 192.168.10.1 and slave router 192.168.20.1:
Code: | C:\>tracert 192.168.10.66
Tracing route to 192.168.10.66 over a maximum of 30 hops
1 2 ms 1 ms 1 ms WNDR4500 [192.168.30.1]
2 * 41 ms 44 ms 172.16.0.1
3 * 361 ms 44 ms 192.168.10.66
Trace complete.
C:\>tracert 192.168.10.232
Tracing route to 192.168.10.232 over a maximum of 30 hops
1 2 ms 1 ms 1 ms WNDR4500 [192.168.30.1]
2 * * 397 ms 172.16.0.1
3 85 ms 109 ms 57 ms 192.168.10.232
Trace complete. |
7) host 192.168.10.66 can't tracert slave router 192.168.30.1:
Code: | C:\>tracert 192.168.30.111
Tracing route to NB-LNV-Y9 [192.168.30.111]
over a maximum of 30 hops:
1 1 ms 1 ms 1 ms R6700 [192.168.10.1]
2 * 43 ms 43 ms 172.16.0.3
3 * * * Request timed out.
4 ^C
C:\>tracert 192.168.30.111
Tracing route to NB-LNV-Y9 [192.168.30.111]
over a maximum of 30 hops:
1 1 ms 1 ms 1 ms R6700 [192.168.10.1]
2 * 40 ms 45 ms 172.16.0.3
3 * * * Request timed out.
4 ^C |
8) host 192.168.10.66 can reach SSH of the master router 192.168.10.1, but only a few packets are passing the VPN (only part of the top command screen is transferred):
Code: | login as: root
Pre-authentication banner message from server:
| DD-WRT v3.0-r49139 giga (c) 2022 NewMedia-NET GmbH
| Release: 06/10/22
| Board: Netgear WNDR4500
End of banner message from server
root@192.168.30.1's password:
==========================================================
___ ___ _ _____ ______ ____ ___
/ _ \/ _ \___| | /| / / _ \/_ __/ _ __|_ / / _ \
/ // / // /___/ |/ |/ / , _/ / / | |/ //_ <_/ // /
/____/____/ |__/|__/_/|_| /_/ |___/____(_)___/
DD-WRT v3.0
https://www.dd-wrt.com
==========================================================
BusyBox v1.35.0 (2022-06-10 02:35:58 +07) built-in shell (ash)
root@WNDR4500:~# top
Mem: 48780K used, 75832K free, 0K shrd, 6628K buff, 15240K cached
CPU: 0.0% usr 8.3% sys 0.0% nic 91.6% idle 0.0% io 0.0% irq 0.0% sirq
Load average: 0.14 0.08 0.09 1/65 9403
PID PPID USER STAT VSZ %VSZ %CPU COMMAND
9403 9380 root R 1456 1.1 8.3 top
1852 1 root S 4388 3.5 0.0 httpd -n -S -p 80 -m 443
2319 1 root S 2240 1.7 0.0 wpa_supplicant -B -Dwext -ieth1 -c /tm
2613 1 root S 1904 1.5 0.0 dnsmasq -u root -g root -C /tmp/dnsmas
1682 1 root S 1896 1.5 0.0 ttraff
2320 1 root S 1688 1.3 0.0 nas -P /tmp/nas.wl1lan.pid -H 34954 -l |
9) host 192.168.30.111 can reach SSH of the slave router 192.168.30.1, but only a few packets are passing the VPN (only part of the top command screen is transferred):
Code: | login as: root
Pre-authentication banner message from server:
| DD-WRT v3.0-r43886 std (c) 2020 NewMedia-NET GmbH
| Release: 07/21/20
| Board: Netgear R6700 v3
End of banner message from server
root@192.168.20.1's password:
==========================================================
___ ___ _ _____ ______ ____ ___
/ _ \/ _ \___| | /| / / _ \/_ __/ _ __|_ / / _ \
/ // / // /___/ |/ |/ / , _/ / / | |/ //_ <_/ // /
/____/____/ |__/|__/_/|_| /_/ |___/____(_)___/
DD-WRT v3.0
http://www.dd-wrt.com
==========================================================
BusyBox v1.32.0 (2020-07-21 09:17:36 +04) built-in shell (ash)
root@R6700bu:~# top
Mem: 69720K used, 184684K free, 0K shrd, 6088K buff, 17140K cached
CPU: 4.1% usr 41.6% sys 0.0% nic 54.1% idle 0.0% io 0.0% irq 0.0% sirq
Load average: 0.57 0.46 0.43 3/159 32641
PID PPID USER STAT VSZ %VSZ CPU %CPU COMMAND
32631 32558 root R 1460 0.5 0 4.1 top
1719 1717 nobody S 46356 18.1 0 0.0 nginx: worker process
1720 1717 nobody S 46244 18.0 0 0.0 nginx: cache manager process
1717 1 root S 46120 18.0 1 0.0 nginx: master process /jffs/bin/ng
1626 1 root S 12756 4.9 0 0.0 httpd -n -S -p 80 -m 443
17798 1 root S 1940 0.7 0 0.0 dnsmasq -u root -g root --conf-fil
1556 1 root S 1696 0.6 1 0.0 ttraff
1617 1 root S 1576 0.6 0 0.0 radio_timer |
10) route and iptables look correct for all 3 routers:
---------------------------------------------------------
Code: | login as: root
Pre-authentication banner message from server:
| DD-WRT v3.0-r49139 std (c) 2022 NewMedia-NET GmbH
| Release: 06/10/22
| Board: Netgear R6700 v3
End of banner message from server
root@192.168.10.1's password:
==========================================================
___ ___ _ _____ ______ ____ ___
/ _ \/ _ \___| | /| / / _ \/_ __/ _ __|_ / / _ \
/ // / // /___/ |/ |/ / , _/ / / | |/ //_ <_/ // /
/____/____/ |__/|__/_/|_| /_/ |___/____(_)___/
DD-WRT v3.0
https://www.dd-wrt.com
==========================================================
BusyBox v1.35.0 (2022-06-10 01:51:35 +07) built-in shell (ash)
root@R6700:~# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 188-xxx-yyy-zz3 0.0.0.0 UG 0 0 0 vlan2
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
172.16.0.0 * 255.255.255.0 U 0 0 0 oet1
172.16.0.2 * 255.255.255.255 UH 0 0 0 oet1
172.16.0.3 * 255.255.255.255 UH 0 0 0 oet1
188.xxx.yyy.zz2 * 255.255.255.252 U 0 0 0 vlan2
192.168.1.0 * 255.255.255.0 U 0 0 0 oet1
192.168.10.0 * 255.255.255.0 U 0 0 0 br0
192.168.20.0 * 255.255.255.0 U 0 0 0 oet1
192.168.20.0 R6700 255.255.255.0 UG 1 0 0 br0
192.168.30.0 * 255.255.255.0 U 0 0 0 oet1
192.168.30.0 172.16.0.3 255.255.255.0 UG 1 0 0 oet1
root@R6700:~# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- 0.0.0.0/0 188.xxx.yyy.zz4 tcp dpt:443 to:192.168.10.1:443
DNAT icmp -- 0.0.0.0/0 188.xxx.yyy.zz4 to:192.168.10.1
DNAT tcp -- 0.0.0.0/0 188.xxx.yyy.zz4 tcp dpt:8443 to:192.168.10.1:8443
DNAT udp -- 0.0.0.0/0 188.xxx.yyy.zz4 udp dpt:8443 to:192.168.10.1:8443
DNAT tcp -- 0.0.0.0/0 188.xxx.yyy.zz4 tcp dpt:51820 to:192.168.10.1:51820
DNAT udp -- 0.0.0.0/0 188.xxx.yyy.zz4 udp dpt:51820 to:192.168.10.1:51820
DNAT tcp -- 192.168.0.1 188.xxx.yyy.zz4 tcp dpt:514 to:192.168.10.222:514
DNAT udp -- 192.168.0.1 188.xxx.yyy.zz4 udp dpt:514 to:192.168.10.222:514
DNAT tcp -- 89.173.176.28 188.xxx.yyy.zz4 tcp dpt:80 to:192.168.10.27:8000
DNAT udp -- 89.173.176.28 188.xxx.yyy.zz4 udp dpt:80 to:192.168.10.27:8000
DNAT tcp -- 89.173.176.28 188.xxx.yyy.zz4 tcp dpt:8001 to:192.168.10.27:8001
DNAT udp -- 89.173.176.28 188.xxx.yyy.zz4 udp dpt:8001 to:192.168.10.27:8001
DNAT tcp -- 89.173.176.28 188.xxx.yyy.zz4 tcp dpt:8888 to:192.168.10.27:8888
DNAT udp -- 89.173.176.28 188.xxx.yyy.zz4 udp dpt:8888 to:192.168.10.27:8888
DNAT tcp -- 0.0.0.0/0 188.xxx.yyy.zz4 tcp dpts:10005:10008 to:192.168.10.40
DNAT udp -- 0.0.0.0/0 188.xxx.yyy.zz4 udp dpts:10005:10008 to:192.168.10.40
TRIGGER all -- 0.0.0.0/0 188.xxx.yyy.zz4 TRIGGER type:dnat match:0 relate:0
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 172.16.0.0/24 0.0.0.0/0
SNAT all -- 192.168.10.0/24 0.0.0.0/0 to:188.xxx.yyy.zz4
RETURN all -- 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
MASQUERADE all -- 192.168.10.0/24 192.168.10.0/24
root@R6700:~# iptables -t mangle -L -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
RRDIPT_INPUT all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RRDIPT_FORWARD all -- 0.0.0.0/0 0.0.0.0/0
TCPMSS tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
RRDIPT_OUTPUT all -- 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain RRDIPT_FORWARD (1 references)
target prot opt source destination
RETURN all -- 192.168.10.222 0.0.0.0/0
RETURN all -- 0.0.0.0/0 192.168.10.222
RETURN all -- 192.168.10.27 0.0.0.0/0
RETURN all -- 0.0.0.0/0 192.168.10.27
RETURN all -- 192.168.10.66 0.0.0.0/0
RETURN all -- 0.0.0.0/0 192.168.10.66
RETURN all -- 188.xxx.yyy.zz3 0.0.0.0/0
RETURN all -- 0.0.0.0/0 188.xxx.yyy.zz3
RETURN all -- 192.168.10.101 0.0.0.0/0
RETURN all -- 0.0.0.0/0 192.168.10.101
RETURN all -- 192.168.10.102 0.0.0.0/0
RETURN all -- 0.0.0.0/0 192.168.10.102
RETURN all -- 192.168.10.103 0.0.0.0/0
RETURN all -- 0.0.0.0/0 192.168.10.103
Chain RRDIPT_INPUT (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain RRDIPT_OUTPUT (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
root@R6700:~# iptables -t raw -L -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DROP all -- 0.0.0.0/0 172.16.0.0/24 ADDRTYPE match src-type !LOCAL
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
root@R6700:~# |
---------------------------------------------------------
Code: | login as: root
Pre-authentication banner message from server:
| DD-WRT v3.0-r43886 std (c) 2020 NewMedia-NET GmbH
| Release: 07/21/20
| Board: Netgear R6700 v3
End of banner message from server
root@192.168.20.1's password:
==========================================================
___ ___ _ _____ ______ ____ ___
/ _ \/ _ \___| | /| / / _ \/_ __/ _ __|_ / / _ \
/ // / // /___/ |/ |/ / , _/ / / | |/ //_ <_/ // /
/____/____/ |__/|__/_/|_| /_/ |___/____(_)___/
DD-WRT v3.0
http://www.dd-wrt.com
==========================================================
BusyBox v1.32.0 (2020-07-21 09:17:36 +04) built-in shell (ash)
root@R6700bu:~# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.1.1 0.0.0.0 UG 0 0 0 vlan2
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
172.16.0.0 * 255.255.255.0 U 0 0 0 oet1
188.aaa.bbb.ccc 192.168.1.1 255.255.255.255 UGH 0 0 0 vlan2
188.xxx.yyy.zz4 192.168.1.1 255.255.255.255 UGH 0 0 0 vlan2
192.168.1.0 * 255.255.255.0 U 0 0 0 vlan2
192.168.10.0 * 255.255.255.0 U 0 0 0 oet1
192.168.20.0 * 255.255.255.0 U 0 0 0 br0
192.168.30.0 * 255.255.255.0 U 0 0 0 oet1
root@R6700bu:~# iptables -t nat -Ln
root@R6700bu:~# iptables -t nat -Ln list
Bad argument `list'
Try `iptables -h' or 'iptables --help' for more information.
root@R6700bu:~# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 192.168.0.0/16 0.0.0.0/0 tcp dpt:80
DROP tcp -- 192.168.20.1 192.168.20.1 tcp dpt:443
ACCEPT tcp -- 192.168.20.0/24 192.168.20.1 tcp dpt:443
DNAT tcp -- 0.0.0.0/0 !192.168.1.2 tcp dpt:80 to:192.168.20.1:8118
DNAT tcp -- 0.0.0.0/0 192.168.1.2 tcp dpt:443 to:192.168.20.1:443
DNAT icmp -- 0.0.0.0/0 192.168.1.2 to:192.168.20.1
DNAT tcp -- 0.0.0.0/0 192.168.1.2 tcp dpt:8443 to:192.168.20.1:8443
DNAT udp -- 0.0.0.0/0 192.168.1.2 udp dpt:8443 to:192.168.20.1:8443
TRIGGER 0 -- 0.0.0.0/0 192.168.1.2 TRIGGER type:dnat match:0 relate:0
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT 0 -- 192.168.20.0/24 0.0.0.0/0 to:192.168.1.2
MASQUERADE 0 -- 0.0.0.0/0 0.0.0.0/0 mark match 0x80000000/0x80000000
root@R6700bu:~# iptables -t mangle -L -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
MARK 0 -- 0.0.0.0/0 192.168.1.2 MARK or 0x80000000
CONNMARK 0 -- 0.0.0.0/0 0.0.0.0/0 CONNMARK save
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
TCPMSS tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
root@R6700bu:~# iptables -t raw -L -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DROP 0 -- 0.0.0.0/0 172.16.0.0/24 ADDRTYPE match src-type !LOCAL
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
root@R6700bu:~# |
---------------------------------------------------------
Code: | login as: root
Pre-authentication banner message from server:
| DD-WRT v3.0-r49139 giga (c) 2022 NewMedia-NET GmbH
| Release: 06/10/22
| Board: Netgear WNDR4500
End of banner message from server
root@192.168.30.1's password:
==========================================================
___ ___ _ _____ ______ ____ ___
/ _ \/ _ \___| | /| / / _ \/_ __/ _ __|_ / / _ \
/ // / // /___/ |/ |/ / , _/ / / | |/ //_ <_/ // /
/____/____/ |__/|__/_/|_| /_/ |___/____(_)___/
DD-WRT v3.0
https://www.dd-wrt.com
==========================================================
BusyBox v1.35.0 (2022-06-10 02:35:58 +07) built-in shell (ash)
root@WNDR4500:~# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 10.2.0.1 0.0.0.0 UG 0 0 0 eth1
10.2.0.0 * 255.255.0.0 U 0 0 0 eth1
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
172.16.0.0 * 255.255.255.0 U 0 0 0 oet1
172.16.0.1 * 255.255.255.255 UH 0 0 0 oet1
188.xxx.yyy.zz4 10.2.0.1 255.255.255.255 UGH 0 0 0 eth1
192.168.10.0 * 255.255.255.0 U 0 0 0 oet1
192.168.20.0 * 255.255.255.0 U 0 0 0 oet1
192.168.30.0 * 255.255.255.0 U 0 0 0 br0
root@WNDR4500:~# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- 0.0.0.0/0 10.2.185.12 tcp dpt:443 to:192.168.30.1:443
DNAT icmp -- 0.0.0.0/0 10.2.185.12 to:192.168.30.1
TRIGGER all -- 0.0.0.0/0 10.2.185.12 TRIGGER type:dnat match:0 relate:0
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 192.168.30.0/24 0.0.0.0/0 to:10.2.185.12
RETURN all -- 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
MASQUERADE all -- 192.168.30.0/24 192.168.30.0/24
root@WNDR4500:~# iptables -t mangle -L -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
RRDIPT_INPUT all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RRDIPT_FORWARD all -- 0.0.0.0/0 0.0.0.0/0
TCPMSS tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
RRDIPT_OUTPUT all -- 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain RRDIPT_FORWARD (1 references)
target prot opt source destination
RETURN all -- 10.2.0.1 0.0.0.0/0
RETURN all -- 0.0.0.0/0 10.2.0.1
RETURN all -- 192.168.30.111 0.0.0.0/0
RETURN all -- 0.0.0.0/0 192.168.30.111
Chain RRDIPT_INPUT (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain RRDIPT_OUTPUT (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
root@WNDR4500:~# iptables -t raw -L -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DROP all -- 0.0.0.0/0 172.16.0.0/24 ADDRTYPE match src-type !LOCAL
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
root@WNDR4500:~# |
---------------------------------------------------------
11) A 1-packet connection-close HTTP 1.0 web page is transferred (192.168.30.111<->192.168.10.232):
11.1) tcpdump on 192.168.10.1
Code: | root@R6700:~# tcpdump -i oet1 -n |grep 192.168.30.1
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on oet1, link-type RAW (Raw IP), snapshot length 262144 bytes
22:52:15.925758 IP 192.168.30.111.57529 > 192.168.10.232.80: Flags [.], seq 1491238036:1491238037, ack 348007, win 65298, length 1: HTTP
22:52:16.008846 IP 192.168.30.111.57582 > 192.168.10.232.80: Flags [S], seq 987474931, win 64240, options [mss 1420,nop,wscale 8,nop,nop,sackOK], length 0
22:52:16.014106 IP 192.168.30.111.57531 > 192.168.10.232.80: Flags [P.], seq 1426155910:1426156434, ack 348106, win 65392, length 524: HTTP: GET /co2 HTTP/1.1
22:52:16.077537 IP 192.168.10.232.80 > 192.168.30.111.57531: Flags [.], ack 20, win 532, length 0
22:52:16.278261 IP 192.168.10.232.80 > 192.168.30.111.57531: Flags [FP.], seq 1:1293, ack 20, win 532, length 1292: HTTP: HTTP/1.0 200 OK
22:52:16.326752 IP 192.168.30.111.57531 > 192.168.10.232.80: Flags [.], ack 1294, win 65392, length 0
22:52:16.326762 IP 192.168.30.111.57531 > 192.168.10.232.80: Flags [F.], seq 524, ack 1294, win 65392, length 0
22:52:16.492036 IP 192.168.30.111.57531 > 192.168.10.232.80: Flags [FP.], seq 20:524, ack 1294, win 65392, length 504: HTTP
22:52:16.555747 IP 192.168.10.232.80 > 192.168.30.111.57531: Flags [.], ack 40, win 532, length 0
22:52:16.579214 IP 192.168.10.232.80 > 192.168.30.111.57531: Flags [F.], seq 1294, ack 40, win 532, length 0
22:52:16.970414 IP 192.168.30.111.57531 > 192.168.10.232.80: Flags [FP.], seq 40:524, ack 1294, win 65392, length 484: HTTP
22:52:17.015517 IP 192.168.30.111.57582 > 192.168.10.232.80: Flags [S], seq 987474931, win 64240, options [mss 1420,nop,wscale 8,nop,nop,sackOK], length 0
22:52:17.094771 IP 192.168.10.232.80 > 192.168.30.111.57582: Flags [S.], seq 348151, ack 987474932, win 532, options [mss 536], length 0
22:52:17.139643 IP 192.168.30.111.57582 > 192.168.10.232.80: Flags [.], ack 1, win 65392, length 0
22:52:17.680285 IP 192.168.30.111.57531 > 192.168.10.232.80: Flags [FP.], seq 40:524, ack 1294, win 65392, length 484: HTTP
22:52:19.116363 IP 192.168.30.111.57531 > 192.168.10.232.80: Flags [FP.], seq 40:524, ack 1294, win 65392, length 484: HTTP
22:52:21.537815 IP 192.168.30.111.57529 > 192.168.10.232.80: Flags [R.], seq 367, ack 1, win 0, length 0
22:52:21.974690 IP 192.168.30.111.57531 > 192.168.10.232.80: Flags [FP.], seq 40:524, ack 1294, win 65392, length 484: HTTP
22:52:27.673631 IP 192.168.30.111.57531 > 192.168.10.232.80: Flags [FP.], seq 40:524, ack 1294, win 65392, length 484: HTTP
22:52:39.065547 IP 192.168.30.111.57531 > 192.168.10.232.80: Flags [R.], seq 525, ack 1294, win 0, length 0
^C110 packets captured
110 packets received by filter
0 packets dropped by kernel |
11.2) tcpdump on 192.168.30.1
Code: | root@WNDR4500:~# tcpdump -i oet1 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on oet1, link-type RAW (Raw IP), capture size 262144 bytes
22:52:15.904666 IP 192.168.30.111.57529 > 192.168.10.232.80: Flags [.], seq 1491238036:1491238037, ack 348007, win 65298, length 1: HTTP
22:52:15.981623 IP 192.168.30.111.57582 > 192.168.10.232.80: Flags [S], seq 987474931, win 64240, options [mss 1420,nop,wscale 8,nop,nop,sackOK], length 0
22:52:15.982750 IP 192.168.30.111.57531 > 192.168.10.232.80: Flags [P.], seq 1426155910:1426156434, ack 348106, win 65392, length 524: HTTP: GET /co2 HTTP/1.1
22:52:16.102399 IP 192.168.10.232.80 > 192.168.30.111.57531: Flags [.], ack 20, win 532, length 0
22:52:16.303844 IP 192.168.10.232.80 > 192.168.30.111.57531: Flags [FP.], seq 1:1293, ack 20, win 532, length 1292: HTTP: HTTP/1.0 200 OK
22:52:16.305918 IP 192.168.30.111.57531 > 192.168.10.232.80: Flags [.], ack 1294, win 65392, length 0
22:52:16.307762 IP 192.168.30.111.57531 > 192.168.10.232.80: Flags [F.], seq 524, ack 1294, win 65392, length 0
22:52:16.464139 IP 192.168.30.111.57531 > 192.168.10.232.80: Flags [FP.], seq 20:524, ack 1294, win 65392, length 504: HTTP
22:52:16.578406 IP 192.168.10.232.80 > 192.168.30.111.57531: Flags [.], ack 40, win 532, length 0
22:52:16.606943 IP 192.168.10.232.80 > 192.168.30.111.57531: Flags [F.], seq 1294, ack 40, win 532, length 0
22:52:16.947174 IP 192.168.30.111.57531 > 192.168.10.232.80: Flags [FP.], seq 40:524, ack 1294, win 65392, length 484: HTTP
22:52:16.993011 IP 192.168.30.111.57582 > 192.168.10.232.80: Flags [S], seq 987474931, win 64240, options [mss 1420,nop,wscale 8,nop,nop,sackOK], length 0
22:52:17.118906 IP 192.168.10.232.80 > 192.168.30.111.57582: Flags [S.], seq 348151, ack 987474932, win 532, options [mss 536], length 0
22:52:17.120979 IP 192.168.30.111.57582 > 192.168.10.232.80: Flags [.], ack 1, win 65392, length 0
22:52:17.660902 IP 192.168.30.111.57531 > 192.168.10.232.80: Flags [FP.], seq 40:524, ack 1294, win 65392, length 484: HTTP
22:52:19.096520 IP 192.168.30.111.57531 > 192.168.10.232.80: Flags [FP.], seq 40:524, ack 1294, win 65392, length 484: HTTP
22:52:21.517227 IP 192.168.30.111.57529 > 192.168.10.232.80: Flags [R.], seq 367, ack 1, win 0, length 0
22:52:21.955573 IP 192.168.30.111.57531 > 192.168.10.232.80: Flags [FP.], seq 40:524, ack 1294, win 65392, length 484: HTTP
22:52:27.653324 IP 192.168.30.111.57531 > 192.168.10.232.80: Flags [FP.], seq 40:524, ack 1294, win 65392, length 484: HTTP
22:52:39.047421 IP 192.168.30.111.57531 > 192.168.10.232.80: Flags [R.], seq 525, ack 1294, win 0, length 0
^C
20 packets captured
20 packets received by filter
0 packets dropped by kernel |
12) A multi-packet HTTP 1.1 web page (master router admin page) is NOT transferred (192.168.30.111<->192.168.10.1):
12.1) tcpdump on 192.168.10.1
Code: | root@R6700:~# tcpdump -i oet1 -n |grep 192.168.30.1
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on oet1, link-type RAW (Raw IP), snapshot length 262144 bytes
22:38:44.390243 IP 192.168.10.66.51056 > 192.168.30.1.443: Flags [R.], seq 978377737, ack 1457390884, win 0, length 0
22:38:58.343263 IP 192.168.30.111.57273 > 192.168.10.1.80: Flags [S], seq 328263245, win 64240, options [mss 1420,nop,wscale 8,nop,nop,sackOK], length 0
22:38:58.344952 IP 192.168.10.1.80 > 192.168.30.111.57273: Flags [S.], seq 3031236128, ack 328263246, win 28400, options [mss 1420,nop,nop,sackOK,nop,wscale 3], length 0
22:38:58.389532 IP 192.168.30.111.57274 > 192.168.10.1.80: Flags [S], seq 3503679211, win 64240, options [mss 1420,nop,wscale 8,nop,nop,sackOK], length 0
22:38:58.391254 IP 192.168.10.1.80 > 192.168.30.111.57274: Flags [S.], seq 22148557, ack 3503679212, win 28400, options [mss 1420,nop,nop,sackOK,nop,wscale 3], length 0
22:38:58.400699 IP 192.168.30.111.57273 > 192.168.10.1.80: Flags [P.], seq 1:458, ack 1, win 1026, length 457: HTTP: GET / HTTP/1.1
22:38:58.402463 IP 192.168.10.1.80 > 192.168.30.111.57273: Flags [.], ack 458, win 3684, length 0
22:38:58.400710 IP 192.168.30.111.57273 > 192.168.10.1.80: Flags [.], ack 1, win 1026, length 0
22:38:58.406352 IP 192.168.10.1.80 > 192.168.30.111.57273: Flags [.], ack 458, win 3684, length 0
22:38:58.416027 IP 192.168.10.1.80 > 192.168.30.111.57273: Flags [.], seq 1:2841, ack 458, win 3684, length 2840: HTTP: HTTP/1.1 401 UNAUTHORIZED
22:38:58.418676 IP 192.168.10.1.80 > 192.168.30.111.57273: Flags [P.], seq 2841:3215, ack 458, win 3684, length 374: HTTP
22:38:58.420509 IP 192.168.10.1.80 > 192.168.30.111.57273: Flags [F.], seq 3215, ack 458, win 3684, length 0
22:38:58.445957 IP 192.168.30.111.57274 > 192.168.10.1.80: Flags [.], ack 1, win 1026, length 0
22:38:58.474379 IP 192.168.30.111.57273 > 192.168.10.1.80: Flags [.], ack 1, win 1026, length 0
22:38:58.478977 IP 192.168.30.111.57273 > 192.168.10.1.80: Flags [.], ack 1, win 1026, options [nop,nop,sack 1 {2841:3215}], length 0
22:38:58.667854 IP 192.168.10.1.80 > 192.168.30.111.57273: Flags [.], seq 1:1421, ack 458, win 3684, length 1420: HTTP: HTTP/1.1 401 UNAUTHORIZED
22:38:59.187352 IP 192.168.10.1.80 > 192.168.30.111.57273: Flags [.], seq 1:1421, ack 458, win 3684, length 1420: HTTP: HTTP/1.1 401 UNAUTHORIZED
22:38:59.844812 IP 192.168.10.66.51055 > 192.168.30.1.443: Flags [.], seq 2250878284:2250878285, ack 993200019, win 1025, length 1
22:38:59.912544 IP 192.168.30.1.443 > 192.168.10.66.51055: Flags [.], ack 1, win 3684, options [nop,nop,sack 1 {0:1}], length 0
22:39:00.226766 IP 192.168.10.1.80 > 192.168.30.111.57273: Flags [.], seq 1:1421, ack 458, win 3684, length 1420: HTTP: HTTP/1.1 401 UNAUTHORIZED
22:39:02.305202 IP 192.168.10.1.80 > 192.168.30.111.57273: Flags [.], seq 1:1421, ack 458, win 3684, length 1420: HTTP: HTTP/1.1 401 UNAUTHORIZED
22:39:06.472349 IP 192.168.10.1.80 > 192.168.30.111.57273: Flags [.], seq 1:1421, ack 458, win 3684, length 1420: HTTP: HTTP/1.1 401 UNAUTHORIZED
22:39:08.285137 IP 192.168.10.1.80 > 192.168.30.111.57274: Flags [F.], seq 1, ack 1, win 3550, length 0
22:39:08.335089 IP 192.168.30.111.57274 > 192.168.10.1.80: Flags [.], ack 2, win 1026, length 0
22:39:13.149915 IP 192.168.30.111.57274 > 192.168.10.1.80: Flags [F.], seq 1, ack 2, win 1026, length 0
22:39:13.151548 IP 192.168.10.1.80 > 192.168.30.111.57274: Flags [.], ack 2, win 3550, length 0
22:39:14.806572 IP 192.168.10.1.80 > 192.168.30.111.57273: Flags [.], seq 1:1421, ack 458, win 3684, length 1420: HTTP: HTTP/1.1 401 UNAUTHORIZED
^C142 packets captured
142 packets received by filter
0 packets dropped by kernel |
12.2) tcpdump on 192.168.30.1 (the 401 UNAUTHORIZED response is not transferred)
Code: | root@WNDR4500:~# tcpdump -i oet1 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on oet1, link-type RAW (Raw IP), capture size 262144 bytes
22:38:44.415964 IP 192.168.10.66.51056 > 192.168.30.1.443: Flags [R.], seq 978377737, ack 1457390884, win 0, length 0
22:38:58.309336 IP 192.168.30.111.57273 > 192.168.10.1.80: Flags [S], seq 328263245, win 64240, options [mss 1420,nop,wscale 8,nop,nop,sackOK], length 0
22:38:58.310072 IP 192.168.30.111.57274 > 192.168.10.1.80: Flags [S], seq 3503679211, win 64240, options [mss 1420,nop,wscale 8,nop,nop,sackOK], length 0
22:38:58.361708 IP 192.168.10.1.80 > 192.168.30.111.57273: Flags [S.], seq 3031236128, ack 328263246, win 28400, options [mss 1420,nop,nop,sackOK,nop,wscale 3], length 0
22:38:58.363781 IP 192.168.30.111.57273 > 192.168.10.1.80: Flags [.], ack 1, win 1026, length 0
22:38:58.364001 IP 192.168.30.111.57273 > 192.168.10.1.80: Flags [P.], seq 1:458, ack 1, win 1026, length 457: HTTP: GET / HTTP/1.1
22:38:58.410711 IP 192.168.10.1.80 > 192.168.30.111.57274: Flags [S.], seq 22148557, ack 3503679212, win 28400, options [mss 1420,nop,nop,sackOK,nop,wscale 3], length 0
22:38:58.412777 IP 192.168.30.111.57274 > 192.168.10.1.80: Flags [.], ack 1, win 1026, length 0
22:38:58.423685 IP 192.168.10.1.80 > 192.168.30.111.57273: Flags [.], ack 458, win 3684, length 0
22:38:58.423887 IP 192.168.10.1.80 > 192.168.30.111.57273: Flags [.], ack 458, win 3684, length 0
22:38:58.445595 IP 192.168.10.1.80 > 192.168.30.111.57273: Flags [F.], seq 3215, ack 458, win 3684, length 0
22:38:58.446682 IP 192.168.10.1.80 > 192.168.30.111.57273: Flags [P.], seq 2841:3215, ack 458, win 3684, length 374: HTTP
22:38:58.447816 IP 192.168.30.111.57273 > 192.168.10.1.80: Flags [.], ack 1, win 1026, length 0
22:38:58.448500 IP 192.168.30.111.57273 > 192.168.10.1.80: Flags [.], ack 1, win 1026, options [nop,nop,sack 1 {2841:3215}], length 0
22:38:59.873805 IP 192.168.10.66.51055 > 192.168.30.1.443: Flags [.], seq 2250878284:2250878285, ack 993200019, win 1025, length 1
22:38:59.873979 IP 192.168.30.1.443 > 192.168.10.66.51055: Flags [.], ack 1, win 3684, options [nop,nop,sack 1 {0:1}], length 0
22:39:08.305104 IP 192.168.10.1.80 > 192.168.30.111.57274: Flags [F.], seq 1, ack 1, win 3550, length 0
22:39:08.307470 IP 192.168.30.111.57274 > 192.168.10.1.80: Flags [.], ack 2, win 1026, length 0
22:39:13.115467 IP 192.168.30.111.57274 > 192.168.10.1.80: Flags [F.], seq 1, ack 2, win 1026, length 0
22:39:13.173808 IP 192.168.10.1.80 > 192.168.30.111.57274: Flags [.], ack 2, win 3550, length 0
^C
20 packets captured
20 packets received by filter
0 packets dropped by kernel |
13) multi-packet HTTP 1.1 web page (slave router admin page) is NOT transferred (192.168.10.66<->192.168.30.1):
13.1) tcpdump on 192.168.10.1
Code: | root@R6700:~# tcpdump -i oet1 -n |grep 192.168.30.1
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on oet1, link-type RAW (Raw IP), snapshot length 262144 bytes
22:36:13.775261 IP 192.168.10.66.51055 > 192.168.30.1.443: Flags [S], seq 2250877443, win 64240, options [mss 1420,nop,wscale 8,nop,nop,sackOK], length 0
22:36:13.776995 IP 192.168.10.66.51056 > 192.168.30.1.443: Flags [S], seq 978377218, win 64240, options [mss 1420,nop,wscale 8,nop,nop,sackOK], length 0
22:36:13.992921 IP 192.168.30.1.443 > 192.168.10.66.51055: Flags [S.], seq 993199919, ack 2250877444, win 28400, options [mss 1420,nop,nop,sackOK,nop,wscale 3], length 0
22:36:13.992932 IP 192.168.30.1.443 > 192.168.10.66.51056: Flags [S.], seq 1457390883, ack 978377219, win 28400, options [mss 1420,nop,nop,sackOK,nop,wscale 3], length 0
22:36:13.998889 IP 192.168.10.66.51055 > 192.168.30.1.443: Flags [.], ack 1, win 1026, length 0
22:36:14.000440 IP 192.168.10.66.51056 > 192.168.30.1.443: Flags [.], ack 1, win 1026, length 0
22:36:14.002658 IP 192.168.10.66.51056 > 192.168.30.1.443: Flags [P.], seq 1:518, ack 1, win 1026, length 517
22:36:14.004488 IP 192.168.10.66.51055 > 192.168.30.1.443: Flags [P.], seq 1:518, ack 1, win 1026, length 517
22:36:14.089798 IP 192.168.30.1.443 > 192.168.10.66.51055: Flags [.], ack 518, win 3684, length 0
22:36:14.093591 IP 192.168.30.1.443 > 192.168.10.66.51056: Flags [.], ack 518, win 3684, length 0
22:36:14.455281 IP 192.168.30.1.443 > 192.168.10.66.51056: Flags [P.], seq 1421:1579, ack 518, win 3684, length 158
22:36:14.458311 IP 192.168.10.66.51056 > 192.168.30.1.443: Flags [.], ack 1, win 1026, options [nop,nop,sack 1 {1421:1579}], length 0
22:36:14.577230 IP 192.168.30.1.443 > 192.168.10.66.51056: Flags [P.], seq 1421:1579, ack 518, win 3684, length 158
22:36:14.580128 IP 192.168.10.66.51056 > 192.168.30.1.443: Flags [.], ack 1, win 1026, options [nop,nop,sack 2 {1421:1579}{1421:1579}], length 0
22:36:19.334719 IP 192.168.30.1.443 > 192.168.10.66.51056: Flags [F.], seq 1579, ack 518, win 3684, length 0
22:36:19.337645 IP 192.168.10.66.51056 > 192.168.30.1.443: Flags [.], ack 1, win 1026, options [nop,nop,sack 1 {1421:1579}], length 0
22:36:19.339732 IP 192.168.30.1.443 > 192.168.10.66.51055: Flags [P.], seq 1:100, ack 518, win 3684, length 99
22:36:19.342951 IP 192.168.10.66.51055 > 192.168.30.1.443: Flags [P.], seq 518:841, ack 100, win 1025, length 323
22:36:19.397026 IP 192.168.30.1.443 > 192.168.10.66.51055: Flags [.], ack 841, win 3684, length 0
22:36:19.622125 IP 192.168.30.1.443 > 192.168.10.66.51055: Flags [P.], seq 1520:1721, ack 841, win 3684, length 201
22:36:19.625182 IP 192.168.10.66.51055 > 192.168.30.1.443: Flags [.], ack 100, win 1025, options [nop,nop,sack 1 {1520:1721}], length 0
22:36:24.622396 IP 192.168.30.1.443 > 192.168.10.66.51055: Flags [F.], seq 1721, ack 841, win 3684, length 0
22:36:24.625434 IP 192.168.10.66.51055 > 192.168.30.1.443: Flags [.], ack 100, win 1025, options [nop,nop,sack 1 {1520:1721}], length 0
^C96 packets captured
96 packets received by filter
0 packets dropped by kernel |
13.2) tcpdump on 192.168.30.1
Code: | root@WNDR4500:~# tcpdump -i oet1 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on oet1, link-type RAW (Raw IP), capture size 262144 bytes
22:36:13.917459 IP 192.168.10.66.51055 > 192.168.30.1.443: Flags [S], seq 2250877443, win 64240, options [mss 1420,nop,wscale 8,nop,nop,sackOK], length 0
22:36:13.917724 IP 192.168.30.1.443 > 192.168.10.66.51055: Flags [S.], seq 993199919, ack 2250877444, win 28400, options [mss 1420,nop,nop,sackOK,nop,wscale 3], length 0
22:36:13.917825 IP 192.168.10.66.51056 > 192.168.30.1.443: Flags [S], seq 978377218, win 64240, options [mss 1420,nop,wscale 8,nop,nop,sackOK], length 0
22:36:13.918028 IP 192.168.30.1.443 > 192.168.10.66.51056: Flags [S.], seq 1457390883, ack 978377219, win 28400, options [mss 1420,nop,nop,sackOK,nop,wscale 3], length 0
22:36:14.046217 IP 192.168.10.66.51056 > 192.168.30.1.443: Flags [.], ack 1, win 1026, length 0
22:36:14.051548 IP 192.168.10.66.51055 > 192.168.30.1.443: Flags [.], ack 1, win 1026, length 0
22:36:14.051808 IP 192.168.10.66.51055 > 192.168.30.1.443: Flags [P.], seq 1:518, ack 1, win 1026, length 517
22:36:14.051954 IP 192.168.30.1.443 > 192.168.10.66.51055: Flags [.], ack 518, win 3684, length 0
22:36:14.052069 IP 192.168.10.66.51056 > 192.168.30.1.443: Flags [P.], seq 1:518, ack 1, win 1026, length 517
22:36:14.058420 IP 192.168.30.1.443 > 192.168.10.66.51056: Flags [.], ack 518, win 3684, length 0
22:36:14.293366 IP 192.168.30.1.443 > 192.168.10.66.51056: Flags [P.], seq 1:1579, ack 518, win 3684, length 1578
22:36:14.545475 IP 192.168.30.1.443 > 192.168.10.66.51056: Flags [P.], seq 1421:1579, ack 518, win 3684, length 158
22:36:14.558594 IP 192.168.10.66.51056 > 192.168.30.1.443: Flags [.], ack 1, win 1026, options [nop,nop,sack 1 {1421:1579}], length 0
22:36:14.595678 IP 192.168.30.1.443 > 192.168.10.66.51056: Flags [.], seq 1:1421, ack 518, win 3684, length 1420
22:36:14.679382 IP 192.168.10.66.51056 > 192.168.30.1.443: Flags [.], ack 1, win 1026, options [nop,nop,sack 2 {1421:1579}{1421:1579}], length 0
22:36:14.986629 IP 192.168.30.1.443 > 192.168.10.66.51056: Flags [.], seq 1:1421, ack 518, win 3684, length 1420
22:36:15.758258 IP 192.168.30.1.443 > 192.168.10.66.51056: Flags [.], seq 1:1421, ack 518, win 3684, length 1420
22:36:17.321364 IP 192.168.30.1.443 > 192.168.10.66.51056: Flags [.], seq 1:1421, ack 518, win 3684, length 1420
22:36:19.295252 IP 192.168.30.1.443 > 192.168.10.66.51056: Flags [F.], seq 1579, ack 518, win 3684, length 0
22:36:19.300904 IP 192.168.30.1.443 > 192.168.10.66.51055: Flags [P.], seq 1:100, ack 518, win 3684, length 99
22:36:19.359023 IP 192.168.10.66.51056 > 192.168.30.1.443: Flags [.], ack 1, win 1026, options [nop,nop,sack 1 {1421:1579}], length 0
22:36:19.363442 IP 192.168.10.66.51055 > 192.168.30.1.443: Flags [P.], seq 518:841, ack 100, win 1025, length 323
22:36:19.363665 IP 192.168.30.1.443 > 192.168.10.66.51055: Flags [.], ack 841, win 3684, length 0
22:36:19.586715 IP 192.168.30.1.443 > 192.168.10.66.51055: Flags [P.], seq 100:1721, ack 841, win 3684, length 1621
22:36:19.642069 IP 192.168.10.66.51055 > 192.168.30.1.443: Flags [.], ack 100, win 1025, options [nop,nop,sack 1 {1520:1721}], length 0
22:36:19.666297 IP 192.168.30.1.443 > 192.168.10.66.51055: Flags [.], seq 100:1520, ack 841, win 3684, length 1420
22:36:20.057023 IP 192.168.30.1.443 > 192.168.10.66.51055: Flags [.], seq 100:1520, ack 841, win 3684, length 1420
22:36:20.447916 IP 192.168.30.1.443 > 192.168.10.66.51056: Flags [.], seq 1:1421, ack 518, win 3684, length 1420
22:36:20.828623 IP 192.168.30.1.443 > 192.168.10.66.51055: Flags [.], seq 100:1520, ack 841, win 3684, length 1420
22:36:22.391598 IP 192.168.30.1.443 > 192.168.10.66.51055: Flags [.], seq 100:1520, ack 841, win 3684, length 1420
22:36:24.585755 IP 192.168.30.1.443 > 192.168.10.66.51055: Flags [F.], seq 1721, ack 841, win 3684, length 0
22:36:24.646089 IP 192.168.10.66.51055 > 192.168.30.1.443: Flags [.], ack 100, win 1025, options [nop,nop,sack 1 {1520:1721}], length 0
22:36:25.527639 IP 192.168.30.1.443 > 192.168.10.66.51055: Flags [.], seq 100:1520, ack 841, win 3684, length 1420
22:36:26.700004 IP 192.168.30.1.443 > 192.168.10.66.51056: Flags [.], seq 1:1421, ack 518, win 3684, length 1420
22:36:31.779445 IP 192.168.30.1.443 > 192.168.10.66.51055: Flags [.], seq 100:1520, ack 841, win 3684, length 1420
22:36:39.226989 IP 192.168.30.1.443 > 192.168.10.66.51056: Flags [.], seq 1:1421, ack 518, win 3684, length 1420
22:36:44.306606 IP 192.168.30.1.443 > 192.168.10.66.51055: Flags [.], seq 100:1520, ack 841, win 3684, length 1420
22:36:44.356826 IP 192.168.10.66.51056 > 192.168.30.1.443: Flags [F.], seq 518, ack 1, win 1026, length 0
22:36:44.357014 IP 192.168.30.1.443 > 192.168.10.66.51056: Flags [.], ack 519, win 3684, length 0
22:36:44.698585 IP 192.168.10.66.51055 > 192.168.30.1.443: Flags [F.], seq 841, ack 100, win 1025, length 0
22:36:44.698770 IP 192.168.30.1.443 > 192.168.10.66.51055: Flags [.], ack 842, win 3684, length 0
^C
41 packets captured
41 packets received by filter
0 packets dropped by kernel |
=> Something is wrong in WNDR4500. Routes & iptables seem to be OK. Seems something is wrong in dd-wrt code in router Gateway mode in combination with WiFi Client internet access (not all packets are passing the WireGuard interface).
Any advice is welcome. I tried several changes in WG setup, but no change in behaviour. Same issue was with older code r43886 on master router. Apparently some issue has been present for longer and is not resolved till now. |
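The two captures in the post can be compared mechanically instead of by eye. The following is an added Python example (my own code, not the poster's and not part of dd-wrt or WireGuard) that parses tcpdump's one-line TCP summaries, pairs a sender-side capture with the matching receiver-side capture, and lists data segments that left the sender but never appeared at the far end, grouped by payload length. The sample input is an excerpt of the 192.168.30.1:443 -> 192.168.10.66:51056 lines from sections 13.1 and 13.2 above, embedded as constructed test data. On that input it reports that only the full-MSS 1420-byte segment never arrives while the 158-byte tail does, which is the pattern a troubleshooter would want to confirm before suspecting the WireGuard code: full-size segments vanishing on one path is what a tunnel MTU or missing MSS clamp looks like. The `mss` value 1420 is taken from the SYN options in the captures; a segment longer than the MSS is treated as an offload-merged super-segment (tcpdump on the sending host sees it before the NIC splits it) and is reported separately rather than counted as lost.

```python
import re
from collections import defaultdict

# Constructed sample input: the 192.168.30.1:443 -> 192.168.10.66:51056 direction
# from the post's captures 13.2 (taken on 192.168.30.1, the sender) and
# 13.1 (taken on 192.168.10.1, the receiving side of the tunnel).
SENDER_SIDE = """\
22:36:14.293366 IP 192.168.30.1.443 > 192.168.10.66.51056: Flags [P.], seq 1:1579, ack 518, win 3684, length 1578
22:36:14.545475 IP 192.168.30.1.443 > 192.168.10.66.51056: Flags [P.], seq 1421:1579, ack 518, win 3684, length 158
22:36:14.595678 IP 192.168.30.1.443 > 192.168.10.66.51056: Flags [.], seq 1:1421, ack 518, win 3684, length 1420
22:36:14.986629 IP 192.168.30.1.443 > 192.168.10.66.51056: Flags [.], seq 1:1421, ack 518, win 3684, length 1420
22:36:19.295252 IP 192.168.30.1.443 > 192.168.10.66.51056: Flags [F.], seq 1579, ack 518, win 3684, length 0
"""

RECEIVER_SIDE = """\
22:36:14.455281 IP 192.168.30.1.443 > 192.168.10.66.51056: Flags [P.], seq 1421:1579, ack 518, win 3684, length 158
22:36:14.577230 IP 192.168.30.1.443 > 192.168.10.66.51056: Flags [P.], seq 1421:1579, ack 518, win 3684, length 158
22:36:19.334719 IP 192.168.30.1.443 > 192.168.10.66.51056: Flags [F.], seq 1579, ack 518, win 3684, length 0
"""

# tcpdump -n TCP summary line: seq and ack are optional (SYN has no ack, pure ACKs
# have no seq), options may be absent, and trailing protocol decode is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\],"
    r"(?: seq (?P<seq>\d+)(?::(?P<end>\d+))?,)?"
    r"(?: ack (?P<ack>\d+),)?"
    r" win \d+,"
    r"(?: options \[[^\]]*\],)?"
    r" length (?P<len>\d+)"
)


def parse(text):
    """Turn tcpdump output into a list of dicts; non-matching lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        seq = int(m.group("seq")) if m.group("seq") else None
        end = int(m.group("end")) if m.group("end") else seq
        pkts.append({"ts": m.group("ts"), "src": m.group("src"), "dst": m.group("dst"),
                     "flags": m.group("flags"), "seq": seq, "end": end,
                     "len": int(m.group("len"))})
    return pkts


def data_segments(pkts):
    """Count transmissions of each data-carrying segment, keyed by flow and seq range."""
    seen = defaultdict(int)
    for p in pkts:
        if p["len"] > 0:
            seen[(p["src"], p["dst"], p["seq"], p["end"])] += 1
    return seen


def lost_segments(sender_text, receiver_text, mss=1420):
    """Segments (payload <= mss) seen leaving the sender but never seen by the receiver.

    Returns a list of (src, dst, "start:end", payload_len, times_sent) sorted by seq.
    Segments longer than mss are offload-merged on the sender and are skipped here.
    """
    sent = data_segments(parse(sender_text))
    got = data_segments(parse(receiver_text))
    lost = []
    for (src, dst, s, e), n in sent.items():
        if e - s <= mss and (src, dst, s, e) not in got:
            lost.append((src, dst, f"{s}:{e}", e - s, n))
    return sorted(lost, key=lambda r: int(r[2].split(":")[0]))


def loss_by_length(sender_text, receiver_text, mss=1420):
    """Per payload length: transmissions sent, distinct ranges that arrived, and
    distinct ranges that never arrived. A cutoff at one size points at MTU/MSS."""
    sent = data_segments(parse(sender_text))
    got = data_segments(parse(receiver_text))
    table = defaultdict(lambda: {"sent": 0, "arrived": 0, "never_arrived": 0})
    for key, n in sent.items():
        length = key[3] - key[2]
        if length > mss:
            continue  # offload super-segment, split on the wire; see lost_segments()
        table[length]["sent"] += n
        table[length]["arrived" if key in got else "never_arrived"] += 1
    return dict(table)


if __name__ == "__main__":
    for row in lost_segments(SENDER_SIDE, RECEIVER_SIDE):
        print("never seen at receiver:", row)
    for length, stats in sorted(loss_by_length(SENDER_SIDE, RECEIVER_SIDE).items()):
        print(f"payload {length:5d}: {stats}")
```

To use it on your own routers, run `tcpdump -i oet1 -n` on both tunnel endpoints at the same time, save each output, and pass the sender-side text and receiver-side text to `lost_segments()`; a result in which every missing entry has the same payload length (here 1420) while shorter segments of the same flow arrive is the signature to look for, as opposed to random loss, which would spread across sizes.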