OpenWrt Forum Archive

Topic: ARP - chicken and egg problem

The content of this topic has been archived on 27 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I figured a good way to ask for help with this problem is to first pose the solution I came up with and hopefully that should shed some light on the initial problem I posed here: https://forum.openwrt.org/viewtopic.php?id=64749, since I didn't do a good job explaining the issue I was having.

Current solution:

#!/bin/sh
# Runs from cron every minute: broadcast-ping the wwan /24, then ping every
# ARP neighbour in that /24 so the router's own ARP entries stay populated.
# ("local" is only valid inside a function in busybox ash, so plain
# variables are used here.)
gateway=$(route -n | grep UG | awk '{print $2}')
subnet=$(echo "$gateway" | awk '{split($0, a, "."); print a[1]"."a[2]"."a[3]}')

if [ -n "$subnet" ]; then
        bcast="$subnet.255"
        ping -c 10 -w 10 -q "$bcast" > /dev/null

        # /proc/net/arp columns: IP address, HW type, Flags, HW address, Mask, Device
        for ip in $(grep -v IP /proc/net/arp | awk '{print $1}'); do
                belongs=$(echo "$ip" | awk '{split($0, a, "."); print a[1]"."a[2]"."a[3]}')
                if [ -n "$belongs" ] && [ "$belongs" = "$subnet" ]; then
                        ping -c 2 -w 2 -q "$ip" > /dev/null
                fi
        done
fi

I'm running in AP+STA mode. Other devices in the same subnet (wwan-side) can't ping my OpenWrt router unless I ping them first, to get them in my ARP table. So my laptop can't ping the router unless I get in via serial, ping the laptop and then the laptop can ping the router. Obviously this is not workable.

So what I've done is create a cron job that first broadcasts an ARP message and pings whoever responds. This way I can ping and ssh into the router at any time. This cron job kicks off every minute, so the most a user has to wait is 60 seconds to be able to ping or ssh into the router. That's also not acceptable. The router should respond to ping messages right away and allow authenticated users to ssh in with no delay.

Things I've tried:

  • Stop firewall, disable firewall

  • Add icmp specific rules to the firewall

  • Change sysctl settings to allow for icmp request and responses

  • Turn off power save

  • Request dhcp leases more frequently in case udhcpc is broken and doesn't renew leases

What am I doing wrong or not configuring to allow this as a default? Please see my configs below. Any insight is greatly appreciated. Thank you.

System:

{
        "kernel": "3.18.21",
        "hostname": "OpenWrt",
        "system": "Ralink RT3352 id:1 rev:6",
        "model": "Allnet ALL5002",
        "release": {
                "distribution": "OpenWrt",
                "version": "Bleeding Edge",
                "revision": "ping",
                "codename": "designated_driver",
                "target": "ramips\/rt305x",
                "description": "OpenWrt Designated Driver ping"
        }
}

Network:

config globals 'globals'
        option ula_prefix 'fdf3:ec15:e21b::/48'

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config interface 'wwan'
        option proto 'dhcp'
        option sendopts 'hostname:Panel lease:1800'
        option clientid 'xxxxxxxx'

config interface 'lan'
        option proto 'static'
        option ifname 'eth0'
        option netmask '255.255.255.0'
        option ipaddr '172.16.10.254'
        option type 'bridge'
        option gateway '192.168.1.1'
        option dns '192.168.1.1'

Wireless:

config wifi-device 'radio0'
        option type 'mac80211'
        option path '10180000.wmac'
        option disabled '0'
        option txpower '20'
        option country 'US'
        option htmode 'HT20'
        option hwmode '11g'
        option obss_interval '300'
        option noscan '0'
        option log_level '0'
        list ht_capab 'SHORT-GI-20'
        list ht_capab 'SHORT-GI-40'
        list ht_capab 'TX-STBC'
        list ht_capab 'RX-STBC1'
        list basic_rate '12000'
        list basic_rate '24000'
        list basic_rate '54000'
        list supported_rates '12000'
        list supported_rates '18000'
        list supported_rates '24000'
        list supported_rates '36000'
        list supported_rates '48000'
        list supported_rates '54000'

config wifi-iface
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'xxxx'
        option encryption 'psk2'
        option key 'xxxx'
        option wps_pushbutton '1'
        option macaddr 'aa:bb:cc:dd:ee:ff'
        option disassoc_low_ack '0'
        option max_inactivity '1810'
        option skip_inactivity_poll '1'
        option max_listen_interval '65535'

config wifi-iface
        option network 'wwan'
        option mode 'sta'
        option ssid 'myssid'
        option encryption 'psk2'
        option key 'myssidkey'
        option device 'radio0'
        option macaddr 'aa:bb:cc:dd:ee:ff'
        option channel '6'

DHCP:

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '0'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '100'
        option leasetime '86400m'
        option ignore '0'
        option ra 'server'
        option dhcpv6 'server'

config dhcp 'wwan'
        option interface 'wwan'
        option ignore '1'

Sysctl.conf:

kernel.panic=3
kernel.core_pattern=/tmp/%e.%t.%p.%s.core

net.ipv4.conf.default.arp_ignore=0
net.ipv4.conf.all.arp_ignore=0

net.ipv4.ip_forward=1
net.ipv4.ipfrag_secret_interval=600

net.ipv4.icmp_echo_ignore_all=0
net.ipv4.icmp_echo_ignore_broadcasts=0
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.icmp_ratemask=6168

net.ipv4.conf.wlan0.arp_accept=1
net.ipv4.conf.wlan0.arp_announce=2
net.ipv4.conf.wlan0.arp_filter=0
net.ipv4.conf.wlan0.arp_ignore=0
net.ipv4.conf.wlan0.arp_notify=1

net.ipv4.igmp_max_memberships=100

net.ipv4.tcp_fin_timeout=30
net.ipv4.tcp_keepalive_time=120
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_timestamps=1
net.ipv4.tcp_sack=1
net.ipv4.tcp_dsack=1

net.ipv6.conf.default.forwarding=1
net.ipv6.conf.all.forwarding=1

net.netfilter.nf_conntrack_acct=1
net.netfilter.nf_conntrack_checksum=0
net.netfilter.nf_conntrack_max=16384
net.netfilter.nf_conntrack_tcp_timeout_established=7440
net.netfilter.nf_conntrack_udp_timeout=60
net.netfilter.nf_conntrack_udp_timeout_stream=180
net.netfilter.nf_conntrack_icmp_timeout=30
net.netfilter.nf_conntrack_icmpv6_timeout=30

Firewall:

config defaults 
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'wwan'
        option network 'wwan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wwan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wwan'
        option proto 'udp'
        option dest_port '67-68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-ICMPv4-Input'
        option src 'wwan'
        option proto 'icmp'
        option family 'ipv4'
        option target 'ACCEPT'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'

config rule
        option name 'Allow-ICMPv4-Forward'
        option src 'wwan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wwan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option src 'lan'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '1900-1901'

config rule
        option name 'Allow-IGMP-Lan'
        option src 'lan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option src 'lan'
        option proto 'udp'
        option dest 'lan'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wwan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wwan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wwan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wwan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option src 'wwan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option src 'wwan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include  
        option path '/etc/firewall.user'

config rule 'lan_rule_dns'
        option name 'Allow DNS Queries'
        option src 'lan'
        option dest_port '53'
        option proto 'udp'
        option target 'ACCEPT'

config rule 'lan_rule_dhcp'
        option name 'Allow DHCP request'
        option src 'lan'
        option src_port '67-68'
        option dest_port '67-68'
        option proto 'udp'
        option target 'ACCEPT'
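The cron script above assumes a /24 and pings every address in /proc/net/arp, including incomplete entries. The following is an added example, not the poster's script or anything from OpenWrt: it does the same neighbour selection but honours an arbitrary netmask and skips entries that have no MAC yet (flags other than 0x2). The ARP table and the gateway/netmask are constructed so it runs offline; on the router you would pass in `cat /proc/net/arp` and the values from `ip route` / `ifconfig wlan0`. The two wlan0 MAC addresses are the ones from the capture later in this thread; the other entries are made up.

```shell
#!/bin/sh
# Added example (not the poster's script): subnet-aware neighbour discovery
# that reads an ARP table passed in as text, so it runs offline.  On the
# router the table would be `cat /proc/net/arp` and the gateway/netmask
# would come from `ip route` / `ifconfig wlan0`; here both are constructed.

# Constructed /proc/net/arp contents: two complete entries on wlan0, one
# incomplete entry (flags 0x0, no MAC yet), and one entry on another device.
SAMPLE_ARP_TABLE='IP address       HW type     Flags       HW address            Mask     Device
192.168.36.1     0x1         0x2         d8:fe:e3:7a:dc:12     *        wlan0
192.168.36.102   0x1         0x2         b8:ca:3a:77:58:ff     *        wlan0
192.168.36.77    0x1         0x0         00:00:00:00:00:00     *        wlan0
172.16.10.20     0x1         0x2         02:00:00:aa:bb:cc     *        br-lan'

# Dotted quad -> 32-bit integer, using only POSIX sh arithmetic.
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Print 1 if $1 and $2 fall in the same network under netmask $3, else 0.
# Unlike a fixed split on the first three octets, this honours any mask.
same_subnet() {
    a=$(ip_to_int "$1")
    b=$(ip_to_int "$2")
    m=$(ip_to_int "$3")
    if [ $(( a & m )) -eq $(( b & m )) ]; then
        echo 1
    else
        echo 0
    fi
}

# Print the addresses of complete ARP entries (flags 0x2) on device $4 that
# share the network of gateway $2 / netmask $3.  $1 is the ARP table text.
arp_peers_in_subnet() {
    printf '%s\n' "$1" | while read -r ip _hwtype flags _hwaddr _mask device; do
        if [ "$ip" != "IP" ] && [ "$flags" = "0x2" ] && [ "$device" = "$4" ] \
            && [ "$(same_subnet "$ip" "$2" "$3")" = 1 ]; then
            echo "$ip"
        fi
    done
    return 0
}

# Stand-alone run: list who the cron job would ping on wlan0.
arp_peers_in_subnet "$SAMPLE_ARP_TABLE" 192.168.36.1 255.255.255.0 wlan0
```

The device filter matters on this box because br-lan and wlan0 share one ARP table: without it the loop would also ping LAN-side hosts that have nothing to do with the wwan problem.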

I remember having the same issue where one laptop could not ping the other while both were connected to the same network, until the first laptop started pinging the second one. Both laptops were running Linux, and the router was in AP mode.

Thanks for the reply anarchy99. I haven't seen this issue in AP-only mode, but primarily in AP+STA mode. But I think you raise an interesting point. What happens if I remove the 'isolate' flag and have two devices connected to my AP ping each other? I will try that and post results. The current problem is devices connecting to the same nexthop (in this case my Netgear router linked to Comcast). These devices can ping each other but not the OpenWrt client, unless the OpenWrt client pings them first. Thanks.

Have you tried using TCPDump on the local WLAN interface to see if for some reason the ARP responses are ending up there?

Yeah, tcpdump doesn't show the ARP packets hitting the router. On the sending host, I see 'who-has 192.168.1.x, tell 192.168.1.y' messages. But none on the router side.

nenekofi wrote:

Yeah, tcpdump doesn't show the ARP packets hitting the router. On the sending host, I see 'who-has 192.168.1.x, tell 192.168.1.y' messages. But none on the router side.

Does the router see any mac-broadcast traffic?

So if I ping the router from my linux laptop, this is the results:

root@OpenWrt:/# tcpdump -i wlan0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlan0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:32:10.784155 IP 192.168.36.102 > 192.168.36.101: ICMP echo request, id 23452, seq 1, length 64
12:32:10.784608 ARP, Request who-has 192.168.36.102 tell 192.168.36.101, length 28
12:32:10.790744 ARP, Reply 192.168.36.102 is-at b8:ca:3a:77:58:ff (oui Unknown), length 46
12:32:10.790828 IP 192.168.36.101 > 192.168.36.102: ICMP echo reply, id 23452, seq 1, length 64
12:32:10.866223 IP 192.168.36.101.48423 > 192.168.36.1.53: 2179+ PTR? 102.36.168.192.in-addr.arpa. (45)
12:32:10.866538 IP 192.168.36.101.48423 > 192.168.36.1.53: 2179+ PTR? 102.36.168.192.in-addr.arpa. (45)
12:32:10.932280 IP 192.168.36.1.53 > 192.168.36.101.48423: 2179 NXDomain 0/1/0 (122)
12:32:12.064114 IP 192.168.36.1.53 > 192.168.36.101.41696: 6465 NXDomain 0/1/0 (120)
12:32:14.760216 IP 192.168.36.101 > 192.168.36.102: ICMP echo reply, id 23452, seq 5, length 64
12:32:15.750226 IP 192.168.36.102 > 192.168.36.101: ICMP echo request, id 23452, seq 6, length 64
12:32:15.750523 IP 192.168.36.101 > 192.168.36.102: ICMP echo reply, id 23452, seq 6, length 64
12:32:15.873043 ARP, Request who-has 192.168.36.1 tell 192.168.36.101, length 28
12:32:15.876737 ARP, Reply 192.168.36.1 is-at d8:fe:e3:7a:dc:12 (oui Unknown), length 28

Openwrt -- 192.168.36.101
laptop -- 192.168.36.102

both connected to the same nexthop

Now, if I send a broadcast ping, the openwrt router doesn't respond to that ping

ping -b 192.168.36.255

This is with the solution I implemented already running, so perhaps I should disable that and try the test. I will repost the results of that
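A quick way to read a capture like the one above is to count, for the router's own address, how many ARP requests from peers arrive versus how many echo requests arrive. The script below is an added example, not something from the thread: it replays the pasted capture (router = 192.168.36.101) through a small classifier, and adds a constructed "healthy" capture for comparison. The verdict strings and the second capture are made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread): classify a tcpdump capture taken on
# the STA interface to see whether any peer's ARP request for the router's
# own address ever arrives.  SAMPLE_CAPTURE is the capture the poster pasted
# (router = 192.168.36.101); HEALTHY_CAPTURE is constructed for comparison.

SAMPLE_CAPTURE='12:32:10.784155 IP 192.168.36.102 > 192.168.36.101: ICMP echo request, id 23452, seq 1, length 64
12:32:10.784608 ARP, Request who-has 192.168.36.102 tell 192.168.36.101, length 28
12:32:10.790744 ARP, Reply 192.168.36.102 is-at b8:ca:3a:77:58:ff (oui Unknown), length 46
12:32:10.790828 IP 192.168.36.101 > 192.168.36.102: ICMP echo reply, id 23452, seq 1, length 64
12:32:10.866223 IP 192.168.36.101.48423 > 192.168.36.1.53: 2179+ PTR? 102.36.168.192.in-addr.arpa. (45)
12:32:10.866538 IP 192.168.36.101.48423 > 192.168.36.1.53: 2179+ PTR? 102.36.168.192.in-addr.arpa. (45)
12:32:10.932280 IP 192.168.36.1.53 > 192.168.36.101.48423: 2179 NXDomain 0/1/0 (122)
12:32:12.064114 IP 192.168.36.1.53 > 192.168.36.101.41696: 6465 NXDomain 0/1/0 (120)
12:32:14.760216 IP 192.168.36.101 > 192.168.36.102: ICMP echo reply, id 23452, seq 5, length 64
12:32:15.750226 IP 192.168.36.102 > 192.168.36.101: ICMP echo request, id 23452, seq 6, length 64
12:32:15.750523 IP 192.168.36.101 > 192.168.36.102: ICMP echo reply, id 23452, seq 6, length 64
12:32:15.873043 ARP, Request who-has 192.168.36.1 tell 192.168.36.101, length 28
12:32:15.876737 ARP, Reply 192.168.36.1 is-at d8:fe:e3:7a:dc:12 (oui Unknown), length 28'

# Constructed: what a normal exchange looks like (peer asks, router answers).
HEALTHY_CAPTURE='12:40:00.000001 ARP, Request who-has 192.168.36.101 tell 192.168.36.102, length 28
12:40:00.000500 ARP, Reply 192.168.36.101 is-at 00:11:22:33:44:55 (oui Unknown), length 28'

# Count ARP and ICMP echo lines that involve this host ($2) in capture $1.
# Uses a here-document rather than a pipe so the counters survive the loop.
capture_counts() {
    me=$2
    arp_in=0; arp_out=0; arp_reply_out=0; echo_in=0; echo_out=0
    while read -r line; do
        case $line in
            *"ARP, Request who-has $me tell "*)      arp_in=$((arp_in + 1)) ;;
            *"ARP, Request who-has "*" tell $me,"*)  arp_out=$((arp_out + 1)) ;;
            *"ARP, Reply $me is-at "*)               arp_reply_out=$((arp_reply_out + 1)) ;;
            *"> $me: ICMP echo request"*)            echo_in=$((echo_in + 1)) ;;
            *"IP $me > "*": ICMP echo reply"*)       echo_out=$((echo_out + 1)) ;;
        esac
    done <<EOF
$1
EOF
    echo "arp_in=$arp_in arp_out=$arp_out arp_reply_out=$arp_reply_out echo_in=$echo_in echo_out=$echo_out"
}

# One-word verdict derived from the counters above.
capture_verdict() {
    capture_counts "$1" "$2" > /dev/null
    if [ "$arp_in" -gt 0 ] && [ "$arp_reply_out" -gt 0 ]; then
        echo arp-ok          # peers ask for our MAC and we answer
    elif [ "$arp_in" -gt 0 ]; then
        echo arp-unanswered  # requests arrive but no reply leaves: check arp_ignore / arp_filter
    elif [ "$echo_in" -gt 0 ]; then
        echo no-arp-seen     # peers reach us without ever ARPing for us on this interface
    else
        echo idle
    fi
}

# Stand-alone run on the poster's capture.
capture_counts "$SAMPLE_CAPTURE" 192.168.36.101
capture_verdict "$SAMPLE_CAPTURE" 192.168.36.101
```

On the poster's capture this yields `no-arp-seen`: two echo requests arrive from the laptop, but no `who-has 192.168.36.101` ever appears on wlan0, only the router's own outgoing requests. That is consistent with the workaround being active (the laptop already learned the router's MAC from the router's earlier pings), so the capture should be repeated with the cron job disabled and the laptop's ARP entry for the router flushed before anything can be concluded about requests being dropped.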

nenekofi wrote:

Now, if I send a broadcast ping, the openwrt router doesn't respond to that ping

ping -b 192.168.36.255

Pinging the broadcast address and using -b is redundant: the -b is meant to ping a given host using the broadcast address, but wait for that specific host to reply. Pinging the broadcast IP intentionally will solicit responses from hosts whose stacks respond to that kind of thing (assuming all incoming traffic on the broadcast addr is for them). I just tried it on my OpenWRT devices and they don't (even on the inside with no firewall). So, as a symptom that is not a good test. Doing `ping -b [openwrt addr]` should work, though.

(Last edited by jeffmeden on 16 May 2016, 19:50)

Did you ever find a solution to this problem? I'm having the same problem, but only with an osx client...
