[Bismark-devel] switching issue on device

[Bismark-devel] switching issue on device

[Nick Feamster]

when I ping my server from the openwrt box, I can see it:

root@OpenWrt:~# ping 172.16.0.159
PING 172.16.0.159 (172.16.0.159): 56 data bytes
64 bytes from 172.16.0.159: seq=0 ttl=64 time=1.326 ms
64 bytes from 172.16.0.159: seq=1 ttl=64 time=1.365 ms


but when I associate to the SSID of the OpenWRT box and try to ping my server's IP address, I can't.

Strangely, when I associate to an access point that is *downstream* of the OpenWRT box (i.e., a second access point that is actually connected to one of the switch ports on the OpenWRT box), pinging also works.  It is only when I associate directly to the OpenWRT box that (1) upnp names (e.g., back-bay.local), and (2) pinging the .159 address do not work. 

Any ideas what is going on here?

Thanks!
-Nick

Re: [Bismark-devel] switching issue on device

[Dave Taht]

On 04/17/2011 08:36 AM, Nick Feamster wrote:
> when I ping my server from the openwrt box, I can see it:
>
> root@OpenWrt:~# ping 172.16.0.159
> PING 172.16.0.159 (172.16.0.159): 56 data bytes
> 64 bytes from 172.16.0.159: seq=0 ttl=64 time=1.326 ms
> 64 bytes from 172.16.0.159: seq=1 ttl=64 time=1.365 ms
>
>
> but when I associate to the SSID of the OpenWRT box and try to ping my server's IP address, I can't.
>
> Strangely, when I associate to an access point that is *downstream* of the OpenWRT box (i.e., a second access point that is actually connected to one of the switch ports on the OpenWRT box), pinging also works.  It is only when I associate directly to the OpenWRT box that (1) upnp names (e.g., back-bay.local), and (2) pinging the .159 address do not work.
>

Multicast DNS (.local) addresses need a mdnsresponder installed. By 
default you are using pure dnsmasq, which defaults to naming various 
machines whatever.lan, (and can be configured to "do the right thing for 
real internet connections" by setting up

For example, in my case, my main dns server out on the internet for 
taht.net delegates the subdomain "co.teklibre.org" to my gateway there 
(or it did, before I left colorado) and my router would assign names and 
addresses inside of that space, (after setting it up to use 
co.teklibre.org and not .lan) example: cruithne.co.teklibre.org is my 
laptop.

> Any ideas what is going on here?
>
I'm mildly confused as to your topology here. Diagram?

You are behind NAT by default, so if you try to ping through the WAN 
port to something anything inside the LAN, those machines will be 
unreachable. You should however, be able to ping from the wireless to 
anywhere wired, LAN or WAN port. If you have AP isolation turned on in 
the wireless side, you cannot ping any other wireless connection, and 
I'm unsure what the behavior is for wired to wireless in that case.

(I HATE AP isolation personally, but it exists to virus proof public 
wireless lans)

Ping me on #bismark if you need further aid.

> Thanks!
> -Nick
> _______________________________________________
> Bismark-devel mailing list
> Bismark-devel@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/bismark-devel

Re: [Bismark-devel] switching issue on device

[Nick Feamster]

On Apr 17, 2011, at 10:46 AM, Dave Taht wrote:

> I'm mildly confused as to your topology here. Diagram?
> 
> You are behind NAT by default, so if you try to ping through the WAN port to something anything inside the LAN, those machines will be unreachable. You should however, be able to ping from the wireless to anywhere wired, LAN or WAN port. If you have AP isolation turned on in the wireless side, you cannot ping any other wireless connection, and I'm unsure what the behavior is for wired to wireless in that case.


I'm just talking about my LAN here:

		SERVER <----(2.4 GHz wireless, SSID "foo") ----> WNDR3700  <---- (wired LAN port) ----> Access Point 2 

* When I associate to AP2, I can ping SERVER, and resolve MDNS names.
* When I log into WNDR, I can ping SERVER
* When I associate to the WNDR3700, I can neither ping the server, nor resolve MDNS names.

So, isn't it strange that everything works when I'm connected via AP2, but not via the WNDR?  By my reasoning, all of the traffic that I'm sending when I'm connected via AP2 would have to go through the WNDR anyhow...

-Nick

Re: [Bismark-devel] switching issue on device

[Kim Hawtin]

On 18/04/11 00:22, Nick Feamster wrote:
> On Apr 17, 2011, at 10:46 AM, Dave Taht wrote:
>> I'm mildly confused as to your topology here. Diagram?
>>
>> You are behind NAT by default, so if you try to ping through the WAN
> port to something anything inside the LAN, those machines will be unreachable.
> You should however, be able to ping from the wireless to anywhere wired,
> LAN or WAN port. If you have AP isolation turned on in the wireless side,
> you cannot ping any other wireless connection, and I'm unsure what the
> behavior is for wired to wireless in that case.
>
> I'm just talking about my LAN here:
>
>  SERVER<----(2.4 GHz wireless, SSID "foo") ---->  WNDR3700<---- (wired LAN port) ---->  Access Point 2
>
> * When I associate to AP2, I can ping SERVER, and resolve MDNS names.
> * When I log into WNDR, I can ping SERVER
> * When I associate to the WNDR3700, I can neither ping the server, nor resolve MDNS names.
>
> So, isn't it strange that everything works when I'm connected via AP2,
> but not via the WNDR?  By my reasoning, all of the traffic that I'm
> sending when I'm connected via AP2 would have to go through the WNDR anyhow...

I am not sure how relevant my experience is here, as I am not using a 
WNDR3700. I have seen this behavior on other APs. I have a hunch that 
its related to how ARP is treated on the AP. In my case specifically on 
WPA2 on a modern Billion device that does ADSL2+/AP/VoIP. This behavior 
generally does not seem to be an issue on an open network or using WEP. 
I noticed this last weekend when I was setting up my server at home to 
to builds on, transfering files around with rsync/scp/etc

Only when *both* hosts on the wireless have ping'd the AP can then you 
ping the other hosts from wireless to wireless...

([laptop A], [laptop B]) --wifi-wpa2--> [AP] <--wired-- [server]

For example I can not ping [laptop B] from [laptop A], both being on the 
wireless using WPA2, until I ping the AP from both laptops. I can 
however ping the [server] from both laptops. However I can not ping 
either latptop from [server] until the laptop has ping'd [AP]. There is 
currently no mdns in use by any of these devices.

Perhaps the AP is building an internal table using mdns to 
allow/identify traffic across its interfaces?

regards,

Kim

Re: [Bismark-devel] switching issue on device

[Dave Taht]

On 04/17/2011 06:21 PM, Kim Hawtin wrote:
> On 18/04/11 00:22, Nick Feamster wrote:
>> On Apr 17, 2011, at 10:46 AM, Dave Taht wrote:
>>> I'm mildly confused as to your topology here. Diagram?
>>>
>>> You are behind NAT by default, so if you try to ping through the WAN
>> port to something anything inside the LAN, those machines will be 
>> unreachable.
>> You should however, be able to ping from the wireless to anywhere wired,
>> LAN or WAN port. If you have AP isolation turned on in the wireless 
>> side,
>> you cannot ping any other wireless connection, and I'm unsure what the
>> behavior is for wired to wireless in that case.
>>
>> I'm just talking about my LAN here:
>>
>>  SERVER<----(2.4 GHz wireless, SSID "foo") ---->  WNDR3700<---- 
>> (wired LAN port) ---->  Access Point 2
>>
>> * When I associate to AP2, I can ping SERVER, and resolve MDNS names.
>> * When I log into WNDR, I can ping SERVER
>> * When I associate to the WNDR3700, I can neither ping the server, 
>> nor resolve MDNS names.
>>
>> So, isn't it strange that everything works when I'm connected via AP2,
>> but not via the WNDR?  By my reasoning, all of the traffic that I'm
>> sending when I'm connected via AP2 would have to go through the WNDR 
>> anyhow...
>
> I am not sure how relevant my experience is here, as I am not using a 
> WNDR3700. I have seen this behavior on other APs. I have a hunch that 
> its related to how ARP is treated on the AP. In my case specifically 
> on WPA2 on a modern Billion device that does ADSL2+/AP/VoIP. This 
> behavior generally does not seem to be an issue on an open network or 
> using WEP. I noticed this last weekend when I was setting up my server 
> at home to to builds on, transfering files around with rsync/scp/etc
>
> Only when *both* hosts on the wireless have ping'd the AP can then you 
> ping the other hosts from wireless to wireless...
>
> ([laptop A], [laptop B]) --wifi-wpa2--> [AP] <--wired-- [server]
>
> For example I can not ping [laptop B] from [laptop A], both being on 
> the wireless using WPA2, until I ping the AP from both laptops. I can 
> however ping the [server] from both laptops. However I can not ping 
> either latptop from [server] until the laptop has ping'd [AP]. There 
> is currently no mdns in use by any of these devices.
>
> Perhaps the AP is building an internal table using mdns to 
> allow/identify traffic across its interfaces?

In Nick's case he had AP isolation on, which isolates individual 
wireless clients from each other on the same AP.

Most cafe's and public wifi spots have this on. Home users and anyone 
doing p2p stuff should have it off, and it should be off by default.

It's ironic that people trust the internet more than machines 
topologically close by these days.

So if you have AP isolation on in your WPA case and off in your WEP 
case, that's probably the real diagnosis.

I've *also* seen all kinds of issues with ARP of late, taking 10s of ms 
for an ARP reply to be propagated, and in the bufferbloated case, often 
failing entirely.

>
> regards,
>
> Kim
> _______________________________________________
> Bismark-devel mailing list
> Bismark-devel@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/bismark-devel

Re: [Bismark-devel] switching issue on device

[Nick Feamster]

On Apr 17, 2011, at 8:21 PM, Kim Hawtin wrote:

> Perhaps the AP is building an internal table using mdns to allow/identify traffic across its interfaces?

Yes, I also initially suspected an mdns issue, but it turned out to be the AP isolation point that Dave mentioned.

Both Dave and Srikanth insist that this option is disabled by default, but I'm pretty sure I would not have blindly disabled this option, especially since I had no idea what it was, or that it even existed, before today.  Hmm...  maybe I'm becoming senile.

-Nick

Re: [Bismark-devel] switching issue on device

[Kim Hawtin]

On 18/04/11 11:15, Dave Taht wrote:
> In Nick's case he had AP isolation on, which isolates individual
> wireless clients from each other on the same AP.
>
> Most cafe's and public wifi spots have this on. Home users and anyone
> doing p2p stuff should have it off, and it should be off by default.
>
> It's ironic that people trust the internet more than machines
> topologically close by these days.
>
> So if you have AP isolation on in your WPA case and off in your WEP
> case, that's probably the real diagnosis.

I will check this out when I get home. Its quite possible its the 
default on my AP.

I need to image my older WRT54g with bismark and tinker with it directly.

> I've *also* seen all kinds of issues with ARP of late, taking 10s of ms
> for an ARP reply to be propagated, and in the bufferbloated case, often
> failing entirely.

Will have to compare with other kit locally to figure what happens with 
consumer kit...

cheers,

Kim