 
 From:  Scott Myers <scott at paperstreettech dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Slow/Buggy OPT1 Wireless Interface Hmm.. First confusion, then frustration... now what?
 Date:  Wed, 25 Oct 2006 10:59:02 -0400
Ok my previous mailing list posts don't even seem to point to the nature 
of this problem... I am running a Soekris net 4511 with a Senao 
NL-2511CD wireless card. (listed as supporting hostap in the Docs)
Whenever I try to connect via the Wireless/OPT1 interface, the 
performance is.. well strange.  I can go to a site, but then it hangs 
when loading the next site, or resolves one site and then not the next. 
I thought this was due to incorrect firewall rules on the OPT1 
interface, but no changes in these rules have yielded any positive 
results. Even worse, the firewall logs don't seem to show the OPT1 
experiencing any dropped packets due to rules, as previously thought. 
The LAN interface behaves beautifully, but no matter what I try to do 
the OPT1 interface refuses to act the same. I have tried reloading the 
M0n0wall software and resetting the rules, nothing works.  It never 
seems to perform correctly. I am not trying to be a PIA, but any help or 
places I could look to resolve the issue would be greatly appreciated.

Scott






Scott Myers wrote:
PS. I have looked at the interface stats and the wifi connection shows 
103 collision errors and 0 I/O errors.

Status     associated
MAC address     00:02:6f:3c:3c:5c
Channel     2
SSID     spicewifi
In/out packets     1870/917 (123 KB/421 KB)
In/out errors     0/0
Collisions     103



Scott Myers wrote:
Hi,

I have set up a net4511 running m0n0wall on a 340 MB IBM Microdrive. I am 
using the latest release as of this email, (1.22).

Interfaces:

WAN - PPPOE with WAN DNS address forwarding turned off.
LAN - Default 192.168.1.0 Subnet
WIFI - Bridged with LAN for testing
           Mode: hostap
           Channel: 2
           Station Name: Blank
           No WEP

Quality during testing for Wireless Link is 45.

Whenever I use the LAN interface, the connection is flawless. It runs 
smoothly and I experience no lag or slowness in the network.

Whenever I am attached to the WIFI connection, no matter the O/S used, 
card used (in laptop), or distance from the AP, it slows down, normally 
hanging up on resolving addresses (appears to have an issue resolving 
names on that interface).  My O/S shows that the servers it is using for 
DNS are the ISP servers, not trying to use DNS forwarding.

Any help or if I can offer any more information in regards to this 
setup, please let me know.



Chris,

Thanks for taking the time to assist me with this small, probably pebkac 
based error. Below is my config.xml. I have edited out any security risk 
based fields, so as to make it "Google Friendly".

My overall goal is to have the WIFI interface be on a separate subnet 
with firewall rules blocking any interaction between it and the LAN 
subnet, (along with some basic subnet masking to ensure a client doesn't 
just try to change their IP address to the LAN subnet, 192.168.1.0.)

I basically copied the default LAN firewall rule to the WIFI rule list, 
with the important areas (specifically where the interfaces are defined 
in the rule) set to WIFI instead of LAN.  I suspect the incoming rule 
needed to allow webservers, etc. to communicate back to the WIFI 
interface is missing. (usually on the return web port, some random high 
end port number). If so, does the m0n0wall just assume that LAN needs 
this rule, but doesn't list it in the config? If this is the case, could 
you give me a reasonable rule to allow the return packet data to cross 
the firewall to the WIFI interface?


Thank you again,

Scott

<?xml version="1.0"?>
<m0n0wall>
    <version>1.6</version>
    <lastchange>1160601938</lastchange>
    <system>
        <hostname>firewall</hostname>
        <domain>firewall.lan</domain>
        <username>admin</username>
        <password>password</password>
        <timezone>Etc/UTC</timezone>
        <time-update-interval>300</time-update-interval>
        <timeservers>pool.ntp.org</timeservers>
        <webgui>
            <protocol>http</protocol>
            <port/>
        </webgui>
        <dnsserver>64.203.254.30</dnsserver>
        <dnsserver>64.203.254.31</dnsserver>
    </system>
    <interfaces>
        <lan>
            <if>sis0</if>
            <ipaddr>192.168.1.1</ipaddr>
            <subnet>24</subnet>
            <media/>
            <mediaopt/>
        </lan>
        <wan>
            <if>sis1</if>
            <mtu/>
            <media/>
            <mediaopt/>
            <spoofmac/>
            <ipaddr>pppoe</ipaddr>
        </wan>
        <opt1>
            <descr>WIFI</descr>
            <if>wi0</if>
            <wireless>
                <standard></standard>
                <mode>hostap</mode>
                <ssid>wifi</ssid>
                <stationname/>
                <channel>2</channel>
                <wep>
                </wep>
            </wireless>
            <ipaddr>192.168.2.1</ipaddr>
            <subnet>24</subnet>
            <bridge>lan</bridge>
        </opt1>
    </interfaces>
    <staticroutes/>
    <pppoe>
        <username>user</username>
        <password>password</password>
        <provider/>
        <timeout/>
    </pppoe>
    <pptp/>
    <bigpond/>
    <dyndns>
        <type>dyndns</type>
        <username/>
        <password/>
        <host/>
        <mx/>
        <server/>
        <port/>
    </dyndns>
    <dnsupdate/>
    <dhcpd>
        <lan>
            <enable/>
            <range>
                <from>192.168.1.100</from>
                <to>192.168.1.199</to>
            </range>
        </lan>
        <opt1>
            <range>
                <from>192.168.2.100</from>
                <to>192.168.2.250</to>
            </range>
            <defaultleasetime/>
            <maxleasetime/>
            <enable/>
        </opt1>
    </dhcpd>
    <pptpd>
        <mode/>
        <redir/>
        <localip/>
        <remoteip/>
    </pptpd>
    <dnsmasq/>
    <snmpd>
        <syslocation/>
        <syscontact/>
        <rocommunity>public</rocommunity>
    </snmpd>
    <diag>
        <ipv6nat>
            <ipaddr/>
        </ipv6nat>
    </diag>
    <bridge/>
    <syslog/>
    <nat/>
    <filter>
        <rule>
            <type>pass</type>
            <interface>opt1</interface>
            <source>
                <network>opt1</network>
            </source>
            <destination>
                <any/>
            </destination>
            <descr>Default Wifi --&gt; ANY</descr>
        </rule>
        <rule>
            <type>block</type>
            <interface>opt1</interface>
            <source>
                <network>opt1</network>
            </source>
            <destination>
                <network>lan</network>
            </destination>
            <disabled/>
            <descr>Block WIFI traffic from LAN Subnet</descr>
        </rule>
        <rule>
            <type>pass</type>
            <interface>lan</interface>
            <source>
                <network>lan</network>
            </source>
            <destination>
                <any/>
            </destination>
            <descr>Default LAN -&gt; any</descr>
        </rule>
    </filter>
    <shaper/>
    <ipsec/>
    <aliases/>
    <proxyarp/>
    <wol/>
</m0n0wall>



On 10/12/06, Scott Myers <scott at paperstreettech dot com> wrote:
> Sorry, I know this seems trivial but I have set up a secondary interface
> on a m0n0wall box, and am having little success in creating the proper
> firewall rules.
> I have duplicated (almost except the two fields where I switched LAN
> with OPT1) the default rule for the LAN interface, as well as tried to
> simply bridge the connections. No matter what I try, the OPT1 interface
> acts up, and the firewall logs show numerous blocked packets, but only
> when using the OPT1 interface.
>
> What am I missing?
>

Sufficient detail to be able to tell you what the problem is.  ;)

Easiest thing would be to post the entire interfaces and rules parts
of your config.xml.  Or if you don't want them forever archived by
Google, you can email it to me offlist.

-Chris
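
Added example, not part of the original thread and not m0n0wall's own code: a small audit of a config.xml against the goal stated above (WIFI/opt1 kept apart from the LAN subnet). It checks the three things visible in the posted config: the bridge setting, disabled block rules, and rule order. The function names are hypothetical, the sample is constructed from the posted config, and matching is simplified to rule type and destination.

```python
import xml.etree.ElementTree as ET

# Constructed sample: interfaces and opt1 filter rules trimmed from the posted config.
SAMPLE = """<m0n0wall>
  <interfaces>
    <opt1><descr>WIFI</descr><if>wi0</if><ipaddr>192.168.2.1</ipaddr>
      <subnet>24</subnet><bridge>lan</bridge></opt1>
  </interfaces>
  <filter>
    <rule><type>pass</type><interface>opt1</interface>
      <source><network>opt1</network></source><destination><any/></destination></rule>
    <rule><type>block</type><interface>opt1</interface><disabled/>
      <source><network>opt1</network></source>
      <destination><network>lan</network></destination></rule>
  </filter>
</m0n0wall>"""

def destination(rule):
    """Return 'any' or the named network a rule's destination points at."""
    node = rule.find("destination")
    if node is None or node.find("any") is not None:
        return "any"
    return node.findtext("network", default="other")

def audit_isolation(xml_text, iface="opt1", protected="lan"):
    """List reasons why clients on `iface` are not isolated from `protected`."""
    root = ET.fromstring(xml_text)
    findings = []
    bridge = root.findtext(f"interfaces/{iface}/bridge")
    if bridge:
        findings.append(f"{iface} is bridged with {bridge}")
    passed = blocked = False  # rules are evaluated top-down, first match wins
    for rule in root.findall("filter/rule"):
        if rule.findtext("interface") != iface:
            continue
        kind, dst = rule.findtext("type"), destination(rule)
        if rule.find("disabled") is not None:
            if kind == "block" and dst == protected:
                findings.append(f"block {iface}->{protected} rule is disabled")
        elif kind == "block" and dst in ("any", protected) and not passed:
            blocked = True
        elif kind == "block" and dst == protected:
            findings.append(f"block {iface}->{protected} rule is shadowed by an earlier pass rule")
        elif kind == "pass" and dst in ("any", protected) and not blocked:
            passed = True
    if passed:
        findings.append(f"{iface} traffic to {protected} is passed")
    return findings
```

An empty list means an enabled block rule for the protected network comes before any pass rule that would match it, and the interface is not bridged.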