Wireless adapter: ASUS PCE-AC88
Running on the router: Fedora 33, firewalld, hostapd (built from master), dnsmasq
Routing to the internet works fine; all stations are routed to the WAN provided by my ISP (Xfinity) through the cable modem attached to the wired LAN interface (enp4s0).
But the connected clients cannot talk to each other: no ping, no ARP discovery, completely isolated.
ifconfig output on the router:
enp4s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet <censored> netmask 255.255.248.0 broadcast <censored>
inet6 <censored> prefixlen 64 scopeid 0x20<link>
ether <censored> txqueuelen 1000 (Ethernet)
RX packets 4508572 bytes 5664501825 (5.2 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1793759 bytes 1160297835 (1.0 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 16
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 170 bytes 32986 (32.2 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 170 bytes 32986 (32.2 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wlp1s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.1 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::2efd:a1ff:fecf:2ee0 prefixlen 64 scopeid 0x20<link>
ether <censored> txqueuelen 1000 (Ethernet)
RX packets 1711022 bytes 1123229018 (1.0 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4455139 bytes 5651027770 (5.2 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
The firewall is firewalld (no iptables) with two zones, internal and external:
$ sudo firewall-cmd --zone=external --list-all
external (active)
target: default
icmp-block-inversion: no
interfaces: enp4s0
sources:
services:
ports:
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
$ sudo firewall-cmd --zone=internal --list-all
internal (active)
target: default
icmp-block-inversion: no
interfaces: wlp1s0
sources:
services: dhcp dhcpv6-client dns mdns samba-client ssh
ports: 5001/tcp
protocols: icmp
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
hostapd was built following this page: https://gist.github.com/picchietti/337029cf1946ff9e43b0f57aa75f6556
hostapd.conf (note that it is not bridged):
interface=wlp1s0
driver=nl80211
#I tried both settings of ap_isolate with the same results
ap_isolate=0
ctrl_interface=/var/run/hostapd
logger_syslog=-1
logger_syslog_level=0
ssid=TestSSID
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_pairwise=CCMP
wpa_passphrase=<censored>
auth_algs=1
country_code=US
ieee80211d=1
hw_mode=a
ieee80211ac=1
vht_capab=[SHORT-GI-80][MU_BEAMFORMER]
vht_oper_chwidth=1
vht_oper_centr_freq_seg0_idx=42
ieee80211n=1
ht_capab=[VHT160][HT40+][SHORT-GI-40][SHORT-GI-160][DSSS_CCK-40]
wme_enabled=1
wmm_enabled=1
channel=36
dnsmasq.conf:
interface=wlp1s0
no-resolv
dhcp-range=192.168.1.10,192.168.1.250,255.255.255.0,12h
dhcp-option=3,192.168.1.1
dhcp-option=6,192.168.1.1
cache-size=1500
log-queries
log-dhcp
listen-address=192.168.1.1,127.0.0.1
server=75.75.75.75
server=75.75.76.76
server=8.8.8.8
server=8.8.4.4
Routing table on the router:
$ ip route
default via <isp gateway> dev enp4s0 proto dhcp metric 100
<public net> dev enp4s0 proto kernel scope link src <public ip> metric 100
169.254.0.0/16 dev wlp1s0 scope link metric 1004
192.168.1.0/24 dev wlp1s0 proto kernel scope link src 192.168.1.1
The stations are assigned a default route but cannot ping each other:
$ ip route
default via 192.168.1.1 dev wls7 proto static metric 600
192.168.1.0/24 dev wls7 proto kernel scope link src 192.168.1.54 metric 600
$ ping 192.168.1.69
PING 192.168.1.69 (192.168.1.69) 56(84) bytes of data.
From 192.168.1.54 icmp_seq=1 Destination Host Unreachable
From 192.168.1.54 icmp_seq=2 Destination Host Unreachable
From 192.168.1.54 icmp_seq=3 Destination Host Unreachable
If I manually add a route back to the router on a station:
$ sudo route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1
then they can talk to each other (still no ARP), but this should not be necessary; I only tried this step to make sure the firewall was not getting in the way.
When I inspect the traffic with tcpdump:
$ sudo tcpdump ip proto \icmp -i wlp1s0
I only see ICMP traffic when the manual route has been added on the station.
As an experiment, I connected the same stations to my Galaxy Note 10 hotspot, which assigns a routing table similar to my router's, and there they can ping and connect to each other.
What is blocking traffic on the wireless network?
Thanks
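The following is an added example, not code from the original post: it models the station's next-hop decision for the two routing tables quoted above, to make explicit what the manual `route add ... gw 192.168.1.1` changes. It assumes the Linux lookup rules (longest matching prefix, then lowest metric), that an on-link route makes the station ARP for the destination itself while a `via` route makes it ARP for the gateway, and that net-tools `route add` without `metric` installs the route with metric 0 (which `ip route` prints without a metric field). The route tables are constructed from the `ip route` output in the post; the censored WAN lines of the router table are omitted.

```python
# Added example (not from the original post). Assumptions are marked below.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[ipaddress.IPv4Address]  # None means on-link ("scope link")
    metric: int


def parse_ip_route(text: str) -> List[Route]:
    """Parse the subset of `ip route` output that appears in the post."""
    routes = []
    for line in text.strip().splitlines():
        toks = line.split()
        dst = "0.0.0.0/0" if toks[0] == "default" else toks[0]
        via, dev, metric = None, "", 0  # assumption: missing metric field == 0
        i = 1
        while i + 1 < len(toks):
            if toks[i] == "via":
                via = ipaddress.IPv4Address(toks[i + 1])
            elif toks[i] == "dev":
                dev = toks[i + 1]
            elif toks[i] == "metric":
                metric = int(toks[i + 1])
            i += 1  # proto/scope/src do not influence the next-hop choice
        routes.append(Route(ipaddress.IPv4Network(dst, strict=False), dev, via, metric))
    return routes


def lookup(routes: List[Route], dst: str) -> Route:
    """Longest-prefix match; among equal prefixes the lowest metric wins."""
    d = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if d in r.prefix]
    if not candidates:
        raise LookupError(f"no route to {dst}")
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.metric))


def arp_target(routes: List[Route], dst: str) -> str:
    """Address the sender must resolve with ARP before it can transmit to dst.

    If that resolution gets no reply, the sender's own kernel produces the
    'From <own address> ... Destination Host Unreachable' lines seen in the
    post, and no ICMP echo ever leaves the station.
    """
    r = lookup(routes, dst)
    return str(r.via) if r.via is not None else dst


# Station table exactly as posted (before the manual route).
STATION_BEFORE = parse_ip_route("""
default via 192.168.1.1 dev wls7 proto static metric 600
192.168.1.0/24 dev wls7 proto kernel scope link src 192.168.1.54 metric 600
""")

# Same table after `route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1`.
# The added line is how `ip route` would print it (assumption: metric 0, no field shown).
STATION_AFTER = parse_ip_route("""
default via 192.168.1.1 dev wls7 proto static metric 600
192.168.1.0/24 via 192.168.1.1 dev wls7
192.168.1.0/24 dev wls7 proto kernel scope link src 192.168.1.54 metric 600
""")

# Router table, LAN side only (the censored WAN entries from the post are left out).
ROUTER = parse_ip_route("""
169.254.0.0/16 dev wlp1s0 scope link metric 1004
192.168.1.0/24 dev wlp1s0 proto kernel scope link src 192.168.1.1
""")


if __name__ == "__main__":
    for name, table in (("before", STATION_BEFORE), ("after", STATION_AFTER)):
        r = lookup(table, "192.168.1.69")
        print(f"station {name}: {r.prefix} via={r.via} metric={r.metric} -> "
              f"ARP for {arp_target(table, '192.168.1.69')}")
    # With the gateway route the echo request is handed to the router, which
    # then has an on-link route for 192.168.1.69 and must ARP for it itself.
    print("router: ARP for", arp_target(ROUTER, "192.168.1.69"))
```

Run it as a script to see the two decisions side by side: before the manual route the station must ARP for 192.168.1.69 directly over the air, so with no reply the ping dies locally and tcpdump on the router sees no ICMP; after it, the /24 `via` entry wins on metric (0 versus 600) and the station ARPs only for 192.168.1.1, the router's own address, so the packet reaches the router and is IP-forwarded back out of wlp1s0, which matches what the post observes with tcpdump.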