MeshNat



Mesh uses multiple NAT
A mesh node uses multiple layers of NAT.

NAT link
It is registered in Wiana and has the 1.x.x.x on br0, but br1 is still defined by default even though it's not used (on this node). I agree with you that this is the problem... I'll try to change the br1 assignment to something in 192.99.99.x. Also found out that the ISP has locked the MAC of my laptop to the assigned IP (paranoid one! It's good sometimes to be on the customer end of things to experience stuff we force our own users to go through! ;). BTW, is there a way in (Linux) to clone/change the eth0 MAC? (It's a WRAP board.) I was planning on having a demonstration on how "easy" it is to set up a network with Mesh tomorrow!

> In general, the mesh system does not like having overlapping subnets (10.x, 172.x, 192.x) at different interfaces. From what you're describing, that may be the problem. I'd suggest registering the device at wiana, so that you get the 1.x.x.x address assigned to wlan0 instead of 10.x.

>> Well this one is! I'm currently travelling, and of course I brought one MeshAP with me for some testing. The ISP at my current location hands out IPs in the 10.x.x.x range, and the AP gets one assigned fine, but I can not reach out on the internet via my laptop. Before I hit my head too hard against the wall: is it supposed to work with a 10.x.x.x address on the eth0? (Node is gateway, and worked before I left home.) (By default wlan1 is assigned 10.x.x.x addresses; in my node only wlan0 is populated with a radio, but by MeshAP default a 10.x.x.x address is allocated for br1 and it seems to mess up the routes.) (To make things worse, the ISP is apparently dropping all pings and only allows use of their own DNS, which makes troubleshooting frustrating.) Can somebody give me some help? I'm tired and stuck, and I'm bound to use a cable attached to my laptop! ;) /Stefan (Just for fun, and with regards to the subject: http://www.apnic.net/meetings/17
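The thread above turns on one point: a stale 10.x default on br1 overlapping the ISP's 10.x lease on eth0. The following added example (not code from the original post or from the MeshAP project, and all addresses are constructed for illustration) checks a node's interface list for overlapping subnets and shows why an overlap makes the route to the ISP gateway ambiguous, and how moving br1 to 192.99.99.x removes it.

```python
"""Added example: find overlapping subnets across interfaces and show the
route ambiguity they cause. Addresses are constructed, not from the page."""
from ipaddress import ip_address, ip_interface
from typing import Dict, List, Tuple

# Constructed node config: br0 carries the Wiana-assigned 1.x address, eth0
# got a 10.x lease from the ISP, and br1 still has an unused 10.x default.
IFACES: Dict[str, str] = {
    "br0":  "1.2.3.4/24",
    "eth0": "10.20.30.40/8",   # constructed ISP lease; gateway 10.20.30.1
    "br1":  "10.1.1.1/8",      # constructed stale default on an unused bridge
}


def overlapping_interfaces(ifaces: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return every pair of interfaces whose connected subnets overlap."""
    nets = [(name, ip_interface(cidr).network) for name, cidr in ifaces.items()]
    pairs = []
    for i, (a, net_a) in enumerate(nets):
        for b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                pairs.append((a, b))
    return pairs


def connected_routes(ifaces: Dict[str, str]):
    """Kernel-style connected routes: one (network, device) per interface."""
    return [(ip_interface(cidr).network, name) for name, cidr in ifaces.items()]


def route_candidates(dest: str, routes) -> List[str]:
    """Longest-prefix match returning every device tied for the best prefix.
    More than one device means the egress interface depends on route
    insertion order or metric rather than on the destination."""
    d = ip_address(dest)
    matches = [(net.prefixlen, dev) for net, dev in routes if d in net]
    if not matches:
        return []
    best = max(plen for plen, _ in matches)
    return [dev for plen, dev in matches if plen == best]


if __name__ == "__main__":
    print("overlaps:", overlapping_interfaces(IFACES))
    print("ISP gateway 10.20.30.1 may leave via:",
          route_candidates("10.20.30.1", connected_routes(IFACES)))
    fixed = dict(IFACES, br1="192.99.99.1/24")   # the change proposed above
    print("after moving br1:",
          route_candidates("10.20.30.1", connected_routes(fixed)))
```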

NAT and SSH, Ethernet port to router
This is great... Exactly what I need since MikroTik cannot produce nice reports because of MeshAP requiring NAT on each node. When can I have this? :-) I assume these are scripts to install on the mesh nodes and a set of PHP to install somewhere...

> Over the past 2 weeks I've been working on a centralized tracking system for my mesh network. In the spirit of wiana, Dustin and I have been toying around with unix scripts and php to address our own concerns on our own network. What we wanted to do was create a web-based system like wiana that gave more detailed information about the activity and QoS of each individual user. Our solution... the MeshTrak system.
>
> This system allows you to monitor the byte usage of individual users, see users who are currently logged in, up-to-date client signal strengths, client signal trends, etc.
>
> At the moment, this is the first version, which is near "completion". This is by no means a finished and polished product as it stands right now but, with minor additions, it will be a fully-functional system that is relatively easy to implement on your own network. I have been happy with the results I've gotten over the past few days of testing. This is to offer a preview and gather some input from the community.
>
> Here is the live site statistics that I check on my own network: http://meshtrak.timbuktuwifi.com/
>
> This system should (and is designed to) support an infinite amount of nodes and clients. Right now I have about 30,000 records in my database, so with everyone accessing it, things might get a little slow. So please be patient with my 200MHz Pentium Pro server ;-). I'm working to optimize my database queries and caching as we type.
>
> I hope to release and package version 1 in the near future for you to test out on your own networks.

"using tri-NICs"

i.e. having three NICs in the machine.

{{{
> When I search on "tri-NIC", I get "Transport Research Institute-Northern Ireland Centre".
>
> Seems like it should be some sort of three-radio card?

>> We're using the following setup.
>>
>> ADSL provided with 8 addresses.
>>       |
>>       |
>> ADSL modem bridging the connection to
>>       |
>>       |
>> IPCOP firewall running on Dell server. Moving to much smaller solution
>> using meshAP motherboards with tri-NICs
>>       |
>>       |
>>       --> Orange/DMZ network with websites and forums for members
>>
>>       --> Green/Wireless network with uplink meshAPs on this section.
>>
>> When we install further uplink sites, we're going to be using a similar
>> setup, but without an Orange network.
>> We do have plans to change our ADSL modem to a Cisco ADSL router as
>> subscription rates allow.
>>
>> If you want to hit me with any q's, please do!

>>> I use mikrotik on the edge of all my gateways. They work great, I have never had a failure. I use public IPs on all my meshboxes (host-mapped to tunnel 172.16.x.2) address.

>>>> We had our mesh behind a Mikrotik router and all worked well except giving static IPs to clients. I never could make that work right all of the time. Sometimes it would work... then for no reason it would quit. At some point after removing the router from the loop, I tried static IPs again, and now they work - all of the time. Could it have been the extra layer of NAT??? Beats me.
>>>>
>>>> The reasons for removing the Mikrotik... I bought it for traffic shaping - not knowing much about the native shaping included with MeshAP. Knowing what I know now it seemed redundant.
>>>>
>>>> Hope this helps you guys make a decision...

>>>>> | Would it be safe/wise to simply connect (CAT5) directly from the router
>>>>> | to the meshbox. If I did this, how would I ssh to that meshbox rather
>>>>> | than ssh'ing to the server and thence to the meshbox?
>>>>>
>>>>> The address to ssh to would show up as the ethernet address on the wiana page --- a distinct benefit!, and you don't really have much to worry about as the meshbox is a NATing firewall for all the mesh customers. Certainly putting another NATing firewall in front is rather a waste of time, as you are already doing traffic shaping as part of your basic Mesh operation, and the other things that get protected are basically Windows vulnerabilities.
>>>>>
>>>>> Putting an extra firewall fails Occam's Razor "Entia non sunt multiplicanda praeter necessitatem" or in English "Do not needlessly multiply entities"

}}}