<Bug?> Hotspot binds to the first available IP on WAN


hpool
08-31-2003, 01:02 PM
If you are like me and have multiple IPs on your WAN side, you may want to note that the hotspot redirects requests to the first IP address by default.

If the first IP address on your WAN side is on a subnet that is unreachable to a subnet on one of your WLAN cards, hotspot will not work.

Simple Workaround:
1. Delete all addresses that aren't reachable until an address that is reachable by all networks is at the top of the list.
2. Re-add your other IPs

lonnie
08-31-2003, 02:26 PM
Not a bug. We implemented it that way. I am not sure how you can have an IP and subnet on the WAN device that is not reachable by the wlan cards. Typically the first IP is your gateway subnet. As far as I know any device on the system can reach any other device and subnet they attach to.

Please check out my notes for hotspot use. It will provide all the little details you have to watch for.

hpool
08-31-2003, 02:50 PM
Maybe I am using the system in a way you never intended, but this is what I had to do to make it work.

Ex:
My setup was as follows

Ether0 Addresses:
1. 192.168.1.3/24
2. 64.68.x.x/29

Wlan0 Addresses:
1. 192.168.2.1/24
2. 192.168.3.1/24

When configured this way, it did not work.

The 192.168.1.x range is set up on the Ethernet port to act as NAT and DHCP for the local network behind the StarOS machine.

NAT is set up as:
masq from 192.168.1.0/24 to dev $net
masq from 192.168.2.0/24 to dev $net
masq from 192.168.3.0/24 to dev $net

All subnets can connect to the Internet.

There is no route established between the 192.168.2.x or 192.168.3.x subnet that will allow for communication with the 192.168.1.x network. Therefore, when a user on 192.168.2.x or 192.168.3.x tries to communicate with the captive portal web server on 192.168.1.3 ip, it fails.

lonnie
08-31-2003, 04:59 PM
Forgive me, I too am having one of those days. Why would you be doing nat from one private subnet to another?

We use private for almost our entire inside LAN. Our main gateway router handles firewall, CBQ for SMTP and POP3, IP Mapping and all masquerade.

That makes ALL internal IP addresses routable and trackable. If you get a DOS then at least you know the IP, instead of the IP of the nat machine.

I think the primary problem is that you are nat'ing the 192.168.1.x to the same device it is on (ie itself since nat takes the first IP on the device). I see no reason at all for the 192.168.1.x on anything, either for nat or the DHCP. The system has a public IP and using that IP and gateway you get Internet connectivity, etc. The only IP you need on the WAN is the public and it becomes the Hotspot IP as well.

hpool
08-31-2003, 06:19 PM
Sorry. I should have made it clear that there is a LAN on Ether0 that is natted. I am not using NAT between private subnets.

There is a method to what may appear to be my madness. Mainly a small network of computers located at that AP's location.

bigbloke
08-31-2003, 06:35 PM
Forgive me, I too am having one of those days. Why would you be doing nat from one private subnet to another?


Actually this is what we do here!

My personal cable connection comes in and is NATed in another Linux box
with iptables which acts as a gateway for my domestic 192.168.x.x network (need DHCPCD on the cable side so can't use the
StarOS box for that purpose).

On the other side of the 192.168 network is our local WLAN community Network. I interface with that from the 192.168 side by means of another
NAT firewall (also VPN endpoint) to the STAR-OS Router which is on our local Wireless community network IP range 10.x.x.x

It's a little overkill perhaps :lol: but worked fine.....until 1.12.5 :wink:

Regards

BB

lonnie
08-31-2003, 08:09 PM
Are you saying 1.12.5 broke your nat between private IP addresses? That should not be happening, so please let me know. Or are you saying you will have to change IP ordering to be able to use the new code?

tony
08-31-2003, 10:32 PM
Note: The hotspot webserver is only intended to serve the clients connecting to it, and does not need any access to the rest of the networks itself. It will function just as well with either the public or private IP at the top of the list.

NAT support has not changed in this release, and operates as it does in previous releases.

Thanks!

hpool
09-03-2003, 09:46 PM
I am not sure how this got off on a NAT tangent.

I never claimed NAT support was broken; NAT was fine.

Please disregard my post. It was only meant to help people that ran into the same problem I did, a problem which I have been able to replicate on multiple machines which led me to believe others might run into the problem.

I guess I am unable to explain myself clearly.

My apologies.

lonnie
09-03-2003, 10:05 PM
Things do get off on a tangent sometimes. I think you missed one crucial comment I made - you were nat'ing 192.168.1.0/24 to dev $net which is ether1 and the first IP on ether1 is 192.168.1.3, so in effect you have a NAT boo-boo - nat'ing to itself.

If you remove nat for a brief instant you would see that any IP on 192.168.2.x and 192.168.3.x can certainly hit 192.168.1.3. Once the nat thing is in place with that mistake, all bets are off, and you saw that you could not access what you thought you should have been able to.

For the most part I see no need for the 192.168.1.3 IP on ether1 since it has a public IP and that is what you would want to nat the privates to anyway.

Maybe I am missing something but we do exactly that here - public on ether1 and privates on ether2,3,4, etc and they all get nat'ed to the ether1 public IP.
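Added example, not part of the thread or of StarOS: a small check over hpool's address list (posted above) and his masq rules that reports which address the hotspot would bind to, flags the rule lonnie calls "nat'ing to itself", and shows that moving the public address to the top of the WAN list clears it. The 64.68.0.2/29 value and the $net = ether0 mapping are constructed placeholders.

```python
"""Added diagnostic (not StarOS code): find the hotspot bind address (first IP on
the WAN device) and flag masq rules whose source subnet contains that address."""
import ipaddress
import re

# Constructed from the setup described in the thread; 64.68.0.2/29 stands in
# for the elided public address.
ADDRESSES = {
    "ether0": ["192.168.1.3/24", "64.68.0.2/29"],
    "wlan0": ["192.168.2.1/24", "192.168.3.1/24"],
}
NAT_RULES = [
    "masq from 192.168.1.0/24 to dev $net",
    "masq from 192.168.2.0/24 to dev $net",
    "masq from 192.168.3.0/24 to dev $net",
]
DEV_VARS = {"$net": "ether0"}  # assumption: $net expands to the WAN interface

RULE_RE = re.compile(r"masq from (\S+) to dev (\S+)")


def hotspot_bind_address(addresses, wan_dev):
    """The hotspot binds to the first address listed on the WAN device."""
    return ipaddress.ip_interface(addresses[wan_dev][0]).ip


def masq_to_self(addresses, rules, dev_vars):
    """Return the rules whose source subnet already contains the first address
    of the device they masquerade to, i.e. the private range is NATed to itself."""
    bad = []
    for rule in rules:
        m = RULE_RE.match(rule)
        if not m:
            continue
        src = ipaddress.ip_network(m.group(1), strict=False)
        dev = dev_vars.get(m.group(2), m.group(2))
        if hotspot_bind_address(addresses, dev) in src:
            bad.append(rule)
    return bad


def public_first(addresses, wan_dev):
    """hpool's workaround as a reorder: put a non-private address at the top of
    the WAN list so it becomes the hotspot IP (lonnie's recommended layout)."""
    wan = addresses[wan_dev]
    public = [a for a in wan if not ipaddress.ip_interface(a).ip.is_private]
    private = [a for a in wan if ipaddress.ip_interface(a).ip.is_private]
    return {**addresses, wan_dev: public + private}
```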

hpool
09-06-2003, 01:51 PM
heh. I will try to explain one more time just for the curious.

Ether1 has a private network on it as well. There is a cable from Ether1 to a switch. The switch has other computers plugged into it.

The other computers are assigned IP addresses in the 192.168.1.x subnet from the DHCP server on the StarOS machine via Ether1. They are natted to go out Ether1. Since ether1 has a routable IP they can get on the Internet.

This machine has no room for a second ethernet card, and I am out of real IPs. That's why I did it this way.

There are better ways to do this I know, but since I have to use your interface to iptables I don't know any other syntax to get this done.

Not complaining, just trying to clear the situation up for you. I know I hate it when I can't figure out why a user does something I would consider strange. :)

lonnie
09-06-2003, 07:07 PM
iptables is available in all its glory from our script. Just use iptables and everything after is passed straight through. It is the tough way to do things but it works.

I am amazed that you can take privates in on Ether1 and nat them and ship them back out Ether1. I would have never tried it, but it is cool if it works.

georgew
09-06-2003, 07:19 PM
Yeah, it works fine.... I have a network set up that way. It was a Soekris machine in a place I couldn't go, so when one ethernet failed, I just moved the config to the other and had the customer move a wire.

hpool
09-07-2003, 07:02 PM
Excellent to know that iptables is available via the scripting interface.