Domain names not being resolved over extender node bridged connection #27
Comments
|
Ok here's my theory of what's going on. When a client connects to When the client pings The problem is that the DNS query from Checking if this theory is trueSetting the client to get only IP/subnet/gateway from DHCP, but not DNS, and then manually specifying the DNS server as e.g. SSH'ing into If these tests both succeed then the theory is probably true. Fixing this issueThe simplest fix is to alter the policy-based routing rules such that traffic originating from the node itself will use the public routing table (tunnel) rather than the private, even if the private is available. The disadvantage of this is that now DNS will stop working on the private network if the public network is down. Another fix (which I don't recommend) is to have the DHCP server on the home nodes provide e.g. The best fix in terms of results, but worst in terms of implementation complexity, would be to trigger a script whenever the DHCP client running on the home node gets a DHCP lease and trigger another script whenever the WAN link status changes to I am willing to work on this. Just let me know when and where (and send me an IRC message, Signal message or private email if I don't respond here). |
|
I like the idea of writing a hook script, feels like something that would be useful especially as we work on a zeroconf build of the firmware. I'm down to work on this and I could be around sudoroom most of the day Thursday, 4/12, if you can work on it then, @Juul or anyone else. |
|
I have a meeting earlier but I believe I can be there around 2 pm.
…On Mon, Apr 9, 2018 at 10:51 PM, grant_____ ***@***.***> wrote:
I like the idea of writing a hook script, feels like something that would
be useful especially as we work on a zeroconf build of the firmware. I'm
down to work on this and I could be around sudoroom most of the day
Thursday, 4/12, if you can work on it then, @Juul
<https://github.com/Juul> or anyone else.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#27 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AAHfgEe0xkXGfv4lqnyhuULWZBxvCSqqks5tnEhxgaJpZM4TL6Ed>
.
|
|
2pm on Thursday works for me, we'll plan on that, any other node whisperers are welcome to join us |
I wonder if this is why the exit node mesh IP used to be hardcoded in as a DNS server? That would be similar to the first fix you mentioned, right @Juul? And if the exit node was unreachable, I'm guessing lookups would use DNS servers further down the list? This commit from #23 removed it: sudomesh/makenode@686499d. If this is the case, maybe another fix would be to dynamically add any connected exit nodes as DNS servers. Nice catch @paidforby ! |
|
On Tue, Apr 10, 2018 at 4:23 AM, Benny Lichtner ***@***.***> wrote:
The problem is that the DNS query from Chicken to the upstream DNS servers
is originating from Chicken's IP and any traffic originating from a home
node is using the private routing table (rather than the public) so if
there is no direct internet connection on the home node's WAN port then
this will fail.
I wonder if this is why the exit node mesh IP used to be hardcoded in as a
DNS server? That would be similar to the first fix you mentioned, right
@Juul <https://github.com/Juul>? And if the exit node was unreachable,
I'm guessing lookups would use DNS servers further down the list?
This commit from #23 <#23> removed
it: ***@***.***
<sudomesh/makenode@686499d>
.
Hm, yes that might have been the issue. It was probably there mostly
because of the fake captive portal functionality. Adding it back in would
only work work if the mesh exit server was somehow exempt from the policy
routing rules that send traffic originating from a home node over the
private WAN link rather than the tunnel. I'm not sure if that's the case
though.
|
|
In efforts to make (home) nodes independent of specific exit node mesh/public IPs (needed to support multiple, non-conflicting, exit nodes), please also consider changes I made via sudomesh/makenode@a3b243e . For examples of dhcp hooks, please see an existing hook at https://github.com/sudomesh/makenode/blob/master/configs/ar71xx/home_nodes/templates/files/etc/udhcpc.user . I'd be interested to learn about the root cause of the issue described here. btw - nice catch @paidforby |
|
Using the "sudomesh test bed", which I am attempting to document here. I've successfully proven that the patch to #23 causes the the bug observed in this issue. While using a pre-patch 23 version of makenode on both the I suggest that we find a better way of patch bug #23 this may be as simple as modifying the extender node configs to match the changes made by patch 23 or we may need a more complicated hook script as suggested by @Juul . Whatever the case, @jhpoelen you should be able to use the sudomesh test bed (in sudo room) to test any theories of your own. |
|
Thanks for sharing and reproducing the bug. @paidforby please let me know where I can find access info to test bed nodes. Also, for everyone, I consider fixing this a collective activity, so please don't wait for me, @paidforby or @Juul to fix this issue. If you are interested to troubleshoot and find a solution for this, please do holler and communicate on https://peoplesopen.net/chat . Being part of a community network project is not a spectator sport. |
|
@paidforby nice repro! Also, the extended extender node extension program looks great! Unfortunately, I didn't bring an extender node w/ me to NYC, but if I had, I think I have a pretty clear idea of how I'd debug. Brain dump below. -- The patch 23 changes are sudomesh/makenode@a3b243e and sudomesh/makenode@686499d. I suspect the bug was introduced in the single line deletion in the latter commit: sudomesh/makenode@686499d. This would be very easy to test. Simply add the following line to the top of (where [exit-node-mesh-ip-goes-here] is -- Hopefully re-adding the --
Darn. I dunno what I'm going to do with all of this coney island kettle corn... jk <3 <3 <3 If anyone is planning to work on this with @paidforby's test bed in front of them and wants moral support / a pair of remote eyes and ears, I'd love to work/hack with you (from afar). |
|
@jhpoelen @eenblam and @bennlich thanks for the help debugging the sudomesh test bed, it looks like we've got it working in some capacity. Tested the patch on deployed nodes (the real life Once tested, I would suggest that we tag this commit of makenode and recommend using it in the readme and on our wiki. I'd still like to find the root cause of this bug and understand why it only breaks when extender nodes are involved. Also this undoes some of the work done on bug #23 so we may need to revisit our solution to the single/double exit node issue. |
|
I just attempted a home node setup using
The resulting homenode has hostname 'spritzer'. It is not connected to the internet directly, but I'd expect it to mesh with my other node 'annie', which has a cable to a router connected to the internet. |
|
@gobengo If I understand you correctly, that's not a bug. Private SSID should only give you internet if you have a WAN connection on that node. |
|
please note that v0.2.3 is the latest firmware. |
|
@eenblam Thanks for pointing that out! I retested with same releases, but connecting to the non-private SSIDs. Things worked! @jhpoelen I noticed that there is no 0.2.3 on the builds server, so wasn't sure about it's status. Why is there no 0.2.3 on builds? https://builds.sudomesh.org/builds/sudowrt/fledgling/ |
|
@gobengo two reasons: 1. build machine is running out of build space and 2. zenodo offers permanent and "free" storage of citable open digital artifacts. |
|
given the semi-permanent nature of the builds.sudomesh.org (its a droplet that runs everything from website to chat) with no backup that I am aware of, we should probably consider to at least archive the binaries for 0.2.2 and 0.2.0 to zenodo. Please holler for questions about zenodo. |
|
Fix exist in makenode and most nodes have been patched. Closing issue. |
Discovered on a recent node mount that domain names are not being resolved over an extender node bridged mesh connection. I believe @jhpoelen and I observed similar behavior with the mesh test bed in sudoroom a few weeks ago.
The setup
To reproduce
Connect to the peoplesopen.net SSID of Chicken. And try the following,
you should see
however, if you try,
ping google.comyou will receive a timeoutYou can also try running
traceroute 8.8.8.8and see that it is successfully hoping the connection,Where,
100.65.98.130 is the IP of Chicken's roof mounted antenna,
100.65.98.2 is the IP of Cow's roof mounted antenna
100.65.98.1 is the IP of Cow's home node
100.65.0.43 is the IP of the mesh DNS
But trying to
traceroute google.comalso timesoutAlso when ssh'd into Chicken, in
/var/log/messagesyou should see,It looks like this just logs that a request was made and acknowledged, but, of course, it's unclear what the ack means. Also ignore the tunneldigger broker selection failure, Chicken doesn't need to tunnel to the exit node, only Cow.
thoughts
It's unclear how long this has been an issue, but it could be related to recent changes to exitnode or makenode, perhaps #23 and its related commits hold some secrets that may help debug this issue.
I suspect that difference between the configuration of newly madenodes and freshly flashed extender nodes (they don't get makenoded) results in conflicts with dns configurations, preventing the extender nodes from correctly routing dns requests.
Any help would be hugely appreciated, the first step is to get the mesh test bed in sudoroom back in working order.
The text was updated successfully, but these errors were encountered: