coova / coova-chilli

CoovaChilli is an open-source software access controller for captive portal hotspots.

Some packets are not being NAT/routed properly? #511

Closed aport closed 4 years ago

aport commented 4 years ago

Running the latest coova-chilli on OpenWrt 19.07.1, basically a standard setup going to hotspotsystem.com.

The following tcpdump is running on my WAN interface during a client login. Almost every packet is properly put through NAT but occasionally some packets slip through with the source IP set to the private radius address.

In my case, my WAN provider (Verizon) sees the unroutable source IP and disconnects my LTE bearer which brings my internet down.

I've tried every combination of firewall rules I can think of but I must be doing something wrong because these packets still get through.

20:48:39.173708 IP (tos 0x0, ttl 53, id 59401, offset 0, flags [DF], proto TCP (6), length 1360) 195.228.254.149.443 > ZZZ.YYY.202.198.60371: Flags [P.], cksum 0x53da (correct), seq 2890:4198, ack 2890, win 278, options [nop,nop,TS val 2524332824 ecr 27519633], length 1308

20:48:39.316310 IP (tos 0x0, ttl 63, id 31724, offset 0, flags [DF], proto TCP (6), length 52) ZZZ.YYY.202.198.60371 > 195.228.254.149.443: Flags [.], cksum 0xa7da (correct), seq 2890, ack 2890, win 369, options [nop,nop,TS val 27519696 ecr 2524332823], length 0

20:48:39.316450 IP (tos 0x0, ttl 63, id 55782, offset 0, flags [DF], proto TCP (6), length 52) 192.168.182.2.60352 > 195.228.254.149.443: Flags [F.], cksum 0xd522 (correct), seq 0, ack 1, win 583, options [nop,nop,TS val 27519696 ecr 2524312590], length 0

20:48:39.355874 IP (tos 0x0, ttl 63, id 31725, offset 0, flags [DF], proto TCP (6), length 52) ZZZ.YYY.202.198.60371 > 195.228.254.149.443: Flags [.], cksum 0xa2ae (correct), seq 2890, ack 4198, win 380, options [nop,nop,TS val 27519700 ecr 2524332824], length 0

20:48:39.679381 IP (tos 0x0, ttl 63, id 10255, offset 0, flags [DF], proto TCP (6), length 52) 192.168.182.2.60357 > 195.228.254.149.443: Flags [F.], cksum 0x5616 (correct), seq 0, ack 1, win 347, options [nop,nop,TS val 27519731 ecr 2524315427], length 0

20:48:40.521621 IP (tos 0x0, ttl 63, id 55783, offset 0, flags [DF], proto TCP (6), length 52) 192.168.182.2.60352 > 195.228.254.149.443: Flags [F.], cksum 0xd4aa (correct), seq 0, ack 1, win 583, options [nop,nop,TS val 27519816 ecr 2524312590], length 0

aport commented 4 years ago

Update: this was caused by TCP FIN packets going out late after a connection had been torn down, skipping conntrack and not being NATed. Firewall rule problem, not coova; closing.
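As an added example (not code from the issue or from coova-chilli), a small detector for the symptom described above: it parses tcpdump -v lines in the format of the capture in the report and flags packets that left the WAN with an RFC1918 source, i.e. packets that bypassed NAT. The sample lines are constructed, with 203.0.113.198 standing in for the anonymised WAN address.

```python
"""Flag packets in a WAN-side tcpdump capture whose source is an RFC1918 address."""
import ipaddress
import re

# RFC1918 only; deliberately not ipaddress.is_private, which would also flag
# CGNAT (100.64.0.0/10) addresses that an LTE WAN may legitimately carry.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# tcpdump -v prints the IP header summary in parentheses, then "src.port > dst.port: Flags [..]".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP .*?id (?P<id>\d+),.*?\) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def find_nat_leaks(lines):
    """Return (ip_id, src, flags) for every parsed packet with a private source address."""
    leaks = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # non-TCP/UDP line, truncated output, etc.
        if is_rfc1918(m["src"]):
            leaks.append((int(m["id"]), m["src"], m["flags"]))
    return leaks


# Constructed sample modelled on the issue's capture: one properly NATed ACK and two
# late FINs that escaped with the hotspot's private address 192.168.182.2 as source.
SAMPLE = """\
20:48:39.316310 IP (tos 0x0, ttl 63, id 31724, offset 0, flags [DF], proto TCP (6), length 52) 203.0.113.198.60371 > 195.228.254.149.443: Flags [.], cksum 0xa7da (correct), seq 2890, ack 2890, win 369, options [nop,nop,TS val 27519696 ecr 2524332823], length 0
20:48:39.316450 IP (tos 0x0, ttl 63, id 55782, offset 0, flags [DF], proto TCP (6), length 52) 192.168.182.2.60352 > 195.228.254.149.443: Flags [F.], cksum 0xd522 (correct), seq 0, ack 1, win 583, options [nop,nop,TS val 27519696 ecr 2524312590], length 0
20:48:39.679381 IP (tos 0x0, ttl 63, id 10255, offset 0, flags [DF], proto TCP (6), length 52) 192.168.182.2.60357 > 195.228.254.149.443: Flags [F.], cksum 0x5616 (correct), seq 0, ack 1, win 347, options [nop,nop,TS val 27519731 ecr 2524315427], length 0
""".splitlines()

if __name__ == "__main__":
    for ip_id, src, flags in find_nat_leaks(SAMPLE):
        print(f"leak: id={ip_id} src={src} flags=[{flags}]")
```

Feed it `tcpdump -v -n -i <wan>` output to confirm whether the leak still occurs after the firewall is changed; on OpenWrt the usual fix for these conntrack-INVALID stragglers is the firewall's `drop_invalid` default, which drops them before they reach the WAN.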