Kernel version | Linux BedroomPi 6.1.21-v8+ #1642 SMP PREEMPT Mon Apr 3 17:24:16 BST 2023 aarch64 GNU/Linux
Architecture | Arm64
SBC model | RPI 4 8Gb
Power supply used | (EG: 5V 4A RAVpower)
SD card used | Samsung 64G
Additional Information (if applicable)
Software title | Dietpi v.9
Was the software title installed freshly or updated/migrated? Yes, tried several times.
Can this issue be replicated on a fresh installation of DietPi? Yes.
← If you sent a “dietpi-bugreport”, please paste the ID here →
Bug report ID | 5ad8dedc-e264-4697-8fd1-e4abaf3a3976
Steps to reproduce
No matter the IP that the WIFI Hotspot issues the traffic is blocked if I go out my router and back in using the 192.168.42.* , I’ve changed the IP numerous times to other 192.168.. and same result.
If I am on my normal router 192.168.1.* I can connect to my webpage and ftp going out the router and back in. I have the firewall turned off on the router. Same result with the router firewall on or off.
Expected behaviour
I should able to connect to my webserver from the internet or from on the lan.
Do you mean that you cannot from the internet to a webserver in the WiFi area (e.g. to a webserver with 192.168.42.20)?
The WiFi Hotspot has a function like a guest network on a router: It enables to have traffic started from the WiFi area but allows no traffic initiated from outside to the WiFi area.
Also from the LAN area you cannot connect to a webserver in the WiFi area.
This is blocked via rules in /etc/iptables.ipv4.nat.
You would need to change this configuration manually.
I think I’m understanding you correctly but let me clarify.
192.168.42.10 can connect to 192.168.1.55 inside my home network, but the connection is rejected when from 192.168.42.10 tries to hit my home ISP assigned IP to the same machine through port forwarding. But if I move to another area of my house not on the Hotspot I can connect both ways so I know the port forwarding is working.
I read some of the documentation you included and either I’m not understanding or the particular info I’m asking about is not included. Here is the iptable.ipv4.nat file… what do I need to change?
-A POSTROUTING -s 192.168.42.0/24 -o eth0 -j MASQUERADE
I edited the line to this: -A POSTROUTING -s 192.168.42.0/24 -o eth0 -j
So far during my initial testing it seems to be working the way I want.
# Generated by iptables-save v1.8.9 (nf_tables) on Tue Jan 30 09:18:29 2024
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -j ACCEPT
COMMIT
# Completed on Tue Jan 30 09:18:29 2024
# Generated by iptables-save v1.8.9 (nf_tables) on Tue Jan 30 09:18:29 2024
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.42.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Tue Jan 30 09:18:29 2024
I’m hoping this will make it easier to explain what my problem. I’ve been reading a few articles and clearly I’m missing something. Any help would be appreciated.
Because they are in different subnets.
The wifi clients are in 192.168.42.0 /24 and the ethernet clients in 192.168.1.0 (probably also /24).
You could place them in one subnet ( /16 ), and let the router assign every device IPs, even the wifi ones. Or you assign different IP ranges in DHCP for wifi and ethernet, but in the same subnet, so they can reach each other.
Is the hotspot also a DietPi device?
ok just did some stupid testing and created a hotsopt on my RPi3 demo system. Once up I connected my mobile phone DietPi-HotSpot and I’m able to reach every device I have within my regular local network without issues.
I am not sure what is the problem, as I read different descriptions. In general if you have the masquerade rule in iptables, everything looks as if it is originating from the eth0 of the dietpi.
Traffic originating from the 192.168.1.0/24 towards 192.168.42.0/24 will not work.
The opposite works fine.
Finally trying to access an internal lan resource by using the public wan IP of the ISP router and hoping that the port forwarding rule will work is very often a grey area which I don’t recommend. Better use directly the internal lan IP.
Hitting everything in the local network is not the issue.
Going out the router and trying to get back in is the problem. It’s not a big deal but I was testing ftp / webpage setups and noticed I could not connect. I initially thought it was my router not forwarding traffic. But that’s not the case, when I go to the other room and connect to the router everything works as it should.
I initially removed the MASQUERADE and it appeared to work. But I had to leave and when I tested upon my return, same issue persisted.
I play around with a webserver and ftp hosted on 192.168.1.55, 192.168.42.* can reach the server 192.168.1.55 BUT not if I try and connect to http://whatever.com.
If I connect to the other WIFI on my router and have 192.168.1.60 (or whatever IP assigned) I can get to 192.168.1.55 or http://whatever.com.
My port forwarding is working but something is blocking the 192.168.42.* .
192.168.42.10 is treated as one directional.
I only use it for testing, so I’m just trying to find a solution.
I have a similiar setup and I set up a local DNS entry (with Pi-Hole).
When I try to reach my services - hosted inside my LAN, but publicy available via domain - the request never leaves the LAN. When it hit’s my DNS server it get’s redirected to the private LAN IP instead of going out and connecting to the public IP.
This may not solve the underlying problem, but would be a workaround.
Does your router support dns rebind protection ?? Sometimes this could have an influence.
I’ve never seen this option on the Eltex NTU-RG-5421G-Wac
And another question, do you use a local DNS serer like PiHole or AGH?
I have PiHole running, but even if I bypass pihole and use any other DNS I get the same outcome.
Last question, do you have a strickt need to run the hotspot on an own separated IP range or could it be same IP range as your regular network?
I had the hotspot set to use 192.168.1.100/24 and get the same outcome again. So it was leading to something on the Hotspot configuration is creating the issue.
it’s exactly the opposite. You need to use PiHole as DNS server for your hotspot clients. Inside PiHole create a local DNS record. This way your hotspot clients will receive local network IP for your DDNS target system
It depends on the ISP router capabilities, not every one allows to set static routes. Moreover there is the case of ISP router firewall dropping packets as invalid due to the asymmetric routing. Furthermore the nature of the hotspot is to isolate the wifi, otherwise it would be bridged and not routed.
That being said I’d rather say it can’t be done to avoid troubleshooting random routers.
