Problem with NAT/ip_forward

Test lan topology:

Local GW (10.10.0.1) <-> switch <-> [wan - separated port] BPI-R2 (NAT/ip_forward) [lan3] <-> test desktop

“1st” and “2nd” mean that I have two BPI-R2 motherboards. When I type 1st, it means the BPI-R2 on which I have problems with NAT and for which I created this topic; when I type 2nd, it is the BPI-R2 motherboard on which the NAT problems do not occur on kernel 4.16.18.

How to check the soldering of ethernet ports - with magnifier? Without magnifier everything looks OK.

Here is the photo for this problematic BPI-R2 - ethernet ports: https://imgur.com/bQldLLs

so only 1 r2 is between your test-desktop and your gateway?

wan and lan have different subnets? nat/masquerade is setup on wan?

what says traceroute?

root@slackware:~# ping 10.10.0.1 #works
root@slackware:~# wget http://noc.pirx.pl/100mb.bin -O /dev/null #does not work

looks like on your r2 the default-route is not set (right), it knows your main-gateway but does not use it for forwarded packets (or your dns brings wrong ip…you can test from r2)

Yes, there is only one BPI-R2 between my lan GW and the test desktop, and it works as a router. It is not a problem with NAT setup. It is a strange problem with BPI-R2.

root@bpi-iot-ros-ai:/home/pi# ip r s
default via 10.10.0.1 dev eth1 src 10.10.1.11 metric 206 
10.10.0.0/16 dev eth1 proto kernel scope link src 10.10.1.11 metric 206 
169.254.0.0/16 dev eth0 proto kernel scope link src 169.254.165.117 metric 205 
172.100.254.0/24 dev eth0 proto kernel scope link src 172.100.254.1 

root@bpi-iot-ros-ai:/home/pi# iptables -t nat -L -vn | grep MASQUERADE
   17  1160 MASQUERADE  all  --  *      eth1    0.0.0.0/0            0.0.0.0/0

root@bpi-iot-ros-ai:/home/pi# sysctl -a | grep "net.ipv4.ip_forward"
net.ipv4.ip_forward = 1

This above NAT setup is from BPI-R2 with kernel 4.4 and the same (of course with correct network interfaces) I run for kernel 4.16.

default via 10.10.0.1 dev eth1 src 10.10.1.11 metric 206 
10.10.0.0/16 dev eth1 proto kernel scope link src 10.10.1.11 metric 206 

ok, you use a /16…

how are the ips on lan-interfaces/test-PC?

I really use wide subnet. On BPI-R2 lan3 port is setup 172.100.254.1 with dhcp server. On test-PC I get one of the dhcp pool.

root@bpi-iot-ros-ai:/home/pi# ip a s
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: bond0: <NO-CARRIER,BROADCAST,MULTICAST,MASTER,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 4e:4b:25:12:ed:5e brd ff:ff:ff:ff:ff:ff
3: tunl0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1
    link/ipip 0.0.0.0 brd 0.0.0.0
4: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1
    link/sit 0.0.0.0 brd 0.0.0.0
5: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 1000
    link/ether 62:70:92:16:e9:fd brd ff:ff:ff:ff:ff:ff
    inet 169.254.165.117/16 brd 169.254.255.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet 172.100.254.1/24 brd 172.100.254.254 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::4ae1:1c59:8366:f6cc/64 scope link 
       valid_lft forever preferred_lft forever
6: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 1000
    link/ether 3e:91:22:51:96:11 brd ff:ff:ff:ff:ff:ff
    inet 10.10.1.11/16 brd 10.10.255.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::b859:41f9:b5e4:db20/64 scope link 
       valid_lft forever preferred_lft forever
7: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether 00:08:22:04:bf:fb brd ff:ff:ff:ff:ff:ff

root@bpi-iot-ros-ai:/home/pi# ps -ef | grep dhcp
root       535     1  0 19:24 ?        00:00:00 /sbin/dhcpcd -q -b
root      1347     1  0 19:27 ?        00:00:00 /usr/sbin/dhcpd -4 -q -cf /etc/dhcp/dhcpd2.conf eth0

@frank-w don’t worry about the mistakes in NAT configuration. I’m IT guy working as IT infrastructure admin.

but this kernel 4.4 where you have no problems, right?

have you checked for soldering-problems (a few people have reported pin-moving)

but if you can ping your gateway basically you reach it…and wget should also work

how about the traceroute…you can also do tcpdump on r2 to look where traffic goes (better do this via console or filter out ssh)

Yes, this is the output from the OS with kernel 4.4, but as I wrote before, the setup is correct with kernel 4.16 too. Heh, I’m trying to boot this BPI with kernel 4.16, so edit uEnv.txt file -> save -> reboot and the BPI did not come up :confused: I see that it is starting, but at the end the screen was black :confused:

After two resets up correctly.

BPI on kernel 4.16. Traceroute result from test-PC: [screenshot: Selection_100]

On BPI: tcpdump host 172.100.254.101 and the result when on test-PC wget has been running: [screenshot: Selection_101]

test-PC: [screenshot: Selection_102]

traceroute goes through and r2 does not see it??? have you setup the interface for tcpdump?

tcpdump -nni lan0 host 192.168.0.11
tcpdump -nni lan3 host 172.100.254.101
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lan3, link-type EN10MB (Ethernet), capture size 262144 bytes
[ 1997.871436] rc.local[448]: Can't open RFKILL control device: No such file or directory
21:32:38.654624 IP 172.100.254.101.36836 > 10.10.0.1.53: 949+ AAAA? noc.pirx.pl. (29)
21:32:38.705169 IP 10.10.0.1.53 > 172.100.254.101.36836: 949 0/1/0 (93)
21:32:38.705785 IP 172.100.254.101.39547 > 10.10.0.1.53: 5024+ AAAA? noc.pirx.pl.example.org. (41)
21:32:38.749014 IP 10.10.0.1.53 > 172.100.254.101.39547: 5024 NXDomain 0/1/0 (95)
21:32:38.749706 IP 172.100.254.101.47602 > 10.10.0.1.53: 41198+ A? noc.pirx.pl. (29)
21:32:38.751049 IP 10.10.0.1.53 > 172.100.254.101.47602: 41198 1/0/0 A 217.73.181.197 (45)
21:32:38.751530 IP 172.100.254.101.38272 > 217.73.181.197.80: Flags [S], seq 678732469, win 29200, options [mss 1460,sackOK,TS val 13674775 ecr 0,nop,wscale 7], length 0
21:32:38.754012 IP 217.73.181.197.80 > 172.100.254.101.38272: Flags [S.], seq 1605673348, ack 678732470, win 28960, options [mss 1460,sackOK,TS val 3186729752 ecr 13674775,nop,wsc0
21:32:38.754302 IP 172.100.254.101.38272 > 217.73.181.197.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 13674778 ecr 3186729752], length 0
21:32:38.754519 IP 172.100.254.101.38272 > 217.73.181.197.80: Flags [P.], seq 1:84, ack 1, win 229, options [nop,nop,TS val 13674778 ecr 3186729752], length 83: HTTP: GET /100mb.b1
21:32:38.756412 IP 217.73.181.197.80 > 172.100.254.101.38272: Flags [.], ack 84, win 227, options [nop,nop,TS val 3186729753 ecr 13674778], length 0
21:32:38.760101 IP 217.73.181.197.80 > 172.100.254.101.38272: Flags [.], seq 1:1449, ack 84, win 227, options [nop,nop,TS val 3186729753 ecr 13674778], length 1448: HTTP: HTTP/1.1K
21:32:38.760343 IP 217.73.181.197.80 > 172.100.254.101.38272: Flags [.], seq 1449:2897, ack 84, win 227, options [nop,nop,TS val 3186729753 ecr 13674778], length 1448: HTTP
21:32:38.760606 IP 217.73.181.197.80 > 172.100.254.101.38272: Flags [.], seq 2897:4345, ack 84, win 227, options [nop,nop,TS val 3186729753 ecr 13674778], length 1448: HTTP
21:32:38.760826 IP 217.73.181.197.80 > 172.100.254.101.38272: Flags [.], seq 4345:5793, ack 84, win 227, options [nop,nop,TS val 3186729753 ecr 13674778], length 1448: HTTP
21:32:38.761026 IP 217.73.181.197.80 > 172.100.254.101.38272: Flags [.], seq 5793:7241, ack 84, win 227, options [nop,nop,TS val 3186729753 ecr 13674778], length 1448: HTTP
21:32:38.761218 IP 217.73.181.197.80 > 172.100.254.101.38272: Flags [.], seq 7241:8689, ack 84, win 227, options [nop,nop,TS val 3186729753 ecr 13674778], length 1448: HTTP
21:32:38.761410 IP 217.73.181.197.80 > 172.100.254.101.38272: Flags [.], seq 8689:10137, ack 84, win 227, options [nop,nop,TS val 3186729753 ecr 13674778], length 1448: HTTP
21:32:38.761604 IP 217.73.181.197.80 > 172.100.254.101.38272: Flags [.], seq 10137:11585, ack 84, win 227, options [nop,nop,TS val 3186729753 ecr 13674778], length 1448: HTTP
21:32:38.761801 IP 217.73.181.197.80 > 172.100.254.101.38272: Flags [.], seq 11585:13033, ack 84, win 227, options [nop,nop,TS val 3186729753 ecr 13674778], length 1448: HTTP
21:32:38.762044 IP 217.73.181.197.80 > 172.100.254.101.38272: Flags [.], seq 13033:14481, ack 84, win 227, options [nop,nop,TS val 3186729753 ecr 13674778], length 1448: HTTP
21:32:38.762525 IP 172.100.254.101.38272 > 217.73.181.197.80: Flags [.], ack 1, win 251, options [nop,nop,TS val 13674786 ecr 3186729753,nop,nop,sack 1 {13033:14481}], length 0
21:32:38.764678 IP 217.73.181.197.80 > 172.100.254.101.38272: Flags [.], seq 1:1449, ack 84, win 227, options [nop,nop,TS val 3186729755 ecr 13674786], length 1448: HTTP: HTTP/1.1K
21:32:38.968804 IP 217.73.181.197.80 > 172.100.254.101.38272: Flags [.], seq 1:1449, ack 84, win 227, options [nop,nop,TS val 3186729806 ecr 13674786], length 1448: HTTP: HTTP/1.1K
21:32:39.376579 IP 217.73.181.197.80 > 172.100.254.101.38272: Flags [.], seq 1:1449, ack 84, win 227, options [nop,nop,TS val 3186729908 ecr 13674786], length 1448: HTTP: HTTP/1.1K
21:32:39.377085 IP 172.100.254.101.38272 > 217.73.181.197.80: Flags [.], ack 1449, win 274, options [nop,nop,TS val 13675401 ecr 3186729908,nop,nop,sack 1 {13033:14481}], length 0
21:32:39.379364 IP 217.73.181.197.80 > 172.100.254.101.38272: Flags [.], seq 14481:15929, ack 84, win 227, options [nop,nop,TS val 3186729908 ecr 13675401], length 1448: HTTP
21:32:39.379634 IP 217.73.181.197.80 > 172.100.254.101.38272: Flags [.], seq 15929:17377, ack 84, win 227, options [nop,nop,TS val 3186729908 ecr 13675401], length 1448: HTTP
21:32:39.379738 IP 172.100.254.101.38272 > 217.73.181.197.80: Flags [.], ack 1449, win 296, options [nop,nop,TS val 13675403 ecr 3186729908,nop,nop,sack 1 {13033:15929}], length 0
21:32:39.381923 IP 217.73.181.197.80 > 172.100.254.101.38272: Flags [.], seq 1449:2897, ack 84, win 227, options [nop,nop,TS val 3186729909 ecr 13675403], length 1448: HTTP
21:32:39.584619 IP 217.73.181.197.80 > 172.100.254.101.38272: Flags [.], seq 1449:2897, ack 84, win 227, options [nop,nop,TS val 3186729960 ecr 13675403], length 1448: HTTP
21:32:39.585195 IP 172.100.254.101.38272 > 217.73.181.197.80: Flags [.], ack 2897, win 319, options [nop,nop,TS val 13675609 ecr 3186729960,nop,nop,sack 1 {13033:15929}], length 0
21:32:39.587386 IP 217.73.181.197.80 > 172.100.254.101.38272: Flags [.], seq 2897:4345, ack 84, win 227, options [nop,nop,TS val 3186729960 ecr 13675609], length 1448: HTTP
21:32:39.587653 IP 217.73.181.197.80 > 172.100.254.101.38272: Flags [.], seq 17377:18825, ack 84, win 227, options [nop,nop,TS val 3186729960 ecr 13675609], length 1448: HTTP
21:32:39.788828 IP 217.73.181.197.80 > 172.100.254.101.38272: Flags [.], seq 2897:4345, ack 84, win 227, options [nop,nop,TS val 3186730011 ecr 13675609], length 1448: HTTP
21:32:40.196545 IP 217.73.181.197.80 > 172.100.254.101.38272: Flags [.], seq 2897:4345, ack 84, win 227, options [nop,nop,TS val 3186730113 ecr 13675609], length 1448: HTTP
21:32:41.012727 IP 217.73.181.197.80 > 172.100.254.101.38272: Flags [.], seq 2897:4345, ack 84, win 227, options [nop,nop,TS val 3186730317 ecr 13675609], length 1448: HTTP
21:32:42.648948 IP 217.73.181.197.80 > 172.100.254.101.38272: Flags [.], seq 2897:4345, ack 84, win 227, options [nop,nop,TS val 3186730726 ecr 13675609], length 1448: HTTP
[ 2002.891320] rc.local[448]: Can't open RFKILL control device: No such file or directory
21:32:43.745514 ARP, Request who-has 172.100.254.101 tell 172.100.254.1, length 28
21:32:43.746091 ARP, Reply 172.100.254.101 is-at 00:19:0f:25:1a:ac, length 46
21:32:45.920643 IP 217.73.181.197.80 > 172.100.254.101.38272: Flags [.], seq 2897:4345, ack 84, win 227, options [nop,nop,TS val 3186731544 ecr 13675609], length 1448: HTTP
[ 2007.906712] rc.local[448]: Can't open RFKILL control device: No such file or directory
21:32:50.896255 IP 172.100.254.101.68 > 169.254.116.242.67: BOOTP/DHCP, Request from 00:19:0f:25:1a:ac, length 346
21:32:50.913884 IP 172.100.254.1.67 > 172.100.254.101.68: BOOTP/DHCP, Reply, length 300
21:32:50.946967 ARP, Request who-has 172.100.254.101 tell 172.100.254.101, length 46
21:32:52.464866 IP 217.73.181.197.80 > 172.100.254.101.38272: Flags [.], seq 2897:4345, ack 84, win 227, options [nop,nop,TS val 3186733180 ecr 13675609], length 1448: HTTP
21:32:52.949179 ARP, Request who-has 172.100.254.101 tell 172.100.254.101, length 46
[ 2012.929673] rc.local[448]: Can't open RFKILL control device: No such file or directory
21:32:55.912048 ARP, Request who-has 172.100.254.1 tell 172.100.254.101, length 46
21:32:55.912273 ARP, Reply 172.100.254.1 is-at 4a:62:12:f8:6a:b9, length 28
[ 2017.943756] rc.local[448]: Can't open RFKILL control device: No such file or directory
[ 2022.980708] rc.local[448]: Can't open RFKILL control device: No such file or directory
21:33:05.537039 IP 217.73.181.197.80 > 172.100.254.101.38272: Flags [.], seq 2897:4345, ack 84, win 227, options [nop,nop,TS val 3186736448 ecr 13675609], length 1448: HTTP
[ 2028.005882] rc.local[448]: Can't open RFKILL control device: No such file or directory
[ 2033.040672] rc.local[448]: Can't open RFKILL control device: No such file or directory
[ 2038.071803] rc.local[448]: Can't open RFKILL control device: No such file or directory
[ 2043.089101] rc.local[448]: Can't open RFKILL control device: No such file or directory
[ 2048.116223] rc.local[448]: Can't open RFKILL control device: No such file or directory
21:33:31.712584 IP 217.73.181.197.80 > 172.100.254.101.38272: Flags [.], seq 2897:4345, ack 84, win 227, options [nop,nop,TS val 3186742992 ecr 13675609], length 1448: HTTP
[ 2053.136664] rc.local[448]: Can't open RFKILL control device: No such file or directory
21:33:36.785645 ARP, Request who-has 172.100.254.101 tell 172.100.254.1, length 28
21:33:36.786396 ARP, Reply 172.100.254.101 is-at 00:19:0f:25:1a:ac, length 46
[ 2058.160380] rc.local[448]: Can't open RFKILL control device: No such file or directory
[ 2063.181251] rc.local[448]: Can't open RFKILL control device: No such file or directory

You defined 172.100.x.x as lan-ip? Imho only 172.16.x.x-172.31.x.x is private…

But traffic seems right, i see http going from outside to inside…

Yes, I know. I defined these IPs but for test purposes only. It doesn’t matter. So, how is it possible :wink: You see traffic from outside to inside but wget can’t download the file on test-PC? :slight_smile: What’s going on? Where are the packets?

you can do the tcp also on test-pc simultaneously, to see if the packets reach test-pc…maybe any firewall…the packets reach r2, so there is no problem with routing before (needing static route on your gateway)

btw. you can disable the rfkill-messages (and other system-messages) on console with “dmesg -D”

On test-PC:

root@slackware:~# wget http://noc.pirx.pl/100mb.bin -O /dev/null
Connecting to noc.pirx.pl (217.73.181.197:80)
null                   0% |                                                                                                                                 |     0k  - stalled -^C

and tcpdump:

root@slackware:~# /usr/sbin/tcpdump -nni eth0 host 172.31.254.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
21:43:06.853783 ARP, Request who-has 172.31.254.101 tell 172.31.254.1, length 46
21:43:07.918125 ARP, Request who-has 172.31.254.101 tell 172.31.254.1, length 46
21:43:08.958215 ARP, Request who-has 172.31.254.101 tell 172.31.254.1, length 46
21:43:24.717977 ARP, Request who-has 172.31.254.102 tell 172.31.254.1, length 46
21:43:24.718003 ARP, Reply 172.31.254.102 is-at 00:19:0f:25:1a:ac, length 28
^C
5 packets captured
5 packets received by filter
0 packets dropped by kernel

tcpdump from BPI-R2 (as router)

root@bpi-iot-ros-ai:~# tcpdump -nni lan3 host 172.31.254.102
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lan3, link-type EN10MB (Ethernet), capture size 262144 bytes
16:27:44.755529 IP 172.31.254.102.33657 > 10.10.0.1.53: 20202+ AAAA? noc.pirx.pl. (29)
16:27:44.803743 IP 10.10.0.1.53 > 172.31.254.102.33657: 20202 0/1/0 (93)
16:27:44.804386 IP 172.31.254.102.35154 > 10.10.0.1.53: 16946+ AAAA? noc.pirx.pl.example.org. (41)
16:27:44.933487 IP 10.10.0.1.53 > 172.31.254.102.35154: 16946 NXDomain 0/1/0 (95)
16:27:44.933953 IP 172.31.254.102.35839 > 10.10.0.1.53: 12767+ A? noc.pirx.pl. (29)
16:27:44.961341 IP 10.10.0.1.53 > 172.31.254.102.35839: 12767 1/3/2 A 217.73.181.197 (145)
16:27:44.961982 IP 172.31.254.102.41214 > 217.73.181.197.80: Flags [S], seq 2528255344, win 29200, options [mss 1460,sackOK,TS val 617852 ecr 0,nop,wscale 7], length 0
16:27:44.964552 IP 217.73.181.197.80 > 172.31.254.102.41214: Flags [S.], seq 2436261195, ack 2528255345, win 28960, options [mss 1460,sackOK,TS val 3203756306 ecr 617852,nop,wscal0
16:27:44.964843 IP 172.31.254.102.41214 > 217.73.181.197.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 617855 ecr 3203756306], length 0
16:27:44.965064 IP 172.31.254.102.41214 > 217.73.181.197.80: Flags [P.], seq 1:84, ack 1, win 229, options [nop,nop,TS val 617855 ecr 3203756306], length 83: HTTP: GET /100mb.bin 1
16:27:44.966972 IP 217.73.181.197.80 > 172.31.254.102.41214: Flags [.], ack 84, win 227, options [nop,nop,TS val 3203756307 ecr 617855], length 0
16:27:44.970638 IP 217.73.181.197.80 > 172.31.254.102.41214: Flags [.], seq 1:1449, ack 84, win 227, options [nop,nop,TS val 3203756308 ecr 617855], length 1448: HTTP: HTTP/1.1 20K
16:27:44.970901 IP 217.73.181.197.80 > 172.31.254.102.41214: Flags [.], seq 1449:2897, ack 84, win 227, options [nop,nop,TS val 3203756308 ecr 617855], length 1448: HTTP
16:27:44.971105 IP 217.73.181.197.80 > 172.31.254.102.41214: Flags [.], seq 2897:4345, ack 84, win 227, options [nop,nop,TS val 3203756308 ecr 617855], length 1448: HTTP
16:27:44.971340 IP 217.73.181.197.80 > 172.31.254.102.41214: Flags [.], seq 4345:5793, ack 84, win 227, options [nop,nop,TS val 3203756308 ecr 617855], length 1448: HTTP
16:27:44.971559 IP 217.73.181.197.80 > 172.31.254.102.41214: Flags [.], seq 5793:7241, ack 84, win 227, options [nop,nop,TS val 3203756308 ecr 617855], length 1448: HTTP
16:27:44.971773 IP 217.73.181.197.80 > 172.31.254.102.41214: Flags [.], seq 7241:8689, ack 84, win 227, options [nop,nop,TS val 3203756308 ecr 617855], length 1448: HTTP
16:27:44.971972 IP 217.73.181.197.80 > 172.31.254.102.41214: Flags [.], seq 8689:10137, ack 84, win 227, options [nop,nop,TS val 3203756308 ecr 617855], length 1448: HTTP
16:27:44.972168 IP 217.73.181.197.80 > 172.31.254.102.41214: Flags [.], seq 10137:11585, ack 84, win 227, options [nop,nop,TS val 3203756308 ecr 617855], length 1448: HTTP
16:27:44.972361 IP 217.73.181.197.80 > 172.31.254.102.41214: Flags [.], seq 11585:13033, ack 84, win 227, options [nop,nop,TS val 3203756308 ecr 617855], length 1448: HTTP
16:27:44.972557 IP 217.73.181.197.80 > 172.31.254.102.41214: Flags [.], seq 13033:14481, ack 84, win 227, options [nop,nop,TS val 3203756308 ecr 617855], length 1448: HTTP
16:27:44.972680 IP 172.31.254.102.41214 > 217.73.181.197.80: Flags [.], ack 1, win 251, options [nop,nop,TS val 617862 ecr 3203756307,nop,nop,sack 1 {5793:7241}], length 0
16:27:44.974944 IP 217.73.181.197.80 > 172.31.254.102.41214: Flags [.], seq 1:1449, ack 84, win 227, options [nop,nop,TS val 3203756309 ecr 617862], length 1448: HTTP: HTTP/1.1 20K
16:27:44.975448 IP 172.31.254.102.41214 > 217.73.181.197.80: Flags [.], ack 1449, win 274, options [nop,nop,TS val 617866 ecr 3203756309,nop,nop,sack 1 {5793:7241}], length 0
16:27:44.977620 IP 217.73.181.197.80 > 172.31.254.102.41214: Flags [.], seq 1449:2897, ack 84, win 227, options [nop,nop,TS val 3203756310 ecr 617866], length 1448: HTTP
16:27:44.977866 IP 217.73.181.197.80 > 172.31.254.102.41214: Flags [.], seq 2897:4345, ack 84, win 227, options [nop,nop,TS val 3203756310 ecr 617866], length 1448: HTTP
16:27:45.181441 IP 217.73.181.197.80 > 172.31.254.102.41214: Flags [.], seq 1449:2897, ack 84, win 227, options [nop,nop,TS val 3203756361 ecr 617866], length 1448: HTTP
16:27:45.589713 IP 217.73.181.197.80 > 172.31.254.102.41214: Flags [.], seq 1449:2897, ack 84, win 227, options [nop,nop,TS val 3203756463 ecr 617866], length 1448: HTTP
16:27:46.405684 IP 217.73.181.197.80 > 172.31.254.102.41214: Flags [.], seq 1449:2897, ack 84, win 227, options [nop,nop,TS val 3203756667 ecr 617866], length 1448: HTTP
16:27:48.041728 IP 217.73.181.197.80 > 172.31.254.102.41214: Flags [.], seq 1449:2897, ack 84, win 227, options [nop,nop,TS val 3203757076 ecr 617866], length 1448: HTTP
16:27:49.827750 ARP, Request who-has 172.31.254.102 tell 172.31.254.1, length 28
16:27:49.828110 ARP, Reply 172.31.254.102 is-at 00:19:0f:25:1a:ac, length 46
16:27:51.313399 IP 217.73.181.197.80 > 172.31.254.102.41214: Flags [.], seq 1449:2897, ack 84, win 227, options [nop,nop,TS val 3203757894 ecr 617866], length 1448: HTTP
16:27:57.849691 IP 217.73.181.197.80 > 172.31.254.102.41214: Flags [.], seq 1449:2897, ack 84, win 227, options [nop,nop,TS val 3203759528 ecr 617866], length 1448: HTTP
16:28:10.937619 IP 217.73.181.197.80 > 172.31.254.102.41214: Flags [.], seq 1449:2897, ack 84, win 227, options [nop,nop,TS val 3203762800 ecr 617866], length 1448: HTTP
16:28:13.289196 IP 172.31.254.102.41214 > 217.73.181.197.80: Flags [F.], seq 84, ack 1449, win 274, options [nop,nop,TS val 646180 ecr 3203756309,nop,nop,sack 1 {5793:7241}], leng0
16:28:13.329032 IP 217.73.181.197.80 > 172.31.254.102.41214: Flags [.], ack 85, win 227, options [nop,nop,TS val 3203763398 ecr 646180], length 0
^C
37 packets captured
37 packets received by filter
0 packets dropped by kernel
root@bpi-iot-ros-ai:~# 

I changed the subnet between BPI-R2 and test-PC to be really private :wink:

And ping from test-PC to the url used with wget:

root@slackware:~# ping noc.pirx.pl
PING noc.pirx.pl (217.73.181.197): 56 data bytes
64 bytes from 217.73.181.197: seq=0 ttl=58 time=3.072 ms
64 bytes from 217.73.181.197: seq=1 ttl=58 time=2.761 ms
64 bytes from 217.73.181.197: seq=2 ttl=58 time=2.603 ms
^C
--- noc.pirx.pl ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 2.603/2.812/3.072 ms

root@slackware:~# ping -s 12500 noc.pirx.pl
PING noc.pirx.pl (217.73.181.197): 12500 data bytes
12508 bytes from 217.73.181.197: seq=0 ttl=58 time=5.281 ms
12508 bytes from 217.73.181.197: seq=1 ttl=58 time=6.838 ms
12508 bytes from 217.73.181.197: seq=2 ttl=58 time=7.035 ms
12508 bytes from 217.73.181.197: seq=3 ttl=58 time=4.958 ms
12508 bytes from 217.73.181.197: seq=4 ttl=58 time=4.954 ms
^C
--- noc.pirx.pl ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 4.954/5.813/7.035 ms

It is not understandable for me :confused:

i see only http-packets with size 1448 on r2…

i expect larger packets will be fragmented…but this does not explain why the packets from r2 to your desktop do not reach the desktop

may you try with a newer kernel and maybe some phylink one?

have you any firewall on desktop?

can you try the wget on r2?

@frank-w If U agree, I will talk with my Boss, and if I get agreement from his side I can send this interesting BPI-R2 to You. Are you from DE?

ad1. the same configuration works well on another one BPI-R2 board with exactly the same configuration :slight_smile:

ad2. Could you provide, which one to use?

ad3. I haven’t any firewall on BPI-R2 and test-PC (here I booted slackware from USB stick).

ad4. wget result from BPI-R2:

root@bpi-iot-ros-ai:~# wget http://noc.pirx.pl/100mb.bin -O /dev/null
--2019-07-25 16:49:27--  http://noc.pirx.pl/100mb.bin
Resolving noc.pirx.pl (noc.pirx.pl)... 217.73.181.197
Connecting to noc.pirx.pl (noc.pirx.pl)|217.73.181.197|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 104857600 (100M) [application/octet-stream]
Saving to: ‘/dev/null’

/dev/null            22%[===>                ]  22.32M  7.37MB/s    eta 11s    ^C

i’m from DE, but i do this only on my freetime and have much to do…so i don’t need another r2

phylink (last one): https://github.com/frank-w/BPI-R2-4.14/tree/5.3-phylink-2.5

have you looked at the soldering-points? i expect a hardware-issue, anyway it's strange that ping works, but http not…this looks more like a firewall

from BPI-R2 (router):

root@bpi-iot-ros-ai:~# iptables -L -vn
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
root@bpi-iot-ros-ai:~# iptables -L -vn -t nat
Chain PREROUTING (policy ACCEPT 17483 packets, 4020K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 4995 packets, 504K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 66 packets, 6144 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 59 packets, 5549 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   34 27281 MASQUERADE  all  --  *      wan     0.0.0.0/0            0.0.0.0/0           
root@bpi-iot-ros-ai:~# iptables -L -vn -t mangle
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 

from test-PC: I haven’t installed iptables on them.

root@slackware:~# iptables
-bash: iptables: command not found

I asked you earlier whether I should do that with a magnifier, or please explain how to check it?

Hmm, @frank-w - I’m thinking, if it was a problem with the soldering of the ethernet ports we would have exactly the same situation with kernel 4.4, but with kernel 4.4 NAT works well. Do you agree?

But, the other things - why the same configuration with kernel 4.16.18 works well on other BPI-R2 board :)?

right, hardware-issue should affect all kernels, but software-issue should affect all boards

missed the question about magnifier…that will be a good start, maybe try to move the pins to check if they are soldered correctly (board powered off of course with anti-static precautions)
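
Added example, not part of the original thread and not any poster's code: a small Python script that reads `tcpdump -nn` text output taken on the router's LAN port and reports which data segments toward the client were seen more than once, plus the highest ACK the client returned. The sample lines and addresses are constructed in the format of the captures above, and the script assumes the capture holds a single TCP connection.

```python
import re
from collections import Counter

# tcpdump -nn text line for IPv4 TCP: "time IP src.port > dst.port: Flags [..], seq a:b, ack n, ..."
# DNS, ARP, DHCP and interleaved kernel messages do not contain "Flags [" and are skipped.
LINE_RE = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+ IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.\d+: Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+)(?::(?P<seq_end>\d+))?)?"
    r"(?:, ack (?P<ack>\d+))?"
)

# Constructed sample (not copied from the thread): client 192.168.50.102, server 198.51.100.7.
SAMPLE = """\
16:27:44.961982 IP 192.168.50.102.41214 > 198.51.100.7.80: Flags [S], seq 2528255344, win 29200, length 0
16:27:44.964552 IP 198.51.100.7.80 > 192.168.50.102.41214: Flags [S.], seq 2436261195, ack 2528255345, win 28960, length 0
16:27:44.964843 IP 192.168.50.102.41214 > 198.51.100.7.80: Flags [.], ack 1, win 229, length 0
16:27:44.965064 IP 192.168.50.102.41214 > 198.51.100.7.80: Flags [P.], seq 1:84, ack 1, win 229, length 83: HTTP
16:27:44.966972 IP 198.51.100.7.80 > 192.168.50.102.41214: Flags [.], ack 84, win 227, length 0
16:27:44.970638 IP 198.51.100.7.80 > 192.168.50.102.41214: Flags [.], seq 1:1449, ack 84, win 227, length 1448: HTTP
16:27:44.970901 IP 198.51.100.7.80 > 192.168.50.102.41214: Flags [.], seq 1449:2897, ack 84, win 227, length 1448: HTTP
16:27:44.974944 IP 198.51.100.7.80 > 192.168.50.102.41214: Flags [.], seq 1:1449, ack 84, win 227, length 1448: HTTP
16:27:44.975448 IP 192.168.50.102.41214 > 198.51.100.7.80: Flags [.], ack 1449, win 274, length 0
16:27:44.977620 IP 198.51.100.7.80 > 192.168.50.102.41214: Flags [.], seq 1449:2897, ack 84, win 227, length 1448: HTTP
16:27:45.181441 IP 198.51.100.7.80 > 192.168.50.102.41214: Flags [.], seq 1449:2897, ack 84, win 227, length 1448: HTTP
16:27:45.589713 IP 198.51.100.7.80 > 192.168.50.102.41214: Flags [.], seq 1449:2897, ack 84, win 227, length 1448: HTTP
16:27:49.827750 ARP, Request who-has 192.168.50.102 tell 192.168.50.1, length 28
"""


def analyze(lines, client_ip):
    """Summarise one TCP connection as seen on the router's client-facing port.

    A segment that appears several times heading to the client while the
    client's ACK number stays at that segment's start means the sender is
    retransmitting it: either the segment or the client's ACK is being lost
    on the client side of the capture point.
    """
    copies = Counter()  # (seq_start, seq_end) -> times seen heading to the client
    highest_ack = 0     # highest relative ACK number sent by the client
    for line in lines:
        m = LINE_RE.match(line.strip())
        # SYN / SYN-ACK carry absolute sequence numbers; skip them.
        if not m or "S" in m["flags"]:
            continue
        if m["dst"] == client_ip and m["seq_end"]:
            copies[(int(m["seq"]), int(m["seq_end"]))] += 1
        elif m["src"] == client_ip and m["ack"]:
            highest_ack = max(highest_ack, int(m["ack"]))
    retransmitted = {seg: n for seg, n in copies.items() if n > 1}
    # The stalled segment is the retransmitted one that starts where the client's ACK stopped.
    stalled = next((seg for seg in sorted(retransmitted) if seg[0] == highest_ack), None)
    return {
        "highest_client_ack": highest_ack,
        "retransmitted": retransmitted,
        "stalled_segment": stalled,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE.splitlines(), "192.168.50.102")
    print("highest ACK from client:", report["highest_client_ack"])
    for (start, end), count in sorted(report["retransmitted"].items()):
        print(f"segment {start}:{end} seen {count} times toward the client")
    print("stalled on segment:", report["stalled_segment"])
```

Running the same script on a capture taken at the same time on the client's own interface shows whether the repeated segment ever arrives there.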