403 Forbidden error when on wifi


jpbaril

Apr 19, 2012, 11:58:18 PM
to al...@googlegroups.com
Hi,

I'm trying to access the webui by wifi and I get a 403 forbidden error. When wired, I can access it.
It's strange because I'm on the same subnet on wired and wifi (192.168.0.x).
The only thing I can say is that in a past setup, this DD-WRT router that the NAS is plugged into was the main internet gateway in PPPoE (and I had no problem accessing the webui), and now the router is set up as a wifi repeater but with its own subnet from the main gateway router.
The wifi computer and the Alt-F NAS are on that same subnet network.
I understand it is not entirely a problem caused by the NAS, but why does Alt-F see my computer as being external to the subnet?
For info, the NAS has 192.168.0.109 and wifi computer has 192.168.0.106, both getting IP from DHCP.

Thank you

Joao Cardoso (Alt-F)

Apr 20, 2012, 2:21:52 PM
to al...@googlegroups.com
On Thursday 19 April 2012 20:58:18 jpbaril wrote:
> Hi,
>
> I'm trying to access the webui by wifi and I get a 403 forbidden error.
> When wired, I can access it.

and do you have access to other resources, like samba, ftp, ssh...?

> It's strange because I'm on the same subnet on wired and wifi (192.168.0.x).

That is done on a per-app basis. For the web pages, see the ip/mask value in
/etc/httpd.conf; for samba, watch /etc/samba/smb.conf, the "hosts allow"
directive.

It is possible that the mask is not correctly set up. Can you post the relevant
lines of the config files, the 'ifconfig eth0' and "route" command output, and
the DHCP log part? "logread" or System->Utilities->View Logs->System log

Apr 20 10:09:11 nas user.notice udhcpc: udhcpc environment:
Apr 20 10:09:11 nas user.notice udhcpc: router=192.168.1.254
Apr 20 10:09:11 nas user.notice udhcpc: subnet=255.255.255.0 <-------------
Apr 20 10:09:11 nas user.notice udhcpc: METHOD=dhcp
Apr 20 10:09:11 nas user.notice udhcpc: MODE=start
Apr 20 10:09:11 nas user.notice udhcpc: domain=homenet
Apr 20 10:09:11 nas user.notice udhcpc: interface=eth0
Apr 20 10:09:11 nas user.notice udhcpc: dns=192.168.1.254
Apr 20 10:09:11 nas user.notice udhcpc: IF_MTU=1500
Apr 20 10:09:11 nas user.notice udhcpc: ADDRFAM=inet
Apr 20 10:09:11 nas user.notice udhcpc: serverid=192.168.1.254
Apr 20 10:09:11 nas user.notice udhcpc: IF_CLIENT=udhcpc
Apr 20 10:09:11 nas user.notice udhcpc: PATH=/sbin:/usr/sbin:/bin:/usr/bin
Apr 20 10:09:11 nas user.notice udhcpc: ip=192.168.1.76
Apr 20 10:09:11 nas user.notice udhcpc: lease=86400
Apr 20 10:09:11 nas user.notice udhcpc: mask=24 <------------------------
Apr 20 10:09:11 nas user.notice udhcpc: IFACE=eth0
Apr 20 10:09:11 nas user.notice udhcpc: PWD=/
Apr 20 10:09:11 nas user.notice udhcpc: opt53=05


Thanks


> The only thing I can say is that in a past setup this DD-WRT router the NAS
> is plugged in was the main internet gateway in PPPoE (and had no problem
> accessing webui) and now the setup of the router is as a wifi repeater

If all Alt-F network services have the same problem, and the network mask is
OK, then the problem might be the wifi repeater.

jpbaril

Apr 21, 2012, 12:46:21 AM
to al...@googlegroups.com
You are right, ssh and afpd are working, samba and httpd are not.


/etc/httpd.conf

A:127.0.0.1     #!# Allow local loopback connections                                                                  
D:*             #!# Deny from other IP connections                                                                    
A:192.168.0.0/255.255.255.0 #!# Allow local net


Excerpt of /etc/samba/smb.conf

[global]
        server string = DNS-323 NAS
        map to guest = Bad User
        passdb backend = smbpasswd
        username map = /etc/samba/smbusers
        syslog only = Yes
        max log size = 32
        enable core files = No
        socket options = IPTOS_LOWDELAY TCP_NODELAY
        hosts allow = 127. 192.168.0.0/255.255.255.0


# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:22:B0:EA:A8:33 
          inet addr:192.168.0.109  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2555373 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5142242 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:193388824 (184.4 MiB)  TX bytes:3207856478 (2.9 GiB)
          Interrupt:21


# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth0


Apr 20 20:34:41 zebrick user.notice udhcpc: udhcpc environment:
Apr 20 20:34:41 zebrick user.notice udhcpc:    opt58=00009cbe
Apr 20 20:34:41 zebrick user.notice udhcpc:    router=192.168.0.1
Apr 20 20:34:41 zebrick user.notice udhcpc:    subnet=255.255.255.0
Apr 20 20:34:41 zebrick user.notice udhcpc:    opt59=00011b4e
Apr 20 20:34:41 zebrick user.notice udhcpc:    METHOD=dhcp
Apr 20 20:34:41 zebrick user.notice udhcpc:    MODE=start
Apr 20 20:34:41 zebrick user.notice udhcpc:    interface=eth0
Apr 20 20:34:41 zebrick user.notice udhcpc:    siaddr=192.168.0.1
Apr 20 20:34:41 zebrick user.notice udhcpc:    dns=192.168.0.1
Apr 20 20:34:41 zebrick user.notice udhcpc:    IF_MTU=1500
Apr 20 20:34:41 zebrick user.notice udhcpc:    ADDRFAM=inet
Apr 20 20:34:41 zebrick user.notice udhcpc:    serverid=192.168.0.1
Apr 20 20:34:41 zebrick user.notice udhcpc:    broadcast=192.168.0.255
Apr 20 20:34:41 zebrick user.notice udhcpc:    IF_CLIENT=udhcpc
Apr 20 20:34:41 zebrick user.notice udhcpc:    PATH=/sbin:/usr/sbin:/bin:/usr/bin
Apr 20 20:34:41 zebrick user.notice udhcpc:    ip=192.168.0.109
Apr 20 20:34:41 zebrick user.notice udhcpc:    lease=86400
Apr 20 20:34:41 zebrick user.notice udhcpc:    mask=24
Apr 20 20:34:41 zebrick user.notice udhcpc:    IFACE=eth0
Apr 20 20:34:41 zebrick user.notice udhcpc:    PWD=/usr/www/cgi-bin
Apr 20 20:34:41 zebrick user.notice udhcpc:    opt53=05
Apr 20 20:34:41 zebrick user.notice udhcpc: Updating /etc/hosts
Apr 20 20:34:41 zebrick user.notice udhcpc: Updating /etc/httpd.conf
Apr 20 20:34:41 zebrick user.notice udhcpc: Updating /etc/samba/smb.conf
Apr 20 20:34:41 zebrick user.notice udhcpc: Updating default route
Apr 20 20:34:41 zebrick user.notice udhcpc: Updating /etc/resolv.conf
Apr 20 20:34:41 zebrick user.notice udhcpc: adding dns 192.168.0.1


Thank you

Joao Cardoso

Apr 21, 2012, 12:02:21 PM
to al...@googlegroups.com
Both samba and httpd (as well as general networking, as given by the "route" and "ifconfig" commands) seem to be correctly set up, according to what the DHCP server supplied, i.e., mask=24, subnet=255.255.255.0 and broadcast=192.168.0.255.

So the problem might be elsewhere, perhaps the way that the wifi computer is set up (is it a linux or win box?) or the way that the wifi repeater router might be set up... don't know.

But the fact that all other box network services are working OK is strange... it could be an httpd bug, but I don't believe that samba is also in error, so it looks like "hosts allow = 127. 192.168.0.0/255.255.255.0" and "A:192.168.0.0/255.255.255.0 #!# Allow local net" are wrong!

Is the wifi router working as a router or as a switch? I also have a second wired wifi router (working as a switch, no subnets, vlans) without problems.

I'm afraid I can't give any further help.

jpbaril

Apr 21, 2012, 4:45:27 PM
to al...@googlegroups.com
I commented that line:

hosts allow = 127. 192.168.0.0/255.255.255.0
in /etc/samba/smb.conf
restarted smb and it works!

I also did the same with httpd and it also works.

That said, does there exist a command I could run on the NAS that would tell me what the NAS sees as my client (PC) address? That way I could modify back the config files to reflect my private network?

Thank you again

jpbaril

Apr 21, 2012, 5:00:08 PM
to al...@googlegroups.com
OK, I went into the samba logs, and it sees my PC as having the IP
169.254.255.1

I could not find logs for httpd, but I think that dropbear also reports my PC as having the

169.254.255.1 IP address.

Weird! Is it me, or are addresses beginning with 169 the addresses computers give to themselves when they cannot get one from a DHCP server?

Joao Cardoso

Apr 21, 2012, 7:41:04 PM
to al...@googlegroups.com


On Saturday, April 21, 2012 10:00:08 PM UTC+1, jpbaril wrote:
> ok, I went it the samba logs, and it sees my pc has having the IP
> 169.254.255.1
>
> I could not find logs for httpd, but I think that dropbear also report my pc has having
>
> 169.254.255.1 IP address.
>
> Weird! Is it me or addresses beginning by 169 are addresses computers give to themselves when they cannot get one from a dhcp server?

It looks like the DHCP request is not reaching the DHCP server. This mostly happens if a router is in the path between the requesting PC and the DHCP server. You should use your 2nd wifi router as a switch, i.e., don't use or connect its WLAN or upstream network port, use only its LAN ports.

If you really want to have two networks, then you must activate the DHCP server of your 2nd wifi router. But this is just a conjecture, as I don't have a layout of your network. Anyway this is outside this group's scope.

jpbaril

Apr 22, 2012, 2:39:12 AM
to al...@googlegroups.com
The second (mine) router IS acting as a DHCP server. That's why I'm saying it is an independent network. I don't control the first router, I can only access it because they gave me the name and password. The first router is only the source of the Internet, it does not play any further role.

Still, as the computers and NAS get their IP address from this second router, they should see each other as being on the same subnet.
I don't understand why the NAS thinks my computer has an IP beginning with 169 when both the router and the computer itself know that the IP is in reality beginning with 198.168.0.1xx

Anyway, if I have a firewall on my router, is it necessary to filter out external traffic versus local traffic on the NAS?

Joao Cardoso

Apr 22, 2012, 12:28:42 PM
to al...@googlegroups.com


On Sunday, April 22, 2012 7:39:12 AM UTC+1, jpbaril wrote:
> The second (mine) router IS acting as a DHCP server. That's why I'm saying it is an independant network. I don't control the first router, I can only access it because they gave me the name and password. The first router is only the source of the Internet, it does not play any further role.

ah, OK.

> Still, as the computers and NAS get their IP address from this second router, they should see each other as being on the same subnet.
> I don't understand why the NAS think my computer has an IP beginning with 169

He doesn't think, it just prints the IP of the originating computer :)
And all applications (samba, ssh, ftp,...) are reporting the same, so the computer IP is not what you think it is.

If commenting the relevant lines in smb.conf and httpd.conf makes the DNS visible to your computer, then the computer IP does not seem to be 192.x.x.x

Have you run 'ifconfig' in the computer, to see its real IP? even MS-Win has 'ifconfig'

> when both the router and the computer
> itself know that the IP is in reality beginning with 198.168.0.1xx

you mean 192.168.0.x, right? please run 'ifconfig' in the computer
 

jpbaril

Apr 22, 2012, 9:58:03 PM
to al...@googlegroups.com
On Sunday, April 22, 2012 12:28:42 UTC-4, Joao Cardoso wrote:

>> Still, as the computers and NAS get their IP address from this second router, they should see each other as being on the same subnet.
>> I don't understand why the NAS think my computer has an IP beginning with 169
>
> He doesn't think, it just prints the IP of the originating computer :)
> And all applications (samba, ssh, ftp,...) are reporting the same, so the computer IP is not what you think it is.
>
> If commenting the relevant lines in smb.conf and httpd.conf makes the DNS visible to your computer, then the computer IP does not seems to be 192.x.x.x
>
> Have you run 'ifconfig' in the computer, to see its real IP? even MS-Win has 'ifconfig'


ifconfig from my MacBook Pro:

ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    inet 127.0.0.1 netmask 0xff000000
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
fw0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 4078
    lladdr 00:1b:63:ff:fe:68:f1:06
    media: autoselect <full-duplex>
    status: inactive
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    ether 00:1c:b3:c1:56:38
    inet6 fe80::21c:b3ff:fec1:5638%en1 prefixlen 64 scopeid 0x5
    inet 192.168.0.106 netmask 0xffffff00 broadcast 192.168.0.255
    media: autoselect
    status: active
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    ether 00:19:e3:68:09:60
    media: autoselect
    status: inactive
 

>> when both the router and the computer
>> itself know that the IP is in reality beginning with 198.168.0.1xx
>
> you mean 192.168.0.x, right? please run 'ifconfig' in the computer


192.168.0.x yes, I just wanted to specify that IPs were released by the router beginning at 100.

As I said the router gave and sees my computer as 192.168.0.106. Every other computer on my network also sees and can access my computer on 192.168.0.106. I can even ping my computer from the NAS.

Maybe it's just the router that reports wrongly to the NAS the IP of my computer.

Thank you

Joao Cardoso

Apr 22, 2012, 10:53:24 PM
to al...@googlegroups.com


On Monday, April 23, 2012 2:58:03 AM UTC+1, jpbaril wrote:
> On Sunday, April 22, 2012 12:28:42 UTC-4, Joao Cardoso wrote:
>
>>> Still, as the computers and NAS get their IP address from this second router, they should see each other as being on the same subnet.
>>> I don't understand why the NAS think my computer has an IP beginning with 169
>>
>> He doesn't think, it just prints the IP of the originating computer :)
>> And all applications (samba, ssh, ftp,...) are reporting the same, so the computer IP is not what you think it is.
>>
>> If commenting the relevant lines in smb.conf and httpd.conf makes the DNS visible to your computer, then the computer IP does not seems to be 192.x.x.x
>>
>> Have you run 'ifconfig' in the computer, to see its real IP? even MS-Win has 'ifconfig'
>
> ifconfig from my MacBook Pro:
>
> ifconfig
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
>     inet 127.0.0.1 netmask 0xff000000
>     inet6 ::1 prefixlen 128
>     inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
> gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
> stf0: flags=0<> mtu 1280
> fw0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 4078
>     lladdr 00:1b:63:ff:fe:68:f1:06
>     media: autoselect <full-duplex>
>     status: inactive
> en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>     ether 00:1c:b3:c1:56:38
>     inet6 fe80::21c:b3ff:fec1:5638%en1 prefixlen 64 scopeid 0x5
>     inet 192.168.0.106 netmask 0xffffff00 broadcast 192.168.0.255

No doubt, it's configured as 192.168.0.106. So, why does samba report through the system log an IP of 169.254.255.1? I'm puzzled.
dropbear (ssh) and ftp also report 169.254.255.1, don't they?

Do you have any other computer in your network? Can you power off the router, disconnect all computers, unplug the router's cable from the main router, power on only the router, the NAS and the wifi laptop and repeat the pings, ftp, ssh, samba, etc and watch the system log? In despair one tries everything :-(

...

> As I said the router gave and sees my computer as 192.168.0.106 . Every other computers on my network also see and can access my computer on 192.168.0.106. I can even ping my computer from the NAS.

and ping the nas from the computer also works?
Have you tried to ping 169.254.x.x from the NAS?

I'm really puzzled!

> Maybe it's just the router that reports wrongly to the NAS the IP of my computer.

No, the router isn't involved in that part, it just receives and sends packets.

[writing thoughts]

I can't imagine what is happening, the NAS network is correctly set up according to what the router DHCP server said the network is.
aahhh, a Mac... could it be "bonjour" in action? No idea.

Sorry, I would like to know what's going on... and it's only with wifi, when plugged it's OK. Could it be the router that creates a special network for wifi only? Can't you experiment with another wifi laptop? Even a wifi smartphone?

If you discover what the problem is I would love to know. Meanwhile you have to live with it, as smb.conf and httpd.conf are updated whenever a DHCP lease is renewed.
You could set up the NAS with a fixed IP, edit smb.conf and httpd.conf and save settings...

Brandon Hume

Apr 23, 2012, 8:51:42 AM
to al...@googlegroups.com
On 04/22/12 11:53 PM, Joao Cardoso wrote:
>
> No doubt, its configured as 192.168.0.106. So, why do samba reports
> through the system log an IP of 169.254.255.1? I'm puzzled.
> dropbear (ssh) and ftp also report 169.254.255.1, don't they?

It would be interesting to see the output of 'who' and 'arp -a' from a
shell while logged into the NAS.

jpbaril

Apr 23, 2012, 7:31:05 PM
to al...@googlegroups.com


On Sunday, April 22, 2012 22:53:24 UTC-4, Joao Cardoso wrote:
> No doubt, its configured as  192.168.0.106. So, why do samba reports through the system log an IP of  169.254.255.1? I'm puzzled.
> dropbear (ssh) and ftp also report 169.254.255.1, don't they?

Dropbear yes, ftp I don't know, it is not enabled.

> Do you have any other computer in your network? Can you poweroff the router, disconnect all computers, unplug the cable from the router from the main router, power on only the router, the NAS and the wifi laptop and repeat the pings, ftp, ssh, samba, etc and watch the system log? In despair one tries everything :-(

Mmm, it will be difficult, we are four roommates here, so maybe when they will not be there and their laptops will be asleep.

>> As I said the router gave and sees my computer as 192.168.0.106 . Every other computers on my network also see and can access my computer on 192.168.0.106. I can even ping my computer from the NAS.
>
> and ping the nas from the computer also works?
> Have you tried to ping 169.254.x.x from the NAS?

It works. But how can I be sure that it really pings my laptop and not some sort of catch-all?

> I can't imagine what is happening, the NAS network is correctly setup according to what the router DHCP server said the network is.
> aahhh, a Mac... could it be "bonjour" in action? No idea.

Me neither.

> Sorry, I would like to know what's going on... and its only with wifi, when plugged it's OK. Could it be the router that creates a special network for wifi only? Can't you experiment with another wifi laptop? Even a wifi smartphone?

I will.

> If you discover what the problem is I would love to know. Meanwhile you have to leave with it, as smb.conf and httpd.conf are updated whenever a DHCP lease is renewed.
> You could setup the nas with a fixed IP, edit smb.conf and httpd.conf and save settings...

I will.

Thanks again


On Monday, April 23, 2012 08:51:42 UTC-4, Brandon Hume wrote:

> It would be interesting to see the output of 'who' and 'arp -a' from a
> shell while logged into the NAS.

I logged with ssh onto the NAS from the wifi laptop.

# who
root            pts/0           00:00   Apr 23 18:58:05  169.254.255.1

# arp -a
? (192.168.0.1) at 48:5b:39:e7:95:bd [ether]  on eth0
jp-mbp (192.168.0.106) at 00:1c:b3:c1:56:38 [ether]  on eth0
? (192.168.0.114) at 00:90:a9:9f:01:e1 [ether]  on eth0
 

Brandon Hume

Apr 23, 2012, 8:11:11 PM
to al...@googlegroups.com
On 23/04/2012 8:31 PM, jpbaril wrote:
> I logged with ssh onto the NAS from the wifi laptop.

And from your laptop, what does a traceroute (or tracert on Windows) to
the NAS show? And "netstat -rn"?

Joao Cardoso

Apr 23, 2012, 9:14:28 PM
to al...@googlegroups.com


On Tuesday, April 24, 2012 12:31:05 AM UTC+1, jpbaril wrote:

> On Sunday, April 22, 2012 22:53:24 UTC-4, Joao Cardoso wrote:
>> No doubt, its configured as  192.168.0.106. So, why do samba reports through the system log an IP of  169.254.255.1? I'm puzzled.
>> dropbear (ssh) and ftp also report 169.254.255.1, don't they?
>
> Dropbear yes, ftp I don't know it is not anabled.

...

> On Monday, April 23, 2012 08:51:42 UTC-4, Brandon Hume wrote:
>
>> It would be interesting to see the output of 'who' and 'arp -a' from a
>> shell while logged into the NAS.
>
> I logged with ssh onto the NAS from the wifi laptop.
>
> # who
> root            pts/0           00:00   Apr 23 18:58:05  169.254.255.1
>
> # arp -a
> ? (192.168.0.1) at 48:5b:39:e7:95:bd [ether]  on eth0
> jp-mbp (192.168.0.106) at 00:1c:b3:c1:56:38 [ether]  on eth0
> ? (192.168.0.114) at 00:90:a9:9f:01:e1 [ether]  on eth0

No 169.254.x.x is reported, and you were using ssh (dropbear) that logs a child connection from 169.254.x.x?!

"arp -a" is a good idea, it enables us to determine the origin computer through its MAC (the 00:90:a9:... stuff), avoiding the need to turn off other computers in the network.

E.g., on my laptop with IP 192.168.1.65 and MAC 00:0E:35:9D:xx:xx, through wifi, after sshing to the DNS:

# logread | grep dropbear
Apr 24 01:42:18 nas authpriv.info dropbear[1844]: Child connection from 192.168.1.65:38496
Apr 24 01:42:24 nas authpriv.notice dropbear[1844]: Password auth succeeded for 'root' from 192.168.1.65:38496

# arp -a
flash.homenet (192.168.1.65) at 00:0e:35:9d:xx:xx [ether]  on eth0 # the wifi laptop
gw.homenet (192.168.1.254) at 00:26:44:2e:xx:xx [ether]  on eth0 # the router

In my case no (?) appears in the "arp -a" output, because I have set up /etc/hosts with the computer IP/hostname relationship -- you can also do that using Setup->Hosts (plural)

PS: As the MAC is unique to every network card in the world, people don't like to publish it entirely, because of security and impersonation issues, so I have replaced the last digits of my MACs with xx.xx
You can see your network card MAC using "ifconfig", and look at the en0/en1 entries in your case (wireless and wired)
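
The check the thread performs by hand, as an added example (not part of any post and not Alt-F code): it takes the source addresses from dropbear "Child connection" log lines, tests them against the `A:` entries of /etc/httpd.conf and Samba's `hosts allow` value quoted earlier, and cross-checks them against the posted `arp -a` table. The rule model (allowed if any allow entry matches, otherwise denied) is a simplifying assumption, and the log lines are constructed.

```python
import ipaddress
import re

# Configuration lines as quoted in the thread.
HTTPD_CONF = """\
A:127.0.0.1     #!# Allow local loopback connections
D:*             #!# Deny from other IP connections
A:192.168.0.0/255.255.255.0 #!# Allow local net
"""
SMB_HOSTS_ALLOW = "127. 192.168.0.0/255.255.255.0"

# Constructed sample log: dropbear's format from the thread, with the source
# address the NAS reported and one ordinary LAN client (PIDs/ports made up).
LOG = """\
Apr 23 18:58:05 zebrick authpriv.info dropbear[1844]: Child connection from 169.254.255.1:38496
Apr 23 19:02:10 zebrick authpriv.info dropbear[1851]: Child connection from 192.168.0.114:40112
"""
# 'arp -a' output as posted in the thread.
ARP = """\
? (192.168.0.1) at 48:5b:39:e7:95:bd [ether]  on eth0
jp-mbp (192.168.0.106) at 00:1c:b3:c1:56:38 [ether]  on eth0
? (192.168.0.114) at 00:90:a9:9f:01:e1 [ether]  on eth0
"""
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

def to_network(spec):
    """Parse '127.' (prefix form), a single address, or 'net/mask'."""
    if spec.endswith("."):
        octets = spec.rstrip(".").split(".")
        padded = ".".join(octets + ["0"] * (4 - len(octets)))
        return ipaddress.ip_network(f"{padded}/{8 * len(octets)}")
    return ipaddress.ip_network(spec, strict=False)

def httpd_allow_nets(conf):
    """Collect the A: entries; everything else is assumed caught by D:*."""
    nets = []
    for line in conf.splitlines():
        rule = line.split("#", 1)[0].strip()
        if rule.startswith("A:"):
            nets.append(to_network(rule[2:].strip()))
    return nets

def samba_allow_nets(value):
    return [to_network(tok) for tok in value.split()]

def classify(ip, nets, arp_ips):
    addr = ipaddress.ip_address(ip)
    return {
        "ip": ip,
        "allowed": any(addr in net for net in nets),
        "link_local": addr.is_link_local,   # 169.254.0.0/16
        "in_arp": ip in arp_ips,            # does any LAN neighbour own it?
    }

def audit(log, nets, arp):
    """Classify every source address found in the dropbear log lines."""
    known = set(re.findall(rf"\(({IPV4})\)", arp))
    sources = re.findall(rf"Child connection from ({IPV4}):\d+", log)
    return [classify(ip, nets, known) for ip in sources]

if __name__ == "__main__":
    for name, nets in (("httpd", httpd_allow_nets(HTTPD_CONF)),
                       ("samba", samba_allow_nets(SMB_HOSTS_ALLOW))):
        for row in audit(LOG, nets, ARP):
            print(name, row)
```

A source that is denied, link-local and absent from the ARP table, as 169.254.255.1 is here, means the packets arrive with a different source address than the one the client has configured, so the allow-list itself is behaving as written.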