[wifi-ap] Connected client can't access the network via shared interface
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
snappy-hwe-snaps | Confirmed | Undecided | Unassigned | |
Bug Description
Hardware: Dell Edge Gateway 3100 (DVT1)
A client connected to an access point provided by the wifi-ap snap cannot access the network via the shared Ethernet interface.
Snaps:
bluez 5.44-2 84 canonical -
caracalla 16.04-1.29 39 canonical -
caracalla-kernel 4.4.0-2002.2 40 canonical -
core 16-2.26.9 2381 canonical -
docker 17.03.2-ce-1 159 docker-inc -
locationd 4.0.0 71 canonical -
modem-manager 1.6.2-5 82 canonical -
network-manager 1.2.2-10.2 166 canonical -
snapweb 0.26-10 300 canonical -
tpm2 1.0-5 42 canonical -
uefi-fw-tools 1.4.1-0.7.2+git 7 canonical -
wifi-ap 15 146 canonical -
The BT/WiFi driver is confirmed to be in AP mode (Bluetooth legacy & low energy):
root@caracalla:~# cat /sys/module/
14
The wifi-ap configuration appears to be correct:
root@caracalla:~# wifi-ap.config get
debug: false
dhcp.lease-time: 12h
dhcp.range-start: 10.0.60.2
dhcp.range-stop: 10.0.60.199
disabled: false
share.disabled: false
share.network-
wifi.address: 10.0.60.1
wifi.channel: 6
wifi.hostapd-
wifi.interface: wlan0
wifi.interface-
wifi.netmask: 255.255.255.0
wifi.operation-
wifi.security: open
wifi.security-
wifi.ssid: Ubuntu
The shared interface also appears to be active:
root@caracalla:~# nmcli c
NAME UUID TYPE DEVICE
Wired connection 1 1158e56d-
docker0 99a4aae0-
veth540af6f 9c2f5bb5-
Wired connection 3 46cbf376-
The gateway's Ethernet connection was validated by logging into the gateway and confirming that the Internet was reachable, and that DNS functions properly.
The client connected to the AP is able to ping the gateway; however, the Internet isn't reachable via the NAT configured between WiFi and Ethernet by the wifi-ap snap.
IP forwarding is enabled:
root@caracalla:~# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
And the iptables (default & nat) are as follows:
root@caracalla:~# iptables -t filter -L -v
Chain INPUT (policy ACCEPT 37491 packets, 7193K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy DROP 368 packets, 22056 bytes)
pkts bytes target prot opt in out source destination
36204 69M DOCKER-ISOLATION all -- any any anywhere anywhere
19621 1564K DOCKER all -- any docker0 anywhere anywhere
72 10008 ACCEPT all -- any docker0 anywhere anywhere ctstate RELATED,ESTABLISHED
13459 68M ACCEPT all -- docker0 !docker0 anywhere anywhere
0 0 ACCEPT all -- docker0 docker0 anywhere anywhere
1035 63405 ACCEPT all -- wlan0 any anywhere anywhere
Chain OUTPUT (policy ACCEPT 4188 packets, 410K bytes)
pkts bytes target prot opt in out source destination
Chain DOCKER (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- !docker0 docker0 anywhere 172.17.0.2 tcp dpt:60002
0 0 ACCEPT tcp -- !docker0 docker0 anywhere 172.17.0.2 tcp dpt:6474
154 21659 ACCEPT tcp -- !docker0 docker0 anywhere 172.17.0.2 tcp dpt:6443
0 0 ACCEPT tcp -- !docker0 docker0 anywhere 172.17.0.2 tcp dpt:3000
0 0 ACCEPT tcp -- !docker0 docker0 anywhere 172.17.0.2 tcp dpt:1884
991 70154 ACCEPT tcp -- !docker0 docker0 anywhere 172.17.0.2 tcp dpt:1883
18404 1462K ACCEPT tcp -- !docker0 docker0 anywhere 172.17.0.2 tcp dpt:https
Chain DOCKER-ISOLATION (1 references)
pkts bytes target prot opt in out source destination
36204 69M RETURN all -- any any anywhere anywhere
root@caracalla:~# iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 1089 packets, 238K bytes)
pkts bytes target prot opt in out source destination
494 31612 DOCKER all -- any any anywhere anywhere ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 999 packets, 233K bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 3289 packets, 241K bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER all -- any any anywhere !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 3435 packets, 242K bytes)
pkts bytes target prot opt in out source destination
36 2304 MASQUERADE all -- any !docker0 172.17.0.0/16 anywhere
503 47168 MASQUERADE all -- any eth0 anywhere anywhere
0 0 MASQUERADE tcp -- any any 172.17.0.2 172.17.0.2 tcp dpt:60002
0 0 MASQUERADE tcp -- any any 172.17.0.2 172.17.0.2 tcp dpt:6474
0 0 MASQUERADE tcp -- any any 172.17.0.2 172.17.0.2 tcp dpt:6443
0 0 MASQUERADE tcp -- any any 172.17.0.2 172.17.0.2 tcp dpt:3000
0 0 MASQUERADE tcp -- any any 172.17.0.2 172.17.0.2 tcp dpt:1884
0 0 MASQUERADE tcp -- any any 172.17.0.2 172.17.0.2 tcp dpt:1883
0 0 MASQUERADE tcp -- any any 172.17.0.2 172.17.0.2 tcp dpt:https
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- docker0 any anywhere anywhere
0 0 DNAT tcp -- !docker0 any anywhere anywhere tcp dpt:60002 to:172.17.0.2:60002
0 0 DNAT tcp -- !docker0 any anywhere anywhere tcp dpt:6474 to:172.17.0.2:6474
6 384 DNAT tcp -- !docker0 any anywhere anywhere tcp dpt:6443 to:172.17.0.2:6443
0 0 DNAT tcp -- !docker0 any anywhere anywhere tcp dpt:3000 to:172.17.0.2:3000
0 0 DNAT tcp -- !docker0 any anywhere anywhere tcp dpt:1884 to:172.17.0.2:1884
86 5504 DNAT tcp -- !docker0 any anywhere anywhere tcp dpt:1883 to:172.17.0.2:1883
194 12416 DNAT tcp -- !docker0 any anywhere anywhere tcp dpt:https to:172.17.0.2:443
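An added example, not part of the original report or of the wifi-ap snap: it replays the filter-table FORWARD chain from the listing above for both directions of a client flow, matching on the in/out interface columns only. Rows with a protocol, address or extra match (such as ctstate) are left out of the model, and eth0 as the uplink is an assumption taken from the POSTROUTING MASQUERADE rule.

```python
import re
# Constructed input: FORWARD and DOCKER-ISOLATION rows copied from the report's listing.
LISTING = """\
Chain FORWARD (policy DROP 368 packets, 22056 bytes)
36204 69M DOCKER-ISOLATION all -- any any anywhere anywhere
19621 1564K DOCKER all -- any docker0 anywhere anywhere
72 10008 ACCEPT all -- any docker0 anywhere anywhere ctstate RELATED,ESTABLISHED
13459 68M ACCEPT all -- docker0 !docker0 anywhere anywhere
0 0 ACCEPT all -- docker0 docker0 anywhere anywhere
1035 63405 ACCEPT all -- wlan0 any anywhere anywhere
Chain DOCKER-ISOLATION (1 references)
36204 69M RETURN all -- any any anywhere anywhere
"""

def parse(listing):
    """Return {chain: (policy or None, [(target, in_if, out_if), ...])}."""
    chains, current = {}, None
    for line in listing.splitlines():
        header = re.match(r"Chain (\S+) \((?:policy (\w+))?", line)
        f = line.split()
        if header:
            current = chains[header.group(1)] = (header.group(2), [])
        # Model limit: keep only rows with no protocol, address or extra match.
        elif len(f) == 9 and f[3] == "all" and f[7] == f[8] == "anywhere":
            current[1].append((f[2], f[5], f[6]))
    return chains

def if_match(pattern, iface):
    negated = pattern.startswith("!")
    return pattern == "any" or (iface == pattern.lstrip("!")) != negated

def verdict(chains, in_if, out_if, chain="FORWARD"):
    """Target that decides a packet forwarded from in_if to out_if."""
    policy, rules = chains[chain]
    for target, rule_in, rule_out in rules:
        if not (if_match(rule_in, in_if) and if_match(rule_out, out_if)):
            continue
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target == "RETURN":
            break
        if target in chains:  # jump into a user-defined chain from the listing
            result = verdict(chains, in_if, out_if, target)
            if result:
                return result
    return policy  # None in a user chain: evaluation resumes in the caller

for path in (("wlan0", "eth0"), ("eth0", "wlan0")):
    print(path, verdict(parse(LISTING), *path))
```

Under this model, packets entering on wlan0 hit the wlan0 ACCEPT rule, while packets arriving on eth0 for wlan0 match no rule and fall through to the chain's DROP policy.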
Changed in snappy-hwe-snaps:
status: New → Confirmed
description: updated
Syslog from the system