@Kalcifer@sh.itjust.works avatar

Kalcifer

@Kalcifer@sh.itjust.works

All of this user’s content is licensed under CC BY 4.0.

This profile is from a federated server and may be incomplete.

kde , to KDE
@kde@floss.social avatar

Phone Link is Microsoft's late and closed source alternative to KDE Connect. It requires you sign in to a Microsoft Account for it to work.

https://support.microsoft.com/en-us/topic/phone-link-requirements-and-setup-cd2a1ee7-75a7-66a6-9d4e-bf22e735f9e3

This means all the transactions between your phone and your PC are monitored and sucked up by Microsoft.

@kde

Kalcifer ,

I was not aware that KDE Connect ran on Windows! This is great to hear for recommendations. Thanks for spreading awareness!

Kalcifer OP ,

Is the app in question an XWayland app?

How do I find this info?

you need to change the setting for scaling in the Display Settings to something the XWayland apps like

I’ve never modified the scaling, though — It’s at the default 100%.

Kalcifer OP ,

I tried setting that too, but it didn’t fix it.

Kalcifer OP ,

Yeah, I’m also pretty sure that this is a Flatpak issue — an update for one of the affected Flatpaks came out, and its issue with the cursor is now fixed. I suspect that when an update for the other applications rolls out, then they will also be fixed. I’m not entirely sure what went wrong in the Flatpaks with Plasma 6, though — it’s rather interesting. Maybe something got changed in one of the desktop portals?

Kalcifer OP ,

I am using a default Breeze cursor theme. Specifically, I am using Breeze Light.

Kalcifer OP ,

This isn’t a solution. I am using the Breeze cursors. Specifically, I am using Breeze Light.

Kalcifer OP ,

Out of curiosity, is kitty installed as a Flatpak?

Kalcifer OP ,

Input means packets originating from another device within this zone with the router as the destination.

How does this work with the second rule? Wouldn’t any connection from the internet be a connection originating from another device within the wan zone (internet) with the router as the destination? The rule has Input: reject, but I would think that it should then be input: accept.

Kalcifer OP ,

openwrt.org/docs/…/firewall_configuration

Does this help, OP?

I linked that at the end of my post. I mentioned that I felt it didn’t answer my question.

Kalcifer OP ,

It’s no problem! Thank you for trying to help 😊

Kalcifer OP , (edited )

Input means the packet stops at the router

Ah okay, so if Output: accept is still enabled, then, even though Input: reject is set, the packet can still use the router as a hop in its journey to a device on the router’s network? It just can’t stop at the router? I guess that makes sense because the device on the router’s network is addressed by a port which is a layer above the IP address, so it wouldn’t even have a notion of addressing the router unless it just specifies the raw IP.

[EDIT (2024-02-08T00:21Z): Redacted this paragraph after re-reading this comment.] Another thing that is confusing me is the setting for Forward. I would assume that if a packet is destined for a device on the router’s network, then that packet is being forwarded from wan to lan, and if Masquerading is enabled, then the destination IP will be modified by the router. But, in the example image we have that Forward: reject is set. How does the packet get forwarded between interfaces if forwarding is disabled?

[EDIT (2024-02-08T00:21Z): Added the following quote, and response.]

When forward on the wan interface is set to reject, it essentially means no device from outside may initiate a connection. However, they may respond to already opened connection.

How does the router differentiate between the two? If I remember correctly, nftables uses conntrack to track this sort of stuff. I would guess that the router does the same?

[EDIT (2024-02-08T00:26Z): Added the following update.]

nftables uses conntrack to track this sort of stuff. I would guess that the router does the same?

When I was looking through the settings for the second row, I came across the following setting:

https://sh.itjust.works/pictrs/image/dc459644-af01-48e4-aa00-a9b9a8f54e18.webp

I believe that this setting is accomplishing the behaviour that you described (not allowing connections from wan, but still allowing responses). Correct?

Kalcifer OP ,

For the most part, it has been answered (you can scroll through the comments to see if you want to add any other information to a reply of mine, or someone else), but I would still certainly appreciate other attempts at explanations.

AUA: We are the Plasma dev team. Ask Us Anything about Plasma 6, gear 24.02, Frameworks 6 and everything else in the upcoming Megarelease.

David, Nate, Josh, Marco, Carl, and Niccolò are here ready to answer all your questions on Plasma (all versions), Gear, Frameworks, Wayland (and how it affects KDE’s software), and everything in between....

Kalcifer ,

Is there a plan to allow KDE Discover to update flatpaks automatically?

Kalcifer OP ,

That’s… interesting. Router B shouldn’t be involved at all with this, it should be blindly forwarding the packets. That’s a layer 3 error!

Indeed! I’m quite stumped.

How’s the bridge set up?

I set it up using this guide.

Have you made sure router B doesn’t do DHCP […]?

Yup, it’s disabled.

Have you made sure router B […] doesn’t take the IP of router A by accident?

Yep, it’s set to be static.

Kalcifer OP ,

OP - how is router B cabled?

For the bridge, it’s set up over a wifi connection to Router A. For the Nextcloud server, it’s just connected to one of the LAN ports on Router B.

Kalcifer OP ,

Alright, I’ll give your suggestion a go.

Make B have its own subnet, say, 192.168.1.0/24, assuming that A is on 192.168.0.0/24. Enable DHCP and everything, it’s now its own full network.

Done.

Make B a client of A with a static IP, like 192.168.0.2. That makes B present on A’s network.

Done.

Add a route on A for B’s network: 192.168.1.0/24 via 192.168.0.2.

I think I set this right: Network->Routing->Add->(Interface: wwan, Route type: unicast, Target: 192.168.0.1/24, Gateway: 192.168.1.1)

Disable NAT on B, just set A as the default route.

How would I go about doing this? I can’t find any definitive information on how to disable NAT in OpenWRT.

The only thing missing would be to handle broadcasts so stuff like Bonjour/Avahi works correctly.

I do need this. I believe this would then require an mDNS reflector, right (it wasn’t required before as relayd was bridging the networks)?

Kalcifer OP ,

Ah, I see. You’re using 2 wifi access points as a bridge to each other.

Yeah, this is a requirement for how I am trying to implement it.

Kalcifer OP ,

Ok, so, I’m ending up with an issue where I can ping Router A from a device on Router B, but I get Destination Port Unreachable if I try to ping a device on Router A. Likewise, I can ping Router B from a device on Router A, but I get Destination Port Unreachable if I try to ping a device on Router B.

I have the route added to Router A (192.168.1.0/24 via 192.168.0.2), I have masquerading turned off for wan on Router B.

Kalcifer OP , (edited )

Hrm, I still have the same issue. Here’s the firewall settings:

lan zone:

  • Input: accept
  • Output: accept
  • Forward: accept
  • Masquerading: false (unchecked)
  • MSS clamping: false (unchecked)
  • Covered Networks: lan
  • Allow forward to destination zones: wan, wan6, wwan
  • Allow forward from source zones: unspecified

wan zone:

  • Input: accept
  • Output: accept
  • Forward: accept
  • Masquerading: false (unchecked)
  • MSS clamping: true (checked)
  • Covered Networks: wan, wan6, wwan
  • Allow forward to destination zones: unspecified
  • Allow forward from source zones: lan

EDIT: I didn’t see your edit, as I hadn’t refreshed the page.

Kalcifer OP ,

If you WireShark this, I bet B is successfully sending packets to A and A’s devices, and A’s packets make it all the way to B but B doesn’t forward it to its own LAN, and it stops there.

Yep that’s exactly what I see.

Can you post the output of ip ro and ip a on both routers? (Feel free to redact your public IP/ISP stuff if it shows up)

I would only be able to for one router. Router A is a tp-link AX73 which doesn’t support OpenWRT. Router B, however, is a tp-link Archer C7 and is flashed with OpenWRT.

Kalcifer OP ,

Alright, I now am able to ping a device on Router B from a device on Router A, but I’m still not able to ping a device on Router A from a device on Router B.

Here’s the firewall settings for Router B:

lan zone:

  • Input: accept
  • Output: accept
  • Forward: accept
  • Masquerading: false (unchecked)
  • MSS clamping: false (unchecked)
  • Covered Networks: lan
  • Allow forward to destination zones: wan, wan6, wwan
  • Allow forward from source zones: wan, wan6, wwan

wan zone:

  • Input: accept
  • Output: accept
  • Forward: accept
  • Masquerading: false (unchecked)
  • MSS clamping: true (checked)
  • Covered Networks: wan, wan6, wwan
  • Allow forward to destination zones: lan
  • Allow forward from source zones: lan

EDIT:

Scratch that! Apparently it is working. I could’ve sworn that I checked the ping. Maybe I subconsciously applied something else.

Kalcifer OP ,

I’m now encountering another issue where I can’t ping any external IPs. I don’t mean that DNS isn’t resolving (I set that on Router B to use Router A as the DNS resolver), but I can’t ping, say, google.com, for example, from a device on Router B. I can see the ICMP requests in Wireshark, but they just say “no response”.

Kalcifer OP ,

I really appreciate all the help that you provided in this thread! To simplify the setup, I bought a different primary router, flashed OpenWRT to it, then set up a WDS bridge between it and the other router. So far, I’ve had no issues, and the setup has been greatly simplified. I’m, of course, still curious as to why the previous setup wasn’t working, but at least everything is working now.

Kalcifer OP ,

Are your clients all on the same subnet

Router A (192.168.0.1) is a different subnet than router B (192.168.2.1).

Make sure you’re actually doing a bridge

Bridge was added using the linked guide (it uses relayd).

Kalcifer OP ,

Router A would also need to bridge in order for that to work

Why would Router A also need to be a bridge? Router B is configured to bridge its devices to Router A’s network, so, from what I understand, its devices are treated as if they are on Router A’s network – bridging is layer 2, and mDNS is layer 3 (afaik), so Avahi should be able to resolve across the bridge.

On the other hand, there are ways of setting up Multicast Forwarding if the router supports it, or you could have a device in both networks that does Avahi/mDNS Reflection.

Wouldn’t this only matter if Device A, and Device B were on two separate vlans?

Kalcifer OP ,

Router B is bridging Device B to Router A’s network, so they aren’t on separate vlans; thus, it shouldn’t require an mDNS reflector as that repeats mDNS between separate subnets.

Kalcifer OP ,

I’m not familiar with how Avahi works, but I assume it uses broadcast packets.

It does, yeah; multicast DNS uses multicast packets e.g. 224.0.0.251 (ipv4).

Do you actually have routing between two networks, or is it just a wireless bridge?

It’s just a wireless bridge.

Do broadcast packets transit the bridge?

They do.

Kalcifer OP ,

👀

Kalcifer OP ,

Afaik, an mDNS reflector is only needed to cross subnets – both subnets and mDNS function on layer 3. Bridging occurs on layer 2, and since mDNS functions in layer 3 (ipv4 multicast is layer 3), the bridge itself is invisible to it.

Kalcifer OP ,

This works if B has an interface that is connected to the A subnet

I’m not sure I understand exactly what you mean. Is it not given that if two routers are connected to each other then an interface from either of them will be connected to the other?

but not if you have a PtP between the two routers

What do you mean by PtP? Are you referring to something like WDS, or, in my case, relayd?

Kalcifer OP ,

Wait, are you just generally referring to this? That already exists in the form of PPPoE, and, for all intents and purposes, WPA, does it not?

Kalcifer OP ,

Interesting, where does the 3rd hop come from? Wouldn’t the routing table just point from one router to the other – so 2 hops?

Kalcifer OP ,

To make sure that I understand correctly, are you describing something similar to what was described in this thread?

Kalcifer OP ,

However, how comfortable are you with routing in general?

Ha, depends what you mean by that. If you mean manually specifying routes in a router, I think I generally understand it, but I am not at all confident in my abilities.

Kalcifer OP ,

Does this make it more clear?

Yes, thank you! Usually, however, most of my issues seem to stem from knowing where configs are, what tools to use for what, or where to find things in the router user interface, etc.

What's the proper way to create a wireless bridge between two wireless routers?

I’ve heard that WDS is the standard for creating a wireless bridge, but I have since read on a number of forum posts that WDS shouldn’t be used anymore. This idea of it being deprecated seems to make sense, as it appears that it is not supported by another newer router that I have (tp-link Archer AX73). How should I go about...

Kalcifer OP ,

see if your router can support OpenWRT

I have an Archer C7, to which I have already flashed OpenWRT.

avoid any routers with Broadcom or Qualcomm

Noted! I assume that the Archer C7 is an exception to that? It has a Qualcomm chip afaik. But, yeah, the AX73 is Broadcom.

Use the AX73 as your primary and the OpenWRT one as the repeater node and you’re set.

Is that not what WDS, or 802.11s is (I’m not arguing, I am simply unaware, and I would appreciate correction!)? I’ve tried setting this up a number of ways – all to no avail. I haven’t been able to identify exactly where the problem lies in the setup, as I am not knowledgeable enough about network administration yet. The Archer C7 is able to connect to the AX73 just fine, but any device connected to the Archer C7 is unable to reach the AX73. Would you be able to provide me with any instructions, or recommendations for guides to set up what you are describing? I’m missing some important set up step, or I’m improperly configuring something.

If Ethernet between the 2 is viable, go with that instead

I would like to try and set it up over a wireless link.

Kalcifer OP ,

The tp-link Archer AX73 doesn’t support OpenWRT, but the second router (tp-link Archer C7) does, and has it installed.

Kalcifer OP ,

Aside from the fact that the AX73 isn’t supported by OpenWRT, what steps would you suggest if one were to flash OpenWRT to accomplish this?

Kalcifer OP ,

Yea Qualcomm is hit or miss (with more misses than hits) but never Broadcom, they never release drivers for their stuff without NDAs and lots of fees n shit (Fuckin assholes man lol). In fact you should avoid anything Broadcom, they recently acquired VMware and before the ink had even dried they announced they were revoking perpetual licenses to make people/business move to a subscription model.

Noted!

But back on topic, WDS is a more full featured version where both the primary router and secondary ones are configured to bridge with each other. Kind of like a proto-mesh.

Gotcha. From what I’ve read, it appears that the AX73 doesn’t support WDS, which I thought was weird since it’s a pretty new router.

It’s been a long time since I’ve used this mode, but from what I remember, it’s under the AP mode setting (Where you would select AP or Router mode) you would select Repeater mode then configure the SSID name and Security settings exactly as the primary router. Sometimes there was a dedicated spot for this, sometimes you just set it on the normal SSID Security settings screen

I found this guide for creating a wireless bridge. It doesn’t feel as elegant a solution as simply hopping onto Router A with Router B, but it at least functions.
