Hello Krzysiek -
from your long post I can see that batmand is actually working. Both nodes see each other and the gateway is announced from the gateway side and selected from the client side. You are using the --disable-client-nat option and you announce individual subnets with batmand's HNA option. All good.
On the client side, in /etc/config/network:
config 'interface' 'ath0'
    option 'ifname' 'ath0'
    option 'proto' 'static'
    option 'ipaddr' '10.130.1.3'
    option 'netmask' '255.255.255.0'
    option 'gateway' '10.130.1.1'
    option 'dns' '10.130.1.1'
1/ Get rid of the gateway setting. Setting up the gateway is the job of batmand. I suppose you copied the settings of the Mesh-Potato, right? The Mesh-Potato uses a fake gateway entry to make the Asterisk PBX happy. It didn't actually create harm, since batmand performs policy routing. But it may have added to confusion on your side.
The command
route -n
is not helpful when working with batmand. The route command is an outdated legacy from Linux 2.2 and older. Use the ip command instead to see the policy routing tables.
ip r ls table all
will list all tables.
2/ Are you really running a DNS server / DNS forwarder on 10.130.1.1? When testing Internet access, I prefer to ping an IP first, to rule out DNS issues. Something easy to remember like 8.8.8.8. That IP is also a reliable public DNS server. If you don't need to resolve local IPs, a public DNS server setting like 141.1.1.1 or 8.8.8.8 will work reliably.
3/ With regards to the firewall - you don't need it. At least not for testing. My recommendation is to stop the firewall until you get the system running as expected and then enable the firewall again. If the system breaks after enabling the firewall, you know where to look.
So, a simple
iptables -F
on the client side will save you additional headaches. That change is not permanent, so it only stops the firewall until you reboot. You can do this in all the clients.
On the gateway side you need just one simple firewall setting:
iptables -F
iptables -t nat -A POSTROUTING -o eth0.1 -j MASQUERADE
(I am assuming that you have the uplink connected to the WAN port of the Asus)
The advanced way to set up the batmand gateway is to set up routing in the subnet gateway (that's where the WAN port of the batmand gateway gets its DHCP lease from) and eliminate NAT here. This way you can eliminate the need to apply several layers of NAT everywhere. But this is causing additional challenges so I won't cover it for now.
I added also a registration to iptable (on the gateway and on the client the same)
iptables -t nat -I POSTROUTING -o gate0 -j MASQUERADE
Don't.
So, nodes can see each other, and the gateway is broadcasting (client can see it). I can ping from gateway to client by tunnel -> ping 169.254.0.0 but I can't ping from client to gateway -> ping 169.254.0.0 , what's wrong?
ping 10.130.1.X or 192.168.X.X instead.
Unfortunately, I can't get internet too.
You will be there in no time ;)
Cheers, Elektra
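As an added example (not part of Elektra's mail and not batmand's own tooling), the small Python parser below takes the output of `ip r ls table all`, groups the routes by policy table and flags a default route sitting in table main, which is the only table `route -n` shows and, on a client, is usually the leftover static 'gateway' option from /etc/config/network that point 1 above says to remove. The sample dump is constructed for illustration: the interface names, table ids and addresses in it are assumptions, not a statement of what batmand actually installs.

```python
"""Group `ip route show table all` output by policy table and flag a stale
default route in table main.  Added example for this mail, not batmand's own
tooling.  SAMPLE_IP_ROUTE_ALL is constructed: interface names, table ids and
addresses are illustrative, not a claim about what batmand really installs."""
import re
from collections import defaultdict

# Constructed sample of `ip route show table all` on a batmand client node.
# Lines without a "table" word belong to table main (the only table `route -n`
# shows).  The 'default via 10.130.1.1 dev ath0' line in main is what a static
# 'gateway' option in /etc/config/network would leave behind.
SAMPLE_IP_ROUTE_ALL = """\
default via 169.254.0.1 dev gate0  table 66
10.130.2.0/24 via 10.130.1.1 dev ath0  table 65
10.130.1.0/24 dev ath0  proto kernel  scope link  src 10.130.1.3
default via 10.130.1.1 dev ath0
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.1
local 10.130.1.3 dev ath0  table local  proto kernel  scope host  src 10.130.1.3
broadcast 10.130.1.255 dev ath0  table local  proto kernel  scope link  src 10.130.1.3
"""

# Route types iproute2 prints in front of the destination (unicast is implicit).
ROUTE_TYPES = ("unicast", "local", "broadcast", "multicast", "throw",
               "unreachable", "prohibit", "blackhole", "anycast", "nat")

ROUTE_RE = re.compile(
    r"^(?:(?P<type>" + "|".join(ROUTE_TYPES) + r") )?"
    r"(?P<dst>\S+)"
    r"(?: via (?P<via>\S+))?"
    r"(?: dev (?P<dev>\S+))?"
)
TABLE_RE = re.compile(r"\btable (?P<table>\S+)")


def parse_routes(text):
    """Parse `ip route show table all` output into a list of route dicts.
    A route with no 'table' keyword is in table main."""
    routes = []
    for raw in text.splitlines():
        line = " ".join(raw.split())      # collapse iproute2's double spaces
        if not line:
            continue
        m = ROUTE_RE.match(line)
        if not m:
            continue
        t = TABLE_RE.search(line)
        routes.append({
            "type": m.group("type") or "unicast",
            "dst": m.group("dst"),
            "via": m.group("via"),
            "dev": m.group("dev"),
            "table": t.group("table") if t else "main",
        })
    return routes


def routes_by_table(routes):
    """Group routes by table id/name, e.g. {'main': [...], '66': [...]}."""
    grouped = defaultdict(list)
    for r in routes:
        grouped[r["table"]].append(r)
    return dict(grouped)


def route_n_view(routes):
    """What `route -n` would show: unicast routes from table main only."""
    return [r for r in routes if r["table"] == "main" and r["type"] == "unicast"]


def default_routes(routes):
    """Every default route as (table, via, dev)."""
    return [(r["table"], r["via"], r["dev"]) for r in routes if r["dst"] == "default"]


def stale_main_defaults(routes):
    """Default routes in table main.  On a batmand client these usually come
    from a static 'gateway' option, not from the gateway batmand selected."""
    return [(r["via"], r["dev"]) for r in routes
            if r["dst"] == "default" and r["table"] == "main"]


def report(text):
    """Human-readable summary for a pasted `ip r ls table all` dump."""
    routes = parse_routes(text)
    lines = []
    for table, rs in sorted(routes_by_table(routes).items()):
        lines.append("table %s: %d route(s)" % (table, len(rs)))
        for r in rs:
            lines.append("  %s %s via %s dev %s" % (r["type"], r["dst"], r["via"], r["dev"]))
    for via, dev in stale_main_defaults(routes):
        lines.append("WARNING: default via %s dev %s sits in table main; "
                     "check /etc/config/network for a 'gateway' option" % (via, dev))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_IP_ROUTE_ALL))
```

Paste a real dump in place of the constructed sample: the route-type handling covers the local/broadcast entries of the local table and the unreachable/throw entries policy routing daemons commonly add, and `route_n_view` makes it obvious why `route -n` never shows the route through the gate0 tunnel.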