About NAT and Routing rules for VPN

Installing and Using OpenWrt Network and Wireless Configuration
1

Hello everyone
I have 3 sites connected to each other:
lan1 192.168.1.1/27 ROUTEa 1.1.1.1(pppoe-wan)------3.3.3.3 ROUTEc 172.27.7.1/24-lan3

                                    |------2.2.2.2 ROUTEb 192.168.100.1/28  (the wan_ip is a dhcp of isp)-lan2

The lan1 can ping lan2 and lan3 ,routea and routeb is openwrt.

conf:
root@UBNT:~# ipsec status

Security Associations (2 up, 0 connecting):

        b[50]: ESTABLISHED 16 minutes ago, 1.1.1.1[@rightid]...2.2.2.2[@leftid]
        b{194}:  INSTALLED, TUNNEL, reqid 50, ESP in UDP SPIs: c19823cd_i ccb5d18e_o
        b{194}:   192.168.1.0/27 === 192.168.100.0/28

       a[49]: ESTABLISHED 19 minutes ago, 1.1.1.1[@rightid]...3.3.3.3[@leftid]
       a{193}:  INSTALLED, TUNNEL, reqid 49, ESP in UDP SPIs: c2933a82_i c7494696_o
       a{193}:   192.168.1.0/27 === 172.27.7.0/24

In the case
Can I let lan1 access the internet through 2.2.2.2?

I am add the rule in firewall(routea),but traceroute 8.8.8.8 did not through the 2.2.2.2 line.

 iptables -t nat -A postrouting_wan_rule -s 192.168.1.0/27 -d 8.8.8.8 -m policy --dir out --pol ipsec -j ACCEPT
 iptables   -A FORWARD -s 192.168.1.0/27 -d 8.8.8.8 -m policy --dir out --pol ipsec -j ACCEPT

Could you help me.

2
  • Those are firewall rules, did you make a route (to 8.8.8.8, or 0.0.0.0/0)?
  • Where are LANs 1, 2 and 3!?!?
  • There is so much missing above to actually help you.
  • Sure, if you route and firewall it properly.
3

sorry, i am use ip replace lan_name
192.168.1.0 is lan1
192.168.100.0 is lan2
172.27.7.0 is lan3

other info:
2.2.2.2 have a domain of ddns

and i don't know how to make a route table because the 1.1.1.1 is a dynamic ip :blush:

thanks

4
6

If your problem is solved, feel free to mark the relevant post as the solution; and edit the title to add "[SOLVED]" to the beginning (click the pencil behind the topic).

grafik

7

the routea ip is

br-lan

       Link encap:Ethernet  HWaddr 78:8B:20:6F:76:E8
      inet addr:192.168.1.1  Bcast:192.168.1.31  Mask:255.255.255.224
      inet6 addr: fe80::7a8a:20ff:fe0b:76c8/64 Scope:Link
      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
      RX packets:133862 errors:0 dropped:0 overruns:0 frame:0
      TX packets:147730 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:1000
      RX bytes:16392734 (15.6 MiB)  TX bytes:105873339 (100.9 MiB)

pppoe-wan

      Link encap:Point-to-Point Protocol
      inet addr:1.1.1.1  P-t-P:1.1.1.2  Mask:255.255.255.255
      inet6 addr: fe80::fcc6:7fbe:6e1f:82c8/10 Scope:Link
      UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
      RX packets:139822 errors:0 dropped:0 overruns:0 frame:0
      TX packets:126301 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:3
      RX bytes:105131865 (100.2 MiB)  TX bytes:18051118 (17.2 MiB)

How to make a route make let 192.168.1.2 go out from 2.2.2.2?

8

:confused:

# in /etc/config/network
config route
	option interface 'pppoe-wan' # this assumes it's the name used in this file
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option gateway '192.168.1.1'

I think you need to see this:

9

You don't need to use the dynamic IP that the provider assigns you to create a static route. You have VPNs amonge 3 points.
On RouteA make a source route to send the desired source traffic to the VPN IP of RouteB that has the 2.2.2.2 gateway.

10

I understand what you mean.
and i am execute the command

#ip rule add fwmark 1 table 210

#iptables -t mangle -I PREROUTING -d 8.8.8.8 -j MARK --set-mark 1

however,how to add the source traffic to the VPN IP of RouteB ?
Can you give me an example?

 #ip route add 8.8.8.8 via ?? dev ?? table 210
11

Involving iptables' mangle is a bit overkill, you can do it all in one rule.

config rule
option dest 8.8.8.8/32
option lookup 210

Regarding the route, you need something like

ip route add default via XXX.XXX.XXX.XXX

Where XXX.XXX.XXX.XXX is the IP address of the tunnel interface on Router that has the 2.2.2.2.

1 Like
12

I am tried do it but output error

   root@UBNT:~# ip route add default via 192.168.100.1 table 210
   Error: Nexthop has invalid gateway.
13

What does ip -4 ro give?

14

(ROUTEa)
root@UBNT:~# ip -4 ro

 default via 172.26.128.1 dev pppoe-wan proto static
 1.1.1.2 dev pppoe-wan proto kernel scope link src 1.1.1.1
 192.168.1.0/27 dev br-lan proto kernel scope link src 192.168.1.1
15

Nothing there, post also these:
ip -4 ru and cat /etc/iproute2/rt_tables
/etc/config/ipsec or /etc/ipsec.d/* or whatever config you have done for ipsec.

Last the /etc/config/firewall

17

ROUTEa for
'---------------------------------------------------------------------------

root@UBNT:~# ip -4 ru
0: from all lookup local
210: from all fwmark 0x1 lookup 210
32766: from all lookup main
32767: from all lookup default
'---------------------------------------------------------------------------

root@UBNT:~# cat /etc/iproute2/rt_tables

reserved values

128 prelocal
255 local
254 main
253 default
0 unspec

local

#1 inr.ruhep
'---------------------------------------------------------------------------

root@UBNT:~# cat /etc/ipsec.conf

ipsec.conf - strongSwan IPsec configuration file

config setup

conn %default
left=%defaultroute
leftsubnet=192.168.1.0/27
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
ike=****
auto=start

conn b
leftcert=ubnt1.cer
leftid=ubnt@domain.ddnss.de
leftfirewall=yes
right=domain.ddnss.de
rightid=domain.ddnss.de
rightsubnet=192.168.100.0/28
mark=1
'---------------------------------------------------------------------------

root@UBNT:~# ll /etc/ipsec.d/*

/etc/ipsec.d/aacerts:
drwxr-xr-x 2 root root 160 Nov 17 23:31 ./
drwxr-xr-x 10 root root 680 Nov 27 19:34 ../
/etc/ipsec.d/acerts:
drwxr-xr-x 2 root root 160 Nov 17 23:31 ./
drwxr-xr-x 10 root root 680 Nov 27 19:34 ../
/etc/ipsec.d/cacerts:
drwxr-xr-x 2 root root 296 Jan 20 13:57 ./
drwxr-xr-x 10 root root 680 Nov 27 19:34 ../
-rw-r--r-- 1 root root 761 Aug 28 22:49 ca.cer
-rw-r--r-- 1 root root 774 Jan 19 20:34 linkca.cer
/etc/ipsec.d/certs:
drwxr-xr-x 2 root root 304 Jan 20 13:58 ./
drwxr-xr-x 10 root root 680 Nov 27 19:34 ../
-rw-r--r-- 1 root root 766 Sep 9 21:42 ubnt.cer
-rw-r--r-- 1 root root 874 Jan 19 20:34 ubnt1.cer
/etc/ipsec.d/crls:
drwxr-xr-x 2 root root 160 Nov 17 23:31 ./
drwxr-xr-x 10 root root 680 Nov 27 19:34 ../
/etc/ipsec.d/ocspcerts:
drwxr-xr-x 2 root root 160 Nov 17 23:31 ./
drwxr-xr-x 10 root root 680 Nov 27 19:34 ../
/etc/ipsec.d/private:
drwxr-xr-x 2 root root 312 Jan 20 13:58 ./
drwxr-xr-x 10 root root 680 Nov 27 19:34 ../
-rw-r--r-- 1 root root 1192 Jan 19 20:33 domain_ubntkey.der
-rw-r--r-- 1 root root 1193 Sep 9 22:23 ubntkey.der
/etc/ipsec.d/reqs:
drwxr-xr-x 2 root root 160 Nov 17 23:31 ./
drwxr-xr-x 10 root root 680 Nov 27 19:34 ../
'---------------------------------------------------------------------------
root@UBNT:~# cat /etc/config/firewall

config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option drop_invalid '1'

config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'

config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
option enabled '0'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'

config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

config include
option path '/etc/firewall.user'

config forwarding
option dest 'wan'
option src 'lan'

root@UBNT:~#

Thank you

18

Did you try to set the rightsubnet to 0.0.0.0/0?
https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling#Split-Tunneling-with-IKEv2

19

@skveen
Please use "Preformatted text </>" for logs, scripts, configs and general console output.
grafik

Please edit your posting accordingly. Thanks.

1 Like