Double NAT: ping from the first router to a device on the second router

Hello !
I have Raspi-OpenWRT as the first router from ISP, and Fritzbox4020-OpenWRT as the router behind it (hooked on 192.168.1.0 net). FB's address on the WAN side is 192.168.1.101. I have a Raspi2 (PiOS) hooked on FB in the net 192.168.10.0, and its address is 192.168.10.30.
ISP--RP.OpenWRT--FB--raspi2.

I am having difficulties in making things on Raspi2 accessible from RP-Openwrt. I am trying in small steps.

First: I want to ping raspi2 from 192.168.1.0 of RP-Openwrt.
On raspi-Openwrt I set:

config route
	option interface 'lan'
	option target '192.168.10.0'
	option netmask '255.255.255.0'
	option gateway '192.168.1.101'

Note that lan's subnet is 192.168.1.0.

And on FB I set

config rule
	option name 'ping from wan'
	list proto 'icmp'
	option src 'wan'
	option dest 'lan'
	option target 'ACCEPT'
	list dest_ip '192.168.10.30'

And now, my PC is 192.168.1.205 on raspi-openwrt, I type
ping 192.168.10.30

but it doesn't go through!

I had a similar problem earlier, I got help here, and I thought I understood it, but it seems I'm not quite there. I am sorry for asking the same question, could you please help?

You have to disable the masquerading to that particular IP address or the entire subnet in the FB's wan zone.

uci add_list firewall.@zone[1].masq_dest="!192.168.1.205/32"
uci commit firewall
fw3 restart

Thank you for your reply! I tried, but it didn't work. As I had a similar problem with another device on FB, I was able to browse the GUI of it from my PC in the end, and disabling the masquerading was not among the things I had to do....

Does the raspi2 have any kind of firewall?
Set up a packet capture on FB4020:

opkg update; opkg install tcpdump; tcpdump -i any -evn host 192.168.10.30

Try a few pings, stop the capture with Ctrl-C, and post the results here.

Just did:


20:37:56.124690  In e4:5f:01:46:51:xx ethertype IPv4 (0x0800), length 100: (tos 0x0, ttl 63, id 57587, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.1.205 > 192.168.10.30: ICMP echo request, id 35011, seq 0, length 64
20:37:56.124857 Out 4a:ba:a7:a5:8c:yy ethertype IPv4 (0x0800), length 100: (tos 0x0, ttl 62, id 57587, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.1.205 > 192.168.10.30: ICMP echo request, id 35011, seq 0, length 64
20:37:56.124880 Out 4a:ba:a7:a5:8c:yy ethertype IPv4 (0x0800), length 100: (tos 0x0, ttl 62, id 57587, offset 0, flags [none], proto ICMP (1), length 84)

This combination repeats: once with MAC address xx (address of RP.Openwrt), then twice with address yy.... I don't know what this address is.... not my laptop, not FB, not raspi2.

As I started your command, before I pinged, there was a lot of this:

20:37:27.586617  In e4:5f:01:46:51:xx ethertype IPv4 (0x0800), length 80: (tos 0x0, ttl 63, id 23394, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.1.205.65303 > 192.168.10.30.8043: Flags [S], cksum 0x984a (correct), seq 659678802, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 1559660633 ecr 0,sackOK,eol], length 0
20:37:27.586752 Out 4a:ba:a7:a5:8c:yy ethertype IPv4 (0x0800), length 80: (tos 0x0, ttl 62, id 23394, offset 0, flags [DF], proto TCP (6), length 64)

This looks like my attempt trying to access Omada Controller on raspi2, but I wasn't doing anything right then, I wonder why it's there....
As for a firewall on raspi2, I don't think it has one: I did the so-called "basic installation", installed Docker, and Omada controller, nothing else.

Thanks a lot for checking my stuff !

Seems correct, run the same on raspi2 to verify that you receive the packets.
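
An added example, not part of the thread or any poster's code: a small Python parser for `tcpdump -i any -evn` output like the capture above, reporting per echo id/seq whether the router forwarded the request unchanged and whether a reply came back. The sample is constructed from the lines posted in the thread; the function names and verdict strings are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample, copied from the capture posted in the thread (MACs redacted there).
SAMPLE = """\
20:37:56.124690  In e4:5f:01:46:51:xx ethertype IPv4 (0x0800), length 100: (tos 0x0, ttl 63, id 57587, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.1.205 > 192.168.10.30: ICMP echo request, id 35011, seq 0, length 64
20:37:56.124857 Out 4a:ba:a7:a5:8c:yy ethertype IPv4 (0x0800), length 100: (tos 0x0, ttl 62, id 57587, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.1.205 > 192.168.10.30: ICMP echo request, id 35011, seq 0, length 64
"""

# Header line: timestamp, optionally an interface name, then the In/Out direction.
HEADER = re.compile(r"^\d\d:\d\d:\d\d\.\d+\s+(?:\S+\s+)?(In|Out)\s")
ICMP = re.compile(r"^\s+(\S+) > (\S+): ICMP echo (request|reply), id (\d+), seq (\d+)")

def summarize(capture):
    """Return {(id, seq): {(direction, kind, src), ...}} for ICMP echo packets."""
    seen = defaultdict(set)
    direction = None
    for line in capture.splitlines():
        h = HEADER.match(line)
        if h:
            direction = h.group(1)  # remember direction for the next line
            continue
        m = ICMP.match(line)
        if m and direction:
            src, _dst, kind, ident, seq = m.groups()
            seen[(int(ident), int(seq))].add((direction, kind, src))
        direction = None  # a truncated record never leaks into the next one
    return dict(seen)

def diagnose(events):
    """Turn the packets seen for one echo id/seq into a next troubleshooting step."""
    req_in = {s for d, k, s in events if (d, k) == ("In", "request")}
    req_out = {s for d, k, s in events if (d, k) == ("Out", "request")}
    reply_in = any(d == "In" and k == "reply" for d, k, _ in events)
    reply_out = any(d == "Out" and k == "reply" for d, k, _ in events)
    if not req_out:
        return "request not forwarded: check the router's forward rule and routes"
    if req_in and req_in != req_out:
        return "source rewritten on the way out: NAT is applied to the request"
    if not reply_in:
        return "forwarded, no reply: check the target's firewall and default gateway"
    if not reply_out:
        return "reply seen but not sent back: check the router's return route"
    return "echo request and reply both forwarded"

if __name__ == "__main__":
    for key, ev in summarize(SAMPLE).items(): print(key, diagnose(ev))
```

With `-i any` the same forwarded packet can be printed more than once on the Out side (for example on a bridge and on its member port), which is why events are collected as a set.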

Thank you for your hints! Now, in the course of trying to install tcpdump on raspi2, I realized that dhcpcd.conf had a few mistakes: I did something wrong with setting static router, DNS server etc, as I wanted to set a static IP for raspi2. I found this out because sudo apt update gave errors like Temporary failure resolving 'archive.raspberrypi.org'.

Another thing which might have been wrong is, I had wan and wanb set up for mwan3, but had disabled mwan3. Maybe the ICMP reply wanted to go to wanb?

I'm not sure which one of these was the cause of the failed ping, but now ping is working! Thank you very much for your help! I had never heard of tcpdump, now I learned something new again :)

Now, actually the whole business was about accessing the web GUI of Omada Controller on raspi2, ssh to raspi2 etc from the WAN side, and now it's all working :) Thanks a lot!!

I don't think so, there is a static route for that.
