How to make DST-NAT to another subnet behind openwrt?

on "openwrt-01", the L3 tunnel is extended to "openwrt-02", 1: the end of the tunnel has the address 192.168.160.9/24, 2: the end of the tunnel has the address 192.168.160.10/24.
On "openwrt-01" I ping 192.168.0.30, ping is available. 192.168.0.30 is behind "openwrt-02"
What are the options?

Is NAT required?

# on openwrt-01 in  /etc/config/network

config route
        option target '192.168.0.30'
        option netmask '255.255.255.255'
        option interface 'foo'
  • it seems you didn't understand me, the fact is that openwrt-01 and openwrt-02 are connected by an L3 tunnel (for example wireguard), on openwrt-01 I do something like "iptables -t nat -A PREROUTING -p tcp --dport 22 -d external IP -j DNAT --to 192.168.0.30:22", but for some reason it doesn't connect to ssh located on 192.168.0.30.

I did understand you - I have a similar setup. What I don't understand is why you made the iptables NAT rule, or why it's needed. Can you explain fruther?

1 Like
  • NAT on openwrt-01 is necessary in any case, without it it will not be possible to make a port forwarding, this is if we are talking about "iptables -t nat -A PREROUTING -p tcp --dport 22 -d external IP -j DNAT --to 192.168.0.30:22"
    I log in to the ssh server via the external address "openwrt-01"
    But for some reason he can't log in, even though the port forward on "openwrt-01"

Options to route port forwarding replies over the WAN of R1:

  • Enable masquerading on the VPN zone for R1.
  • Configure PBR on R2 for the target host.
2 Likes

I found on the Internet: "/ip firewall manipulates adding an action=mark the connection chain=pre-routing comment="routing via R1" connection status=new in the interface=tunnel_do_r1 new-connection-mark=con-R1 passthrough=no src
address=!192.168.0.0/16
/changing the ip firewall add action=mark-routing chain=pre-connection-mark=con-R1 dst address=!192.168.0.0/16 new-routing-mark=via-R1 passthrough=no

/ip route add comment="default route via R1" gateway=10.0.1.1 routing-mark=via-R1" - only the commands did not fit on openwrt-02.

OpenWrt specific instructions for the second method:

uci -q delete firewall.ssh_vpn
uci set firewall.ssh_vpn="rule"
uci set firewall.ssh_vpn.name="Mark-SSH"
uci set firewall.ssh_vpn.src="lan"
uci set firewall.ssh_vpn.src_ip="192.168.0.30"
uci set firewall.ssh_vpn.src_port="22"
uci set firewall.ssh_vpn.dest="*"
uci set firewall.ssh_vpn.proto="tcp"
uci set firewall.ssh_vpn.set_mark="0x1"
uci set firewall.ssh_vpn.target="MARK"
uci commit firewall
/etc/init.d/firewall restart
uci set network.@wireguard_vpn[0].route_allowed_ips="1"
uci -q delete network.@wireguard_vpn[0].allowed_ips
uci add_list network.@wireguard_vpn[0].allowed_ips="0.0.0.0/0"
uci set network.lan.ip4table="1"
uci set network.vpn.ip4table="2"
uci -q delete network.ssh_vpn
uci set network.ssh_vpn="rule"
uci set network.ssh_vpn.in="lan"
uci set network.ssh_vpn.mark="1"
uci set network.ssh_vpn.lookup="2"
uci set network.ssh_vpn.priority="30000"
uci commit network
/etc/init.d/network restart
1 Like

Theory: When 192.168.0.30 receives a response from "openwrt-01", it starts accessing "openwrt-02", but because "openwrt-02" does not understand that it is necessary to send packets back to the L3 tunnel, and not through the wan interface, so an attempt to connect via ssh to 192.168.0.30 falls out with an error. That is, the outgoing response was not received from "openwrt-01", because "openwrt-02" did not forward this response to "openwrt-01".
In "KiTTY" I enter an external IP (address "openwrt-01")+port 22, then "openwrt-01" redirects port 22 to 192.168.0.30.

1 Like

That's basically a fact, and you have at least 2 ways to solve the issue.

2 Likes
  • Configure PBR on R2 for the target host. - need to do in "openwrt-02" to try to solve the problem?

It's going to be simpler to answer with some idea of what you're actual configs are.

Please copy the output of the following commands from both routers and post it here using the "Preformatted text </> " button:
grafik
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall
2 Likes

Yes, but depending on your configuration, the above code may require some adjustment.

1 Like