How to properly configure subnet static routing and NAT offload / avoid double NAT for wireless clients

Hi,

I have the following setup:

Goal: define a static route to the 192.168.4.0/24 subnet, and offload NAT to/from clients in 192.168.4.0/24 from the LEDE router to the dir636l gateway router.

What I managed to achieve:

  • Client 192.168.4.203 can access internet.
  • Client 192.168.4.203 can access 192.168.1.1 but none of the other hosts on 192.168.1.0/24
  • LEDE router on 192.168.4.1 can ping client on 192.168.4.203.

What I did:

  • On dir636l I created a static route as follows:
# ip route
XXX via XXX dev eth2.2
XXX via XXX dev eth2.2
192.168.4.0/24 via 192.168.1.134 dev br0  metric 1
192.168.1.0/24 dev br0  src 192.168.1.1
XXX/22 dev eth2.2  src XXX
default via XXX dev eth2.2
  • On dir636l I added a rule in the nat table for 192.168.4.0/24:

iptables -t nat -A POSTROUTING -j MASQ_POST -s 192.168.4.0/24

  • On the LEDE router I have the following lan and wan config:
config interface 'lan'
        option type 'bridge'
        option ifname 'eth1.1 eth0.1'
        option proto 'static'
        option ipaddr '192.168.4.1'
        option gateway '192.168.1.1'
        option dns '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option proto 'static'
        option ipaddr '192.168.1.134'
        option netmask '255.255.255.0'
        option gateway '192.168.1.1'
  • On the LEDE router I changed the following firewall rules (the 5 GHz wlan interface is bridged to wan):
config zone
        option name             wan
        list   network          'wan'
        list   network          'wan6'
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT
        option masq             0
        option mtu_fix          1
  • I can confirm that NAT is done on dir636l by looking at /proc/net/nf_conntrack:
    On the LEDE router

ipv4 2 icmp 1 29 src=192.168.4.203 dst=172.217.3.206 type=8 code=0 id=1 packets=65 bytes=3900 src=172.217.3.206 dst=192.168.4.203 type=0 code=0 id=1 packets=65 bytes=3900 mark=0 zone=0 use=2

On dir636l

ipv4 2 icmp 1 29 src=192.168.4.203 dst=172.217.3.206 type=8 code=0 id=1 src=172.217.3.206 dst=my.public.ip type=0 code=0 id=1 mark=0 use=2

Again, my issue right now is:

  • 192.168.4.203 cannot see other hosts on 192.168.1.0/24 except 192.168.1.1 the gateway router

I hope this also serves as a reference for people looking to do subnet static routing and NAT offload.

Thanks for your help!

I managed to get 192.168.1.1 (gateway router) to ping 192.168.4.203 directly by adding this to the LEDE router firewall:

config forwarding
        option src              wan
        option dest             lan

Still, 192.168.4.203 cannot access other hosts on 192.168.1.0/24.

Update:
192.168.1.132 can ping 192.168.4.203, however 192.168.4.203 still cannot ping 192.168.1.132.
Checked the forward table, nothing is getting dropped/rejected.

Another update:

On 192.168.1.132, the wireless AP, I added the following static route:

ip route add 192.168.4.0/24 via 192.168.1.134

Now 192.168.4.203 can ping and access 192.168.1.132 directly. What is wrong with my setup? It seems like when 192.168.1.132 sees a packet from 192.168.4.203 to itself, it accepts the packet but has no gateway information about how to send the packet back to 192.168.4.203. Instead of sending it to 192.168.1.1 for routing, it just drops/ignores the packet?

Without the static route on the AP, the routing is asymmetric: LEDE sends packets directly to the AP, but the reverse path is via 192.168.1.1. Asymmetric routing and stateful firewalls are not a good match. The result may be dropped packets. It's often better to connect a LAN to one router only and use another network for connections between routers. By not having a direct connection between LEDE and the AP you force all traffic between them to pass 192.168.1.1, and the result is symmetric routing.

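The asymmetric path described in the reply above can be traced from the routing tables posted in this thread. The Python below is an added example written for this page, not code from the thread or from LEDE: it reconstructs the tables of the client, the LEDE router, the dir636l gateway and the AP (the gateway's WAN entries, shown as XXX above, are left out), does a longest-prefix-match lookup hop by hop the way a kernel FIB would, and reports which nodes see only one direction of a flow. The node names and the functions `routing_tables`, `trace` and `half_visible_nodes` are names chosen here; the tables are a constructed reconstruction of what the posts show.

```python
"""Trace forward and return paths between the hosts in the thread and flag
nodes that see only one direction of a flow (constructed example)."""
import ipaddress

# IP -> node that owns it. Stands in for ARP: a directly connected route can
# only deliver to an address that some node on that segment owns.
OWNERS = {
    "192.168.4.203": "client",   # wireless client behind LEDE
    "192.168.4.1": "lede",       # LEDE lan side
    "192.168.1.134": "lede",     # LEDE wan side (on the 192.168.1.0/24 segment)
    "192.168.1.1": "gateway",    # dir636l
    "192.168.1.132": "ap",       # wireless AP
}


def _table(*entries):
    """Build a routing table from (prefix, next_hop) pairs.
    next_hop None means the prefix is directly connected."""
    return [(ipaddress.ip_network(p), nh) for p, nh in entries]


def routing_tables(ap_has_static_route):
    """Routing tables reconstructed from the thread. Gateway WAN routes omitted."""
    tables = {
        "client": _table(("192.168.4.0/24", None), ("0.0.0.0/0", "192.168.4.1")),
        "lede": _table(("192.168.4.0/24", None), ("192.168.1.0/24", None),
                       ("0.0.0.0/0", "192.168.1.1")),
        "gateway": _table(("192.168.4.0/24", "192.168.1.134"),
                          ("192.168.1.0/24", None)),
        "ap": _table(("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.1")),
    }
    if ap_has_static_route:
        # "ip route add 192.168.4.0/24 via 192.168.1.134" from the last update
        tables["ap"].append((ipaddress.ip_network("192.168.4.0/24"), "192.168.1.134"))
    return tables


def lookup(table, dst):
    """Longest-prefix match: the most specific route wins, as in the kernel FIB."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, nh) for net, nh in table if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)


def trace(tables, src, dst, max_hops=8):
    """Return the list of nodes a packet from src to dst passes through."""
    node = OWNERS[src]
    path = [node]
    for _ in range(max_hops):
        if OWNERS.get(dst) == node:
            return path
        route = lookup(tables[node], dst)
        if route is None:
            raise RuntimeError(f"{node}: no route to {dst}")
        _net, next_hop = route
        # Connected route: hand the packet to the destination itself;
        # otherwise to the configured next hop.
        hop_ip = dst if next_hop is None else next_hop
        if hop_ip not in OWNERS:
            raise RuntimeError(f"{node}: next hop {hop_ip} is not on-link")
        node = OWNERS[hop_ip]
        path.append(node)
    raise RuntimeError("hop limit exceeded, probable routing loop")


def half_visible_nodes(tables, a, b):
    """Nodes that are on the a->b path or the b->a path but not both.
    A stateful firewall on such a node sees only one direction of the flow
    and may drop the half it sees as a new, unsolicited connection."""
    fwd = trace(tables, a, b)
    rev = trace(tables, b, a)
    return sorted(set(fwd) ^ set(rev)), fwd, rev


if __name__ == "__main__":
    for has_route in (False, True):
        odd, fwd, rev = half_visible_nodes(routing_tables(has_route),
                                           "192.168.4.203", "192.168.1.132")
        print(f"AP static route: {has_route}")
        print("  client -> ap :", " -> ".join(fwd))
        print("  ap -> client :", " -> ".join(rev))
        print("  sees one direction only:", odd or "none")
```

Without the AP route the forward path is client, lede, ap while the return path is ap, gateway, lede, client, so the gateway's conntrack only ever sees echo replies for that flow; with the route both directions are client, lede, ap and no box sees half a connection. Gateway-to-client traffic is symmetric in both cases, which matches the thread's observation that the gateway could ping the client once the wan-to-lan forwarding was allowed.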

I guess I should look into some dynamic routing protocol. Any recommendations on which routing protocol may be suitable for this task to get me started?

Thanks

I use babel since it supports source specific routing which is necessary when you use multiple IPv6 WAN at home. (Multiple Hurricane Electric tunnels in my case.) I have also used OSPF/OSPFv3 which are good alternatives if you don't use IPv6 or don't need source specific routing. They are more widely supported on other platforms than babel.