I have OpenWrt v18.06.5, r7897-9d401013fc loaded on the Netgear R7800. This router does a standard (out of the box) NAT between a 192.168.0.1/24 LAN (on eth1 ) and one public IP 140.82.118.4 (on eth2 ). The router has the iptables-mod-tee module loaded and running.
My goal is to monitor the traffic going OUT of the interface eth2 to the WAN. The monitoring is to be done by a computer running "Wireshark", which is located on the LAN (at 192.168.0.3 ).
For example when I ping 8.8.8.8 from another computer on the LAN (e.g. from 192.168.0.2 ), I expect to see an IP/ICMP Echo request, that has ip.src == 140.82.118.4 and ip.dst == 8.8.8.8 going out on the eth2 interface to the WAN.
I am using the following command to modify the iptables to send the cloned packets to the host running the "Wireshark": iptables -t mangle -A POSTROUTING -o eth2 -j TEE --gateway 192.168.0.3
It works but "Wireshark" displays the IP/ICMP Echo request with ip.src == 192.168.0.2 and ip.dst == 8.8.8.8 ...which is wrong, because the ip.src looks like it would be before it is NAT'ed !!!
The ip.src should be 140.82.118.4 which is the IP of my public WAN interface... because if it wasn't, then the 8.8.8.8 host would not know where to send the ICMP Echo reply to, however the ping command is getting ICMP Echo replies from the 8.8.8.8 host (as it should).
Why is this happening and how to correct it ?
P.S.
Also, where is the documentation how the POSTROUTING and the -o options work ?
@mindwolf
I am not using tcpdump. I am using iptables-mod-tee.
Please take a look at the diagram - I am capturing the cloned packets on a LAN host (at 192.168.0.3) which is running "Wireshark".
I saw that, but was wondering if you did a live capture on your router first, then analyzed it on your computer. If capturing from the lan behind the router, I would venture to say you would not see the external ip address but the local ip instead. Thus you didn't cross the bridge...PUN INTENDED
I did try using tcpdump and it works as expected, namely it shows ip.src == 140.82.118.4.
However using tcpdump on the router does not satisfy my real-time monitoring needs, as I will have custom software doing this analysis on the LAN host (at 192.168.0.3).
Why?
When I look at the iptables diagram (attached below) then it seems that the "mangle table" with "POSTROUTING chain" would have the ip.src already translated to the IP of the eth2 (wan IP 140.82.118.4) because it is after the "filter table" with the "FORWARD chain" and after the "NAT table" with the "OUTPUT chain".
Only the "NAT table" with the "POSTROUTING chain" is closer to the outbound WAN interface (eth2) than the "mangle table"...but can iptables-mod-tee do the packet cloning there ?
Yes, the MASQUERADE target in the nat:POSTROUTING chain was the problem.
I have found a solution to cloning / monitoring the snat'ed outbound traffic on the WAN interface (eth2) with the TEE (iptables-mod-tee) ...if anyone is interested.
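The thread's diagnosis (the TEE copy is taken in mangle:POSTROUTING, which a forwarded packet passes through before nat:POSTROUTING, where MASQUERADE rewrites the source) can be reproduced without a router. The following is an added example, not code from the thread or from OpenWrt: it walks a LAN-to-WAN packet through the netfilter chains in their documented order, takes a copy wherever a TEE rule matches, applies MASQUERADE/SNAT as "replace the source with the WAN address", and also audits an iptables-save style dump for exactly this TEE-before-NAT combination. The parser is deliberately minimal (it only reads `*table`, `-A chain`, `-o`, `-j` and `--gateway`), the WAN address is passed in rather than discovered, and the dump is a constructed sample mirroring the rule posted above. The fix the last post refers to is not shown in the thread, so nothing here claims to be it.

```python
"""Added example (not from the OpenWrt thread): model why a TEE rule in
mangle:POSTROUTING copies packets before MASQUERADE in nat:POSTROUTING
rewrites the source address, and audit an iptables-save dump for that
combination.  The chain order is the netfilter hook order for forwarded
packets; the sample dump is constructed, not taken from a real router."""
import shlex
from dataclasses import dataclass, replace
from typing import Optional

# Tables/chains a forwarded (LAN -> WAN) packet traverses, in kernel order.
FORWARD_PATH = [
    ("mangle", "PREROUTING"), ("nat", "PREROUTING"),
    ("mangle", "FORWARD"), ("filter", "FORWARD"),
    ("mangle", "POSTROUTING"), ("nat", "POSTROUTING"),
]

# Constructed sample mirroring the thread's TEE rule plus the default masquerade.
SAMPLE_DUMP = """\
# constructed sample, not a real iptables-save
*mangle
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth2 -j TEE --gateway 192.168.0.3
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth2 -j MASQUERADE
COMMIT
"""


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    out_if: str


@dataclass(frozen=True)
class Rule:
    table: str
    chain: str
    target: str
    out_if: Optional[str] = None
    gateway: Optional[str] = None


def _opt(toks: list, flag: str) -> Optional[str]:
    """Value following an option flag, or None if the flag is absent."""
    return toks[toks.index(flag) + 1] if flag in toks else None


def parse_iptables_save(dump: str) -> list:
    """Minimal iptables-save parser: tracks '*table' and '-A chain ... -j target' lines."""
    rules, table = [], None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A ") and table:
            toks = shlex.split(line)
            rules.append(Rule(table, toks[1], _opt(toks, "-j"),
                              _opt(toks, "-o"), _opt(toks, "--gateway")))
    return rules


def simulate_forward(pkt: Packet, rules: list, wan_ip: str):
    """Walk pkt through FORWARD_PATH; return (packet as sent, list of (hook, TEE copy))."""
    copies = []
    for table, chain in FORWARD_PATH:
        for r in rules:
            if (r.table, r.chain) != (table, chain):
                continue
            if r.out_if and r.out_if != pkt.out_if:  # '-o' match
                continue
            if r.target == "TEE":
                # TEE clones the packet as it looks at this hook; the clone goes to --gateway
                copies.append((f"{table}:{chain}", pkt))
            elif r.target in ("MASQUERADE", "SNAT"):
                # Modelled as: source becomes the outgoing interface's address
                pkt = replace(pkt, src=wan_ip)
    return pkt, copies


def audit_tee_before_nat(rules: list) -> list:
    """Flag TEE rules in mangle:POSTROUTING on an interface that nat:POSTROUTING also source-NATs."""
    natted = {r.out_if for r in rules
              if (r.table, r.chain) == ("nat", "POSTROUTING")
              and r.target in ("MASQUERADE", "SNAT")}
    return [f"TEE on {r.out_if} -> {r.gateway} runs before SNAT; copies carry the pre-NAT source"
            for r in rules
            if (r.table, r.chain) == ("mangle", "POSTROUTING")
            and r.target == "TEE" and r.out_if in natted]


if __name__ == "__main__":
    rules = parse_iptables_save(SAMPLE_DUMP)
    sent, copies = simulate_forward(Packet("192.168.0.2", "8.8.8.8", "eth2"), rules, "140.82.118.4")
    for hook, c in copies:
        print(f"copy taken at {hook}: src={c.src} dst={c.dst}")
    print(f"packet on the wire: src={sent.src} dst={sent.dst}")
    for w in audit_tee_before_nat(rules):
        print("warning:", w)
```

Running it prints a copy with `src=192.168.0.2` taken at `mangle:POSTROUTING` and the packet on the wire with `src=140.82.118.4`, which is exactly what the Wireshark host and tcpdump on the router respectively saw. The audit function is the reusable part: run it over a real `iptables-save` output to spot any TEE rule whose copies will carry pre-NAT addresses.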