Iptables NETMAP issues

I have to put only a PREROUTING rule, not a POSTROUTING one, because I must change the destination IP from subnet 10.8.1.0/24 to subnet 192.168.15.0/24 before the routing decision.

I had already tested the third example 3 days ago without success.

I will try to force the usage to POSTROUTING:

iptables -t nat -A POSTROUTING -s 192.168.16.0/24 -j DNETMAP --prefix 192.168.15.0/24
iptables -t nat -A PREROUTING -j DNETMAP

So with a route pushed to 192.168.16.0/24, I will try to send a ping request to 192.168.16.173 and see what happens.

Run a tcpdump as well and post it here to see what is going on.

With tcpdump, I see the request coming in on the tun0 interface, but there is no route on the router to route 192.168.16.1 to the br-lan interface.

On the br-lan interface there is no trace of the echo request...

What can I do? Should I try to put some static route, like 192.168.16.0 dev tun0 scope link src 192.168.15.1?

192.168.16.0/24 does not exist on the router.

In your case the 16.1 is source mapped to 15.1

I don't know what you are trying to achieve. I was under the impression that you knew what you wanted to do and you had trouble with the syntax of the command. Seems I was wrong, as you shouldn't be asking such things.

I just tried to use DNETMAP, but it seems not to be working on OpenWrt, so I use a DNAT rule that validates my needs.

I will just have to put a DNAT rule for each host I need to contact from the VPN users.

Chain PREROUTING (policy ACCEPT 295 packets, 78796 bytes)
num pkts bytes target prot opt in out source destination
1 5 284 DNETMAP all -- any any anywhere 192.168.16.0/24 -j DNETMAP --prefix 192.168.15.0/24
2 3 164 DNAT all -- any any anywhere 192.168.16.173 to:192.168.15.173

The DNETMAP entry is not working;
when I add a DNAT entry it works.

I am thinking about posting a bug report here:

I tried it in a test device and it works fine:

iptables -t nat -I POSTROUTING -s 10.0.3.0/24 -j DNETMAP --prefix 192.168.3.0/24
and the output from tcpdump -i any -vn icmp

11:44:15.453896 IP (tos 0x0, ttl 64, id 43031, offset 0, flags [DF], proto ICMP (1), length 84)
    10.0.3.100 > 1.1.1.1: ICMP echo request, id 13317, seq 10, length 64
11:44:15.454076 IP (tos 0x0, ttl 63, id 43031, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.3.0 > 1.1.1.1: ICMP echo request, id 13317, seq 10, length 64

Ingress packet has the original IP 10.0.3.100 and the egress packet has the new 192.168.3.0
If you add the rules at the bottom of the POSTROUTING or PREROUTING chains (the -A option) they will never be hit, since the zone_lan_prerouting is higher and will be preferred.

Thank you for your message,
I did this test again and it works, but the source address should change to 192.168.3.100 and not 192.168.3.0, I don't understand.

Also, I don't see how to simply use a POSTROUTING rule to meet my need.

I explain my case with an example:
Local Area Network A:
An OpenVPN server runs on the router with a lan address of 192.168.15.0/24.

Remote network B:
I'm on a remote network whose LAN is also 192.168.15.0/24.

From a PC on this remote network, I connect via OpenVPN to the router of network A which runs the VPN server.
My IP on the tun0 interface is the following: 10.8.0.2

I want to reach the host 192.168.15.173 on network A which is complicated because the addressing of the local and remote network is the same.
So I need to NAT the destination address of my ping request (192.168.16.173 -> 192.168.15.173 ).

So I use the following rule:

iptables -t nat -A PREROUTING -d 192.168.16.173/32 -j DNAT --to-destination 192.168.15.173

In this case if I send a ping to 192.168.16.173, the router will receive a ping request for the host: 192.168.15.173 from 10.8.0.2 before routing and then it will be able to forward it to the host and the host will be able to respond correctly too.

In order to have a universal solution, I thought I could replace DNAT with DNETMAP.
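The scenario above (a VPN client at 10.8.0.2 reaching 192.168.15.173 through the alias 192.168.16.173) and the observation earlier in the thread that DNETMAP turned 10.0.3.100 into 192.168.3.0 rather than 192.168.3.100 come down to two different kinds of address translation. The following added example, which is not from the thread or from any iptables or xtables-addons source, models both in plain Python so the difference is visible without touching netfilter: a static prefix translation that keeps the host bits (what a per-host DNAT rule achieves for one address, and what a whole-prefix rule would generalize to), and a dynamic pool that binds the first free post-NAT address to each new pre-NAT address until a TTL expires, which is the behaviour the DNETMAP manual text quoted later in the thread describes. All function and class names, the conntrack dictionary and the constructed timestamps are assumptions made for the example.

```python
"""Constructed model of static prefix translation versus dynamic pool binding.

This only reproduces the address arithmetic; it does not program the kernel.
"""
import ipaddress
from typing import Dict, Optional, Tuple

IPv4 = ipaddress.IPv4Address


def netmap_static(addr: str, from_net: str, to_net: str) -> str:
    """Static 1:1 prefix translation: keep the host bits, swap the network bits.

    A per-host DNAT rule such as 192.168.16.173 -> 192.168.15.173 is one
    instance of this mapping; applying it to the whole /24 covers every host.
    """
    src = ipaddress.ip_network(from_net, strict=False)
    dst = ipaddress.ip_network(to_net, strict=False)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("source and destination prefixes must be the same size")
    ip = IPv4(addr)
    if ip not in src:
        return addr  # rule does not match; the packet passes untouched
    host_bits = int(ip) & int(src.hostmask)
    return str(IPv4(int(dst.network_address) | host_bits))


def forward_and_reply(src: str, dst: str, from_net: str, to_net: str):
    """Walk the thread's scenario: the VPN client pings the alias address,
    PREROUTING rewrites the destination before routing, and a conntrack-style
    table (assumed, simplified) undoes the rewrite on the echo reply so the
    client sees the address it pinged. Returns (forward tuple, reply tuple)."""
    new_dst = netmap_static(dst, from_net, to_net)
    conntrack = {(new_dst, src): dst}  # reply (src, dst) -> original destination
    reply_src, reply_dst = new_dst, src
    return (src, new_dst), (conntrack[(reply_src, reply_dst)], reply_dst)


class DynamicPool:
    """Dynamic 1:1 binding from an address pool, as the DNETMAP manual describes:
    the first free post-NAT address is bound to a new pre-NAT address and kept
    until its TTL expires; static bindings take precedence; with static_only
    (the --static option) no dynamic bindings are created. The pool list starts
    at the network address itself, which is why the first dynamic binding in
    the helper's test came out as 192.168.3.0."""

    def __init__(self, prefix: str, ttl: int = 600):
        self.pool = list(ipaddress.ip_network(prefix, strict=False))  # includes .0
        self.ttl = ttl
        self.bindings: Dict[str, Tuple[str, int]] = {}  # prenat -> (postnat, expiry)
        self.static: Dict[str, str] = {}

    def add_static(self, prenat: str, postnat: str) -> None:
        """Model of a static mapping added through the procfs interface."""
        if IPv4(postnat) not in self.pool:
            raise ValueError("postnat address is not in the pool")
        self.static[prenat] = postnat

    def translate(self, prenat: str, now: int, static_only: bool = False) -> Optional[str]:
        """Return the post-NAT address for prenat, or None when the packet
        should continue chain traversal untranslated."""
        if prenat in self.static:
            return self.static[prenat]
        if static_only:
            return None  # --static: never create a dynamic binding
        # Drop bindings whose TTL has expired before looking for a free address.
        self.bindings = {k: v for k, v in self.bindings.items() if v[1] > now}
        if prenat in self.bindings:
            postnat, _ = self.bindings[prenat]
            self.bindings[prenat] = (postnat, now + self.ttl)  # refresh the TTL
            return postnat
        in_use = {v[0] for v in self.bindings.values()} | set(self.static.values())
        for candidate in self.pool:
            if str(candidate) not in in_use:
                self.bindings[prenat] = (str(candidate), now + self.ttl)
                return str(candidate)
        return None  # pool exhausted: packet continues chain traversal


if __name__ == "__main__":
    # Constructed walk-through of the thread's ping.
    print(forward_and_reply("10.8.0.2", "192.168.16.173",
                            "192.168.16.0/24", "192.168.15.0/24"))
    pool = DynamicPool("192.168.3.0/24")
    print(pool.translate("10.0.3.100", now=0))  # first free address: 192.168.3.0
```

The practical takeaway the model makes visible: a dynamic pool gives no control over which post-NAT address a host receives unless a static binding exists for it, so for the overlapping-subnet case a host-bit-preserving static translation of the whole prefix is what replaces one DNAT rule per host.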

Check example 4.

Okay, now I understand the utility of the --static.

Perhaps I have to add --static and --persistent to my DNETMAP entry.

I try it.


No more success...

The target can be used only in the nat table in POSTROUTING or OUTPUT chains for SNAT, and
in PREROUTING for DNAT. Only flows directed to bound addresses will be DNATed. The packet
continues chain traversal if there is no free postnat address to be assigned to the prenat
address. The default binding TTL is 10 minutes and can be changed using the default_ttl
module option. The default address hash size is 256 and can be changed using the hash_size
module option.

--static
Do not create dynamic mappings using this rule. Use static mappings only. Note that
you need to create static mappings via the procfs interface for this rule for this
option to have any effect.

I try to put in the terminal:
echo "+192.168.16.173:192.168.15.173" > /proc/net/xt_DNETMAP/192.168.15.0_24

-ash: can't create /proc/net/xt_DNETMAP/192.168.15.0_24: nonexistent directory :frowning:

or ash: write error: Bad address if I put the DNETMAP entry before...

The folder is there alright if the module is loaded.
However even root doesn't have write rights in there, so there must be some special way to create a file.

root@RoadWarrior:/# ls -la /proc/net/xt_DNETMAP/
dr-xr-xr-x    2 root     root             0 Apr 15 16:13 .
dr-xr-xr-x    6 root     root             0 Apr 15 16:13 ..

via the procfs

I will do more research tomorrow.

Hi,

I saw that document, but I don't have the skills to use it.

I guess this is for programming the modules to create the entries in /proc
