According to this https://openwrt.org/packages/pkgdata/kmod-macvlan macvlan is "A kernel module which allows one to create virtual interfaces that map packets to or from specific MAC addresses to a particular interface".
To my understanding that means I can set up the system to send traffic from certain MACs in the LAN to a specific interface (say, an IPsec VTI, PPTP or another gateway, etc.).
But all I found is a different implementation: users create virtual interfaces and then assign them different MACs, then use them for multi-WAN.
But how to "bind" internal LAN MAC addresses so that all traffic from them goes only to (say) a PPTP VPN?
Well, it's possible to do it with PBR as well, I suppose... I've chosen macvlan as it seems easier to implement according to its description. So, maybe anyone has config examples?
OK, looks like macvlan is not really used widely... Switching to PBR.
192.168.1.99 is a host in the LAN, 192.168.1.1 is the local IPsec tunnel endpoint and 192.168.3.1 is the remote IPsec tunnel endpoint (which works and pings perfectly from the LAN).
The aim is to send all traffic from 1.99 to the tunnel endpoint 3.1.
So, I added a vpn table in iproute2, then tried on 1.1:
ip rule add from 192.168.1.99 table vpn
ip route add default via 192.168.3.1 dev vti0 table vpn
ip route flush cache
Also on 1.1 I allowed any zone/direction forwarding for the 1.99 host.
None of the above worked:
no ping to 8.8.8.8 from 1.99 (tunnel and LAN hosts ping OK);
traceroute reports from 1.1: "destination host unreachable"
Tracing route to dns.google [8.8.8.8]
over a maximum of 30 hops:
1 1 ms <1 ms <1 ms host1 [192.168.1.1]
2 host1 [192.168.1.1] reports: Destination host unreachable.
By "SA" do you mean the IPsec Security Association for the tunnel parameters? Then no, and to my understanding it must not be. Otherwise, please give me an idea of what configs/logs to post.
Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have
ubus call system board; \
uci export network; \
uci export firewall; \
head -n -0 /etc/firewall.user; \
iptables-save -c; ip6tables-save -c; nft list ruleset; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
Add also what is configured for the ipsec (*swan or whatever).
ubus call system board; \
> uci export network; \
> uci export firewall; \
> head -n -0 /etc/firewall.user; \
> iptables-save -c; ip6tables-save -c; nft list ruleset; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
{
"kernel": "4.9.152",
"hostname": "host0",
"system": "XScale-IXP42x Family rev 0 (v5b)",
"model": "USRobotics USR8200",
"board_name": "generic",
"release": {
"distribution": "OpenWrt",
"version": "18.06.2",
"revision": "r7676-cddd7b4c77",
"target": "ixp4xx\/generic",
"description": "OpenWrt 18.06.2 r7676-cddd7b4c77"
}
}
package network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'xx:xx:::/xx'
config interface 'lan'
option ifname 'eth0'
option proto 'static'
option ip6assign '60'
option delegate '0'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
config interface 'wan'
option ifname 'eth1'
option proto 'dhcp'
option macaddr 'xx:xx:xx:xx:xx'
config interface 'wan6'
option ifname 'eth1'
option proto 'dhcpv6'
option auto '0'
config interface 'c377'
option proto 'pptp'
option delegate '0'
option buffering '1'
option username 'pptp'
option defaultroute '0'
option server 'c377.iii.com'
option password 'aaaaa'
option auto '0'
config interface 'IPSEC'
option ifname 'vti0'
option proto 'none'
option delegate '0'
config device
option name 'ppp0'
option ipv6 '0'
config interface 'p1_in'
option proto 'none'
option delegate '0'
option ifname 'ppp0'
package firewall
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option proto 'udp'
option target 'ACCEPT'
option dest_port '500'
config rule
option target 'ACCEPT'
option name 'l76 allow'
option src '*'
option src_ip '192.168.1.76 192.168.1.2'
option dest 'ipsec'
config rule
option src '*'
option target 'DROP'
option proto 'tcp udp icmp 47 all'
option name 'l76 DROP'
option src_ip '192.168.1.76 192.168.1.2'
option dest 'wan'
config defaults
option syn_flood '1'
option forward 'REJECT'
option input 'REJECT'
option output 'REJECT'
config zone
option name 'lan'
option output 'ACCEPT'
option forward 'REJECT'
option input 'ACCEPT'
option network 'lan'
config zone
option name 'wan'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option forward 'REJECT'
option input 'REJECT'
option network 'wan wan6'
config include
option path '/etc/firewall.user'
config zone
option name 'pptp'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option family 'ipv4'
option network 'c37'
config forwarding
option dest 'wan'
option src 'lan'
config zone
option forward 'REJECT'
option name 'ipsec'
option input 'ACCEPT'
option output 'ACCEPT'
option family 'ipv4'
option network 'IPSEC'
config forwarding
option dest 'lan'
option src 'pptp'
config forwarding
option dest 'pptp'
option src 'lan'
config zone
option input 'ACCEPT'
option output 'ACCEPT'
option family 'ipv4'
option forward 'REJECT'
option name 'ppp2me'
option network 'p1_in'
config forwarding
option dest 'lan'
option src 'ipsec'
config forwarding
option dest 'ipsec'
option src 'lan'
config forwarding
option dest 'ipsec'
option src 'ppp2me'
config forwarding
option dest 'lan'
option src 'ppp2me'
config forwarding
option dest 'wan'
option src 'ppp2me'
config rule
option target 'ACCEPT'
option name '99'
option family 'ipv4'
option proto 'tcp udp icmp all'
option src '*'
option src_ip '192.168.1.99'
option dest '*'
# Generated by iptables-save v1.6.2 on Wed Jan 11 12:38:34 2023
*nat
:PREROUTING ACCEPT [113:10948]
:INPUT ACCEPT [40:2974]
:OUTPUT ACCEPT [40:2839]
:POSTROUTING ACCEPT [2:131]
:postrouting_ipsec_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_ppp2me_rule - [0:0]
:postrouting_pptp_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_ipsec_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_ppp2me_rule - [0:0]
:prerouting_pptp_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_ipsec_postrouting - [0:0]
:zone_ipsec_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_ppp2me_postrouting - [0:0]
:zone_ppp2me_prerouting - [0:0]
:zone_pptp_postrouting - [0:0]
:zone_pptp_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[113:10948] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[68:9043] -A PREROUTING -i eth0 -m comment --comment "!fw3" -j zone_lan_prerouting
[45:1905] -A PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i vti0 -m comment --comment "!fw3" -j zone_ipsec_prerouting
[0:0] -A PREROUTING -i ppp0 -m comment --comment "!fw3" -j zone_ppp2me_prerouting
[109:10568] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[0:0] -A POSTROUTING -o eth0 -m comment --comment "!fw3" -j zone_lan_postrouting
[107:10437] -A POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
[2:131] -A POSTROUTING -o vti0 -m comment --comment "!fw3" -j zone_ipsec_postrouting
[0:0] -A POSTROUTING -o ppp0 -m comment --comment "!fw3" -j zone_ppp2me_postrouting
[2:131] -A zone_ipsec_postrouting -m comment --comment "!fw3: Custom ipsec postrouting rule chain" -j postrouting_ipsec_rule
[0:0] -A zone_ipsec_prerouting -m comment --comment "!fw3: Custom ipsec prerouting rule chain" -j prerouting_ipsec_rule
[0:0] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[68:9043] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_ppp2me_postrouting -m comment --comment "!fw3: Custom ppp2me postrouting rule chain" -j postrouting_ppp2me_rule
[0:0] -A zone_ppp2me_prerouting -m comment --comment "!fw3: Custom ppp2me prerouting rule chain" -j prerouting_ppp2me_rule
[0:0] -A zone_pptp_postrouting -m comment --comment "!fw3: Custom pptp postrouting rule chain" -j postrouting_pptp_rule
[0:0] -A zone_pptp_prerouting -m comment --comment "!fw3: Custom pptp prerouting rule chain" -j prerouting_pptp_rule
[107:10437] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[107:10437] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[45:1905] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Wed Jan 11 12:38:34 2023
# Generated by iptables-save v1.6.2 on Wed Jan 11 12:38:34 2023
*mangle
:PREROUTING ACCEPT [177484:72400891]
:INPUT ACCEPT [522:51076]
:FORWARD ACCEPT [176962:72349815]
:OUTPUT ACCEPT [454:100972]
:POSTROUTING ACCEPT [177446:72453534]
[18:1052] -A FORWARD -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Wed Jan 11 12:38:34 2023
# Generated by iptables-save v1.6.2 on Wed Jan 11 12:38:34 2023
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:forwarding_ipsec_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_ppp2me_rule - [0:0]
:forwarding_pptp_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_ipsec_rule - [0:0]
:input_lan_rule - [0:0]
:input_ppp2me_rule - [0:0]
:input_pptp_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_ipsec_rule - [0:0]
:output_lan_rule - [0:0]
:output_ppp2me_rule - [0:0]
:output_pptp_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_ipsec_dest_ACCEPT - [0:0]
:zone_ipsec_dest_REJECT - [0:0]
:zone_ipsec_forward - [0:0]
:zone_ipsec_input - [0:0]
:zone_ipsec_output - [0:0]
:zone_ipsec_src_ACCEPT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_dest_REJECT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_ppp2me_dest_ACCEPT - [0:0]
:zone_ppp2me_dest_REJECT - [0:0]
:zone_ppp2me_forward - [0:0]
:zone_ppp2me_input - [0:0]
:zone_ppp2me_output - [0:0]
:zone_ppp2me_src_ACCEPT - [0:0]
:zone_pptp_dest_ACCEPT - [0:0]
:zone_pptp_dest_REJECT - [0:0]
:zone_pptp_forward - [0:0]
:zone_pptp_input - [0:0]
:zone_pptp_output - [0:0]
:zone_pptp_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_DROP - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[0:0] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[523:51116] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[43:6214] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[40:1624] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[40:3027] -A INPUT -i eth0 -m comment --comment "!fw3" -j zone_lan_input
[112:18521] -A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i vti0 -m comment --comment "!fw3" -j zone_ipsec_input
[0:0] -A INPUT -i ppp0 -m comment --comment "!fw3" -j zone_ppp2me_input
[0:0] -A INPUT -m comment --comment "!fw3" -j reject
[176988:72365073] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[176663:72198490] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A FORWARD -s 192.168.1.76/32 -p tcp -m comment --comment "!fw3: l76 allow" -j zone_ipsec_dest_ACCEPT
[0:0] -A FORWARD -s 192.168.1.2/32 -p tcp -m comment --comment "!fw3: l76 allow" -j zone_ipsec_dest_ACCEPT
[5:355] -A FORWARD -s 192.168.1.76/32 -p udp -m comment --comment "!fw3: l76 allow" -j zone_ipsec_dest_ACCEPT
[0:0] -A FORWARD -s 192.168.1.2/32 -p udp -m comment --comment "!fw3: l76 allow" -j zone_ipsec_dest_ACCEPT
[0:0] -A FORWARD -s 192.168.1.76/32 -p tcp -m comment --comment "!fw3: l76 DROP" -j zone_wan_dest_DROP
[0:0] -A FORWARD -s 192.168.1.2/32 -p tcp -m comment --comment "!fw3: l76 DROP" -j zone_wan_dest_DROP
[0:0] -A FORWARD -s 192.168.1.76/32 -p udp -m comment --comment "!fw3: l76 DROP" -j zone_wan_dest_DROP
[0:0] -A FORWARD -s 192.168.1.2/32 -p udp -m comment --comment "!fw3: l76 DROP" -j zone_wan_dest_DROP
[4:240] -A FORWARD -s 192.168.1.76/32 -p icmp -m comment --comment "!fw3: l76 DROP" -j zone_wan_dest_DROP
[0:0] -A FORWARD -s 192.168.1.2/32 -p icmp -m comment --comment "!fw3: l76 DROP" -j zone_wan_dest_DROP
[0:0] -A FORWARD -s 192.168.1.76/32 -p gre -m comment --comment "!fw3: l76 DROP" -j zone_wan_dest_DROP
[0:0] -A FORWARD -s 192.168.1.2/32 -p gre -m comment --comment "!fw3: l76 DROP" -j zone_wan_dest_DROP
[4:240] -A FORWARD -s 192.168.1.76/32 -m comment --comment "!fw3: l76 DROP" -j zone_wan_dest_DROP
[0:0] -A FORWARD -s 192.168.1.2/32 -m comment --comment "!fw3: l76 DROP" -j zone_wan_dest_DROP
[0:0] -A FORWARD -s 192.168.1.99/32 -p tcp -m comment --comment "!fw3: 99" -j ACCEPT
[0:0] -A FORWARD -s 192.168.1.99/32 -p udp -m comment --comment "!fw3: 99" -j ACCEPT
[0:0] -A FORWARD -s 192.168.1.99/32 -p icmp -m comment --comment "!fw3: 99" -j ACCEPT
[0:0] -A FORWARD -s 192.168.1.99/32 -m comment --comment "!fw3: 99" -j ACCEPT
[320:166228] -A FORWARD -i eth0 -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i vti0 -m comment --comment "!fw3" -j zone_ipsec_forward
[0:0] -A FORWARD -i ppp0 -m comment --comment "!fw3" -j zone_ppp2me_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[0:0] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[458:101804] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[418:98959] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A OUTPUT -o eth0 -m comment --comment "!fw3" -j zone_lan_output
[40:2845] -A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o vti0 -m comment --comment "!fw3" -j zone_ipsec_output
[0:0] -A OUTPUT -o ppp0 -m comment --comment "!fw3" -j zone_ppp2me_output
[0:0] -A OUTPUT -m comment --comment "!fw3" -j reject
[0:0] -A input_rule -i eth1 -p tcp -m tcp --dport 1111 -j ACCEPT
[0:0] -A input_rule -i eth1 -p tcp -m tcp --dport 2222 -j ACCEPT
[0:0] -A input_rule -i eth1 -p tcp -m tcp --dport 33333 -j ACCEPT
[978:87331] -A input_rule -i eth0 -p tcp -m tcp --dport 1111 -j ACCEPT
[0:0] -A input_rule -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
[3619:199250] -A input_rule -i eth0 -p tcp -m tcp --dport 2222 -j ACCEPT
[0:0] -A input_rule -i eth0 -p tcp -m tcp --dport 33333 -j ACCEPT
[6626:2564024] -A input_rule -i eth1 -p esp -j ACCEPT
[9:2489] -A input_rule -i eth1 -p udp -m udp --dport 5000 -j ACCEPT
[113:9400] -A input_rule -i eth1 -p tcp -m tcp --dport 7777 -j ACCEPT
[61:2464] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[4:221] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[40:1624] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[9:595] -A zone_ipsec_dest_ACCEPT -o vti0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_ipsec_dest_REJECT -o vti0 -m comment --comment "!fw3" -j reject
[0:0] -A zone_ipsec_forward -m comment --comment "!fw3: Custom ipsec forwarding rule chain" -j forwarding_ipsec_rule
[0:0] -A zone_ipsec_forward -m comment --comment "!fw3: Zone ipsec to lan forwarding policy" -j zone_lan_dest_ACCEPT
[0:0] -A zone_ipsec_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_ipsec_forward -m comment --comment "!fw3" -j zone_ipsec_dest_REJECT
[0:0] -A zone_ipsec_input -m comment --comment "!fw3: Custom ipsec input rule chain" -j input_ipsec_rule
[0:0] -A zone_ipsec_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_ipsec_input -m comment --comment "!fw3" -j zone_ipsec_src_ACCEPT
[0:0] -A zone_ipsec_output -m comment --comment "!fw3: Custom ipsec output rule chain" -j output_ipsec_rule
[0:0] -A zone_ipsec_output -m comment --comment "!fw3" -j zone_ipsec_dest_ACCEPT
[0:0] -A zone_ipsec_src_ACCEPT -i vti0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_dest_ACCEPT -o eth0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_dest_REJECT -o eth0 -m comment --comment "!fw3" -j reject
[320:166228] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[320:166228] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[4:240] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to pptp forwarding policy" -j zone_pptp_dest_ACCEPT
[4:240] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to ipsec forwarding policy" -j zone_ipsec_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_REJECT
[40:3027] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[40:3027] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[0:0] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[0:0] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[40:3027] -A zone_lan_src_ACCEPT -i eth0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_ppp2me_dest_ACCEPT -o ppp0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_ppp2me_dest_REJECT -o ppp0 -m comment --comment "!fw3" -j reject
[0:0] -A zone_ppp2me_forward -m comment --comment "!fw3: Custom ppp2me forwarding rule chain" -j forwarding_ppp2me_rule
[0:0] -A zone_ppp2me_forward -m comment --comment "!fw3: Zone ppp2me to ipsec forwarding policy" -j zone_ipsec_dest_ACCEPT
[0:0] -A zone_ppp2me_forward -m comment --comment "!fw3: Zone ppp2me to lan forwarding policy" -j zone_lan_dest_ACCEPT
[0:0] -A zone_ppp2me_forward -m comment --comment "!fw3: Zone ppp2me to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_ppp2me_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_ppp2me_forward -m comment --comment "!fw3" -j zone_ppp2me_dest_REJECT
[0:0] -A zone_ppp2me_input -m comment --comment "!fw3: Custom ppp2me input rule chain" -j input_ppp2me_rule
[0:0] -A zone_ppp2me_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_ppp2me_input -m comment --comment "!fw3" -j zone_ppp2me_src_ACCEPT
[0:0] -A zone_ppp2me_output -m comment --comment "!fw3: Custom ppp2me output rule chain" -j output_ppp2me_rule
[0:0] -A zone_ppp2me_output -m comment --comment "!fw3" -j zone_ppp2me_dest_ACCEPT
[0:0] -A zone_ppp2me_src_ACCEPT -i ppp0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_pptp_forward -m comment --comment "!fw3: Custom pptp forwarding rule chain" -j forwarding_pptp_rule
[0:0] -A zone_pptp_forward -m comment --comment "!fw3: Zone pptp to lan forwarding policy" -j zone_lan_dest_ACCEPT
[0:0] -A zone_pptp_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_pptp_forward -m comment --comment "!fw3" -j zone_pptp_dest_REJECT
[0:0] -A zone_pptp_input -m comment --comment "!fw3: Custom pptp input rule chain" -j input_pptp_rule
[0:0] -A zone_pptp_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_pptp_input -m comment --comment "!fw3" -j zone_pptp_src_ACCEPT
[0:0] -A zone_pptp_output -m comment --comment "!fw3: Custom pptp output rule chain" -j output_pptp_rule
[0:0] -A zone_pptp_output -m comment --comment "!fw3" -j zone_pptp_dest_ACCEPT
[1:52] -A zone_wan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[355:168781] -A zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_DROP -o eth1 -m comment --comment "!fw3" -j DROP
[0:0] -A zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[112:18521] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[47:15836] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j ACCEPT
[0:0] -A zone_wan_input -p udp -m udp --dport 5000 -m comment --comment "!fw3: Allow-ISAKMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[65:2685] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[40:2845] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[40:2845] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[65:2685] -A zone_wan_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Wed Jan 11 12:38:34 2023
# Generated by ip6tables-save v1.6.2 on Wed Jan 11 12:38:34 2023
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1:160]
:POSTROUTING ACCEPT [1:160]
[0:0] -A FORWARD -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Wed Jan 11 12:38:34 2023
# Generated by ip6tables-save v1.6.2 on Wed Jan 11 12:38:34 2023
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_dest_REJECT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_DROP - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[0:0] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[0:0] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[0:0] -A INPUT -i eth0 -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -m comment --comment "!fw3" -j reject
[0:0] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A FORWARD -i eth0 -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[0:0] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[1:160] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[0:0] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[1:160] -A OUTPUT -o eth0 -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -m comment --comment "!fw3" -j reject
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp6-port-unreachable
[0:0] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[1:160] -A zone_lan_dest_ACCEPT -o eth0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_dest_REJECT -o eth0 -m comment --comment "!fw3" -j reject
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_REJECT
[0:0] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[1:160] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[1:160] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[0:0] -A zone_lan_src_ACCEPT -i eth0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_DROP -o eth1 -m comment --comment "!fw3" -j DROP
[0:0] -A zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[0:0] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -s fc00::/6 -d fc00::/6 -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j ACCEPT
[0:0] -A zone_wan_input -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j ACCEPT
[0:0] -A zone_wan_input -p udp -m udp --dport 4500 -m comment --comment "!fw3: Allow-ISAKMP" -j ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[0:0] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[0:0] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Wed Jan 11 12:38:35 2023
-ash: nft: not found
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 100
inet 555.55.5.55/28 brd 555.55.5.255 scope global eth1
valid_lft forever preferred_lft forever
default via 192.168.3.1 dev vti0 table vpn
default via 999.999.9.9 dev eth1 proto static src 555.55.5.55
777.77.7777.7/22 dev eth1 proto kernel scope link src 555.55.5.55
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1
192.168.3.0/24 dev vti0 scope link src 192.168.1.1
broadcast 777.77.7777.7 dev eth1 table local proto kernel scope link src 555.55.5.55
local 555.55.5.55 dev eth1 table local proto kernel scope host src 555.55.5.55
broadcast 777.77.7.255 dev eth1 table local proto kernel scope link src 555.55.5.55
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.1.0 dev eth0 table local proto kernel scope link src 192.168.1.1
local 192.168.1.1 dev eth0 table local proto kernel scope host src 192.168.1.1
broadcast 192.168.1.255 dev eth0 table local proto kernel scope link src 192.168.1.1
0: from all lookup local
218: from 192.168.1.76 lookup vpn
219: from 192.168.1.99 lookup vpn
220: from all lookup 220
32766: from all lookup main
32767: from all lookup default
Regarding the strongSwan tunnel - local subnet is 192.168.1.0/24, remote one 192.168.3.0/24. Again, the tunnel starts up and pings all inside and outside it from both ends.
First of all, you are on a very old version.
Second, the problem is a bit obvious. You are trying to ping some other address outside of the remote subnet, and it needs to be defined in IPsec.
Third, you cannot use 3.1 as the gateway, which I understand is the LAN IP of the other router, right?
Yes, on one device. Unfortunately, it's discontinued. But "old" doesn't necessarily mean "bad". :)
This is exactly what I'm trying to do. Accessing the Internet via the remote VPN end is one of the things a VPN was supposed to do.
Will dig it.
So, you're saying it's impossible to access the Internet through the VPN. I believe that's not quite correct. Probably you meant that 192.168.3.1 doesn't belong to the 192.168.1.0/24 subnet, so you can't assign 3.1 a "traditional gateway status". But I guess it's solvable by routing/forwarding means.
...if properly configured. In your case you have a site to site ipsec vpn, which is what it's configured for.
It is very possible, however not as you have configured it.
What I meant is that the 1.1 router doesn't have any interface in the 3.0/24 subnet of the 3.1 router. Therefore you cannot use an address that is not directly reachable as a gateway. Moreover, IPsec will not transfer traffic which isn't in the SAs.
And a piece of advice: forget about IPsec and go for WireGuard. You'll achieve your goal much more easily.
Thanks, will do some more research... I think split tunneling is what I need first.
PS: For now I've solved the issue by establishing PPTP inside IPsec from 1.99 to 3.1, while blocking 1.99's WAN access in the firewall. Odd, and I don't like it, but it's temporary.
OK guys, SOLVED (not by means of macvlan but by policy-based routing; admins, please adjust the topic name accordingly, if possible)
Once again, the task was:
local LAN host ONLY routes to <--> default route to IPsec site-to-site tunnel remote endpoint <--> WAN
append ,0.0.0.0/0 to remote_ts in your LOCAL swanctl configuration (IKEv2 is required)
append ,0.0.0.0/0 to local_ts in your REMOTE swanctl configuration (IKEv2)
add the routing table, rule and route, as described here, on the LOCAL tunnel endpoint
adjust the local and remote firewall forwarding rules (allow forwarding from the local LAN host to IPSEC on the local OpenWrt tunnel endpoint; allow forwarding from the IPSEC zone to WAN on the remote OpenWrt tunnel endpoint)
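The recipe above, together with the earlier `ip rule` / `ip route` attempt, as one script. This is an example added here, not code from the thread, from OpenWrt or from strongSwan. It assumes values the posts never state: table ID 100, rule priority 1000, a VTI key/mark of 42 on vti0, a child-SA name lan-via-vpn and fw3 section names pbr99 / pbr99_block. It defaults to a dry run that prints the commands, and it adds one thing the posts do not: an `unreachable` fallback route in the vpn table, so the host fails closed when vti0 goes away instead of falling through to the main table and leaving via the WAN in clear.

```shell
#!/bin/sh
# Added example, not code from the thread: force one LAN host into a route-based
# IPsec (VTI) tunnel with policy-based routing on OpenWrt, fail closed when the
# tunnel route is gone, pin the host with fw3 rules, and print the swanctl child
# blocks whose traffic selectors must include 0.0.0.0/0 on both peers.
# Assumed values that do not appear in the original post: table ID 100, rule
# priority 1000, child name lan-via-vpn, VTI mark 42, section names pbr99*.

PBR_HOST="${PBR_HOST:-192.168.1.99}"              # LAN host to send through the tunnel
PBR_TABLE="${PBR_TABLE:-vpn}"                     # routing table name
PBR_TABLE_ID="${PBR_TABLE_ID:-100}"               # assumed numeric ID for that table
PBR_PRIO="${PBR_PRIO:-1000}"                      # rule priority, ahead of main (32766)
PBR_DEV="${PBR_DEV:-vti0}"                        # VTI interface of the tunnel
VTI_MARK="${VTI_MARK:-42}"                        # assumed key of vti0; must match swanctl
RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"
DRY_RUN="${DRY_RUN:-1}"                           # 1 = print commands, 0 = execute as root

# Print a command (dry run) or execute it.
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Register the table name so "table vpn" resolves; idempotent across re-runs.
ensure_rt_table() {
    if ! grep -q "[[:space:]]$PBR_TABLE\$" "$RT_TABLES" 2>/dev/null; then
        if [ "$DRY_RUN" = 1 ]; then
            echo "echo '$PBR_TABLE_ID $PBR_TABLE' >> $RT_TABLES"
        else
            printf '%s\t%s\n' "$PBR_TABLE_ID" "$PBR_TABLE" >> "$RT_TABLES"
        fi
    fi
}

# Rule plus routes. No "via" is needed: a VTI is point-to-point, so the default
# route does not depend on 192.168.3.1 being on-link. The "unreachable" default
# with a worse metric is the kill switch: if vti0 disappears, the lookup still
# hits table vpn and the host's packets are refused instead of falling through
# to main and leaving the WAN unencrypted.
pbr_apply() {
    run ip rule del from "$PBR_HOST" lookup "$PBR_TABLE" priority "$PBR_PRIO" 2>/dev/null || true
    run ip rule add from "$PBR_HOST" lookup "$PBR_TABLE" priority "$PBR_PRIO"
    run ip route replace default dev "$PBR_DEV" table "$PBR_TABLE"
    run ip route replace unreachable default metric 4000 table "$PBR_TABLE"
}

pbr_remove() {
    run ip rule del from "$PBR_HOST" lookup "$PBR_TABLE" priority "$PBR_PRIO"
    run ip route flush table "$PBR_TABLE"
}

# fw3: the host may open connections into the ipsec zone and never into wan.
# fw3 emits rules before the zone forwarding policies, so the DROP wins over the
# lan->wan forwarding; named sections keep the uci calls idempotent.
fw_uci() {
    run uci set firewall.pbr99=rule
    run uci set firewall.pbr99.name=pbr99-to-ipsec
    run uci set firewall.pbr99.src=lan
    run uci set firewall.pbr99.src_ip="$PBR_HOST"
    run uci set firewall.pbr99.dest=ipsec
    run uci set firewall.pbr99.target=ACCEPT
    run uci set firewall.pbr99_block=rule
    run uci set firewall.pbr99_block.name=pbr99-no-wan
    run uci set firewall.pbr99_block.src=lan
    run uci set firewall.pbr99_block.src_ip="$PBR_HOST"
    run uci set firewall.pbr99_block.dest=wan
    run uci set firewall.pbr99_block.target=DROP
    run uci commit firewall
    run /etc/init.d/firewall reload
}

# swanctl child block for one peer. IKEv2 narrows the selectors to what both
# sides allow, so 0.0.0.0/0 must be in remote_ts on the LAN-side router AND in
# local_ts on the exit router; otherwise the CHILD_SA stays 1.0/24 <-> 3.0/24
# and Internet-bound packets are refused at the XFRM policy (the symptom in the
# thread). mark_in/mark_out bind the policy to vti0; without them a 0.0.0.0/0
# selector would capture every packet the router itself sends.
swanctl_child() {
    case "$1" in
        local)  lts="192.168.1.0/24";           rts="192.168.3.0/24,0.0.0.0/0" ;;
        remote) lts="192.168.3.0/24,0.0.0.0/0"; rts="192.168.1.0/24" ;;
        *) echo "usage: swanctl_child local|remote" >&2; return 1 ;;
    esac
    printf '    children {\n        lan-via-vpn {\n            local_ts = %s\n            remote_ts = %s\n            mode = tunnel\n            mark_in = %s\n            mark_out = %s\n            start_action = start\n        }\n    }\n' \
        "$lts" "$rts" "$VTI_MARK" "$VTI_MARK"
}

# Verbs: apply | remove | swanctl local|remote. No argument does nothing.
case "${1:-}" in
    apply)   ensure_rt_table; pbr_apply; fw_uci ;;
    remove)  pbr_remove ;;
    swanctl) swanctl_child "${2:-local}" ;;
esac
```

On the LAN-side router run `DRY_RUN=0 sh pbr-vpn.sh apply`; `sh pbr-vpn.sh swanctl remote` prints the block the far end needs in its own connection. Check the result with `ip route get 8.8.8.8 from 192.168.1.99 iif eth0` (it should name dev vti0) and `swanctl --list-sas` (both directions must show 0.0.0.0/0 in the traffic selectors). The exit router still needs its wan zone to masquerade the tunnel traffic and an ipsec-to-wan forwarding, as the last step says. Only IPv4 is handled: if the host has a global IPv6 address, that traffic still leaves through the WAN.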