Masquerading specific subnets

This is a question about using masq and masq_src on zone records. Do I have to specifically set masq to 1 to have masq_src working? I'm worried that setting masq to 1 will masquerade everything.

A bit of background: I've got 3 zones in my config, UNSEC, SEC and VPN. UNSEC and SEC are routed networks (I've got static routes published to the clients via DHCP), but VPN is not. I'd like VPN clients to be masqueraded when accessing SEC/UNSEC resources.

I've tried setting just masq_src on the SEC and UNSEC zones, but it didn't do anything; when I also set masq to 1, it seems to do the trick. Unfortunately I can't easily test whether SEC is masqueraded when accessing UNSEC, as I've got no machines attached to SEC (this will change in a week's time).

Thanks!

# uci set firewall.@zone[1].masq="0"; uci set firewall.@zone[1].masq_src="192.168.2.0/24 192.168.3.0/24"; service firewall restart 2>/dev/null; iptables-save | grep -e MASQUERADE -e 192.168; uci revert firewall; service firewall restart 2>/dev/null

# uci set firewall.@zone[1].masq="1"; uci set firewall.@zone[1].masq_src="192.168.2.0/24 192.168.3.0/24"; service firewall restart 2>/dev/null; iptables-save | grep -e MASQUERADE -e 192.168; uci revert firewall; service firewall restart 2>/dev/null
-A zone_wan_postrouting -s 192.168.2.0/24 -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_postrouting -s 192.168.3.0/24 -m comment --comment "!fw3" -j MASQUERADE

Yes

If you use the source, it will masquerade only that. Or you can exclude what should not be masqueraded.

If OpenWrt is the only router in your network, adding static routes is not necessary. The default route to the OpenWrt will do.

You can check it with iptables -t nat -L -nv
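For reference, here is what the answer above amounts to as an /etc/config/firewall zone configuration. This is an added example, not a config posted in the thread or shipped by OpenWrt. The zone names follow the question (UNSEC, SEC, VPN); the subnets, interface names and the forwarding rules are assumptions: 192.168.2.0/24 for UNSEC, 192.168.3.0/24 for SEC and 10.8.0.0/24 for the VPN clients.

```uci
# Added example, not from the thread. Assumed subnets: UNSEC 192.168.2.0/24,
# SEC 192.168.3.0/24, VPN clients 10.8.0.0/24; assumed interface names
# unsec, sec, vpn.

config zone
	option name 'VPN'
	list network 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	# No masq here: nothing needs rewriting when traffic leaves towards the VPN.

config zone
	option name 'SEC'
	list network 'sec'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	# masq must be '1' for masq_src to have any effect at all. Because
	# masq_src is set, fw3 emits MASQUERADE only for this source, so
	# routed UNSEC clients reaching SEC keep their real address.
	# Expected rule (chain zone_SEC_postrouting):
	#   -s 10.8.0.0/24 -m comment --comment "!fw3" -j MASQUERADE
	option masq '1'
	list masq_src '10.8.0.0/24'

config zone
	option name 'UNSEC'
	list network 'unsec'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	list masq_src '10.8.0.0/24'
	# The "exclude" form from the answer does the same job the other way
	# round: masquerade everything except the routed SEC subnet. Use this
	# instead of the positive list above, not in addition to it.
	# list masq_src '!192.168.3.0/24'

# Zone policy forward 'REJECT' only covers intra-zone traffic; these
# forwardings let VPN clients reach SEC and UNSEC at all.
config forwarding
	option src 'VPN'
	option dest 'SEC'

config forwarding
	option src 'VPN'
	option dest 'UNSEC'
```

After `service firewall restart`, `iptables -t nat -S zone_SEC_postrouting` should list one MASQUERADE rule per masq_src entry and no unqualified MASQUERADE; if masq were left at 0 the chain would carry no MASQUERADE rule regardless of masq_src. On fw4-based releases (OpenWrt 22.03 and later) the same options apply, but the check is `nft list ruleset` rather than iptables.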

Thanks for this, will give it a go. Unfortunately OpenWrt isn't the only router. The default gateway is an ISP router, so I had to push routes to devices to point to OpenWrt for SEC connectivity.

Was able to test and indeed both settings are required. Without masq_src everything is masqueraded, but when applying the filter only specific subnets will be.

Thanks!
