Masquerading to gateway only

Hello,

I'm trying to find a solution to only NAT/masquerade traffic that goes to 0.0.0.0 via a specific gateway (i.e. 192.168.0.1) and let traffic going to all the other IPs in 192.168.1.0/24 pass without masquerading.

I've tried to add, in the firewall rule / Advanced Settings / Restrict masquerading to destination = 192.168.0.1/32,

but this rule, even if it is in wan_postrouting, only masquerades traffic to 192.168.0.1 and not traffic routed to 192.168.0.1.

Any idea how to do this without leaving the OpenWrt web interface? (I may create a specific rule and bypass the default one, but will it appear on the web interface?)

Thanks for your ideas or help :slight_smile:

Are you saying you have 2 gateways in the same LAN?

You fail to describe the OpenWrt's location in the network and where these "gateways" reside.

I just learnt this yesterday. Firewall settings for two site-to-site OpenWrt routers - #7 by vgaetera

Go to the Advanced Settings of your WAN zone with masquerading enabled. Note the '!' before the destination subnet - it means traffic going to that subnet will not be masqueraded.

The uci command for my router of that option is:

uci add_list firewall.@zone[1].masq_dest="!192.168.104.0/24"

First, thanks for your replies :slight_smile:

Net map: my mistake, this is what my network looks like:
Wifi networks (multiple SSID) --> openWRT AP --> DMZ_LAN --> GW1

I have a couple of SSIDs, some need minimum traffic modification, and always masquerade to GW1 (192.168.0.1)

Others can have their traffic going (ideally not masqueraded) to a second GW2 that can be up or down.
I have an apinger running and modifying the routing table on the fly. (This GW2 has more filtering things, but can be off from time to time.)

Your idea is great and leads to denying masquerading on the DMZ_Lan (!192.168.0.0/24); I'll take it as a last resort option, but I would like to activate masquerading only on traffic routed to GW1 (192.168.0.1)

I tried to find tutorials about masquerading depending on the gateway, I only found stuff with interfaces. I can't rely on VLANs, and I don't think we can create a local loop to do it.

Without knowing where GW1 is connected, it is hard to say how it can be done.


GW1 is a cable operator basic box, my OpenWrt is connected via wifi
option network 'wwan'

the subnet between the two is 192.168.0/24
I've tried to create a second IP for the OpenWrt box and use it to route traffic, but the masquerading rules are based on real interfaces, so it just sees both IPs as the same interface and makes no difference between rules with or without masquerading

I'm going to check if I can play with marks to mark the "needs to be masqueraded" traffic versus the non-masqueraded one.

Sorry, I meant where is GW2.


GW2 is also on the same subnet, but I put it at the opposite end, 192.168.0.253, to split the network in two subnets (two interfaces on the vapp)

You should probably disable masquerading on the downstream router entirely.
Just add static routes to the downstream router's subnet on each upstream router/gateway.

Hello vgaetera,

This was my first guess :slight_smile:
But as you may imagine, there is no way to add a static route on this box :frowning:

I've spent hours looking at different solutions, but it doesn't look possible as is, so I've added a couple of lines to my apinger scripts.

This is what I've done:
echo "100 newgw" >> /etc/iproute2/rt_tables   # register table 100 under the name "newgw" used by the scripts below

  • I use two scripts, command on: command on "/etc/apinger.alarm %t %a %A"
#!/bin/sh
# apinger alarm hook: $1 is the target address that just went down

case "$1" in
"192.168.0.1")
#LED OFF
echo 0 > /sys/class/leds/mr16\:green\:wifi1/brightness
;;
"192.168.0.254")
#LED OFF
echo 0 > /sys/class/leds/mr16\:green\:wifi2/brightness
# GW2 is down: remove the two policy-routing rules installed by the cancelled script
# (the priority must match the one used there, 100)
ip rule del prio 100
ip rule del prio 100

# rebuild the fw3 zone chain so that everything is masqueraded towards GW1 again
iptables -t nat -F zone_wan_postrouting
iptables -t nat -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
iptables -t nat -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE

;;
esac
  • then the command off: command off "/etc/apinger.cancelled %t %a %A"
#!/bin/sh
# apinger cancelled hook: $1 is the target address that came back up
# ALWAYSMASQUERADEDNET, NEVERMASQNET1 and NEVERMASQNET2 are placeholders for the real subnets

case "$1" in
"192.168.0.1")
#LED ON
echo 1 > /sys/class/leds/mr16\:green\:wifi1/brightness
;;
"192.168.0.254")
#LED ON
echo 1 > /sys/class/leds/mr16\:green\:wifi2/brightness
iptables -t nat -F zone_wan_postrouting
iptables -t nat -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
# only this subnet is always masqueraded (towards GW1)
iptables -t nat -A zone_wan_postrouting -s ALWAYSMASQUERADEDNET -m comment --comment "!fw3" -j MASQUERADE
# leave local and GW2-bound traffic untouched
iptables -t nat -A zone_wan_postrouting -d 192.168.0.0/24 -m comment --comment "!fw3" -j RETURN
iptables -t nat -A zone_wan_postrouting -d NEVERMASQNET1 -m comment --comment "!fw3" -j RETURN
iptables -t nat -A zone_wan_postrouting -d NEVERMASQNET2 -m comment --comment "!fw3" -j RETURN
#Need a fix here
# send these subnets through GW2 via table newgw ("replace" does not fail if the routes already exist)
ip rule add from NEVERMASQNET1 table newgw prio 100
ip rule add from NEVERMASQNET2 table newgw prio 100
ip route replace 192.168.0.0/24 dev wlan0 table newgw
ip route replace default via 192.168.0.254 dev wlan0 table newgw
;;
esac

Not really smart, but it does the job
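As an added example that is not from the thread or from OpenWrt's own tooling: the same up/down logic as the two apinger hooks above, but with the routing decision and the NAT exemption keyed on a single firewall mark, so exactly the flows that are policy-routed to GW2 skip MASQUERADE and nothing else does. The GW2 address, the interface, the table name "newgw" (assumed to be registered in /etc/iproute2/rt_tables) and the client subnets are assumed values; DRY_RUN=1 prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread: one apinger hook that ties the NAT decision to the
# routing decision through a firewall mark, so only flows routed via GW2 escape MASQUERADE.
# Hypothetical values: GW2 address, WAN interface, table "newgw" (must exist in
# /etc/iproute2/rt_tables), mark 0x2 and the client subnets. DRY_RUN=1 prints the commands.
GW2="${GW2:-192.168.0.254}"
WAN_IF="${WAN_IF:-wlan0}"
TABLE="${TABLE:-newgw}"
MARK="${MARK:-0x2}"
GW2_NETS="${GW2_NETS:-192.168.10.0/24 192.168.11.0/24}"   # constructed example subnets

run() {   # execute the command, or print it when DRY_RUN=1
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Mark packets from the GW2-eligible subnets in mangle PREROUTING ($1 is -A to add, -D to delete).
mark_rules() {
    for net in $GW2_NETS; do
        run iptables -t mangle "$1" PREROUTING -s "$net" -j MARK --set-mark "$MARK"
    done
}

gw2_up() {   # apinger "command off": GW2 is reachable again
    mark_rules -A
    # marked flows leave the fw3 zone chain before its MASQUERADE rule
    run iptables -t nat -I zone_wan_postrouting 1 -m mark --mark "$MARK" -j RETURN
    # marked flows are routed through GW2 via the dedicated table
    run ip route replace 192.168.0.0/24 dev "$WAN_IF" table "$TABLE"
    run ip route replace default via "$GW2" dev "$WAN_IF" table "$TABLE"
    run ip rule add fwmark "$MARK" table "$TABLE" prio 100
}

gw2_down() {   # apinger "command on" (alarm): everything falls back to GW1 with MASQUERADE
    run ip rule del fwmark "$MARK" table "$TABLE" prio 100
    run iptables -t nat -D zone_wan_postrouting -m mark --mark "$MARK" -j RETURN
    mark_rules -D
}

case "${1:-}" in
    up) gw2_up ;;
    down) gw2_down ;;
esac
```

A firewall reload rebuilds zone_wan_postrouting, so the up hook has to be run again afterwards.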

Configure the masquerading exception as follows:

uci add_list firewall.@zone[1].masq_dest="!192.168.0.253/32"
uci commit firewall
/etc/init.d/firewall restart

Hello vgaetera,

this disables masquerading for traffic terminating at 192.168.0.253. In the case of routed traffic, it is not taken into account.

I've searched and tested lots of things, and I wasn't able to find a lean solution to disallow masquerading if traffic goes via a specific gateway.

That's also why I'm tweaking the configuration "on-the-fly" with apinger.

It works now (at least this part is ok now), I've just discovered a new issue with packets disappearing.

Thanks for your help

