tutsde
June 20, 2024, 2:14pm
1
Hello,
I have some trouble with NATting private networks.
I have a special hardware config:
Router A is connected to the Internet and manages traffic (default gateway) for my private network (192.168.44.0).
Router B is connected to the Internet and to the private network (192.168.44.0) but is not used as the gateway for this private network. It also has a VPN connection (10.0.10.0).
Router C is connected to the Internet, manages traffic (default gateway) for another private network (172.16.1.0) and is connected to the VPN connection from Router B (10.0.10.0).
The VPN connection is working well. All traffic from 172.16.1.0 is routed to the Internet connection of Router B.
Now I want to reach a system from network 172.16.1.0 that is located in 192.168.44.0 over the VPN connection.
I think I must activate some NAT on Router B because it handles the VPN but is not the default router for the destination network, but I don't know exactly how and where and for which networks ...
Is router B connected directly to router A? Just to clarify, please show us a topology diagram with devices and their IP addresses labeled.
Are all routers running OpenWrt?
tutsde
June 20, 2024, 7:36pm
3
OK, I drew something; hope it will help to understand.
Yes, the LAN ports of Router A and Router B are connected.
192.168.44.1 is the gateway for network 192.168.44.0
172.16.1.1 is the gateway for network 172.16.1.1
All traffic from 172.16.1.0 is routed toward Router B over the VPN.
OpenWrt is installed on all routers.
From the system with IP 172.16.1.2 I want to connect to the server with IP 192.168.44.3.
On Router C I have set up a static route to 192.168.44.0 via VPN 10.0.10.1.
On router A, add a route that is 172.16.1.0/24 via 192.168.44.2.
tutsde
June 21, 2024, 7:00am
5
This does not work. I think it's because Router B can send the traffic directly to the destination, so the response must take the same way back.
And this is why I'm thinking about some NAT settings ...
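To make the asymmetry described here visible, the following is an added example (not from tutsde or anyone else in this thread) that models the three routers' routing tables as given in the posts and traces the request and the reply of a connection from 172.16.1.2 to 192.168.44.3. Assumptions that the thread does not state and that are constructed here: Router C's tunnel address is 10.0.10.2, and Router B has a route to 172.16.1.0/24 over the tunnel (without it the VPN would not carry Router C's traffic).

```python
"""Model of the three-router topology from this thread, built to show why the
172.16.1.0/24 route on Router A alone leaves Router A seeing only one direction
of each flow. Added example, not from the thread. Constructed assumptions:
Router C's tunnel address is 10.0.10.2 and Router B has a route to 172.16.1.0/24
over the tunnel (the thread only gives Router B's tunnel address, 10.0.10.1)."""
import ipaddress
from typing import Dict, List, Set, Tuple

Route = Tuple[str, str]  # (destination prefix, next hop | "direct" | "internet")

# Per-node routing tables reconstructed from the posts (constructed).
TABLES: Dict[str, List[Route]] = {
    "172.16.1.2": [("172.16.1.0/24", "direct"), ("0.0.0.0/0", "172.16.1.1")],
    "RouterC": [("172.16.1.0/24", "direct"), ("10.0.10.0/24", "direct"),
                ("192.168.44.0/24", "10.0.10.1"),   # static route from post 3
                ("0.0.0.0/0", "10.0.10.1")],         # all traffic goes over the VPN
    "RouterB": [("192.168.44.0/24", "direct"), ("10.0.10.0/24", "direct"),
                ("172.16.1.0/24", "10.0.10.2"),      # assumption: route over the tunnel
                ("0.0.0.0/0", "internet")],
    "RouterA": [("192.168.44.0/24", "direct"),
                ("172.16.1.0/24", "192.168.44.2"),   # route suggested in post 4
                ("0.0.0.0/0", "internet")],
    "192.168.44.3": [("192.168.44.0/24", "direct"), ("0.0.0.0/0", "192.168.44.1")],
}

# Which node owns which address (constructed).
ADDR_TO_NODE = {
    "172.16.1.1": "RouterC", "10.0.10.2": "RouterC",
    "10.0.10.1": "RouterB", "192.168.44.2": "RouterB",
    "192.168.44.1": "RouterA",
    "172.16.1.2": "172.16.1.2", "192.168.44.3": "192.168.44.3",
}


def next_hop(node: str, dst: str) -> str:
    """Longest-prefix match over the node's routing table."""
    best_len, best_gw = -1, None
    for prefix, gw in TABLES[node]:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and net.prefixlen > best_len:
            best_len, best_gw = net.prefixlen, gw
    return best_gw


def trace(start: str, dst: str) -> List[str]:
    """Nodes a packet traverses from `start` until it reaches the node owning `dst`."""
    path, node = [start], start
    while node != ADDR_TO_NODE[dst]:
        gw = next_hop(node, dst)
        if gw == "internet":
            raise RuntimeError(f"{node} would send {dst} to the Internet")
        node = ADDR_TO_NODE[dst] if gw == "direct" else ADDR_TO_NODE[gw]
        path.append(node)
    return path


def paths(snat_on_router_b: bool) -> Tuple[List[str], List[str]]:
    """Forward path 172.16.1.2 -> 192.168.44.3 and the reply path, with or without
    Router B rewriting the client's source address to its own LAN address."""
    fwd = trace("172.16.1.2", "192.168.44.3")
    # Without SNAT the reply is addressed to the real client; with SNAT to Router B.
    reply_dst = "192.168.44.2" if snat_on_router_b else "172.16.1.2"
    rev = trace("192.168.44.3", reply_dst)
    if snat_on_router_b:
        # Router B undoes the translation and forwards the reply to the real client.
        rev += trace("RouterB", "172.16.1.2")[1:]
    return fwd, rev


def one_way_routers(fwd: List[str], rev: List[str]) -> Set[str]:
    """Routers that see only one direction of the flow. A stateful firewall there
    receives the reply without ever having seen the request, so conntrack has no
    entry for it and treats the packet as invalid."""
    routers = {n for n in fwd + rev if n.startswith("Router")}
    return {r for r in routers if (r in fwd) != (r in rev)}


if __name__ == "__main__":
    for snat in (False, True):
        fwd, rev = paths(snat)
        print(f"SNAT on Router B: {snat}")
        print("  request:", " -> ".join(fwd))
        print("  reply:  ", " -> ".join(rev))
        print("  routers seeing one direction only:", one_way_routers(fwd, rev) or "none")
```

Without SNAT the request goes C -> B -> server while the reply goes server -> A -> B -> C, so Router A is on the reply path only; with the source rewritten to 192.168.44.2 the server answers Router B directly and every router sees both directions.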
Let’s see the configs from all 3 devices. Please make it clear which is which.
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
tutsde
June 21, 2024, 7:44am
7
===ROUTER A===
{
"kernel": "5.15.150",
"hostname": "ROUER-A",
"system": "ARMv7 Processor rev 1 (v7l)",
"model": "Linksys WRT1900ACS",
"board_name": "linksys,wrt1900acs",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "23.05.3",
"revision": "r23809-234f1a2efa",
"target": "mvebu/cortexa9",
"description": "OpenWrt 23.05.3 r23809-234f1a2efa"
}
}
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd8b:f5bd:5374::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.44.1'
list dns '8.8.8.8'
config device
option name 'wan'
option macaddr 'xx:xx:xx:xx:xx:xx'
config interface 'wan'
option device 'wan'
option proto 'static'
option ipaddr 'x.x.x.x'
option netmask '255.255.255.0'
option gateway 'x.x.x.x'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
config route
option interface 'lan'
option target '172.16.1.0/24'
option gateway '192.168.44.2'
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled '0'
===ROUTER B===
{
"kernel": "5.15.150",
"hostname": "Router-B",
"system": "ARMv7 Processor rev 1 (v7l)",
"model": "Linksys WRT3200ACM",
"board_name": "linksys,wrt3200acm",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "23.05.3",
"revision": "r23809-234f1a2efa",
"target": "mvebu/cortexa9",
"description": "OpenWrt 23.05.3 r23809-234f1a2efa"
}
}
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdbb:a8f2:97bc::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.44.2'
config device
option name 'wan'
option macaddr 'xx:xx:xx:xx:xx:xx'
config interface 'wan'
option device 'wan'
option proto 'static'
option ipaddr 'x.x.x.x'
option netmask '255.255.255.0'
option gateway 'x.x.x.x'
list dns '8.8.8.8'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
config device
option name 'tun0'
option proto 'none'
config interface 'VPN'
option device 'tun0'
option _orig_ifname 'tun0'
option _orig_bridge 'false'
option proto 'none'
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled '0'
config rule
option name 'VPN'
list proto 'udp'
option src 'wan'
option dest_port '1194'
option target 'ACCEPT'
config zone
option input 'ACCEPT'
option output 'ACCEPT'
option name 'vpn'
option network 'VPN'
option forward 'ACCEPT'
option masq '1'
config forwarding
option dest 'Intern'
option src 'vpn'
config forwarding
option dest 'lan'
option src 'vpn'
config forwarding
option dest 'wan'
option src 'vpn'
config forwarding
option dest 'vpn'
option src 'lan'
===ROUTER C===
{
"kernel": "5.15.150",
"hostname": "Router-C",
"system": "ARMv7 Processor rev 1 (v7l)",
"model": "Linksys WRT3200ACM",
"board_name": "linksys,wrt3200acm",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "23.05.3",
"revision": "r23809-234f1a2efa",
"target": "mvebu/cortexa9",
"description": "OpenWrt 23.05.3 r23809-234f1a2efa"
}
}
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fde6:4f18:bab6::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '172.16.1.1'
config device
option name 'wan'
option macaddr 'xx:xx:xx:xx:xx:xx'
config interface 'wan'
option device 'wan'
option proto 'dhcp'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
config device
option name 'tun0'
option proto 'none'
config interface 'vpn'
option device 'tun0'
option defaultroute '0'
option peerdns '0'
option proto 'none'
config route
option interface 'lan'
option target '192.168.44.0/24'
option gateway '10.0.10.1'
config defaults
option syn_flood 1
option input ACCEPT
option output ACCEPT
option forward REJECT
# Uncomment this line to disable ipv6 rules
# option disable_ipv6 1
config zone
option name lan
list network 'lan'
option input ACCEPT
option output ACCEPT
option forward ACCEPT
config zone
option name wan
list network 'wan'
list network 'wan6'
option input REJECT
option output ACCEPT
option forward REJECT
option masq 1
option mtu_fix 1
config forwarding
option src lan
option dest wan
config zone
option input 'ACCEPT'
option output 'ACCEPT'
option name 'VPN'
option forward 'ACCEPT'
option network 'vpn'
option masq '1'
config forwarding
option dest 'lan'
option src 'VPN'
config forwarding
option dest 'VPN'
option src 'lan'
config rule
option name Allow-DHCP-Renew
option src wan
option proto udp
option dest_port 68
option target ACCEPT
option family ipv4
# Allow IPv4 ping
config rule
option name Allow-Ping
option src wan
option proto icmp
option icmp_type echo-request
option family ipv4
option target ACCEPT
config rule
option name Allow-IGMP
option src wan
option proto igmp
option family ipv4
option target ACCEPT
config rule
option name Allow-DHCPv6
option src wan
option proto udp
option src_ip fc00::/6
option dest_ip fc00::/6
option dest_port 546
option family ipv6
option target ACCEPT
config rule
option name Allow-MLD
option src wan
option proto icmp
option src_ip fe80::/10
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family ipv6
option target ACCEPT
# Allow essential incoming IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Input
option src wan
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
list icmp_type router-solicitation
list icmp_type neighbour-solicitation
list icmp_type router-advertisement
list icmp_type neighbour-advertisement
option limit 1000/sec
option family ipv6
option target ACCEPT
# Allow essential forwarded IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Forward
option src wan
option dest *
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
option limit 1000/sec
option family ipv6
option target ACCEPT
config rule
option name Allow-IPSec-ESP
option src wan
option dest lan
option proto esp
option target ACCEPT
config rule
option name Allow-ISAKMP
option src wan
option dest lan
option dest_port 500
option proto udp
option target ACCEPT
config rule
option name Support-UDP-Traceroute
option src wan
option dest_port 33434:33689
option proto udp
option family ipv4
option target REJECT
option enabled false
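Reading three firewall configs by eye is error-prone (the later posts turn up both a missing lan zone and a forwarding to a zone that does not exist). As an added example, not code from this thread or from OpenWrt, here is a small audit script with a minimal UCI parser written for it: it lists the zones, the zones with masquerading enabled, and any forwarding whose src or dest names an undefined zone. The sample input is an excerpt of the Router B firewall config posted above.

```python
"""Audit of an OpenWrt UCI firewall config: lists zones, flags zones with
masquerading enabled and reports forwardings that name a zone which is not
defined. Added example, not from the thread or from OpenWrt; parse_uci is a
minimal parser written here. The sample text is an excerpt of the Router B
firewall config posted in this thread."""
import shlex
from typing import Dict, List

ROUTER_B_FIREWALL = """
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config zone
	option input 'ACCEPT'
	option output 'ACCEPT'
	option name 'vpn'
	option network 'VPN'
	option forward 'ACCEPT'
	option masq '1'

config forwarding
	option dest 'Intern'
	option src 'vpn'

config forwarding
	option dest 'lan'
	option src 'vpn'

config forwarding
	option dest 'vpn'
	option src 'lan'
"""


def parse_uci(text: str) -> List[Dict]:
    """Parse UCI 'config / option / list' syntax into a list of sections.
    Values may be single-quoted or bare (as in the Router C config); '#' starts
    a comment. Each section: {"type", "name", "options": {...}, "lists": {...}}."""
    sections: List[Dict] = []
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)
        if not parts:
            continue
        keyword, args = parts[0], parts[1:]
        if keyword == "config":
            sections.append({"type": args[0], "name": args[1] if len(args) > 1 else None,
                             "options": {}, "lists": {}})
        elif keyword == "option" and sections:
            sections[-1]["options"][args[0]] = args[1] if len(args) > 1 else ""
        elif keyword == "list" and sections:
            sections[-1]["lists"].setdefault(args[0], []).append(args[1])
    return sections


def audit_firewall(text: str) -> Dict[str, List[str]]:
    """Return the defined zone names, zones with masq '1', and zone names used
    by a forwarding but never defined by a zone section."""
    sections = parse_uci(text)
    zones = [s for s in sections if s["type"] == "zone"]
    zone_names = {z["options"].get("name") for z in zones}
    masq_zones = sorted(z["options"]["name"] for z in zones if z["options"].get("masq") == "1")
    referenced = {s["options"][k] for s in sections if s["type"] == "forwarding"
                  for k in ("src", "dest") if k in s["options"]}
    undefined = sorted(z for z in referenced if z not in zone_names)
    return {"zones": sorted(n for n in zone_names if n),
            "masq_zones": masq_zones,
            "undefined_forwarding_zones": undefined}


if __name__ == "__main__":
    for key, value in audit_firewall(ROUTER_B_FIREWALL).items():
        print(f"{key}: {value}")
```

On the posted Router B excerpt this reports masquerading on both wan and vpn (the vpn one is what trendy suggests removing further down) and two undefined zones in forwardings: Intern and lan.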
trendy
June 21, 2024, 7:57am
8
Verify that ping works; this doesn't open connections.
Try to add in router A
uci set firewall.lan.masq_allow_invalid='1'
uci commit firewall
service firewall restart
You also probably want to remove the
option masq '1'
from the Router B and C firewall for the vpn zone.
tutsde
June 21, 2024, 8:25am
9
It gives an error:
uci: Invalid argument
And if I remove masq=1 on C I cannot use the VPN connection anymore ...
If this is not a copy/paste mistake, Router B does not have a lan firewall zone defined.
Most likely, this static route was not created because you specified the wrong interface. However, this should not be a problem if indeed all traffic is routed via the vpn to Router B.
Create a SNAT rule on router B to see if it makes a difference.
nft insert rule inet fw4 srcnat ip daddr 192.168.44.0/24 counter snat ip to 192.168.44.2
Use nft list chain inet fw4 srcnat to check the rule counters.
trendy
June 21, 2024, 10:02am
11
What about the ping? Does this work?
Do it via LuCI: Network - Firewall - Edit lan zone - Conntrack Settings tab.
tutsde
June 21, 2024, 10:26am
12
Thanks.
Yes, it was a copy error.
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
I have created the SNAT and now it works ...
table inet fw4 {
chain srcnat {
type nat hook postrouting priority srcnat; policy accept;
ip daddr 192.168.44.0/24 counter packets 78 bytes 4096 snat ip to 192.168.44.2
oifname "wan" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
oifname "tun0" jump srcnat_vpn comment "!fw4: Handle vpn IPv4/IPv6 srcnat traffic"
}
}
How can I make this rule permanent in my config files?
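The "check the rule counters" step above is easy to script when several routers are involved. As an added example (not code from this thread or from nftables), the following parses the output of nft list chain inet fw4 srcnat as posted above, extracts each SNAT rule's destination match, translation address and counters, and answers whether a rule for a given destination has matched any packets. The sample output is the one tutsde posted; the parser and its function names are written here for the example.

```python
"""Parse `nft list chain inet fw4 srcnat` output and report SNAT rules with
their counters, to confirm a rule is actually matching traffic. Added example;
the parser is written here, the sample output is the one posted in this thread."""
import re
from typing import Dict, List

NFT_SRCNAT_OUTPUT = """\
table inet fw4 {
	chain srcnat {
		type nat hook postrouting priority srcnat; policy accept;
		ip daddr 192.168.44.0/24 counter packets 78 bytes 4096 snat ip to 192.168.44.2
		oifname "wan" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
		oifname "tun0" jump srcnat_vpn comment "!fw4: Handle vpn IPv4/IPv6 srcnat traffic"
	}
}
"""

COUNTER_RE = re.compile(r"counter packets (\d+) bytes (\d+)")
SNAT_RE = re.compile(r"\bsnat ip to (\S+)")
DADDR_RE = re.compile(r"\bip daddr (\S+)")


def parse_snat_rules(output: str) -> List[Dict[str, object]]:
    """One dict per rule that performs an IPv4 SNAT; chain header, braces and
    the fw4 zone jumps are skipped. Rules without a counter report 0."""
    rules: List[Dict[str, object]] = []
    for position, raw in enumerate(output.splitlines()):
        line = raw.strip()
        snat = SNAT_RE.search(line)
        if not snat:
            continue
        counter = COUNTER_RE.search(line)
        daddr = DADDR_RE.search(line)
        rules.append({
            "line": position,                      # position in the listing
            "daddr": daddr.group(1) if daddr else None,
            "snat_to": snat.group(1),
            "packets": int(counter.group(1)) if counter else 0,
            "bytes": int(counter.group(2)) if counter else 0,
        })
    return rules


def snat_rule_is_hit(output: str, daddr: str) -> bool:
    """True if a SNAT rule matching `daddr` exists and has counted packets."""
    return any(r["daddr"] == daddr and r["packets"] > 0
               for r in parse_snat_rules(output))


if __name__ == "__main__":
    for rule in parse_snat_rules(NFT_SRCNAT_OUTPUT):
        print(f"daddr {rule['daddr']} -> snat to {rule['snat_to']}: "
              f"{rule['packets']} packets, {rule['bytes']} bytes")
    print("rule for 192.168.44.0/24 hit:", snat_rule_is_hit(NFT_SRCNAT_OUTPUT, "192.168.44.0/24"))
```

Run it twice around a test ping from 172.16.1.2 and compare the packet counts; a rule whose counter stays at zero is not seeing the traffic you think it is.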
uci add firewall nat
uci set firewall.@nat[-1].name='snat_to_servers'
uci set firewall.@nat[-1].proto='all'
uci set firewall.@nat[-1].src='lan'
uci set firewall.@nat[-1].target='SNAT'
uci set firewall.@nat[-1].snat_ip='192.168.44.2'
uci set firewall.@nat[-1].dest_ip='192.168.44.0/24'
uci commit firewall
fw4 restart
system
Closed
July 1, 2024, 10:42am
15
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.