NAT Rules OpenWrt

I hope you can tell me the problem.

The addresses you're obscuring are Private IPs, they do not give away any information.

  • In this picture, your gateways are invalid, or you accidentally reversed them
  • Usually you cannot simply add 2 gateways without specifying or prioritizing them

The NAT rule is invalid and unnecessary (what you typed is, by its syntax, only a traffic rule), as LAN allows forwarding by default.

To be clear, you were pinging from 192.168.101.x to 192.168.100.232 - correct?

Ping from 192.168.178.201

I want to ping from 192.168.101.201 to 192.168.100.232.

Then fix the configuration to address the issues @lleachii already pointed out to you.

Right now your /etc/config/network file contains several errors, and you still have unnecessary NAT rules and invalid zone/interface assignments in /etc/config/firewall.

You could have achieved your desired goal with three simple changes from the factory default configuration:

  • Assign eth1 to an interface with the address 192.168.100.x/24
  • Assign eth2 to a different interface with the address 192.168.101.x/24
  • Assign both interfaces to the lan zone.

That's it. That's all you needed to do. The default firewall rules permit lan-lan traffic anyway, and the router would do what it's supposed to do and, well, route. Everything else you have done has introduced obstacles to what you claim you're trying to achieve.

Please make the requested changes and then post your revised config in text form. (Copy and paste it). This way we can make easy recommendations (if still necessary) by copying/editing only the very specific sections that require further fixes.

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        list device 'tun0'
        list network 'ETH0'
        list network 'Gateway101'
        list network 'Gateway100'

config interface 'Gateway100'
        option proto 'static'
        option device 'eth1'
        option netmask '255.255.255.0'
        option ipaddr '192.168.100.254'

config interface 'Gateway101'
        option proto 'static'
        option device 'eth2'
        option ipaddr '192.168.101.254'
        option netmask '255.255.255.0'

Ping from 192.168.101.201:
ping 192.168.101.254 works
ping 192.168.100.254 doesn't work
ping 192.168.100.232 doesn't work

Thanks for the help!

Please post the complete configuration and be sure to use the formatting.

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'ACCEPT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        list device 'tun0'
        list network 'ETH0'
        list network 'Gateway101'
        list network 'Gateway100'

config zone
        option name 'wlan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        list device 'tun0'

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr ''
        option netmask ''

config globals 'globals'
        option ula_prefix 'fd58:52a2:eab2::/48'

config device
        option name 'eth0'
        option ipv6 '0'

config device
        option name 'eth1'

config interface 'wlan'
        option proto 'dhcp'

config interface 'vlan0'
        option device 'tun0'
        option proto 'dhcp'

config device
        option name 'tun0'

config device
        option name 'eth3'

config device
        option name 'eth3'

config interface 'ETH0'
        option proto 'static'
        option device 'eth0'
        option ipaddr '192.168.178.1'
        option netmask '255.255.255.0'
        list dns '8.8.8.8'

config interface 'Gateway100'
        option proto 'static'
        option device 'eth1'
        option netmask '255.255.255.0'
        option ipaddr '192.168.100.254'

config interface 'Gateway101'
        option proto 'static'
        option device 'eth2'
        option ipaddr '192.168.101.254'
        option netmask '255.255.255.0'

The Pi is not connected to the Internet, but stays on a local network. So does the routing have to be done via NAT?

Why? What is your rationale behind that (incorrect) assumption?

Your responses indicate that you're not familiar with how TCP/IP networking (and routing) works. In and of itself, that's fine; everyone has to learn somewhere. We're not all born knowing this stuff.

But if your audience doesn't understand where your misconceptions are coming from, it's difficult for us to help correct those misconceptions.

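As an added example (not OpenWrt code and not from any poster): a small Python linter for the class of UCI mistakes named above (a device declared twice, an interface bound to no device, a static interface with an empty address, `masq` on an internal zone, one device or network claimed by two zones, a zone listing an undefined network). The sample configs are constructed, abridged copies of the /etc/config/network and /etc/config/firewall posted earlier; the "fixed" pair is the three-change minimal configuration suggested further up (two static interfaces in the default lan zone, whose forward policy is ACCEPT). The interface names net100/net101, the check names and the message wording are mine.

```python
"""Lint an OpenWrt /etc/config/network + /etc/config/firewall pair for the mistakes
pointed out in this thread.  Added example, not OpenWrt code: the checks and their
wording are mine; the samples are constructed, abridged copies of the posted config
and of the suggested three-change minimal configuration."""
import re
from collections import Counter

POSTED_NETWORK = """
config interface 'loopback'
    option device 'lo'
    option proto 'static'
    option ipaddr ''
    option netmask ''
config device
    option name 'eth3'
config device
    option name 'eth3'
config interface 'wlan'
    option proto 'dhcp'
config interface 'Gateway100'
    option proto 'static'
    option device 'eth1'
    option ipaddr '192.168.100.254'
    option netmask '255.255.255.0'
config interface 'Gateway101'
    option proto 'static'
    option device 'eth2'
    option ipaddr '192.168.101.254'
    option netmask '255.255.255.0'
"""
POSTED_FIREWALL = """
config zone
    option name 'lan'
    option masq '1'
    list device 'tun0'
    list network 'Gateway100'
    list network 'Gateway101'
config zone
    option name 'wlan'
    option masq '1'
    list device 'tun0'
"""
# The suggested fix: two static interfaces, both in the default lan zone, which
# already forwards lan<->lan; no masq.  Interface names net100/net101 are mine.
FIXED_NETWORK = """
config interface 'net100'
    option proto 'static'
    option device 'eth1'
    option ipaddr '192.168.100.254'
    option netmask '255.255.255.0'
config interface 'net101'
    option proto 'static'
    option device 'eth2'
    option ipaddr '192.168.101.254'
    option netmask '255.255.255.0'
"""
FIXED_FIREWALL = """
config zone
    option name 'lan'
    option forward 'ACCEPT'
    list network 'net100'
    list network 'net101'
"""

SECTION = re.compile(r"^config\s+(\S+)(?:\s+'([^']*)')?$")
ENTRY = re.compile(r"^(option|list)\s+(\S+)\s+'([^']*)'$")

def parse_uci(text):
    """Return [(type, name, {key: [values]})]; a 'list' key keeps every value."""
    sections = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := SECTION.match(line):
            sections.append((m[1], m[2], {}))
        elif (m := ENTRY.match(line)) and sections:
            sections[-1][2].setdefault(m[2], []).append(m[3])
    return sections

def lint(network_text, firewall_text):
    """Return sorted findings for the pair; an empty list means nothing flagged."""
    net, fw, out = parse_uci(network_text), parse_uci(firewall_text), []
    ifaces = {name: o for t, name, o in net if t == "interface"}
    devs = Counter(o.get("name", ["?"])[0] for t, _, o in net if t == "device")
    out += [f"network: device '{d}' is declared {n} times" for d, n in devs.items() if n > 1]
    for name, o in ifaces.items():
        if "device" not in o:
            out.append(f"network: interface '{name}' is bound to no device")
        if o.get("proto") == ["static"] and not (o.get("ipaddr", [""])[0] and o.get("netmask", [""])[0]):
            out.append(f"network: static interface '{name}' has no usable ipaddr/netmask")
    refs = {}  # (kind, value) -> zones claiming it; each device/network belongs to one zone
    for t, _, o in fw:
        if t != "zone":
            continue
        zone = o.get("name", ["?"])[0]
        for kind in ("network", "device"):
            for ref in o.get(kind, []):
                refs.setdefault((kind, ref), []).append(zone)
        out += [f"firewall: zone '{zone}' lists undefined network '{r}'" for r in o.get("network", []) if r not in ifaces]
        if o.get("masq") == ["1"]:
            out.append(f"firewall: zone '{zone}' enables masq; routing between attached subnets needs no NAT")
    out += [f"firewall: {k} '{r}' sits in {len(z)} zones: {', '.join(z)}" for (k, r), z in refs.items() if len(z) > 1]
    return sorted(out)

if __name__ == "__main__":
    print(*lint(POSTED_NETWORK, POSTED_FIREWALL), lint(FIXED_NETWORK, FIXED_FIREWALL) or "fixed: clean", sep="\n")
```

Run against the posted pair it reports six findings; the fixed pair comes back clean. The `masq` finding is the one this thread keeps circling: masquerading rewrites the source address of forwarded packets, which is what you need when the far side cannot route back to you (an ISP uplink), not when both subnets hang off the same router and every host has that router as its gateway.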

OK, but where is the mistake? I posted the code.

You've been told what configuration entries are incorrect. Fix them first.

As for "routing has to be done via NAT", you haven't explained why you believe that. It's okay; you don't have to. But if you don't explain why you believe that, it's going to be more difficult for people here to help you learn the correct answer.

Sorry, but I don't understand how a packet from x.x.100.201, in the x.x.100.x address range, is translated into, e.g., the x.x.102.x range. I send a packet from x.x.100.201 into the ETH1 interface of the Pi, which has the IP x.x.100.254. From the ETH2 interface, the packet is to be sent into the x.x.102.254 address range to a participant with the IP x.x.102.232, on the local network. How does it work?

See NAT Rules OpenWrt - #19 by iplaywithtoys

I'll try to summarise, as best I can.

Device A: I want to talk to Device B. This is Device B's IP address. Is Device B on the same subnet as me?
...
Device A: Oh. Device B is not on the same subnet as me. I cannot send my message directly, but must send it through an intermediary (a router). Do I know a specific route for Device B? Or do I know a general route for all messages to everywhere?
...
Device A: Ah! I know a general route for all messages to everywhere. I'll send the message via that route.
Hello? Router?
...
Router: Hello! What's this? Device A wants to send a message to Device B. Okay, then. Is Device B on any subnet that I am also on?
...
Router: Yes! I have another interface on the same subnet as Device B. Hello! Device B?
...
Device B: Yes? What is it?
...
Router: I have a message for you from Device A. Here it is.
...
Device B: Excellent. Message received. Please tell Device A that I received the message.
...
Router: Hello? Device A? Device B has received your message.

Your configuration contains 100 and 101, but does not contain 102.

Hi

Let's try it this way.
You have:
a network on the left side, 192.168.100.x/24
a router in the middle (192.168.100.254 / 192.168.102.254)
a network on the right side, 192.168.102.x/24

So, the PC on the left side has its gateway pointed at the router,
and the PC on the right side has its gateway pointed at the router.

Suppose the firewall allows traffic to pass between the 100 and 102 networks.

When the PC on the left side wants to communicate with the PC on the right side, it sends all that traffic to the GW in the middle. The GW passes this traffic on to the PC on the right side.
The PC on the right side will "see" this traffic coming from 100.x, so the PC on the right side replies through the GW back to the left side.

It is very basic L3 routing.

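The exchange the two posts above walk through (Device A asks "same subnet, or via my gateway?"; the router checks which of its interfaces owns the destination subnet; the reply makes the same decision in reverse), as an added example that is not part of any post here. It is a small Python model with constructed hosts using the thread's addresses; `Host`, `Router`, `deliver`, `ping` and the host names are mine. No NAT appears anywhere in it, which is the point. It also runs the two failure cases a practitioner would check for: a destination subnet the router has no interface on (the 102 remark above), and a target host with no gateway set, where the echo request arrives but the reply has nowhere to go, so the ping still fails.

```python
"""Model the ping walked through in the two posts above: the host asks 'same subnet,
or via my gateway?', the router forwards onto whichever of its interfaces owns the
destination subnet, and the reply makes the same decision in reverse.  Added
example, not from the posts: Host/Router/deliver/ping and the sample hosts are
mine, with addresses taken from the thread.  No NAT is modelled anywhere."""
from ipaddress import ip_address, ip_interface

class Host:
    def __init__(self, name, addr, gateway=None):
        self.name, self.iface = name, ip_interface(addr)
        self.gateway = ip_address(gateway) if gateway else None

    def next_hop(self, dst):
        """Device A's decision: on my subnet -> deliver directly, else -> default gateway."""
        dst = ip_address(dst)
        return dst if dst in self.iface.network else self.gateway  # None: no route

class Router:
    def __init__(self, name, *addrs):
        self.name, self.ifaces = name, [ip_interface(a) for a in addrs]

    def owns(self, addr):
        return any(ip_address(addr) == i.ip for i in self.ifaces)

    def egress(self, dst):
        """The router's decision: which of my interfaces is on the destination's subnet?"""
        dst = ip_address(dst)
        return next((i for i in self.ifaces if dst in i.network), None)

def deliver(src, dst_ip, router):
    """One direction only: the hops from src towards dst_ip, or a string saying where it stops."""
    dst_ip = ip_address(dst_ip)
    hop = src.next_hop(dst_ip)
    if hop is None:
        return f"{src.name}: {dst_ip} is off-subnet and no gateway is configured"
    if hop == dst_ip:
        return [src.name, str(dst_ip)]                 # same subnet: no router involved
    if not router.owns(hop):
        return f"{src.name}: gateway {hop} is not an address of {router.name}"
    if router.owns(dst_ip):
        return [src.name, router.name]                 # pinging the router itself
    out = router.egress(dst_ip)
    if out is None:
        return f"{router.name}: no interface on a subnet containing {dst_ip}"
    return [src.name, f"{router.name} ({hop} -> {out.ip})", str(dst_ip)]

def ping(src, dst_ip, router, hosts):
    """Echo request plus echo reply; both must get through.  Returns (ok, there, back).
    hosts maps address strings to the Host objects that exist on the wire."""
    there = deliver(src, dst_ip, router)
    if not isinstance(there, list):
        return False, there, None
    if router.owns(dst_ip):                           # the router answers out of the interface facing src
        back = [router.name, src.name] if router.egress(src.iface.ip) else f"{router.name}: no route back"
    elif dst_ip in hosts:                             # the target host makes its own routing decision
        back = deliver(hosts[dst_ip], src.iface.ip, router)
    else:
        back = f"{dst_ip}: nothing answers at that address"
    return isinstance(back, list), there, back

# Constructed fixtures matching the thread (pc_left_nogw is a variant with no gateway set).
PI = Router("pi", "192.168.100.254/24", "192.168.101.254/24")
HOSTS = {
    "192.168.100.232": Host("pc_left", "192.168.100.232/24", "192.168.100.254"),
    "192.168.100.233": Host("pc_left_nogw", "192.168.100.233/24"),
    "192.168.101.201": Host("pc_right", "192.168.101.201/24", "192.168.101.254"),
}
RIGHT = HOSTS["192.168.101.201"]

if __name__ == "__main__":
    for target in ("192.168.101.254", "192.168.100.254", "192.168.100.232",
                   "192.168.100.233", "192.168.102.232"):
        ok, there, back = ping(RIGHT, target, PI, HOSTS)
        print(f"{target}: {'ok' if ok else 'FAIL'}  there={there}  back={back}")
```

Note what the model shows about the symptom "pinging the router's far address works, pinging a host behind it does not": the router answers its own address itself, so that test proves nothing about the far host's return path. A host that has no gateway (or the wrong one) receives the request and then drops the reply, which is indistinguishable from a firewall drop when you only look at the sending side.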

Thanks!
Which gateway IP do I have to set in G1 and G2?

config interface 'Gateway100'
        option proto 'static'
        option device 'eth1'
        option netmask '255.255.255.0'
        option ipaddr '192.168.100.254'

config interface 'Gateway101'
        option proto 'static'
        option device 'eth2'
        option ipaddr '192.168.101.254'
        option netmask '255.255.255.0'

Hi

Clearly, you don't understand.

The GW address needs to be set on the PC!!!
Either by hand, or via DHCP (automatically).

So, your PC on the left side (network 100) needs its GW set to 192.168.100.254,
and the PC on the right side (101) needs its GW set to 192.168.101.254,

because 100.254 and 101.254 are your router's addresses, and your router sits in the middle between the 100 and 101 networks.

look:
PC left: IP: 192.168.100.232
Sub: 255.255.255.0
GW: 192.168.100.254

PI:

config interface 'Gateway100'
        option proto 'static'
        option device 'eth1'
        option netmask '255.255.255.0'
        option ipaddr '192.168.100.254'

config interface 'Gateway101'
        option proto 'static'
        option device 'eth2'
        option ipaddr '192.168.101.254'
        option netmask '255.255.255.0'

PC right: IP: 192.168.101.201
SUB: 255.255.255.0
GW: 192.168.101.254

Ping from 101.201 to 100.254 works
Ping from 101.201 to 100.232 doesn't work

Firewall:

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'ACCEPT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        list device 'tun0'
        option mtu_fix '1'
        list network 'Gateway100'
        list network 'Gateway101'

config zone
        option name 'wlan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        list device 'tun0'

config zone
        option name 'OPEN_VPN'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'

By this point it'd probably be easier to reset the thing to factory defaults and set up the configuration again. And this time, test each change as you make it. Don't apply a whole lot of configuration changes and then test; it'll be a lot harder to find and fix any errors.

By your own admission, the Pi does not have a connection to the Internet (despite the presence of a rather curious 8.8.8.8 DNS entry), so I don't imagine that resetting to defaults and starting again will cause any significant issues.

Hmm, I have a feeling that your install is messed up :)
Please reset to defaults,
then
set up the left side,
set up the right side,
and try to ping between the networks.
If you start to configure anything/everything other than left/right, you will end up in this situation again :(
