[SOLVED] Help on firewall setting through another router

Hi All,

I need your help to get a working firewall setting which I'm struggling with.

  • My domestic LAN is connected to a WRT3200ACM running the latest OpenWrt (192.168.100.1) with mwan3.
  • I've set another router running LEDE 17.01.7 (192.168.10.1) as one of its WANs.
  • The LEDE router uses a smartphone on USB tethering (192.168.42.129) as its WAN.
  • On the smartphone there is a webcam app accessible on port 7777.

In my previous setup the smartphone was connected as WAN to the Linksys and the webcam was accessible from any device in the domestic LAN directly at 192.168.42.129:7777.

Now I have tried several settings but I'm not able to reach port 7777 from the LAN.
Since I'm able to reach the LEDE LuCI interface from any PC of the domestic LAN, I tried setting a port forward on LEDE from any PC on lan:7777 (the LAN of the LEDE router is actually the Linksys) to 192.168.42.129:7777, but it doesn't work. Any suggestions?

Thanks

Why are you running mwan3? Is there a second wan connection?
If so, have you configured mwan3 to send the packets towards 192.168.42.129 via the other router?
Are you applying masquerade on both uplinks?


Correct,

I have 4 WANs connected in load balancing to the Linksys: 1 x FTTC + 1 x usb_cdc_ether (4G router) + 2 x usb_rndis (2 Android smartphones in USB tethering).
There were some performance issues and conflicts with having 2 x RNDIS active at the same time that forced me to use another router as a WAN, where I connected the second RNDIS device.
I made a basic schematic:

What I'm trying to do is enable a port forward on the A5-V11 router (running LEDE) so the devices on LAN/WLAN can connect to port 7777 opened on Android phone 2.

It's not so much running two instances of RNDIS as that both smartphones have the same IP address (192.168.42.129). This is, as you would expect, a problem since IPv4 routing is based on having unique addresses and subnets.

Requests for the camera have to go to the remote smartphone (192.168.42.129 via 192.168.10.1), and not the local smartphone which exists locally on the main Linksys router.

As you were thinking, inside the A5 router it might work to forward port 7777 of 192.168.10.1 to 192.168.42.129 (since the A5 doesn't know about the other smartphone), then access the camera as 192.168.10.1:7777. I have never tried that other than as a forward back through NAT, which is not the case here.

Try enabling masquerade on the lan zone. That is ordinarily a pointless thing to do, since no traffic will originate from the wan zone into the lan, but it might get the tables set up so that a port forward works.


I found a way:

I added this:

iptables -t nat -A PREROUTING -p tcp --dport 7777 -j DNAT --to-destination 192.168.42.129:7777
iptables -t nat -A POSTROUTING -p tcp -d 192.168.42.129 --dport 7777 -j SNAT --to-source 192.168.10.1

as custom rules in the A5-V11 LEDE router.

Thanks all
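
Added example (not the poster's rules and not stock LEDE configuration): the same DNAT-then-source-NAT approach, but scoped so that only TCP/7777 arriving from the LAN and addressed to the A5 itself gets rewritten, instead of every TCP/7777 flow that transits the router from any interface. Assumptions not stated in the thread: the A5's LAN bridge is `br-lan` and the RNDIS tethering interface is `usb0`; MASQUERADE on the outgoing interface is used in place of a fixed `--to-source`, so the source becomes whatever address the A5 holds on the phone's subnet and no phone-side address is hard-coded. Call `camera_nat_rules` from `/etc/firewall.user` (fw3 on LEDE 17.01 runs that file after loading its own rules), or run the script with `apply`; `show` prints the rules without touching the kernel.

```shell
#!/bin/sh
# Added example for the A5-V11 (LEDE 17.01, fw3/iptables); not code from the thread.
# Assumed interface names (not given in the thread): br-lan = LAN bridge, usb0 = RNDIS WAN.
LAN_IF=${LAN_IF:-br-lan}
WAN_IF=${WAN_IF:-usb0}
ROUTER_LAN_IP=192.168.10.1   # the A5's address as seen from the Linksys side
CAM_IP=192.168.42.129        # the tethered phone running the webcam app
CAM_PORT=7777

# IPT defaults to iptables; set IPT=echo to print the rules instead of applying them.
: "${IPT:=iptables}"

camera_nat_rules() {
  # 1) Rewrite only TCP/7777 that enters on the LAN side and is addressed to the router
  #    itself. Without -i/-d the rule would hijack every TCP/7777 connection passing
  #    through the box, whatever its real destination or ingress interface.
  $IPT -t nat -A PREROUTING -i "$LAN_IF" -d "$ROUTER_LAN_IP" \
       -p tcp --dport "$CAM_PORT" \
       -j DNAT --to-destination "$CAM_IP:$CAM_PORT"
  # 2) Source-NAT the forwarded flow as it leaves the tethering interface, so the phone
  #    replies to the A5 and not to a 192.168.100.x / 192.168.10.x address it cannot
  #    route back to. MASQUERADE takes the address the A5 holds on usb0, so the phone's
  #    DHCP lease never has to be hard-coded. With the default wan zone masquerade this
  #    is already covered; it is kept explicit so the dependency is visible.
  $IPT -t nat -A POSTROUTING -o "$WAN_IF" -d "$CAM_IP" \
       -p tcp --dport "$CAM_PORT" \
       -j MASQUERADE
}

case "${1:-}" in
  apply) camera_nat_rules ;;            # e.g. invoked from /etc/firewall.user
  show)  IPT=echo camera_nat_rules ;;   # dry run: print the two rules
esac
```

The lan-to-wan forwarding needed for the rewritten packets is allowed by the LEDE zone defaults, which is also why the poster's two nat rules were enough on their own; if that forwarding has been disabled, the flow will be DNATed and then dropped in the FORWARD chain, and `iptables -t nat -nvL PREROUTING` will show the DNAT counter rising while no reply comes back.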
