VPN to LAN port forwarding

Hi guys,

I've been searching the forums and can't quite find the answer.

I have an openwrt router on one location which gets internet from a separate 3g router (CG-NAT). The IP of pptp client router is 192.168.0.2 and the main router (with the 3g stick) is on 192.168.0.1. I've set up a pptp wan connection to a pptp server of my own (router 10.0.0.20, server 10.0.0.1). Now, I've managed to access the ssh of the remote router when I connect to 10.0.0.20:22 by setting the following rules:

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp udp'
	option src_dport '222'
	option dest_ip '192.168.0.2'
	option dest_port '222'
	option name 'Router SSH'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'tcp udp'
	option dest_port '222'
	option name 'Router SSH'

However, my intention is to access a web ui of a server on the same net as this router on port 80. I've tried setting up a redirect:

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp udp'
	option src_dport '8080'
	option dest_ip '192.168.0.20'
	option dest_port '80'
	option name 'WEB'

But it won't work. Each time I try accessing 10.0.0.20:8080 nothing happens, the port is not forwarded.

I'm trying to bypass the CG-NAT by using a VPN server I run, but I'm doing something wrong. How can I set up the second router to allow port forwarding to LAN address:port?

Thanks 🙂

In case of SSH the redirect is not needed. The rule is enough. Also SSH works with TCP, no need for UDP.
I suspect that the second redirect is not working because the web server is using the main router with the 3G stick as a gateway, causing routing asymmetry and dropped packets. You would need to connect all the lan clients on the OpenWrt only and only the OpenWrt to connect to the 3g router.


Ok, I've been playing with everything trying to figure out what's the best way to do this and I've made the openwrt the main router while the 3g one is just serving internet.

However, now I need policy routing a few ports through VPN while everything else goes outside it (normal WAN - 3g router - it serves wan access through main router WAN interface).

I've been trying to use the following script:

# get vpn ip (VPN gateway; this router's own VPN address is 10.0.0.11)
VPN_IP=10.0.0.1

# flush table 100 and rules (ignore errors if they do not exist yet)
ip route flush table 100
ip route del default table 100 2>/dev/null
ip rule del fwmark 100 table 100 2>/dev/null
ip route flush cache

# create table 100
ip route add default table 100 via $VPN_IP
ip rule add fwmark 100 table 100
ip route flush cache

# create torrent rules
iptables -t mangle -I PREROUTING 1 -p tcp --dport 8080 -j MARK --set-mark 100
# end

But when I connect with another client from a different network to the VPN and try to access 10.0.0.11:8080 nothing happens, it times out. I did forward the ports from 80 to 8080 VPN -> LAN.

I'm a bit of a newbie to policy routing but am trying to learn, so sorry if I made a mistake with this?

The reason for doing this is that I want remote access to this while not routing traffic through vpn for everything.

Of course, because you initially are trying to access the router itself and then you redirect it to another routing table over the VPN.

What you want to do is Policy Based Routing and you have 3 options:

  1. mwan3 package
  2. pbr package
  3. a set of rules/routes for each internet connection.

I'd go for option 2 since you are a newbie to that.

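One way to do option 3 by hand, as an added example that is not from the thread: instead of marking by destination port, it connection-marks traffic that arrives through the VPN so that the replies (from the LAN web server or from the router itself) are routed back out through the VPN table rather than the 3G default route, which is the asymmetry the first reply describes. The VPN gateway 10.0.0.1 and table/mark 100 follow the script above; the interface name pptp-vpn is an assumption, and the port forward itself stays a normal config redirect in /etc/config/firewall.

```shell
#!/bin/sh
# Added example, not from the thread: hand-written policy routing (option 3)
# that sends replies to VPN-originated connections back over the VPN.
# Assumptions: VPN gateway 10.0.0.1, VPN interface pptp-vpn (hypothetical name),
# table and mark 100 as in the poster's script. CONNMARK needs the connmark
# netfilter extension (packaged on OpenWrt as kmod-ipt-conntrack-extra).
VPN_GW=10.0.0.1
VPN_IF=pptp-vpn
TABLE=100
MARK=100

# Execute a command, or only print it when DRY_RUN=1 so the rules can be reviewed first.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

vpn_return_routing() {
    # Table 100: its only default route points at the VPN gateway.
    run ip route flush table "$TABLE"
    run ip route add default via "$VPN_GW" dev "$VPN_IF" table "$TABLE"

    # Packets carrying mark 100 are looked up in table 100 (delete first so re-runs do not duplicate).
    run ip rule del fwmark "$MARK" table "$TABLE" 2>/dev/null || true
    run ip rule add fwmark "$MARK" table "$TABLE"

    # Remember, per connection, that its first packet came in through the VPN...
    run iptables -t mangle -A PREROUTING -i "$VPN_IF" -m state --state NEW \
        -j CONNMARK --set-mark "$MARK"
    # ...and copy that connection mark onto every later packet of the same connection.
    # Replies from the LAN server arrive in PREROUTING, replies from the router's own
    # services (e.g. SSH) go through OUTPUT; both then route via table 100, not the 3G WAN.
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark

    run ip route flush cache
}

# 'show' prints the commands, 'apply' runs them (e.g. called from /etc/firewall.user).
case "${1:-}" in
    show)  DRY_RUN=1 vpn_return_routing ;;
    apply) vpn_return_routing ;;
esac
```

Traffic the LAN starts itself is never marked, so it keeps using the normal WAN default route; only connections that entered through the VPN get their replies sent back through it.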

Sadly, solutions 1 and 2 are out since I'm forced to use 12.09. I've installed multiwan but it doesn't pick up the vpn as being online until I restart the service. If I set it up via cron to restart every hour, it can still break and transfer everything back to wan (stop working the way I need it to)

I managed to set wan as default by changing metric to 10 and vpn metric to 20, but I'm not sure if that's the best approach.

12.09 is ancient, vulnerable and unsupported. You won't be able to find anyone running the same version to help you troubleshoot and even if you do, there won't be much to do, since it is not supported anymore.
If you cannot upgrade it, you can find inexpensive devices which support latest versions.
