OpenWrt Forum Archive

Topic: Masquerading br-lan to a tap-device does not work

The content of this topic has been archived on 5 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi,

I have a Linksys WRT54GS with the upcoming kamikaze pre1 branch. I have configured openvpn as a point-to-multipoint setup and it is running fine so far.

wds1 /root # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
84.59.0.1       0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.3.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan
192.168.200.0   0.0.0.0         255.255.255.0   U     0      0        0 tap0
0.0.0.0         84.59.0.1       0.0.0.0         UG    0      0        0 ppp0

If I do a ping from the router to a connected client, everything is doing as expected. If doing the same from e.g. 192.168.3.150, my desktop machine, the request ends up on the router.

All changes that I made to the firewall.user script are shown here:

# SSH to the desktop: WAN port 2222 is forwarded to 192.168.3.150:22
iptables -t nat -A prerouting_wan -p tcp --dport 2222 -j DNAT --to 192.168.3.150:22
iptables        -A forwarding_wan -p tcp --dport 22 -d 192.168.3.150 -j ACCEPT
# SSH to the router itself, rate limited, plus HTTPS
iptables        -A input_wan      -p tcp --dport 22 -j ACCEPT -m limit --limit 3/min --limit-burst 3
iptables        -A input_wan      -p tcp --dport 443 -j ACCEPT

# drop forwarded traffic that the ipp2p match classifies as peer-to-peer
iptables        -A forwarding_rule -m ipp2p --ipp2p -j DROP

# masquerade traffic leaving through a tap interface towards the VPN subnet
iptables -t nat -A postrouting_rule -j MASQUERADE -o tap+ -d 192.168.200.0/24
iptables        -A input_wan -i tap+ -j ACCEPT

And I had restarted the router. I checked iptables:

wds1 /root # iptables -t nat -L -nv
Chain PREROUTING (policy ACCEPT 38686 packets, 2700K bytes)
 pkts bytes target     prot opt in     out     source               destination         
18814 1004K NEW        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW 
38686 2700K prerouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 5263  461K prerouting_wan  all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           

Chain POSTROUTING (policy ACCEPT 219 packets, 70350 bytes)
 pkts bytes target     prot opt in     out     source               destination         
24540 1450K postrouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
24319 1379K MASQUERADE  all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 2814 packets, 303K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain NEW (1 references)
 pkts bytes target     prot opt in     out     source               destination         
18814 1004K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 50/sec burst 100 
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain postrouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    2   168 MASQUERADE  all  --  *      tap+    0.0.0.0/0            192.168.200.0/24    

Chain prerouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain prerouting_wan (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:2222 to:192.168.3.150:22

Even ip_forward:

wds1 /root # cat /proc/sys/net/ipv4/ip_forward 
1

The 168 bytes you can see on the masquerading chain for tap+ are not coming from the pings, I checked that with

while true; do
  clear;
  iptables -t nat -L postrouting_rule -nv
  sleep 1
done

while pinging from the client.

I have no idea why I cannot contact machines behind the tap+ device. Do you have any ideas on that? Please :-)

Kind regards

Christian

Added

iptables        -A forwarding_rule -i br-lan -o tap+ -j ACCEPT

and now it works
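Why the counter on the tap+ MASQUERADE rule stayed at zero, and why pinging from the router itself worked while pinging from the desktop did not, follows from the order in which a packet crosses the netfilter hooks: a forwarded packet only reaches nat POSTROUTING (where MASQUERADE lives) after the filter FORWARD chain has accepted it, whereas a locally generated ping takes the OUTPUT path and never sees FORWARD at all. The following model is an added example written for this page; it is not code from the thread or from OpenWrt. It rebuilds the chain layout visible in the iptables -t nat -L -nv dump and the route -n output above, assumes a default-deny policy on the filter FORWARD chain (the filter table is not shown in the post), omits the TCP/DNAT rules that do not affect an ICMP echo, and uses a constructed peer address 192.168.200.10 behind tap0. Function and variable names are the example's own.

```python
"""Model of netfilter hook order: shows why a MASQUERADE rule in nat POSTROUTING
is never hit when the filter FORWARD chain drops the packet first.
Assumptions: FORWARD policy DROP; peer 192.168.200.10 is constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TERMINAL = {"ACCEPT", "DROP", "MASQUERADE"}

# Routing table taken from the post's route -n output.
ROUTES = {"192.168.3.0/24": "br-lan", "192.168.200.0/24": "tap0", "0.0.0.0/0": "ppp0"}


def route(dst: str) -> str:
    """Longest-prefix match: the outgoing interface for dst."""
    addr = ipaddress.ip_address(dst)
    best = max((ipaddress.ip_network(n) for n in ROUTES if addr in ipaddress.ip_network(n)),
               key=lambda n: n.prefixlen)
    return ROUTES[str(best)]


@dataclass
class Rule:
    target: str                  # ACCEPT/DROP/MASQUERADE/RETURN or a user chain to jump to
    in_if: Optional[str] = None  # -i, supports iptables' "tap+" prefix wildcard
    out_if: Optional[str] = None # -o
    dst: Optional[str] = None    # -d, CIDR
    pkts: int = 0                # hit counter, like the pkts column of iptables -nv


def iface_match(pattern: Optional[str], name: Optional[str]) -> bool:
    if pattern is None:
        return True
    if name is None:             # locally generated packet has no input interface
        return False
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return pattern == name


def matches(rule: Rule, pkt: dict) -> bool:
    return (iface_match(rule.in_if, pkt["in"]) and iface_match(rule.out_if, pkt["out"])
            and (rule.dst is None
                 or ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(rule.dst)))


class Table:
    """One iptables table: built-in chains with a policy plus user-defined chains."""
    def __init__(self, policies: Dict[str, str]):
        self.policies = policies
        self.chains: Dict[str, List[Rule]] = {}

    def append(self, chain: str, rule: Rule) -> Rule:
        self.chains.setdefault(chain, []).append(rule)
        return rule

    def _walk(self, chain: str, pkt: dict) -> Optional[str]:
        for rule in self.chains.get(chain, []):
            if not matches(rule, pkt):
                continue
            rule.pkts += 1                         # counter ticks only when the rule is reached
            if rule.target == "RETURN":
                return None
            if rule.target in TERMINAL:
                return rule.target
            verdict = self._walk(rule.target, pkt)  # jump into a user-defined chain
            if verdict is not None:
                return verdict
        return None                                # fell off the end: caller or policy decides

    def verdict(self, chain: str, pkt: dict) -> str:
        return self._walk(chain, pkt) or self.policies[chain]


def build_router(with_forwarding_fix: bool) -> Tuple[Table, Table, Rule]:
    """Chain layout from the post; returns the tap+ MASQUERADE rule so its counter can be read."""
    nat = Table({"PREROUTING": "ACCEPT", "OUTPUT": "ACCEPT", "POSTROUTING": "ACCEPT"})
    nat.append("PREROUTING", Rule("prerouting_rule"))
    nat.append("POSTROUTING", Rule("postrouting_rule"))
    nat.append("POSTROUTING", Rule("MASQUERADE", out_if="ppp0"))
    masq_tap = nat.append("postrouting_rule",
                          Rule("MASQUERADE", out_if="tap+", dst="192.168.200.0/24"))
    filt = Table({"FORWARD": "DROP", "OUTPUT": "ACCEPT"})  # assumption: default-deny FORWARD
    filt.append("FORWARD", Rule("forwarding_rule"))
    filt.append("FORWARD", Rule("forwarding_wan", in_if="ppp0"))
    if with_forwarding_fix:                                 # the rule that made it work
        filt.append("forwarding_rule", Rule("ACCEPT", in_if="br-lan", out_if="tap+"))
    return nat, filt, masq_tap


def traverse(nat: Table, filt: Table, pkt: dict) -> List[Tuple[str, str]]:
    """Hooks in the order the packet crosses them; stops at the first DROP."""
    pkt["out"] = route(pkt["dst"])
    if pkt["in"] is None:   # ping from the router: OUTPUT path, FORWARD is never consulted
        hooks = [("nat/OUTPUT", nat), ("filter/OUTPUT", filt), ("nat/POSTROUTING", nat)]
    else:                   # ping from the LAN desktop: forwarded path
        hooks = [("nat/PREROUTING", nat), ("filter/FORWARD", filt), ("nat/POSTROUTING", nat)]
    trace = []
    for name, table in hooks:
        verdict = table.verdict(name.split("/")[1], pkt)
        trace.append((name, verdict))
        if verdict == "DROP":
            break
    return trace


def ping(src_if: Optional[str], with_forwarding_fix: bool) -> Tuple[List[Tuple[str, str]], int]:
    """One echo request to the VPN peer: returns (hook trace, hits on the tap+ MASQUERADE rule)."""
    nat, filt, masq_tap = build_router(with_forwarding_fix)
    pkt = {"in": src_if, "dst": "192.168.200.10"}   # constructed peer address behind tap0
    return traverse(nat, filt, pkt), masq_tap.pkts


if __name__ == "__main__":
    for src, fix in ((None, False), ("br-lan", False), ("br-lan", True)):
        trace, hits = ping(src, fix)
        print(f"from {src or 'router'}, fix={fix}: {trace}, tap+ MASQUERADE hits={hits}")
```

The practical check this encodes: a zero (or only occasionally ticking) counter on a nat POSTROUTING rule says nothing about the NAT rule itself; look at the filter FORWARD chain and its policy first, which is where the accepted fix went. Note that the fix rule is one-directional (br-lan into tap+); the model assumes, as the post does not show, that replies are let back in by the firewall's usual state-tracking rule for established connections.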

The discussion might have continued from here.