I have been battling this for some time now and vacuumed the internet for examples but it does not simply work for me.
Some data:
Router: RT-AX88U
Firmware Version: Merlin 386.7_2
Router IP: 192.168.1.1
Server local IP: 192.168.1.23
I'm sure there is something trivial that I have missed or what I'm trying to do is impossible.
There is LAN, WAN, TUN11 & TUN12 + Guest network configured.
I "only" need to sort out the TUN11 <-> LAN bit.
Any help I can get is highly appreciated since I have very little knowledge with iptables etc.
OK, I'll try to explain my issue as well as I can.
What does work:
Accessing the server from outside the local network works perfectly.
These are the current rules that allow outside connections:
Code:
# Allow forwarded traffic arriving on the VPN tunnel to reach the web server
iptables -I FORWARD -i tun11 -p tcp -d 192.168.1.23 --dport 80 -j ACCEPT
# Rewrite the destination of port-80 traffic arriving on tun11 to the server (only matches packets that enter on tun11)
iptables -t nat -I PREROUTING -i tun11 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.23
If I put my computer on its own VPN client on the computer itself I gain access, but I guess I am leaving the LAN in that scenario.
What does not work:
Connections are being dropped when accessing my server through the EXT_IP from a device within the LAN.
From tcpdump I see that the local IP is not masqueraded, so I believe the server is replying to the local IP instead of the router that has NAT:ed the packet.
What I have tried:
Code:
# Note: POSTROUTING has no input interface, so iptables rejects "-i" here ("Can't use -i with POSTROUTING"); only "-o" is valid in this chain
iptables -t nat -I POSTROUTING -i tun11 -p tcp --dst 192.168.1.23 --dport 80 -j SNAT --to-source 192.168.1.1
# Masquerade LAN-to-LAN port-80 traffic; no "-o" given, so it applies on every outgoing interface
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.0/24 -p tcp --dport 80 -j MASQUERADE
And different variants of the above and also tried setting --to-source to external IP.
But no matter what I do the local IP is always present when looking at tcpdump and the connection is refused.
Here's the rest of the pertinent iptables output (I think).
I see in the POSTROUTING that tun11 already is MASQ'd but I'm not sure I'm reading all this correctly.
Code:
iptables -t nat -vL -n
Chain PREROUTING (policy ACCEPT 15374 packets, 1374K bytes)
pkts bytes target prot opt in out source destination
42 1800 DNSVPN1 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
26385 1711K DNSVPN1 udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
42 1800 DNSVPN2 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
4877 309K DNSVPN2 udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
922 50440 DNAT tcp -- tun11 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:192.168.1.23
25824 1195K GAME_VSERVER all -- * * 0.0.0.0/0 EXTERNAL IP
25824 1195K VSERVER all -- * * 0.0.0.0/0 EXTERNAL IP
4982 315K DNSFILTER udp -- br+ * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
20 820 DNSFILTER tcp -- br+ * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
Chain INPUT (policy ACCEPT 1886 packets, 269K bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1092 packets, 134K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 3341 packets, 213K bytes)
pkts bytes target prot opt in out source destination
145K 15M MASQUERADE all -- * tun11 0.0.0.0/0 0.0.0.0/0
24727 3832K MASQUERADE all -- * tun12 0.0.0.0/0 0.0.0.0/0
4375 1719K MASQUERADE all -- * br101 !EXTERNAL IP 0.0.0.0/0
19605 4714K MASQUERADE all -- * br0 192.168.1.0/24 192.168.1.0/24
Code:
iptables -vL -n
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2723 197K INPUT_PING icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
12M 11G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
1172 68920 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
2294K 447M PTCSRVWAN all -- !br0 * 0.0.0.0/0 0.0.0.0/0
1793K 663M PTCSRVLAN all -- br0 * 0.0.0.0/0 0.0.0.0/0
2 80 DROP tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5152
1793K 663M ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
2189K 440M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
335 13500 INPUT_ICMP icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- br2 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
2 656 ACCEPT udp -- br2 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ACCEPT udp -- br2 * 0.0.0.0/0 0.0.0.0/0 udp dpt:68
790 130K DROP all -- br2 * 0.0.0.0/0 0.0.0.0/0
104K 7179K OVPNSI all -- * * 0.0.0.0/0 0.0.0.0/0
104K 7179K OVPNCI all -- * * 0.0.0.0/0 0.0.0.0/0
48405 2024K DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
3569 335K ACCEPT tcp -- tun11 * 0.0.0.0/0 192.168.1.23 tcp dpt:80
0 0 DROP all -- br0 vlan1 0.0.0.0/0 0.0.0.0/0
3162K 3354M ACCEPT all -- tun11 br0 0.0.0.0/0 0.0.0.0/0
2831K 1045M ACCEPT all -- br0 tun11 0.0.0.0/0 0.0.0.0/0
6248K 6757M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
51808 7299K OVPNSF all -- * * 0.0.0.0/0 0.0.0.0/0
11934 752K WGNPControls all -- br2 * 0.0.0.0/0 0.0.0.0/0
15 960 ACCEPT all -- br2 br101 0.0.0.0/0 0.0.0.0/0
0 0 other2wan all -- !br0 br101 0.0.0.0/0 0.0.0.0/0
217 15565 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
7652 338K DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
43924 6945K NSFW all -- * * 0.0.0.0/0 0.0.0.0/0
31927 6189K ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
11997 755K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT
0 0 DNSFILTER_DOT tcp -- br+ * 0.0.0.0/0 0.0.0.0/0 tcp dpt:853
0 0 OVPNCF all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Thanks in advance!
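For comparison, here is a generic hairpin-NAT (NAT loopback) rule set for one forwarded TCP port on a Linux router. This is an added example, not the poster's rules and not the rules Asuswrt-Merlin installs itself. Two things visible in the post shape it: the posted DNAT rule matches only packets that enter on tun11, so a packet that enters on br0 addressed to EXT_IP is never rewritten by it, and the posted SNAT attempt used -i in POSTROUTING, which iptables does not accept in that chain. The example assumes (none of this is stated in the post beyond the addresses): the LAN bridge is br0, the router's LAN address is 192.168.1.1, the server is 192.168.1.23:80, and 203.0.113.10 (a documentation address) stands in for whatever EXT_IP the LAN clients actually connect to. The helper names (rule_dnat, rule_snat, rule_forward, apply_hairpin) are hypothetical.

```shell
#!/bin/sh
# Hairpin NAT (NAT loopback) for one forwarded TCP port on a Linux router.
# Added example; not the poster's rules and not Asuswrt-Merlin's built-in ones.
# Assumed values (override via the environment): LAN bridge br0, router LAN
# address 192.168.1.1, server 192.168.1.23:80, and the placeholder public
# address 203.0.113.10 standing in for EXT_IP. Set IPT=echo to print the
# iptables commands instead of executing them.

IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-br0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
ROUTER_IP="${ROUTER_IP:-192.168.1.1}"
SERVER_IP="${SERVER_IP:-192.168.1.23}"
PORT="${PORT:-80}"
EXT_IP="${EXT_IP:-203.0.113.10}"   # placeholder (TEST-NET-3), replace with the real address

# Rule 1: DNAT. A LAN client sends to EXT_IP; rewrite the destination to the
# server. Matching on -i $LAN_IF keeps this rule separate from any WAN or
# VPN-side DNAT rule that matches on its own ingress interface.
rule_dnat() {
    printf '%s\n' "-t nat -I PREROUTING -i $LAN_IF -d $EXT_IP -p tcp --dport $PORT -j DNAT --to-destination $SERVER_IP:$PORT"
}

# Rule 2: SNAT. After DNAT the packet leaves on the same bridge it came in on.
# Without this the server sees the client's LAN address and answers it
# directly, so the client receives a SYN-ACK from $SERVER_IP for a connection
# it opened to $EXT_IP and rejects it. Rewriting the source to the router's
# address sends the reply back through conntrack, which reverses the DNAT.
# POSTROUTING accepts -o only; -i is an error in this chain.
rule_snat() {
    printf '%s\n' "-t nat -I POSTROUTING -o $LAN_IF -s $LAN_NET -d $SERVER_IP -p tcp --dport $PORT -j SNAT --to-source $ROUTER_IP"
}

# Rule 3: FORWARD. The rewritten packet is forwarded from the LAN bridge back
# to the LAN bridge; allow it explicitly in case bridge-to-bridge forwarding
# is not accepted wholesale by the existing filter rules.
rule_forward() {
    printf '%s\n' "-I FORWARD -i $LAN_IF -o $LAN_IF -d $SERVER_IP -p tcp --dport $PORT -j ACCEPT"
}

# Install all three rules. The unquoted $(...) is intentional: each rule is a
# flat argument list with no embedded spaces, so word splitting yields the
# exact iptables argv. Stops at the first failure.
apply_hairpin() {
    $IPT $(rule_forward) || return 1
    $IPT $(rule_snat)    || return 1
    $IPT $(rule_dnat)    || return 1
}

# Only touch the firewall when asked: "sh hairpin.sh apply"
if [ "${1:-}" = "apply" ]; then
    apply_hairpin
fi
```

Dry-run with `IPT=echo sh hairpin.sh apply` to see the three commands, then run it as root without the override. On Asuswrt-Merlin, rules for the nat table are normally placed in /jffs/scripts/nat-start so they survive a firewall restart; that placement is an assumption about the firmware's script hooks, not something the post states. Verify afterwards with `iptables -t nat -vL PREROUTING -n` and watch the packet counter on the new DNAT rule climb while a LAN client connects to EXT_IP.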