Recent content by k.alle

Status update. NAT loopback working through tun11. Finally found the magic bullet, this rule was missing which caused the router to drop the packages coming from LAN. iptables -t nat -I PREROUTING -s 192.168.1.0/24 -d EXT_IP -p tcp --dport 80 -j DNAT --to-destination 192.168.1.23 Public cert...

Hang on a minute... I just realized that if I connect to the server using DDNS on a local machine the packets never arrive at the server (verified with TCPDUMP on server). They seem to be dropped by the router. This maybe can explain the connection refused message? If I think about it...

The DDNS is pointing at tun11 IP, not the WAN/ISP connection. It is an OpenVPN client which has port forwarding enabled from the VPN service provider. Hence tun11 -> LAN. Not WAN -> LAN. And this works perfectly from the outside. I can see how this might cause confusion though, most people...

Not sure. If loopback was working, would it not be possible to SNAT the external IP on the incoming LAN request? That way the server would see the external IP and return it to the router thus not trip up on the cert. I am not at all familiar how all this works in practice. However, there are...

Yes of course it is a convenience. And for some services hosted on the server it is a huge pain in the back having to deal with self signed certificates (which some services refuse due to security) for LAN access when I have a perfectly working LetsEncrypt cert on the public facing side. If...

OK, got it. Stupid question incoming. Could I move the (currently failed by router) SNAT/MASQ downstream to the server? It's a linux machine with iptables. E.g. some iptable rule on the server that rewrites the incoming IP to router IP before answering? [EDIT] In pseudo code: 1. If...

Yes, might do that as a last resort. But we have no other way to force SNAT/MASQ with HW accel on? Using iptables, ip route and such?

Don't know what this tells me. Maybe our models are too different? RT-AX88U:/tmp/home/root# nvram show | grep ctf size: 78837 bytes (52235 left)

Oh, I see. Some good information right there. Thanks! I have a symmetric 1Gbps internet connection and I can fully saturate it with the AX88U. So it would hurt to miss out on that. Nevertheless, it would be nice to see if the loopback can start to work with NAT accl disabled in order to...

I see.. Will disabling NAT acceleration lower throughput? It would be nice to test this theory out. However I don't have that option available to me under Switch Control. The QoS and AiProtection options is forcing me to accept some terms from a 3rd party service. Not to keen on that if...

Thank you for the swift response, very kind! FORWARD rule You are correct, I removed it and it still works. Good catch! It must be a remnant from when I was trying to get the port forward over TUN11 working. POSTROUNTING rule Right again! My mistake, copied from a "work in progess"...

I have been battling this for some time now and vacuumed the internet for examples but it does not simply work for me. Some data: Router: RT-AX88U Firmware Version: Merlin 386.7_2 Router IP: 192.168.1.1 Server local IP: 192.168.1.23 I'm sure there is something trivial that I have missed or...

I have added that code now so on next reboot it will be cleaned I guess. A massive thank you for taking the time to help me out. I would not have been able to piece this together without you!

Thank you. I have tried to modify it to fit my scenario. My nat-start now looks like this: #!/bin/sh sleep 10 # During the boot process nat-start may run multiple times so this is required # Create the RPDB rules ip rule add from 0/0 fwmark 0x8000/0x8000 table main prio 9990 # WAN...

Wow, you are fast and to me like a friendly wizard. Thank you so much for helping me even though it is currently off-topic for your project and to a lot of other people reading this. I will try this and see how it goes and obviously change the variables that I can see, as use VPN1 instead of 4...