
Forwarding wireless traffic (wl0.1)

Martin Fishkov

Regular Contributor
Hi all,

I am trying, unsuccessfully, to route all traffic from one of my guest networks. I thought I'd copy the routing that Merlin used for the TOR setup (I want to route to the TOR proxy) so I tried this:

iptables -t nat -A PREROUTING -i wl0.1 -p udp --dport 53 -j REDIRECT --to-ports 9053

iptables -t nat -A PREROUTING -i wl0.1 -p tcp --syn ! -d 192.168.169.0/24 --match multiport --dports 80,443 -j REDIRECT --to-ports 9040

but no cigar. I'm quite clueless re iptables and routing, it turns out. Any help is appreciated!
(oh, my RT-AC68U runs Merlin 380.62_1)
 
How to set up a TOR transparent proxy on the 2.4GHz Guest Network #2 and also use Dnsmasq to resolve the .onion domains.

Example: Route an entire interface (wl0.2) through the TOR network

/jffs/scripts/firewall-start
Code:
#!/bin/sh
# Give the guest interface its own subnet; it is un-bridged from br0 below
/sbin/ifconfig wl0.2 192.168.2.1 netmask 255.255.255.0 broadcast 192.168.2.255
# BROUTING DROP un-bridges every frame arriving on wl0.2 (ethertype 0x886c excepted),
# so the traffic is routed and the NAT rules below can match on -i wl0.2
/usr/sbin/ebtables -t broute -I BROUTING -i wl0.2 -p ! 0x886c -j DROP
# Let guest clients reach the router itself (DHCP, DNS, the Tor ports)
/usr/sbin/iptables -I INPUT -i wl0.2 -m state --state NEW -j ACCEPT
# New TCP connections to anything outside 192.168.0.0/16 go to Tor's TransPort
/usr/sbin/iptables -t nat -I PREROUTING -i wl0.2 -p tcp --syn ! -d 192.168.0.0/16 -j DNAT --to-destination 192.168.1.1:9040
# Guest DNS queries go to Tor's DNSPort (this is also what resolves .onion names)
/usr/sbin/iptables -t nat -I PREROUTING -i wl0.2 -p udp --dport 53 -j DNAT --to-destination 192.168.1.1:9053
# Guest NTP is answered by the router instead of going out directly
/usr/sbin/iptables -t nat -I PREROUTING -i wl0.2 -p udp --dport 123 -j DNAT --to-destination 192.168.1.1

/jffs/configs/dnsmasq.conf.add
Code:
# Serve DHCP on the un-bridged guest interface; default gateway is the router's wl0.2 address
interface=wl0.2
dhcp-range=wl0.2,192.168.2.100,192.168.2.254,255.255.255.0,86400s
dhcp-option=wl0.2,3,192.168.2.1
# Option 252 (WPAD) handed out empty so guest clients stop asking for a proxy-autoconfig URL
dhcp-option=wl0.2,252,"\n"
# Forward .onion lookups to Tor's DNSPort
server=/onion/127.0.0.1#9053

/jffs/configs/torrc
Code:
# .onion lookups answered on DNSPort get a placeholder address from this range; TransPort maps it back
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
GeoIPFile /rom/tor/geoip
GeoIPv6File /rom/tor/geoip6
# Each listener is bound twice: for the router itself and for the guest-network DNAT rules
SocksPort localhost:9050
SocksPort 192.168.1.1:9050
DNSPort localhost:9053
DNSPort 192.168.1.1:9053
TransPort localhost:9040
TransPort 192.168.1.1:9040
Log notice file /var/log/tor/notices.log
RunAsDaemon 1
DataDirectory /var/lib/tor
ExitPolicy reject *:* # no exits allowed (client only)
# Drop privileges to the unprivileged user created in init-start
User tor

/jffs/scripts/init-start
Code:
#!/bin/sh
# Create an unprivileged 'tor' user and group (uid/gid 111) for "User tor" in torrc.
# The '*' in the shadow entry locks the password; the grep guards keep re-runs from
# appending duplicate entries.
grep -q '^tor:' /etc/passwd || echo "tor:x:111:111:tor:/dev/null:/dev/null" >> /etc/passwd
grep -q '^tor:' /etc/shadow || echo "tor:*:0:0:99999:7:0:0:" >> /etc/shadow
grep -q '^tor:' /etc/group  || echo "tor:x:111:" >> /etc/group

Firefox browser (about:config)
Code:
network.dns.blockDotOnion=false
 
Wow, thanks!
That's a lot more involved than I thought. I assume this will also work for tun interfaces (vpn connection)?
Is there a man or tutorial page for this stuff? I'd like to understand these configs (some of them, like the torrc are pretty straightforward, but the BROUTING -i wl0.2 -p ! 0x886c -j and entire init-start confuse me lots!)
Anyway, enough material to keep me occupied for a few dark, cold evenings. Thanks again!
 
the BROUTING -i wl0.2 -p ! 0x886c -j and entire init-start confuse me lots!)
For the ebtables BROUTING chain, the DROP target means to un-bridge the frame (br0)->(wl0.2), and the ACCEPT target means to stay bridged (br0). This is necessary to match the physical interface (wl0.2) for the NAT rules. It's why your NAT rules are not working.

And init-start creates a 'tor' user, for TOR to run as a non-root user. Cloudflare was blocking my post because it thinks I'm trying to hack your Linux password file. So, we change the suspect keywords to something less suspicious, and it allows the post.
 
It appears wl0.1 is not an existing interface, so trying to configure it gives errors. Will try with a top-level wl tonight...
 
Sadly, this doesn't seem to work for me: not on wl0.1 and not on wl0. Getting a 'not an existing interface' error :(
I don't see why this is so tricky...?
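Two things in this thread trip people up: the rules only work once the guest frames are un-bridged (the BROUTING DROP explained above), and the interface names (wl0.1, wl0.2) only exist once that guest network is actually enabled, which is where the 'not an existing interface' errors come from. The script below is an added example and not code from any post above: it wraps the firewall-start approach from the TOR post in a helper that checks the interface exists before touching anything, skips rules that are already present (iptables -C), and has a dry-run switch so you can see the exact commands first. The variable names, the iface_exists/run/nat_rule_once helpers and the DRY_RUN switch are this example's own; it assumes ifconfig, ebtables and iptables are on PATH as they are on Merlin.

```shell
#!/bin/sh
# Added example (not from the thread): idempotent guest-network -> Tor transparent proxy setup
# with an interface existence check and a dry-run mode. Helper names and variables are assumptions.

GUEST_IF="${GUEST_IF:-wl0.2}"            # guest-network interface to un-bridge
GUEST_GW="${GUEST_GW:-192.168.2.1}"      # router address on the guest subnet
ROUTER_LAN="${ROUTER_LAN:-192.168.1.1}"  # address Tor's TransPort/DNSPort are bound to in torrc
DRY_RUN="${DRY_RUN:-0}"                  # 1 = print the commands instead of running them

# True when the kernel knows the interface. wl0.1 / wl0.2 only appear once that guest
# network is enabled; this is the "not an existing interface" case from the thread.
iface_exists() {
    [ -n "$1" ] && { [ -d "/sys/class/net/$1" ] || ip link show "$1" >/dev/null 2>&1; }
}

# Run a command, or just echo it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Insert a nat/PREROUTING rule only if an identical one is not already present.
nat_rule_once() {
    if [ "$DRY_RUN" = "1" ] || ! iptables -t nat -C PREROUTING "$@" 2>/dev/null; then
        run iptables -t nat -I PREROUTING "$@"
    fi
}

# Apply the whole ruleset; returns 1 (and does nothing) when the interface is missing.
apply_guest_tor_rules() {
    if ! iface_exists "$GUEST_IF"; then
        echo "$GUEST_IF: not an existing interface (is that guest network enabled?)" >&2
        return 1
    fi
    run ifconfig "$GUEST_IF" "$GUEST_GW" netmask 255.255.255.0
    # Un-bridge guest frames so they are routed and -i matches the physical interface
    run ebtables -t broute -I BROUTING -i "$GUEST_IF" -p ! 0x886c -j DROP
    run iptables -I INPUT -i "$GUEST_IF" -m state --state NEW -j ACCEPT
    # TCP to anything outside 192.168.0.0/16 -> TransPort; DNS -> DNSPort; NTP -> router
    nat_rule_once -i "$GUEST_IF" -p tcp --syn ! -d 192.168.0.0/16 -j DNAT --to-destination "$ROUTER_LAN:9040"
    nat_rule_once -i "$GUEST_IF" -p udp --dport 53 -j DNAT --to-destination "$ROUTER_LAN:9053"
    nat_rule_once -i "$GUEST_IF" -p udp --dport 123 -j DNAT --to-destination "$ROUTER_LAN"
}

# Usage: DRY_RUN=1 GUEST_IF=wl0.1 sh guest-tor.sh apply   (prints the commands, changes nothing)
#        GUEST_IF=wl0.1 sh guest-tor.sh apply             (applies them; run from firewall-start)
case "${1:-}" in
    apply) apply_guest_tor_rules ;;
esac
```

Running it with DRY_RUN=1 against the interface you intend to use is the quickest way to tell the two failure modes apart: a missing interface fails before any command is printed, while a present interface shows the full ebtables/iptables sequence that firewall-start would execute.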
 
