Menu
What's new
By:
Filters Better Search

YazFi NAT Masquerading

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

K

kriskbx

New Around Here
Hey there.

I have some Xiaomi IoT devices in a YazFi guest network (w0.1, 192.168.2.0/24). Unfortunately, some Xiaomi devices only respond when a request comes from the same subnet. So, I'm trying to do some masquerading with custom iptables rules.

To be clear, what I'm trying to do: Whenever a device from the main network (192.168.50.0/24) tries to access this guest network it will get the IP 192.168.2.2 (which is not used by any device afaik). But unfortunately, it's not working as intended. I'm pretty stuck and need some help. This is the custom rule I'm using right now, it shows up when running iptables -L -t nat -v but doesn't seem to do anything.

Code: 
iptables -t nat -A POSTROUTING -o w0.1 -s 192.168.50.0/24 -d 192.168.2.0/24 -p all -j SNAT --to 192.168.2.2

Any idea, what I'm doing wrong? Any help is highly appreciated. Thanks a lot in advance!

Edit: I'm testing if the IP gets masqueraded by running an Nginx server on a machine in the guest network and looking at it's access logs when triggering requests from the main network. As a said before, it still shows the original IP from the 50.0/24 subnet...

Cheers,
Kris
 
Last edited:
For one thing (there may be more), -D deletes a rule! You need either -I (to insert, which is normally preferrable) or -A (append) the rule.

Also, you don't need the '-p all' since the default is to allow ALL for a given option if NOT specified.
 
Let me start off by making this a bit more simple to deal with. Do a show command and capture all of the rules and put them into notepad. Much easier to deal with them in that setting vs CLI in the router.

For the rule just simplify it.


Code: 
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o nordlynx -j MASQUERADE
-A POSTROUTING -o bo0 -j MASQUERADE
COMMIT

So, here I'm NAT'ing two interfaces. Norlynx for VPN and bo0 for the WAN.

Since you're using a sub-if anyway w0.1 just make a rule using that and skip the IP completely.

Code: 
-A POSTROUTING -o w0.1 -j MASQUERADE


Here's a monitoring view of all of my rules I'm using:
Code: 
Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
152289165 194790399374 PERMIT-IN  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
 6526817 6005002703 PERMIT-FWD  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
91059393 133859088789 PERMIT-OUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain PERMIT-FWD (1 references)
    pkts      bytes target     prot opt in     out     source               destination
 6456313 5977969003 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   67719 26890039 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
    2785   143661 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain PERMIT-IN (1 references)
    pkts      bytes target     prot opt in     out     source               destination
11170712 11913984669 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
50335718 61831927401 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
90744224 121034449301 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   38512 10038135 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain PERMIT-OUT (1 references)
    pkts      bytes target     prot opt in     out     source               destination
11170739 11913986549 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
49865413 110312582601 ACCEPT     all  --  *      br0     0.0.0.0/0            0.0.0.0/0
29508977 11589419024 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
  498602 42283249 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
   15662   817366 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Here's what monitoring looks like on the NAT
Code: 
335009  45435736  MASQUERADE  all  --  *  nordlynx  0.0.0.0/0  0.0.0.0/0
23497   2111276   MASQUERADE  all  --  *  bo0       0.0.0.0/0  0.0.0.0/0
 
You must log in or register to reply here.

Similar threads

G
subnet of home LAN - did I overlook anything important?
Replies
4
Views
393
gretter
G
J
YazFi Guest Network with YazFi assigning LAN IPs, not the IPs of my guest settings.
2
Replies
20
Views
2K
jorgsmash
J
B
YazFi Help with IPTables Script
Replies
2
Views
542
binky
B
R
One router, two segments desired.
Replies
4
Views
389
Rombo
R
R
ASUS RT-AX88U Network Segmentation (Help Needed)
Replies
6
Views
894
drinkingbird
drinkingbird

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 652 (members: 12, guests: 640)
Top