YazFi NAT Masquerading

kriskbx

New Around Here
Hey there.

I have some Xiaomi IoT devices in a YazFi guest network (w0.1, 192.168.2.0/24). Unfortunately, some Xiaomi devices only respond when a request comes from the same subnet. So, I'm trying to do some masquerading with custom iptables rules.

To be clear, what I'm trying to do: Whenever a device from the main network (192.168.50.0/24) tries to access this guest network it will get the IP 192.168.2.2 (which is not used by any device afaik). But unfortunately, it's not working as intended. I'm pretty stuck and need some help. This is the custom rule I'm using right now, it shows up when running iptables -L -t nat -v but doesn't seem to do anything.

Code:
iptables -t nat -A POSTROUTING -o w0.1 -s 192.168.50.0/24 -d 192.168.2.0/24 -p all -j SNAT --to 192.168.2.2

Any idea, what I'm doing wrong? Any help is highly appreciated. Thanks a lot in advance!

Edit: I'm testing if the IP gets masqueraded by running an Nginx server on a machine in the guest network and looking at its access logs when triggering requests from the main network. As I said before, it still shows the original IP from the 50.0/24 subnet...

Cheers,
Kris
 
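A rule that appears in `iptables -L -t nat -v` but "doesn't seem to do anything" is usually a rule that no packet ever traverses, and the pkts counter in the POSTROUTING listing shows that directly. The script below is an added diagnostic, not part of the original post; it parses a constructed sample of `iptables -t nat -L POSTROUTING -v -n -x` output and reports whether the SNAT rule for a given `-o` interface is matching, idle, or missing.

```shell
#!/bin/sh
# Added diagnostic (not from the original post): a listed SNAT rule whose pkts
# counter stays at 0 is never traversed, so no source translation can happen.
# Input is the output of:  iptables -t nat -L POSTROUTING -v -n -x
# On the router you would feed the real listing in; here a constructed sample is used.

SAMPLE_LISTING='Chain POSTROUTING (policy ACCEPT 1523 packets, 98712 bytes)
    pkts      bytes target     prot opt in     out     source               destination
  884211  61231007 MASQUERADE  all  --  *      eth0    192.168.50.0/24      0.0.0.0/0
       0         0 SNAT        all  --  *      w0.1    192.168.50.0/24      192.168.2.0/24       to:192.168.2.2'

# rule_pkts LISTING TARGET OUT_IF
# Prints the pkts counter of the first rule with that target and "out" interface,
# or -1 when no such rule exists in the chain.
rule_pkts() {
  printf '%s\n' "$1" | awk -v tgt="$2" -v ifc="$3" '
    $3 == tgt && $7 == ifc && !found { print $1; found = 1 }
    END { if (!found) print -1 }'
}

# check_snat LISTING OUT_IF
# Exit 0: rule is matching traffic. 1: present but idle. 2: missing entirely.
check_snat() {
  n=$(rule_pkts "$1" SNAT "$2")
  case "$n" in
    -1) echo "no SNAT rule with -o $2 in nat/POSTROUTING"; return 2 ;;
     0) echo "SNAT rule for -o $2 is present but has matched 0 packets:"
        echo "  traffic is leaving via another interface, or the test connections"
        echo "  were already in conntrack before the rule was added"
        return 1 ;;
     *) echo "SNAT rule for -o $2 has matched $n packets"; return 0 ;;
  esac
}

# Stand-alone run against the sample; on a router replace SAMPLE_LISTING with
# "$(iptables -t nat -L POSTROUTING -v -n -x)".
check_snat "$SAMPLE_LISTING" w0.1 || echo "(exit status $?)"
```

Two things worth remembering when reading a zero counter: nat-table rules are consulted only for the first packet of a connection, so connections that were already tracked keep their old mapping until they expire or are restarted, and `-o w0.1` only matches if `ip route get 192.168.2.x` really names w0.1 as the outgoing device.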

eibgrad

Part of the Furniture
For one thing (there may be more), -D deletes a rule! You need either -I (to insert, which is normally preferable) or -A (append) the rule.

Also, you don't need the '-p all' since the default is to allow ALL for a given option if NOT specified.
 

Tech Junky

Very Senior Member
Let me start off by making this a bit more simple to deal with. Do a show command and capture all of the rules and put them into notepad. Much easier to deal with them in that setting vs CLI in the router.

For the rule just simplify it.
Code:
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o nordlynx -j MASQUERADE
-A POSTROUTING -o bo0 -j MASQUERADE
COMMIT

So, here I'm NAT'ing two interfaces: nordlynx for VPN and bo0 for the WAN.

Since you're using a sub-interface anyway, w0.1, just make a rule using that and skip the IP completely.

Code:
-A POSTROUTING -o w0.1 -j MASQUERADE
Here's a monitoring view of all of my rules I'm using:
Code:
Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
152289165 194790399374 PERMIT-IN  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
 6526817 6005002703 PERMIT-FWD  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
91059393 133859088789 PERMIT-OUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain PERMIT-FWD (1 references)
    pkts      bytes target     prot opt in     out     source               destination
 6456313 5977969003 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   67719 26890039 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
    2785   143661 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain PERMIT-IN (1 references)
    pkts      bytes target     prot opt in     out     source               destination
11170712 11913984669 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
50335718 61831927401 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
90744224 121034449301 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   38512 10038135 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain PERMIT-OUT (1 references)
    pkts      bytes target     prot opt in     out     source               destination
11170739 11913986549 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
49865413 110312582601 ACCEPT     all  --  *      br0     0.0.0.0/0            0.0.0.0/0
29508977 11589419024 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
  498602 42283249 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
   15662   817366 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Here's what monitoring looks like on the NAT:
Code:
335009  45435736  MASQUERADE  all  --  *  nordlynx  0.0.0.0/0  0.0.0.0/0
23497   2111276   MASQUERADE  all  --  *  bo0       0.0.0.0/0  0.0.0.0/0
 
