Hi Merlin / ppl: I donated $20 for your fine work on this, it is doing 90% of what I need on my Asus RT-3200AC including:
- Dual WAN load balancing
- Custom port forwarding with scripts in JFFS
- Custom VLAN port on one of the available LAN ports
I have one remaining issue and I've *torn* what hair I have left out over it: I can't get port forwarding to work to my custom VLAN port.
My configuration is this: I have a block of public IP addresses being served to VLAN2 which is my primary WAN port. The address of that WAN port is a private IP (say 192.168.2.253) and the upstream gateway is sending it a block of IPs on a /29 subnet (say 1.2.3.0/29). I'm using NAT to do effectively 1-1 NAT forwarding of ports from one public IP (say 1.2.3.161) to a single server on my internal LAN network. Right now what works is this:
- Ports forwarded from 1.2.3.161 to 192.168.1.249 (internal LAN 192.168.1.0/24) WORKS
What does NOT work is this:
- Ports forwarded from 1.2.3.161 to 192.168.3.249 (internal VLAN 192.168.3.0/24) NOT WORKING
I've done a lot of troubleshooting, but I'm left thinking there's a subtle thing I've left out when creating the new VLAN that makes it different than the existing ports included in the br0 bridged interface used by the 192.168.1.0 network. I know that routing works because I can do this:
- "telnet 192.168.3.249 25" WORKS from internal LAN 192.168.1.0/24
Below are some config elements, happy to post more!
The contents of /jffs/scripts/nat-start:
Code:
#!/bin/sh
# Public IP being forwarded, its /29 mask (unused below), and the inside host
WAN1=1.2.3.161
WAN1MASK=255.255.255.248
LAN1=192.168.1.249
# Rewrite the destination of every packet arriving on vlan2 for $WAN1 (any protocol, any port) to the inside host
/usr/sbin/iptables -t nat -A PREROUTING -i vlan2 -d $WAN1 -j DNAT --to-destination $LAN1
# Let the DNATed TCP connections for the listed ports pass the FORWARD chain (policy is DROP)
for PORT in 25 143 221 465 587 993 1194
do
/usr/sbin/iptables -A FORWARD -i vlan2 -p tcp --dport $PORT -d $LAN1 -j ACCEPT
done
# Outbound traffic from the inside host leaves with the public IP as its source
/usr/sbin/iptables -t nat -I POSTROUTING -s $LAN1 -j SNAT --to $WAN1
# Accept all forwarding that enters on the br0 bridge
/usr/sbin/iptables -I FORWARD -i br0 -j ACCEPT
And the resulting iptables contents:
Code:
admin@RT-AC3200-10D0:/jffs/scripts# iptables -L FORWARD -v
Chain FORWARD (policy DROP 271 packets, 18430 bytes)
pkts bytes target prot opt in out source destination
19627 1395K ACCEPT all -- br0 any anywhere anywhere
13888 1234K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT all -- br0 br0 anywhere anywhere
0 0 ACCEPT all -- lo lo anywhere anywhere
8 480 ACCEPT tcp -- vlan2 any anywhere 192.168.1.249 tcp dpt:smtp
0 0 ACCEPT tcp -- vlan2 any anywhere 192.168.1.249 tcp dpt:imap2
0 0 ACCEPT tcp -- vlan2 any anywhere 192.168.1.249 tcp dpt:221
0 0 ACCEPT tcp -- vlan2 any anywhere 192.168.1.249 tcp dpt:ssmtp
0 0 ACCEPT tcp -- vlan2 any anywhere 192.168.1.249 tcp dpt:587
4 228 ACCEPT tcp -- vlan2 any anywhere 192.168.1.249 tcp dpt:imaps
0 0 ACCEPT tcp -- vlan2 any anywhere 192.168.1.249 tcp dpt:1194
admin@RT-AC3200-10D0:/jffs/scripts# iptables -L PREROUTING -t nat -v
Chain PREROUTING (policy ACCEPT 1259 packets, 164K bytes)
pkts bytes target prot opt in out source destination
185 21634 VSERVER all -- any any anywhere 192.168.2.253
666 44578 VSERVER all -- any any anywhere my.other.WAN.network.IP
33 2168 DNAT all -- vlan2 any anywhere 1.2.3.161 to:192.168.1.249
admin@RT-AC3200-10D0:/jffs/scripts# iptables -L POSTROUTING -t nat -v
Chain POSTROUTING (policy ACCEPT 84 packets, 15578 bytes)
pkts bytes target prot opt in out source destination
13 988 SNAT all -- any any 192.168.1.249 anywhere to:1.2.3.161
1987 191K MASQUERADE all -- any vlan2 !192.168.2.253 anywhere
2308 215K MASQUERADE all -- any vlan3 !my.other.WAN.network.IP anywhere
342 39565 MASQUERADE all -- any br0 192.168.1.0/24 192.168.1.0/24
Some misc items:
Code:
admin@RT-AC3200-10D0:/tmp/home/root# nvram show | grep vlan | sort
size: 59596 bytes (5940 left)
lan_ifnames=vlan1 eth2 eth1 eth3
landevs=vlan1 wl0 wl1 wl2
port5vlans=1 2 3 4 5 16
vlan1hwname=et0
vlan1ports=1 2 3 5*
vlan2hwname=et0
vlan2ports=0 5
vlan3hwname=et0
vlan3ports=4 5
vlan4hwname=et0
vlan4ports=3 5*
wan0_gw_ifname=vlan2
wan0_ifname=vlan2
wan1_gw_ifname=vlan3
wan1_ifname=vlan3
wan_ifnames=vlan2 vlan3
wandevs=vlan2 vlan3
wl0_vlan_prio_mode=off
wl1_vlan_prio_mode=off
wl2_vlan_prio_mode=off
wl_vlan_prio_mode=off
Code:
admin@RT-AC3200-10D0:/tmp/home/root# ip link show
1: lo: <LOOPBACK,MULTICAST,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether hidden:d0 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether hidden:d4 brd ff:ff:ff:ff:ff:ff
4: eth2: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether hidden:d0 brd ff:ff:ff:ff:ff:ff
5: eth3: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether hidden:d8 brd ff:ff:ff:ff:ff:ff
6: vlan1@eth0: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
link/ether hidden:d0 brd ff:ff:ff:ff:ff:ff
7: vlan2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
link/ether hidden:d0 brd ff:ff:ff:ff:ff:ff
8: vlan3@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
link/ether hidden:d0 brd ff:ff:ff:ff:ff:ff
9: vlan4@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
link/ether hidden:d0 brd ff:ff:ff:ff:ff:ff
10: br0: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
link/ether hidden:d0 brd ff:ff:ff:ff:ff:ff
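An added example for the VLAN case, not the poster's nat-start and not part of the original post: it narrows the catch-all DNAT to the listed TCP ports and adds FORWARD rules tied to the VLAN interface, since the `-i br0 -j ACCEPT` rule cannot cover an interface that is not a member of br0 (the nvram output lists only vlan1/eth1/eth2/eth3 in lan_ifnames). It assumes the 192.168.3.0/24 network is reachable through the router's vlan4 interface; that name is an assumption, as is the `forward_ports` helper.

```shell
#!/bin/sh
# Added example (not the poster's script). Per-port DNAT plus FORWARD rules
# bound to the inside interface, for a host on the custom VLAN.
# ASSUMPTION: the 192.168.3.0/24 VLAN is the router's "vlan4" interface.
IPT="${IPT:-/usr/sbin/iptables}"   # set IPT="echo iptables" for a dry run
WAN_IF=vlan2
WAN1=1.2.3.161
VLAN_IF=vlan4
VLAN_HOST=192.168.3.249
PORTS="25 143 221 465 587 993 1194"

# forward_ports WAN_IF PUBLIC_IP INSIDE_IF INSIDE_HOST "PORT ..."
forward_ports() {
    wan_if=$1; pub=$2; in_if=$3; host=$4; ports=$5
    for port in $ports; do
        # DNAT only the listed TCP ports, instead of every protocol/port sent to $pub
        $IPT -t nat -A PREROUTING -i "$wan_if" -p tcp -d "$pub" --dport "$port" \
            -j DNAT --to-destination "$host"
        # Accept the DNATed packet only when it leaves via the VLAN interface;
        # replies are covered by the existing RELATED,ESTABLISHED rule
        $IPT -A FORWARD -i "$wan_if" -o "$in_if" -p tcp -d "$host" --dport "$port" \
            -j ACCEPT
    done
    # Outbound traffic from the VLAN host uses the public IP, but only on the WAN interface
    $IPT -t nat -I POSTROUTING -o "$wan_if" -s "$host" -j SNAT --to-source "$pub"
}

# Apply only when explicitly asked, so sourcing the file for a dry run changes nothing
case "$1" in
    apply)   forward_ports "$WAN_IF" "$WAN1" "$VLAN_IF" "$VLAN_HOST" "$PORTS" ;;
    dry-run) IPT="echo iptables"; forward_ports "$WAN_IF" "$WAN1" "$VLAN_IF" "$VLAN_HOST" "$PORTS" ;;
esac
```

Run it with `dry-run` first to review the generated rules, then with `apply` from nat-start; `iptables -L FORWARD -v` should afterwards show the counters on the vlan2 to vlan4 rules increasing for the VLAN host.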