Routing & NAT issue

xfgavin

Hi all,

I requested a binary for ocserv (OpenConnect VPN server) from Entware and got it running on asuswrt-merlin.
However, I can't get the VPN clients NATed to the internet. I am not sure whether it is an iptables NAT issue or not. Please advise.

Thank you.

Here is the configuration:
Lan: 192.168.79.0/24
VPN: 172.16.79.0/24

VPN running on port 443, using the vpns* interfaces

INTERFACES
br0 Link encap:Ethernet HWaddr 38:2C:4A:E3:C2:28
inet addr:192.168.79.1 Bcast:192.168.79.255 Mask:255.255.255.0
inet6 addr: fe80::3a2c:4aff:fee3:c228/64 Scope:Link
inet6 addr: 2001:xxx:xxx:xxx::1/64 Scope:Global
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1

eth0 Link encap:Ethernet HWaddr 38:2C:4A:E3:C2:28
inet6 addr: fe80::3a2c:4aff:fee3:c228/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

eth1 Link encap:Ethernet HWaddr 38:2C:4A:E3:C2:28
inet6 addr: fe80::3a2c:4aff:fee3:c228/64 Scope:Link
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1

eth2 Link encap:Ethernet HWaddr 38:2C:4A:E3:C2:2C
inet6 addr: fe80::3a2c:4aff:fee3:c22c/64 Scope:Link
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MULTICAST MTU:16436 Metric:1

ppp10 Link encap:point-to-Point Protocol
inet addr:192.168.79.1 P-t-P:192.168.79.79 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1400 Metric:1

tap21 Link encap:Ethernet HWaddr C2:4E:4E:8F:E9:60
inet6 addr: fe80::c04e:4eff:fe8f:e960/64 Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1

v6in4 Link encap:IPv6-in-IPv4
inet6 addr: 2001:xxx:xxx:xxx::2/64 Scope:Global
inet6 addr: fe80::6bb8:3303/128 Scope:Link
UP POINTOPOINT RUNNING NOARP MTU:1480 Metric:1

vlan1 Link encap:Ethernet HWaddr 38:2C:4A:E3:C2:28
inet6 addr: fe80::3a2c:4aff:fee3:c228/64 Scope:Link
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1

vlan2 Link encap:Ethernet HWaddr 38:2C:4A:E3:C2:28
inet addr:xxx.xxx.51.3 Bcast:107.184.63.255 Mask:255.255.240.0
inet6 addr: fe80::3a2c:4aff:fee3:c228/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

vpns0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:172.16.79.1 P-t-P:172.16.79.196 Mask:255.255.255.255
UP POINTOPOINT RUNNING MTU:1267 Metric:1


ROUTING TABLE
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
xxx.xxx.48.1 0.0.0.0 255.255.255.255 UH 0 0 0 vlan2
192.88.99.1 107.184.48.1 255.255.255.255 UGH 5 0 0 vlan2
172.16.79.196 0.0.0.0 255.255.255.255 UH 0 0 0 vpns0
192.168.79.79 0.0.0.0 255.255.255.255 UH 0 0 0 ppp10
192.168.79.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
xxx.xxx.48.0 0.0.0.0 255.255.240.0 U 0 0 0 vlan2
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 xxx.xxx.48.1 0.0.0.0 UG 0 0 0 vlan2

IP TABLES
:filter
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 172.16.79.0/24 anywhere
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:993
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1723
ACCEPT 47 -- 0.0.0.0/0 0.0.0.0/0
ACCEPT 41 -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere 172.16.79.0/24
TCPMSS tcp -- 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x06/0x02 TCPMSS clamp to PMTU
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT all -- 172.16.79.0/24 0.0.0.0/0 ctstate NEW
ACCEPT all -- 192.168.79.0/24 172.16.79.0/24 ctstate NEW
ACCEPT all -- 172.16.79.0/24 192.168.79.0/24 ctstate NEW
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
SECURITY all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate DNAT
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain FUPNP (0 references)
target prot opt source destination

Chain PControls (0 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

Chain SECURITY (1 references)
target prot opt source destination
RETURN tcp -- 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x17/0x02 limit: avg 1/sec burst 5
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x17/0x02
RETURN tcp -- 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x17/0x04 limit: avg 1/sec burst 5
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x17/0x04
RETURN icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 limit: avg 1/sec burst 5
DROP icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8
RETURN all -- 0.0.0.0/0 0.0.0.0/0

Chain logaccept (0 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 7 level 4 prefix "ACCEPT "
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

Chain logdrop (0 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 7 level 4 prefix "DROP "
DROP all -- 0.0.0.0/0 0.0.0.0/0

:nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:9 to:192.168.79.255
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:993
VSERVER all -- 0.0.0.0/0 107.184.51.3

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE !41 -- !xxx.xxx.51.3 0.0.0.0/0
MASQUERADE !41 -- 0.0.0.0/0 0.0.0.0/0 mark match 0x8000/0x8000
MASQUERADE all -- 172.16.79.0/24 0.0.0.0/0
MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0

Chain DNSFILTER (0 references)
target prot opt source destination

Chain LOCALSRV (0 references)
target prot opt source destination

Chain PCREDIRECT (0 references)
target prot opt source destination

Chain PUPNP (0 references)
target prot opt source destination

Chain VSERVER (1 references)
target prot opt source destination
VUPNP all -- 0.0.0.0/0 0.0.0.0/0

Chain VUPNP (1 references)
target prot opt source destination

:mangle
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
MARK all -- 0.0.0.0/0 0.0.0.0/0 MARK xset 0x1/0x7
MARK all -- 0.0.0.0/0 xxx.xxx.51.3 MARK or 0x8000

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination
MARK all -- 0.0.0.0/0 0.0.0.0/0 state NEW MARK xset 0x1/0x7

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
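
One way to read the posted chains mechanically for the two questions this thread turns on (does the filter FORWARD chain accept a new flow from the VPN subnet, and does nat POSTROUTING masquerade it?), as an added example that is not the poster's code: it parses `iptables -L -n`-style text, using a constructed cut-down copy of the chains above, and reports the first rule that decides a new flow from the VPN subnet to a probe address (203.0.113.10 from TEST-NET-3, an assumption). It does not follow jumps into user chains such as SECURITY, and it treats a redacted address like `xxx.xxx.51.3` as undecidable rather than guessing.

```python
import ipaddress
# Constructed sample in the shape of the `iptables -L -n` dump above (FORWARD and POSTROUTING only)
SAMPLE = """:filter
Chain FORWARD (policy DROP)
ACCEPT all -- anywhere 172.16.79.0/24
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT all -- 172.16.79.0/24 0.0.0.0/0 ctstate NEW
DROP all -- 0.0.0.0/0 0.0.0.0/0
:nat
Chain POSTROUTING (policy ACCEPT)
MASQUERADE !41 -- !xxx.xxx.51.3 0.0.0.0/0
MASQUERADE all -- 172.16.79.0/24 0.0.0.0/0
"""
def parse(dump):
    # {(table, chain): (policy text, [rule tokens])}; ':name' lines switch tables
    chains, table, key = {}, None, None
    for line in dump.splitlines():
        if line.startswith(":"):
            table = line[1:]
        elif line.startswith("Chain "):
            key = (table, line.split()[1])
            chains[key] = (line.split("(")[1].rstrip(")"), [])
        elif line and not line.startswith("target") and key:  # skip column header
            chains[key][1].append(line.split())
    return chains

def covers(spec, net):
    # True/False if a source/destination column matches net; None if undecidable
    neg, spec = spec.startswith("!"), spec.lstrip("!")
    try:
        hit = spec in ("anywhere", "0.0.0.0/0") or net.subnet_of(ipaddress.ip_network(spec, strict=False))
    except (ValueError, TypeError):
        return None  # redacted value such as the poster's xxx.xxx.51.3, or mixed IP versions
    return not hit if neg else hit

def first_decision(rules, src, dst):
    # 1-based index and target of the first rule that decides a NEW src->dst flow
    for i, r in enumerate(rules, 1):
        target, prot, rest = r[0], r[1], " ".join(r[5:])
        if (prot != "all" and not prot.startswith("!")) or any(
                k in rest for k in ("RELATED,ESTABLISHED", "INVALID", "DNAT")):
            continue  # single-protocol rule, or one a NEW packet can never match
        if target in ("ACCEPT", "DROP", "REJECT", "MASQUERADE", "SNAT") and covers(r[3], src) and covers(r[4], dst):
            return i, target

def vpn_nat_status(dump, vpn_subnet, probe_dst="203.0.113.10"):
    chains, src, dst = parse(dump), ipaddress.ip_network(vpn_subnet), ipaddress.ip_network(probe_dst)
    fwd, post = chains[("filter", "FORWARD")], chains[("nat", "POSTROUTING")]
    return {"forward": first_decision(fwd[1], src, dst) or ("chain", fwd[0]),
            "masquerade": first_decision(post[1], src, dst)}
```

Run against the full dump in the post, both lookups resolve (FORWARD accepts the subnet's new flows and POSTROUTING has a MASQUERADE for 172.16.79.0/24), so the rule tables are not where the check stops; the next things to verify are outside them, such as whether net.ipv4.ip_forward is enabled and whether client traffic actually arrives on vpns0.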