Posted: Wed Jun 23, 2021 8:23 Post subject: Masquerading IP packets from tun0 to internal net.
Good morning.
I have the following situation:
Fritzbox 192.168.1.1
PLC 192.168.1.20 Gateway Fritzbox
I do not want to / can not change the networking configuration of those two.
But I want to access the PLC (Port 102 TCP).
So I installed a Buffalo router with DD-WRT and OpenVPN and gave it the internal IP 192.168.1.250, gateway Fritzbox. OpenVPN just works fine. It establishes a connection to my OpenVPN server in my office. I can ping the Buffalo at 192.168.1.250.
But not the PLC, which is logical, because it does not know the gateway for IPs in 192.168.66.0/24, and neither does the Fritzbox.
So I want the Buffalo to masquerade the IPs coming from 192.168.66.0/24 behind its internal IP 192.168.1.250, so the PLC and the Fritzbox think they communicate with the Buffalo on its internal interface.
I know I need something like
iptables -t nat -I POSTROUTING -o tun0 -s 192.168.66.0/24 -j MASQUERADE
But I am not sure where to put it (Administration -> Commands -> Firewall?). And I am not sure how to tell iptables to masquerade from tun0 to the internal net and not vice versa. Because if iptables tries to do it from internal to tun0, the rule will never become active, because packets from the internal network will never have a 192.168.66.x IP.
Can anyone help?
Sincerely, Aksels
Posted: Wed Jun 23, 2021 9:52 Post subject: Solved!
Hi.
I already read the guidelines. But felt more info is not relevant.
And I was right:
Found the solution by trial and error:
NAT and Firewall have to be switched on in the OpenVPN setup.
And:
iptables -t nat -I POSTROUTING -s 192.168.66.0/24 -d 192.168.1.0/24 -j MASQUERADE
goes to Administration -> Commands -> Firewall.
Joined: 18 Mar 2014 Posts: 12917 Location: Netherlands
Posted: Wed Jun 23, 2021 10:45 Post subject:
Glad you solved it and good to hear you have read the forum guidelines but probably skipped item 4:
Quote:
4. When posting always state router model, build number and when applicable the Kernel version.
Your rule does not contain an out interface which can have all kinds of unwanted side effects.
Your rule specifies a destination, not wrong but unnecessary if you have a proper site-to-site setup, as that already contains, i.e. restricts, the routing information.
To help with which subnets need NATting we need to know which subnets are used; the build number is in this case necessary because OpenVPN has undergone a lot of upgrades.
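The following is an added illustration, not code from this thread or from DD-WRT: a small Python model of how the nat table's POSTROUTING chain evaluates the rule forms discussed above against constructed packets. It shows why the original post's rule with -o tun0 can never match the traffic it was meant for (POSTROUTING runs after the routing decision, when a packet heading for the PLC is already leaving on the LAN side), that the "Solved!" rule does match, and what the missing out-interface means in practice: the rule without -o also fires for a 192.168.1.0/24 destination leaving on any other interface. The LAN bridge name br0 and the tun0 address are assumptions; the PLC and Buffalo addresses come from the thread.

```python
"""Model of netfilter POSTROUTING matching for the MASQUERADE rules in this thread.
Constructed example: it imitates rule matching in plain Python and does not
drive iptables itself."""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    out_if: str  # interface chosen by the routing decision; POSTROUTING sees it


@dataclass(frozen=True)
class NatRule:
    """One POSTROUTING rule. None means the option was omitted and matches anything."""
    src_net: Optional[str] = None   # -s
    dst_net: Optional[str] = None   # -d
    out_if: Optional[str] = None    # -o
    target: str = "MASQUERADE"      # -j

    def matches(self, pkt: Packet) -> bool:
        if self.src_net and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src_net):
            return False
        if self.dst_net and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.out_if and pkt.out_if != self.out_if:
            return False
        return True


# Assumed interface addresses: br0 is taken to be the DD-WRT LAN bridge holding the
# Buffalo's 192.168.1.250 from the thread; the tun0 address is constructed.
IF_ADDRS = {"br0": "192.168.1.250", "tun0": "192.168.66.1"}


def postrouting(rules: List[NatRule], pkt: Packet) -> Packet:
    """Walk the chain top to bottom. The first matching MASQUERADE rule rewrites
    the source to the address of the interface the packet is leaving on."""
    for rule in rules:
        if rule.matches(pkt):
            if rule.target == "MASQUERADE":
                return replace(pkt, src=IF_ADDRS[pkt.out_if])
            return pkt
    return pkt  # no rule matched: chain policy ACCEPT leaves the packet untouched


def was_masqueraded(rule: NatRule, pkt: Packet) -> bool:
    return postrouting([rule], pkt).src != pkt.src


# The rule forms from the thread, plus the out-interface variant egc asks for.
RULE_FIRST_ATTEMPT = NatRule(src_net="192.168.66.0/24", out_if="tun0")       # original post
RULE_SOLVED = NatRule(src_net="192.168.66.0/24", dst_net="192.168.1.0/24")    # "Solved!" post
RULE_WITH_OUT_IF = NatRule(src_net="192.168.66.0/24", out_if="br0")           # -o LAN bridge (assumed br0)

# Constructed packets.
VPN_TO_PLC = Packet(src="192.168.66.10", dst="192.168.1.20", out_if="br0")        # office client -> PLC
PLC_REPLY = Packet(src="192.168.1.20", dst="192.168.66.10", out_if="tun0")        # reply, handled by conntrack
LAN_DST_VIA_TUNNEL = Packet(src="192.168.66.10", dst="192.168.1.77", out_if="tun0")  # 192.168.1.x routed out tun0

if __name__ == "__main__":
    for name, rule in [("first attempt (-o tun0)", RULE_FIRST_ATTEMPT),
                       ("solved (-d 192.168.1.0/24)", RULE_SOLVED),
                       ("with -o br0", RULE_WITH_OUT_IF)]:
        for pkt in (VPN_TO_PLC, PLC_REPLY, LAN_DST_VIA_TUNNEL):
            out = postrouting([rule], pkt)
            print(f"{name:28s} {pkt.src} -> {pkt.dst} via {pkt.out_if}: src becomes {out.src}")
```

Running it shows the first attempt leaving every packet untouched, the solved rule rewriting the VPN-to-PLC packet to 192.168.1.250 but also rewriting the 192.168.1.77 packet that leaves on tun0, and the -o br0 form rewriting only what actually exits on the LAN bridge. The reply from the PLC is matched by none of them, which is correct: conntrack reverses the translation for replies without a second rule.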
Joined: 08 May 2018 Posts: 14246 Location: Texas, USA
Posted: Wed Jun 23, 2021 14:55 Post subject: Re: Solved!
Aksels wrote:
I already read the guidelines. But felt more info is not relevant.
You do not choose what is relevant. This is the reference for the previously quoted point 4 of the post I made in the forum rules and guidelines based on input from @egc:
Your experience here depends on following the forum rules and guidelines. If you don't wish to get an abrasive response, especially from me, then follow the rules to the letter. Otherwise, we reserve the right to lock or delete posts and threads as we feel necessary.