Forward with VPN to VLAN

djdimitrimartin
DD-WRT Novice


Joined: 27 Jan 2025
Posts: 8

PostPosted: Mon Jan 27, 2025 4:59    Post subject: Forward with VPN to VLAN
I use a Linksys ACM3200 with DD-WRT as a gateway to set up NordVPN with my static IP (provided by NordVPN). I have successfully set up the VPN manually.


Then, behind the Linksys ACM3200 gateway, I use my LRT-214, which handles my VLAN network for my mail server, like this:

<Xplore>----<ACM3200 VPN: NordVPN IP STATIC (xxx.xxx.xxx.xxx) WAN IP: 100.68.5.154 >-------<LRT-214 WAN IP: 192.168.1.200 (VLAN)>---------[MAIL IP 192.168.214.200]

Now, when pinging the mail server using my NordVPN static IP from a Windows command prompt, it looks as if the response is given by the ACM3200 gateway instead of the mail server behind my Linksys LRT-214.

In other words, how do I set up the gateway so that it sends mail requests through to the server behind the LRT-214?

Using the gateway's Forward option with ports 110, 587 and 25 no longer works, because I don't know exactly how to set it up.

So I need to know exactly what to set in the forward option for SOURCE NET in order to reach the server behind the LRT-214 on my network.

I'm not sure about SOURCE NET: the NordVPN static IP (xxx.xxx.xxx.xxx)? The ACM3200 gateway WAN address, 100.68.5.154? The ACM3200 gateway LAN address, 192.168.1.1?


Regards
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 7008
Location: Romerike, Norway

PostPosted: Mon Jan 27, 2025 7:42
You need a static route to 192.168.214.0/24 via 192.168.1.200.
djdimitrimartin
DD-WRT Novice


Joined: 27 Jan 2025
Posts: 8

PostPosted: Sat Feb 01, 2025 4:52
Not working. I am a newbie; let me know if I am wrong.
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 7008
Location: Romerike, Norway

PostPosted: Sat Feb 01, 2025 14:13
Can you ping the [MAIL IP 192.168.214.200] from the ACM3200?

Then you need to port forward UDP:587 to 192.168.214.200.

Source net can be left blank as this is the address of the sender (can be anything)
djdimitrimartin
DD-WRT Novice


Joined: 27 Jan 2025
Posts: 8

PostPosted: Sun Feb 02, 2025 5:06
Answering your question: unfortunately, I am not able to ping 192.168.214.200 from the ACM3200 (I sent a request to Linksys support for this case).

I performed this configuration (see attachment).


I am still unable to ping 192.168.214.200.

Regards
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 7008
Location: Romerike, Norway

PostPosted: Sun Feb 02, 2025 12:31
The last two entries in the routing table are wrong.

They should be 192.168.214.0, netmask 255.255.255.0.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 13532
Location: Netherlands

PostPosted: Sun Feb 02, 2025 13:09
To recap:
You have a router behind CGNAT, so no public IP address.

In order to connect to your router from outside, you have a NordVPN connection with a public IP address which you want to use to connect to your router.

The router's LAN is 192.168.1.1/24.

In this LAN is a server with address 192.168.1.200?

This server hosts services on other subnets (VMs?), e.g. 192.168.214.0/24?

If all this is the case and you simply want to port forward to 192.168.1.200, then you cannot use the GUI, as this only port forwards from the WAN and not from tun1.

So you have to do that manually.
A port forward consists of a DNAT rule and a FORWARD ACCEPT rule. An example:
Code:
# nat table: rewrite the destination of TCP/80 arriving on the VPN tunnel (tun1) to the server
iptables -t nat -I PREROUTING -i tun1 -p tcp --dport 80 -j DNAT --to 192.168.1.200:80
# filter table: allow the rewritten packets to be forwarded from tun1 to the server
iptables -I FORWARD -i tun1 -p tcp -d 192.168.1.200 --dport 80 -j ACCEPT


Of course the server 192.168.1.200 must also port forward to its VMs if there are VMs running on other subnets.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
djdimitrimartin
DD-WRT Novice


Joined: 27 Jan 2025
Posts: 8

PostPosted: Tue Feb 04, 2025 6:45
You're right, the LRT-214 WAN port is 192.168.1.200 and the LAN side has these VLANs:

192.168.206.*
192.168.212.*
192.168.214.*

In particular:
192.168.214.200 [MySQL-MAIL]
192.168.214.201 [WEB SERVER]

The LRT-214 already has its forward rules.

Then, my understanding is that the configuration will look like this:

# web port
iptables -t nat -I PREROUTING -i tun1 -p tcp --dport 80 -j DNAT --to 192.168.1.200:80
iptables -I FORWARD -i tun1 -p tcp -d 192.168.1.200 --dport 80 -j ACCEPT
iptables -t nat -I PREROUTING -i tun1 -p tcp --dport 8080 -j DNAT --to 192.168.1.200:8080
iptables -I FORWARD -i tun1 -p tcp -d 192.168.1.200 --dport 8080 -j ACCEPT

# email port
iptables -t nat -I PREROUTING -i tun1 -p tcp --dport 25 -j DNAT --to 192.168.1.200:25
iptables -I FORWARD -i tun1 -p tcp -d 192.168.1.200 --dport 25 -j ACCEPT
iptables -t nat -I PREROUTING -i tun1 -p tcp --dport 587 -j DNAT --to 192.168.1.200:587
iptables -I FORWARD -i tun1 -p tcp -d 192.168.1.200 --dport 587 -j ACCEPT
iptables -t nat -I PREROUTING -i tun1 -p tcp --dport 110 -j DNAT --to 192.168.1.200:110
iptables -I FORWARD -i tun1 -p tcp -d 192.168.1.200 --dport 110 -j ACCEPT

# mysql port
iptables -t nat -I PREROUTING -i tun1 -p tcp --dport 3306 -j DNAT --to 192.168.1.200:3306
iptables -I FORWARD -i tun1 -p tcp -d 192.168.1.200 --dport 3306 -j ACCEPT

# ftp port
iptables -t nat -I PREROUTING -i tun1 -p tcp --dport 21 -j DNAT --to 192.168.1.200:21
iptables -I FORWARD -i tun1 -p tcp -d 192.168.1.200 --dport 21 -j ACCEPT

# rdp port
iptables -t nat -I PREROUTING -i tun1 -p tcp --dport 3389 -j DNAT --to 192.168.1.200:3389
iptables -I FORWARD -i tun1 -p tcp -d 192.168.1.200 --dport 3389 -j ACCEPT



Also, let me know how to manually remove these commands in case I made a mistake.

Regards
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 13532
Location: Netherlands

PostPosted: Tue Feb 04, 2025 6:55
You can add those commands to Administration > Commands and Save as Firewall. You can just comment them out if you no longer want to use them.
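A complete firewall-script version of the procedure egc describes above (the DNAT plus FORWARD ACCEPT pair matched on tun1, saved under Administration > Commands > Save Firewall) follows as an added example; it is not code from the thread, from DD-WRT or from any of the posters. It takes tun1 as the NordVPN tunnel interface and 192.168.1.200 as the LRT-214 WAN address from the thread; the port list, the APPLY and DRY_RUN switches, the add/del helpers and the optional static route are this example's own additions. The del helper answers the "how do I remove these" question with `iptables -D` rather than by commenting lines out, and the `-C` check before each insert assumes an iptables build that supports `-C` (1.4.11 or newer), which older DD-WRT builds may lack.

```sh
#!/bin/sh
# Added example, not code from the thread or from DD-WRT itself. Meant for
# Administration > Commands > Save Firewall on the ACM3200. It assumes, as in
# the thread, that the NordVPN OpenVPN client is tun1 and that the LRT-214 WAN
# side is 192.168.1.200; the port list, the optional route and every function
# name below are this example's own choices.

VPN_IF="${VPN_IF:-tun1}"
TARGET="${TARGET:-192.168.1.200}"
TCP_PORTS="${TCP_PORTS:-25 587 110 80}"

# DRY_RUN=1 prints the iptables/ip commands instead of running them, so the
# rule set can be reviewed on a machine without iptables.
DRY_RUN="${DRY_RUN:-0}"

# add_rule TABLE CHAIN RULE...: insert only if an identical rule is not
# already present (-C, iptables 1.4.11+), so re-running the firewall script
# does not stack duplicates. -I puts the rule at the top of its chain; the
# relative order of PREROUTING (nat) and FORWARD (filter) is irrelevant,
# they are separate chains, and rules on different ports never compete.
add_rule() {
    _table="$1"; shift
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables -t %s -I %s\n' "$_table" "$*"
        return 0
    fi
    iptables -t "$_table" -C "$@" 2>/dev/null || iptables -t "$_table" -I "$@"
}

# del_rule TABLE CHAIN RULE...: remove the rule, repeating until no copy is
# left, which cleans up after a script that was run several times with -I.
del_rule() {
    _table="$1"; shift
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables -t %s -D %s\n' "$_table" "$*"
        return 0
    fi
    while iptables -t "$_table" -D "$@" 2>/dev/null; do :; done
}

# forward_port add|del IFACE TARGET PORT: one TCP port forward = DNAT in
# nat/PREROUTING plus ACCEPT in filter/FORWARD, both matched on the tunnel
# interface so the same ports stay closed on the real (CGNAT) WAN.
forward_port() {
    _action="$1"; _if="$2"; _target="$3"; _port="$4"
    "${_action}_rule" nat PREROUTING -i "$_if" -p tcp --dport "$_port" \
        -j DNAT --to-destination "$_target:$_port"
    "${_action}_rule" filter FORWARD -i "$_if" -p tcp -d "$_target" \
        --dport "$_port" -j ACCEPT
}

# static_route NET/PREFIX GATEWAY: the route Per Yngve Berg mentions. Needed
# only if TARGET is a host behind the LRT-214 (192.168.214.0/24) instead of
# its WAN address; the LRT-214 must then also accept that traffic.
static_route() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'ip route replace %s via %s\n' "$1" "$2"
        return 0
    fi
    ip route replace "$1" via "$2"
}

# apply_forwards add|del: walk the port list. Caveat (assumption about the
# routing setup): conntrack reverses the DNAT on replies, but they must leave
# through tun1 again, which holds when the OpenVPN client owns the default
# route; policy-based routing that sends LAN traffic out the WAN breaks this.
apply_forwards() {
    for _p in $TCP_PORTS; do
        forward_port "$1" "$VPN_IF" "$TARGET" "$_p"
    done
}

# Runs only when APPLY=add or APPLY=del, so sourcing the file for a dry run
# changes nothing. In the DD-WRT firewall script put APPLY=add at the top.
case "${APPLY:-}" in
    add|del) apply_forwards "$APPLY" ;;
esac
```

Run it as `DRY_RUN=1 APPLY=add sh forward.sh` to see the exact rules before touching the router; with `APPLY=add` at the top of the DD-WRT firewall script it applies them, and `APPLY=del` removes every copy. The point egc raises later in the thread applies here: a ping of the NordVPN static IP is answered by the ACM3200 itself, because only the listed TCP ports are DNATed, so test from outside with a TCP connection (for instance `nc -vz <static IP> 587`) and watch the packet counters in `iptables -t nat -L PREROUTING -n -v` climb.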
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 7008
Location: Romerike, Norway

PostPosted: Tue Feb 04, 2025 14:20
Your rules are in the wrong order. When inserting with -I, the last one will be the first. In the file they must appear with what shall be the first rule last.

In your case, you check a destination that will be set by the next rule. It will never match.
djdimitrimartin
DD-WRT Novice


Joined: 27 Jan 2025
Posts: 8

PostPosted: Tue Feb 04, 2025 15:59
To: Per Yngve Berg

Does the right order mean this?

iptables -t nat -I PREROUTING -i tun1 -p tcp --dport 80 -j DNAT --to 192.168.1.200:80
iptables -t nat -I PREROUTING -i tun1 -p tcp --dport 3389 -j DNAT --to 192.168.1.200:3389
iptables -t nat xxxxxxxxxxxxxxxxxx others xxxxxxxxxxxxxxxxxxx
iptables -I FORWARD xxxxxxxxxxxxxxxxxx others xxxxxxxxxxxxxxxxxxx
iptables -I FORWARD -i tun1 -p tcp -d 192.168.1.200 --dport 3389 -j ACCEPT
iptables -I FORWARD -i tun1 -p tcp -d 192.168.1.200 --dport 80 -j ACCEPT

regards
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 7008
Location: Romerike, Norway

PostPosted: Tue Feb 04, 2025 20:29
Yes, but in the startup script you must reverse the order and start with the last line.
ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 3450
Location: Germany

PostPosted: Tue Feb 04, 2025 21:02
That's not true at all.
This only applies to commands that are in the same chain.

PREROUTING and FORWARD are different chains, so it doesn't matter whether you insert one or the other rule first.

_________________
Quickstart guides:
use Pi-Hole as simple DNS-Server with DD-WRT
VLAN configuration via GUI - 1 CPU port
VLAN configuration via GUI - 2 CPU ports (R7800, EA8500 etc)

Routers
Marvell OCTEON TX2 - QHora-322 - OpenWrt 23.05.3 - Gateway
Qualcomm IPQ8065 - R7800 - DD-WRT - WAP
djdimitrimartin
DD-WRT Novice


Joined: 27 Jan 2025
Posts: 8

PostPosted: Wed Feb 05, 2025 7:09
I believe I did it correctly, but I am still unable to ping 192.168.214.200.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 13532
Location: Netherlands

PostPosted: Wed Feb 05, 2025 11:32
Your port forwarding rules are in a neat order, which is not necessary but does not hurt either.

Do not use the command shell, it is highly unreliable; telnet/SSH into the router. If you are using Windows you can use PuTTY.

What does the ping command have to do with the port forwarding?
Besides, you might be pinging something which is likely behind a firewall?

What is the appliance on 192.168.1.200? Is that a router?
