I didn't have any luck - tried with br0, ath0, eth0 and eth1 interfaces - but in all cases I could still connect to that IP address - e.g. "telnet 216.223.155.120 80" on the desktop would still connect and return output from the web server. But thank you for the suggestion.
I've just updated to this beta from yesterday: "Release: 05/06/15 (SVN revision: 26839)", but the problem persists unfortunately (i.e. from the desktop can still successfully ping and telnet on port 80 to the internet address).
It feels almost like Ethernet is using a hardware-only switch so iptables commands do nothing, whereas for WiFi clients it has a software layer too so the iptables commands do something.
... and now from the desktop I can no longer ping or telnet port 80 to that internet address. Yet it works great from the DD-WRT unit, as expected.
Yay! Success! Thank you!
Posted: Sat May 16, 2015 13:09
Traffic LAN->WAN will be routed and iptables should work.
An explanation can be that "--source 192.168.0.2" does not work because the source address is already changed by NAT.
As far as I'm aware, NAT is not enabled, and it's LAN -> WAN traffic, but the iptables command seems to have no effect.
The reason I say that NAT is not enabled is that according to this page: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=78029, NAT can be turned off by going to the WebGUI and then "Setup > Advanced Routing change the Operating Mode from Gateway to Router". And that is how it is set (i.e. already in Router operating mode).
I'm sure the modem is doing NAT, but the DD-WRT sits just before the modem, and the modem is the LAN's gateway. So to get to that Internet IP address, any traffic from the desktop goes directly to the DD-WRT unit (via ethernet), then directly to the modem (also via ethernet), then it leaves the LAN via ADSL, and goes off into the Internet.
No, under the webgui -> Setup -> Basic setup -> "Assign WAN Port to Switch" is ticked.
My understanding then was that the dd-wrt unit only has a LAN address, with anything for the WAN going via the gateway, i.e. the modem.
So the IP addresses and physical ethernet connections are as follows:
Desktop is on 192.168.0.2 <--> dd-wrt router is on 192.168.0.3 <--> modem is on 192.168.0.1
If it helps, the interfaces and routes on the dd-wrt router are as follows:
Ah, okay, thank you. My modem isn't modern enough or smart enough to allow proper iptables, or even a command prompt. Hence I'm trying to put any function that requires smarts into the DD-WRT unit and have the modem just provide an ethernet connection to the Internet.
So it sounds like DD-WRT can do iptables rules for direct WiFi connections, or for ethernet packets that are exiting or entering a network via that DD-WRT unit, but it can't do iptables on ethernet packets travelling through it while it acts as a LAN switch.
What I'm hoping is that in the future nftables, which is supposed to unify ebtables and iptables and others, will be added to DD-WRT, and will be able to know whether to use ebtables or iptables in this situation (it certainly wasn't obvious to me beforehand), and will automatically do the right thing. That would make life simpler, I think, and fingers crossed that happens in the years ahead.