Masquerading IP-packages from tun0 to internal Net.

DD-WRT Forum Index -> Advanced Networking
Aksels
DD-WRT Novice


Joined: 23 Jun 2021
Posts: 2

PostPosted: Wed Jun 23, 2021 8:23    Post subject: Masquerading IP-packages from tun0 to internal Net.
Good morning.
I have the following situation:
Fritzbox 192.168.1.1
PLC 192.168.1.20 Gateway Fritzbox
I do not want to / can not change the networking configuration of those two.
But I want to access the PLC (Port 102 TCP).
So I installed a Buffalo router with DD-WRT and OpenVPN, gave it the internal IP 192.168.1.250 with gateway Fritzbox. OpenVPN just works fine. It establishes a connection to my OpenVPN server in my office. I can ping the Buffalo at 192.168.1.250.
But not the PLC, which is logical, because it does not know the gateway for IPs to 192.168.66.0/24, and neither does the Fritzbox.
So I want the Buffalo to masquerade the IPs coming from 192.168.66.0/24 behind its internal IP 192.168.1.250, so the PLC and Fritzbox think they communicate with the Buffalo on its internal interface.
I know I need something like
iptables -t nat -I POSTROUTING -o tun0 -s 192.168.66.0/24 -j MASQUERADE
But I am not sure where to put it (Administration -> Commands -> Firewall?). And I am not sure how to tell iptables to mask from tun0 to the internal net and not vice versa. Because, if iptables tries to do it from internal to tun0, the rule will never get active, because packages from the internal network will never have a 192.168.66.x IP.
Can anyone help?
Sincerely, Aksels
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

PostPosted: Wed Jun 23, 2021 9:04    Post subject:
What is the router model and build number?

Is the Buffalo set up in Gateway mode?

How is the VPN set up (I suppose TUN)? What are the subnets of the server, the client and OVPN?

Did you set up site-to-site? (For some pointers about site-to-site see the OpenVPN server setup guide links in my signature at the bottom.)

If the Buffalo is set up in Gateway mode you can consider setting it up as a WAP (Wireless Access Point: https://wiki.dd-wrt.com/wiki/index.php/Wireless_Access_Point)

To get the best out of DDWRT and the forum read the forum guidelines with helpful pointers:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087

If you have not already read the forum guidelines, please do!

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Aksels
DD-WRT Novice


Joined: 23 Jun 2021
Posts: 2

PostPosted: Wed Jun 23, 2021 9:52    Post subject: Solved!
Hi.

I already read the guidelines. But felt more info is not relevant.

And I was right:

Found the solution by trial and error:
NAT and Firewall have to be switched on in the OpenVPN setup.
And:
iptables -t nat -I POSTROUTING -s 192.168.66.0/24 -d 192.168.1.0/24 -j MASQUERADE
goes to Administration -> Commands -> Firewall.

Sincerely,
Aksels
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

PostPosted: Wed Jun 23, 2021 10:45    Post subject:
Glad you solved it and good to hear you have read the forum guidelines but probably skipped item 4:
Quote:
4. When posting always state router model, build number and when applicable the Kernel version.


Your rule does not contain an out interface which can have all kinds of unwanted side effects.

Your rule specifies a destination, not wrong but unnecessary if you have a proper site-to-site setup as that already contains i.e. restrict the routing information.

To help with which subnets need NATting we need to know which subnets are used; the build number is in this case necessary because OpenVPN has undergone a lot of upgrades.

But if you are happy I am happy :)

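The two points egc raises (no out interface on the MASQUERADE rule, and a site-to-site setup that restricts what crosses the tunnel) as an added example for the Administration -> Commands -> Firewall box. This is not the poster's script nor anything shipped by DD-WRT; the LAN bridge name br0 is an assumption, the subnets, PLC address and port 102/tcp are the ones from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Generates the DD-WRT firewall-script
# lines for the office-VPN -> Fritzbox-LAN case described above.
VPN_NET="192.168.66.0/24"   # office side, arrives through tun0
LAN_NET="192.168.1.0/24"    # Fritzbox / PLC side
LAN_IF="br0"                # ASSUMED: LAN bridge of the Buffalo on DD-WRT
PLC_IP="192.168.1.20"
PLC_PORT="102"              # the TCP port the poster wants to reach

# MASQUERADE only for packets that leave toward the LAN bridge. Without -o the
# rule also rewrites VPN-sourced traffic leaving on any other interface.
nat_rule() {
  printf 'iptables -t nat -I POSTROUTING -o %s -s %s -d %s -j MASQUERADE\n' \
    "$LAN_IF" "$VPN_NET" "$LAN_NET"
}

# Least-privilege forwarding: from the VPN only tcp/102 to the PLC is allowed,
# replies are allowed back, anything else tun0 -> LAN is dropped. Every line
# uses -I, so the DROP is emitted first and ends up below the two ACCEPTs.
forward_rules() {
  printf 'iptables -I FORWARD -i tun0 -o %s -j DROP\n' "$LAN_IF"
  printf 'iptables -I FORWARD -i tun0 -o %s -s %s -d %s -p tcp --dport %s -j ACCEPT\n' \
    "$LAN_IF" "$VPN_NET" "$PLC_IP" "$PLC_PORT"
  printf 'iptables -I FORWARD -i %s -o tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT\n' \
    "$LAN_IF"
}

# Sanity check for a rule you are about to paste: does it name an out interface?
# Returns 0 when -o/--out-interface is present, 1 otherwise.
has_out_interface() {
  case " $1 " in
    *" -o "*|*" --out-interface "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the complete script; copy the output into the Firewall command box.
nat_rule
forward_rules
```

The rules are only printed, not applied, so the output can be reviewed before it is saved on the router.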
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

PostPosted: Wed Jun 23, 2021 14:55    Post subject: Re: Solved!
Aksels wrote:
I already read the guidelines. But felt more info is not relevant.

You do not choose what is relevant. This is the reference for the previously quoted point 4 of the post I made in the forum rules and guidelines based on input from @egc:

https://forum.dd-wrt.com/forum/viewtopic.php?t=327

Your experience here depends on following the forum rules and guidelines. If you don't wish to get an abrasive response, especially from me, then follow the rules to the letter. Otherwise, we reserve the right to lock or delete posts and threads as we feel necessary.

_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net