Topic: WZR-HP-G300NH2 - DD-WRT v24SP2-MULTI (10/31/11) std (SVN revision 17798) - NAT problem

afonya

  • Calf
  • *
  • Posts: 2

Hi,

I would like to set up the following scenario:

Machine A ------- Router ------- Buffalo Router ------- Machine B
192.168.51.51                    192.168.215.30 (WAN)   192.168.9.4
(Mach A IP)                      192.168.9.55 (LAN)

Between Machine A and Buffalo Router there is an openvpn connection working fine. The ping goes from one side to another without any problem through the VPN connection.

The ping is working from BuffaloRouter to machine B.

Goal: to reach from Machine A ---> Machine B using the openvpn connection (tun0).

The problem: the packets do not hit the iptables PREROUTING part. I have no idea why.

When I try to ping Machine B I can't see any message within the /var/log/messages that my packets are going through the NAT PREROUTING chain.

What I see on Machine A: tracepath 10.20.0.132
 1:  10.8.0.1 (10.8.0.1)                                    0.185ms pmtu 1500
 1:  10.20.0.131 (10.20.0.131)                              2.563ms
 1:  10.20.0.131 (10.20.0.131)                              1.776ms
 2:  no reply

....

Routing table on Buffalo:

root@OpenVpn router:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.1        *               255.255.255.255 UH    0      0        0 tun0
192.168.215.1   *               255.255.255.255 UH    0      0        0 vlan2
192.168.215.0   *               255.255.255.192 U     0      0        0 vlan2
192.168.9.0     *               255.255.255.0   U     0      0        0 br0
192.168.9.0     *               255.255.255.0   U     0      0        0 br0
169.254.0.0     *               255.255.0.0     U     0      0        0 br0
239.0.0.0       *               255.0.0.0       U     0      0        0 br0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         192.168.215.1   0.0.0.0         UG    0      0        0 vlan2

The NAT table on Buffalo:

root@OpenVpn router:~# iptables  -t nat -nvL --line-numbers
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 LOG        0    --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 7 prefix ` PREROUTING '
2        0     0 DNAT       0    --  tun0   *       0.0.0.0/0            10.20.0.132         to:192.168.9.4
3        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.215.30      tcp dpt:8080 to:192.168.9.55:80
4        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.215.30      tcp dpt:22 to:192.168.9.55:22
5        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.215.30      tcp dpt:23 to:192.168.9.55:23
6        0     0 DNAT       icmp --  *      *       0.0.0.0/0            192.168.215.30      to:192.168.9.55
7        0     0 DNAT       0    --  tun0   *       0.0.0.0/0            10.20.0.132         to:192.168.9.4

Chain OUTPUT (policy ACCEPT 21934 packets, 911K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       10   938 LOG        0    --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 7 prefix ` OUTPUT NAT'

Chain POSTROUTING (policy ACCEPT 21934 packets, 911K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       10   938 LOG        0    --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 7 prefix ` POSTROUTING '
2        0     0 MASQUERADE  0    --  *      *       10.8.0.1             192.168.9.4

The iptables filter table is empty and it is on ACCEPT.

Chain INPUT (policy ACCEPT 334K packets, 42M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 34 packets, 8520 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 308K packets, 60M bytes)
 pkts bytes target     prot opt in     out     source               destination

 -----------------------------------------------------------

On Machine B (192.168.9.4) there is a Wireshark running, and it shows no incoming ping when I try to ping from Machine A. There are incoming and outgoing ICMP packages only if I ping from Buffalo Router directly to 192.168.9.4.

I also tried tcpdump on Buffalo Router, but there is no trace that the NATting has been done.

------------------

Maybe there is a configuration step that I missed, but I have no idea what the problem is.

Theoretically this configuration should work.


afonya

  • Calf
  • *
  • Posts: 2

Hi All,

There is a table called raw, and by default it contains the following entry:

Chain PREROUTING (policy ACCEPT 440K packets, 52M bytes)
 pkts bytes target     prot opt in     out     source               destination
 429K   51M NOTRACK    0    --  *      *       0.0.0.0/0            0.0.0.0/0

When I deleted this entry, the NAT started to work correctly.

http://wiki.openwrt.org/doc/uci/firewall - see the NOTRACK part.
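
The root cause above (a catch-all NOTRACK rule in the raw table disabling connection tracking, which DNAT and MASQUERADE depend on) can be checked and fixed more narrowly than by deleting the rule. The following is an added example, not code from the thread or from DD-WRT: it parses a constructed copy of the `iptables -t raw -nvL --line-numbers` output and prints commands that exempt only the VPN traffic from NOTRACK. The interface name tun0 and the LAN host 192.168.9.4 are taken from the thread; the helper names are my own.

```shell
# Added example (not from the thread): find a catch-all NOTRACK rule in raw PREROUTING
# that stops conntrack, and therefore DNAT/MASQUERADE, for VPN traffic. Instead of
# deleting the rule (which re-enables tracking for all traffic), the fix exempts only
# the tun0 flows and their replies. The listing below is constructed to match the
# thread; VPN_IF and LAN_HOST are assumptions taken from the posts.
VPN_IF="tun0"
LAN_HOST="192.168.9.4"

# Constructed copy of `iptables -t raw -nvL --line-numbers` as seen in the thread.
RAW_LISTING='Chain PREROUTING (policy ACCEPT 440K packets, 52M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     429K   51M NOTRACK    0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 10K packets, 1M bytes)
num   pkts bytes target     prot opt in     out     source               destination'

# Print the number of the first NOTRACK rule in raw PREROUTING that matches every
# packet arriving on the given interface; print nothing if an earlier ACCEPT already
# exempts that interface (ACCEPT in the raw table ends the chain, so the packet is tracked).
find_catchall_notrack() {
    printf '%s\n' "$1" | awk -v iface="$2" '
        /^Chain / { chain = $2; next }
        /^num/    { next }
        chain == "PREROUTING" && $4 == "ACCEPT" && ($7 == iface || $7 == "*") { exit }
        chain == "PREROUTING" && $4 == "NOTRACK" && ($7 == "*" || $7 == iface) &&
        $8 == "*" && $9 == "0.0.0.0/0" && $10 == "0.0.0.0/0" { print $1; exit }'
}

# Commands to insert ahead of the catch-all rule: track packets from the VPN interface
# and the replies from the LAN host, otherwise the reverse translation never happens.
fix_commands() {
    rule="$1"
    printf 'iptables -t raw -I PREROUTING %s -i %s -j ACCEPT\n' "$rule" "$VPN_IF"
    printf 'iptables -t raw -I PREROUTING %s -s %s -j ACCEPT\n' "$rule" "$LAN_HOST"
}

main() {
    rule=$(find_catchall_notrack "$RAW_LISTING" "$VPN_IF")
    if [ -n "$rule" ]; then
        echo "raw PREROUTING rule $rule is a catch-all NOTRACK; $VPN_IF packets skip NAT."
        echo "Suggested fix (run on the router, then re-check the DNAT rule counters):"
        fix_commands "$rule"
    else
        echo "No catch-all NOTRACK rule found in raw PREROUTING for $VPN_IF."
    fi
}
main
```

After applying the fix, the pkts counter on the `DNAT ... tun0 ... 10.20.0.132` rule in `iptables -t nat -nvL` should start increasing when Machine A pings.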


davo

  • Really Big Bull
  • VIP
  • *
  • Posts: 5928
Any reason why you're not using one of the newer builds?
PM me for TFTP / Boot Images / Recovery files / LSRecovery.exe file.