A problem on routing the tcp traffic from one local IP to another IP

[qb0097]

Recently I installed a VPN on my PC (192.168.1.52) and I set it listen on address 0.0.0.0:1081. Then I tried to route all tcp packet from my Nintendo Switch (192.168.1.151) to the proxy by using following command:

iptables -t nat -A PREROUTING -s 192.168.1.151 -p tcp -j DNAT --to-destination 192.168.1.52:1081
iptables -t nat -A FORWARD -d 192.168.1.52 -dport 1081 -j ACCEPT

But it did not work. So I used Wireshark to check the packet traffic on my PC, and I found that my PC do have received tcp packet on Port 1081. But It's source IP is 192.168.1.1. I did some research and changed my my command to following:

iptables -t nat -A PREROUTING -s 192.168.1.151 -p tcp -j DNAT --to-destination 192.168.1.52:1081
iptables -t nat -A POSTROUTING -d 192.168.1.52 -dport 1081 -p tcp -j SNAT --to-source 192.168.1.151
iptables -t nat -A FORWARD -d 192.168.1.52 -dport 1081 -j ACCEPT

But it still did not work. The source IP of the received tcp packet was still 192.168.1.1. Now I have no idea on this issue. Could someone help me out of this problem?

 

[qb0097]

I have googled again and again. And found some people explained that CTF causes this problem. I tried to turn off CTF. But it still NOT work.

 

[ColinTaylor]

Maybe I'm missing something but I can't see how this could achieve anything useful.

Say your Nintendo wants to communicate with a web server at 111.222.333.444:80. Your DNAT rule changes the destination from 111.222.333.444:80 to 192.168.1.52:1081. So it will have successfully reached the specified destination. The fact that you are running a VPN server on 192.168.1.52 is largely irrelevant because you need (in this example) to be running a web server at the destination.

You referred to a "proxy" earlier, but a VPN server is not a proxy.

 

[qb0097]

Maybe I'm missing something but I can't see how this could achieve anything useful.

Say your Nintendo wants to communicate with a web server at 111.222.333.444:80. Your DNAT rule changes the destination from 111.222.333.444:80 to 192.168.1.52:1081. So it will have successfully reached the specified destination. The fact that you are running a VPN server on 192.168.1.52 is largely irrelevant because you need (in this example) to be running a web server at the destination.

You referred to a "proxy" earlier, but a VPN server is not a proxy.

Thanks for your reply.

Sorry for my unclear description, I am running a VPN client on 192.168.1.52 and it works well. Now the problem is how to redirect the packet from 192.168.1.151 to the client correctly. I am confused about what makes the source IP of those packet change to 192.168.1.1.

 

[Jack Yaz]

Thanks for your reply.

Sorry for my unclear description, I am running a VPN client on 192.168.1.52 and it works well. Now the problem is how to redirect the packet from 192.168.1.151 to the client correctly. I am confused about what makes the source IP of those packet change to 192.168.1.1.

Surely you need to adjust the gateway of the Switch to the 192.168.1.52 address, assuming the Switch allows for manual network configuration?

 

[ColinTaylor]

The source IP address changes because of your DNAT rule. This is how it's supposed to work. The router maintains a conntrack table with allows it to "reverse" this change when traffic replies from the destination.

Without knowing exactly what you're trying to achieve it's hard to speculate. If you're trying to route the Nintendo through your PC you need to change the routing, not DNAT stuff. You also need to be running more than just a VPN client on your PC.

 

[qb0097]

Surely you need to adjust the gateway of the Switch to the 192.168.1.52 address, assuming the Switch allows for manual network configuration?

Thanks. In this way, my PC can recieve the packet sent from Nintendo which the source IP is correct. But now I have no idea how to redirect those packet to my VPN client port on my PC. Is there any tool can do this?

 

[qb0097]

The source IP address changes because of your DNAT rule. This is how it's supposed to work. The router maintains a conntrack table with allows it to "reverse" this change when traffic replies from the destination.

Without knowing exactly what you're trying to achieve it's hard to speculate. If you're trying to route the Nintendo through your PC you need to change the routing, not DNAT stuff. You also need to be running more than just a VPN client on your PC.

Thanks, it's my first timeto hear this. But some example I found through google say DNAT can work well. Is that something changed on firmware recently that makes DNAT not work an more?

 

[ColinTaylor]

Thanks, it's my first timeto hear this. But some example I found through google say DNAT can work well. Is that something changed on firmware recently that makes DNAT not work an more?

I think the answer is don't believe everything you read on the internet, especially from "gamers" who rarely understand networking (but think they do).

Nothing has changed regarding DNAT. It redirects traffic to a different destination. From what you've said it sounds like you still want the Nintendo to go to the same destination, you just want it to go via a different route (i.e. via your VPN). So your question is about routing and nothing to do with DNAT.

 

[qb0097]

I think the answer is don't believe everything you read on the internet, especially from "gamers" who rarely understand networking (but think they do).

Nothing has changed regarding DNAT. It redirects traffic to a different destination. From what you've said it sounds like you still want the Nintendo to go to the same destination, you just want it to go via a different route (i.e. via your VPN). So your question is about routing and nothing to do with DNAT.

I agree. Is there any other solution can do this?

 

[ColinTaylor]

I agree. Is there any other solution can do this?

What router and firmware version are you running? Who is your VPN provider?

If your VPN provider is compatible with the router's built-in VPN client then you can do it on the router and not have to bother with the PC at all.

 

[qb0097]

What router and firmware version are you running? Who is your VPN provider?

If your VPN provider is compatible with the router's built-in VPN client then you can do it on the router and not have to bother with the PC at all.

Asus RT-AC68U and firmware version is 384.8_alpha1. VPN provider is V2Ray. It can install into router, but it's not convinent and I'm afraid that it would cause some unknown problem.

 

[ColinTaylor]

Sorry, I'm not familiar with VPN proxy software for the PC. It's not my area of knowledge. Hopefully some other members can suggest something.

 

[qb0097]

Sorry, I'm not familiar with VPN proxy software for the PC. It's not my area of knowledge. Hopefully some other members can suggest something.

Thank you all the way！

 

[CaptainSTX]

I have never tried sharing a VPN client running on a PC but a couple of things I would check with your VPN provider.
1. Have you signed up for a plan that lets more than one device to connect at the same time?
2. Does your provider's app allow facilitate sharing a VPN connection running on PC?

I know one of the VPN providers I have used offers the option to share a connection, but I never have tired it nor do I know if they charge for it. I either run a VPN client on devices when I am using public WiFi or run the VPN client on a router.

 

[qb0097]

I have never tried sharing a VPN client running on a PC but a couple of things I would check with your VPN provider.
1. Have you signed up for a plan that lets more than one device to connect at the same time?
2. Does your provider's app allow facilitate sharing a VPN connection running on PC?

I know one of the VPN providers I have used offers the option to share a connection, but I never have tired it nor do I know if they charge for it. I either run a VPN client on devices when I am using public WiFi or run the VPN client on a router.

It is an open source VPN tool and it can share connections with other device.

 

[qb0097]

Sorry, I'm not familiar with VPN proxy software for the PC. It's not my area of knowledge. Hopefully some other members can suggest something.

I try to setup a vpn client on my router. It creates a tun interface tun100, and a subnet 10.222.2.0. Now there is a problem on Routing the traffic from 192.168.1.150/24 to tun100. Could you please help me out?

 

[ColinTaylor]

I try to setup a vpn client on my router. It creates a tun interface tun100, and a subnet 10.222.2.0. Now there is a problem on Routing the traffic from 192.168.1.150/24 to tun100. Could you please help me out?

On the VPN Client page look at "Redirect Internet traffic" = "Policy Rules (strict)."

I thought you only wanted your Nintendo to go through the VPN, therefore create a rule that routes 192.168.1.151 through the VPN (don't use 192.168.1.150/24 because that is the whole subnet). By default, all traffic goes through the WAN so you don't need a rule for that.

https://github.com/RMerl/asuswrt-merlin/wiki/Policy-based-routing