Disable NAT for certain destination addresses


grogi

Occasional Visitor
Because my ISP forces me to use certain hardware, and because of where the outlets, rooms etc. are located, I ended up with a somewhat awkward setup:

Code:
                                  .178.1          .178.4            .64.1   .64.xxx
(internet) <------> DSL Modem/Router +---------------> Merlin rt-ac68u +------ Pc1
                                     |                                 +------ Pc2
                                     |                                 +------ Phone1
                                     |                                 +------ TV
                                     |                                 +------ .....
                                     |
                                     |                                      .178.xxx
                                     +---------------------------------------- Srv1
                                     +---------------------------------------- Srv2


I can connect from Pc1 to Srv1 no problem. On the Asus I have also disabled the firewall, and on the DSL router I entered a static route to network 192.168.64.0/24. This allows me to ping Srv1 from Pc1 etc. All good.

The only issue I have is that the traffic going from Pc1 to Srv1 still goes through the NAT and Srv1 sees it as coming from Merlin 192.168.178.4, not Pc1. How to disable NAT for packets that are addressed to 192.168.178.0/24 network? I don't want to disable NAT completely.
 
Why don't you disable NAT completely on the Asus? Any traffic to or from the internet will still be NATed by the ISP router.

Your existing Asus NAT rule should look something like this:
Code:
-A POSTROUTING ! -s 192.168.178.4/32 -o eth0 -j MASQUERADE
Your WAN interface might be vlan2 depending on whether you have hardware acceleration enabled.
 
> Why don't you disable NAT completely on the Asus? Any traffic to or from the internet will still be NATed by the ISP router.

On top of the regular, physical clients I have a good bunch of virtual IPs from Docker containers floating around. That ISP router starts to go bananas when it sees ~30 or more IPs on the LAN side. Putting the majority of my physical clients behind a second NAT running on the Asus RT-AC68U reduces that number to approximately 15 addresses it sees.
 
All right. I've put this into /jffs/scripts/firewall-start. Seems to be working.

Bash:
#!/bin/sh
# Allow traffic from the upstream LAN (behind the ISP router) arriving on the WAN
# interface to reach the Asus LAN; inserted at position 1 so it is evaluated first.
iptables        -I FORWARD 1     -s 192.168.178.0/24 -d 192.168.64.0/24 -i vlan2 -j ACCEPT
# Leave the nat POSTROUTING chain before the MASQUERADE rule for packets destined
# to the upstream LAN, so Srv1 sees the real 192.168.64.x source address.
iptables -t nat -I POSTROUTING 1 -d 192.168.178.0/24                    -o vlan2 -j RETURN

-- edit

The above works fine only for Wireless clients. Hardware NAT acceleration gets confused with rules like that and I had to disable it and replace vlan2 with eth0.
 
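The following is an added example, not grogi's script and not part of Asuswrt-Merlin, that packages the approach from the two posts above (a RETURN ahead of the MASQUERADE rule in nat POSTROUTING, plus a FORWARD accept for the upstream LAN) into a firewall-start script that looks up the WAN interface itself and can be re-run without stacking duplicate rules. It assumes an Asuswrt-Merlin router where `nvram get wan0_ifname` names the WAN interface; the function names, the DRY_RUN switch and the default networks are illustrative choices, not taken from the thread.

```shell
#!/bin/sh
# Added example (not the poster's script): idempotent /jffs/scripts/firewall-start
# that exempts traffic to the upstream LAN from the Asus MASQUERADE rule.
# Assumptions: Asuswrt-Merlin with iptables, and nvram variable wan0_ifname
# holding the WAN interface name (vlan2 or eth0 depending on HW acceleration).

UPSTREAM_NET="${UPSTREAM_NET:-192.168.178.0/24}"   # LAN behind the ISP router
LOCAL_NET="${LOCAL_NET:-192.168.64.0/24}"          # LAN behind the Asus
DRY_RUN="${DRY_RUN:-0}"                            # 1 = print commands only

# Pick the WAN interface: explicit argument first, then nvram, else eth0.
wan_iface() {
    if [ -n "$1" ]; then
        printf '%s\n' "$1"
    elif command -v nvram >/dev/null 2>&1; then
        nvram get wan0_ifname
    else
        printf '%s\n' eth0
    fi
}

# Emit the rules as "table|chain|rulespec" lines so they can be inspected
# (and tested) without touching the kernel. Order matters: both go to
# position 1 of their chain so they sit above the stock MASQUERADE/DROP rules.
nat_bypass_rules() {
    wan="$1"
    printf 'nat|POSTROUTING|-d %s -o %s -j RETURN\n' "$UPSTREAM_NET" "$wan"
    printf 'filter|FORWARD|-s %s -d %s -i %s -j ACCEPT\n' "$UPSTREAM_NET" "$LOCAL_NET" "$wan"
}

# Insert each rule only if iptables -C says it is not already there, so a
# second run of firewall-start (e.g. after a WAN reconnect) adds nothing twice.
apply_rules() {
    nat_bypass_rules "$1" | while IFS='|' read -r table chain spec; do
        if [ "$DRY_RUN" = 1 ]; then
            echo "iptables -t $table -I $chain 1 $spec"
        elif ! iptables -t "$table" -C "$chain" $spec 2>/dev/null; then
            iptables -t "$table" -I "$chain" 1 $spec
        fi
    done
}

# Number of bypass rules the script manages (handy for a sanity check).
count_rules() { nat_bypass_rules "$1" | wc -l | tr -d ' '; }

# Only act when invoked as "firewall-start --run [iface]"; sourcing does nothing.
if [ "${1:-}" = "--run" ]; then
    apply_rules "$(wan_iface "${2:-}")"
fi
```

Run it as `sh /jffs/scripts/firewall-start --run` to apply, or `DRY_RUN=1 sh /jffs/scripts/firewall-start --run` to see the exact iptables commands first; if the interface nvram reports is not the one the packets actually leave on (the vlan2 vs eth0 situation grogi ran into with hardware acceleration), pass it explicitly, e.g. `--run eth0`. Afterwards `iptables -t nat -vnL POSTROUTING` should show the RETURN rule above the MASQUERADE rule, and its packet counter should climb when Pc1 talks to Srv1.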
