Hi, I am attempting to convert an RT-AC87U to a pure router with non-blocking/non-altering iptables/ip6tables rules for an internal IT lab.
I resolved my problem. I set LAN - Switch Control - "NAT Acceleration" to "Disabled".
After I disable NAT via the web interface, the traffic stops flowing. From within the web interface both the IPv4 firewall and the IPv6 firewall are disabled.
As shown below, I removed all the iptables/ip6tables rules except for -A POSTROUTING ! -s 10.a.b.c/32 -o vlan2 -j MASQUERADE [this rule exists within /tmp/nat_rules_vlan2_vlan2].
After I remove the rule above, traffic stops traversing from the "br0" network to the "vlan2" network.
As expected, after I disable NAT via the web interface the rule is removed.
Interestingly enough, even after I remove the NAT rule I am able to confirm via traceroute that ICMP traffic flows back and forth between two test machines, one on each network. However, other traffic does not flow. If this were a mission-critical issue I would have installed Wireshark on the client machines ...
It appears the device will not allow anyone to alter its primary function, which is to exist as a "gateway" router with the NAT rule.
Has anyone gone down this rabbit hole and emerged with a functioning configuration that is similar to my goal? If you have been successful may I impose on you to please share your configuration with me?
Thank you
Shown below are the current iptables/ip6tables rules, and further down I have included the IPv4 and IPv6 routes. The data has been altered for public posting.
iptables -t mangle -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
iptables -t raw -S
-P PREROUTING ACCEPT
-P OUTPUT ACCEPT
iptables -t filter -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N ACCESS_RESTRICTION
-N DNSFILTER_DOT
-N FUPNP
-N INPUT_ICMP
-N NSFW
-N OVPN
-N PControls
-N PTCSRVLAN
-N PTCSRVWAN
-N SECURITY
-N default_block
-N logaccept
-N logdrop
-N other2wan
iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N DNSFILTER
-N LOCALSRV
-N PCREDIRECT
-N PUPNP
-N VSERVER
-N VUPNP
-A POSTROUTING ! -s 10.a.b.c/32 -o vlan2 -j MASQUERADE
ip6tables -t mangle -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
ip6tables -t filter -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N NSFW
-N PControls
-N UPNP
-N logaccept
-N logdrop
Notes: 10.a.b.c (altered for public posting) is the IPv4 address assigned to VLAN2
10.d.e.0/24 (altered for public posting) is the network on the br0 side
/tmp/nat_rules_vlan2_vlan2 [I added a space after the colon because the text was being altered with images.]
*nat
: PREROUTING ACCEPT [0:0]
: POSTROUTING ACCEPT [0:0]
: OUTPUT ACCEPT [0:0]
: VSERVER - [0:0]
: LOCALSRV - [0:0]
: PUPNP - [0:0]
: VUPNP - [0:0]
: DNSFILTER - [0:0]
: PCREDIRECT - [0:0]
-A PREROUTING -d 10.a.b.c -j VSERVER
-A VSERVER -j VUPNP
-A POSTROUTING -o vlan2 -j PUPNP
-A POSTROUTING -o vlan2 ! -s 10.a.b.c -j MASQUERADE
-A POSTROUTING -o br0 -s 10.d.e.0/24 -d 10.d.e.0/24 -j MASQUERADE
COMMIT
route
Kernel IP routing table (altered for public posting)
Destination Gateway Genmask Flags Metric Ref Use Iface
10.a.b.c * 255.255.255.255 UH 0 0 0 vlan2
169.254.39.0 * 255.255.255.0 U 0 0 0 br0
10.d.e.0 * 255.255.255.0 U 0 0 0 br0
10.a.b.0 * 255.255.255.0 U 0 0 0 vlan2
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default router1.asus.ho 0.0.0.0 UG 0 0 0 vlan2
route -A inet6 (altered for public posting)
Kernel IPv6 routing table
Destination Next Hop Flags Metric Ref Use Iface
2001:AAA:BBBB::1/128 2001:AAA:BBBB::1 UC 0 0 5431 vlan2
2001:AAA:BBBB::1/128 :: U 1 0 1 vlan2
2001:AAA:BBBB::/64 :: U 256 0 0 vlan2
2001:AAA:BBBB:1::188/128 2001:AAA:BBBB:1::188 UC 0 0 14940 br0
2001:AAA:BBBB:1::/64 :: U 256 0 0 br0
fe80::/64 :: U 256 0 0 eth0
fe80::/64 :: U 256 0 0 eth1
fe80::/64 :: U 256 0 0 vlan1
fe80::/64 :: U 256 0 0 vlan2
fe80::/64 :: U 256 0 0 br0
fe80::/64 :: U 256 0 0 ifb0
fe80::/64 :: U 256 0 0 ifb1
fe80::/64 :: U 256 0 0 aux0
::/0 2001:AAA:BBBB::1 UG 1 0 1161 vlan2
::/0 :: !n -1 6 197342 lo
::1/128 :: Un 0 1 24 lo
2001:AAA:BBBB::/128 :: Un 0 1 0 lo
2001:AAA:BBBB::254/128 :: Un 0 1 35960 lo
2001:AAA:BBBB:1::/128 :: Un 0 1 0 lo
2001:AAA:BBBB:1::1/128 :: Un 0 1 48491 lo
fe80::/128 :: Un 0 1 0 lo
fe80::/128 :: Un 0 1 0 lo
fe80::/128 :: Un 0 1 0 lo
fe80::/128 :: Un 0 1 0 lo
fe80::/128 :: Un 0 1 0 lo
fe80::/128 :: Un 0 1 0 lo
fe80::/128 :: Un 0 1 0 lo
fe80::b471:ccff:fe4a:bced/128 :: Un 0 1 0 lo
fe80::c4c7:9aff:fe8b:2632/128 :: Un 0 1 0 lo
fe80::d217:c2ff:feb3:3b40/128 :: Un 0 1 0 lo
fe80::d217:c2ff:feb3:3b40/128 :: Un 0 1 0 lo
fe80::d217:c2ff:feb3:3b40/128 :: Un 0 1 3744 lo
fe80::d217:c2ff:feb3:3b40/128 :: Un 0 1 3997 lo
fe80::d217:c2ff:feb3:3b40/128 :: Un 0 1 0 lo
ff02::1/128 ff02::1 UC 0 0 10119 vlan2
ff02::1/128 ff02::1 UC 0 0 10126 br0
ff02::fb/128 ff02::fb UC 0 0 2 vlan2
ff02::1:ff00:103/128 ff02::1:ff00:103 UC 0 0 1 vlan2
ff00::/8 :: U 256 0 0 eth0
ff00::/8 :: U 256 0 0 eth1
ff00::/8 :: U 256 0 0 vlan1
ff00::/8 :: U 256 0 0 vlan2
ff00::/8 :: U 256 0 0 br0
ff00::/8 :: U 256 0 0 ifb0
ff00::/8 :: U 256 0 0 ifb1
ff00::/8 :: U 256 0 0 aux0
::/0 :: !n -1 6 197342 lo
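A check the post's goal implies, added here as an example rather than anything taken from the post or from the Asus firmware: a POSIX sh audit over an `iptables -S`-style dump that flags any remaining address-translating rule or non-ACCEPT default policy, which is what "pure router" means in rule terms. The two sample dumps are constructed from the nat table shown in the post.

```shell
# Added example (not from the original post): audit an `iptables -t nat -S` or
# `ip6tables -S` dump and decide whether the box is a "pure router": every
# built-in policy ACCEPT and no MASQUERADE/SNAT/DNAT/REDIRECT/NETMAP rule left.
# On the router itself: iptables -t nat -S | pure_router_audit
pure_router_audit() {
    nat_rules=0
    bad_policy=0
    while IFS= read -r line; do
        case "$line" in
            "-P "*)
                # "-P CHAIN TARGET": a non-ACCEPT default policy blocks traffic.
                set -- $line
                if [ "$3" != "ACCEPT" ]; then
                    echo "policy of $2 is $3"
                    bad_policy=$((bad_policy + 1))
                fi
                ;;
            *" -j MASQUERADE"*|*" -j SNAT"*|*" -j DNAT"*|*" -j REDIRECT"*|*" -j NETMAP"*)
                echo "translating rule: $line"
                nat_rules=$((nat_rules + 1))
                ;;
        esac
    done
    echo "translating rules: $nat_rules, non-ACCEPT policies: $bad_policy"
    [ "$nat_rules" -eq 0 ] && [ "$bad_policy" -eq 0 ]
}
# Convenience wrapper so a dump held in a variable can be audited.
audit_text() { printf '%s\n' "$1" | pure_router_audit; }
# Constructed sample: the nat table as the post shows it, including the one
# MASQUERADE rule whose removal broke br0 -> vlan2 traffic.
POST_NAT_DUMP='-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N VSERVER
-A POSTROUTING ! -s 10.a.b.c/32 -o vlan2 -j MASQUERADE'
# Constructed sample: the same table with the MASQUERADE rule gone, which is
# the state the post is aiming for.
CLEAN_NAT_DUMP='-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N VSERVER'
audit_text "$POST_NAT_DUMP" || echo "-> still translating (as in the post)"
audit_text "$CLEAN_NAT_DUMP" && echo "-> pure router"
```

Run it against both `iptables -t nat -S` and `ip6tables -t nat -S` (if an IPv6 nat table exists on the firmware) to confirm that no translation survives on either family.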