help with iptables / routing


hunk-dory

New Around Here
hello!

I am using voxel's firmware and kamoj's addon in my r7800 router. Cheers to them for making these!

But there is something I want to do that I can't figure out by myself, I'm a bit out of my depth here. I hope someone here can help!

So:
- I use a VPN with kamoj's addon that does not support port forwarding
- I have a server / device I want to connect to from outside my network
- I want to connect to this device through my public ISP IP, not the VPN IP (because I can't)

I've tried to connect to the device by first moving it to the VPN bypass list in kamoj's addon and using the public IP address. It works great! Port forwarding takes care of connecting to the device.

Is there any iptables or similar magic to do the same but without forcing the device to bypass the VPN?

Cheers!
 
Hello,

You have a server in your LAN you want to reach from your WAN (ISP IP, not VPN) on specific port(s), for example 80 and 443.

So you want your router to forward connections incoming to your public ISP IP ports 80 and 443 to your LAN device (let's say 192.168.0.10 for the example).

You need a rule in the nat table for your router to know to forward to your server:
iptables -t nat -I PREROUTING -i brwan -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 192.168.0.10

In case your firewall is strict (deny default policy) on its filter tables (unlikely) you would need a rule like this to allow the forwarding:
iptables -I FORWARD -i brwan -o br0 -p tcp -m multiport --dports 80,443 -j ACCEPT
And in case the LAN would be denied to the WAN:
iptables -I FORWARD -i br0 -o brwan -p tcp -m multiport --dports 80,443 -j ACCEPT

The router should already know how to reach your server on your LAN by its routing tables, so no routing rules should be needed.

This is for IPv4, you might need additional rules for IPv6.
 
Isn't just using the port-forwarding settings in the GUI adding similar iptables rules?
What would be the benefit of using plain iptables instead of the GUI settings?

And I think it won't work without some form of VPN bypassing...
Traffic to the server in LAN will arrive via brwan from the ISP. But return traffic will follow the default route via tun21 towards the VPN provider. -> asymmetric routing -> usually doesn't work.

It seems @hunk-dory wants the LAN server to use the VPN for initiating outbound connections (for instance, the server downloading something from the internet) but also wants to use the ISP for responding to port-forwarded traffic (so that port forwards work).

This is also possible, but I don't recall that Kamoj implemented this.
I did something like this myself in the past, using a separate firewall-start script that uses iptables to mark packets that come from a specific source port on a specific source IP.
If the desired packets are marked with 0x213, then the existing kamoj bypass script should route those packets via ISP. All other (unmarked) packets will still use the VPN.

I'll need to check if I can find the iptables commands that I used in the past.
(Kamoj only uses this trick in ebtables, to be able to bypass WiFi interfaces).
 
Yes, it might be what the GUI does, or something slightly similar, but I think it is better to see the solution at the iptables/route level, then see if it can be implemented using GUI.

Asymmetric routing might be an issue, and policy-based routing can prevent it, using connmark (to mark the entire flow, both ways, and not just the incoming packet).

Probably something like this:
We create a routing rule saying that any connection marked (and possibly only from the LAN server IP) has to use the routing table #100.
ip rule add from all fwmark 0x1 lookup 100
or, restricted to the server:
ip rule add from <LAN SERVER IP> fwmark 0x1 lookup 100

And we add a default route in the routing table #100 to send the packets through the WAN (ISP IP).
ip route add default via <WAN GATEWAY IP> dev brwan proto static src <ISP PUBLIC IP> table 100 metric 1

Then in iptables, we need to add a connmark on the incoming traffic coming from the WAN (ISP) to the LAN server (to mark the whole connection, including the server's answers):
iptables -t raw -I PREROUTING -i brwan -p tcp -m multiport --dports 80,443 -j CONNMARK --set-mark 1

To be tried.
 
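As an added example (not code from this thread, from Voxel's firmware or from kamoj's addon), here is a firewall-start style script that puts together the two replies above: the DNAT and FORWARD rules from the first reply, and the policy routing plus connection marking from the later one. The interface names brwan and br0, the ports 80,443, the server address 192.168.0.10 and the mark 0x1 come from the thread; the gateway and public IP values, the rule priority 100, the use of the mangle table and the `ISP-REPLY:` log prefix are assumptions and placeholders. It adds a `--restore-mark` rule on the LAN side, because `ip rule ... fwmark` matches the per-packet mark, not the connection mark: without something copying the connmark back onto the server's reply packets (kamoj's bypass script may already do this), the replies would never be looked up in table 100. `DRY_RUN=1` prints the commands instead of running them, and `LOG_MARKED=1` appends a rate-limited LOG rule so that marked reply packets show up in the kernel log while troubleshooting.

```shell
#!/bin/sh
# Added example, not kamoj's or Voxel's code. Interface names and the server IP
# follow the thread; the gateway/public IP below are constructed placeholders.
WAN_IF="${WAN_IF:-brwan}"
LAN_IF="${LAN_IF:-br0}"
SERVER_IP="${SERVER_IP:-192.168.0.10}"   # LAN server from the thread's example
WAN_GW="${WAN_GW:-203.0.113.1}"          # placeholder; find yours with: ip route ls
WAN_IP="${WAN_IP:-203.0.113.45}"         # placeholder public ISP address
PORTS="${PORTS:-80,443}"
MARK="${MARK:-0x1}"                      # 0x1 as in the thread (kamoj uses 0x213)
TABLE="${TABLE:-100}"
PRIO="${PRIO:-100}"                      # assumption: must sort before the VPN rules

# Print the command instead of executing it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# 1. Policy routing: packets from the server that carry the mark are looked up
#    in table 100, whose default route points at the ISP gateway, not the tunnel.
policy_routes() {
    run ip route replace default via "$WAN_GW" dev "$WAN_IF" proto static src "$WAN_IP" table "$TABLE"
    run ip rule add from "$SERVER_IP" fwmark "$MARK" lookup "$TABLE" priority "$PRIO"
}

# 2. NAT and filter: publish the ports and permit both directions of the flow
#    (only needed if the FORWARD chain has a DROP default policy).
dnat_rules() {
    run iptables -t nat -I PREROUTING -i "$WAN_IF" -p tcp -m multiport --dports "$PORTS" -j DNAT --to-destination "$SERVER_IP"
    run iptables -I FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -m multiport --dports "$PORTS" -j ACCEPT
    run iptables -I FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp -m multiport --sports "$PORTS" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# 3. Marking: tag the connection when its first packet arrives from the ISP,
#    then copy the connection mark onto every reply packet leaving the server.
#    mangle PREROUTING runs before the nat hook, so the reply still has the
#    server's private source address here, matching the 'ip rule from' above.
mark_rules() {
    run iptables -t mangle -I PREROUTING -i "$WAN_IF" -p tcp -m multiport --dports "$PORTS" -m conntrack --ctstate NEW -j CONNMARK --set-mark "$MARK"
    run iptables -t mangle -I PREROUTING -i "$LAN_IF" -s "$SERVER_IP" -p tcp -m multiport --sports "$PORTS" -j CONNMARK --restore-mark
}

# Optional troubleshooting aid: log marked reply packets (rate-limited) so a
# mistake in the rules above is visible in dmesg / syslog.
log_rules() {
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$SERVER_IP" -m mark --mark "$MARK" -m limit --limit 6/min -j LOG --log-prefix "ISP-REPLY: "
}

apply_all() {
    policy_routes
    dnat_rules
    mark_rules
    [ "${LOG_MARKED:-0}" = "1" ] && log_rules
    return 0
}

# Usage:  sh isp-reply.sh show   (print the commands)
#         sh isp-reply.sh apply  (run them, as root on the router)
case "${1:-}" in
    show)  DRY_RUN=1 apply_all ;;
    apply) apply_all ;;
esac
```

Two things to check after applying it: `ip rule show` should list the fwmark rule ahead of whatever rules the VPN bypass script installed, and `iptables -t mangle -L PREROUTING -v -n` should show the `--restore-mark` rule's packet counter increasing while a client connects from outside; if the counter stays at zero the replies are not being marked and will follow the VPN default route.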
Thank you both so much for your help: this works!

I can access my home server through HTTPS (the port forward) but the remaining traffic (initiated by the server in the LAN) is routed through the VPN.

The rules / commands you provided worked without any tweaking, although I was a bit lost trying to find the WAN GATEWAY IP. Searching around, I found an example for brwan already there with `ip route ls`

I'm not sure how I would debug this though, if I had made a mistake. Is there an easy way to generate logs for this? I know we can use LOG as an action in iptables. How would you approach it?
 
