How to NAT traffic inbound to a specific host or network?


mekabe remain

Regular Contributor
This might not be an Asuswrt-Merlin specific question and might have a solution on plain/official firmware. However, I preferred to post here because maybe there is a specific solution on Merlin fw.
Since I am using the Merlin fw, I believe this might be the correct place.

I have 2 houses with separate internet access. On one of them I have Asus AX88U and Asus mesh and also a static IP address.
On the other house I have Keenetic router and Keenetic's wifi extenders. On this house I don't have static IP address.

Keenetic router has OpenVPN client feature and connects to the Asus router's OpenVPN server.
LAN subnet on Keenetic is 192.168.1.0/24
LAN subnet on Asus is 192.168.254.0/24

OpenVPN provides free access between these 2 subnets and I can access resources on both networks from either house's LAN.
I can also access resources on the Asus network (192.168.254.0) remotely (mobile) using port forwarding on the Asus router.

Now, I want to use port forwarding on Asus router to be able to access resources on Keenetic network (192.168.1.0) using the static IP on Asus router.

So for example, I want to access Radarr server on 192.168.1.40 port 7878
I added port forwarding on external port 17878 to internal 192.168.1.40 and port 7878

Packets from outside reach the static IP address on the Asus and are redirected to 192.168.1.40 on the Keenetic router through the VPN.
I can see this on the server side.
external -> Asus:17878 -> OpenVPN tunnel -> Keenetic -> 192.168.1.40

However, the packet reaching the server at 192.168.1.40 has the external (global) IP address as its source.
So the server tries to return through its default route on the Keenetic router (Keenetic's internet access).

That's why I want to use NAT on the Asus router for the incoming packet. How can I make the Asus use NAT on the source address if the destination is behind the VPN tunnel?
If it could replace the source with the Asus router's internal IP address, my problem would be resolved.

Or is there any other alternative solution?
 
This sounds like a site-to-site configuration. And in such cases, you normally do NOT NAT the tunnel in either direction. But in this case, you need to NAT the tunnel on the server side in order to force replies from mobile devices that reach the Keenetic router back through that same tunnel. You could do this for ALL traffic initiated from the server side, or specifically that traffic NOT being sourced from 192.168.254.x.

Code:
iptables -t nat -I POSTROUTING ! -s 192.168.254.0/24 -d 192.168.1.0/24 -j MASQUERADE

Of course, you could get even more specific by including the destination port(s), but I left it more generalized in case you changed or added ports later.
 
OK, thanks. How can I make this iptables command permanent?
 
You need to create a nat-start script, as explained in the following link.
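As an added illustration (not code from the thread or from the Asuswrt-Merlin project), here is what such a nat-start script could look like. It wraps the MASQUERADE rule from the earlier answer and inserts it only when `iptables -t nat -C` reports it is absent, so re-running the script after the firewall is rebuilt (for example after a port forward is changed) does not stack duplicate copies in POSTROUTING. The path `/jffs/scripts/nat-start`, the `IPTABLES` override variable, and the function names are assumptions for this example.

```shell
#!/bin/sh
# Example Asuswrt-Merlin user script, assumed to live at /jffs/scripts/nat-start
# (JFFS custom scripts must be enabled in the router's Administration page).
# Masquerades traffic leaving toward the remote LAN unless it already comes
# from the local LAN, so replies from remote hosts come back through the tunnel.

LOCAL_LAN="${LOCAL_LAN:-192.168.254.0/24}"   # Asus side (from the thread)
REMOTE_LAN="${REMOTE_LAN:-192.168.1.0/24}"   # Keenetic side (from the thread)
IPTABLES="${IPTABLES:-iptables}"             # overridable so the logic can be exercised without root

# The rule specification, shared by check (-C), insert (-I) and delete (-D).
nat_rule_spec() {
    echo "POSTROUTING ! -s $LOCAL_LAN -d $REMOTE_LAN -j MASQUERADE"
}

# Insert the rule only if it is not already present (idempotent on re-runs).
ensure_nat_rule() {
    spec=$(nat_rule_spec)
    # word-splitting of $spec into separate iptables arguments is intended
    if $IPTABLES -t nat -C $spec 2>/dev/null; then
        echo "nat-start: masquerade rule already present"
        return 0
    fi
    $IPTABLES -t nat -I $spec
}

# Diagnostic: how many copies of the rule exist in POSTROUTING (0 or 1 expected).
count_nat_rule() {
    $IPTABLES -t nat -S POSTROUTING | grep -c -- "! -s $LOCAL_LAN -d $REMOTE_LAN -j MASQUERADE"
}

# Only apply the rule when executed as the real nat-start hook, not when sourced for testing.
case "$0" in
    */nat-start) ensure_nat_rule ;;
esac
```

After installing it, `iptables -t nat -vnL POSTROUTING` should show a single MASQUERADE line with a source of `!192.168.254.0/24` and a destination of `192.168.1.0/24`, and its packet counter should climb when a remote client hits the forwarded port.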

 
Thanks, that works.
But any port forwarding rule added after that time overrides this iptables command.
Is there any script that would run after any new NAT rule?
 
I'm not sure what you mean. Any port forward (added, changed, removed) only affects the VSERVER chain of the NAT table.

Code:
iptables -t nat -vnL VSERVER

But we added the nat rule to the POSTROUTING chain.

Code:
iptables -t nat -vnL POSTROUTING

I just tested it, and when I added a port forward, as expected, the rule from the nat-start was still there.
 
The rule is still there, but the new incoming NAT rule did not take effect. My new rule was for incoming traffic to the server on 192.168.1.0, maybe because of that.
Maybe I did not test well, I'll check again.
 