
Redirect port between network br0 and tun11


Greeno

Regular Contributor
Hi.
I'm trying to set up port forwarding between the network interfaces tun11 and br0. I have been struggling with this for a few days and somehow I'm not getting anywhere. My network diagram is below:

br0    10.0.0.1 (LAN)
eth0   internet address (WAN)
tun11  10.8.0.6 (OpenVPN client address)

Because my main ISP assigns me a dynamic public IP, I use a VPS with a fixed public IP, on which I have placed an OpenVPN server. I use the VPS as a relay with a fixed public IP, and on it I have set up the following port forwarding:

vps public ip:80   -> 10.8.0.6:80
vps public ip:25   -> 10.8.0.6:25
vps public ip:8080 -> 10.8.0.6:8080

Forwarding of ports 80 and 25 works properly, but I have a problem with NAT, because I need to redirect port 8080 to the address 10.0.0.13, to which the IP camera is connected.

I would also like to forward packets coming from the br0 interface (10.0.0.1) on port 25 to tun11 (10.8.0.6) (mail server).

I tried to follow this tutorial, but somehow it does not work:
https://airvpn.org/topic/11264-asus-merlin-wrt-port-forwarding-script-setup/

/jffs/scripts/nat-start

#!/bin/sh
# Allow forwarding between the LAN bridge and the tunnel in both directions
iptables -I FORWARD -i br0 -o tun11 -j ACCEPT
iptables -I FORWARD -i tun11 -o br0 -j ACCEPT
# Kill-switch rule from the tutorial: stop LAN traffic leaving on vlan1.
# Per the diagram above the WAN on this router is eth0, so this matches nothing here.
iptables -I FORWARD -i br0 -o vlan1 -j DROP
# Reject packets from the tunnel that are addressed to the router itself;
# this also hits the forwarded ports 80 and 25, which terminate on 10.8.0.6.
iptables -I INPUT -i tun11 -j REJECT
# Masquerade LAN traffic leaving through the tunnel as 10.8.0.6
iptables -t nat -A POSTROUTING -o tun11 -j MASQUERADE

# Camera: allow and DNAT tcp/8080 arriving on the tunnel to 10.0.0.13:8080
iptables -I FORWARD -i tun11 -p tcp -d 10.0.0.13 --dport 8080 -j ACCEPT
iptables -t nat -I PREROUTING -i tun11 -p tcp --dport 8080 -j DNAT --to-destination 10.0.0.13:8080

Please help.
 
NAT/port forwarding will have to be done by your OpenVPN tunnel provider; not all of them offer it.
 
I'm not sure I was understood. I am the OpenVPN server operator: the OpenVPN server is installed and configured on a virtual server (Debian VPS). Ports 80, 25 and 8080 on the VPS are already redirected. The web server and mail server are reachable at the VPS address; these services listen on br0 (10.0.0.1) and on 10.8.0.6 at the same time. However, I have a problem with the camera, which is at 10.0.0.13:8080, and I would like it to be publicly visible via the VPS.
 

I've started a personal project to be able to read and write iptables. So far I'm a little along the way to being able to read them.

Your firewall says to reject all input from tun11, then, if the firewall fails to reject it, to NAT the output. vlan1 also appears to be toast. While I may be wrong in my understanding, it still looks contradictory.

After rejecting it and sending it out on tun11, then forward it via tcp if intended for port 8080.

Some parts I still can't read.

When I solved my iptables problem for something else, i found a ton of contradictory information. Good luck, but I think you're on the wrong track here.

A DDNS arrangement will get you connected back home reliably. Contact the camera manufacturer to see how others solve the problem of using it from afar.
 
Hello. Sorry, DDNS does not solve my problem, because I need a permanent public IP address (not a dynamic one) to be able to run my own mail server (reverse DNS). With the VPS I have a second permanent public IP address with its own reverse DNS entry. All the services I am having trouble with work on the public IP address assigned to me by my ISP. I need to duplicate them on the second IP address that I got from the VPS.

It seems to me that the problem is configuring iptables. Unfortunately, I have only just started learning iptables. I manage with simple rules somehow, but as you can see this is not a simple matter.
 

When I shopped around for my DDNS account I dimly remember seeing no-ip and possibly others selling a service that included MX records. Worth a look.
 
An MX record is also not a problem, and I do not need to use DDNS. The problem is that the public IP address pool is dynamic, and most mail servers reject messages from it.
 

no-ip mentions something on their pages about bypassing the mail server issues you describe. I find it hard to believe an easy solution is not out there. It's doubtful you're the first person to do what you want. Find out what the last one did and copy it.
 
Actually, the problem is configuring iptables on the RT-AC68U (Merlin firmware). I want to solve this problem. I've tried for a couple of days, but unfortunately many rules do not work. Maybe the kind fellow Merlin can give me a hint whether I am on the right track by putting the rules in this location:
/jffs/scripts/nat-start

#!/bin/sh
# Allow forwarding between the LAN bridge and the tunnel in both directions,
# and masquerade LAN traffic leaving through the tunnel as 10.8.0.6
iptables -I FORWARD -i br0 -o tun11 -j ACCEPT
iptables -I FORWARD -i tun11 -o br0 -j ACCEPT
iptables -t nat -A POSTROUTING -o tun11 -j MASQUERADE

# Camera: allow and DNAT tcp/8080 arriving on the tunnel to 10.0.0.13:8080
iptables -I FORWARD -i tun11 -p tcp -d 10.0.0.13 --dport 8080 -j ACCEPT
iptables -t nat -I PREROUTING -i tun11 -p tcp --dport 8080 -j DNAT --to-destination 10.0.0.13:8080

It is possible that I am following the wrong path altogether. I do not know whether the problem is in the iptables syntax, or whether it has to be set up some other way.
 

Good luck with your iptables project. I'm sure it's only a line or two off. If that.
 
Welcome back after a short break.
I managed to solve the above problem.
Actually, I'm an idiot, because the rules I wrote were fine,
but I forgot to set the permissions on the nat-start file.

The following rules, in the file /jffs/scripts/nat-start, are correct:

#!/bin/sh
# The script must be executable: chmod +x /jffs/scripts/nat-start
# Allow forwarding between the LAN bridge and the tunnel in both directions,
# and masquerade LAN traffic leaving through the tunnel as 10.8.0.6
iptables -I FORWARD -i br0 -o tun11 -j ACCEPT
iptables -I FORWARD -i tun11 -o br0 -j ACCEPT
iptables -t nat -A POSTROUTING -o tun11 -j MASQUERADE

# Camera: allow and DNAT tcp/8080 arriving on the tunnel to 10.0.0.13:8080
iptables -I FORWARD -i tun11 -p tcp -d 10.0.0.13 --dport 8080 -j ACCEPT
iptables -t nat -I PREROUTING -i tun11 -p tcp --dport 8080 -j DNAT --to-destination 10.0.0.13:8080

If someone else has the same problem: of course, don't forget to make the nat-start file executable!

I have, however, yet another wrinkle, because I need to redirect outgoing mail from the br0 interface (10.0.0.1:25) to the tun11 interface (10.8.0.6:25).

I've tried a few rules, but so far without success.
Can anyone give me a hint what such a rule should look like in iptables?
 
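As an added example (not the thread's script and not Asuswrt-Merlin's own code), here is a nat-start that covers both of Greeno's requests: the camera DNAT from the solved post, and the outgoing-SMTP question the thread leaves open, which is a policy-routing problem rather than a DNAT. Everything beyond the thread's own addresses is an assumption: that routing table 100 and fwmark 0x19 are unused on the router, that the `state` match and `ip` are available as they are on Merlin, and that the VPS end of the tunnel may not masquerade the forwarded connections (the rule that handles that case is marked). It also narrows the thread's blanket `-i tun11 -o br0 -j ACCEPT` to established traffic plus the camera port, and inserts each rule only if it is not already present, since nat-start runs again on every firewall restart.

```shell
#!/bin/sh
# Example /jffs/scripts/nat-start (added illustration, not the thread's script).
# Assumed, not taken from the thread: the VPS side of the tunnel does NOT
# masquerade forwarded connections, routing table 100 and fwmark 0x19 are free
# on this router, and the camera is 10.0.0.13:8080 behind br0.
# Set DRY_RUN=1 to print the commands instead of applying them.

LAN_IF="br0"
VPN_IF="tun11"
CAM_IP="10.0.0.13"
CAM_PORT="8080"
SMTP_TABLE="100"      # assumed free routing table
SMTP_MARK="0x19"      # assumed free fwmark (25 decimal, for readability)

# Execute a command, or only print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# add_rule <table> <chain> <rulespec...>: insert the rule only if an identical
# one is not already present, so nat-start can run on every firewall restart
# without stacking duplicates.  -I puts it ahead of the firmware's own rules.
add_rule() {
    table="$1"; chain="$2"; shift 2
    if [ -z "$DRY_RUN" ] && iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    run iptables -t "$table" -I "$chain" "$@"
}

firewall_rules() {
    # LAN -> tunnel is allowed and masqueraded as the router's tunnel address.
    add_rule filter FORWARD -i "$LAN_IF" -o "$VPN_IF" -j ACCEPT
    add_rule nat POSTROUTING -o "$VPN_IF" -j MASQUERADE

    # Tunnel -> LAN: only replies to LAN-initiated flows and the camera port,
    # instead of a blanket accept, so the VPS and anything else reachable over
    # the tunnel cannot open connections to arbitrary LAN hosts.
    add_rule filter FORWARD -i "$VPN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    add_rule nat PREROUTING -i "$VPN_IF" -p tcp --dport "$CAM_PORT" \
        -j DNAT --to-destination "$CAM_IP:$CAM_PORT"
    add_rule filter FORWARD -i "$VPN_IF" -o "$LAN_IF" -p tcp -d "$CAM_IP" --dport "$CAM_PORT" -j ACCEPT

    # Assumed case: the VPS does not masquerade.  The camera then answers to the
    # Internet client's address, the router routes that reply out the WAN, and
    # the connection never completes.  Rewriting the source to the router's LAN
    # address makes the camera reply to the router, which reverses the DNAT and
    # sends the reply back down the tunnel.
    add_rule nat POSTROUTING -o "$LAN_IF" -p tcp -d "$CAM_IP" --dport "$CAM_PORT" -j MASQUERADE
}

# Outbound SMTP from the LAN or from the router itself leaves through the
# tunnel, so the receiving MTA sees the VPS's static address and its reverse
# DNS.  This is policy routing on a packet mark, not a DNAT: the destination
# (the remote mail server) is left alone, only the exit interface changes, and
# the POSTROUTING masquerade above then rewrites the source to 10.8.0.6.
smtp_via_tunnel() {
    add_rule mangle PREROUTING -i "$LAN_IF" -p tcp --dport 25 -j MARK --set-mark "$SMTP_MARK"
    add_rule mangle OUTPUT -p tcp --dport 25 -j MARK --set-mark "$SMTP_MARK"
    run ip route replace default dev "$VPN_IF" table "$SMTP_TABLE"
    run ip rule del fwmark "$SMTP_MARK" table "$SMTP_TABLE" 2>/dev/null
    run ip rule add fwmark "$SMTP_MARK" table "$SMTP_TABLE" priority 100
}

main() {
    firewall_rules
    smtp_via_tunnel
}

# Apply only when executed as nat-start; when sourced for testing, the
# functions are defined but nothing on the router is changed.
case "$0" in
    *nat-start) main ;;
esac
```

Check the result with `DRY_RUN=1 sh /jffs/scripts/nat-start` before making it executable, then `iptables -t nat -L PREROUTING -n -v` and `ip rule` after a firewall restart to confirm the rules appear once. The route in table 100 only exists while tun11 is up, so if the tunnel is brought up after the firewall, the same `smtp_via_tunnel` has to be re-run when the client reconnects (Merlin's openvpn-event user script is the hook for that).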
