Routing Issue

[luetm]

Hi!

I have an issue with my routing using a 4 RT-AC66U routers. Here is my network:

My goal is to make the 192.168.42.0 subnet and the 192.168.47.0 subnet talk to each other (use each others printers, access servers, ...). But Merlin seems to block traffic that is coming from the WAN. This is showing in the following way:

Ping from 192.168.42.101 to 192.168.41.1 OK
Ping from 192.168.41.1 to 192.168.42.1 OK
Ping from 192.168.42.1 to 192.168.42.101 OK
Ping from 192.168.41.1 to 192.168.42.101 FAIL

A trace shows:

admin@RTR-MAIN:/tmp/home/root# traceroute 192.168.42.101

traceroute to 192.168.42.101 (192.168.42.101), 30 hops max, 38 byte packets
1  RTR-42 (192.168.41.42)  0.574 ms  0.262 ms  0.162 ms
2  *  *

So the packet is dying on the RTR-42. These are the IP table rules (iptables-save) on RTR-42:

# Generated by iptables-save v1.4.14 on Thu May 21 09:11:03 2015
*raw
:PREROUTING ACCEPT [13828:4327569]
:OUTPUT ACCEPT [1797:1471046]
COMMIT
# Completed on Thu May 21 09:11:03 2015
# Generated by iptables-save v1.4.14 on Thu May 21 09:11:03 2015
*nat
:PREROUTING ACCEPT [172:14529]
:INPUT ACCEPT [89:9675]
:OUTPUT ACCEPT [35:4015]
:POSTROUTING ACCEPT [114:8741]
:DNSFILTER - [0:0]
:LOCALSRV - [0:0]
:PCREDIRECT - [0:0]
:VSERVER - [0:0]
:VUPNP - [0:0]
-A PREROUTING -d 192.168.41.42/32 -j VSERVER
-A POSTROUTING -s 192.168.42.0/24 -o tun12 -j MASQUERADE
-A POSTROUTING -s 192.168.42.0/24 -o tun11 -j MASQUERADE
COMMIT
# Completed on Thu May 21 09:11:03 2015
# Generated by iptables-save v1.4.14 on Thu May 21 09:11:03 2015
*mangle
:PREROUTING ACCEPT [13000:4253863]
:INPUT ACCEPT [1532:205764]
:FORWARD ACCEPT [11460:4047835]
:OUTPUT ACCEPT [1164:674824]
:POSTROUTING ACCEPT [12577:4726321]
COMMIT
# Completed on Thu May 21 09:11:03 2015
# Generated by iptables-save v1.4.14 on Thu May 21 09:11:03 2015
*filter
:INPUT ACCEPT [656:108175]
:FORWARD ACCEPT [10:655]
:OUTPUT ACCEPT [514:100072]
:FUPNP - [0:0]
:PControls - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A INPUT -i tun12 -j ACCEPT
-A INPUT -i tun11 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun12 -j ACCEPT
-A FORWARD -i tun11 -j ACCEPT
-A FORWARD ! -i br0 -o eth0 -j logdrop
-A FORWARD -m state --state INVALID -j logdrop
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
-A PControls -j ACCEPT
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
COMMIT
# Completed on Thu May 21 09:11:03 2015

What am I doing wrong?

Thanks in advance!

luetm

 

[luetm]

Solved it:

iptables -t nat -I POSTROUTING 1 -s 192.168.41.0/24 -o br0 -j MASQUERADE

I understand why, but how come this is not added by default? Can I enable something in t he GUI or do I have to add it manually?

 

[RMerlin]

Solved it:

iptables -t nat -I POSTROUTING 1 -s 192.168.41.0/24 -o br0 -j MASQUERADE

I understand why, but how come this is not added by default? Can I enable something in t he GUI or do I have to add it manually?

Make sure you didn't disable NAT on the interface.

 

[mstombs]

Got to ask - why? Most folk work hard to avoid double-NAT because it will break upnp on all clients etc...

 

[luetm]

Got to ask - why? Most folk work hard to avoid double-NAT because it will break upnp on all clients etc...

We have VPNs on the different routers that should only be accessed by the corresponding subnets. Is it possible to solve it without double NAT?

 

[mstombs]

I do not know how this can be done with Asuswrt, but I think a good way would be for the main router to have multiple lan IP addresses with each port an isolated vlan. The main router would then need rules to isolate or bridge all possible interconnections. Then the slave routers could be in 'no-nat router mode' not 'nat gateway'. dd-wrt and some Tomato mods have gui config for vlans, Broadcom switch drivers support this via nvram vars, so did a 10+ year old Ti AR7 adsl router I have. I have also found 'router mode' difficult to set up recently (not specifically asuswrt), most firmware development seems to assume operation in 'nat gateway' mode.

 

[luetm]

In my naive imagination I fail to see why I need to set up NAT on the lower tier routers, since we have direct routes in to the respective subnets. Shouldn't 192.168.47.101 directly be able to talk to 192.168.42.101 without NAT? We have direct routes from one net to another, so I fail to see the need for the masquerading. What is my misconception there?

 

[RMerlin]

In my naive imagination I fail to see why I need to set up NAT on the lower tier routers, since we have direct routes in to the respective subnets. Shouldn't 192.168.47.101 directly be able to talk to 192.168.42.101 without NAT? We have direct routes from one net to another, so I fail to see the need for the masquerading. What is my misconception there?

The line you added will NAT that LAN - I was just answering your question as to why it was not added by default - that was because you told the router not to, by disabling NAT.

You will have to configure static routes in all of your routers for them to be able to talk to one another. I can't guide you on this however, I've never done such a setup myself.

 

[luetm]

The line you added will NAT that LAN - I was just answering your question as to why it was not added by default - that was because you told the router not to, by disabling NAT.

You will have to configure static routes in all of your routers for them to be able to talk to one another. I can't guide you on this however, I've never done such a setup myself.

OK. I'd like to try it without NATing. Would you be interested to talk about it on the IRC Channel? Maybe we can get it to work and can report the answer here. What do you think?

 

[RMerlin]

OK. I'd like to try it without NATing. Would you be interested to talk about it on the IRC Channel? Maybe we can get it to work and can report the answer here. What do you think?

I don't really have the time for this, sorry. Already got enough on my backlog of things to do at the moment, and I just can't find the time to do it.