
AC66U WAN aliases and NAT problem

Discussion in 'Tomato Firmware' started by HighTower, Oct 30, 2013.

  1. HighTower

    HighTower Reformed Router Member

    Hello,

    I have a problem with configuring Shibby build 114 for NAT of different local nets via VLANs to different external IPs...

    so, I have external subnet x.x.x.40/29
    to WAN I assigned x.x.x.42
    in the WAN up script I wrote:
    ifconfig vlan2:0 x.x.x.43 netmask 255.255.255.248
    ifconfig vlan2:1 x.x.x.44 netmask 255.255.255.248
    ifconfig vlan2:2 x.x.x.45 netmask 255.255.255.248
    ifconfig vlan2:3 x.x.x.46 netmask 255.255.255.248

    I split the local ports into 3 VLANs:
    br0 - default one with ports 1 & 2, net 192.168.1.1/24
    br1 - port 3, net 192.168.2.1/24
    br2 - port 4, net 192.168.3.1/24

    I want the br0, br1 and br2 nets to have different external IPs, so I wrote in the firewall script:
    iptables -t nat -A POSTROUTING -o vlan2 -s 192.168.1.0/24 -j SNAT --to x.x.x.43
    iptables -t nat -A POSTROUTING -o vlan2 -s 192.168.2.0/24 -j SNAT --to x.x.x.44
    iptables -t nat -A POSTROUTING -o vlan2 -s 192.168.3.0/24 -j SNAT --to x.x.x.45
    (x.x.x.42 is to be reserved for the router itself)

    The problem is that, according to tcpdump, on the internal interfaces I see requests from the client;
    on the external interface I see requests from the correct external IP for the local subnet and responses to them, but there are no responses on the local interfaces!
    and also there are no records in /var/log/messages (syslog is enabled and configured to log firewall-rejected packets)

    the same configuration works perfectly on dd-wrt... are any additional configurations needed for Shibby?
     
  2. HighTower

    HighTower Reformed Router Member

    really, guys, nobody knows???
    tcpdump on vlan2 shows that there is outbound traffic from x.x.x.43, 44, 45 and replies to it,
    but no replies on br0 and nothing in /var/log/messages

    help me!!!
     
  3. mstombs

    mstombs Network Guru Member

    I suggest you provide a full dump of the output from
    Code:
    iptables -nvL -t nat
    iptables -nvL
    obscuring your real WAN IP address as before.

    My thoughts are that you may need "-I" rather than "-A" in your iptables commands, to insert rules above something already in that chain that matches first. Or you may need something in FORWARD; the commands that provide WAN IP local NAT loopback in "Forwarded Only" may be interfering.

    To do full 1-to-1 NAT you will also need similar commands in nat PREROUTING, if you want to run externally visible services on those extra WAN IPs.
     
  4. HighTower

    HighTower Reformed Router Member

    Here is the iptables dump...
    Just want to remind you that the same rules (same script) work perfectly on the RT-N16 with the dd-wrt Kong mod... now I decided to upgrade it to have AC wifi support

    Code:
    iptables -nvL -t nat
    
    Chain PREROUTING (policy ACCEPT 5664 packets, 404154 bytes)
        pkts      bytes target    prot opt in    out    source              destination
          0        0 DNAT      udp  --  vlan2  *      0.0.0.0/0            XXX.XXX.XXX.42      multiport dports 500,4500,1702 to:192.168.100.200
          0        0 DNAT      tcp  --  vlan2  *      0.0.0.0/0            XXX.XXX.XXX.43      tcp dpt:80 to:192.168.100.100:80
          0        0 DNAT      tcp  --  vlan2  *      0.0.0.0/0            XXX.XXX.XXX.46      multiport dports 1720,1731,3220:3247 to:192.168.100.249
          0        0 DNAT      udp  --  vlan2  *      0.0.0.0/0            XXX.XXX.XXX.46      multiport dports 5060,3230:3247 to:192.168.100.249
          0        0 DNAT      all  --  *      *      0.0.0.0/0            XXX.XXX.XXX.45      to:192.168.100.5
          0        0 DNAT      all  --  *      *      0.0.0.0/0            XXX.XXX.XXX.44      to:192.168.100.3
          1      48 WANPREROUTING  all  --  *      *      0.0.0.0/0            XXX.XXX.XXX.42
          0        0 DROP      all  --  vlan2  *      0.0.0.0/0            192.168.100.0/24
          0        0 DROP      all  --  vlan2  *      0.0.0.0/0            192.168.101.0/24
          0        0 DROP      all  --  vlan2  *      0.0.0.0/0            192.168.200.0/24
    
    Chain POSTROUTING (policy ACCEPT 58 packets, 4448 bytes)
        pkts      bytes target    prot opt in    out    source              destination
          0        0 SNAT      udp  --  *      vlan2  192.168.100.200      0.0.0.0/0          multiport sports 500,4500,1702 to:XXX.XXX.XXX.42
          0        0 SNAT      all  --  *      vlan2  192.168.101.0/24    0.0.0.0/0          to:XXX.XXX.XXX.46
          0        0 SNAT      all  --  *      vlan2  192.168.200.0/24    0.0.0.0/0          to:XXX.XXX.XXX.46
          0        0 SNAT      all  --  *      vlan2  172.16.0.0/12        0.0.0.0/0          to:XXX.XXX.XXX.43
          0        0 SNAT      all  --  *      vlan2  10.0.0.0/8          0.0.0.0/0          to:XXX.XXX.XXX.43
          0        0 SNAT      all  --  *      vlan2  192.168.100.249      0.0.0.0/0          to:XXX.XXX.XXX.46
          21    4726 SNAT      all  --  *      vlan2  192.168.100.5        0.0.0.0/0          to:XXX.XXX.XXX.45
          0        0 SNAT      all  --  *      vlan2  192.168.100.3        0.0.0.0/0          to:XXX.XXX.XXX.44
        344    17044 SNAT      all  --  *      vlan2  0.0.0.0/0            0.0.0.0/0          source IP range 192.168.100.104-192.168.100.120 to:XXX.XXX.XXX.46
          0        0 SNAT      all  --  *      vlan2  192.168.100.0/24    0.0.0.0/0          to:XXX.XXX.XXX.43
          2      218 SNAT      all  --  *      br0    192.168.100.0/24    192.168.100.0/24    to:192.168.100.1
          0        0 SNAT      all  --  *      br1    192.168.101.0/24    192.168.101.0/24    to:192.168.101.1
          0        0 SNAT      all  --  *      br2    192.168.200.0/24    192.168.200.0/24    to:192.168.200.1
    
    Chain OUTPUT (policy ACCEPT 60 packets, 4666 bytes)
        pkts      bytes target    prot opt in    out    source              destination
    
    Chain WANPREROUTING (1 references)
        pkts      bytes target    prot opt in    out    source              destination
          0        0 DNAT      icmp --  *      *      0.0.0.0/0            0.0.0.0/0          to:192.168.100.1
    
    Code:
    iptables -nvL
    
    
    Chain INPUT (policy DROP 0 packets, 0 bytes)
        pkts      bytes target    prot opt in    out    source              destination
          67    7452 BAN        all  --  !br+  *      0.0.0.0/0            0.0.0.0/0
          54    11865 DROP      udp  --  *      *      0.0.0.0/0            0.0.0.0/0          multiport dports 113,138
          0        0 DROP      tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp flags:!0x17/0x02 state NEW
          0        0 REJECT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp flags:0x12/0x12 state NEW reject-with tcp-reset
          0        0 DROP      all  --  *      *      0.0.0.0/0            0.0.0.0/0          stateINVALID
          0        0 ACCEPT    tcp  --  !br+  *      0.0.0.0/0            XXX.XXX.XXX.42      tcp dpt:80 state RELATED,ESTABLISHED
          0        0 ACCEPT    tcp  --  !br+  *      0.0.0.0/0            XXX.XXX.XXX.42      tcp dpt:80 state NEW limit: avg 3/sec burst 5
          0        0 ACCEPT    tcp  --  *      *      0.0.0.0/0            XXX.XXX.XXX.42      tcp dpt:1194
          0        0 ACCEPT    udp  --  *      *      0.0.0.0/0            XXX.XXX.XXX.42      udp dpt:1194
          0        0 SIP        tcp  --  *      *      0.0.0.0/0            XXX.XXX.XXX.42      multiport dports 5060,65500:65535
          0        0 SIP        udp  --  *      *      0.0.0.0/0            XXX.XXX.XXX.42      multiport dports 5060,65500:65535
          0        0 ACCEPT    udp  --  *      *      0.0.0.0/0            XXX.XXX.XXX.42      udp dpt:53
          4    1314 ACCEPT    udp  --  br+    *      0.0.0.0/0            0.0.0.0/0          udp spt:67 dpt:68
          0        0 DROP      all  --  *      *      0.0.0.0/0            0.0.0.0/0          state INVALID
        245    20658 ACCEPT    all  --  *      *      0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
          1      48 shlimit    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:22 state NEW
          6      525 ACCEPT    all  --  lo    *      0.0.0.0/0            0.0.0.0/0
        5152  331825 ACCEPT    all  --  br0    *      0.0.0.0/0            0.0.0.0/0
          0        0 ACCEPT    all  --  br1    *      0.0.0.0/0            0.0.0.0/0
          0        0 ACCEPT    all  --  br2    *      0.0.0.0/0            0.0.0.0/0
          0        0 ACCEPT    icmp --  *      *      192.88.99.1          0.0.0.0/0
          0        0 ACCEPT    41  --  *      *      0.0.0.0/0            0.0.0.0/0
          0        0 ACCEPT    icmp --  *      *      0.0.0.0/0            0.0.0.0/0          limit: avg 5/sec burst 5
          0        0 ACCEPT    udp  --  *      *      0.0.0.0/0            0.0.0.0/0          udp dpts:33434:33534 limit: avg 5/sec burst 5
          0        0 logdrop    all  --  *      *      0.0.0.0/0            0.0.0.0/0
    
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
        pkts      bytes target    prot opt in    out    source              destination
          1      40 DROP      all  --  *      *      0.0.0.0/0            0.0.0.0/0          state INVALID
          0        0 ACCEPT    udp  --  *      *      0.0.0.0/0            192.168.100.200    multiport sports 500,4500,1702
          0        0 ACCEPT    tcp  --  *      *      0.0.0.0/0            192.168.100.100    tcp dpt:80
          0        0 ACCEPT    tcp  --  *      *      0.0.0.0/0            192.168.100.249    multiport dports 1720,1731,3220:3247
          0        0 ACCEPT    udp  --  *      *      0.0.0.0/0            192.168.100.249    multiport dports 5060,3230:3247
          0        0 ACCEPT    all  --  *      *      0.0.0.0/0            192.168.100.5
          0        0 ACCEPT    all  --  *      *      0.0.0.0/0            192.168.100.3
        8801  998024            all  --  *      *      0.0.0.0/0            0.0.0.0/0          account: network/netmask: 192.168.100.0/255.255.255.0 name: lan
          0        0            all  --  *      *      0.0.0.0/0            0.0.0.0/0          account: network/netmask: 192.168.101.0/255.255.255.0 name: lan1
          0        0            all  --  *      *      0.0.0.0/0            0.0.0.0/0          account: network/netmask: 192.168.200.0/255.255.255.0 name: lan2
          0        0 ACCEPT    all  --  br0    br0    0.0.0.0/0            0.0.0.0/0
          0        0 ACCEPT    all  --  br1    br1    0.0.0.0/0            0.0.0.0/0
          0        0 ACCEPT    all  --  br2    br2    0.0.0.0/0            0.0.0.0/0
          0        0 DROP      all  --  *      *      0.0.0.0/0            0.0.0.0/0          state INVALID
        705    33868 TCPMSS    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp flags:0x06/0x02 TCPMSS clamp to PMTU
        8431  979732 ACCEPT    all  --  *      *      0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
          0        0 DROP      all  --  br0    br1    0.0.0.0/0            0.0.0.0/0
          0        0 DROP      all  --  br0    br2    0.0.0.0/0            0.0.0.0/0
          0        0 DROP      all  --  br1    br0    0.0.0.0/0            0.0.0.0/0
          0        0 DROP      all  --  br1    br2    0.0.0.0/0            0.0.0.0/0
          0        0 DROP      all  --  br2    br0    0.0.0.0/0            0.0.0.0/0
          0        0 DROP      all  --  br2    br1    0.0.0.0/0            0.0.0.0/0
          0        0 wanin      all  --  vlan2  *      0.0.0.0/0            0.0.0.0/0
        370    18292 wanout    all  --  *      vlan2  0.0.0.0/0            0.0.0.0/0
        370    18292 ACCEPT    all  --  br0    *      0.0.0.0/0            0.0.0.0/0
          0        0 ACCEPT    all  --  br1    *      0.0.0.0/0            0.0.0.0/0
          0        0 ACCEPT    all  --  br2    *      0.0.0.0/0            0.0.0.0/0
    
    Chain OUTPUT (policy ACCEPT 6615 packets, 429723 bytes)
        pkts      bytes target    prot opt in    out    source              destination
          0        0 DROP      tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp flags:!0x17/0x02 state NEW
    
    Chain BAN (1 references)
        pkts      bytes target    prot opt in    out    source              destination
          0        0 DROP      all  --  *      *      37.75.215.20        0.0.0.0/0
          0        0 DROP      all  --  *      *      10.210.40.213        0.0.0.0/0
          0        0 DROP      all  --  *      *      84.33.17.160        0.0.0.0/0
          0        0 DROP      all  --  *      *      199.255.209.168      0.0.0.0/0
          0        0 DROP      all  --  *      *      176.13.156.226      0.0.0.0/0
          0        0 DROP      all  --  *      *      41.36.168.10        0.0.0.0/0
          0        0 DROP      all  --  *      *      98.126.32.82        0.0.0.0/0
          0        0 DROP      all  --  *      *      96.9.135.22          0.0.0.0/0
          0        0 DROP      all  --  *      *      95.35.160.69        0.0.0.0/0
          67    7452 RETURN    all  --  *      *      0.0.0.0/0            0.0.0.0/0
    
    Chain SIP (2 references)
        pkts      bytes target    prot opt in    out    source              destination
          0        0            udp  --  *      *      0.0.0.0/0            0.0.0.0/0          state NEW recent: SET name: DDOS side: source
          0        0 ACCEPT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp flags:0x17/0x02 limit: avg 1/sec burst 5
          0        0 DROP      tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp flags:0x17/0x02
          0        0 ACCEPT    all  --  *      *      0.0.0.0/0            0.0.0.0/0
    
    Chain logdrop (2 references)
        pkts      bytes target    prot opt in    out    source              destination
          0        0 LOG        all  --  *      *      0.0.0.0/0            0.0.0.0/0          state NEW LOG flags 39 level 4 prefix `DROP '
          0        0 DROP      all  --  *      *      0.0.0.0/0            0.0.0.0/0
    
    Chain logreject (0 references)
        pkts      bytes target    prot opt in    out    source              destination
          0        0 LOG        all  --  *      *      0.0.0.0/0            0.0.0.0/0          LOG flags 39 level 4 prefix `REJECT '
          0        0 REJECT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          reject-with tcp-reset
    
    Chain shlimit (1 references)
        pkts      bytes target    prot opt in    out    source              destination
          1      48            all  --  *      *      0.0.0.0/0            0.0.0.0/0          recent: SET name: shlimit side: source
          0        0 logdrop    all  --  *      *      0.0.0.0/0            0.0.0.0/0          recent: UPDATE seconds: 60 hit_count: 4 name: shlimit side: source
    
    Chain wanin (1 references)
        pkts      bytes target    prot opt in    out    source              destination
    
    Chain wanout (1 references)
        pkts      bytes target    prot opt in    out    source              destination
     
  5. mstombs

    mstombs Network Guru Member

    Wow, this looks even more complicated than I expected. I take it the quoting of IP addresses 192.168.x.1 in the first post vs. the implementation with 192.168.100.x was deliberate?

    Do you use "router mode" rather than "nat gateway mode", and do you wipe the existing firewall commands and replace them all? Last time I tried Tomato in router mode I couldn't get it to work; I assume most development is in gateway mode, and user scripts are essential for router mode.

    The reason for asking the latter is that the nat PREROUTING seems to have an error: surely the WANPREROUTING should only apply to packets from the WAN, and it would be more efficient to put everything from interface vlan2 in there? That doesn't address your issue, just efficiency.

    I don't know dd-wrt well enough to know the differences. Is there buildable source code for the Kong mod? I never got on with their git system, which seems to have build scripts missing, which means each developer hides what he actually uses! I assume that this is due to their commercial arm and the need to keep private things (such as Broadcom SDK drivers) private. And when are they going to release an actual version and update the router database to remove old versions that are listed as latest?

    There are known differences in IP stats counting and QOS between Tomato and dd-wrt, but most of that happens in the mangle tables, and shouldn't break routing.

    Watch out: Asus firmware and the better version by rmerlin may have different interface names (similar to the issue that Linksys WRTs use vlan1 as the WAN interface).
     
  6. HighTower

    HighTower Reformed Router Member

    yes, the configuration is rather complex... in the first message I just made it simpler to show the idea... maybe I'm wrong somewhere...
    in my previous post I showed the real configuration...

    So, the WAN IP is assigned in the configuration as XXX.XXX.XXX.42/255.255.255.248
    in the WAN UP script I wrote
    ifconfig vlan2:1 XXX.XXX.XXX.43 netmask 255.255.255.248
    ifconfig vlan2:2 XXX.XXX.XXX.44 netmask 255.255.255.248
    ifconfig vlan2:3 XXX.XXX.XXX.45 netmask 255.255.255.248
    ifconfig vlan2:4 XXX.XXX.XXX.46 netmask 255.255.255.248

    default (br0) local network is 192.168.100.0/24

    Also I did a simple experiment:
    iptables -t nat -F PREROUTING
    iptables -t nat -F POSTROUTING
    iptables -F FORWARD

    trying to set up ONE-TO-ONE NAT for IP 192.168.100.5 <-> XXX.XXX.XXX.45
    (a WAN IP alias is used, not the main one)

    iptables -t nat -I POSTROUTING -o vlan2 -s 192.168.100.5 -j SNAT --to XXX.XXX.XXX.45
    iptables -t nat -I PREROUTING -d XXX.XXX.XXX.45 -j DNAT --to 192.168.100.5
    iptables -I FORWARD -d 192.168.100.5 -j ACCEPT

    then from 192.168.100.5 I try to ping 8.8.8.8

    tcpdump -npi br0 host 8.8.8.8 shows:
    Code:
    12:42:58.237664 IP 192.168.100.5 > 8.8.8.8: ICMP echo request, id 768, seq 27174, length 40
    12:42:59.234549 IP 192.168.100.5 > 8.8.8.8: ICMP echo request, id 768, seq 27686, length 40
    12:43:00.250434 IP 192.168.100.5 > 8.8.8.8: ICMP echo request, id 768, seq 28198, length 40
    12:43:01.250400 IP 192.168.100.5 > 8.8.8.8: ICMP echo request, id 768, seq 28710, length 40
    
    tcpdump -npi vlan2 host 8.8.8.8 shows:
    Code:
    12:42:58.237825 IP XXX.XXX.XXX.45 > 8.8.8.8: ICMP echo request, id 768, seq 27174, length 40
    12:42:58.272110 IP 8.8.8.8 > XXX.XXX.XXX.45: ICMP echo reply, id 768, seq 27174, length 40
    12:42:59.234711 IP XXX.XXX.XXX.45 > 8.8.8.8: ICMP echo request, id 768, seq 27686, length 40
    12:42:59.265110 IP 8.8.8.8 > XXX.XXX.XXX.45: ICMP echo reply, id 768, seq 27686, length 40
    12:43:00.250576 IP XXX.XXX.XXX.45 > 8.8.8.8: ICMP echo request, id 768, seq 28198, length 40
    12:43:00.280089 IP 8.8.8.8 > XXX.XXX.XXX.45: ICMP echo reply, id 768, seq 28198, length 40
    12:43:01.250563 IP XXX.XXX.XXX.45 > 8.8.8.8: ICMP echo request, id 768, seq 28710, length 40
    12:43:01.300043 IP 8.8.8.8 > XXX.XXX.XXX.45: ICMP echo reply, id 768, seq 28710, length 40
    Where can I find "router mode"? I found only NAT settings (Advanced->Firewall)

    Regarding dd-wrt: the firmware has problems with AC mode..
    the dd-wrt Kong mod works, but it uses kernel version 3 (not 2.6) and something is wrong with FPU emulation, because of which optware can't be used, and I need it... (asterisk at least, bird,...).. I found that "basmaf" is making a new repository of packages for kernel 3, but he uses sources from openwrt and, for example, asterisk has limited modules in it and not all I use... so at the moment this is not a point for me ((((

    actually what I need:
    - a stable fw with 5GHz and AC mode support
    - optware support
    - all my freaky nat/routing working..
     
  7. mstombs

    mstombs Network Guru Member

    Router/Gateway is usually on the advanced routing page under miscellaneous. Probably there to discourage use; Gateway is default, router mode doesn't use NAT, see for example:

    http://victek.is-a-geek.com/virtual/tomatok26/advanced-routing.html

    The route table there may be of interest (route -n), but there are also more advanced options, ip commands, that can be used.

    In your example you need the usual ESTABLISHED/RELATED accept rule in FORWARD to let replies back through.

    Why Optware? I thought Entware was a modern replacement for Tomato and Asus/Rmerlin.

    I assume K3.x will be good for IPv6/USB/filesystems, but trying dd-wrt on the RT-N16 just gives practice at recovery from a soft-brick!
     
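mstombs' two suggestions in posts 3 and 7 (rule order, i.e. "-I" vs "-A", and the RELATED,ESTABLISHED accept that FORWARD needs for replies to come back) can both be checked mechanically against an `iptables -nvL` dump. The script below is an added example, not code from this thread or from Tomato: it parses the dump format shown above and runs the two checks on constructed excerpts modelled on the posted output (the chain names, interface names and XXX.XXX.XXX.43/.45 placeholders are taken from the thread).

```python
import ipaddress
import re
from collections import namedtuple

# One parsed rule; target is "" for counting-only rules such as the "account:" entries.
Rule = namedtuple("Rule", "target proto in_if out_if src dst extra")
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)")

def parse_iptables_nvl(text):
    """Parse `iptables -nvL` text into {chain: (policy_or_None, [Rule, ...])}; opt column is '--'."""
    chains, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = CHAIN_RE.match(line)
        if m:
            cur = m.group(1)
            chains[cur] = (m.group(2), [])
        elif line and not line.startswith("pkts") and cur is not None:
            tok = line.split()
            opt = tok.index("--")              # '--' at index 3 means there is no target column
            target = tok[2] if opt == 4 else ""
            in_if, out_if, src, dst = tok[opt + 1:opt + 5]
            chains[cur][1].append(Rule(target, tok[opt - 1], in_if, out_if, src, dst,
                                       " ".join(tok[opt + 5:])))
    return chains

def accepts_established(chain):
    """True if the chain has a catch-all ACCEPT for state RELATED,ESTABLISHED."""
    return any(r.target == "ACCEPT" and "RELATED,ESTABLISHED" in r.extra
               and (r.in_if, r.out_if, r.src, r.dst) == ("*", "*", "0.0.0.0/0", "0.0.0.0/0")
               for r in chain[1])

def shadowed_snat(chain):
    """SNAT rules that never match because an earlier, broader SNAT on the same out
    interface (with no other match options) already covers their source (-A vs -I)."""
    out, seen = [], []
    for r in chain[1]:
        if r.target != "SNAT":
            continue
        net = ipaddress.ip_network(r.src, strict=False)
        for p in seen:
            if (p.out_if == r.out_if and p.proto == "all" and p.dst == "0.0.0.0/0"
                    and p.extra.startswith("to:")
                    and net.subnet_of(ipaddress.ip_network(p.src, strict=False))):
                out.append(f"{r.src} {r.extra} is shadowed by earlier {p.src} {p.extra}")
                break
        seen.append(r)
    return out

def audit(filter_dump, nat_dump):
    """Return human-readable findings for a filter-table and a nat-table dump."""
    findings = []
    fwd = parse_iptables_nvl(filter_dump).get("FORWARD")
    if fwd and fwd[0] == "DROP" and not accepts_established(fwd):
        findings.append("FORWARD: policy DROP and no ACCEPT for state RELATED,ESTABLISHED; "
                        "replies to SNATed traffic are dropped before they reach the LAN")
    post = parse_iptables_nvl(nat_dump).get("POSTROUTING")
    findings += ["POSTROUTING: " + s for s in shadowed_snat(post)] if post else []
    return findings

# Constructed excerpts in the style of the dumps above: a FORWARD chain that lacks the
# RELATED,ESTABLISHED rule, and a POSTROUTING where the /24 SNAT was appended (-A)
# ahead of a per-host SNAT, so the host rule can never fire.
FILTER_DUMP = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target    prot opt in    out    source              destination
    8801  998024            all  --  *      *      0.0.0.0/0            0.0.0.0/0          account: network/netmask: 192.168.100.0/255.255.255.0 name: lan
       0        0 ACCEPT    all  --  br0    *      0.0.0.0/0            0.0.0.0/0
"""
NAT_DUMP = """\
Chain POSTROUTING (policy ACCEPT 58 packets, 4448 bytes)
    pkts      bytes target    prot opt in    out    source              destination
       0        0 SNAT      all  --  *      vlan2  192.168.100.0/24    0.0.0.0/0          to:XXX.XXX.XXX.43
       0        0 SNAT      all  --  *      vlan2  192.168.100.5        0.0.0.0/0          to:XXX.XXX.XXX.45
"""
```

Run `audit(FILTER_DUMP, NAT_DUMP)` on a real dump by pasting the two `iptables -nvL` outputs in place of the constructed strings; an empty result means both checks passed.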
  8. HighTower

    HighTower Reformed Router Member

    I'll try changing router/gateway mode on Monday and write the results here
    Btw, in my simple example in the previous post, incoming connections to XXX.45 -> .100.5 were not seen on br0 either... And from my point of view ESTABLISHED/RELATED plays no role for incoming in this case...

    I know about Entware as a modern replacement, and as I wrote I need asterisk, but if you check Entware and the basmaf repo for the Kong kernel v3 they are both based on openwrt sources, and, for example, there is no package for the asterisk "app_group", "app_cdr" modules and some more.
    Also, personally for me it is difficult to understand the idea of splitting a package into a big amount of packages... I remember that with Entware I also got stuck with perl. One of my scripts requires Carp.. I failed to find the package which contains it (((
    I really appreciate the work people do to support Entware and similar, but what to do if I really need these features (see above) )) and while there is optware and it works fine - I'm happy )
    And in Tomato there is a built-in script /usr/sbin/optware-install.sh which installs optware.
    Maybe after some time, when Entware has at least the same set of packages, I'll try it once again...
     
  9. HighTower

    HighTower Reformed Router Member

    last update: I changed the router mode to "gateway"; after that the RELATED,ESTABLISHED rule disappeared from the FORWARD chain, so I put it manually in the Firewall script
    and a miracle - after reboot everything started to work!!!

    but only while clients are connected via wifi...
    if I plug network cables into the router, everything works for several seconds and then the router reboots...
    it reboots, again for 3-5 seconds everything is ok, and then reboot....
    if I unplug the cables - no reboots...

    the same cables plugged into the rt-16u now lead to no reboot...
     
