
How to set up Port Forwarding to a vpn client?

Discussion in 'Tomato Firmware' started by quinezhu, Oct 22, 2010.

  1. quinezhu

    quinezhu Addicted to LI Member

    My Tomato router is an OpenVPN server.
    Its WAN IP is assigned over PPPoE, so I have to use DDNS like xxx.3322.org.
    LAN IP: 192.168.1.1
    It supports NAT.

    VPN client IP: 192.168.1.101 (tap mode).
    The VPN client has its own WAN IP assigned by the mobile operator, but it doesn't support NAT.

    Now it's OK for the VPN client to access the internet or 192.168.1.0/24 via the OpenVPN server, and also OK for 192.168.1.0/24 to access the VPN client (192.168.1.101).

    But it doesn't work (accessing the VPN client over the internet) after setting up a NAT rule to 192.168.1.101 on the Tomato router like the following
    Code:
    Chain wanin (1 references)
    target     prot opt source               destination
    ACCEPT     tcp  --  0.0.0.0/0            192.168.1.101       tcp dpt:12345
    Any ideas? Thanks.
     
  2. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    That isn't a NAT rule at all. If you want to see the NAT rules, print the nat table:
    Code:
    iptables -t nat -nvL
    Is your VPN client set up to redirect internet traffic? Without that, the natted traffic will reach the client, but the client won't know to send return traffic back over the tunnel.
     
  3. quinezhu

    quinezhu Addicted to LI Member

    Thanks for your quick reply.

    Code:
    Chain PREROUTING (policy ACCEPT 6718 packets, 745K bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 DROP       0    --  ppp+   *       0.0.0.0/0            192.168.1.0/24
       28  1696 DNAT       icmp --  *      *       0.0.0.0/0            x.x.x.x         to:192.168.1.1
        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            x.x.x.x         tcp dpt:xxxxx to:192.168.1.1:22
        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            x.x.x.x         tcp dpt:12345 to:192.168.1.101:12345
        0     0 upnp       0    --  *      *       0.0.0.0/0            x.x.x.x 
    
    Chain POSTROUTING (policy ACCEPT 9008 packets, 545K bytes)
     pkts bytes target     prot opt in     out     source               destination
       12   720 SNAT       tcp  --  *      *       192.168.1.0/24       192.168.1.101        tcp dpt:12345 to:x.x.x.x
     6051  687K MASQUERADE 0    --  *      ppp+    0.0.0.0/0            0.0.0.0/0
      209 60210 MASQUERADE 0    --  *      *       192.168.1.0/24       0.0.0.0/0
    
    Chain OUTPUT (policy ACCEPT 1306 packets, 129K bytes)
     pkts bytes target     prot opt in     out     source               destination
    
    x.x.x.x is my Tomato router's WAN IP.
    If the VPN client IP 192.168.1.101 here is replaced by any real LAN IP under the Tomato router, the NAT function is OK.


    Yes. When the VPN client accesses an IP-check web page over the internet, it echoes the Tomato router's WAN IP.

    I've installed a TCP&UDP debug program as the TCP server on the VPN client side for testing. When I accessed the VPN client via the Tomato router over the internet (x.x.x.x:12345), the TCP server responded, but I didn't receive anything. It seems that the NATted traffic reached the TCP server but the return traffic didn't reach me.
     
  4. quinezhu

    quinezhu Addicted to LI Member

    I found where the problem is after I happened to notice that the VPN client (virtual 192.168.1.101) could not ping x.x.x.x (the Tomato router's WAN IP), while the real LAN IPs (192.168.1.0/24) could.

    After I changed the SNAT rule from
    Code:
     pkts bytes target     prot opt in     out     source               destination
       12   720 SNAT       tcp  --  *      *       192.168.1.0/24       192.168.1.101        tcp dpt:12345 to:x.x.x.x
    to
    Code:
     pkts bytes target     prot opt in     out     source               destination
       12   720 SNAT       tcp  --  *      *       192.168.1.0/24       192.168.1.101        tcp dpt:12345 to:192.168.1.1
    it works. :)

    So I'm going to remove the rule from the Port Forwarding page of Tomato, then add the rules manually on the Firewall page like the following
    Code:
    iptables -t nat -A PREROUTING -d x.x.x.x -p tcp -m tcp --dport 12345 -j DNAT --to-destination 192.168.1.101:12345
    iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.101 -p tcp -m tcp --dport 12345 -j SNAT --to-source 192.168.1.1
    iptables -A FORWARD -d 192.168.1.101 -p tcp --dport 12345 -j ACCEPT
    Because I don't know how to make the router's real WAN IP get substituted automatically in the DNAT rule the way the Port Forwarding page does, I actually have to delete "-d x.x.x.x". It still works, but I don't know whether there are some hidden troubles in the future.
     
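An added example, not posted in this thread: a Firewall-script version of the three rules from the last post that looks up the router's WAN address at run time, so the "-d" match can stay in the DNAT rule instead of being dropped. It assumes the Tomato nvram key `wan_ipaddr` holds the current WAN address and that the Firewall script is re-run when the PPPoE link comes up; `WAN_IP_OVERRIDE` is a hook introduced here only for testing off the router.

```shell
#!/bin/sh
# Added example, not from the thread: the three rules from the post above, with the
# WAN address looked up at run time so "-d" can stay in the DNAT rule.
# Assumption: Tomato keeps the current WAN address in the nvram key "wan_ipaddr"
# and re-runs the Firewall script when the PPPoE link comes up.

VPN_CLIENT=192.168.1.101   # tap-mode OpenVPN client, from the thread
LAN_NET=192.168.1.0/24     # router LAN, from the thread
LAN_GW=192.168.1.1         # router LAN address, used as the SNAT source
PORT=12345                 # forwarded port, from the thread

# Current WAN address: WAN_IP_OVERRIDE (a hook added for testing off the router)
# if set, otherwise nvram on the router. Fails if neither is available.
wan_ip() {
    if [ -n "$WAN_IP_OVERRIDE" ]; then
        printf '%s\n' "$WAN_IP_OVERRIDE"
    elif command -v nvram >/dev/null 2>&1; then
        nvram get wan_ipaddr
    else
        return 1
    fi
}

# Print the rules, one per line, for the given WAN address without running them.
# Refuses an empty address so the DNAT rule is never emitted without its "-d".
forward_rules() {
    wan="$1"
    [ -n "$wan" ] || return 1
    printf 'iptables -t nat -A PREROUTING -d %s -p tcp -m tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$wan" "$PORT" "$VPN_CLIENT" "$PORT"
    printf 'iptables -t nat -A POSTROUTING -s %s -d %s -p tcp -m tcp --dport %s -j SNAT --to-source %s\n' \
        "$LAN_NET" "$VPN_CLIENT" "$PORT" "$LAN_GW"
    printf 'iptables -A FORWARD -d %s -p tcp --dport %s -j ACCEPT\n' "$VPN_CLIENT" "$PORT"
}

# Resolve the address and install the rules; installs nothing if the address is unknown.
apply_rules() {
    wan="$(wan_ip)" || { echo "WAN address unknown; rules not installed" >&2; return 1; }
    forward_rules "$wan" | sh
}
```

On the router, call `apply_rules` at the end of the Firewall script; off the router, `forward_rules 203.0.113.7` prints the rules that would be installed for that address.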
