Mode Gateway / Router + missing iptables -- bug?

Discussion in 'Tomato Firmware' started by vmixus, Dec 27, 2013.

  1. vmixus

    vmixus Serious Server Member

    Hey all,
    There are 3 routers (Primary, Guest, Public) set up as pictured in the diagram:
    [diagram image]
    Background:
    I wanted to have the ability to access clients connected to the Guest Network from the Primary network. My understanding is that the difference between Gateway / Router mode is that Router mode disables NAT and allows clients behind the router to be visible with their LAN IPs to clients on the other side of the router's WAN port. So, I set up a static route on the Primary router, then switched the Guest router to Router mode and added the following to the Firewall tab under [Administration -> Scripts]
    Code:
    # Allow traffic from primary router
    iptables -I INPUT -s 10.10.10.0/24 -j ACCEPT
    After this, I was successfully able to access client shares on the Guest network from the Primary network but then two other problems cropped up.

    Problem:
    After switching the Guest router to Router mode [Advanced -> Routing -> Miscellaneous -> Mode]:
    • Clients connected to VLAN (br1) 192.168.50.0/24 on the Guest router are unable to access internet.
    • Also, the IP Traffic Monitor on the Guest router stops working (i.e. not reporting anything)
    Note: Both the VLAN internet connection and the IP Traffic Monitor start working again once the Guest router is put back in Gateway mode.

    Troubleshooting:
    After comparing firewall rules on the Guest router for both Gateway and Router modes, several rules were missing in Router mode which is likely causing the problems. I've posted output for the following commands from both Gateway / Router modes:
    Code:
    iptables -vnL --line-numbers
    iptables -vnL --line-numbers --table nat
    
    Goal:
    So it's understandable that the nat rules would be gone, but is it a bug that there are other chains and rules missing, such as the monitor chain and the FORWARD chain rules? Or is this working as designed?

    If someone knows better please enlighten me, but my guess is I need one of the following solutions:
    In Router mode:
    How to replace the missing rules to make the IP Traffic Monitor work and enable internet on the VLAN.
    - OR -
    In Gateway mode:
    How to modify the firewall rules so that clients on the guest network can be accessed from the Primary network.
     
    Last edited: Dec 27, 2013
  2. vmixus

    vmixus Serious Server Member

    Guest Router - Gateway Mode

    iptables -vnL --line-numbers
    Code:
    Chain INPUT (policy DROP 79 packets, 20493 bytes)
    num   pkts bytes target     prot opt in     out     source               destination        
    1        0     0 ACCEPT     all  --  *      *       10.10.10.0/24        0.0.0.0/0          
    2      104 42133 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
    3    30402 8751K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    4        0     0 shlimit    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 state NEW
    5       74  9906 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0          
    6    29047 2457K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0          
    7      137 23460 ACCEPT     all  --  br1    *       0.0.0.0/0            0.0.0.0/0          
    8        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:67 dpt:68
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    num   pkts bytes target     prot opt in     out     source               destination        
    1    4185K 2998M            all  --  *      *       0.0.0.0/0            0.0.0.0/0           account: network/netmask: 192.168.100.0/255.255.255.0 name: lan
    2     1112  831K            all  --  *      *       0.0.0.0/0            0.0.0.0/0           account: network/netmask: 192.168.50.0/255.255.255.0 name: lan1
    3        0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0          
    4        0     0 ACCEPT     all  --  br1    br1     0.0.0.0/0            0.0.0.0/0          
    5     2389  141K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
    6    35040 1957K TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    7    1895K  298M monitor    all  --  *      vlan3   0.0.0.0/0            0.0.0.0/0          
    8    4128K 2994M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    9        0     0 DROP       all  --  br0    br1     0.0.0.0/0            0.0.0.0/0          
    10       0     0 DROP       all  --  br1    br0     0.0.0.0/0            0.0.0.0/0          
    11       0     0 wanin      all  --  vlan3  *       0.0.0.0/0            0.0.0.0/0          
    12   54945 5154K wanout     all  --  *      vlan3   0.0.0.0/0            0.0.0.0/0          
    13   54917 5153K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0          
    14      28  1776 ACCEPT     all  --  br1    *       0.0.0.0/0            0.0.0.0/0          
    Chain OUTPUT (policy ACCEPT 43257 packets, 11M bytes)
    num   pkts bytes target     prot opt in     out     source               destination        
    Chain monitor (1 references)
    num   pkts bytes target     prot opt in     out     source               destination        
    1        0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           WEBMON --max_domains 5000 --max_searches 5000
    Chain shlimit (1 references)
    num   pkts bytes target     prot opt in     out     source               destination        
    1        0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0           recent: SET name: shlimit side: source
    2        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           recent: UPDATE seconds: 60 hit_count: 4 name: shlimit side: source
    Chain wanin (1 references)
    num   pkts bytes target     prot opt in     out     source               destination        
    Chain wanout (1 references)
    num   pkts bytes target     prot opt in     out     source               destination          
    iptables -vnL --line-numbers --table nat
    Code:
    Chain PREROUTING (policy ACCEPT 75846 packets, 7304K bytes)
    num   pkts bytes target     prot opt in     out     source               destination         
    1       79 20493 WANPREROUTING  all  --  *      *       0.0.0.0/0            192.168.10.100      
    2      149 10188 DROP       all  --  vlan3  *       0.0.0.0/0            192.168.100.0/24    
    3        0     0 DROP       all  --  vlan3  *       0.0.0.0/0            192.168.50.0/24     
    Chain POSTROUTING (policy ACCEPT 67 packets, 9767 bytes)
    num   pkts bytes target     prot opt in     out     source               destination         
    1    49025 4622K MASQUERADE  all  --  *      vlan3   0.0.0.0/0            0.0.0.0/0           
    2      188 57479 SNAT       all  --  *      br0     192.168.100.0/24     192.168.100.0/24    to:192.168.100.100 
    3        1   328 SNAT       all  --  *      br1     192.168.50.0/24      192.168.50.0/24     to:192.168.50.100 
    Chain OUTPUT (policy ACCEPT 4993 packets, 386K bytes)
    num   pkts bytes target     prot opt in     out     source               destination         
    Chain WANPREROUTING (1 references)
    num   pkts bytes target     prot opt in     out     source               destination         
    1        0     0 DNAT       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           to:192.168.100.100  
     
  3. vmixus

    vmixus Serious Server Member

    Guest Router - Router Mode

    iptables -vnL --line-numbers
    Code:
    Chain INPUT (policy DROP 0 packets, 0 bytes)
    num   pkts bytes target     prot opt in     out     source               destination        
    1        0     0 ACCEPT     all  --  *      *       10.10.10.0/24        0.0.0.0/0          
    2        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
    3       63 14481 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    4        0     0 shlimit    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 state NEW
    5        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0          
    6       25  2559 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0          
    7        0     0 ACCEPT     all  --  br1    *       0.0.0.0/0            0.0.0.0/0          
    8        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:67 dpt:68
    Chain FORWARD (policy ACCEPT 5490 packets, 3834K bytes)
    num   pkts bytes target     prot opt in     out     source               destination        
    1        0     0 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    Chain OUTPUT (policy ACCEPT 97 packets, 83378 bytes)
    num   pkts bytes target     prot opt in     out     source               destination        
    Chain shlimit (1 references)
    num   pkts bytes target     prot opt in     out     source               destination        
    1        0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0           recent: SET name: shlimit side: source
    2        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           recent: UPDATE seconds: 60 hit_count: 4 name: shlimit side: source 
    iptables -vnL --line-numbers --table nat
    Code:
    Chain PREROUTING (policy ACCEPT 91 packets, 11461 bytes)
    num   pkts bytes target     prot opt in     out     source               destination        
    Chain POSTROUTING (policy ACCEPT 80 packets, 10433 bytes)
    num   pkts bytes target     prot opt in     out     source               destination        
    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    num   pkts bytes target     prot opt in     out     source               destination        
    Chain WANPREROUTING (0 references)
    num   pkts bytes target     prot opt in     out     source               destination  
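
The comparison vmixus did by eye can be automated. The script below is an added example (not from this thread and not part of Tomato): it parses `iptables -vnL --line-numbers` output, drops the volatile num/pkts/bytes columns, and reports which chains, rules and chain policies present in one listing are absent from another. The sample listings embedded in it are the FORWARD and monitor chains copied from the two posts above. Run against them it reports that the FORWARD policy moved from DROP to ACCEPT, that the monitor chain is gone, and that thirteen FORWARD rules are missing, among them the `state INVALID` drop, the `RELATED,ESTABLISHED` accept and the br0/br1 isolation pair. From a defender's point of view that last finding matters more than the traffic monitor: with an ACCEPT policy and no isolation rules, the listing shows the router itself no longer filters traffic between the guest bridge and br0. Only the `OPT_VALUES` set (the strings iptables prints in the `opt` column) and the function names are the example's own.

```python
"""Compare two `iptables -vnL --line-numbers` listings and report what the
second lacks: chains, rules (counters ignored) and changed chain policies.
Added example; the sample listings are copied from the Guest router output
posted in this thread (filter table, FORWARD and monitor chains only)."""
import re

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|(\d+) references)")
# Strings iptables prints in the 'opt' column. When the first token after the
# three counter columns is one of these, the rule has an empty target (Tomato's
# 'account' rules look like that) and the remaining columns shift left by one.
OPT_VALUES = {"--", "-f", "!f"}

GATEWAY_MODE = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    4185K 2998M            all  --  *      *       0.0.0.0/0            0.0.0.0/0           account: network/netmask: 192.168.100.0/255.255.255.0 name: lan
2     1112  831K            all  --  *      *       0.0.0.0/0            0.0.0.0/0           account: network/netmask: 192.168.50.0/255.255.255.0 name: lan1
3        0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     all  --  br1    br1     0.0.0.0/0            0.0.0.0/0
5     2389  141K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
6    35040 1957K TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU
7    1895K  298M monitor    all  --  *      vlan3   0.0.0.0/0            0.0.0.0/0
8    4128K 2994M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
9        0     0 DROP       all  --  br0    br1     0.0.0.0/0            0.0.0.0/0
10       0     0 DROP       all  --  br1    br0     0.0.0.0/0            0.0.0.0/0
11       0     0 wanin      all  --  vlan3  *       0.0.0.0/0            0.0.0.0/0
12   54945 5154K wanout     all  --  *      vlan3   0.0.0.0/0            0.0.0.0/0
13   54917 5153K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
14      28  1776 ACCEPT     all  --  br1    *       0.0.0.0/0            0.0.0.0/0
Chain monitor (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           WEBMON --max_domains 5000 --max_searches 5000
"""

ROUTER_MODE = """\
Chain FORWARD (policy ACCEPT 5490 packets, 3834K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU
"""


def parse_listing(text):
    """Return {chain: {"policy": str or None, "rules": [rule, ...]}}; each rule is
    (target, prot, opt, in, out, source, destination, match_text) with the
    volatile num/pkts/bytes columns dropped so two listings can be compared."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = chains.setdefault(m.group(1), {"policy": m.group(2), "rules": []})
            continue
        tok = line.split()
        if current is None or len(tok) < 9 or not tok[0].isdigit():
            continue                      # column header or blank line
        tok = tok[3:]                     # drop num, pkts, bytes
        if tok[1] in OPT_VALUES:          # empty target column (see OPT_VALUES)
            target = ""
        else:
            target, tok = tok[0], tok[1:]
        current["rules"].append((target, *tok[:6], " ".join(tok[6:])))
    return chains


def compare(reference, candidate):
    """Report the chains, policies and rules of `reference` that `candidate` lacks."""
    report = {"missing_chains": [], "policy_changes": [], "missing_rules": []}
    for name, ref in reference.items():
        cand = candidate.get(name)
        if cand is None:
            report["missing_chains"].append(name)
            report["missing_rules"] += [(name, r) for r in ref["rules"]]
            continue
        if ref["policy"] != cand["policy"]:
            report["policy_changes"].append((name, ref["policy"], cand["policy"]))
        left = list(cand["rules"])        # consume matches so duplicate rules count
        for rule in ref["rules"]:
            if rule in left:
                left.remove(rule)
            else:
                report["missing_rules"].append((name, rule))
    return report


def guest_router_report():
    """The thread's comparison: Gateway mode as reference, Router mode as candidate."""
    return compare(parse_listing(GATEWAY_MODE), parse_listing(ROUTER_MODE))


if __name__ == "__main__":
    rep = guest_router_report()
    for name, old, new in rep["policy_changes"]:
        print(f"policy of chain {name} changed: {old} -> {new}")
    for name in rep["missing_chains"]:
        print(f"chain {name} is missing entirely")
    for name, (target, prot, _, i, o, src, dst, extra) in rep["missing_rules"]:
        print(f"{name}: -i {i} -o {o} -p {prot} {src} -> {dst} {extra} -j {target or '(none)'}")
```

To use it on a live router, save `iptables -vnL --line-numbers` (and, if wanted, the `--table nat` listing, which has the same column layout) from each mode to a file and pass the two texts to `compare(parse_listing(a), parse_listing(b))`; the counters are ignored, so listings taken at different times compare cleanly.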
     
  4. unoriginal

    unoriginal Serious Server Member

    I am a layman, not an expert, and won't be able to tell you anything at all about iptables, but looking at your network topography it makes perfect sense that you'd need to use Gateway mode instead of Router, since your Guest Router is in fact handing out its own DHCP leases in separate ranges from the Primary Router, creating a Double NAT situation.

    Router mode is for when you're using that Guest Router (and the Public Router) as a "dumb" switch or access point that then passes along the packets to the Primary Router, or internet gateway, which does the DHCP, the NAT, the firewall, and all the other good stuff. Doing it that way gives you much simpler network topography. Don't know your exact needs or plans but what you've got seems a little jury-rigged.

    If it is in fact a jury-rigged system you've got going, I assure you that you CAN still keep your "home" and "guest" network discrete, even across multiple access points, if you use virtual lans (vlans) and 802.1q port/packet tagging. Tagging takes the place of assigning DHCP "right then and there" on whichever router happens to see the traffic first, a way to turn all the separate routers into effectively one large, distributed home router.

    Whenever I'm on this board there always seems to be at least one thread active on the topic.
     
    Last edited: Dec 27, 2013
  5. vmixus

    vmixus Serious Server Member

    Thanks for your input, this experimental network is really just to help me learn and understand things better as I'm no expert either.
     