
Port forwarding across LAN subnets on same VLAN

Discussion in 'Tomato Firmware' started by patram1121, Jun 26, 2014.

  1. patram1121

    patram1121 Network Newbie Member

    Thank you to the community for Tomato! We've enjoyed using it so far.

    I am having a hard time figuring out how to configure Shibby Tomato to port forward across LAN subnets (on the same VLAN) and was hoping one of the experts might know right away. I'm assuming something with the firewall is blocking it.

    A. Our environment

    - Asus R66U with latest Shibby AIO
    - WAN IP is X.X.X.187 with subnet of 255.255.255.248 (gateway is .190)
    - LAN IP is 192.168.40.4
    - We have a Cisco router at 192.168.40.1 which routes to all our internal subnets (192.168.0.0)
    - I added routing and port forwarding statements to Tomato using the GUI

    B. Objective

    Trying to port forward from (WAN) X.X.X.187:3390 to (LAN) 192.168.16.22:3389

    C. Config files

    I'm assuming these would be most helpful for troubleshooting. Please let me know if I should provide anything else.

    # cat /etc/iptables

    Code:
    *mangle
    :PREROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -I PREROUTING -i vlan2 -j DSCP --set-dscp 0
    COMMIT
    *nat
    :PREROUTING ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :WANPREROUTING - [0:0]
    -A PREROUTING -d X.X.X.187 -j WANPREROUTING
    -A PREROUTING -i vlan2 -d 192.168.40.4/255.255.255.0 -j DROP
    -A WANPREROUTING -p icmp -j DNAT --to-destination 192.168.40.4
    -A WANPREROUTING -p tcp  --dport 3390 -j DNAT --to-destination 192.168.16.22:3389
    -A POSTROUTING  -o vlan2 -j MASQUERADE
    -A POSTROUTING -o br0 -s 192.168.40.4/255.255.255.0 -d 192.168.40.4/255.255.255.0 -j SNAT --to-source 192.168.40.4
    COMMIT
    *filter
    :INPUT DROP [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -m state --state INVALID -j DROP
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -N shlimit
    -A shlimit -m recent --set --name shlimit
    -A shlimit -m recent --update --hitcount 4 --seconds 60 --name shlimit -j DROP
    -A INPUT -p tcp --dport 22 -m state --state NEW -j shlimit
    -A INPUT -i lo -j ACCEPT
    -A INPUT -i br0 -j ACCEPT
    -A INPUT -p icmp -m limit --limit 1/second -j ACCEPT
    -A INPUT -p udp --dport 33434:33534 -m limit --limit 5/second -j ACCEPT
    -A INPUT -p tcp  --dport 8080 -j ACCEPT
    :FORWARD DROP [0:0]
    -A FORWARD -m account --aaddr 192.168.40.0/255.255.255.0 --aname lan
    -A FORWARD -i br0 -o br0 -j ACCEPT
    -A FORWARD -m state --state INVALID -j DROP
    -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    :wanin - [0:0]
    :wanout - [0:0]
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -i vlan2 -j wanin
    -A FORWARD -o vlan2 -j wanout
    -A FORWARD -i br0 -j ACCEPT
    -A wanin  -p tcp -m tcp -d 192.168.16.22 --dport 3389 -j ACCEPT
    COMMIT
    # route

    Code:
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    X.X.X.190   *               255.255.255.255 UH    0      0        0 vlan2
    X.X.X.184   *               255.255.255.248 U     0      0        0 vlan2
    192.168.40.0    *               255.255.255.0   U     0      0        0 br0
    192.168.0.0     192.168.40.1    255.255.255.0   UG    1      0        0 br0
    127.0.0.0       *               255.0.0.0       U     0      0        0 lo
    default         X-X-X-190-s 0.0.0.0         UG    0      0        0 vlan2
    
    Thank you for any assistance.
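A DNAT rule only rewrites the destination; where the rewritten packet actually goes next is decided by the routing table, so the first thing to check on a setup like the one above is which route 192.168.16.22 matches. The script below is an added example written for this page, not code from the post or from Tomato. It parses `route` output in the format shown above and performs the same longest-prefix match the kernel does. Its sample table is constructed from the posted one: the masked WAN addresses (X.X.X.*) are replaced with the documentation range 203.0.113.*, and the default gateway is written numerically as `route -n` would print it.

```python
"""Longest-prefix route lookup over a `route` / `route -n` dump.

Added example for the Tomato port-forward question; the sample table below is
constructed from the posted one with placeholder WAN addresses, not a capture.
"""
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None = directly connected ("*")
    iface: str


# Constructed sample input: the posted table with X.X.X.* -> 203.0.113.*
ROUTE_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
203.0.113.190   *               255.255.255.255 UH    0      0        0 vlan2
203.0.113.184   *               255.255.255.248 U     0      0        0 vlan2
192.168.40.0    *               255.255.255.0   U     0      0        0 br0
192.168.0.0     192.168.40.1    255.255.255.0   UG    1      0        0 br0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         203.0.113.190   0.0.0.0         UG    0      0        0 vlan2
"""


def parse_route_output(text: str) -> List[Route]:
    """Turn net-tools `route` output into Route entries (header lines skipped)."""
    routes: List[Route] = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 8 or cols[0] in ("Kernel", "Destination"):
            continue
        dest, gw, mask, iface = cols[0], cols[1], cols[2], cols[-1]
        if dest == "default":
            dest = "0.0.0.0"
        # Destination + Genmask define the prefix; strict=False tolerates host bits.
        network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        gateway = None if gw == "*" else ipaddress.IPv4Address(gw)
        routes.append(Route(network, gateway, iface))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Return the most specific matching route, as the kernel's FIB lookup does."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: r.network.prefixlen)


def with_route(routes: List[Route], cidr: str, gateway: str, iface: str) -> List[Route]:
    """Copy of the table with one extra route, for what-if checks."""
    extra = Route(ipaddress.IPv4Network(cidr), ipaddress.IPv4Address(gateway), iface)
    return routes + [extra]


def next_hop(routes: List[Route], dst: str) -> str:
    """Human-readable 'via <gw> dev <iface>' for a destination (or 'unreachable')."""
    r = lookup(routes, dst)
    if r is None:
        return "unreachable"
    via = "direct" if r.gateway is None else str(r.gateway)
    return f"{r.network} via {via} dev {r.iface}"


if __name__ == "__main__":
    table = parse_route_output(ROUTE_OUTPUT)
    for dst in ("192.168.16.22", "192.168.0.50", "192.168.40.1"):
        print(f"{dst:15} -> {next_hop(table, dst)}")
    # What-if: a /16 towards the Cisco router covering every 192.168.x.x subnet.
    wide = with_route(table, "192.168.0.0/16", "192.168.40.1", "br0")
    print(f"{'192.168.16.22':15} -> {next_hop(wide, '192.168.16.22')}  (with /16 added)")
```

Read literally, the posted line `192.168.0.0 192.168.40.1 255.255.255.0` is a /24 that covers only 192.168.0.0 to 192.168.0.255, so in this table 192.168.16.22 falls through to the default route on vlan2; the what-if branch shows that a wider prefix (here a /16, an assumption for illustration) sends it to 192.168.40.1 on br0 while the directly connected 192.168.40.0/24 still wins for local hosts. Whatever the forward path turns out to be, also note that the posted POSTROUTING SNAT rule only matches `-s 192.168.40.0/24 -d 192.168.40.0/24`, so the DNATed WAN traffic keeps its Internet source address and the reply from 192.168.16.22 has to find its own way back to the Tomato box through the Cisco router's routing.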
     