I want to be able to connect to my ISP IP address of the first router and then forward that traffic to the NAS behind an OpenVPN client on a second router. It does work after disabling the OpenVPN client, but that would defeat the purpose. It looks like the router is sending the packets back through the OpenVPN connection. I ultimately want to reach services on TCP ports 5001 and 8080 on the NAS.

Situation

My Fritz is connected to my ISP and it runs a local wired and wireless network. LAN1 on the Fritz is connected to the WAN port on the ASUS. The ASUS router runs the recent Tomato-K26USB-1.28.7502.1MIPSR2Toastman-RT-VPN-NOCAT firmware. The Fritz runs stock firmware. The whole purpose of my setup is to run one extra network that goes through a VPN service. This way I can browse anonymously, circumvent geo restrictions and all the rest. I can switch networks with my wireless devices in order to change from my ISP IP to my VPN IP. The Fritz hands out IP addresses in the 192.168.178.x range, the ASUS in the 172.16.1.x range.

Connection between networks

When connected to the ASUS I can access the web GUI of the Fritz by going to 192.168.178.1; I can also connect to or ssh into my Apple TV on the other network by connecting to 192.168.178.3. Similarly, when connected to my main Fritz network, I can connect to my NAS by going to 172.16.1.2:5001. Also, the Apple TV can stream from the XBMC library that is on the NAS fine. I can't, however, connect to the web GUI of the ASUS on 172.16.1.1. This just hangs for a while and then stops.

Port forwarding and reaching my NAS

The ASUS Tomato router is in 'Router' mode. NAT loopback on the Tomato is enabled for 'All'. Accept DNS configuration on the Tomato is on 'strict'. There's a static IP routing table entry in my Fritz for the 172.16.1.0 network with a 192.168.178.2 gateway and 255.255.255.0 subnet mask. This enables devices on both networks to reach each other.

I port forward TCP 5001 and 8080 from the Fritz to the ASUS router, and then again from that router to the NAS on 172.16.1.2. DNS on the ASUS Tomato is now on 22.214.171.124 or 126.96.36.199. I also forward UDP 1194 in my Fritz to the ASUS, which permanently runs an OpenVPN client in Tomato. No problems here. Port forwarding to other devices on my Fritz network works fine too. Trying to reach my NAS from the outside using this setup now just hangs for a while and then stops, giving this dropped packet warning in the logs:

Code:
unknown user.warn kernel: DROP IN=vlan2 OUT= MACSRC=c0:25:06:7a:55:36 MACDST=60:a4:4c:65:fd:e9 MACPROTO=0800 SRC=<redacted VPN IP> DST=192.168.178.2 LEN=64 TOS=0x00 PREC=0x00 TTL=54 ID=23004 DF PROTO=TCP SPT=61122 DPT=5001 SEQ=2689429389 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (02040558010303040101080A3CB714E10000000004020000)

Traffic comes in through vlan2 (WAN) but gets dropped. Do I maybe need UPnP or NAT-PMP configured?

Scripts

I left my Firewall script empty. I'd like to know what I need to put there, if anything. Should I put something like:

Code:
iptables -I FORWARD -i tun11 -p tcp -d 172.16.1.2 --dport 5001 -j ACCEPT
iptables -I FORWARD -i tun11 -p udp -d 172.16.1.2 --dport 5001 -j ACCEPT
iptables -t nat -I PREROUTING -i tun11 -p tcp --dport 5001 -j DNAT --to-destination 172.16.1.2
iptables -t nat -I PREROUTING -i tun11 -p udp --dport 5001 -j DNAT --to-destination 172.16.1.2

Or should I use a different IP here? Or are these the wrong rules? There are lots of different ones posted online. I've tried several WAN Up scripts, including the most promising one: http://www.linksysinfo.org/index.php?threads/route-only-specific-ports-through-vpn-openvpn.37240/ I had hoped it would work by letting the ports I needed bypass the VPN.

This is my script:

Code:
#!/bin/sh
#
# First it is necessary to disable Reverse Path Filtering on all
# current and future network interfaces:
#
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
    echo 0 > $i
done
#
# Delete table 100 and flush any existing rules if they exist.
#
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING
#
# Copy all non-default and non-VPN related routes from the main table into table 100.
# Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1".
#
# NOTE: Here I assume the OpenVPN tunnel is named "tun11".
#
ip route show table main | grep -Ev '^default' | grep -Ev tun11 \
| while read -r ROUTE ; do
    ip route add table 100 $ROUTE
done
ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache
# Ports 5001 and 8080 will bypass the VPN
iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 5001,8080 -j MARK --set-mark 1

I think it's bypassing those ports, but it still shows the same error as above. I've also tried bypassing all traffic with the following line to test if this would work, which it doesn't.

Code:
# By default all traffic bypasses the VPN
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1

Any ideas? I've been pulling my hair out over this for a couple of weeks now; it's driving me nuts. I've tried many of the things here on the forums, but I don't understand iptables well enough to hack something together that works for me. If there is any more info I need to provide, let me know.
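An added example, not the poster's script and not Tomato's own code: a WAN Up script that keeps the replies of port-forwarded connections on the ISP path by marking the connection on its first inbound WAN packet and restoring that mark on the NAS's reply packets, which carry 5001/8080 as their source port rather than their destination port. It assumes the names from the post (vlan2, br0, tun11, 172.16.1.2, table 100, fwmark 1); in dry-run mode the gateway address and the two route lines are constructed stand-ins for `nvram get wan_gateway` and `ip route show`.

```shell
#!/bin/sh
# Added example, not the poster's script: return-path policy routing for
# port-forwarded services behind a Tomato router that runs an OpenVPN client.
# Assumed from the post: WAN vlan2, LAN bridge br0, tunnel tun11, NAS ports
# 5001/8080, routing table 100, fwmark 1. DRY_RUN=1 (the default) prints the
# commands instead of running them; "sh script.sh apply" executes them.
WAN_IF=vlan2; LAN_IF=br0; VPN_IF=tun11
PORTS=5001,8080; TABLE=100; MARK=1
DRY_RUN=${DRY_RUN:-1}
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Tomato keeps the upstream gateway in nvram; the dry run uses the Fritz address.
wan_gateway() {
  if [ "$DRY_RUN" = 1 ]; then echo 192.168.178.1; else nvram get wan_gateway; fi
}

# Main-table routes that are neither the default nor via the tunnel. The two
# dry-run lines are constructed to match the post's subnets.
main_routes() {
  if [ "$DRY_RUN" = 1 ]; then
    echo "192.168.178.0/24 dev $WAN_IF src 192.168.178.2"
    echo "172.16.1.0/24 dev $LAN_IF src 172.16.1.1"
  else
    ip route show table main | grep -Ev '^default' | grep -Ev "$VPN_IF"
  fi
}

apply_rules() {
  # Replies leave on an interface other than the default (tunnel) route's,
  # so reverse-path filtering must be off or the kernel drops them.
  for i in all default "$WAN_IF" "$LAN_IF" "$VPN_IF"; do
    run sh -c "echo 0 > /proc/sys/net/ipv4/conf/$i/rp_filter"
  done
  # Table 100: connected subnets plus a default route via the ISP side only.
  main_routes | while read -r route; do run ip route add table "$TABLE" $route; done
  run ip route add default via "$(wan_gateway)" dev "$WAN_IF" table "$TABLE"
  run ip rule add fwmark "$MARK" table "$TABLE"
  # Stamp the connection (not just the packet) when its first packet reaches
  # the WAN for a forwarded port; mangle PREROUTING runs before the DNAT.
  run iptables -t mangle -A PREROUTING -i "$WAN_IF" -p tcp -m multiport \
    --dports "$PORTS" -m state --state NEW -j CONNMARK --set-mark "$MARK"
  # Copy that mark onto the NAS's replies, which carry 5001/8080 as SOURCE
  # port, so marked replies use table 100 and exit via the WAN, not the tunnel.
  run iptables -t mangle -A PREROUTING -i "$LAN_IF" -j CONNMARK --restore-mark
  run ip route flush cache
}

if [ "${1:-show}" = apply ]; then DRY_RUN=0; fi
apply_rules
```

Because the connection is marked at the WAN edge, the NAS's own port numbers no longer matter to the routing decision, so the same script covers any port added to PORTS.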