
[SOLVED] iptables with Tomato no go but works on DD-WRT

Discussion in 'Tomato Firmware' started by TheBlumman, Sep 1, 2013.

  1. TheBlumman

    TheBlumman Reformed Router Member

    Hi guys,

    Background, I'm running an OpenVPN TUN site-to-site tunnel. The OpenVPN server/client hosts are stand-alone servers (I'm not using the built-in Tomato OpenVPN server/client services). I'm having issues getting iptables to let traffic flow bi-directionally and unrestricted between site A and site B.

    I recently ran two Linksys routers (E4200 & E3200) loaded with DD-WRT for site A and site B, which worked well. Recently I replaced the E4200 with an ASUS RT-AC66U on site A running Merlin's build 3.0.0.4.372.31_0. At the same time I decided to go from DD-WRT to Tomato by Shibby (Tomato Firmware 1.28.0000 MIPSR2-112 K26 USB AIO) on the Linksys E3200 router because of Tomato's 5 GHz WLAN support. This is where the problems began.

    Problem, I had similar issues with the two Linksys routers running DD-WRT before until I did the following:

    1. Setting up static routes on both routers, telling local clients that VPN traffic should go to the OpenVPN box in their respective subnets.
    2. Add iptables rules on the routers to let the incoming/outgoing VPN traffic pass between the two sites using the following two lines:

    Code:
    # NOTE: ROUTE is an out-of-tree netfilter target (from patch-o-matic, never merged
    # into mainline); it only works on firmware whose kernel and iptables were built with it.
    # Comment lines use '#', since ';' at the start of a line is a shell syntax error.
    
    # OpenVPN Server
    # Enable ping from OpenVPN Client to Server subnet. LET IN.
    iptables -A PREROUTING -t mangle -i <ethernet interface> -d <local subnet>/255.255.255.0 -j ROUTE --gw <openvpn server>
    # Enable traffic from Server subnet to OpenVPN client. GO OUT.
    iptables -A PREROUTING -t mangle -i <ethernet interface> -d <openvpn subnet>/255.255.255.0 -j ROUTE --gw <openvpn server>
    
    # OpenVPN Client
    # Enable ping from OpenVPN Server to Client subnet. LET IN.
    iptables -A PREROUTING -t mangle -i <ethernet interface> -d <local subnet>/255.255.255.0 -j ROUTE --gw <openvpn server>
    # Enable traffic from Client subnet to OpenVPN server. GO OUT.
    iptables -A PREROUTING -t mangle -i <ethernet interface> -d <openvpn subnet>/255.255.255.0 -j ROUTE --gw <openvpn server>
    Merlin's build accepts these iptables rules, the same as DD-WRT, but Tomato does not like them, which leaves my OpenVPN connection rather handicapped. If I try to apply these rules on the Tomato router I get the following "error" message.
    Code:
    iptables: No chain/target/match by that name
    On router A (ASUS RT-AC66U) I can see the following.
    Code:
    iptables -t mangle -nvL
    
    Chain PREROUTING (policy ACCEPT 4525K packets, 453M bytes)
    pkts bytes target    prot opt in    out    source              destination
    14336  809K MARK      all  --  !eth0  *      0.0.0.0/0            public_ip        MARK set 0xd001
    17066 2704K ROUTE      all  --  br0    *      0.0.0.0/0            192.168.10.0/24    ROUTE gw:192.168.100.10
      29  3573 ROUTE      all  --  br0    *      0.0.0.0/0            172.16.10.0/24    ROUTE gw:192.168.100.10
    
    Chain INPUT (policy ACCEPT 694K packets, 106M bytes)
     pkts bytes target  prot opt in  out  source  destination
    
    Chain FORWARD (policy ACCEPT 3734K packets, 323M bytes)
     pkts bytes target  prot opt in  out  source  destination
    
    Chain OUTPUT (policy ACCEPT 551K packets, 153M bytes)
     pkts bytes target  prot opt in  out  source  destination
    
    Chain POSTROUTING (policy ACCEPT 4210K packets, 473M bytes)
     pkts bytes target  prot opt in  out  source  destination
    I suspect that I should see something similar if the iptables had been accepted on router B. This is how it looks.
    Code:
    iptables -t mangle -nvL
    Chain PREROUTING (policy ACCEPT 4792 packets, 2880K bytes)
    pkts bytes target    prot opt in    out    source              destination
    
    Chain INPUT (policy ACCEPT 1096 packets, 107K bytes)
    pkts bytes target    prot opt in    out    source              destination
    
    Chain FORWARD (policy ACCEPT 3630 packets, 2754K bytes)
    pkts bytes target    prot opt in    out    source              destination
    
    Chain OUTPUT (policy ACCEPT 1177 packets, 109K bytes)
    pkts bytes target    prot opt in    out    source              destination
    
    Chain POSTROUTING (policy ACCEPT 4807 packets, 2863K bytes)
    pkts bytes target    prot opt in    out    source              destination
    Are there other ways of achieving the same thing but with different iptables for the Tomato loaded router? The iptables and kernels used on both routers are the same version. I don't really understand why I can't apply the same iptables on the Tomato router.

    Goal, I want both sites to use their own WAN connection, but if either site wants to communicate with the other through the VPN tunnel they should be able to do so on any port/protocol to any host.

    Topology site A
    Code:
                              +-------------------------+
                  (public IP)|                        |
      {INTERNET}=============={    ASUS Router        |
                              |                        |
                              |        LAN switch      |
                              +------------+------------+
                                          | (192.168.100.1)
                                          |
                                          |              +-----------------------+
                                          |              |                      |
                                          |              |        OpenVPN        |  eth0: 192.168.100.10/24
                                          +--------------{eth0    server        |  tun0: 172.16.10.1/24
                                          |              |                      |
                                          |              |          {tun0}      |
                                          |              +-----------------------+
                                          |
                                  +--------+-----------+
                                  |                    |
                                  |  Other LAN clients |
                                  |                    |
                                  |  192.168.100.0/24 |
                                  |  (internal net)  |
                                  +--------------------+
    - Any local client can ping the remote OpenVPN client in subnet B.
    - Any local client can SSH/FTP(S)/HTTP(S)/access SAMBA shares etc. on the remote OpenVPN client.
    - None of the local clients (Win, Linux and OSX) can reach any remote clients (Win and Linux) in site B.

    Topology site B
    Code:
                              +-------------------------+
                  (public IP)|                        |
      {INTERNET}=============={    Linksys Router      |
                              |                        |
                              |        LAN switch      |
                              +------------+------------+
                                          | (192.168.10.1)
                                          |
                                          |              +-----------------------+
                                          |              |                      |
                                          |              |        OpenVPN        |  eth0: 192.168.10.10/24
                                          +--------------{eth0    client        |  tun0: 172.16.10.2/24
                                          |              |                      |
                                          |              |          {tun0}      |
                                          |              +-----------------------+
                                          |
                                  +--------+-----------+
                                  |                    |
                                  |  Other LAN clients |
                                  |                    |
                                  |  192.168.10.0/24  |
                                  |  (internal net)  |
                                  +--------------------+
    - None of the local clients can ping the OpenVPN server in the remote subnet A.
    - The OpenVPN client can reach all local clients in subnet A.
    - The OpenVPN client can e.g. SSH to clients in subnet A.
     
  2. TheBlumman

    TheBlumman Reformed Router Member

    Oh no!

    This was embarrassing. It turns out that I forgot to make "net.ipv4.ip_forward=1" permanent on the OpenVPN client and that the Tomato router actually doesn't need the iptables.
     
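The two posts above describe the pieces a site-to-site OpenVPN TUN setup actually needs on the routers and the VPN hosts: static routes for the remote LAN and the tunnel network pointing at the local OpenVPN host, and forwarding enabled persistently on the OpenVPN hosts. The following script is an added example written for this page, not code from the thread or from Tomato, DD-WRT or Merlin. It expresses the routes as ordinary kernel routes (which is what the mangle ROUTE target emulated, and which needs no out-of-tree netfilter target) and makes `net.ipv4.ip_forward=1` persistent through a sysctl drop-in. The addresses are the thread's topology; the function names, the `DRY_RUN` switch and the drop-in path `/etc/sysctl.d/99-openvpn-forward.conf` are this example's own choices, and it assumes the OpenVPN configs already carry the tunnel-side routes for both LANs (the thread's partial connectivity shows they do).

```shell
#!/bin/sh
# Added example (not from the thread): routing and forwarding plan for a
# site-to-site OpenVPN TUN tunnel, using kernel routes instead of the
# out-of-tree iptables ROUTE target.
# Topology taken from the thread:
#   site A LAN 192.168.100.0/24, OpenVPN server host 192.168.100.10
#   site B LAN 192.168.10.0/24,  OpenVPN client host 192.168.10.10
#   tunnel     172.16.10.0/24
# With DRY_RUN=1 (the default) every privileged command is printed instead
# of executed, so the plan can be reviewed before it is typed into a router.

DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Routes a site's router needs so LAN clients reach the far side: both the
# remote LAN and the tunnel network go via the local OpenVPN host.
# $1 = local OpenVPN host LAN IP, $2 = remote LAN CIDR, $3 = tunnel CIDR
router_routes() {
    run ip route replace "$2" via "$1"
    run ip route replace "$3" via "$1"
}

# Exit 0 when IPv4 forwarding is enabled. $1 optionally names the file to
# read (defaults to the live kernel value) so the check can be exercised
# against a constructed file.
ip_forward_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Enable forwarding now and make it survive a reboot (the step the thread's
# resolution says was missing). $1 optionally overrides the drop-in path
# (assumed location; older systems use /etc/sysctl.conf instead).
persist_ip_forward() {
    conf="${1:-/etc/sysctl.d/99-openvpn-forward.conf}"
    run sysctl -w net.ipv4.ip_forward=1
    if [ "$DRY_RUN" = "1" ]; then
        echo "write 'net.ipv4.ip_forward = 1' to $conf"
    else
        printf 'net.ipv4.ip_forward = 1\n' > "$conf"
    fi
}

# The whole plan: routes on each router, persistent forwarding on each
# OpenVPN host. Each part is run on the box named in the comment it prints.
site_to_site_plan() {
    echo "# site A router (192.168.100.1)"
    router_routes 192.168.100.10 192.168.10.0/24 172.16.10.0/24
    echo "# site B router (192.168.10.1)"
    router_routes 192.168.10.10 192.168.100.0/24 172.16.10.0/24
    echo "# on each OpenVPN host"
    persist_ip_forward
}

site_to_site_plan
```

After applying the routes on a router, `ip route get 192.168.10.50` (any address in the far LAN) should answer `via 192.168.100.10`; on each OpenVPN host `sysctl net.ipv4.ip_forward` should print `1` both before and after a reboot, which is the check that would have caught the thread's actual problem.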
