Hi!

I use 2 routers with FreshTomato-ARM, Tomato1 and Tomato2. Behind each router I have a Nextcloud instance on a Raspberry Pi, PI1 and PI2.
Tinc VPN is up and, when I'm on Tomato1, I have access to PI1 and PI2, and when I'm on Tomato2 I have access to PI1 and PI2.

Tomato1 has a public address and I can connect with it to PI1, not PI2. I can't connect to Tomato2 with a public address (ISP limitation...). So I'm wondering what kind of iptables rules I can write in "script, firewall" on Tomato1 to reroute to PI2??
I found a lot of things on the internet... like "PREROUTING" rules, but I don't have the skill to adapt them for my usage :(

So, if somebody has an idea to translate this into an iptables rule!!:

Tomato1 public address -- PI2 (with tinc)

When you say "can't connect to Tomato2 with public address (ISP limitation...)", how do you access the LAN devices exactly?

Regardless, how about VPN into Tomato1 and get access to all your devices in your network that way?
I made port forwarding rules on Tomato2 like I did on Tomato1, but the ISP for Tomato2 blocks the port.... I tried different ways but I can't access with Tomato2's public IP. But Tomato2 can access everything on the internet :D !!!!!!

Yes, I want to use Tomato1 (with its public address) for connecting to PI2 through the tinc VPN!!!

When I'm connected on WiFi on TOMATO1 or TOMATO2 I can access each PI! So, do you know if I can add iptables rules to redirect my connection to TOMATO2 through Tomato1 when I'm connecting on the public IP address of Tomato1?

PS: Sorry, but English isn't my native language :(
I think I got what you want to do, and my answer was: is creating a VPN between the client (on the Internet) and Tomato1 possible? This is the quickest and most effective way to resolve this.

If not, you'll have to work with port forwarding and SNAT, but I warn you, this is rather complicated.
I guess you'll need to present communication from the Internet into your tinc-ed network via Tomato1 as SNAT-ed by Tomato1's LAN IP. What command you need to type depends on your network config; search this forum, there are many threads discussing SNAT.
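As an added illustration of the DNAT + SNAT approach described in the reply above (this is example code, not from the thread or from FreshTomato), the rules Tomato1's "script, firewall" box would need, with all interface names, addresses and ports being placeholders. The DNAT sends the public-port connection over tinc to PI2, and the SNAT makes PI2 see Tomato1's LAN IP as the source so its replies come back over the tunnel rather than via Tomato2's blocked WAN; the FORWARD rules are limited to that one service port plus established replies.

```shell
#!/bin/sh
# Added example (not from the thread): forward a port on Tomato1's public
# address to PI2 across the tinc tunnel.  All interface names, addresses and
# ports used here are constructed placeholders.
#
# Set IPT="echo iptables" to print the rules instead of applying them.
IPT="${IPT:-iptables}"

# forward_to_pi2 WAN_IF PUBLIC_PORT TINC_IF PI2_IP PI2_PORT SNAT_IP
#   WAN_IF      Tomato1's internet-facing interface (e.g. vlan2 on FreshTomato)
#   PUBLIC_PORT port exposed on Tomato1's public address
#   TINC_IF     tinc tunnel interface on Tomato1
#   PI2_IP      address of PI2 as reachable through tinc
#   PI2_PORT    port Nextcloud listens on (443 for HTTPS)
#   SNAT_IP     Tomato1's LAN IP, which PI2 can route back to over tinc
forward_to_pi2() {
    wan_if=$1; public_port=$2; tinc_if=$3; pi2_ip=$4; pi2_port=$5; snat_ip=$6

    # 1. Rewrite the destination: public IP:PUBLIC_PORT -> PI2_IP:PI2_PORT.
    $IPT -t nat -A PREROUTING -i "$wan_if" -p tcp --dport "$public_port" \
        -j DNAT --to-destination "$pi2_ip:$pi2_port"

    # 2. Let only that flow through FORWARD: new connections to PI2's service
    #    port from the WAN, and established/related replies back.
    $IPT -A FORWARD -i "$wan_if" -o "$tinc_if" -p tcp -d "$pi2_ip" \
        --dport "$pi2_port" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$tinc_if" -o "$wan_if" -m state \
        --state ESTABLISHED,RELATED -j ACCEPT

    # 3. Rewrite the source so PI2 answers Tomato1 over the tunnel instead of
    #    trying to reach the Internet client via Tomato2's WAN.
    $IPT -t nat -A POSTROUTING -o "$tinc_if" -p tcp -d "$pi2_ip" \
        --dport "$pi2_port" -j SNAT --to-source "$snat_ip"
}

# Usage with placeholder values (constructed, not from the thread):
# forward_to_pi2 vlan2 8443 tun0 10.0.0.2 443 192.168.1.1
```

Because of the SNAT, PI2's logs will show every Internet client as Tomato1's LAN IP, which is the trade-off the reply above warns about.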
Okay, I will try the VPN way!!

Thx :D
