Sorry for the delay, I didn't see this response until now.
>> I'm having problems getting port forwarding to work after a change in
>> network layout. Essentially the network is now:
>>
>> Host: 172.27.1.10 <--172.27.0.1/21--> OpenWRT #1 (No NAT) <--10.24.83.1/24--> OpenWRT #2 <-- Public IP (NAT) --> Internet

> I am presuming owrt#1 is acting as a WiFi AP and owrt#2 like a gateway
> (no WiFi). If that is the case why not put owrt#1 on the 10. network and
> simplify your topology? Or is this some kind of a bastion host topology?

Actually I just moved into a new place, where I had set up the router with
OpenWRT previously. I wanted to keep my old network topology (on the
172.27.0.1/24 network) around. So essentially I just turned off IP
masquerading on the WAN port and plugged in OWRT#2. To ensure that hosts on
the 10.24.83.1/24 network can see my hosts, I added some static routes on
OWRT#1. Both routers are WiFi enabled.

>> I have some port forwarding rules configured on OpenWRT #2, and from the
>> internet they largely work, I can connect to the public IP on port 25 for
>> instance and get the SMTP server on host 172.27.1.10. I can also connect
>> externally on port 80 and get host 10.24.83.10. The problem is that when
>> I'm on either LAN (172.27.0.1/21 or 10.24.83.1), if I access the external
>> IP address on say port 25 it doesn't work, I get Connection Refused. Oddly
>> if I access on port 80, I get a connection (remember that it maps to
>> something on the 10.24.83.1/24 subnet).
>>
>> As far as I can tell from tcpdumps, OpenWRT #2 is simply rejecting this
>> packet locally (the SYN packet just gets a reset packet generated
>> locally). I don't know that much about iptables, and I'm hesitant to
>> start adding rules directly, instead of using /etc/config/firewall.

> Output of 'traceroute -n <external IP>' would help trace the path. To the
> best of my understanding, the gw device whose external IP you are trying
> to reach, should figure out that the request is coming from an internal IP.

traceroute to 70.68.116.61 (70.68.116.61), 30 hops max, 60 byte packets
 1  172.27.0.1    0.191 ms  0.240 ms  0.236 ms
 2  70.68.116.65  0.540 ms  0.638 ms  0.711 ms

>> root@OpenWrt:~# route
>> Kernel IP routing table
>> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>> default         70.68.116.1     0.0.0.0         UG    0      0        0 eth1
>> 10.24.83.0      *               255.255.255.0   U     0      0        0 br-lan
>> 10.27.83.0      10.24.83.2      255.255.255.0   UG    1      0        0 br-lan
>> 70.68.116.0     *               255.255.252.0   U     0      0        0 eth1
>> 172.27.0.0      10.24.83.2      255.255.248.0   UG    1      0        0 br-lan
>> root@OpenWrt:~#

> Where does 10.27.83.0/24 fit in the topology outlined in the beginning?

10.27.83.0/24 is the network used by OpenVPN hosts.

I can also say that if, in the iptables-save format, I add a bunch of lines,
for instance:

-A nat_reflection_in -s 172.27.0.1/21 -d 70.68.116.61/32 -p tcp -m tcp --dport 25 -m comment --comment "wan" -j DNAT --to-destination 172.27.1.10:25
-A nat_reflection_out -s 172.27.0.1/21 -d 172.27.1.10/32 -p tcp -m tcp --dport 25 -m comment --comment "wan" -j SNAT --to-source 10.24.83.1

in the same section as where the other nat_reflection_in and
nat_reflection_out lines are set, and then iptables-restore it, I can
connect properly and everything works. I'm just not sure how I actually do
this in a more stable manner.

Steve Ramage

> --
> Arun Khan
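The following is an added illustration, not code from this thread or from OpenWrt: a small Python model of the nat_reflection_in / nat_reflection_out pair quoted above, showing why hairpin ("reflected") NAT needs both the DNAT and the SNAT. The addresses and ports for port 25 are the ones from the message; the port 80 rule, the Packet and Reflection types, the client address 172.27.1.20 and the source port are constructed for the example. Rule matching mirrors the iptables match (-s subnet, -d host, --dport port); the 172.27.0.1/21 prefix is accepted the same way iptables accepts it, by masking the host bits.

```python
# Added example (not from the thread): modelling the DNAT + SNAT pair that
# makes a LAN client's connection to the router's public IP reach the
# internal server and, crucially, come back through the same router.
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    sport: int = 40000  # constructed ephemeral port


@dataclass(frozen=True)
class Reflection:
    lan_net: str        # -s subnet the reflection applies to
    wan_ip: str         # -d public address of the router
    dport: int          # --dport on the public side
    inside_ip: str      # --to-destination host
    inside_port: int    # --to-destination port
    router_lan_ip: str  # --to-source address used by the SNAT


def _in_net(addr: str, net: str) -> bool:
    # strict=False mirrors iptables masking "172.27.0.1/21" to 172.27.0.0/21
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def reflect_in(pkt: Packet, rules: list) -> Packet:
    """nat_reflection_in (PREROUTING): rewrite the public destination to the
    internal server, exactly as the -j DNAT rule does."""
    for r in rules:
        if _in_net(pkt.src, r.lan_net) and pkt.dst == r.wan_ip and pkt.dport == r.dport:
            return replace(pkt, dst=r.inside_ip, dport=r.inside_port)
    return pkt


def reflect_out(pkt: Packet, rules: list) -> Packet:
    """nat_reflection_out (POSTROUTING): rewrite the LAN client's source to the
    router's LAN address, as the -j SNAT rule does, so the server's reply is
    addressed to the router and the NAT can be reversed there."""
    for r in rules:
        if _in_net(pkt.src, r.lan_net) and pkt.dst == r.inside_ip and pkt.dport == r.inside_port:
            return replace(pkt, src=r.router_lan_ip)
    return pkt


def hairpin(pkt: Packet, rules: list, with_snat: bool = True) -> Packet:
    """Run a packet through both chains (or DNAT only, to show the failure mode)."""
    pkt = reflect_in(pkt, rules)
    return reflect_out(pkt, rules) if with_snat else pkt


def reply_destination(natted: Packet) -> str:
    """Where the internal server will send its SYN-ACK: the source address it
    saw. Without SNAT that is the client itself, which then receives a reply
    from 172.27.1.10 rather than from 70.68.116.61 and resets the connection;
    with SNAT it is the router, which un-NATs it from its conntrack entry."""
    return natted.src


# Constructed rule set: the port 25 pair from the thread, plus an assumed
# equivalent pair for the port 80 forward to 10.24.83.10.
SAMPLE_RULES = [
    Reflection("172.27.0.1/21", "70.68.116.61", 25, "172.27.1.10", 25, "10.24.83.1"),
    Reflection("10.24.83.0/24", "70.68.116.61", 80, "10.24.83.10", 80, "10.24.83.1"),
]

if __name__ == "__main__":
    client = Packet("172.27.1.20", "70.68.116.61", 25)
    print("both chains  :", hairpin(client, SAMPLE_RULES))
    print("DNAT only    :", hairpin(client, SAMPLE_RULES, with_snat=False))
    print("other subnet :", hairpin(Packet("10.24.83.5", "70.68.116.61", 25), SAMPLE_RULES))
```

Note that each reflection pair is scoped by its -s subnet: the port 25 pair above only covers clients in 172.27.0.0/21, so a client on 10.24.83.0/24 connecting to the public IP on port 25 is left untouched by these two rules and needs its own pair.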
_______________________________________________ openwrt-users mailing list [email protected] https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-users
