Expanded answer to allow responses from 192.168.178.0/24
Marcks Thomas

Traffic from behind the OpenWrt router should now arrive at the 192.168.178.0/24 subnet, but there will be no response; the machines behind the internet router do not know how to route packets with a destination in the range 192.168.1.0/24. The easiest way to solve this problem is to have the OpenWrt router perform NAT. Using iptables:

# POSTROUTING can only match on the outgoing interface (-o); -i is not valid in that chain
iptables -t nat -A POSTROUTING -o br-wan -j MASQUERADE

My educated guess would be that a similar rule will be created automatically by inserting the line option masq 1 in the wan zone configuration in '/etc/config/firewall'.

There are some disadvantages to using NAT. All traffic forwarded in this way will appear to machines behind the internet router to have 192.168.178.20 as a source. Moreover, you will need to set up port forwards to initiate connections from the WAN side of the OpenWrt router.

Avoiding NAT will require further changes to the firewall and the routing table on the internet router. You would need to add the route '192.168.1.0/24 via 192.168.178.20'. If the router does not allow the routing table to be configured manually, you would have to add it to machines on the 192.168.178.0/24 subnet individually. Also, the following lines would have to be appended to '/etc/config/firewall' on the OpenWrt router:

config forwarding
    option src      wan
    option dest     lan

Marcks Thomas

First, though I'm not familiar with UCI, the OpenWrt Wiki informs me it can accommodate manual iptables rules using an external file. You've defined one already: '/etc/firewall.user', so the solution you referred to in your comment may still be viable.

Your routes allow the 192.168.178.0/24 subnet to be reached just fine, assuming that the interface your router uses for that is in fact 'br-wan' and you just failed to copy the last character into your question. It would appear to be a firewall issue.

The output of iptables -L shows something peculiar. The rules that allow traffic from LAN to VPN are:

Chain FORWARD (policy DROP)
delegate_forward  all  --  anywhere             anywhere   

Chain delegate_forward (1 references)
zone_lan_forward  all  --  anywhere             anywhere     

Chain zone_lan_forward (1 references)
zone_ipr_dest_ACCEPT  all  --  anywhere             anywhere             /* forwarding lan -> ipr */

Chain zone_ipr_dest_ACCEPT (2 references)
ACCEPT     all  --  anywhere             anywhere  

The '--verbose' flag would be required to be certain, but based on the comments and names of these chains, it seems these rules apply only to traffic forwarded to the 'tun1337' interface. Your iptables has no equivalent rules for 'br-wan'. Traffic forwarded to the internet router's subnet is eventually rejected.

To do this without manually adding rules, append the following lines to '/etc/config/firewall':

config forwarding
    option src      lan
    option dest     wan
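The two approaches in the answer above (masquerading on the OpenWrt router, or a static route on the 192.168.178.0/24 side plus wan->lan forwarding) and the lan->wan forwarding in the earlier revision are easy to get half-right, so here is an added example, not part of the original answer or of OpenWrt, that checks the resulting state. Each function parses the text output of a command, so the script runs offline against the constructed samples embedded below; on a real router you would feed it the output of iptables -t nat -S POSTROUTING, ip route, and /etc/config/firewall instead. The chain name delegate_postrouting, the host interface eth0 and the host address 192.168.178.42 in the samples are assumptions.

```shell
#!/bin/sh
# Added example (not from the original answer): post-change checks for the
# NAT and no-NAT setups described on the page. Every check reads command
# output passed in as a string, so it works offline against the constructed
# samples below. On a router, pass "$(iptables -t nat -S POSTROUTING)",
# "$(ip route)" and "$(cat /etc/config/firewall)" instead.

# Constructed sample: `iptables -t nat -S POSTROUTING` with masq enabled on wan.
# (The delegate_postrouting chain name is an assumption.)
SAMPLE_NAT_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -j delegate_postrouting
-A POSTROUTING -o br-wan -j MASQUERADE'

# Constructed sample: `ip route` on a host in 192.168.178.0/24 after adding
# the route from the answer (interface eth0 and host address are assumptions).
SAMPLE_HOST_ROUTES='default via 192.168.178.1 dev eth0
192.168.1.0/24 via 192.168.178.20 dev eth0
192.168.178.0/24 dev eth0 scope link src 192.168.178.42'

# Constructed sample: the relevant parts of /etc/config/firewall.
SAMPLE_FIREWALL="config zone
    option name 'wan'
    option masq '1'

config zone
    option name 'lan'

config forwarding
    option src 'lan'
    option dest 'wan'

config forwarding
    option src 'wan'
    option dest 'lan'"

# has_masquerade IFACE RULES: exit 0 if RULES contains a MASQUERADE rule whose
# outgoing interface (-o, the only interface match valid in POSTROUTING) is IFACE.
has_masquerade() {
    printf '%s\n' "$2" | grep -q -- "-o $1 .*-j MASQUERADE"
}

# has_route PREFIX GATEWAY ROUTES: exit 0 if ROUTES sends PREFIX via GATEWAY.
has_route() {
    printf '%s\n' "$3" | grep -qF -- "$1 via $2 "
}

# uci_has TYPE KEY1 VAL1 KEY2 VAL2 CONFIG: exit 0 if some "config TYPE"
# section in CONFIG carries both option pairs (quotes around values ignored).
uci_has() {
    printf '%s\n' "$6" | awk -v t="$1" -v k1="$2" -v v1="$3" -v k2="$4" -v v2="$5" -v q="'" '
        function flush() { if (sect == t && m1 && m2) found = 1 }
        /^config[ \t]/ { flush(); sect = $2; m1 = 0; m2 = 0; next }
        $1 == "option" {
            gsub(/"/, "", $3); gsub(q, "", $3)
            if ($2 == k1 && $3 == v1) m1 = 1
            if ($2 == k2 && $3 == v2) m2 = 1
        }
        END { flush(); exit (found ? 0 : 1) }'
}

# Convenience wrappers for the two UCI sections the answer talks about.
has_forwarding()   { uci_has forwarding src "$1" dest "$2" "$3"; }
zone_masquerades() { uci_has zone name "$1" masq 1 "$2"; }

# report LABEL CMD...: print the outcome of one check without aborting.
report() {
    label=$1; shift
    if "$@"; then echo "ok       $label"; else echo "MISSING  $label"; fi
}

report "wan zone masquerades (option masq 1)"  zone_masquerades wan "$SAMPLE_FIREWALL"
report "MASQUERADE rule leaves via br-wan"     has_masquerade br-wan "$SAMPLE_NAT_RULES"
report "host routes 192.168.1.0/24 via router" has_route 192.168.1.0/24 192.168.178.20 "$SAMPLE_HOST_ROUTES"
report "forwarding lan -> wan"                 has_forwarding lan wan "$SAMPLE_FIREWALL"
report "forwarding wan -> lan"                 has_forwarding wan lan "$SAMPLE_FIREWALL"
```

For the NAT setup only the first two checks need to pass; for the no-NAT setup the route check must pass on every host that should reach 192.168.1.0/24 (or on the internet router, if it lets you add routes) together with both forwarding sections. A MISSING on "forwarding lan -> wan" is exactly the symptom in the earlier revision: fw3 then generates no zone_wan_dest_ACCEPT rule, so forwarded packets fall through to the zone's REJECT.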