Hello fellow superusers,
I would like to use a Pi (Debian based) as a router right behind the modem/router. All LAN traffic will be filtered through the Pi, with a firewall behind it, not covered here.
So, I have two LANs, an "inner" LAN containing my local machines, and a small LAN between the modem/router and the Pi router.
I have successfully defined the route from the "inner LAN" to the "small LAN" beyond the Pi. My problem is I have a standard Internet modem/router, which I cannot configure routes on using "via". So, to counter this limitation, I thought of enabling NAT passthrough on the Pi's interface connected to the "small LAN" (where the modem is).
I repeat, on one branch I have successfully configured an ip route setup, while on the other branch I need NAT passthrough defined at the Pi's level.
For NAT I tried using ufw:
/etc/ufw/before.rules:
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Forward traffic through eth0 - Change to match your out-interface
# (-o is the interface the packet leaves through; -s is the source network)
-A POSTROUTING -s 192.168.x.x/24 -o eth0 -j MASQUERADE
# don't delete the 'COMMIT' line or these nat table rules won't
# be processed
COMMIT
After a reboot and a disable/enable of ufw I get the following error:
error around "*nat".
Actually I don't know if
-A POSTROUTING -s 192.168.x.x/24 -o eth0 -j MASQUERADE
is correct. The interface link is expected to route the traffic through, but I don't know if it is the source link or the destination link. Anyway, the error might also be elsewhere (around *nat).
Remember, in one direction, WAN to LAN, I need to forward traffic. In the opposite direction I already have routes in place (I can't have the symmetrical because the modem is limited).
Any thoughts?
"192.168.x.x/24" doesn't really make sense for the non-literal "x.x" anyway. It should either be ".0.0/16" if you mean "any" by "x", or ".x.x/32" (and "/32" can be omitted) if you mean specific numbers by "x". (Well, or ".x.0/24".)
Did "# don't delete the 'COMMIT' line or these nat table rules won't # be processed COMMIT" really become one line?
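The following is an added example, not code from the original post or from ufw. It generates the nat-table fragment for the Pi router and sanity-checks a before.rules file the way iptables-restore will read it: the *nat section must sit above the existing *filter section and be closed by its own COMMIT, and no line may start with a stray quote character. The inner LAN 192.168.10.0/24 and the modem-facing interface eth0 are assumed placeholder values, as is the stub *filter section the script constructs for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds the ufw NAT fragment
# for a Pi acting as a router and checks /etc/ufw/before.rules ordering before
# handing it to ufw (which feeds it to iptables-restore).
# Assumptions (illustrative, not from the post): inner LAN is 192.168.10.0/24,
# the Pi interface towards the modem's small LAN is eth0.
set -eu

# Emit the nat table section. iptables-restore opens a table with "*name" and
# closes it with "COMMIT"; ufw's before.rules already holds a "*filter" table,
# so this block has to be inserted ABOVE that line.
# -o names the interface the packet LEAVES through (modem side);
# -s names the source network (inner LAN).
gen_nat_rules() {
    lan_net="$1"
    wan_if="$2"
    cat <<EOF
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Masquerade traffic from the inner LAN as it leaves via ${wan_if}
-A POSTROUTING -s ${lan_net} -o ${wan_if} -j MASQUERADE
# don't delete the 'COMMIT' line or these nat table rules won't be processed
COMMIT
EOF
}

# Write a minimal, constructed before.rules (nat section first, then a stub
# *filter section) to the given path. A real before.rules has a much longer
# *filter section; only the ordering matters here.
write_sample_before_rules() {
    path="$1"
    lan_net="$2"
    wan_if="$3"
    {
        gen_nat_rules "$lan_net" "$wan_if"
        printf '\n*filter\n:ufw-before-input - [0:0]\n-A ufw-before-input -i lo -j ACCEPT\nCOMMIT\n'
    } > "$path"
}

# Return 0 when the file is well-formed for iptables-restore:
#   1. no line starts with a stray quote (a leading ' breaks the parser),
#   2. a *nat section exists and appears before *filter,
#   3. that *nat section is closed by its own COMMIT before *filter.
check_before_rules() {
    file="$1"
    if grep -q "^'" "$file"; then
        echo "$file: line starting with a quote character" >&2
        return 1
    fi
    nat_line=$(grep -n '^\*nat' "$file" | head -n 1 | cut -d: -f1)
    filter_line=$(grep -n '^\*filter' "$file" | head -n 1 | cut -d: -f1)
    [ -n "$nat_line" ] || { echo "$file: no *nat section" >&2; return 1; }
    [ -n "$filter_line" ] || { echo "$file: no *filter section" >&2; return 1; }
    if [ "$nat_line" -gt "$filter_line" ]; then
        echo "$file: *nat section must come before *filter" >&2
        return 1
    fi
    commit_line=$(awk -v s="$nat_line" 'NR > s && /^COMMIT$/ { print NR; exit }' "$file")
    if [ -z "$commit_line" ] || [ "$commit_line" -gt "$filter_line" ]; then
        echo "$file: *nat section is not closed by COMMIT before *filter" >&2
        return 1
    fi
    return 0
}

# Demo: build a sample file in a temp dir, check it, print the fragment.
demo_dir=$(mktemp -d)
write_sample_before_rules "$demo_dir/before.rules" 192.168.10.0/24 eth0
check_before_rules "$demo_dir/before.rules"
gen_nat_rules 192.168.10.0/24 eth0
rm -rf "$demo_dir"
# To apply for real (as root): paste the fragment at the top of
# /etc/ufw/before.rules, set DEFAULT_FORWARD_POLICY="ACCEPT" in
# /etc/default/ufw, set net/ipv4/ip_forward=1 in /etc/ufw/sysctl.conf,
# then: ufw disable && ufw enable, and inspect with: iptables -t nat -S POSTROUTING
```

The check only looks at file layout; it does not replace `ufw enable` itself, which is where iptables-restore reports the real "error around *nat" message if something else in the file is wrong.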