cgallery
newbie
Topic Author
Posts: 35
Joined: Tue Apr 24, 2018 5:25 am

What is this NAT rule for?

Fri Mar 15, 2019 12:31 am

I have a router I set up some time ago to act as an L2TP (IPsec) server for Windows 7/iPhone devices. Works great.

I tried to duplicate that today for someone else and was basically copying my rules over to a new device.

I have two NAT rules:

0 chain=srcnat action=masquerade out-interface-list=WAN log=no
log-prefix="" ipsec-policy=out,none

1 ;;; (needed for VPN clients!)
chain=srcnat action=masquerade src-address=192.168.1.0/24
dst-address=!192.168.1.1 log=no log-prefix=""

Without the "(needed for VPN clients!)" rule enabled, the VPN client connects to the router, and I can ping the router and WebCfg the router, but I cannot get BEYOND the router to computers/printers etc. that are connected to that router.

I'm trying to figure out why I would need that rule and how I came upon it. I'm sure when I was doing this the first time I must have googled it (should have copied the http for the comment) and found that it worked.

Any ideas?

The router's IP is 192.168.1.1. The rule seems to indicate the router should masquerade anything coming from the network behind the router, that isn't destined FOR the router.

I'm obviously a little confused and any insight would be helpful.
 
Sob
Forum Guru
Posts: 4050
Joined: Mon Apr 20, 2009 9:11 pm

Re: What is this NAT rule for?

Fri Mar 15, 2019 12:44 am

If you give addresses to VPN clients from a subnet other than 192.168.1.0/24, they would not be able to connect to Windows devices with the default config (even ping wouldn't work), because their firewall allows access only from the same subnet by default. The correct way to fix it would be to change the firewall on those devices, but you'd have to do it on all of them. Or you can use the masquerade rule you have as a simple workaround, because it will make all connections from VPN clients look as if they come from 192.168.1.1.
 
cgallery
newbie
Topic Author
Posts: 35
Joined: Tue Apr 24, 2018 5:25 am

Re: What is this NAT rule for?

Fri Mar 15, 2019 1:14 am

> If you give addresses to VPN clients from a subnet other than 192.168.1.0/24, they would not be able to connect to Windows devices with the default config (even ping wouldn't work), because their firewall allows access only from the same subnet by default. The correct way to fix it would be to change the firewall on those devices, but you'd have to do it on all of them. Or you can use the masquerade rule you have as a simple workaround, because it will make all connections from VPN clients look as if they come from 192.168.1.1.

The L2TP server is handing out addresses from the same DHCP pool as the machines behind the router; everything is 192.168.1.1 - .254.
 
Sob
Forum Guru
Posts: 4050
Joined: Mon Apr 20, 2009 9:11 pm

Re: What is this NAT rule for?  [SOLVED]

Fri Mar 15, 2019 2:25 am

In that case, do you have proxy ARP enabled on the LAN interface?
 
cgallery
newbie
Topic Author
Posts: 35
Joined: Tue Apr 24, 2018 5:25 am

Re: What is this NAT rule for?

Fri Mar 15, 2019 3:47 am

> In that case, do you have proxy ARP enabled on the LAN interface?

Right. So I tried enabling proxy ARP earlier today on the LAN interface (Ether2), but it didn't seem to make any difference.

I had thought I should enable proxy ARP on the bridge, but didn't want to do so in case it interrupted their service, but now that they're gone I tried it and it did the trick.

So thanks for bringing that up!
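The two approaches discussed in this thread, proxy ARP on the bridge (Sob's fix) versus masquerading VPN clients as 192.168.1.1 (the rule in the opening post), as an added RouterOS configuration example that is not from the thread or from MikroTik's documentation. The interface names ("bridge", interface list "WAN"), the profile and pool names, and the address ranges are assumptions, not taken from the original posts:

```routeros
# Added example (not from the thread): L2TP/IPsec clients that share the
# 192.168.1.0/24 LAN. Assumed names: LAN bridge "bridge", interface list
# "WAN", PPP profile "vpn-profile", pool "vpn-pool". Ranges are constructed.

# 1. Give VPN clients addresses from the LAN range, but from a pool that
#    does not overlap the DHCP server's pool, so the L2TP server and DHCP
#    never hand the same address to two devices.
/ip pool add name=vpn-pool ranges=192.168.1.200-192.168.1.220
/ppp profile add name=vpn-profile local-address=192.168.1.1 remote-address=vpn-pool
/interface l2tp-server server set enabled=yes default-profile=vpn-profile use-ipsec=yes ipsec-secret="CHANGE-ME"

# 2. Proxy ARP on the interface that actually carries 192.168.1.1, i.e. the
#    bridge, not on a single bridge port such as ether2. The router then
#    answers LAN hosts' ARP requests for the VPN clients' addresses, so
#    return traffic reaches the tunnel and Windows hosts see the client's
#    real 192.168.1.x source address (same subnet, so the default Windows
#    firewall allows it). No source NAT is needed for VPN-to-LAN traffic.
/interface bridge set bridge arp=proxy-arp

# 3. Masquerade only traffic leaving toward the Internet. ipsec-policy=out,none
#    matches packets that are NOT about to be IPsec-encrypted, so the L2TP/IPsec
#    traffic itself is never rewritten by this rule.
/ip firewall nat add chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none

# 4. The workaround from the opening post, shown disabled. It makes every
#    VPN client look like 192.168.1.1 to LAN hosts, which satisfies the
#    Windows same-subnet rule without proxy ARP, but LAN hosts' logs and
#    host firewalls can then no longer tell one VPN client from another
#    (or from the router itself). Prefer step 2 and leave this off.
/ip firewall nat add chain=srcnat action=masquerade src-address=192.168.1.0/24 dst-address=!192.168.1.1 comment="needed for VPN clients (workaround, disabled)" disabled=yes
```

With proxy ARP on the bridge, a VPN client at 192.168.1.205 pinging a LAN printer is answered because the router replies to the printer's ARP request for 192.168.1.205 with its own MAC and forwards the reply into the tunnel; the printer and any Windows host still log the real client address, which is the reason to prefer it over the masquerade rule.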
