dd-wrt not forwarding packets between vpn and wan


I hope I am missing something obvious, but I really need a second set of eyes.

In summary, the problem is that I can see traffic entering my dd-wrt router from tun0, but the traffic is not exiting on vlan2. How do I fix this?

The DD-WRT box has an office-to-office VPN. (DD-WRT is acting as a VPN client here.) There is no problem with offices talking to each other, nor is there a problem with users behind the DD-WRT box accessing the wider Internet.

I need to access the modem in front of the DD-WRT box through the VPN (i.e. using HTTP) but I can't get this working. Using tcpdump on the DD-WRT box I can see packets for the modem (which is on 192.168.5.1) entering through the tun0 interface, but they are not leaving the vlan2 (or any) interface. VLAN2 is, of course, the WAN interface.

/proc/sys/net/ipv4_ip_forward = 1

(indeed ipv4_ip_forward is 1 on all interfaces as well. Similarly, rp_filter is 0 for all interfaces)

The iptables rules on the dd-wrt box look as follows:

# Generated by iptables-save v1.3.7 on Wed Jul 11 11:58:08 2018
*raw
:PREROUTING ACCEPT [47865311:28994994909]
:OUTPUT ACCEPT [9163855:1799452886]
COMMIT
# Completed on Wed Jul 11 11:58:08 2018
# Generated by iptables-save v1.3.7 on Wed Jul 11 11:58:08 2018
*nat
:PREROUTING ACCEPT [1057208:133049889]
:INPUT ACCEPT [345811:25454876]
:OUTPUT ACCEPT [89626:6090987]
:POSTROUTING ACCEPT [155806:10976951]
-A PREROUTING -d 192.168.5.150 -p icmp -j DNAT --to-destination 10.113.3.254 
-A PREROUTING -d 192.168.5.150 -j TRIGGER --trigger-proto --trigger-match 0-0 --trigger-relate 0-0 
-A POSTROUTING -s 10.113.3.0/255.255.255.0 -o vlan2 -j SNAT --to-source 192.168.5.150 
-A POSTROUTING -m mark --mark 0x80000000/0x80000000 -j MASQUERADE 
COMMIT
# Completed on Wed Jul 11 11:58:08 2018
# Generated by iptables-save v1.3.7 on Wed Jul 11 11:58:08 2018
*mangle
:PREROUTING ACCEPT [47865077:28994974549]
:INPUT ACCEPT [10833466:7689826180]
:FORWARD ACCEPT [36687562:21242777711]
:OUTPUT ACCEPT [9163804:1799448597]
:POSTROUTING ACCEPT [45776394:23034636218]
-A PREROUTING -d 192.168.5.150 -i ! vlan2 -j MARK  --set-xmark 0x80000000/0x80000000
-A PREROUTING -j CONNMARK --save-mark 
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 
COMMIT
# Completed on Wed Jul 11 11:58:08 2018
# Generated by iptables-save v1.3.7 on Wed Jul 11 11:58:08 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [9163399:1799420708]
:advgrp_1 - [0:0]
:advgrp_10 - [0:0]
:advgrp_2 - [0:0]
:advgrp_3 - [0:0]
:advgrp_4 - [0:0]
:advgrp_5 - [0:0]
:advgrp_6 - [0:0]
:advgrp_7 - [0:0]
:advgrp_8 - [0:0]
:advgrp_9 - [0:0]
:grp_1 - [0:0]
:grp_10 - [0:0]
:grp_2 - [0:0]
:grp_3 - [0:0]
:grp_4 - [0:0]
:grp_5 - [0:0]
:grp_6 - [0:0]
:grp_7 - [0:0]
:grp_8 - [0:0]
:grp_9 - [0:0]
:lan2wan - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
:logreject - [0:0]
:trigger_out - [0:0]
-A INPUT -d 192.168.5.1 -j ACCEPT 
-A INPUT -s 10.109.0.0/255.255.0.0 -p tcp -m tcp --dport 443 -j ACCEPT 
-A INPUT -s 10.104.0.0/255.255.0.0 -p tcp -m tcp --dport 443 -j ACCEPT 
-A INPUT -s 10.109.0.0/255.255.0.0 -p tcp -m tcp --dport 22 -j ACCEPT 
-A INPUT -s 10.104.0.0/255.255.0.0 -p tcp -m tcp --dport 22 -j ACCEPT 
-A INPUT -s 10.112.0.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT 
-A INPUT -s 114.23.127.210 -p tcp -m tcp --dport 22 -j ACCEPT 
-A INPUT -s 10.109.4.0/255.255.254.0 -p tcp -m tcp --dport 22 -j ACCEPT 
-A INPUT -s 10.105.4.0/255.255.254.0 -p tcp -m tcp --dport 22 -j ACCEPT 
-A INPUT -s 192.168.200.253 -p tcp -m tcp --dport 22 -j ACCEPT 
-A INPUT -s 10.108.98.1 -p tcp -m tcp --dport 22 -j ACCEPT 
-A INPUT -s 192.168.200.7 -p tcp -m tcp --dport 22 -j ACCEPT 
-A INPUT -s 192.168.224.1 -p tcp -m tcp --dport 22 -j ACCEPT 
-A INPUT -p icmp -j ACCEPT 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -i vlan2 -p udp -m udp --sport 67 --dport 68 -j ACCEPT 
-A INPUT -i vlan2 -p udp -m udp --dport 520 -j DROP 
-A INPUT -i br0 -p udp -m udp --dport 520 -j DROP 
-A INPUT -p udp -m udp --dport 520 -j ACCEPT 
-A INPUT -i vlan2 -p icmp -j ACCEPT 
-A INPUT -p igmp -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 113 -j ACCEPT 
-A INPUT -i lo -m state --state NEW -j ACCEPT 
-A INPUT -i br0 -m state --state NEW -j ACCEPT 
-A INPUT -j DROP 
-A FORWARD -d 192.168.5.1 -j ACCEPT 
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -s 10.113.3.0/255.255.255.0 -o vlan2 -p gre -j ACCEPT 
-A FORWARD -s 10.113.3.0/255.255.255.0 -o vlan2 -p tcp -m tcp --dport 1723 -j ACCEPT 
-A FORWARD -j lan2wan 
-A FORWARD -i br0 -o br0 -j ACCEPT 
-A FORWARD -d 224.0.0.0/240.0.0.0 -i vlan2 -p udp -j ACCEPT 
-A FORWARD -i vlan2 -o br0 -j TRIGGER --trigger-proto --trigger-match 0-0 --trigger-relate 0-0 
-A FORWARD -i br0 -j trigger_out 
-A FORWARD -i br0 -m state --state NEW -j ACCEPT 
-A FORWARD -j DROP 
-A OUTPUT -d 192.168.5.1 -j ACCEPT 
-A OUTPUT -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 
-A logaccept -j ACCEPT 
-A logdrop -j DROP 
-A logreject -p tcp -j REJECT --reject-with tcp-reset 
COMMIT
# Completed on Wed Jul 11 11:58:08 2018

Traffic is originating on 10.109.4.18 and destined for 192.168.5.1. 192.168.5.1 is the internal IP address of the modem, and I can ping it from the DD-WRT router.

10.109.4.18 is my computer's IP address, and it is being routed down the tunnel and is visible on the DD-WRT router on the tun0 interface.

The LAN for the office is 10.113.0.0/16. (I don't think that's very relevant to the problem.)

The routing table for the DD-WRT box is:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.5.1     0.0.0.0         UG    0      0        0 vlan2
10.103.0.0      172.17.0.13     255.255.0.0     UG    0      0        0 tun0
10.104.0.0      172.17.0.13     255.255.0.0     UG    0      0        0 tun0
10.108.0.0      172.17.0.13     255.255.0.0     UG    100    0        0 tun0
10.109.0.0      172.17.0.13     255.255.0.0     UG    0      0        0 tun0
10.112.0.0      172.17.0.13     255.255.0.0     UG    300    0        0 tun0
10.113.3.0      0.0.0.0         255.255.255.0   U     0      0        0 br0
52.64.171.0     172.17.0.13     255.255.255.0   UG    0      0        0 tun0
52.79.94.0      172.17.0.13     255.255.255.0   UG    0      0        0 tun0
103.245.173.26  172.17.0.13     255.255.255.255 UGH   0      0        0 tun0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 br0
172.17.0.0      172.17.0.13     255.255.255.128 UG    0      0        0 tun0
172.17.0.13     0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.0.0     172.17.0.13     255.255.128.0   UG    0      0        0 tun0
192.168.5.0     0.0.0.0         255.255.255.0   U     0      0        0 vlan2
192.168.100.0   172.17.0.13     255.255.255.0   UG    100    0        0 tun0
192.168.128.0   172.17.0.13     255.255.128.0   UG    100    0        0 tun0
192.168.190.0   172.17.0.13     255.255.255.0   UG    100    0        0 tun0
192.168.200.0   172.17.0.13     255.255.255.0   UG    100    0        0 tun0
192.168.201.0   172.17.0.13     255.255.255.0   UG    100    0        0 tun0
192.168.202.0   172.17.0.13     255.255.255.0   UG    100    0        0 tun0
202.49.205.0    172.17.0.13     255.255.255.0   UG    100    0        0 tun0
203.171.55.96   172.17.0.13     255.255.255.240 UG    100    0        0 tun0
210.48.103.120  172.17.0.13     255.255.255.248 UG    100    0        0 tun0
210.48.111.208  172.17.0.13     255.255.255.240 UG    0      0        0 tun0

MTR from my computer shows:

Keys:  Help   Display mode   Restart statistics   Order of fields   quit
                                       Packets               Pings
 Host                                Loss%   Snt   Last   Avg  Best  Wrst StDev
 1. gwbox.companyname.co.nz           0.0%     2    0.3   0.3   0.3   0.3   0.0
 2. 172.17.0.14                       0.0%     2   76.5  76.7  76.5  76.9   0.0
 3. ???

The DD-WRT router shows:

tcpdump -n -i tun0 src or dst 192.168.5.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
12:27:19.956766 IP 10.109.4.18 > 192.168.5.1: ICMP echo request, id 65027, seq 59776, length 44
12:27:20.043487 IP 10.109.4.18 > 192.168.5.1: ICMP echo request, id 65027, seq 60032, length 44
12:27:20.146912 IP 10.109.4.18 > 192.168.5.1: ICMP echo request, id 65027, seq 60288, length 44
12:27:20.246477 IP 10.109.4.18 > 192.168.5.1: ICMP echo request, id 65027, seq 60544, length 44
12:27:20.353698 IP 10.109.4.18 > 192.168.5.1: ICMP echo request, id 65027, seq 60800, length 44
12:27:20.447131 IP 10.109.4.18 > 192.168.5.1: ICMP echo request, id 65027, seq 61056, length 44
12:27:20.556747 IP 10.109.4.18 > 192.168.5.1: ICMP echo request, id 65027, seq 61312, length 44

Meanwhile, tcpdump -n -i vlan2 src or dst 192.168.5.1 does not show anything.

Tags: routing, openvpn, dd-wrt, nat
asked on Super User Jul 11, 2018 by davidgo • edited Jul 13, 2018 by davidgo
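Since the question has no answers, here is an added example (my own code, not from the post, from DD-WRT or from the iptables project) that walks the two packets that matter through the FORWARD and nat POSTROUTING rules the post shows: the ICMP packet arriving on tun0 from 10.109.4.18 for the modem at 192.168.5.1, and, for contrast, an ordinary LAN packet from 10.113.3.0/24 heading for the Internet. The rule text is a constructed subset copied from the post; the packet fields (iif, oif, state, mark) are assumed values for a first packet of a new flow, and the 10.113.3.10 and 8.8.8.8 addresses are made up for the contrast case. Only the matches the walk needs (-s/-d/-i/-o/-p, --state, --mark) are evaluated; other options are parsed and skipped.

```python
"""Walk a packet through iptables-save rules and report which rule decides it.

Added example, not code from the Super User post or from DD-WRT. The rule
text below is a constructed subset copied from the post's iptables-save
output; the two sample packets are assumed values.
"""
import ipaddress
import shlex

# Constructed sample: the post's filter FORWARD chain and nat POSTROUTING chain.
FILTER_RULES = """
-A FORWARD -d 192.168.5.1 -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.113.3.0/255.255.255.0 -o vlan2 -p gre -j ACCEPT
-A FORWARD -s 10.113.3.0/255.255.255.0 -o vlan2 -p tcp -m tcp --dport 1723 -j ACCEPT
-A FORWARD -j lan2wan
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -d 224.0.0.0/240.0.0.0 -i vlan2 -p udp -j ACCEPT
-A FORWARD -i vlan2 -o br0 -j TRIGGER --trigger-proto --trigger-match 0-0 --trigger-relate 0-0
-A FORWARD -i br0 -j trigger_out
-A FORWARD -i br0 -m state --state NEW -j ACCEPT
-A FORWARD -j DROP
"""
NAT_RULES = """
-A POSTROUTING -s 10.113.3.0/255.255.255.0 -o vlan2 -j SNAT --to-source 192.168.5.150
-A POSTROUTING -m mark --mark 0x80000000/0x80000000 -j MASQUERADE
"""

TERMINATING = {"ACCEPT", "DROP", "REJECT", "SNAT", "DNAT", "MASQUERADE"}

# Assumed packets: the post's VPN -> modem probe, and a LAN host -> Internet probe.
VPN_PKT = {"src": "10.109.4.18", "dst": "192.168.5.1", "iif": "tun0", "oif": "vlan2",
           "proto": "icmp", "state": "NEW", "mark": 0}
LAN_PKT = {"src": "10.113.3.10", "dst": "8.8.8.8", "iif": "br0", "oif": "vlan2",
           "proto": "icmp", "state": "NEW", "mark": 0}


def parse_rules(text):
    """Return {chain: [rule, ...]} from the '-A' lines of iptables-save output."""
    chains, chain = {}, None
    for line in text.strip().splitlines():
        tok, rule, i = shlex.split(line), {"target": None}, 0
        while i < len(tok):
            t = tok[i]
            if t == "-A":
                chain = tok[i + 1]; i += 2
            elif t in ("-s", "-d"):   # dotted-mask form (10.0.0.0/255.0.0.0) is accepted
                rule[t] = ipaddress.ip_network(tok[i + 1], strict=False); i += 2
            elif t in ("-i", "-o", "-p", "-j", "--to-source"):
                rule[t] = tok[i + 1]; i += 2
            elif t == "--state":
                rule["state"] = set(tok[i + 1].split(",")); i += 2
            elif t == "--mark":
                val, _, mask = tok[i + 1].partition("/")
                rule["mark"] = (int(val, 0), int(mask or "0xffffffff", 0)); i += 2
            elif t == "--tcp-flags":
                i += 3                 # two arguments we do not evaluate
            elif i + 1 < len(tok) and not tok[i + 1].startswith("-"):
                i += 2                 # one-argument option we do not evaluate (-m, --dport)
            else:
                i += 1                 # bare flag (--clamp-mss-to-pmtu, --trigger-proto)
        rule["target"] = rule.pop("-j", None)
        chains.setdefault(chain, []).append(rule)
    return chains


def matches(rule, pkt):
    """True if every evaluated match in rule agrees with pkt."""
    if "-s" in rule and ipaddress.ip_address(pkt["src"]) not in rule["-s"]:
        return False
    if "-d" in rule and ipaddress.ip_address(pkt["dst"]) not in rule["-d"]:
        return False
    for opt, key in (("-i", "iif"), ("-o", "oif"), ("-p", "proto")):
        if opt in rule and rule[opt] != pkt[key]:
            return False
    if "state" in rule and pkt["state"] not in rule["state"]:
        return False
    if "mark" in rule and pkt["mark"] & rule["mark"][1] != rule["mark"][0]:
        return False
    return True


def walk(chains, chain, pkt, policy="ACCEPT"):
    """Return (verdict, where, rule) for the rule that decides pkt, else the chain policy."""
    for n, rule in enumerate(chains.get(chain, []), 1):
        if not matches(rule, pkt):
            continue
        tgt = rule["target"]
        if tgt == "RETURN":
            break
        if tgt in TERMINATING:
            return tgt, f"{chain}#{n}", rule
        if tgt in chains:              # user-defined chain with rules: descend
            hit = walk(chains, tgt, pkt, policy=None)
            if hit:
                return hit
        # non-terminating targets (TCPMSS, TRIGGER) and empty user chains
        # (lan2wan, trigger_out in the post) fall through to the next rule
    return (policy, f"{chain} policy", None) if policy else None


def trace(pkt):
    """Decide pkt in filter FORWARD and nat POSTROUTING; report the source it leaves with."""
    filt = walk(parse_rules(FILTER_RULES), "FORWARD", pkt)
    nat = walk(parse_rules(NAT_RULES), "POSTROUTING", pkt)
    src_after = pkt["src"]
    if nat[0] == "SNAT":
        src_after = nat[2]["--to-source"]
    elif nat[0] == "MASQUERADE":
        src_after = f"<address of {pkt['oif']}>"
    return {"filter": filt[:2], "nat": nat[:2], "src_after_nat": src_after}


if __name__ == "__main__":
    for name, pkt in (("VPN -> modem", VPN_PKT), ("LAN -> Internet", LAN_PKT)):
        print(name, trace(pkt))
```

Two things fall out of the walk. First, the posted filter rules are not what stops the packet: the VPN probe is accepted by the very first FORWARD rule (-d 192.168.5.1 -j ACCEPT), so if it still never appears on vlan2 the decision is being made before netfilter's FORWARD hook, which on Linux means routing; on the box itself, ip route get 192.168.5.1 from 10.109.4.18 iif tun0 and ip rule show tell you which table and interface the kernel actually picks for that flow, and iptables -t filter -L FORWARD -v -n shows whether the ACCEPT counter on that first rule moves at all. Second, even once the packet does leave vlan2, no nat POSTROUTING rule matches it (the SNAT is limited to 10.113.3.0/24 and the MASQUERADE to marked packets), so it leaves with source 10.109.4.18; unless the modem at 192.168.5.1 has a static route for that network, its replies go to its default gateway rather than back through the router, and the HTTP session still fails.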

0 Answers

Nobody has answered this question yet.
