[RESOLVED] NAT through VPN do not work

This topic is empty.

Viewing 15 posts - 1 through 15 (of 17 total)

1 2 →

Author

Posts
December 11, 2015 at 3:20 pm #44459

ochambelant
Member

Hello,

I have a problem when I try to NAT.

LAN A:
192.168.2.0 /24

LAN B:
192.168.0.0 /24

Both lan are connected with OpenVPN Lan-to-Lan. Without NAT, I can reach each other.

I want to NAT, for LAN A, 192.168.0.0 /24 to 172.20.0.0 /24 in order to join LAN B.

So I created Virtual Server on LAN A:
– Input Interface: VPN00
– IP Address: 172.20.0.254
– Protocol: TCP/UDP
– Local Port: 22,443,161-162
– Real Servers: 192.168.0.254:22,443,161-162.

Router configuration on LAN A:
– Destination: 172.20.0.0
– Netmask: 255.255.255.0
– Type: Net
– Metric: 0
– Gateway: 1.1.1.2 (end point tunnel)
– State: Up

Router configuration on LAN B:
– Destination: 192.168.2.0
– Netmask: 255.255.255.0
– Type: Net
– Metric: 0
– Gateway: 1.1.1.1 (end point tunnel)
– State: Up

What did I forget ?

Thanks for help.

Best regards.

December 12, 2015 at 8:47 pm #53962

ochambelant
Member

Hey,

As you can see, 0 bytes is used for NAT :s

Chain PREROUTING (policy ACCEPT 11491 packets, 1209K bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT all — VPN00 * 0.0.0.0/0 172.20.0.254 to:192.168.0.254
19 988 Proxy tcp — * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80

Chain POSTROUTING (policy ACCEPT 8028 packets, 1158K bytes)
pkts bytes target prot opt in out source destination
0 0 SNAT all — * VPN00 192.168.0.254 0.0.0.0/0 to:172.20.0.254
8177 1169K SNATVS all — * * 0.0.0.0/0 0.0.0.0/0

Chain SNATVS (1 references)
pkts bytes target prot opt in out source destination

Why ?

Thanks for help 🙂

December 13, 2015 at 9:14 am #53963

redfive
Participant

What goal exactly would you achieve ? Since you already have two different networks, and L3 transparency, you should be already ok …
Based on

So I created Virtual Server on LAN A:
– Input Interface: VPN00
– IP Address: 172.20.0.254
– Protocol: TCP/UDP
– Local Port: 22,443,161-162
– Real Servers: 192.168.0.254:22,443,161-162.

seems you expect packets with dest.ip address 172.20.0.254 , but just below

Router configuration on LAN A:
– Destination: 172.20.0.0
– Netmask: 255.255.255.0
– Type: Net
– Metric: 0
– Gateway: 1.1.1.2 (end point tunnel)
– State: Up

you are telling that the same network is reacheable via the vpn tunnel …
I think that is possible to do something, knowing what is your goal ….. 😉
Regards

December 13, 2015 at 2:00 pm #53964

ochambelant
Member

Hey,

Thanks for your reply.

I want to connect to remote LAN which have same IP address: 192.168.0.0 through VPN.

So I have to NAT each remote LAN with following address:
1 – 192.168.0.0 –> 172.20.0.0
2 – 192.168.0.0 –> 172.21.0.0
3 – …

Am I clear ? 😀

Best regards. 😛

December 13, 2015 at 2:34 pm #53965
redfive
Participant
Now yes !
try as follows … firstly, remove all virtual server rules, as well as the static routes regarding the remote networks, then add, Scripts/Cron, NAT and Virtual Servers script, these lines
on siteA
```
iptables -t nat -I POSTROUTING -o VPN00 -s 192.168.0.0/24 -d 192.168.2.0/24 -j NETMAP --to 192.168.1.0/24

iptables -t nat -I PREROUTING -i VPN00 -s 192.168.1.0/24 -d 192.168.2.0/24 -j NETMAP --to 192.168.0.0/24
```
on siteB
```
iptables -t nat -I POSTROUTING -o VPN00 -s 192.168.0.0/24 -d 192.168.1.0/24 -j NETMAP --to 192.168.2.0/24

iptables -t nat -I PREROUTING -i VPN00 -s 192.168.2.0/24 -d 192.168.1.0/24 -j NETMAP --to 192.168.0.0/24
```
Enable the script, save, look if the rules are applied (in case, reboot)
```
iptables -t nat -nvL
```
Then static routes, on siteA
```
192.168.2.0 255.255.255.0 via 1.1.1.2
```
on siteB
```
192.168.1.0 255.255.255.0 via 1.1.1.1
```
The commands above will translate the whole network portion of the ip address, leaving intact the host portion, so, for eg. for reaching a server located in siteB at 192.168.0.10, from siteA you will type 192.168.2.10…..
It should* work …. (or, at least I believe … :lol:)
Regards
December 14, 2015 at 8:22 am #53966

ochambelant
Member

Hello Buddy,

Thanks for your help.

I have few questions.

What’s 192.168.1.0 address ?

My LAN A (192.168.2.0) want to reach 192.168.0.0 (LAN B) through 172.20.0.0 which is NAT address.

My LAN B (192.168.0.0) want to reach 192.168.2.0 (LAN A) through 172.31.255.0 which is NAT address.

I do not understand what’s 192.168.1.0.

Best regards 🙂

December 14, 2015 at 11:32 am #53967

redfive
Participant

Later I’ll post the changes to the rules, but ….sorry for the maybe stupid question.. why you can’t reach directly the remote networks via a couple of simple static routes ( since are different networks..) and you want instead use the NAT ?
Regards

December 14, 2015 at 12:31 pm #53968
redfive
Participant
Case 1

I want to connect to remote LAN which have same IP address: 192.168.0.0 through VPN.

So I have to NAT each remote LAN with following address:
1 – 192.168.0.0 –> 172.20.0.0
2 – 192.168.0.0 –> 172.21.0.0

SiteA
```
iptables -t nat -I POSTROUTING -o VPN00 -s 192.168.0.0/24 -d 172.21.0.0/24 -j NETMAP --to 172.20.0.0

iptables -t nat -I PREROUTING -i VPN00 -s 172.21.0.0/24/24 -d 172.20.0.0/24 -j NETMAP --to 192.168.0.0/24
```
```
ip route 172.21.0.0 255.255.255.0 via 1.1.1.2
```
SiteB
```
iptables -t nat -I POSTROUTING -o VPN00 -s 192.168.0.0/24 -d 172.20.0.0/24 -j NETMAP --to 172.21.0.0

iptables -t nat -I PREROUTING -i VPN00 -s 172.20.0.0/24/24 -d 172.21.0.0/24 -j NETMAP --to 192.168.0.0/24
```
```
ip route 172.20.0.0 255.255.255.0 via 1.1.1.1
```
Case 2

My LAN A (192.168.2.0) want to reach 192.168.0.0 (LAN B) through 172.20.0.0 which is NAT address.
My LAN B (192.168.0.0) want to reach 192.168.2.0 (LAN A) through 172.31.255.0 which is NAT address.

SiteA
```
iptables -t nat -I POSTROUTING -o VPN00 -s 192.168.2.0/24 -d 172.31.255.0/24 -j NETMAP --to 172.20.0.0

iptables -t nat -I PREROUTING -i VPN00 -s 172.31.255.0/24/24 -d 172.20.0.0/24 -j NETMAP --to 192.168.2.0/24
```
```
ip route 172.31.255.0 255.255.255.0 via 1.1.1.2
```
SiteB
```
iptables -t nat -I POSTROUTING -o VPN00 -s 192.168.0.0/24 -d 172.20.0.0/24 -j NETMAP --to 172.31.255.0

iptables -t nat -I PREROUTING -i VPN00 -s 172.20.0.0/24/24 -d 172.31.255.0/24 -j NETMAP --to 192.168.0.0/24
```
```
ip route 172.20.0.0 255.255.255.0 via 1.1.1.1
```
Could being ??
December 14, 2015 at 1:59 pm #53969

ochambelant
Member

Hey,

I have an error:

iptables v1.4.13: host/network _172.31.255.0/24′ not found
Try _iptables -h’ or ‘iptables –help’ for more information.

[NAT and Virtual Servers]: ERROR (2)

:s

December 14, 2015 at 2:22 pm #53970
redfive
Participant
Mmm … seems that I did a typo, from copy and paste…. the netmask is double
SiteA

iptables -t nat -I POSTROUTING -o VPN00 -s 192.168.2.0/24 -d 172.31.255.0/24 -j NETMAP –to 172.20.0.0
iptables -t nat -I PREROUTING -i VPN00 -s 172.31.255.0/24/24 -d 172.20.0.0/24 -j NETMAP –to 192.168.2.0/24

SiteB

iptables -t nat -I POSTROUTING -o VPN00 -s 192.168.0.0/24 -d 172.20.0.0/24 -j NETMAP –to 172.31.255.0
iptables -t nat -I PREROUTING -i VPN00 -s 172.20.0.0/24/24 -d 172.31.255.0/24 -j NETMAP –to 192.168.0.0/24

SiteA
```
iptables -t nat -I POSTROUTING -o VPN00 -s 192.168.2.0/24 -d 172.31.255.0/24 -j NETMAP --to 172.20.0.0

iptables -t nat -I PREROUTING -i VPN00 -s 172.31.255.0/24 -d 172.20.0.0/24 -j NETMAP --to 192.168.2.0/24
```
SiteB
```
iptables -t nat -I POSTROUTING -o VPN00 -s 192.168.0.0/24 -d 172.20.0.0/24 -j NETMAP --to 172.31.255.0

iptables -t nat -I PREROUTING -i VPN00 -s 172.20.0.0/24 -d 172.31.255.0/24 -j NETMAP --to 192.168.0.0/24
```
December 14, 2015 at 7:24 pm #53971
ochambelant
Member
Hello buddy,

It’s still not working.

On my LAN B (192.168.0.0), when I try to reach 172.31.255.48 (real address is 192.168.2.48 on LAN A ) it’s going to Internet and not VPN00:

WARNING: the host 172.31.255.48 is not directly connected on the ETH00 LAN but is reachable via
the gateway 78.221.182.254: ARP is a Layer 2 Protocol and it cannot be routed by routers!
```
iptables -t nat -I POSTROUTING -o VPN00 -s 192.168.0.0/24 -d 172.20.0.0/24 -j NETMAP --to 172.31.255.0

iptables -t nat -I PREROUTING -i VPN00 -s 172.20.0.0/24/24 -d 172.31.255.0/24 -j NETMAP --to 192.168.0.0/24
```
```
ip route 172.20.0.0 255.255.255.0 via 1.1.1.1
```
But, 172.20.0.0 is NAT address from LAN A to reach 192.168.0.0 (LAN B).

– My LAN A (192.168.2.0) have to reach LAN B (192.168.0.0) through 172.20.0.0 which is NAT address.

– My LAN B (192.168.0.0) have to reach LAN A (192.168.2.0) through 172.31.255.0 which is NAT address.

Thanks again for your help !!!!
December 14, 2015 at 8:06 pm #53972

redfive
Participant

If you want to reach, from the Lan B (192.168.0.0) the ‘real’ sever located in Lan A at 192.168.2.48, you should search for it at 172.20.0.48 ….Or , at least as per the rules are now written, the LanA should reach the Lan B, presenting itself as the network 172.20.0.0/24, while the Lan B, is for the Lan-A the 172.31.255.0/24 network ….
You can modify the prerouting/postrouting rules and the static routes if you want that the LanA ‘present’ itself as 172.31.255.0/24 to the Lan B, and the Lan B ‘present’ itself as 172.20.0.0/24 to the Lan A ……
But wouldn’t be simpler without any nat rule ?? Or you have the same networks on both ends ?
Regards

December 14, 2015 at 8:50 pm #53973
redfive
Participant
Found an error… my fault …. 🙄
Do you remember the previous ‘double’ netmask ? because the one which was doubled before, is missing in the last rules …
and , since we are here, these should be the correct rules that you need, with the NAT as you wish (lan-A 192.168.2.0 >> 172.31.255.0 and lanB 192.168.0.0 >> 172.20.0.0)
Lan-A
```
iptables -t nat -I POSTROUTING -o VPN00 -s 192.168.2.0/24 -d 172.20.0.0/24  -j NETMAP --to 172.31.255.0/24

iptables -t nat -I PREROUTING -i VPN00 -s 172.20.0.0/24 -d 172.31.255.0/24 -j NETMAP --to 192.168.2.0/24
```
```
ip route 172.20.0.0 255.255.255.0 via 1.1.1.2
```
Lan-B
```
iptables -t nat -I POSTROUTING -o VPN00 -s 192.168.0.0/24 -d 172.31.255.0/24 -j NETMAP --to 172.20.0.0/24

iptables -t nat -I PREROUTING -i VPN00 -s 172.31.255.0/24 -d 172.20.0.0/24 -j NETMAP --to 192.168.0.0/24
```
```
ip route 172.31.255.0 255.255.255.0 via 1.1.1.1
```
Assuming that 1.1.1.1 is the vpn-tunnel inner address of Lan-A, and 1.1.1.2 is the vpn-tunnel inner address of Lan-B …. correct the rules in the Scripts and the static routes, reboot and try… once again
Regards
December 14, 2015 at 9:03 pm #53974

ochambelant
Member

Man…. you’re GOD !!!

Thanks a lot dude !!!!

June 18, 2016 at 8:35 pm #53975

aitistu
Member

hi
i have a similar setup maybe redfive can help me (many thanks in advance}

box A has 4 3g modems ppp0… ppp3, vpn0….vpn3 bonded in bond00 10.99.99.2 eth00 192.168.0.75

box B has vpn0…vpn3 bonded in bond00 10.99.99.1 eth00 192.168.0.99

box B has internet from dlink 804hv forwarded vlans

can ping between boxes , if static routes can ping between 192.168 lan’s

can ping google.com (does resolve) and any internet ip from box B

can ping any internet ip from boxA but google.com or any other domain dosnt resolve

no internet conectivity on box A lan

the ideea is to get more speedy mobile internet. i have a fat pipe at home
with dynamic ip adress

tryed the NETMAP rules with no success, before it was working the same with nat (with nat i had some poor conectivity but intermitently)

thanks again
regards
cris
Author

Posts

Viewing 15 posts - 1 through 15 (of 17 total)

1 2 →

You must be logged in to reply to this topic.