[RESOLVED] NAT through VPN does not work
December 11, 2015 at 3:20 pm #44459
ochambelant (Member)

Hello,
I have a problem when I try to NAT.

LAN A: 192.168.2.0 /24
LAN B: 192.168.0.0 /24

Both LANs are connected with OpenVPN Lan-to-Lan. Without NAT, each side can reach the other.
I want to NAT, for LAN A, 192.168.0.0 /24 to 172.20.0.0 /24 in order to join LAN B.
So I created Virtual Server on LAN A:
– Input Interface: VPN00
– IP Address: 172.20.0.254
– Protocol: TCP/UDP
– Local Port: 22,443,161-162
– Real Servers: 192.168.0.254:22,443,161-162

Router configuration on LAN A:
– Destination: 172.20.0.0
– Netmask: 255.255.255.0
– Type: Net
– Metric: 0
– Gateway: 1.1.1.2 (end point tunnel)
– State: Up

Router configuration on LAN B:
– Destination: 192.168.2.0
– Netmask: 255.255.255.0
– Type: Net
– Metric: 0
– Gateway: 1.1.1.1 (end point tunnel)
– State: Up

What did I forget?
Thanks for help.
Best regards.
December 12, 2015 at 8:47 pm #53962
ochambelant (Member)

Hey,
As you can see, 0 bytes are used for NAT :s

Chain PREROUTING (policy ACCEPT 11491 packets, 1209K bytes)
 pkts bytes target  prot opt in     out    source         destination
    0     0 DNAT    all  --  VPN00  *      0.0.0.0/0      172.20.0.254   to:192.168.0.254
   19   988 Proxy   tcp  --  *      *      0.0.0.0/0      0.0.0.0/0      tcp dpt:80

Chain POSTROUTING (policy ACCEPT 8028 packets, 1158K bytes)
 pkts bytes target  prot opt in     out    source         destination
    0     0 SNAT    all  --  *      VPN00  192.168.0.254  0.0.0.0/0      to:172.20.0.254
 8177 1169K SNATVS  all  --  *      *      0.0.0.0/0      0.0.0.0/0

Chain SNATVS (1 references)
 pkts bytes target  prot opt in     out    source         destination

Why?
Thanks for help
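The counter listing above is the first diagnostic to read when a NAT setup "does nothing": a translation rule with 0 packets is installed but never reached. As an added example (not code from the thread or from the router's NAT script), here is a small Python parser for `iptables -t nat -nvL` output that reads the per-rule counters, including the 1000-based K/M/G suffixes iptables prints, and reports the NAT rules that have never matched. The sample listing is constructed from the counters posted above.

```python
"""Parse `iptables -t nat -nvL` output and flag NAT rules that never matched.

Added example; not code from the thread or from the router. The sample
listing below is constructed from the counters posted in the thread (the
opt column is `--` on a real router; the forum rendered it as a dash).
"""
import re

# Counters print with 1000-based suffixes once they exceed 5 digits (1169K = 1169000).
_SUFFIX = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}
NAT_TARGETS = {"SNAT", "DNAT", "NETMAP", "MASQUERADE"}

SAMPLE_LISTING = """\
Chain PREROUTING (policy ACCEPT 11491 packets, 1209K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       all  --  VPN00  *       0.0.0.0/0            172.20.0.254         to:192.168.0.254
   19   988 Proxy      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Chain POSTROUTING (policy ACCEPT 8028 packets, 1158K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  *      VPN00   192.168.0.254        0.0.0.0/0            to:172.20.0.254
 8177 1169K SNATVS     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain SNATVS (1 references)
 pkts bytes target     prot opt in     out     source               destination
"""


def parse_counter(token: str) -> int:
    """Turn '988', '1169K' or '12M' into an integer packet/byte count."""
    m = re.fullmatch(r"(\d+)([KMG]?)", token)
    if not m:
        raise ValueError(f"not an iptables counter: {token!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2)]


def parse_nat_listing(text: str) -> list:
    """Return one dict per rule line, tagged with the chain it belongs to.

    Column order is fixed by iptables: pkts bytes target prot opt in out source
    destination, followed by free-form match/target options (e.g. 'to:1.2.3.4').
    """
    rules, chain = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        if line.startswith("pkts "):          # column header row
            continue
        fields = line.split(None, 9)
        if len(fields) < 9 or chain is None:
            raise ValueError(f"unexpected rule line: {raw!r}")
        rules.append({
            "chain": chain,
            "pkts": parse_counter(fields[0]),
            "bytes": parse_counter(fields[1]),
            "target": fields[2],
            "proto": fields[3],
            "in": fields[5],
            "out": fields[6],
            "src": fields[7],
            "dst": fields[8],
            "extra": fields[9] if len(fields) > 9 else "",
        })
    return rules


def unmatched_nat_rules(rules: list) -> list:
    """NAT rules with a zero packet counter: present in the table but never hit.

    A zero counter on a translation rule means the packets take another path
    (wrong interface match, wrong route) before they ever reach the rule.
    """
    return [r for r in rules if r["target"] in NAT_TARGETS and r["pkts"] == 0]


if __name__ == "__main__":
    for r in unmatched_nat_rules(parse_nat_listing(SAMPLE_LISTING)):
        print(f"{r['chain']}: {r['target']} {r['src']} -> {r['dst']} {r['extra']} (0 packets)")
```

Run against the listing above it reports the DNAT rule in PREROUTING and the SNAT rule in POSTROUTING, both with zero packets, while the router's own SNATVS chain carries all the traffic.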
December 13, 2015 at 9:14 am #53963
redfive (Participant)

What goal exactly would you achieve? Since you already have two different networks, and L3 transparency, you should be already ok …
Based on

> So I created Virtual Server on LAN A:
> – Input Interface: VPN00
> – IP Address: 172.20.0.254
> – Protocol: TCP/UDP
> – Local Port: 22,443,161-162
> – Real Servers: 192.168.0.254:22,443,161-162

seems you expect packets with dest. IP address 172.20.0.254, but just below

> Router configuration on LAN A:
> – Destination: 172.20.0.0
> – Netmask: 255.255.255.0
> – Type: Net
> – Metric: 0
> – Gateway: 1.1.1.2 (end point tunnel)
> – State: Up

you are telling that the same network is reachable via the VPN tunnel …
I think that it is possible to do something, knowing what your goal is …..
Regards

December 13, 2015 at 2:00 pm #53964
ochambelant (Member)

Hey,
Thanks for your reply.
I want to connect to remote LANs which have the same IP address, 192.168.0.0, through VPN.
So I have to NAT each remote LAN with the following address:
1 – 192.168.0.0 --> 172.20.0.0
2 – 192.168.0.0 --> 172.21.0.0
3 – …

Am I clear?
Best regards.
December 13, 2015 at 2:34 pm #53965
redfive (Participant)

Now yes!
Try as follows … firstly, remove all virtual server rules, as well as the static routes regarding the remote networks, then add, in Scripts/Cron, NAT and Virtual Servers script, these lines

on siteA
iptables -t nat -I POSTROUTING -o VPN00 -s 192.168.0.0/24 -d 192.168.2.0/24 -j NETMAP --to 192.168.1.0/24
iptables -t nat -I PREROUTING -i VPN00 -s 192.168.1.0/24 -d 192.168.2.0/24 -j NETMAP --to 192.168.0.0/24

on siteB
iptables -t nat -I POSTROUTING -o VPN00 -s 192.168.0.0/24 -d 192.168.1.0/24 -j NETMAP --to 192.168.2.0/24
iptables -t nat -I PREROUTING -i VPN00 -s 192.168.2.0/24 -d 192.168.1.0/24 -j NETMAP --to 192.168.0.0/24

Enable the script, save, look if the rules are applied (in case, reboot)
iptables -t nat -nvL

Then static routes, on siteA
192.168.2.0 255.255.255.0 via 1.1.1.2
on siteB
192.168.1.0 255.255.255.0 via 1.1.1.1

The commands above will translate the whole network portion of the IP address, leaving the host portion intact, so, e.g. for reaching a server located in siteB at 192.168.0.10, from siteA you will type 192.168.2.10…..
It should* work …. (or, at least I believe … :lol:)
Regards

December 14, 2015 at 8:22 am #53966
ochambelant (Member)

Hello Buddy,
Thanks for your help.
I have a few questions.
What's the 192.168.1.0 address?
My LAN A (192.168.2.0) wants to reach 192.168.0.0 (LAN B) through 172.20.0.0, which is the NAT address.
My LAN B (192.168.0.0) wants to reach 192.168.2.0 (LAN A) through 172.31.255.0, which is the NAT address.
I do not understand what 192.168.1.0 is.
Best regards
December 14, 2015 at 11:32 am #53967
redfive (Participant)

Later I'll post the changes to the rules, but …. sorry for the maybe stupid question.. why can't you reach the remote networks directly via a couple of simple static routes (since they are different networks..) and you want to use NAT instead?
Regards

December 14, 2015 at 12:31 pm #53968
redfive (Participant)

Case 1
> I want to connect to remote LANs which have the same IP address, 192.168.0.0, through VPN.
> So I have to NAT each remote LAN with the following address:
> 1 – 192.168.0.0 --> 172.20.0.0
> 2 – 192.168.0.0 --> 172.21.0.0

SiteA
iptables -t nat -I POSTROUTING -o VPN00 -s 192.168.0.0/24 -d 172.21.0.0/24 -j NETMAP --to 172.20.0.0
iptables -t nat -I PREROUTING -i VPN00 -s 172.21.0.0/24/24 -d 172.20.0.0/24 -j NETMAP --to 192.168.0.0/24
ip route 172.21.0.0 255.255.255.0 via 1.1.1.2

SiteB
iptables -t nat -I POSTROUTING -o VPN00 -s 192.168.0.0/24 -d 172.20.0.0/24 -j NETMAP --to 172.21.0.0
iptables -t nat -I PREROUTING -i VPN00 -s 172.20.0.0/24/24 -d 172.21.0.0/24 -j NETMAP --to 192.168.0.0/24
ip route 172.20.0.0 255.255.255.0 via 1.1.1.1

Case 2
> My LAN A (192.168.2.0) wants to reach 192.168.0.0 (LAN B) through 172.20.0.0, which is the NAT address.
> My LAN B (192.168.0.0) wants to reach 192.168.2.0 (LAN A) through 172.31.255.0, which is the NAT address.

SiteA
iptables -t nat -I POSTROUTING -o VPN00 -s 192.168.2.0/24 -d 172.31.255.0/24 -j NETMAP --to 172.20.0.0
iptables -t nat -I PREROUTING -i VPN00 -s 172.31.255.0/24/24 -d 172.20.0.0/24 -j NETMAP --to 192.168.2.0/24
ip route 172.31.255.0 255.255.255.0 via 1.1.1.2

SiteB
iptables -t nat -I POSTROUTING -o VPN00 -s 192.168.0.0/24 -d 172.20.0.0/24 -j NETMAP --to 172.31.255.0
iptables -t nat -I PREROUTING -i VPN00 -s 172.20.0.0/24/24 -d 172.31.255.0/24 -j NETMAP --to 192.168.0.0/24
ip route 172.20.0.0 255.255.255.0 via 1.1.1.1

Could it be??
December 14, 2015 at 1:59 pm #53969
ochambelant (Member)

Hey,
I have an error:
iptables v1.4.13: host/network `172.31.255.0/24' not found
Try `iptables -h' or 'iptables --help' for more information.
[NAT and Virtual Servers]: ERROR (2)
:s
December 14, 2015 at 2:22 pm #53970
redfive (Participant)

Mmm … seems that I did a typo, from copy and paste…. the netmask is double

> SiteA
> iptables -t nat -I POSTROUTING -o VPN00 -s 192.168.2.0/24 -d 172.31.255.0/24 -j NETMAP --to 172.20.0.0
> iptables -t nat -I PREROUTING -i VPN00 -s 172.31.255.0/24/24 -d 172.20.0.0/24 -j NETMAP --to 192.168.2.0/24
> SiteB
> iptables -t nat -I POSTROUTING -o VPN00 -s 192.168.0.0/24 -d 172.20.0.0/24 -j NETMAP --to 172.31.255.0
> iptables -t nat -I PREROUTING -i VPN00 -s 172.20.0.0/24/24 -d 172.31.255.0/24 -j NETMAP --to 192.168.0.0/24

SiteA
iptables -t nat -I POSTROUTING -o VPN00 -s 192.168.2.0/24 -d 172.31.255.0/24 -j NETMAP --to 172.20.0.0
iptables -t nat -I PREROUTING -i VPN00 -s 172.31.255.0/24 -d 172.20.0.0/24 -j NETMAP --to 192.168.2.0/24

SiteB
iptables -t nat -I POSTROUTING -o VPN00 -s 192.168.0.0/24 -d 172.20.0.0/24 -j NETMAP --to 172.31.255.0
iptables -t nat -I PREROUTING -i VPN00 -s 172.20.0.0/24 -d 172.31.255.0/24 -j NETMAP --to 192.168.0.0/24

December 14, 2015 at 7:24 pm #53971
ochambelant (Member)

Hello buddy,
It's still not working.
On my LAN B (192.168.0.0), when I try to reach 172.31.255.48 (the real address is 192.168.2.48 on LAN A) it goes to the Internet and not to VPN00:
WARNING: the host 172.31.255.48 is not directly connected on the ETH00 LAN but is reachable via
the gateway 78.221.182.254: ARP is a Layer 2 Protocol and it cannot be routed by routers!

> iptables -t nat -I POSTROUTING -o VPN00 -s 192.168.0.0/24 -d 172.20.0.0/24 -j NETMAP --to 172.31.255.0
> iptables -t nat -I PREROUTING -i VPN00 -s 172.20.0.0/24/24 -d 172.31.255.0/24 -j NETMAP --to 192.168.0.0/24
> ip route 172.20.0.0 255.255.255.0 via 1.1.1.1

But 172.20.0.0 is the NAT address from LAN A to reach 192.168.0.0 (LAN B).
– My LAN A (192.168.2.0) has to reach LAN B (192.168.0.0) through 172.20.0.0, which is the NAT address.
– My LAN B (192.168.0.0) has to reach LAN A (192.168.2.0) through 172.31.255.0, which is the NAT address.
Thanks again for your help!!!!
December 14, 2015 at 8:06 pm #53972
redfive (Participant)

If you want to reach, from the Lan B (192.168.0.0), the 'real' server located in Lan A at 192.168.2.48, you should search for it at 172.20.0.48 …. Or, at least as the rules are now written, the LanA should reach the Lan B presenting itself as the network 172.20.0.0/24, while the Lan B is, for the Lan-A, the 172.31.255.0/24 network ….
You can modify the prerouting/postrouting rules and the static routes if you want the LanA to 'present' itself as 172.31.255.0/24 to the Lan B, and the Lan B to 'present' itself as 172.20.0.0/24 to the Lan A ……
But wouldn't it be simpler without any NAT rule?? Or do you have the same networks on both ends?
Regards

December 14, 2015 at 8:50 pm #53973
redfive (Participant)

Found an error… my fault ….
Do you remember the previous 'double' netmask? Because the one which was doubled before is missing in the last rules …
And, since we are here, these should be the correct rules that you need, with the NAT as you wish (lan-A 192.168.2.0 >> 172.31.255.0 and lanB 192.168.0.0 >> 172.20.0.0)

Lan-A
iptables -t nat -I POSTROUTING -o VPN00 -s 192.168.2.0/24 -d 172.20.0.0/24 -j NETMAP --to 172.31.255.0/24
iptables -t nat -I PREROUTING -i VPN00 -s 172.20.0.0/24 -d 172.31.255.0/24 -j NETMAP --to 192.168.2.0/24
ip route 172.20.0.0 255.255.255.0 via 1.1.1.2

Lan-B
iptables -t nat -I POSTROUTING -o VPN00 -s 192.168.0.0/24 -d 172.31.255.0/24 -j NETMAP --to 172.20.0.0/24
iptables -t nat -I PREROUTING -i VPN00 -s 172.31.255.0/24 -d 172.20.0.0/24 -j NETMAP --to 192.168.0.0/24
ip route 172.31.255.0 255.255.255.0 via 1.1.1.1

Assuming that 1.1.1.1 is the vpn-tunnel inner address of Lan-A, and 1.1.1.2 is the vpn-tunnel inner address of Lan-B …. correct the rules in the Scripts and the static routes, reboot and try… once again
Regards

December 14, 2015 at 9:03 pm #53974
ochambelant (Member)

Man…. you're GOD!!!
Thanks a lot dude!!!!
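A rule pair like redfive's final one can be checked on paper before touching the routers: trace a packet through the sender's route lookup and POSTROUTING, then the receiver's PREROUTING, and do the same for the reply. The Python model below is an added example (not code from the thread, from redfive, or from the router's NAT script). It encodes both sites' NETMAP rules and static routes, assumes a /24 on every --to (the "Case 2" post wrote --to without a mask), ignores conntrack, and uses the host addresses 192.168.2.48 and 192.168.0.10 from the thread. It also replays the earlier Case 2 rules, which reproduces why a packet for 172.31.255.48 left LAN B via the default route, while 172.20.0.48 would have reached 192.168.2.48, as explained above.

```python
"""Stateless model of the two-site NETMAP rules discussed in this thread.

Added example; not code from the thread, from redfive, or from the router's
NAT script. Each site is an ordered nat rule list plus a routing table. A
packet goes through the sender's route lookup and POSTROUTING, then the
receiver's PREROUTING; the reply is traced the same way. The /24 on every
--to is assumed here. Conntrack is ignored: for a symmetric rule pair the
stateless reply mapping equals what conntrack would undo, which is exactly
the property this model checks.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

DEFAULT_ROUTE = "ETH00 (default route, Internet)"


@dataclass(frozen=True)
class NetmapRule:
    chain: str        # "POSTROUTING" (-o VPN00) or "PREROUTING" (-i VPN00)
    src: IPv4Network  # -s
    dst: IPv4Network  # -d
    to: IPv4Network   # --to


@dataclass
class Site:
    name: str
    rules: list    # NetmapRule, first match wins as in iptables
    routes: dict   # IPv4Network -> egress interface; anything else takes DEFAULT_ROUTE

    def egress(self, dst: IPv4Address) -> str:
        hits = [n for n in self.routes if dst in n]
        return self.routes[max(hits, key=lambda n: n.prefixlen)] if hits else DEFAULT_ROUTE


def rule(chain, src, dst, to):
    return NetmapRule(chain, IPv4Network(src), IPv4Network(dst), IPv4Network(to))


def netmap(addr: IPv4Address, to: IPv4Network) -> IPv4Address:
    """NETMAP: replace the network bits with those of `to`, keep the host bits."""
    return IPv4Address(int(to.network_address) | (int(addr) & int(to.hostmask)))


def run_chain(site: Site, chain: str, src: IPv4Address, dst: IPv4Address):
    for r in site.rules:
        if r.chain == chain and src in r.src and dst in r.dst:
            if chain == "POSTROUTING":      # source rewritten on the way out
                return netmap(src, r.to), dst
            return src, netmap(dst, r.to)   # destination rewritten on the way in
    return src, dst                         # no rule matched: packet unchanged


def send(sender: Site, receiver: Site, src: str, dst: str):
    """(egress interface, src, dst) as the receiver's LAN sees the packet;
    src/dst are None when the sender's routing table never puts it on VPN00."""
    s, d = IPv4Address(src), IPv4Address(dst)
    iface = sender.egress(d)
    if iface != "VPN00":
        return iface, None, None
    s, d = run_chain(sender, "POSTROUTING", s, d)
    s, d = run_chain(receiver, "PREROUTING", s, d)
    return iface, str(s), str(d)


def round_trip(sender: Site, receiver: Site, src: str, dst: str) -> bool:
    """True when the reply to the translated packet lands back on the original
    sender with the original (src, dst) swapped, i.e. both rule sets agree."""
    _, s_seen, d_seen = send(sender, receiver, src, dst)
    if s_seen is None:
        return False
    _, rs, rd = send(receiver, sender, d_seen, s_seen)
    return (rs, rd) == (dst, src)


# redfive's final rules: Lan-A 192.168.2.0 appears as 172.31.255.0, Lan-B 192.168.0.0 as 172.20.0.0
FINAL_A = Site("Lan-A", [
    rule("POSTROUTING", "192.168.2.0/24", "172.20.0.0/24", "172.31.255.0/24"),
    rule("PREROUTING", "172.20.0.0/24", "172.31.255.0/24", "192.168.2.0/24"),
], {IPv4Network("172.20.0.0/24"): "VPN00"})
FINAL_B = Site("Lan-B", [
    rule("POSTROUTING", "192.168.0.0/24", "172.31.255.0/24", "172.20.0.0/24"),
    rule("PREROUTING", "172.31.255.0/24", "172.20.0.0/24", "192.168.0.0/24"),
], {IPv4Network("172.31.255.0/24"): "VPN00"})

# the earlier "Case 2" rules (double netmask removed, /24 assumed on --to):
# the roles are swapped, Lan-A presents itself as 172.20.0.0 and Lan-B as 172.31.255.0
CASE2_A = Site("SiteA", [
    rule("POSTROUTING", "192.168.2.0/24", "172.31.255.0/24", "172.20.0.0/24"),
    rule("PREROUTING", "172.31.255.0/24", "172.20.0.0/24", "192.168.2.0/24"),
], {IPv4Network("172.31.255.0/24"): "VPN00"})
CASE2_B = Site("SiteB", [
    rule("POSTROUTING", "192.168.0.0/24", "172.20.0.0/24", "172.31.255.0/24"),
    rule("PREROUTING", "172.20.0.0/24", "172.31.255.0/24", "192.168.0.0/24"),
], {IPv4Network("172.20.0.0/24"): "VPN00"})


if __name__ == "__main__":
    print("final, A->B:", send(FINAL_A, FINAL_B, "192.168.2.48", "172.20.0.10"))
    print("final, round trip ok:", round_trip(FINAL_A, FINAL_B, "192.168.2.48", "172.20.0.10"))
    print("case 2, B dials 172.31.255.48:", send(CASE2_B, CASE2_A, "192.168.0.10", "172.31.255.48"))
    print("case 2, B dials 172.20.0.48:", send(CASE2_B, CASE2_A, "192.168.0.10", "172.20.0.48"))
```

With the final rules, LAN A host 192.168.2.48 dialling 172.20.0.10 arrives on LAN B as 172.31.255.48 -> 192.168.0.10 and the reply comes back as 172.20.0.10 -> 192.168.2.48, so both directions agree. With the Case 2 rules and routes, 172.31.255.48 never matches a route at site B and goes out the default interface, which is the behaviour the WARNING in the post above describes; the Case 2 pair is itself consistent, only with the two NAT networks the other way round.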
June 18, 2016 at 8:35 pm #53975
aitistu (Member)

hi
i have a similar setup, maybe redfive can help me (many thanks in advance)

box A has 4 3g modems ppp0… ppp3, vpn0….vpn3 bonded in bond00 10.99.99.2, eth00 192.168.0.75
box B has vpn0…vpn3 bonded in bond00 10.99.99.1, eth00 192.168.0.99
box B has internet from a dlink 804hv, forwarded vlans
can ping between boxes; with static routes can ping between the 192.168 lans
can ping google.com (does resolve) and any internet ip from box B
can ping any internet ip from box A but google.com or any other domain doesn't resolve
no internet connectivity on box A lan
the idea is to get more speedy mobile internet. i have a fat pipe at home with dynamic ip address
tried the NETMAP rules with no success, before it was working the same with nat (with nat i had some poor connectivity but intermittently)
thanks again
regards
cris