[RESOLVED] NAT through VPN does not work


This topic contains 15 replies and was last updated by ochambelant 3 years, 5 months ago.

Viewing 15 posts - 1 through 15 (of 17 total)
  • #44459

    ochambelant
    Member

    Hello,

    I have a problem when I try to NAT.

    LAN A:
    192.168.2.0 /24

    LAN B:
    192.168.0.0 /24

    Both LANs are connected with an OpenVPN LAN-to-LAN tunnel. Without NAT, each side can reach the other.

    I want to NAT, for LAN A, 192.168.0.0 /24 to 172.20.0.0 /24 in order to join LAN B.

    So I created Virtual Server on LAN A:
    – Input Interface: VPN00
    – IP Address: 172.20.0.254
    – Protocol: TCP/UDP
    – Local Port: 22,443,161-162
    – Real Servers: 192.168.0.254:22,443,161-162.

    Router configuration on LAN A:
    – Destination: 172.20.0.0
    – Netmask: 255.255.255.0
    – Type: Net
    – Metric: 0
    – Gateway: 1.1.1.2 (end point tunnel)
    – State: Up

    Router configuration on LAN B:
    – Destination: 192.168.2.0
    – Netmask: 255.255.255.0
    – Type: Net
    – Metric: 0
    – Gateway: 1.1.1.1 (end point tunnel)
    – State: Up

    What did I forget?

    Thanks for help.

    Best regards.

    #53962

    ochambelant
    Member

    Hey,

    As you can see, 0 bytes are matched by the NAT rules :s

    Chain PREROUTING (policy ACCEPT 11491 packets, 1209K bytes)
     pkts bytes target  prot opt in    out   source         destination
        0     0 DNAT    all  --  VPN00 *     0.0.0.0/0      172.20.0.254   to:192.168.0.254
       19   988 Proxy   tcp  --  *     *     0.0.0.0/0      0.0.0.0/0      tcp dpt:80

    Chain POSTROUTING (policy ACCEPT 8028 packets, 1158K bytes)
     pkts bytes target  prot opt in    out   source         destination
        0     0 SNAT    all  --  *     VPN00 192.168.0.254  0.0.0.0/0      to:172.20.0.254
     8177 1169K SNATVS  all  --  *     *     0.0.0.0/0      0.0.0.0/0

    Chain SNATVS (1 references)
     pkts bytes target  prot opt in    out   source         destination

    Why ?

    Thanks for help 🙂

    #53963

    redfive
    Participant

    What goal exactly do you want to achieve? Since you already have two different networks and L3 transparency, you should already be OK...
    Based on

    So I created Virtual Server on LAN A:
    – Input Interface: VPN00
    – IP Address: 172.20.0.254
    – Protocol: TCP/UDP
    – Local Port: 22,443,161-162
    – Real Servers: 192.168.0.254:22,443,161-162.

    it seems you expect packets with destination IP address 172.20.0.254, but just below

    Router configuration on LAN A:
    – Destination: 172.20.0.0
    – Netmask: 255.255.255.0
    – Type: Net
    – Metric: 0
    – Gateway: 1.1.1.2 (end point tunnel)
    – State: Up

    you are saying that the same network is reachable via the VPN tunnel...
    I think it is possible to do something, once I know what your goal is..... 😉
    Regards

    #53964

    ochambelant
    Member

    Hey,

    Thanks for your reply.

    I want to connect to remote LANs which have the same IP address range, 192.168.0.0, through the VPN.

    So I have to NAT each remote LAN to the following addresses:
    1 – 192.168.0.0 –> 172.20.0.0
    2 – 192.168.0.0 –> 172.21.0.0
    3 – …

    Am I clear? 😀

    Best regards. 😛

    #53965

    redfive
    Participant

    Now yes!
    Try as follows... first, remove all Virtual Server rules, as well as the static routes regarding the remote networks, then add, in Scripts/Cron, NAT and Virtual Servers script, these lines
    on siteA

    iptables -t nat -I POSTROUTING -o VPN00 -s 192.168.0.0/24 -d 192.168.2.0/24 -j NETMAP --to 192.168.1.0/24
    iptables -t nat -I PREROUTING -i VPN00 -s 192.168.1.0/24 -d 192.168.2.0/24 -j NETMAP --to 192.168.0.0/24

    on siteB

    iptables -t nat -I POSTROUTING -o VPN00 -s 192.168.0.0/24 -d 192.168.1.0/24 -j NETMAP --to 192.168.2.0/24
    iptables -t nat -I PREROUTING -i VPN00 -s 192.168.2.0/24 -d 192.168.1.0/24 -j NETMAP --to 192.168.0.0/24

    Enable the script, save, and check whether the rules are applied (if necessary, reboot)

    iptables -t nat -nvL

    Then the static routes, on siteA

    192.168.2.0 255.255.255.0 via 1.1.1.2

    on siteB

    192.168.1.0 255.255.255.0 via 1.1.1.1

    The commands above will translate the whole network portion of the IP address, leaving the host portion intact, so, e.g., to reach a server located in siteB at 192.168.0.10, from siteA you will type 192.168.2.10.....
    It should* work.... (or, at least I believe... :lol:)
    Regards

    #53966

    ochambelant
    Member

    Hello Buddy,

    Thanks for your help.

    I have few questions.

    What is the 192.168.1.0 address?

    My LAN A (192.168.2.0) wants to reach 192.168.0.0 (LAN B) through 172.20.0.0, which is the NAT address.

    My LAN B (192.168.0.0) wants to reach 192.168.2.0 (LAN A) through 172.31.255.0, which is the NAT address.

    I do not understand what 192.168.1.0 is.

    Best regards 🙂

    #53967

    redfive
    Participant

    Later I'll post the changes to the rules, but.... sorry for the maybe stupid question.. why can't you reach the remote networks directly via a couple of simple static routes (since they are different networks..), and want to use NAT instead?
    Regards

    #53968

    redfive
    Participant

    Case 1

    I want to connect to remote LAN which have same IP address: 192.168.0.0 through VPN.

    So I have to NAT each remote LAN with following address:
    1 – 192.168.0.0 –> 172.20.0.0
    2 – 192.168.0.0 –> 172.21.0.0

    SiteA

    iptables -t nat -I POSTROUTING -o VPN00 -s 192.168.0.0/24 -d 172.21.0.0/24 -j NETMAP --to 172.20.0.0
    iptables -t nat -I PREROUTING -i VPN00 -s 172.21.0.0/24/24 -d 172.20.0.0/24 -j NETMAP --to 192.168.0.0/24
    ip route 172.21.0.0 255.255.255.0 via 1.1.1.2

    SiteB

    iptables -t nat -I POSTROUTING -o VPN00 -s 192.168.0.0/24 -d 172.20.0.0/24 -j NETMAP --to 172.21.0.0
    iptables -t nat -I PREROUTING -i VPN00 -s 172.20.0.0/24/24 -d 172.21.0.0/24 -j NETMAP --to 192.168.0.0/24
    ip route 172.20.0.0 255.255.255.0 via 1.1.1.1

    Case 2

    My LAN A (192.168.2.0) want to reach 192.168.0.0 (LAN B) through 172.20.0.0 which is NAT address.
    My LAN B (192.168.0.0) want to reach 192.168.2.0 (LAN A) through 172.31.255.0 which is NAT address.

    SiteA

    iptables -t nat -I POSTROUTING -o VPN00 -s 192.168.2.0/24 -d 172.31.255.0/24 -j NETMAP --to 172.20.0.0
    iptables -t nat -I PREROUTING -i VPN00 -s 172.31.255.0/24/24 -d 172.20.0.0/24 -j NETMAP --to 192.168.2.0/24
    ip route 172.31.255.0 255.255.255.0 via 1.1.1.2

    SiteB

    iptables -t nat -I POSTROUTING -o VPN00 -s 192.168.0.0/24 -d 172.20.0.0/24 -j NETMAP --to 172.31.255.0
    iptables -t nat -I PREROUTING -i VPN00 -s 172.20.0.0/24/24 -d 172.31.255.0/24 -j NETMAP --to 192.168.0.0/24
    ip route 172.20.0.0 255.255.255.0 via 1.1.1.1

    Could it be??

    #53969

    ochambelant
    Member

    Hey,

    I have an error:

    iptables v1.4.13: host/network `172.31.255.0/24' not found
    Try `iptables -h' or 'iptables --help' for more information.

    [NAT and Virtual Servers]: ERROR (2)

    :s

    #53970

    redfive
    Participant

    Mmm... it seems I made a typo from copy and paste.... the netmask is doubled
    SiteA

    iptables -t nat -I POSTROUTING -o VPN00 -s 192.168.2.0/24 -d 172.31.255.0/24 -j NETMAP --to 172.20.0.0
    iptables -t nat -I PREROUTING -i VPN00 -s 172.31.255.0/24/24 -d 172.20.0.0/24 -j NETMAP --to 192.168.2.0/24

    SiteB

    iptables -t nat -I POSTROUTING -o VPN00 -s 192.168.0.0/24 -d 172.20.0.0/24 -j NETMAP --to 172.31.255.0
    iptables -t nat -I PREROUTING -i VPN00 -s 172.20.0.0/24/24 -d 172.31.255.0/24 -j NETMAP --to 192.168.0.0/24

    SiteA

    iptables -t nat -I POSTROUTING -o VPN00 -s 192.168.2.0/24 -d 172.31.255.0/24 -j NETMAP --to 172.20.0.0
    iptables -t nat -I PREROUTING -i VPN00 -s 172.31.255.0/24 -d 172.20.0.0/24 -j NETMAP --to 192.168.2.0/24

    SiteB

    iptables -t nat -I POSTROUTING -o VPN00 -s 192.168.0.0/24 -d 172.20.0.0/24 -j NETMAP --to 172.31.255.0
    iptables -t nat -I PREROUTING -i VPN00 -s 172.20.0.0/24 -d 172.31.255.0/24 -j NETMAP --to 192.168.0.0/24

    #53971

    ochambelant
    Member

    Hello buddy,

    It’s still not working.

    On my LAN B (192.168.0.0), when I try to reach 172.31.255.48 (the real address is 192.168.2.48 on LAN A), it goes to the Internet and not to VPN00:

    WARNING: the host 172.31.255.48 is not directly connected on the ETH00 LAN but is reachable via
    the gateway 78.221.182.254: ARP is a Layer 2 Protocol and it cannot be routed by routers!

    iptables -t nat -I POSTROUTING -o VPN00 -s 192.168.0.0/24 -d 172.20.0.0/24 -j NETMAP --to 172.31.255.0
    iptables -t nat -I PREROUTING -i VPN00 -s 172.20.0.0/24/24 -d 172.31.255.0/24 -j NETMAP --to 192.168.0.0/24

    ip route 172.20.0.0 255.255.255.0 via 1.1.1.1

    But 172.20.0.0 is the NAT address from LAN A to reach 192.168.0.0 (LAN B).

    – My LAN A (192.168.2.0) has to reach LAN B (192.168.0.0) through 172.20.0.0, which is the NAT address.

    – My LAN B (192.168.0.0) has to reach LAN A (192.168.2.0) through 172.31.255.0, which is the NAT address.

    Thanks again for your help !!!!

    #53972

    redfive
    Participant

    If you want to reach, from LAN B (192.168.0.0), the 'real' server located in LAN A at 192.168.2.48, you should look for it at 172.20.0.48.... Or, at least as the rules are written now, LAN A reaches LAN B presenting itself as the network 172.20.0.0/24, while LAN B is, for LAN A, the 172.31.255.0/24 network....
    You can modify the prerouting/postrouting rules and the static routes if you want that the LanA ‘present’ itself as 172.31.255.0/24 to the Lan B, and the Lan B ‘present’ itself as 172.20.0.0/24 to the Lan A ……
    But wouldn't it be simpler without any NAT rule?? Or do you have the same networks on both ends?
    Regards

    #53973

    redfive
    Participant

    Found an error... my fault.... 🙄
    Do you remember the previous 'double' netmask? The one which was doubled before is now missing in the last rules...
    And, since we are here, these should be the correct rules that you need, with the NAT as you wish (LAN-A 192.168.2.0 >> 172.31.255.0 and LAN-B 192.168.0.0 >> 172.20.0.0)
    Lan-A

    iptables -t nat -I POSTROUTING -o VPN00 -s 192.168.2.0/24 -d 172.20.0.0/24  -j NETMAP --to 172.31.255.0/24
    iptables -t nat -I PREROUTING -i VPN00 -s 172.20.0.0/24 -d 172.31.255.0/24 -j NETMAP --to 192.168.2.0/24
    ip route 172.20.0.0 255.255.255.0 via 1.1.1.2

    Lan-B

    iptables -t nat -I POSTROUTING -o VPN00 -s 192.168.0.0/24 -d 172.31.255.0/24 -j NETMAP --to 172.20.0.0/24
    iptables -t nat -I PREROUTING -i VPN00 -s 172.31.255.0/24 -d 172.20.0.0/24 -j NETMAP --to 192.168.0.0/24
    ip route 172.31.255.0 255.255.255.0 via 1.1.1.1

    Assuming that 1.1.1.1 is the vpn-tunnel inner address of Lan-A, and 1.1.1.2 is the vpn-tunnel inner address of Lan-B …. correct the rules in the Scripts and the static routes, reboot and try… once again
    Regards
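
The NETMAP procedure redfive lays out in #53965, #53968 and #53973, together with the counter check from #53962, as an added shell example (not code from the thread or from the router's own NAT and Virtual Servers script). It assumes the topology of the final working post: LAN-A 192.168.2.0/24 presented to LAN-B as 172.31.255.0/24, LAN-B 192.168.0.0/24 presented to LAN-A as 172.20.0.0/24, and a tunnel interface named VPN00 on both routers; the counter listing embedded as sample input is reconstructed from ochambelant's `iptables -t nat -nvL` paste. The script models what NETMAP does to an address (network bits swapped, host bits kept), emits the rule pair each router needs, rejects the two `--to` mistakes that appeared in the thread, and flags NAT rules whose packet counters never move.

```sh
#!/bin/sh
# Added example, not code from the thread. Assumed topology (from the final post):
#   LAN-A 192.168.2.0/24 is seen by LAN-B as 172.31.255.0/24
#   LAN-B 192.168.0.0/24 is seen by LAN-A as 172.20.0.0/24
#   tunnel interface VPN00 on both routers

ip2int() {                                  # 192.168.2.48 -> 3232236080
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {                                  # 3232236080 -> 192.168.2.48
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

prefix_mask() {                             # 24 -> 4294967040 (255.255.255.0)
    [ "$1" -eq 0 ] && echo 0 || echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# netmap ADDR NEWNET/LEN: replace the network bits with NEWNET's, keep the host
# bits. This is the per-packet rewrite the NETMAP target applies to -s or -d.
netmap() {
    new_net=${2%/*}; mask=$(prefix_mask "${2#*/}")
    host=$(( $(ip2int "$1") & ~mask & 4294967295 ))
    int2ip $(( ($(ip2int "$new_net") & mask) | host ))
}

# netmap_rules IFACE REAL_LAN MY_ALIAS PEER_ALIAS: the pair each router needs.
# Outbound: our real source becomes our alias, only for traffic to the peer alias.
# Inbound:  our alias becomes the real LAN again, only for traffic from the peer alias.
netmap_rules() {
    printf 'iptables -t nat -I POSTROUTING -o %s -s %s -d %s -j NETMAP --to %s\n' "$1" "$2" "$4" "$3"
    printf 'iptables -t nat -I PREROUTING -i %s -s %s -d %s -j NETMAP --to %s\n' "$1" "$4" "$3" "$2"
}

# valid_cidr ARG: exactly one a.b.c.d/len. Catches both mistakes from the thread:
# "x/24/24" (iptables rejects it) and a bare "172.20.0.0" (taken as /32, so the
# whole LAN would be squashed onto a single address).
valid_cidr() {
    case $1 in
        */*/*) return 1 ;;
        [0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]*) ;;
        *) return 1 ;;
    esac
    len=${1#*/}
    [ "$len" -ge 0 ] && [ "$len" -le 32 ]
}

# idle_nat_rules: read "iptables -t nat -nvL" on stdin and print NAT rules that
# never matched a packet. Zero counters while the tunnel carries traffic means the
# match (interface, source, destination) is wrong, not the target.
idle_nat_rules() {
    awk '/^Chain /{chain=$2}
         $1 ~ /^[0-9]+$/ && $1 == 0 && $3 ~ /NAT|NETMAP/ {print chain ": " $3 " in=" $6 " out=" $7 " " $8 " -> " $9}'
}

# Constructed sample: the OP's counter paste, re-spaced.
SAMPLE_COUNTERS='Chain PREROUTING (policy ACCEPT 11491 packets, 1209K bytes)
 pkts bytes target prot opt in out source destination
    0     0 DNAT   all  --  VPN00 *     0.0.0.0/0     172.20.0.254  to:192.168.0.254
   19   988 Proxy  tcp  --  *     *     0.0.0.0/0     0.0.0.0/0     tcp dpt:80
Chain POSTROUTING (policy ACCEPT 8028 packets, 1158K bytes)
 pkts bytes target prot opt in out source destination
    0     0 SNAT   all  --  *     VPN00 192.168.0.254 0.0.0.0/0     to:172.20.0.254
 8177 1169K SNATVS all  --  *     *     0.0.0.0/0     0.0.0.0/0'

echo "# LAN-A router"; netmap_rules VPN00 192.168.2.0/24 172.31.255.0/24 172.20.0.0/24
echo "# LAN-B router"; netmap_rules VPN00 192.168.0.0/24 172.20.0.0/24 172.31.255.0/24
echo "# LAN-A host 192.168.2.48 is reached from LAN-B as $(netmap 192.168.2.48 172.31.255.0/24)"
for to in 172.31.255.0/24 172.31.255.0/24/24 172.31.255.0; do
    if valid_cidr "$to"; then echo "ok      --to $to"; else echo "reject  --to $to"; fi
done
echo "# NAT rules with zero hits in the posted counters:"
printf '%s\n' "$SAMPLE_COUNTERS" | idle_nat_rules
```

Run it on any POSIX shell without touching the router. Paste the emitted lines into the NAT and Virtual Servers script only once every `--to` argument passes `valid_cidr`, and after a test ping feed the live `iptables -t nat -nvL` output through `idle_nat_rules`: a NETMAP rule that still shows zero packets is not being hit, which points at the interface or address match (or a missing static route for the alias network), not at the translation itself.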

    #53974

    ochambelant
    Member

    Man.... you're GOD!!!

    Thanks a lot dude !!!!

    #53975

    aitistu
    Member

    Hi,
    I have a similar setup, maybe redfive can help me (many thanks in advance).

    Box A has 4 3G modems ppp0... ppp3, vpn0.... vpn3 bonded in bond00 10.99.99.2, eth00 192.168.0.75.

    Box B has vpn0... vpn3 bonded in bond00 10.99.99.1, eth00 192.168.0.99.

    Box B has Internet from a D-Link 804HV, forwarded VLANs.

    I can ping between the boxes, and with static routes I can ping between the 192.168 LANs.

    I can ping google.com (it does resolve) and any Internet IP from box B.

    I can ping any Internet IP from box A, but google.com or any other domain doesn't resolve.

    No Internet connectivity on the box A LAN.

    The idea is to get faster mobile Internet. I have a fat pipe at home
    with a dynamic IP address.

    I tried the NETMAP rules with no success; before, it was working the same with NAT (with NAT I had some poor connectivity, but intermittently).

    Thanks again,
    regards
    cris

