Portforward and how to access via vpn cli adress


ispyisail
Moderator
Posts: 5185
Joined: Mon Apr 06, 2009 3:15 am
Location: New Zealand

Re: Portforward and how to access via vpn cli adress

Post by ispyisail »

Image

ispyisail
Moderator
Posts: 5185
Joined: Mon Apr 06, 2009 3:15 am
Location: New Zealand

Re: Portforward and how to access via vpn cli adress

Post by ispyisail »

you also need to get this part correct

Image

ispyisail
Moderator
Posts: 5185
Joined: Mon Apr 06, 2009 3:15 am
Location: New Zealand

Re: Portforward and how to access via vpn cli adress

Post by ispyisail »

When creating the OpenVPN key file for the R2 router

the IP address will be 192.168.15.0

ispyisail
Moderator
Posts: 5185
Joined: Mon Apr 06, 2009 3:15 am
Location: New Zealand

Re: Portforward and how to access via vpn cli adress

Post by ispyisail »

Make sure you copy other stuff from this post exactly.

viewtopic.php?f=11&t=9260

karljboe
Posts: 18
Joined: Fri May 26, 2017 1:32 pm

Re: Portforward and how to access via vpn cli adress

Post by karljboe »

Image
This is the architecture I have chosen. Gargoyle with OpenVPN is brilliant for this setup; only I can't figure out a way to access the forwarded ports coming from the VPN subnet.

karljboe
Posts: 18
Joined: Fri May 26, 2017 1:32 pm

Re: Portforward and how to access via vpn cli adress

Post by karljboe »

The "route subnet behind client" option is working fine, no problem there. However, I cannot use that since all my clients are identical on the LAN side. That's why I need the NAT function to forward incoming traffic from tun0 the same way as it does from eth1 or wan.

karljboe
Posts: 18
Joined: Fri May 26, 2017 1:32 pm

Re: Portforward and how to access via vpn cli adress

Post by karljboe »

Image
This would be an awesome feature :-)

karljboe
Posts: 18
Joined: Fri May 26, 2017 1:32 pm

Re: Portforward and how to access via vpn cli adress

Post by karljboe »

-A zone_lan_postrouting -m comment --comment "user chain for postrouting" -j postrouting_lan_rule
-A zone_lan_postrouting -s 192.168.250.0/24 -d 192.168.250.2/32 -p tcp -m tcp --dport 9600 -m comment --comment "PLC (reflection)" -j SNAT --to-source 192.168.250.250
-A zone_lan_postrouting -s 192.168.250.0/24 -d 192.168.250.2/32 -p udp -m udp --dport 9600 -m comment --comment "PLC (reflection)" -j SNAT --to-source 192.168.250.250
-A zone_lan_postrouting -s 192.168.250.0/24 -d 192.168.250.1/32 -p udp -m udp --dport 21845 -m comment --comment "HMI_Display (reflection)" -j SNAT --to-source 192.168.250.250
-A zone_lan_postrouting -s 192.168.250.0/24 -d 192.168.250.1/32 -p tcp -m tcp --dport 80 -m comment --comment "HMI_Http (reflection)" -j SNAT --to-source 192.168.250.250
-A zone_lan_postrouting -s 192.168.250.0/24 -d 192.168.250.1/32 -p udp -m udp --dport 80 -m comment --comment "HMI_Http (reflection)" -j SNAT --to-source 192.168.250.250
-A zone_lan_postrouting -s 192.168.250.0/24 -d 192.168.250.127/32 -p tcp -m tcp --dport 22 -m comment --comment "raspberry (reflection)" -j SNAT --to-source 192.168.250.250
-A zone_lan_postrouting -s 192.168.250.0/24 -d 192.168.250.127/32 -p udp -m udp --dport 22 -m comment --comment "raspberry (reflection)" -j SNAT --to-source 192.168.250.250
-A zone_lan_prerouting -m comment --comment "user chain for prerouting" -j prerouting_lan_rule
-A zone_lan_prerouting -s 192.168.250.0/24 -d 192.168.8.105/32 -p tcp -m tcp --dport 9600 -m comment --comment "PLC (reflection)" -j DNAT --to-destination 192.168.250.2:9600
-A zone_lan_prerouting -s 192.168.250.0/24 -d 192.168.8.105/32 -p udp -m udp --dport 9600 -m comment --comment "PLC (reflection)" -j DNAT --to-destination 192.168.250.2:9600
-A zone_lan_prerouting -s 192.168.250.0/24 -d 192.168.8.105/32 -p udp -m udp --dport 21845 -m comment --comment "HMI_Display (reflection)" -j DNAT --to-destination 192.168.250.1
-A zone_lan_prerouting -s 192.168.250.0/24 -d 192.168.8.105/32 -p tcp -m tcp --dport 800 -m comment --comment "HMI_Http (reflection)" -j DNAT --to-destination 192.168.250.1:80
-A zone_lan_prerouting -s 192.168.250.0/24 -d 192.168.8.105/32 -p udp -m udp --dport 800 -m comment --comment "HMI_Http (reflection)" -j DNAT --to-destination 192.168.250.1:80
-A zone_lan_prerouting -s 192.168.250.0/24 -d 192.168.8.105/32 -p tcp -m tcp --dport 3322 -m comment --comment "raspberry (reflection)" -j DNAT --to-destination 192.168.250.127:
-A zone_lan_prerouting -s 192.168.250.0/24 -d 192.168.8.105/32 -p udp -m udp --dport 3322 -m comment --comment "raspberry (reflection)" -j DNAT --to-destination 192.168.250.127:
-A zone_vpn_postrouting -m comment --comment "user chain for postrouting" -j postrouting_vpn_rule
-A zone_vpn_postrouting -j MASQUERADE
-A zone_vpn_prerouting -m comment --comment "user chain for prerouting" -j prerouting_vpn_rule
-A zone_wan_postrouting -m comment --comment "user chain for postrouting" -j postrouting_wan_rule
-A zone_wan_postrouting -j MASQUERADE
-A zone_wan_prerouting -j MINIUPNPD
-A zone_wan_prerouting -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 22
-A zone_wan_prerouting -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 80
-A zone_wan_prerouting -m comment --comment "user chain for prerouting" -j prerouting_wan_rule
-A zone_wan_prerouting -p tcp -m tcp --dport 9600 -m comment --comment PLC -j DNAT --to-destination 192.168.250.2:9600
-A zone_wan_prerouting -p udp -m udp --dport 9600 -m comment --comment PLC -j DNAT --to-destination 192.168.250.2:9600
-A zone_wan_prerouting -p udp -m udp --dport 21845 -m comment --comment HMI_Display -j DNAT --to-destination 192.168.250.1:21845
-A zone_wan_prerouting -p tcp -m tcp --dport 800 -m comment --comment HMI_Http -j DNAT --to-destination 192.168.250.1:80
-A zone_wan_prerouting -p udp -m udp --dport 800 -m comment --comment HMI_Http -j DNAT --to-destination 192.168.250.1:80
-A zone_wan_prerouting -p tcp -m tcp --dport 3322 -m comment --comment raspberry -j DNAT --to-destination 192.168.250.127:22

I'm thinking my solution lies within here. I will read some more about iptables before I do any more tampering.
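
An added example (not code from the thread or from Gargoyle) that audits a NAT dump like the one above: it parses each `-A zone_<zone>_<hook>` line, collects the DNAT port forwards per zone, and reports which forwards exist for the wan zone but have no counterpart in the vpn zone. The sample rules are copied from the post above; the chain naming `zone_<name>_<hook>` and the zone names `lan`, `vpn` and `wan` are assumed from that dump.

```python
"""Audit which firewall zones of an iptables NAT dump carry DNAT port forwards.

Added example for the thread above, not Gargoyle's own code. It assumes the
OpenWrt/Gargoyle chain naming zone_<zone>_<hook> seen in the posted dump.
"""
import shlex
from collections import defaultdict

# Constructed sample: a subset of the nat-table rules posted in the thread.
SAMPLE_RULES = """
-A zone_lan_prerouting -s 192.168.250.0/24 -d 192.168.8.105/32 -p tcp -m tcp --dport 9600 -m comment --comment "PLC (reflection)" -j DNAT --to-destination 192.168.250.2:9600
-A zone_vpn_postrouting -m comment --comment "user chain for postrouting" -j postrouting_vpn_rule
-A zone_vpn_postrouting -j MASQUERADE
-A zone_vpn_prerouting -m comment --comment "user chain for prerouting" -j prerouting_vpn_rule
-A zone_wan_postrouting -j MASQUERADE
-A zone_wan_prerouting -j MINIUPNPD
-A zone_wan_prerouting -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 22
-A zone_wan_prerouting -p tcp -m tcp --dport 9600 -m comment --comment PLC -j DNAT --to-destination 192.168.250.2:9600
-A zone_wan_prerouting -p udp -m udp --dport 9600 -m comment --comment PLC -j DNAT --to-destination 192.168.250.2:9600
-A zone_wan_prerouting -p udp -m udp --dport 21845 -m comment --comment HMI_Display -j DNAT --to-destination 192.168.250.1:21845
-A zone_wan_prerouting -p tcp -m tcp --dport 800 -m comment --comment HMI_Http -j DNAT --to-destination 192.168.250.1:80
-A zone_wan_prerouting -p udp -m udp --dport 800 -m comment --comment HMI_Http -j DNAT --to-destination 192.168.250.1:80
-A zone_wan_prerouting -p tcp -m tcp --dport 3322 -m comment --comment raspberry -j DNAT --to-destination 192.168.250.127:22
"""

# Options that take exactly one argument and that we do not need to keep.
_SKIP_WITH_ARG = {"-m", "--comment", "-s", "-d", "-i", "-o"}


def parse_rule(line):
    """Parse one '-A zone_<zone>_<hook> ...' line into a dict, or return None.

    Lines appending to non-zone chains (e.g. MINIUPNPD) are ignored.
    shlex handles the quoted comment strings such as "PLC (reflection)".
    """
    toks = shlex.split(line)
    if len(toks) < 2 or toks[0] != "-A":
        return None
    parts = toks[1].split("_")
    if len(parts) != 3 or parts[0] != "zone":
        return None
    rule = {"zone": parts[1], "hook": parts[2],
            "proto": None, "dport": None, "target": None, "to": None}
    i = 2
    while i < len(toks):
        tok = toks[i]
        if tok == "-p":
            rule["proto"] = toks[i + 1]; i += 2
        elif tok == "--dport":
            rule["dport"] = toks[i + 1]; i += 2
        elif tok == "-j":
            rule["target"] = toks[i + 1]; i += 2
        elif tok in ("--to-destination", "--to-ports", "--to-source"):
            rule["to"] = toks[i + 1]; i += 2
        elif tok in _SKIP_WITH_ARG:
            i += 2
        else:
            i += 1
    return rule


def dnat_forwards(rules_text):
    """Map zone -> set of (proto, dport, destination) for DNAT rules in its prerouting chain."""
    forwards = defaultdict(set)
    for line in rules_text.splitlines():
        rule = parse_rule(line)
        if rule and rule["hook"] == "prerouting" and rule["target"] == "DNAT":
            forwards[rule["zone"]].add((rule["proto"], rule["dport"], rule["to"]))
    return dict(forwards)


def missing_forwards(rules_text, have="wan", want="vpn"):
    """Forwards present in zone `have` that have no counterpart in zone `want`, sorted."""
    forwards = dnat_forwards(rules_text)
    return sorted(forwards.get(have, set()) - forwards.get(want, set()))


if __name__ == "__main__":
    for proto, dport, dest in missing_forwards(SAMPLE_RULES):
        print(f"{proto}/{dport} -> {dest}: DNAT exists in zone wan, none in zone vpn")
```

Run against a live box with `iptables-save -t nat` piped in instead of the sample and the same function shows at a glance which zone a forward is attached to; in the posted dump, every DNAT hangs off `zone_wan_prerouting` while `zone_vpn_prerouting` only jumps to its empty user chain.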

karljboe
Posts: 18
Joined: Fri May 26, 2017 1:32 pm

Re: Portforward and how to access via vpn cli adress

Post by karljboe »

/etc/config/firewall

config redirect 'redirect_enabled_number_0'
	option name 'raspberry'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '3322'
	option dest_ip '192.168.250.127'
	option dest_port '22'

How about if I change option src 'wan' to 'tun0'?
Do you think that will sort my problem?

ispyisail
Moderator
Posts: 5185
Joined: Mon Apr 06, 2009 3:15 am
Location: New Zealand

Re: Portforward and how to access via vpn cli adress

Post by ispyisail »

Maybe someone more clever than me can find you a solution.

But the way I see it, an IP address is like a mailbox number/address. When you have many addresses all the same, how does the mailman know which one to deliver to?

This is on the edge of my skills, but I think the problem is the subnet mask 255.255.255.x (or whatever subnet mask you are using).

The networks need to be on a different subnet.

https://www.techopedia.com/6/28587/inte ... subnetting
