Gargoyle Forum

you also need to get this part correct

When creating the OpenVPN key file for the R2 router

the IP address will be 192.168.15.0

Make sure you copy other stuff from this post exactly.

viewtopic.php?f=11&t=9260

This is the architecture i have chosen. gargoyile with openvpn is brilliant for this setup, only i cant figure out a way to access the forwarded ports coming from the vpn subnet

The "route subnet behind client is working fine, no problem there. however i can not use that since all my clients are identical on lan side. thats why i need the NAT function to forward incoming from tun0 same way as it does from eth1 or wan.

this would be a awsome feature

-A zone_lan_postrouting -m comment --comment "user chain for postrouting" -j postrouting_lan_rule
-A zone_lan_postrouting -s 192.168.250.0/24 -d 192.168.250.2/32 -p tcp -m tcp --dport 9600 -m comment --comment "PLC (reflection)" -j SNAT --to-source 192.168.250.250
-A zone_lan_postrouting -s 192.168.250.0/24 -d 192.168.250.2/32 -p udp -m udp --dport 9600 -m comment --comment "PLC (reflection)" -j SNAT --to-source 192.168.250.250
-A zone_lan_postrouting -s 192.168.250.0/24 -d 192.168.250.1/32 -p udp -m udp --dport 21845 -m comment --comment "HMI_Display (reflection)" -j SNAT --to-source 192.168.250.250
-A zone_lan_postrouting -s 192.168.250.0/24 -d 192.168.250.1/32 -p tcp -m tcp --dport 80 -m comment --comment "HMI_Http (reflection)" -j SNAT --to-source 192.168.250.250
-A zone_lan_postrouting -s 192.168.250.0/24 -d 192.168.250.1/32 -p udp -m udp --dport 80 -m comment --comment "HMI_Http (reflection)" -j SNAT --to-source 192.168.250.250
-A zone_lan_postrouting -s 192.168.250.0/24 -d 192.168.250.127/32 -p tcp -m tcp --dport 22 -m comment --comment "raspberry (reflection)" -j SNAT --to-source 192.168.250.250
-A zone_lan_postrouting -s 192.168.250.0/24 -d 192.168.250.127/32 -p udp -m udp --dport 22 -m comment --comment "raspberry (reflection)" -j SNAT --to-source 192.168.250.250
-A zone_lan_prerouting -m comment --comment "user chain for prerouting" -j prerouting_lan_rule
-A zone_lan_prerouting -s 192.168.250.0/24 -d 192.168.8.105/32 -p tcp -m tcp --dport 9600 -m comment --comment "PLC (reflection)" -j DNAT --to-destination 192.168.250.2:9600
-A zone_lan_prerouting -s 192.168.250.0/24 -d 192.168.8.105/32 -p udp -m udp --dport 9600 -m comment --comment "PLC (reflection)" -j DNAT --to-destination 192.168.250.2:9600
-A zone_lan_prerouting -s 192.168.250.0/24 -d 192.168.8.105/32 -p udp -m udp --dport 21845 -m comment --comment "HMI_Display (reflection)" -j DNAT --to-destination 192.168.250.1
-A zone_lan_prerouting -s 192.168.250.0/24 -d 192.168.8.105/32 -p tcp -m tcp --dport 800 -m comment --comment "HMI_Http (reflection)" -j DNAT --to-destination 192.168.250.1:80
-A zone_lan_prerouting -s 192.168.250.0/24 -d 192.168.8.105/32 -p udp -m udp --dport 800 -m comment --comment "HMI_Http (reflection)" -j DNAT --to-destination 192.168.250.1:80
-A zone_lan_prerouting -s 192.168.250.0/24 -d 192.168.8.105/32 -p tcp -m tcp --dport 3322 -m comment --comment "raspberry (reflection)" -j DNAT --to-destination 192.168.250.127:
-A zone_lan_prerouting -s 192.168.250.0/24 -d 192.168.8.105/32 -p udp -m udp --dport 3322 -m comment --comment "raspberry (reflection)" -j DNAT --to-destination 192.168.250.127:
-A zone_vpn_postrouting -m comment --comment "user chain for postrouting" -j postrouting_vpn_rule
-A zone_vpn_postrouting -j MASQUERADE
-A zone_vpn_prerouting -m comment --comment "user chain for prerouting" -j prerouting_vpn_rule
-A zone_wan_postrouting -m comment --comment "user chain for postrouting" -j postrouting_wan_rule
-A zone_wan_postrouting -j MASQUERADE
-A zone_wan_prerouting -j MINIUPNPD
-A zone_wan_prerouting -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 22
-A zone_wan_prerouting -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 80
-A zone_wan_prerouting -m comment --comment "user chain for prerouting" -j prerouting_wan_rule
-A zone_wan_prerouting -p tcp -m tcp --dport 9600 -m comment --comment PLC -j DNAT --to-destination 192.168.250.2:9600
-A zone_wan_prerouting -p udp -m udp --dport 9600 -m comment --comment PLC -j DNAT --to-destination 192.168.250.2:9600
-A zone_wan_prerouting -p udp -m udp --dport 21845 -m comment --comment HMI_Display -j DNAT --to-destination 192.168.250.1:21845
-A zone_wan_prerouting -p tcp -m tcp --dport 800 -m comment --comment HMI_Http -j DNAT --to-destination 192.168.250.1:80
-A zone_wan_prerouting -p udp -m udp --dport 800 -m comment --comment HMI_Http -j DNAT --to-destination 192.168.250.1:80
-A zone_wan_prerouting -p tcp -m tcp --dport 3322 -m comment --comment raspberry -j DNAT --to-destination 192.168.250.127:22

im thinking my solution lies within here. i will read some more about iptables before i do any more tampering.

/etc/config/firewall

config redirect 'redirect_enabled_number_0'
option name 'raspberry'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '3322'
option dest_ip '192.168.250.127'
option dest_port '22'

how about if i change Option src 'wan' to 'tun0'
do you think that will sort my problem?

Maybe someone more clever that me can find you a solution

But the way I see it an IP address is like a mail box number/address. When you have many address all the same how does the mail man know which one to deliver to?

This is on the edge of my skills but I think the problem is the subnet mask 255.255.255.x (or whatever subnet mask you are using)

The networks need to be on a different subnet.

https://www.techopedia.com/6/28587/inte ... subnetting