Answer the question
In order to leave comments, you need to log in
F
F
fanya2492015-02-14 14:36:30
fanya249, 2015-02-14 14:36:30
How to make NAT between openvpn and iptunnel?
The situation is this:
openvpnclient(10.8.0.6)<--ovpn-->(10.8.0.1)linux-router(192.168.9.105)<--ipip-->(192.168.9.106)mikrotik(192.168.11.1)<-- ethernet-->{192.168.11.0/29}
mikrotik has a route to 192.168.0.0/16 via 192.168.9.105
Cannot make NAT for openvpn clients.
ifconfig
tun4 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
tun30 Link encap:IPIP Tunnel HWaddr
inet addr:192.168.9.105 P-t-P:192.168.9.106 Mask:255.255.255.252
UP POINTOPOINT RUNNING NOARP MTU:1480 Metric:1ip r
10.8.0.0/24 via 10.8.0.2 dev tun4
192.168.11.0/29 via 192.168.9.106 dev tun30router:/# ping 192.168.11.1
PING 192.168.11.1 (192.168.11.1) 56(84) bytes of data.
64 bytes from 192.168.11.1: icmp_req=1 ttl=64 time=7.75 mstcpdump -i tun30 -n
14:03:49.380280 IP 192.168.9.105 > 192.168.11.1: ICMP echo request, id 17531, seq 2, length 64
14:03:49.388094 IP 192.168.11.1 > 192.168.9.105: ICMP echo reply, id 17531, seq 2, length 64iptables -A POSTROUTING -t nat -s 10.8.0.0/24 -d 192.168.11.0/29 -j SNAT --to-source 192.168.9.105c:\openvpnclient>ping 192.168.11.1
Обмен пакетами с 192.168.11.1 по с 32 байтами данных:
Превышен интервал ожидания для запроса.tcpdump -i tun30 -n
14:18:25.587304 IP 10.8.0.6 > 192.168.11.1: ICMP echo request, id 1280, seq 64262, length 40
14:18:31.087791 IP 10.8.0.6 > 192.168.11.1: ICMP echo request, id 1280, seq 64518, length 40
14:18:36.587831 IP 10.8.0.6 > 192.168.11.1: ICMP echo request, id 1280, seq 64774, length 40iptables -L -v -n -t nat does not show packets for SNAT rule. TRACE shows:
Feb 14 12:14:05 router kernel: [1471412.532494] TRACE: raw:PREROUTING:policy:2 IN=tun4 OUT= MAC= SRC=10.8.0.6 DST=192.168.11.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=7586 PROTO=ICMP TYPE=8 CODE=0 ID=1280 SEQ=45313
Feb 14 12:14:05 router kernel: [1471412.532515] TRACE: mangle:PREROUTING:policy:1 IN=tun4 OUT= MAC= SRC=10.8.0.6 DST=192.168.11.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=7586 PROTO=ICMP TYPE=8 CODE=0 ID=1280 SEQ=45313
Feb 14 12:14:05 router kernel: [1471412.532522] TRACE: mangle:FORWARD:policy:21 IN=tun4 OUT=tun30 SRC=10.8.0.6 DST=192.168.11.1 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=7586 PROTO=ICMP TYPE=8 CODE=0 ID=1280 SEQ=45313
Feb 14 12:14:05 router kernel: [1471412.532527] TRACE: filter:FORWARD:rule:1 IN=tun4 OUT=tun30 SRC=10.8.0.6 DST=192.168.11.1 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=7586 PROTO=ICMP TYPE=8 CODE=0 ID=1280 SEQ=45313
Feb 14 12:14:05 router kernel: [1471412.532533] TRACE: mangle:POSTROUTING:policy:1 IN= OUT=tun30 SRC=10.8.0.6 DST=192.168.11.1 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=7586 PROTO=ICMP TYPE=8 CODE=0 ID=1280 SEQ=45313
и дальше пакет заворачивается в ipip туннельThat is, packets do not end up in table 'nat' .
How can this be fixed? Registering a route to 10.8.0.0/24 on mikrotik is not considered as a solution, you need to implement it through NAT.
1 answer(s)
@ifaustrue
C
Cool Admin, 2015-02-14 @ifaustrue
What about this?
iptables -t nat -A POSTROUTING -o tun30 -j MASQUERADE
Similar questions
A
K
P
D
M
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question