OpenWrt Forum Archive

Topic: Help on forwarding between internal interfaces (tun0 and br0)

The content of this topic has been archived on 7 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi, I'm not being lazy, but I have trawled and googled and not found a definitive answer.

Hopefully adding this to the list so it can be googled and may help others, even if the end result is pointing me to a FAQ or other doc.

So, I'm not asking about forwarding from the external interface vlan1 to internal machines. That's easy enough.

Briefly, I want a certain host in my local network to have all its traffic forwarded back and forth to an OpenVPN tun0 interface. Thus I need two MASQUERADING (or SNAT ??) rules, I think.

So, on my OpenWrt, I essentially have two WAN interfaces:

1. vlan1 to the WAN (let's say this IP is WAN_IP0 and gateway GW_IP0)
2. br0 internal LAN (let's say the IP addresses in the LAN are 10.0.0.x)
3. tun0 to a remote WAN p-t-p host (let's say this is WAN_IP1 and the ptp IP is GW_IP1)

Now I need all traffic from an internal LAN host, say 10.0.0.5, to be routed through tun0. I should just be able to use iproute2 to do the forwarding, but can't for the life of me get it to work. I'm trying to integrate this into the /etc/init.d/S45firewall scripts so I don't have to make too many changes.

If I can do this, then the next step would be to just tunnel HTTP(S) traffic to that interface by doing traffic classification (policy routing) using iptables and iproute, but first I need to know how to get all the traffic from a single host forwarded to the secondary WAN interface. I don't have the luxury of trying too many combinations, as I've already locked myself out of the router once and had to reboot, so the wife-approval factor is diminishing.

Thanks

(Last edited by dm66 on 4 Apr 2007, 10:12)

I want to know how to do this too! Thx!

Stoopid me, I had a typo in my rules. Here is the answer.

First choose an iproute2 table that is not being used already (use 'ip rule show' to see the lookup tables).

I'm choosing table 7 (for good luck) and I mark all packets from a host in my internal LAN (say 1.0.0.5) with a mark of 7 also. Then, assuming my previous explanation, here are the rules (also assume my internal br0 IP address is 1.0.0.1):

# table 7: default route out through the tun0 peer, plus the LAN so replies still reach br0
ip route add table 7 default via $GW_IP1
ip route add table 7 1.0.0.0/24 dev br0 proto kernel scope link src 1.0.0.1
# packets carrying fwmark 7 are looked up in table 7 instead of main
ip rule add fwmark 7 table 7
# mark everything coming from the chosen host before routing happens
iptables -t mangle -A PREROUTING -s 1.0.0.5/32 -j MARK --set-mark 7
# source-NAT on the tunnel and permit the LAN -> tun0 forwarding
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
iptables -A FORWARD -i br0 -o tun0 -j ACCEPT

That's it.
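The same rules wrapped in a small shell function, as an added example that is not part of the thread: it checks that the chosen table is not already referenced by an ip rule (the 'ip rule show' check suggested above), supports DRY_RUN=1 to print the commands before touching the router, and has an undo path so a mistake does not mean another lockout. The LAN addresses are the thread's 1.0.0.x values; the tun0 peer address 10.8.0.1 and the interface names are assumed.

```sh
#!/bin/sh
# Added example, not the original poster's script. Assumed: GW_IP1=10.8.0.1,
# LAN 1.0.0.0/24 on br0 with router address 1.0.0.1, tunnel interface tun0.

# Print the command instead of executing it when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# policy_route_host HOST GW TABLE apply|undo
# HOST  LAN host whose traffic goes via the tunnel (e.g. 1.0.0.5)
# GW    point-to-point peer address on tun0 (the GW_IP1 from the thread)
# TABLE routing table number, also reused as the fwmark value
policy_route_host() {
    host="$1"; gw="$2"; tbl="$3"; action="${4:-apply}"
    lan_net="1.0.0.0/24"; lan_ip="1.0.0.1"
    case "$action" in
        apply) verb=add; ipt=-A ;;
        undo)  verb=del; ipt=-D ;;
        *) echo "usage: policy_route_host HOST GW TABLE apply|undo" >&2; return 2 ;;
    esac

    # Refuse to build on a table some other ip rule already points at
    if [ "$action" = apply ] && [ "${DRY_RUN:-0}" != 1 ] \
        && ip rule show | grep -q "lookup $tbl\$"; then
        echo "routing table $tbl already in use, pick another" >&2
        return 1
    fi

    if [ "$action" = apply ]; then
        run ip route "$verb" table "$tbl" default via "$gw"
        run ip route "$verb" table "$tbl" "$lan_net" dev br0 proto kernel scope link src "$lan_ip"
        run ip rule "$verb" fwmark "$tbl" table "$tbl"
        run iptables -t mangle "$ipt" PREROUTING -s "$host/32" -j MARK --set-mark "$tbl"
        run iptables -t nat "$ipt" POSTROUTING -o tun0 -j MASQUERADE
        run iptables "$ipt" FORWARD -i br0 -o tun0 -j ACCEPT
    else
        # Undo in reverse: stop marking first so nothing is routed via a half-removed table
        run iptables "$ipt" FORWARD -i br0 -o tun0 -j ACCEPT
        run iptables -t nat "$ipt" POSTROUTING -o tun0 -j MASQUERADE
        run iptables -t mangle "$ipt" PREROUTING -s "$host/32" -j MARK --set-mark "$tbl"
        run ip rule "$verb" fwmark "$tbl" table "$tbl"
        run ip route "$verb" table "$tbl" "$lan_net" dev br0 proto kernel scope link src "$lan_ip"
        run ip route "$verb" table "$tbl" default via "$gw"
    fi
}
```

Run `DRY_RUN=1 policy_route_host 1.0.0.5 10.8.0.1 7 apply` on the router first and compare the printed lines with the rules above before running it for real.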
