OpenWrt Forum Archive

Topic: UCI commands for MASQ of VPN interface tap0?

The content of this topic has been archived on 19 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi,

could someone with deep insight into uci firewall & networking tell me, how to translate these simple iptables rules:

iptables -t nat -A POSTROUTING -o tap0 -j MASQUERADE
iptables -A FORWARD -o tap0 -j ACCEPT
iptables -A FORWARD -i tap0 -j ACCEPT

into uci commands (using 8.09_RC1)? I tried to make something like this:

1) make an interface in /etc/config/network
config interface tap0
        option ifname "tap0"
2) define a zone in /etc/config/firewall
config 'zone'
        option 'name' 'tap0'
        option 'input' 'ACCEPT'
        option 'output' 'ACCEPT'
        option 'forward' 'ACCEPT'
        option 'masq' '1'

but the problem is that the fw_addif function thinks that tap0 is down (but it is up from openvpn).
I know I could do it using "config include", but I'd like to use the clean UCI way...

drama wrote:

... I'd like to use the clean UCI way...

Same here, I got as far as figuring out that sourcing /lib/firewall/uci_firewall.sh and running "addif vpn tun0 vpn" once the server is up will set things right. I guess the fact that tun0 does not have an address is preventing zone_vpn_forward from being referenced when the firewall rules are compiled from UCI configuration.

I am exploring two possibilities:
1) running the openvpn initscript from UCI when tun0 is activated
2) detecting zone and if information and running addif from hotplug

Stay tuned.

drama wrote:

1) make an interface in /etc/config/network
config interface tap0
        option ifname "tap0"

uci set network.tap0=interface      # create a named section
uci set network.tap0.ifname=tap0    # add ifname option to the new section
uci commit network                  # save changes

drama wrote:

2) define a zone in /etc/config/firewall
config 'zone'
        option 'name' 'tap0'
        option 'input' 'ACCEPT'
        option 'output' 'ACCEPT'
        option 'forward' 'ACCEPT'
        option 'masq' '1'

uci add firewall zone                           # create an anonymous zone section at the end of the config file
uci set firewall.@zone[-1].name=tap0            # add name option
uci set firewall.@zone[-1].input=ACCEPT         # add input option
uci set firewall.@zone[-1].output=ACCEPT        # add output option
uci set firewall.@zone[-1].forward=ACCEPT       # add forward option
uci set firewall.@zone[-1].masq=1               # add masq option
uci commit firewall                             # save changes

(Last edited by Dogge on 7 Sep 2009, 14:54)

It seems to me that you're adding an extra firewall rule for no purpose: running "/sbin/ifup vpn" after the openvpn server has been started will happily create the proper rules from the zone definitions.

Of the two ways I envisioned for doing that, only one turns out to be possible: calling an external script.
That's what I am doing now.

EDIT: might have spoken too soon... if you reload the firewall settings via the gui, the zone_vpn_forward chain becomes again unreferenced, so much for my clever hack.

(Last edited by aboaboit on 8 Sep 2009, 14:11)
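Added example (editor's, not posted by anyone in this thread and not OpenWrt's or OpenVPN's own code): one shell script that serves both drama's original question and aboaboit's external-script approach. Part 1 is the full UCI translation of the three iptables rules as "uci batch" input: a zone with masq set plus two forwarding sections. Part 2 is an OpenVPN up hook that maps the device name OpenVPN exports in $dev to the network section that owns it and runs ifup, which is what attaches the device to its zone once it actually exists. The section and zone name "vpn", the LAN zone name "lan" and the script path /etc/openvpn/up.sh are assumptions; adjust them to the router's own config.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenWrt itself.
# Part 1 writes the UCI equivalent of the three iptables rules from the
# question; part 2 is an OpenVPN "up" hook that runs ifup for the network
# section owning the tap device (aboaboit's external-script approach).
# Section/zone name "vpn" and the LAN zone name "lan" are assumptions.

# Part 1: the UCI translation, as "uci batch" input.
#   zone masq=1           -> iptables -t nat -A POSTROUTING -o tap0 -j MASQUERADE
#   forwarding lan -> vpn -> iptables -A FORWARD -o tap0 -j ACCEPT (traffic from lan)
#   forwarding vpn -> lan -> iptables -A FORWARD -i tap0 -j ACCEPT (traffic to lan)
# The zone gets "option network vpn" so the firewall finds the device
# through the network section instead of guessing from the zone name.
uci_translation() {
    cat <<'EOF'
set network.vpn=interface
set network.vpn.ifname=tap0
add firewall zone
set firewall.@zone[-1].name=vpn
set firewall.@zone[-1].network=vpn
set firewall.@zone[-1].input=ACCEPT
set firewall.@zone[-1].output=ACCEPT
set firewall.@zone[-1].forward=ACCEPT
set firewall.@zone[-1].masq=1
add firewall forwarding
set firewall.@forwarding[-1].src=lan
set firewall.@forwarding[-1].dest=vpn
add firewall forwarding
set firewall.@forwarding[-1].src=vpn
set firewall.@forwarding[-1].dest=lan
commit network
commit firewall
EOF
}

# Part 2: find the network section whose ifname is the given device.
# $1 = device name (OpenVPN exports it as $dev), $2 = text of "uci show
# network".  Prints the section name, or nothing if no section lists it.
# Both quoted (ifname='tap0') and unquoted uci output styles are accepted.
section_for_device() {
    d="$1"
    printf '%s\n' "$2" |
        sed -n "s/^network\.\([^.=]*\)\.ifname='\{0,1\}${d}'\{0,1\}\$/\1/p" |
        head -n 1
}

# ifup the section that owns the device, now that the device exists; this
# is the step fw_addif refused while tap0 was still absent.
openvpn_up() {
    d="$1"
    [ -n "$d" ] || { echo "no device name given" >&2; return 1; }
    command -v uci >/dev/null 2>&1 || { echo "uci not found, nothing done" >&2; return 0; }
    section=$(section_for_device "$d" "$(uci show network)")
    [ -n "$section" ] || { echo "no network section lists $d" >&2; return 1; }
    ifup "$section"
}

if [ -n "${dev:-}" ]; then
    openvpn_up "$dev"              # invoked by OpenVPN, which exports $dev
elif [ "${1:-}" = install ]; then
    uci_translation | uci batch    # one-time: write the config
elif [ "${1:-}" = up ] && [ -n "${2:-}" ]; then
    openvpn_up "$2"                # manual rerun, e.g. after a GUI firewall reload
fi
```

Run "sh up.sh install" once to write the config, then point OpenVPN at the script with "up /etc/openvpn/up.sh" (plus "script-security 2" on OpenVPN versions that require it). As aboaboit's edit notes, a firewall reload from the GUI detaches tap0 from the zone again, so rerun "sh up.sh up tap0" after such a reload; checking "iptables -t nat -L POSTROUTING" for the MASQUERADE entry on tap0 is the quick way to confirm the zone is attached.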

The discussion might have continued from here.