The content of this topic has been archived on 28 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.
Hi all.
I'm facing problems with my vpn traffic being masquerading, I need to use masquerade but not to my vpns.
If I use masq_dest option like
option masq_dest !192.168.1.0/24
it works like a charm, but I have a dozens of vpns.
So, I tried to use
option masq_dest !192.168.1.0/24 !192.168.5.0/24 !10.10.0.0/16
but all the vpn's traffic dies.
Is there a way to not masq multiple subnets?
thanks in advance
masq_dest list of subnets
Since it's a list I guess it should be:
list masq_dest !192.168.1.0/24
list masq_dest !192.168.5.0/24
list masq_dest !10.10.0.0/16Hi mikma.
I've already tried this way.
Option or list didn't change the behavior.
thanks
Until now the only way I could make it work was disabling masquerade in the wan zone and adding the following rules to the /etc/firewall.user:
iptables -t nat -A POSTROUTING -s 192.168.20.0/24 -d 192.168.1.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.20.0/24 -d 192.168.5.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.20.0/24 -d 10.10.0.0/16 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.20.0/24 -j MASQUERADE
I'd like to use a more clean way to set these options, preferably using LUCI.
You only have to add the exceptions and it is probably better to use the user chain for postrouting, such as postrouting_wan_rule.
The following can be used in /etc/firewall.user:
iptables -t nat -A postrouting_wan_rule -s 192.168.20.0/24 -d 192.168.1.0/24 -j ACCEPT
iptables -t nat -A postrouting_wan_rule -s 192.168.20.0/24 -d 192.168.5.0/24 -j ACCEPT
iptables -t nat -A postrouting_wan_rule -s 192.168.20.0/24 -d 10.10.0.0/16 -j ACCEPTIf they are ipsec vpns then one line should be enough:
iptables -t nat -A postrouting_wan_rule -m policy --dir out --pol ipsec -j ACCEPTThe discussion might have continued from here.