OpenWrt Forum Archive

Topic: How to add multiple subnets in the masq_dest option

The content of this topic has been archived on 28 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi all.

I'm facing problems with my vpn traffic being masqueraded; I need to use masquerade, but not for my vpns.
If I use masq_dest option like

option masq_dest !192.168.1.0/24

it works like a charm, but I have dozens of vpns.
So, I tried to use

option masq_dest !192.168.1.0/24 !192.168.5.0/24 !10.10.0.0/16

but all the vpns' traffic dies.

Is there a way to not masq multiple subnets?

thanks in advance

masq_dest     list of subnets

Since it's a list I guess it should be:

list masq_dest !192.168.1.0/24
list masq_dest !192.168.5.0/24
list masq_dest !10.10.0.0/16

Hi mikma.

I've already tried this way.
Option or list didn't change the behavior.

thanks

Until now the only way I could make it work was disabling masquerade in the wan zone and adding the following rules to /etc/firewall.user:

iptables -t nat -A POSTROUTING -s 192.168.20.0/24 -d 192.168.1.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.20.0/24 -d 192.168.5.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.20.0/24 -d 10.10.0.0/16 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.20.0/24 -j MASQUERADE

I'd like to use a cleaner way to set these options, preferably using LuCI.

You only have to add the exceptions, and it is probably better to use the user chain for postrouting, such as postrouting_wan_rule.

The following can be used in /etc/firewall.user:

iptables -t nat -A postrouting_wan_rule -s 192.168.20.0/24 -d 192.168.1.0/24 -j ACCEPT
iptables -t nat -A postrouting_wan_rule -s 192.168.20.0/24 -d 192.168.5.0/24 -j ACCEPT
iptables -t nat -A postrouting_wan_rule -s 192.168.20.0/24 -d 10.10.0.0/16 -j ACCEPT

If they are ipsec vpns then one line should be enough:

iptables -t nat -A postrouting_wan_rule -m policy --dir out --pol ipsec -j ACCEPT
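Since the asker has dozens of vpn subnets, here is an added /etc/firewall.user snippet (not from this thread) that generates the postrouting_wan_rule exceptions from a list and rejects malformed entries before iptables ever sees them. LAN_NET and VPN_NETS are constructed sample values; setting IPT=echo gives a dry run that just prints the rules.

```sh
#!/bin/sh
# Added example for /etc/firewall.user (not from the thread above): exempt LAN
# traffic to each VPN subnet from WAN masquerading by appending ACCEPT rules to
# fw3's user chain postrouting_wan_rule, which runs before the MASQUERADE rule.
# LAN_NET and VPN_NETS are constructed sample values; IPT=echo gives a dry run.
IPT="${IPT:-iptables}"
LAN_NET="192.168.20.0/24"
VPN_NETS="192.168.1.0/24 192.168.5.0/24 10.10.0.0/16"

# Succeed only if $1 is a.b.c.d/n with four octets 0-255 and a prefix 0-32.
# A typo here would make iptables abort the whole script, so reject it first.
valid_cidr() {
    ip="${1%/*}"; pfx="${1#*/}"
    [ "$ip" != "$1" ] || return 1               # no '/' at all
    case "$pfx" in ''|*[!0-9]*) return 1 ;; esac
    [ "$pfx" -le 32 ] || return 1
    n=0; oldifs="$IFS"; IFS=.
    for o in $ip; do
        case "$o" in ''|*[!0-9]*) IFS="$oldifs"; return 1 ;; esac
        [ "$o" -le 255 ] || { IFS="$oldifs"; return 1; }
        n=$((n + 1))
    done
    IFS="$oldifs"
    [ "$n" -eq 4 ]
}

# Append one ACCEPT rule per valid destination subnet, matching only traffic
# from $1 so nothing else is exempted from masquerading. Skips malformed
# entries and returns how many were skipped (0 means all were installed).
add_masq_exceptions() {
    src="$1"; shift
    bad=0
    for dst in "$@"; do
        if valid_cidr "$dst"; then
            $IPT -t nat -A postrouting_wan_rule -s "$src" -d "$dst" -j ACCEPT
        else
            echo "skipping malformed subnet: $dst" >&2
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Only touch the live ruleset when the iptables binary is present (i.e. on the
# router); elsewhere the functions can still be exercised with IPT=echo.
command -v "$IPT" >/dev/null 2>&1 && add_masq_exceptions "$LAN_NET" $VPN_NETS
```

Because fw3 flushes and rebuilds postrouting_wan_rule on every firewall reload, the rules do not accumulate across reloads.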
