DNAT with routing, setup possible?

RUTX08 LAN 192.168.5.1/24
Device1 LAN 192.168.5.2/24

OpenVPN Connection 10.1.0.100/24

Now I receive TCP packets over the VPN connection for the destination 192.168.10.0/24, which I have to rewrite to 192.168.20.0/24 and route via Device1 (192.168.5.2/24).

Is this possible and how?

Edit:
Is this only possible with the custom rules (only a single IP for testing)?
iptables -t nat -A PREROUTING -d 192.168.10.30 -j DNAT --to-destination 192.168.20.30
and then a static route for 192.168.20.0/24 to gateway 192.168.5.2?

Hello,

To better understand the requirements, please, attach a simple network topology with IP addresses marked and the desired packet flow.

Kind Regards,

Yes, you are right, here is the network topology:

Notebook has a route for 192.168.25.0/24 via 10.5.2.30 and can ping 192.168.25.1 and 192.168.25.5.
But now I need to access a device in “LAN2”, for example with the address 192.168.88.5.

My idea was now to rewrite all traffic coming in on the tun (VPN) interface for the address 192.168.25.100 to 192.168.88.100 (DNAT).

The other idea was to add a second route on the Notebook, for example 192.168.26.0/24, and rewrite it on the RUTX08 to 192.168.88.0/24.

The RUTX08 needs a route for the network 192.168.88.0/24 with the second router's address 192.168.25.5 as gateway.

Routing Notebook:

192.168.25.0 255.255.255.0 10.5.2.30

Routing RUTX08:

192.168.88.0 255.255.255.0 192.168.25.5

@AndzejJ
I got it, can you confirm this setup is ok?

Network > Routing > Static routes

lan | 192.168.88.0 | 255.255.255.0 | 192.168.25.5

Network > Firewall > Custom Rules

iptables -t nat -A PREROUTING -i tun_c_VPN -d 192.168.25.100 -j DNAT --to-destination 192.168.88.100

If I ping 192.168.25.100 (LAN1) from the notebook, the device 192.168.88.100 (LAN2) answers and the connection works.

I was not sure whether to use -A PREROUTING or -I PREROUTING, but append sounds better to me than insert.

Hello,

Since the routes can be configured on the laptop and you have a VPN, it should be possible to have routing between the networks. However, since you already have a working setup, I guess you can leave it as it is. The forwarding itself looks fine.

When it comes to iptables rules, insert simply ensures that the rule is at the top of the ruleset and is matched first. Keep in mind that rules are applied on the first match. When you append the rule, it's added to the bottom of the ruleset and is basically the last rule against which the packet is checked.

Kind Regards.
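The confirmed setup (the single-host DNAT rule plus the static route to 192.168.25.5) and the append-versus-insert point from the reply, put together as one script for the whole-subnet variant the poster also mentioned (a second route on the notebook for 192.168.26.0/24, rewritten on the RUTX08 to 192.168.88.0/24). This is an added example, not code from the thread or from Teltonika. Beyond what the posts state, it assumes that the VPN interface is tun_c_VPN as in the posted rule, that the router's iptables build has the NETMAP target (prefix-wide DNAT, so one rule covers every host instead of one rule per address), that the Custom Rules page persists to /etc/firewall.user as on stock OpenWrt, and that the second router sends replies for the VPN subnet back via the RUTX08, since conntrack only reverses the translation on replies that pass through the same connection entry:

```shell
#!/bin/sh
# Added example (not from the thread or from Teltonika): whole-subnet DNAT
# (NETMAP) plus the static route for the alias-subnet variant, printed as a
# dry run first so the generated commands can be reviewed before they touch
# the router.  Assumed, not stated on the page: VPN interface tun_c_VPN,
# NETMAP available in the router's iptables, Custom Rules kept in
# /etc/firewall.user.

VPN_IF="tun_c_VPN"
ALIAS_NET="192.168.26.0/24"   # what the notebook routes over the VPN
REAL_NET="192.168.88.0/24"    # LAN2 as it really is, behind the second router
LAN2_GW="192.168.25.5"        # the second router's LAN1 address

# What NETMAP does to each packet: keep the host part, swap the /24 prefix.
# Prints the rewritten address; returns 1 if the ip is outside alias_net,
# 2 if either prefix is not a /24 (this helper only handles /24).
netmap24() {
    nm_ip=$1; nm_alias=$2; nm_real=$3
    case "$nm_alias,$nm_real" in */24,*/24) ;; *) return 2 ;; esac
    [ "${nm_ip%.*}" = "${nm_alias%.*}" ] || return 1
    printf '%s.%s\n' "${nm_real%.*}" "${nm_ip##*.}"
}

# The two configuration pieces, one command per line.
render_rules() {
    # Rewrite the destination on packets arriving from the VPN; conntrack
    # applies the reverse mapping to the replies automatically.
    echo "iptables -t nat -A PREROUTING -i $VPN_IF -d $ALIAS_NET -j NETMAP --to $REAL_NET"
    # uci equivalent of Network > Routing > Static routes:
    #   lan | 192.168.88.0 | 255.255.255.0 | 192.168.25.5
    echo "uci add network route"
    echo "uci set network.@route[-1].interface='lan'"
    echo "uci set network.@route[-1].target='${REAL_NET%/*}'"
    echo "uci set network.@route[-1].netmask='255.255.255.0'"
    echo "uci set network.@route[-1].gateway='$LAN2_GW'"
    echo "uci commit network"
}

# Run the rendered commands on the router, stopping at the first failure,
# then reload the network config so the route is installed.  The iptables
# line is also appended to /etc/firewall.user so it survives a firewall
# restart (assumption: that is where the Custom Rules page stores it).
apply_rules() {
    render_rules > /tmp/dnat_example.sh
    sh -e /tmp/dnat_example.sh || return 1
    render_rules | head -n 1 >> /etc/firewall.user
    /etc/init.d/network reload
}

# Post-apply checks: position and hit counters of the rule in PREROUTING,
# the route, and live flows.  A conntrack line for an alias destination also
# shows the real host as the reply source, which is the rewrite in action.
show_state() {
    iptables -t nat -L PREROUTING -v -n --line-numbers
    ip route show "$REAL_NET"
    grep -F "dst=${ALIAS_NET%.*}." /proc/net/nf_conntrack 2>/dev/null \
        || echo "no active flows to $ALIAS_NET"
}

case "${1:-render}" in
    apply)  apply_rules ;;
    status) show_state ;;
    map)    netmap24 "$2" "$ALIAS_NET" "$REAL_NET" ;;
    *)      render_rules ;;
esac
```

Run it without arguments to print the commands, with `apply` to execute them on the router, and with `status` afterwards to see the rule's line number and packet counters in PREROUTING plus any live flows; `map <ip>` prints what a given alias address is rewritten to. With -A the rule lands at the end of the nat PREROUTING chain, after whatever the firewall already put there; that is fine as long as no earlier rule already DNATs this traffic, and the `--line-numbers` output from `status` is where to check that order if a later change breaks it.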


Yes, that was my first idea, unfortunately there are more LAN2 networks with the same subnet behind different LAN1 networks…
The only way to handle this (in my eyes) is DNAT, or am I wrong?

Hello @itsam,

Indeed, if there are multiple different networks with the same subnets, then DNAT will likely be more appropriate for this use case. This way, you will be able to have a logical distinction between identical networks.

The setup looks fine as long as it achieves your goals. If you ever need to route between identical networks directly in other setups, I would suggest checking these forum posts here:

Kind Regards,

Routing is not an issue for me, but in this case I must learn how to use DNAT on Teltonika for the first time :wink:

The products and support of Teltonika are really excellent, thank you @AndzejJ!
