It’s firewall day today. I have been doing Linux firewalling since 1998, and I am having a hard time mapping Teltonika’s terminology to “my world’s” terminology.
For example, I have switched the “masquerading” switch on my lan => wan zone rule off:
and would expect my Internet access to stop working with this setting. However, even after rebooting the router (to get rid of any connection tracking table entries that might still reflect the old setting), my Internet still works.
What did I actually change by switching off the Masquerade switch? I expected that to remove a rule in the POSTROUTING chain, which would probably say --in-int lan --out-int wan --jump MASQUERADE, but it looks like my router still does source NAT.
Where does this originate?
How can I set source NAT for lan => wan traffic and no source NAT for lan => openvpn traffic? It looks like this part of WebUI doesn’t allow me to define a second rule with lan as the source.
The Masquerading option enables Network Address Translation (NAT). When this feature is active, the router replaces the private IP addresses of devices on the LAN with its own public or WAN IP address when sending traffic to the internet.
This allows multiple local devices to share a single internet connection securely while keeping their internal IP addresses hidden from external networks. It’s commonly used on routers to provide internet access to all LAN devices without exposing them directly.
You’ll most likely have to use custom rules under the firewall section for this. Perhaps something like the following: iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -d 10.8.0.0/24 -j ACCEPT
Please. This is beginner level information that you are giving to a person with 25 years of experience in working with Linux firewalls and packet filters.
Why does my Internet access still work when I disable that option?
The option is disabled by default, and the internet is supposed to work whether it is enabled or disabled. It could be your mobile carrier performing CGNAT (or perhaps some other device in the network?)
That is indeed possible. I know that both routers I am currently working with are behind an AVM Fritzbox, and one of them is possibly behind CGNAT. But I doubt that the Fritzbox would let anything pass that doesn’t have a source address from the Fritzbox’s internal LAN.
I will do some experiments in a controlled lab setting where I can tcpdump on the Teltonika’s WAN interface. Will probably take until after the weekend.
Never mind, this issue can be closed. Thank you for providing unrestricted ssh access so that the expert user could figure it out for myself.
The solution to my question is:
Setting of the “Masquerading” option in the Network/Firewall/Zones settings influences packets going OUT of the Interface that is listed as SOURCE in the respective line:
In this case, a MASQUERADE rule is inserted in the zone_wan_postrouting chain, which is called from the POSTROUTING chain for packets that have eth1 (my WAN interface) as OUTGOING interface:
Turning the option on on the LAN interface makes an identical rule appear in the zone_lan_postrouting chain:
This is somewhat counterintuitive and can only be figured out by people like me who’ve been having complex iptables expressions for breakfast for two decades. For normal users, this needs to be explained in the docs.
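A quick way to check where masquerading actually lands, added here as an example and not taken from the thread or from Teltonika: it parses an `iptables-save -t nat` dump and maps each outgoing interface to whether its zone postrouting chain contains a MASQUERADE rule. The dump below is constructed; eth1 and zone_wan_postrouting follow the thread, while tun0 and zone_openvpn_postrouting are assumed names for an OpenVPN zone with masquerading left off.

```python
import re

# Constructed `iptables-save -t nat` output, modelled on the zone chain
# layout described in the thread: POSTROUTING dispatches on the OUTGOING
# interface into zone_*_postrouting, and only the WAN zone chain carries
# MASQUERADE. The "!fw3" comments mimic what the OpenWrt firewall emits.
SAMPLE_NAT_TABLE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:zone_lan_postrouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_openvpn_postrouting - [0:0]
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_openvpn_postrouting
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
COMMIT
"""

# "-A POSTROUTING -o <iface> ... -j zone_<name>_postrouting"
JUMP_RE = re.compile(r"^-A POSTROUTING -o (\S+)(?: .*)? -j (zone_\w+_postrouting)$")
# "-A zone_<name>_postrouting ... -j MASQUERADE"
MASQ_RE = re.compile(r"^-A (zone_\w+_postrouting)\b.*-j MASQUERADE$")


def masquerade_map(nat_dump):
    """Return {outgoing interface: bool} telling whether packets leaving that
    interface reach a MASQUERADE rule through its zone postrouting chain."""
    iface_to_chain = {}
    masq_chains = set()
    for line in nat_dump.splitlines():
        line = line.strip()
        m = JUMP_RE.match(line)
        if m:
            iface_to_chain[m.group(1)] = m.group(2)
            continue
        m = MASQ_RE.match(line)
        if m:
            masq_chains.add(m.group(1))
    return {iface: chain in masq_chains for iface, chain in iface_to_chain.items()}


def report(nat_dump):
    """Print one line per outgoing interface, for reading on the router."""
    for iface, masq in sorted(masquerade_map(nat_dump).items()):
        print(f"{iface}: {'source NAT (MASQUERADE)' if masq else 'no source NAT'}")


if __name__ == "__main__":
    report(SAMPLE_NAT_TABLE)
```

On the router itself, feed it real output with `iptables-save -t nat` instead of the constructed dump; the interesting line is the one for the interface you expected to be exempt from source NAT.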