hi mike, I still strongly discourage using NAT inside your controlled private network.. fix your routing instead as that is the right approach.... RFC 1918 (private IP addresses) says that private IP addresses are routable within your *controlled* domain and must be dropped once they go to another domain...

fooler.

On Fri, Feb 21, 2014 at 1:35 AM, Michael Tinsay <[email protected]> wrote:
>
> It turns out that I had to add the following rules to iptables for dd-wrt to
> masquerade properly:
>
>   iptables -t nat -I POSTROUTING -o vlan2 -s 192.168.1.0/24 -d 10.10.10.0/21 -j SNAT --to-source 10.10.10.69
>   iptables -t nat -I POSTROUTING -o vlan2 -s 192.168.1.0/24 -d 192.168.200.0/24 -j SNAT --to-source 192.168.200.227
>   iptables -t nat -I POSTROUTING -o vlan2 -s 192.168.1.0/24 -d 10.20.30.0/24 -j SNAT --to-source 10.20.30.227
>
> Problem solved! On to the next tasks...
>
> --- mike t.
>
> ________________________________
> From: fooler mail <[email protected]>
> To: Michael Tinsay <[email protected]>; Philippine Linux Users' Group (PLUG) Technical Discussion List <[email protected]>
> Sent: Friday, 21 February 2014, 12:21
> Subject: Re: [plug] dd-wrt and multiple subnets
>
> hi mike,
>
> see comments below...
>
>> Each subnet in the corporate lan has a different default gateway, but none
>> of them is the router I'm tinkering with.
>
> above statement is indeed now the problem... in routing... there must
> be a path from one end to the other end and vice versa...
>
> routing is pretty simple to troubleshoot... for example.. you want to
> troubleshoot from subnet 1 (192.168.100.0/24) going to subnet 2
> (10.10.10.0/21) ... assuming your host ip in subnet 1 is
> 192.168.100.123 and host ip in subnet 2 is 10.10.10.123.. all you have
> to do is go to host 192.168.100.123 first and look at its routing
> table and see what the next hop for host 10.10.10.123 is.. once you
> have the next hop... go to that next hop and look at its routing table
> and look for the next hop for 10.10.10.123... and so on and so
> forth until you reach the hop whose routing table has a *directly
> connected* interface for 10.10.10.123/21... directly connected interface
> means if one interface has an ip of 10.10.10.234/21 for example...
> 10.10.10.123 is now reachable with that direct route....
>
> after you trace that it is reachable from 192.168.100.123 going to
> 10.10.10.123... now do the reverse trace by starting from 10.10.10.123
> going to 192.168.100.123 to see if it is reachable or not... you can easily
> spot where the problem is by doing a route trace...
>
> there are two kinds of routing - symmetric and asymmetric...
> symmetric routing is the same path from and to and to and from.. while
> asymmetric is not...
>
> you can use either symmetric or asymmetric as long as both ends are
> reachable.. one big disadvantage of asymmetric is that if you have a
> session tracking firewall along the path - it will break and drop the
> connection because the firewall will see a lot of unknown sessions due
> to the asymmetric path...
>
>> I tested both with the built-in firewall on and off. Same behavior on
>> both counts.
>
> ok this simply means you have a routing problem...
>
>> I'm thinking this is a NAT/masquerade-related issue in the dd-wrt
>> firmware.
>
> in your situation.. you only use NAT and apply it at the public IP
> address interface facing the internet... don't use any NAT on those
> 4 subnets as the correct routing table in place will take care of
> the routing to reach each subnet.. if you want those 4 subnets to be
> able to reach the internet.. make sure there is a path going to the
> Internet as well as the return path to the source...
>
> since you mentioned subnet 1 has no problem with internet connection..
> therefore.. this is not a NAT issue..
>
> you will only use NAT inside your network if another network segment
> joins your existing network with the same network segment address
> space...
>
> for example... you have two networks 1.0.0.0/24 and 2.0.0.0/24 that
> are connected with each other... your company bought another company
> and their network is 1.0.0.0/24 which conflicts with your existing
> network... to solve this problem without touching the network of the
> newly bought company... create another network segment, let's say
> 3.0.0.0/24, and join it to your existing network.. then have a one-to-one
> NAT mapping between 3.0.0.0/24 and 1.0.0.0/24 of that newly bought
> company's network...
>
> if you still have difficulty... just let me know and I will require
> you to submit the full details of your network by sending them to me in
> private....
>
> fooler.
>
>
>
> _________________________________________________
> Philippine Linux Users' Group (PLUG) Mailing List
> http://lists.linux.org.ph/mailman/listinfo/plug
> Searchable Archives: http://archives.free.net.ph
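The hop-by-hop route trace fooler describes in the quoted reply, and why mike's LAN could reach the corporate subnets while the return path failed, as an added example that is not from the thread: a small Python model of per-node routing tables with longest-prefix lookup and a forward/reverse check. The topology is constructed (node names, the LAN host 192.168.1.10, corp-gw and its 10.10.10.1 address are assumptions); only 192.168.1.0/24, 10.10.10.0/21 and 10.10.10.69 come from the thread.

```python
import ipaddress

# Constructed topology modelled on the thread (an assumption, not the poster's real network):
# dd-wrt has LAN 192.168.1.0/24 and sits on the corporate 10.10.10.0/21 as 10.10.10.69 (the SNAT
# source from the thread); corporate hosts default to corp-gw, which has no route to 192.168.1.0/24.
# Each node lists its interface IPs and a routing table {prefix: next_hop}; None = directly connected.
NODES = {
    "lan-host":  {"ifaces": ["192.168.1.10"],
                  "routes": {"192.168.1.0/24": None, "0.0.0.0/0": "192.168.1.1"}},
    "dd-wrt":    {"ifaces": ["192.168.1.1", "10.10.10.69"],
                  "routes": {"192.168.1.0/24": None, "10.10.10.0/21": None, "0.0.0.0/0": "10.10.10.1"}},
    "corp-gw":   {"ifaces": ["10.10.10.1"], "routes": {"10.10.10.0/21": None}},
    "corp-host": {"ifaces": ["10.10.10.123"],
                  "routes": {"10.10.10.0/21": None, "0.0.0.0/0": "10.10.10.1"}},
}

def node_owning(ip, nodes):
    """Name of the node that has `ip` on one of its interfaces, or None if nobody does."""
    return next((n for n, d in nodes.items() if ip in d["ifaces"]), None)

def lookup(routes, dst):
    """Longest-prefix match of `dst` against one routing table: (network, next_hop) or None."""
    dst, best = ipaddress.ip_address(dst), None
    for prefix, nh in routes.items():
        net = ipaddress.ip_network(prefix, strict=False)  # accept 10.10.10.0/21 as written in the thread
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best

def trace(nodes, src_ip, dst_ip):
    """fooler's walk: follow each hop's next hop until a node has a directly connected route
    covering dst_ip. Returns (reachable, [nodes visited, destination included on success])."""
    current, path = node_owning(src_ip, nodes), []
    while current is not None and current not in path:   # unknown next hop or a loop ends the walk
        path.append(current)
        match = lookup(nodes[current]["routes"], dst_ip)
        if match is None:
            return False, path                            # this hop has no route for dst at all
        if match[1] is None:                              # directly connected: delivered
            return True, path + [node_owning(dst_ip, nodes) or dst_ip]
        current = node_owning(match[1], nodes)
    return False, path

def check_both_ways(nodes, a, b):
    """Trace a->b and the return path b->a; symmetric only if the reverse visits the same nodes."""
    fwd, rev = trace(nodes, a, b), trace(nodes, b, a)
    return {"forward": fwd, "reverse": rev, "symmetric": fwd[0] and rev[0] and fwd[1] == rev[1][::-1]}
```

Running `check_both_ways(NODES, "192.168.1.10", "10.10.10.123")` shows the forward path delivered and the return path dying at corp-gw, which is the condition the SNAT rules papered over; adding `192.168.1.0/24 via 10.10.10.69` on corp-gw makes both directions reachable but leaves them asymmetric, the case fooler says a session-tracking firewall on the path will drop.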

