Temat: Problem z NATem dla OpenVPN po rekonfiguracji
Witam,
mam problem z NAT po rekonfiguracji routera, mysle ze jest gdzies blad konfiguracyjny, ale musi byc na tyle oczywisty ze nie moge go znalezc. Nie jestem z tych co lubia zaorac i zrobic od nowa, wole znalezc problem chocby edukacyjnie.
Krotka historia/kontekst: router z 18.06rc1 stoi za funboxem, z pewnych powodow dawno temu WAN port byl zbridge'owany z Wifi i sluzyl mi za moj LAN domowy, zas porty LAN mialy NATa/DHCP z routera i mialy inna siec za soba. Po zmianach w sieci chcialem to uporzadkowac, robiac z WAN portu prawdziwy WAN (na razie nieuzywany) zas cale WiFi oraz LAN miec tak jak w domyslnej konfiguracji. W dodatku mam 2 VPN postawione na routerze - 1 jako NAT, 1 jako bridge z LAN.
Po calej tej rekonfiguracji wszystko dziala oprocz VPNa z NATem. Przyczyne znam - jest nia brak NATa na dla VPN mimo konfiguracji i funbox nie wie jak zawrocic odpowiedz bo nie ma statycznych routes - sprawdzone na tcpdump, ruch wychodzi nieznatowany, nie wiem jednak jak ja usunac bo moim zdaniem konfiguracja jest odpowiednia, robilem restarty procesow i calego routera. Tak jakby gdzies zostal jakis smiec albo przegapiam oczywista rzecz.
Moja konfiguracja:
Funbox ma adres 192.168.1.1 (na nim dhcp i dns i wyjscie na swiat)
root@owrt:~# cat /etc/config/network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fde2:4964:533a::/48'
config interface 'lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option gateway '192.168.1.1'
option dns '192.168.1.1'
option broadcast '192.168.1.255'
option _orig_ifname 'eth0.1 tap_myvpn wlan0 radio1.network1'
option _orig_bridge 'true'
option ipaddr '192.168.1.30'
option type 'bridge'
option ifname 'eth0.1 radio1 tap0'
config interface 'wan'
option _orig_ifname 'eth0.2'
option _orig_bridge 'false'
option proto 'dhcp'
option ifname 'eth0.2'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option vid '1'
option ports '0t 2 3 4 5'
config switch_vlan
option device 'switch0'
option vlan '2'
option vid '2'
option ports '0t 1'
config interface 'vpn0'
option ifname 'tun0'
option proto 'none'
option auto '1'
config interface 'vpn1'
option proto 'none'
option ifname 'tap0'
option auto '1'
config route
option interface 'lan'
option target '10.8.1.0'
option netmask '255.255.255.0'
option gateway '192.168.1.23'
root@owrt:~#
(reguly firewalla zostaly z czasow kiedy WAN byl zaufany i byl de facto moim LANem stad ruch w ta i z powrotem)
root@owrt:~# cat /etc/config/firewall
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fe80::/10'
option src_port '547'
option dest_ip 'fe80::/10'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
option enabled '0'
config rule
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-OpenVPN-Inbound'
option target 'ACCEPT'
option src '*'
option proto 'tcp'
option dest_port '443'
option enabled '0'
config rule
option target 'ACCEPT'
option src 'vpn'
option name 'Allow Forwarded VPN0 Traffic to LAN'
option family 'ipv4'
option proto 'all'
option dest '*'
option enabled '0'
config rule
option target 'ACCEPT'
option name 'Allow Forwarded LAN Traffic to VPN0'
option family 'ipv4'
option proto 'all'
option dest 'vpn'
option src '*'
option enabled '0'
config rule
option target 'ACCEPT'
option src 'vpn'
option dest 'lan'
option name 'Allow Inbound ICMP Traffic from VPN0 to LAN'
option family 'ipv4'
option proto 'icmp'
option enabled '0'
config rule
option target 'ACCEPT'
option proto 'tcp'
option dest_port '1883'
option name 'MQTT'
option src '*'
config rule
option src_mac '14:BB:6E:49:39:37'
option proto 'all'
option target 'DROP'
option name 'telewizor out'
option src 'lan'
option dest 'wan'
option enabled '0'
config rule
option dest 'lan'
option name 'telewizor in'
option src '*'
option dest_ip '192.168.2.143'
option target 'DROP'
option enabled '0'
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option network 'lan vpn1'
config zone
option name 'wan'
option output 'ACCEPT'
option mtu_fix '1'
option masq '1'
option input 'ACCEPT'
option network 'wan'
option forward 'REJECT'
config include
option path '/etc/firewall.user'
config zone
option name 'vpn'
option output 'ACCEPT'
option network 'vpn0'
option forward 'REJECT'
option input 'ACCEPT'
option masq '1'
config forwarding
option dest 'lan'
option src 'vpn'
config forwarding
option dest 'wan'
option src 'vpn'
config forwarding
option dest 'lan'
option src 'wan'
config forwarding
option dest 'vpn'
option src 'wan'
config forwarding
option dest 'vpn'
option src 'lan'
config forwarding
option dest 'wan'
option src 'lan'
root@owrt:~#
config openvpn 'vpnNAT'
option enabled '1'
option verb '3'
option dev 'tun'
option topology 'subnet'
option server '10.8.0.0 255.255.255.0'
option ifconfig '10.8.0.1 255.255.255.0'
option ca '/etc/openvpn/ca.crt'
option cert '/etc/openvpn/dom-owrt.crt'
option key '/etc/openvpn/dom-owrt.key'
option dh '/etc/openvpn/dh2048.pem'
option tls_auth '/etc/openvpn/tls-auth.key'
option tls_version_min '1.2'
option client_to_client '1'
option persist_key '1'
option persist_tun '1'
list push 'redirect-gateway def1'
list push 'dhcp-option DNS 192.168.1.1'
option cipher 'AES-256-CBC'
option port '443'
option tls_server '1'
option auth 'SHA512'
option key_direction '0'
option compress 'lzo'
option proto 'tcp'
config openvpn 'vpnBridge'
option keepalive '10 60'
option compress 'lzo'
option mode 'server'
option tls_server '1'
list push 'route-gateway dhcp'
list push 'redirect-gateway def1'
option client_to_client '1'
option enabled '1'
option dev 'tap0'
option persist_tun '1'
option persist_key '1'
option ca '/etc/openvpn/ca.crt'
option cert '/etc/openvpn/dom-owrt.crt'
option key '/etc/openvpn/dom-owrt.key'
option dh '/etc/openvpn/dh2048.pem'
option cipher 'AES-256-CBC'
option port '1194'
option proto 'udp'
option auth 'SHA512'
option tls_version_min '1.2'
option tls_auth '/etc/openvpn/tls-auth-bridge.key'
option key_direction '0'
option verb '3'