Posted: Mon Aug 20, 2012 19:33 Post subject: NAT Loopback Static Routes Syntax Question
I have a question about the syntax for adding static routes to firmware more recent than 15760. I was configuring an E2500 for a business to replace their WRT-54GTM that had been working well for at least a year using 14853. I successfully flashed the E2500 with 19342 (using a 30-30-30) and configured it with the same GUI configuration as the old WRT had. Unfortunately the two static routes that were required to pull pictures and data from a separate location into an internal sales tool didn't work - all the rest of the router seemed to be working fine. I backed the E2500 down to 18777 (another 30-30-30) and tried again to reconfigure and had no luck. While troubleshooting I remembered the NAT loopback discussion and so I added Phuzi0n's script to solve the NAT loopback issue:
Quote:
I spent some time thinking about the best way to fix loopback. Despite some bad documentation throwing me off before, I found that it's possible to mark traffic destined to the WAN IP and then only masquerade the marked traffic. This should allow loopback to work for all local interfaces without causing problems when ebtables is loaded.
Save the following commands to the Firewall Script on the Administration->Commands page to fix loopback.
insmod ipt_mark
insmod xt_mark
iptables -t mangle -A PREROUTING -i ! `get_wanface` -d `nvram get wan_ipaddr` -j MARK --set-mark 0xd001
iptables -t nat -A POSTROUTING -m mark --mark 0xd001 -j MASQUERADE
But I suspect that I wasn't able to properly configure the final two statements needed:
Quote:
If you have a block of static IP's using 1:1 NAT then you also need to add another iptables rule to cover your IP block. Edit the bolded netblock to be your static IP block.
iptables -t mangle -A PREROUTING -i ! `get_wanface` -d 1.1.1.0/24 -j MARK --set-mark 0xd001
The static routes I need to insert are 10.128.0.0 - 255.240.0.0 to the gateway and 42.0.0.0 - 255.0.0.0 to the gateway.
I tried several different commands but was unable to get them to work properly - any help in this situation would be greatly appreciated.
You shouldn't need loopback unless you're trying to access those networks via port forwards from the router's WAN IP to those networks. Even then you should only need the first group of iptables rules; the second set is for when you have multiple IPs assigned to the WAN interface.
You could check the output of these commands via telnet/ssh (not the gui!!!) and see if anything is different between the old router's config and the new router's config.
A more detailed rundown of how exactly everything is connected would help.
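The two routes in the question are given as network/netmask pairs, and the reply's point is that they are plain static routes that need none of the loopback mark rules. The script below is an added example (not from the thread or from DD-WRT) that converts those netmask-form routes into `ip route add` lines for the router's Administration->Commands script and lets you check which hosts a route actually covers before pasting it in; the gateway 192.168.1.254 is an assumed placeholder for the real next hop.

```shell
#!/bin/sh
# Added example: build and sanity-check the static routes from the question.
# Gateway below is an assumed placeholder, not a value from the thread.

# Convert a dotted-quad netmask to a prefix length, e.g. 255.240.0.0 -> 12.
# Rejects non-contiguous masks such as 255.0.240.0.
mask2prefix() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    bits=0; ended=0
    for octet in "$1" "$2" "$3" "$4"; do
        case $octet in
            255) n=8 ;; 254) n=7 ;; 252) n=6 ;; 248) n=5 ;;
            240) n=4 ;; 224) n=3 ;; 192) n=2 ;; 128) n=1 ;; 0) n=0 ;;
            *) echo "bad netmask octet: $octet" >&2; return 1 ;;
        esac
        # once an octet is not 255, every later octet must be 0
        if [ "$ended" -eq 1 ] && [ "$n" -ne 0 ]; then
            echo "non-contiguous netmask: $1.$2.$3.$4" >&2; return 1
        fi
        if [ "$n" -ne 8 ]; then ended=1; fi
        bits=$((bits + n))
    done
    echo "$bits"
}

# Dotted-quad address to a 32-bit integer for bitwise checks.
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_route IP NETWORK NETMASK -> exit 0 if IP falls inside the route.
in_route() {
    ip=$(ip2int "$1"); net=$(ip2int "$2"); mask=$(ip2int "$3")
    [ $(( ip & mask )) -eq "$net" ]
}

# route_cmd NETWORK NETMASK GATEWAY -> one "ip route add" line.
route_cmd() {
    prefix=$(mask2prefix "$2") || return 1
    echo "ip route add $1/$prefix via $3"
}

# The two routes from the question (gateway is the assumed placeholder).
GW=192.168.1.254
route_cmd 10.128.0.0 255.240.0.0 "$GW"
route_cmd 42.0.0.0 255.0.0.0 "$GW"
```

After adding the routes on the router, `ip route show` over ssh is the quickest way to confirm they are present and to compare against the old router, as the reply suggests.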