Masquerading LAN-to-LAN source IP through RNAT?

DD-WRT Forum Index -> Advanced Networking
izua
DD-WRT Novice


Joined: 20 Oct 2014
Posts: 5

Posted: Mon Oct 20, 2014 10:47    Post subject: Masquerading LAN-to-LAN source IP through RNAT?
Hi,

How can I masquerade the source IP of a machine inside a private network while connecting by nat reflection to another machine inside the same private network?

I know NAT reflection was a problem until ~rev 19000, where, even if you enabled the specific option in the GUI, it would still not work.

Example network:

Code:

workstation-1:192.168.1.2
workstation-2:192.168.1.3
dd-wrt: 192.168.1.1
public ip: 1.2.3.4

public ip port forwards:
  1.2.3.4:223 -> 192.168.1.2:22
  1.2.3.4:224 -> 192.168.1.3:22

What I do right now:
workstation-1 # ssh 1.2.3.4 -p 223
connects correctly to 192.168.1.2
workstation-2 # ssh 1.2.3.4 -p 224
connects correctly to 192.168.1.3

What is my problem:
workstation-1 # last | grep 192.168.1.2
#
(nothing)

What I expect to find:
izua     pts/x       192.168.1.2        Mon Oct 20 06:00 - 09:00  (03:00)

What I actually find:
izua     pts/x       192.168.1.1        Mon Oct 20 06:00 - 09:00  (03:00)


tl;dr - when connecting from a LAN IP to another LAN IP by NAT reflection, I want the source IP from the NAT to appear as the originating IP instead of the router's IP.

There probably is a special name for this, since I can't figure out the iptables command (a forward from -i eth0 to -o eth0 would make no sense, for example).


Last edited by izua on Tue Nov 04, 2014 1:15; edited 1 time in total
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6870
Location: Romerike, Norway

Posted: Mon Nov 03, 2014 8:47
I don't understand what you are trying to achieve here.
izua
DD-WRT Novice


Joined: 20 Oct 2014
Posts: 5

Posted: Mon Nov 03, 2014 17:40
Connect to a service (public IP:port only) from inside or outside the LAN. Have the target service see the source IP masqueraded in both cases (public IP when originating from the Internet and LAN IP - not the router's - when originating from inside the LAN). Or in other words, route a LAN-to-LAN connection through the external IP and have the target service see the source IP.

I specifically need the connection to be routed through and masqueraded, and not connect directly (for example, by figuring out the IP through a network-wide nameserver).

The problem that I see is that the service sees the router's IP when accessed from inside the LAN.


Last edited by izua on Tue Nov 04, 2014 1:02; edited 1 time in total
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6870
Location: Romerike, Norway

Posted: Mon Nov 03, 2014 19:34
Use two name servers. One for internal use that gives the private address for the name and another that gives the public address for clients outside the network.
izua
DD-WRT Novice


Joined: 20 Oct 2014
Posts: 5

Posted: Tue Nov 04, 2014 1:08
Yeah, that's what I'm currently doing, however, I want to do this by bouncing through the router.
There is also the problem that, by bypassing the router and its port forwards, I have to open the forwarded ports on the LAN machines (223 and 224 in my example). Not a problem for sshd, but other apps won't like it. I could do this locally, on every machine, for every service, in iptables, though.
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6870
Location: Romerike, Norway

Posted: Tue Nov 04, 2014 8:18
This will not work. You are asking for conflicting features.
izua
DD-WRT Novice


Joined: 20 Oct 2014
Posts: 5

Posted: Thu Nov 06, 2014 10:09
I'm not sure I understand. Bouncing through the router obviously works because RNAT is working and I see the source IP as the router on the destination. What makes it conflicting for the router to rewrite the source IP to one originating from the local private network, as it is already doing with packets coming from the Internet?
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6870
Location: Romerike, Norway

Posted: Thu Nov 06, 2014 10:35
The SNAT takes place when the packet goes from the LAN to the WAN.
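A toy model of the reflected (hairpin) NAT path discussed in this thread, added here as an illustration and not taken from the forum or from DD-WRT. It uses the addresses and port forwards from the first post and shows why the router must rewrite the source to its own LAN address: without that SNAT the server answers the client directly, and the client's TCP stack rejects a reply that does not come from 1.2.3.4:port. The `Packet` model, the fixed client port 40000 and the `hairpin` helper are constructed for this example.

```python
# Added example: minimal model of NAT reflection (hairpin NAT) on the DD-WRT box.
# Addresses and forwards are the ones from the thread; everything else is constructed.
from dataclasses import dataclass, replace

ROUTER_LAN = "192.168.1.1"
PUBLIC_IP = "1.2.3.4"
# Port forwards from the post: public port -> (internal host, port)
FORWARDS = {223: ("192.168.1.2", 22), 224: ("192.168.1.3", 22)}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def router_forward(pkt: Packet, snat: bool) -> Packet:
    """DNAT a packet aimed at the public IP; optionally SNAT it to the router's LAN IP."""
    host, port = FORWARDS[pkt.dport]
    pkt = replace(pkt, dst=host, dport=port)
    if snat:
        pkt = replace(pkt, src=ROUTER_LAN)
    return pkt


def router_reverse(original: Packet) -> Packet:
    """Undo both translations for the reply, as conntrack does for an established flow."""
    return Packet(src=original.dst, sport=original.dport, dst=original.src, dport=original.sport)


def hairpin(client: str, public_port: int, snat: bool) -> dict:
    """Run one LAN-to-LAN connection via the public IP; report what each side observes."""
    original = Packet(client, 40000, PUBLIC_IP, public_port)  # client port is constructed
    forwarded = router_forward(original, snat)
    # The server replies to whatever source address it saw on the forwarded packet.
    reply = Packet(forwarded.dst, forwarded.dport, forwarded.src, forwarded.sport)
    if reply.dst == ROUTER_LAN:
        # Reply comes back to the router, which un-NATs it and relays it to the client.
        reply = router_reverse(original)
    # The client only accepts a reply from the peer it actually connected to.
    accepted = (reply.src, reply.sport) == (original.dst, original.dport) and reply.dst == client
    return {"server_sees": forwarded.src, "client_accepts": accepted}


if __name__ == "__main__":
    print("with SNAT   :", hairpin("192.168.1.2", 224, snat=True))
    print("without SNAT:", hairpin("192.168.1.2", 224, snat=False))
```

With SNAT the server logs the router's address (the behaviour the poster observes in `last`), while without it the server sees the real LAN client but the reply bypasses the router and the connection cannot complete.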