Need Help - How to forward ICMP Packets to a lan device

cyberdev
DD-WRT User


Joined: 14 Sep 2008
Posts: 76

Posted: Sat Oct 26, 2013 17:33    Post subject: Need Help - How to forward ICMP Packets to a lan device
Hello,
how can I forward ICMP packets from the WAN to a LAN device (192.168.1.134)? Is there a firewall rule?
What would it look like?
I need this to get a ptunnel connection to my Raspberry.
cyberdev
DD-WRT User


Joined: 14 Sep 2008
Posts: 76

Posted: Sat Oct 26, 2013 23:24
Or is it possible to run ptunnel on the router directly? I have installed ptunnel on my WRT320N, but when I try to start ptunnel, I only get permission denied ...
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6868
Location: Romerike, Norway

Posted: Sun Oct 27, 2013 8:50
http://www.cyberciti.biz/tips/linux-iptables-9-allow-icmp-ping.html
cyberdev
DD-WRT User


Joined: 14 Sep 2008
Posts: 76

Posted: Sun Oct 27, 2013 10:01
That's not the problem, my IP is pingable.
But I don't want the router to answer ICMP requests; I want the Raspberry to do this.
cyberdev
DD-WRT User


Joined: 14 Sep 2008
Posts: 76

Posted: Sun Oct 27, 2013 18:44
I have now tried this:

iptables -t nat -A PREROUTING -p icmp --icmp-type 0 -j DNAT --to-destination 192.168.1.134

but it won't work :(

Nobody here who can help me?
basmaf
DD-WRT Guru


Joined: 24 Feb 2011
Posts: 1074

Posted: Sun Oct 27, 2013 18:56
You need to insert a rule in the FORWARD chain which accepts the ping to the destination.
rocky13
DD-WRT User


Joined: 25 Apr 2008
Posts: 158

Posted: Sun Oct 27, 2013 19:43
cyberdev wrote:
I have now tried this:

iptables -t nat -A PREROUTING -p icmp --icmp-type 0 -j DNAT --to-destination 192.168.1.134

but it won't work :(

Nobody here who can help me?


You can try the following, it should do what you want:

iptables -I FORWARD -i br0 -s 192.168.1.134 -p ICMP -j ACCEPT

OR

iptables -I FORWARD -i br0 -s 192.168.1.0/24 -p ICMP -j ACCEPT
cyberdev
DD-WRT User


Joined: 14 Sep 2008
Posts: 76

Posted: Sun Oct 27, 2013 19:59
Quote:
You can try the following, it should do what you want:

iptables -I FORWARD -i br0 -s 192.168.1.134 -p ICMP -j ACCEPT

OR

iptables -I FORWARD -i br0 -s 192.168.1.0/24 -p ICMP -j ACCEPT


Thank you, but it won't work :(
Here is the whole firewall config of my router:

Code:
insmod ipt_mark
insmod xt_mark
iptables -t mangle -A PREROUTING -i ! `get_wanface` -d `nvram get wan_ipaddr` -j MARK --set-mark 0xd001
iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
iptables -t nat -A POSTROUTING -m mark --mark 0xd001 -j MASQUERADE


iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -s 192.168.1.134 -p ICMP -j ACCEPT
basmaf
DD-WRT Guru


Joined: 24 Feb 2011
Posts: 1074

Posted: Sun Oct 27, 2013 20:19
Try this

iptables -t nat -I PREROUTING -p icmp -d [wanip] -j DNAT --to-destination 192.168.1.134
iptables -I FORWARD -d 192.168.1.134 -p ICMP -j ACCEPT
cyberdev
DD-WRT User


Joined: 14 Sep 2008
Posts: 76

Posted: Sun Oct 27, 2013 21:23
OK ... it works ... a little bit :/

On the ptunnel client I got:

Code:
[xfr]: Send: 36 [0] bytes [seq = 47] [type = ack] [ack = 65535] [icmp = 8] [user = yes]
[xfr]: Recv: 56 [0] bytes [seq = 47] [type = ack] [ack = 65535] [icmp = 0] [user = yes] [pcap = 0]
[dbg]: Resending packet with seq-no 0.
[xfr]: Recv: 56 [0] bytes [seq = 0] [type = start] [ack = 65535] [icmp = 0] [user = yes] [pcap = 0]
[xfr]: Send: 36 [0] bytes [seq = 48] [type = ack] [ack = 65535] [icmp = 8] [user = yes]
[xfr]: Recv: 56 [0] bytes [seq = 48] [type = ack] [ack = 65535] [icmp = 0] [user = yes] [pcap = 0]
[xfr]: Send: 36 [0] bytes [seq = 49] [type = ack] [ack = 65535] [icmp = 8] [user = yes]
[xfr]: Recv: 56 [0] bytes [seq = 49] [type = ack] [ack = 65535] [icmp = 0] [user = yes] [pcap = 0]
[dbg]: Resending packet with seq-no 0.
[xfr]: Recv: 56 [0] bytes [seq = 0] [type = start] [ack = 65535] [icmp = 0] [user = yes] [pcap = 0]
[xfr]: Send: 36 [0] bytes [seq = 50] [type = ack] [ack = 65535] [icmp = 8] [user = yes]
[xfr]: Recv: 56 [0] bytes [seq = 50] [type = ack] [ack = 65535] [icmp = 0] [user = yes] [pcap = 0]


On the ptunnel server I got:

Code:
[dbg]: Resending packet with seq-no 0.
[dbg]: Received ack-series starting at seq 65535
[err]: Dropping duplicate proxy session request.
[dbg]: Received ack-series starting at seq 65535
[dbg]: Resending packet with seq-no 0.
[dbg]: Received ack-series starting at seq 65535
[err]: Dropping duplicate proxy session request.
[dbg]: Received ack-series starting at seq 65535
[dbg]: Received ack-series starting at seq 65535
[dbg]: Resending packet with seq-no 0.
[dbg]: Received ack-series starting at seq 65535
[err]: Dropping duplicate proxy session request.
[dbg]: Received ack-series starting at seq 65535
[dbg]: Resending packet with seq-no 0.
[dbg]: Received ack-series starting at seq 65535
[err]: Dropping duplicate proxy session request.
[dbg]: Received ack-series starting at seq 65535
[dbg]: Received ack-series starting at seq 65535
[dbg]: Resending packet with seq-no 0.
[dbg]: Received ack-series starting at seq 65535

 
basmaf
DD-WRT Guru


Joined: 24 Feb 2011
Posts: 1074

Posted: Mon Oct 28, 2013 5:33
Never used ptunnel, so I'm guessing.

Does ping work?
You say that this is your whole firewall config.
Are those additional rules, or only those? And how about related, established?
cyberdev
DD-WRT User


Joined: 14 Sep 2008
Posts: 76

Posted: Mon Oct 28, 2013 8:31
Ping works. I think it's the router config of my neighbor - I use his WLAN for testing.

The other rules are additional rules, so that I can reach my internal devices over my external address.

And the other rule is to split br0 (my network) from br1 (guest network).

If ptunnel works, I will see in the next days.


Thank you basmaf for your help :)




Edit:
P.S.: for

Code:
iptables -t nat -I PREROUTING -p icmp -d [wanip] -j DNAT --to-destination 192.168.1.134


I have set

Code:
iptables -t nat -I PREROUTING -p icmp -d `nvram get wan_ipaddr` -j DNAT --to-destination 192.168.1.134



so it gets the WAN IP directly from nvram.
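
A narrower form of the two rules that worked in this thread, as an added example that is not part of any post: it forwards only ICMP echo requests (the `icmp = 8` packets the ptunnel client log shows being sent) that arrive on the WAN interface, optionally from a single peer address, instead of every ICMP type from anywhere. The function names, the `vlan2` interface name and the 203.0.113.10 / 198.51.100.7 addresses are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Prints (does not apply) tightened
# versions of the DNAT and FORWARD rules that worked above.

# valid_ipv4 ADDR: succeed only for a dotted quad with octets 0..255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split the address into its octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# icmp_forward_rules WAN_IF WAN_IP LAN_IP [PEER]
# PEER, if given, is the only source address allowed through.
icmp_forward_rules() {
    wan_if=$1 wan_ip=$2 lan_ip=$3 peer=${4:-}
    [ -n "$wan_if" ] || { echo "missing WAN interface" >&2; return 1; }
    # Refuse an empty or all-zero WAN address (e.g. WAN not up yet).
    valid_ipv4 "$wan_ip" && [ "$wan_ip" != 0.0.0.0 ] ||
        { echo "bad WAN IP: '$wan_ip'" >&2; return 1; }
    valid_ipv4 "$lan_ip" || { echo "bad LAN IP: '$lan_ip'" >&2; return 1; }
    src=""
    if [ -n "$peer" ]; then
        valid_ipv4 "$peer" || { echo "bad peer IP: '$peer'" >&2; return 1; }
        src=" -s $peer"
    fi
    # Match only echo requests (type 8) entering on the WAN interface.
    match="-i $wan_if$src -p icmp --icmp-type echo-request"
    echo "iptables -t nat -I PREROUTING $match -d $wan_ip -j DNAT --to-destination $lan_ip"
    echo "iptables -I FORWARD $match -d $lan_ip -j ACCEPT"
}

# Constructed sample values: vlan2, 203.0.113.10 and 198.51.100.7 are
# placeholders. On the router, pass `get_wanface` and `nvram get wan_ipaddr`.
icmp_forward_rules vlan2 203.0.113.10 192.168.1.134 198.51.100.7
```

Because the function only prints the commands, the output can be reviewed first and then piped to `sh` on the router; if the WAN address is missing or malformed, no rule is emitted at all.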