cyberdev DD-WRT User Joined: 14 Sep 2008 Posts: 76
Posted: Sat Oct 26, 2013 17:33 Post subject: Need Help - How to forward ICMP Packets to a lan device
Hello,
How can I forward ICMP packets from WAN to a LAN device (192.168.1.134)? Is there a firewall rule?
What would they look like?
I need this to get a ptunnel connection to my Raspberry.
cyberdev DD-WRT User Joined: 14 Sep 2008 Posts: 76
Posted: Sat Oct 26, 2013 23:24 Post subject:
Or is it possible to run ptunnel on the router directly? I have installed ptunnel on my Wrt320n, but if I want to start ptunnel, I only get permission denied ...
Per Yngve Berg DD-WRT Guru Joined: 13 Aug 2013 Posts: 6868 Location: Romerike, Norway
cyberdev DD-WRT User Joined: 14 Sep 2008 Posts: 76
Posted: Sun Oct 27, 2013 10:01 Post subject:
That's not the problem, my IP is pingable.
But I don't want the router to answer ICMP requests, I want the Raspberry to do this.
cyberdev DD-WRT User Joined: 14 Sep 2008 Posts: 76
Posted: Sun Oct 27, 2013 18:44 Post subject:
I have now tried this:
iptables -t nat -A PREROUTING -p icmp --icmp-type 0 -j DNAT --to-destination 192.168.1.134
but it won't work
Is nobody here who can help me?
basmaf DD-WRT Guru Joined: 24 Feb 2011 Posts: 1074
Posted: Sun Oct 27, 2013 18:56 Post subject:
You need to insert a rule in the forward chain which accepts the ping to destination
rocky13 DD-WRT User Joined: 25 Apr 2008 Posts: 158
Posted: Sun Oct 27, 2013 19:43 Post subject:
cyberdev wrote: I have now tried this:
iptables -t nat -A PREROUTING -p icmp --icmp-type 0 -j DNAT --to-destination 192.168.1.134
but it won't work
Is nobody here who can help me?
You can try the following, should do what you want,
iptables -I FORWARD -i br0 -s 192.168.1.134 -p ICMP -j ACCEPT
OR
iptables -I FORWARD -i br0 -s 192.168.1.0/24 -p ICMP -j ACCEPT
cyberdev DD-WRT User Joined: 14 Sep 2008 Posts: 76
Posted: Sun Oct 27, 2013 19:59 Post subject:
Quote: You can try the following, should do what you want,
iptables -I FORWARD -i br0 -s 192.168.1.134 -p ICMP -j ACCEPT
OR
iptables -I FORWARD -i br0 -s 192.168.1.0/24 -p ICMP -j ACCEPT
Thank you, but it won't work
Here is the whole FW Config of my Router
Code: insmod ipt_mark
insmod xt_mark
iptables -t mangle -A PREROUTING -i ! `get_wanface` -d `nvram get wan_ipaddr` -j MARK --set-mark 0xd001
iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
iptables -t nat -A POSTROUTING -m mark --mark 0xd001 -j MASQUERADE
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -s 192.168.1.134 -p ICMP -j ACCEPT
basmaf DD-WRT Guru Joined: 24 Feb 2011 Posts: 1074
Posted: Sun Oct 27, 2013 20:19 Post subject:
Try this
iptables -t nat -I PREROUTING -p icmp -d [wanip] -j DNAT --to-destination 192.168.1.134
iptables -I FORWARD -d 192.168.1.134 -p ICMP -j ACCEPT
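
Added example, not part of the thread or any poster's code: a narrower form of the DNAT + FORWARD pair above that matches only echo-requests (type 8, which is what the ptunnel client log in this thread shows being sent) arriving on the WAN interface, optionally from one source range. The function names, `vlan2`, `203.0.113.10` and `198.51.100.0/24` are constructed placeholders; it assumes the router already accepts ESTABLISHED/RELATED traffic so the replies can leave.

```shell
#!/bin/sh
# Added example. Dry run by default (prints the commands); set IPT=iptables to apply.
IPT="${IPT:-echo iptables}"

# Succeeds if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Hand inbound echo-requests on the WAN side to one LAN host.
# Args: wan_if wan_ip lan_ip [allowed_src]
# On DD-WRT, wan_if and wan_ip can come from `get_wanface` and
# `nvram get wan_ipaddr`, as in the firewall script posted in this thread.
forward_echo_request() {
    wan_if=$1 wan_ip=$2 lan_ip=$3 src=${4:-}
    [ -n "$wan_if" ] || { echo "missing WAN interface" >&2; return 2; }
    is_ipv4 "$wan_ip" || { echo "bad WAN address: $wan_ip" >&2; return 2; }
    is_ipv4 "$lan_ip" || { echo "bad LAN address: $lan_ip" >&2; return 2; }
    src_match=""
    if [ -n "$src" ]; then
        # Only the address part is checked here; iptables validates the prefix.
        is_ipv4 "${src%/*}" || { echo "bad source: $src" >&2; return 2; }
        src_match="-s $src"
    fi
    # -i keeps LAN-side pings to the WAN address out of the DNAT rule;
    # --icmp-type 8 leaves every other ICMP type handled by the router itself.
    $IPT -t nat -I PREROUTING -i "$wan_if" $src_match -p icmp --icmp-type 8 \
        -d "$wan_ip" -j DNAT --to-destination "$lan_ip"
    $IPT -I FORWARD -i "$wan_if" $src_match -p icmp --icmp-type 8 \
        -d "$lan_ip" -j ACCEPT
}

# Constructed sample values (documentation address ranges), dry run:
forward_echo_request vlan2 203.0.113.10 192.168.1.134 198.51.100.0/24
```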
cyberdev DD-WRT User Joined: 14 Sep 2008 Posts: 76
Posted: Sun Oct 27, 2013 21:23 Post subject:
OK ... it works ... a little bit :/
On the ptunnel client I got:
Code: [xfr]: Send: 36 [0] bytes [seq = 47] [type = ack] [ack = 65535] [icmp = 8] [user = yes]
[xfr]: Recv: 56 [0] bytes [seq = 47] [type = ack] [ack = 65535] [icmp = 0] [user = yes] [pcap = 0]
[dbg]: Resending packet with seq-no 0.
[xfr]: Recv: 56 [0] bytes [seq = 0] [type = start] [ack = 65535] [icmp = 0] [user = yes] [pcap = 0]
[xfr]: Send: 36 [0] bytes [seq = 48] [type = ack] [ack = 65535] [icmp = 8] [user = yes]
[xfr]: Recv: 56 [0] bytes [seq = 48] [type = ack] [ack = 65535] [icmp = 0] [user = yes] [pcap = 0]
[xfr]: Send: 36 [0] bytes [seq = 49] [type = ack] [ack = 65535] [icmp = 8] [user = yes]
[xfr]: Recv: 56 [0] bytes [seq = 49] [type = ack] [ack = 65535] [icmp = 0] [user = yes] [pcap = 0]
[dbg]: Resending packet with seq-no 0.
[xfr]: Recv: 56 [0] bytes [seq = 0] [type = start] [ack = 65535] [icmp = 0] [user = yes] [pcap = 0]
[xfr]: Send: 36 [0] bytes [seq = 50] [type = ack] [ack = 65535] [icmp = 8] [user = yes]
[xfr]: Recv: 56 [0] bytes [seq = 50] [type = ack] [ack = 65535] [icmp = 0] [user = yes] [pcap = 0]
On the ptunnel server I got:
Code: [dbg]: Resending packet with seq-no 0.
[dbg]: Received ack-series starting at seq 65535
[err]: Dropping duplicate proxy session request.
[dbg]: Received ack-series starting at seq 65535
[dbg]: Resending packet with seq-no 0.
[dbg]: Received ack-series starting at seq 65535
[err]: Dropping duplicate proxy session request.
[dbg]: Received ack-series starting at seq 65535
[dbg]: Received ack-series starting at seq 65535
[dbg]: Resending packet with seq-no 0.
[dbg]: Received ack-series starting at seq 65535
[err]: Dropping duplicate proxy session request.
[dbg]: Received ack-series starting at seq 65535
[dbg]: Resending packet with seq-no 0.
[dbg]: Received ack-series starting at seq 65535
[err]: Dropping duplicate proxy session request.
[dbg]: Received ack-series starting at seq 65535
[dbg]: Received ack-series starting at seq 65535
[dbg]: Resending packet with seq-no 0.
[dbg]: Received ack-series starting at seq 65535
basmaf DD-WRT Guru Joined: 24 Feb 2011 Posts: 1074
Posted: Mon Oct 28, 2013 5:33 Post subject:
Never used ptunnel, so I'm guessing.
Does ping work?
You say that this is your whole firewall config.
Are those additional rules or only those? Then how about related, established?
cyberdev DD-WRT User Joined: 14 Sep 2008 Posts: 76
Posted: Mon Oct 28, 2013 8:31 Post subject:
Ping works, I think it's the router config of my neighbor - I use his WLAN for testing.
The other rules are additional rules, so that I can reach my internal devices over my external address.
And the other rule is to split br0 (my network) from br1 (guest network).
Whether ptunnel works, I will see in the next days.
Thank you basmaf for your help
Edit:
P.S.: for
Code: iptables -t nat -I PREROUTING -p icmp -d [wanip] -j DNAT --to-destination 192.168.1.134
I have set
Code: iptables -t nat -I PREROUTING -p icmp -d `nvram get wan_ipaddr` -j DNAT --to-destination 192.168.1.134
so it gets the WAN IP directly from nvram