Problem:
I use OpenWRT as a router behind a VDSL bridge.
My provider gives me a dynamic IP and a static /29 network.
I want to use the dynamic WAN IP for my machines in the LAN and the static /29 network for the servers in the DMZ.
In the web interface (LuCI), however, NAT cannot be disabled.

LAN (VLAN 2, eth0.2) --> WAN: NAT, SRC-IP: dynamic IP
DMZ (VLAN 3, eth0.3) --> WAN: forwarding without NAT

Solution:

1) LuCI: Network - Firewall - dmz - Forwarded Traffic Default Policy: accept

2) Create /etc/firewall.postrun:

# before: check with iptables -t nat -L -n -v --line-numbers
#
#Chain zone_dmz_nat (0 references)
#num   pkts bytes target     prot opt in     out     source               destination
#1        0     0 MASQUERADE  all  --        eth0.3  0.0.0.0/0            0.0.0.0/0
#
#Chain zone_wan_nat (1 references)
#num   pkts bytes target     prot opt in     out     source               destination
#1      103  6148 MASQUERADE  all  --        ppp0    0.0.0.0/0            0.0.0.0/0

# delete all MASQUERADE rules in table nat, chain zone_dmz_nat
# (rule numbers come from the --line-numbers column; delete from the highest
# number down, because deleting a rule renumbers the ones after it)
MASQDMZ=$(iptables -t nat -L zone_dmz_nat -n -v --line-numbers | grep MASQUERADE | cut -d' ' -f1 | sort -rn)
for RULENUM in $MASQDMZ; do
  iptables -t nat -D zone_dmz_nat $RULENUM
done

# replace every MASQUERADE rule on ppp0 in table nat, chain zone_wan_nat with one
# that excludes the static /29 from masquerading (-R keeps the rule number)
MASQWANPPP=$(iptables -t nat -L zone_wan_nat -n -v --line-numbers | grep MASQUERADE | grep "ppp0" | cut -d' ' -f1)
NOMASQSRC=208.77.188.160/29
for RULENUM in $MASQWANPPP; do
  iptables -t nat -R zone_wan_nat $RULENUM -o ppp0 ! -s $NOMASQSRC -j MASQUERADE
done

# debugging zone_wan_nat
# found that you cannot match on the incoming interface here (the LOG shows IN= OUT=ppp0),
# which is why the exception is expressed as a source-address match instead
#
#iptables -t nat -I zone_wan_nat -o ppp0 -j LOG
#iptables -t nat -D zone_wan_nat 1

# afterwards: check with iptables -t nat -L -n -v --line-numbers
#
# Chain zone_dmz_nat (0 references)
# pkts bytes target     prot opt in     out     source               destination
#
# Chain zone_wan_nat (1 references)
# pkts bytes target     prot opt in     out     source               destination
#   10  1251 MASQUERADE  all  --  *      ppp0   ! 208.77.188.160/29      0.0.0.0/0

3) Edit /lib/firewall/uci_firewall.sh so that the include is sourced after the zones are set up:
fw_init() {
        (...)
        for interface in $INTERFACES; do
                fw_event ifup "$interface"
        done

        #jke/20101128
        echo "Loading include /etc/firewall.postrun"
        [ -e /etc/firewall.postrun ] && . /etc/firewall.postrun
}
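Reading the "afterwards" table by eye is error-prone, and firewall.postrun runs again on every firewall reload, so it pays to have a check that can be repeated. The script below is an added example, not part of the original post: check_no_masq parses the output of iptables -t nat -L -n -v --line-numbers and fails unless zone_dmz_nat no longer contains a MASQUERADE rule and every MASQUERADE rule on the WAN interface in zone_wan_nat carries "! <prefix>" as its source. The function names, the column layout it assumes, and the two listings (constructed sample input modelled on the before/after tables above) are all mine; the prefix 208.77.188.160/29 and the chain and interface names are taken from the post.

```sh
#!/bin/sh
# Added example, not from the original post: verify from the output of
#   iptables -t nat -L -n -v --line-numbers
# that (a) chain zone_dmz_nat holds no MASQUERADE rule any more and
# (b) every MASQUERADE rule on the WAN interface in zone_wan_nat carries
# "! <prefix>" as its source. The two listings are constructed sample
# input so the check runs offline; on the router, pipe the real listing in.

# Constructed listing: state before /etc/firewall.postrun runs.
BEFORE_LISTING='Chain zone_dmz_nat (0 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MASQUERADE  all  --  *      eth0.3  0.0.0.0/0            0.0.0.0/0

Chain zone_wan_nat (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1      103  6148 MASQUERADE  all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0'

# Constructed listing: state after the MASQUERADE rule has been replaced.
AFTER_LISTING='Chain zone_dmz_nat (0 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain zone_wan_nat (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1       10  1251 MASQUERADE  all  --  *      ppp0   ! 208.77.188.160/29      0.0.0.0/0'

# check_no_masq PREFIX [WANIF]   (reads the listing on stdin; WANIF defaults to ppp0)
# Exit status 0 = PREFIX is excluded from NAT, 1 = it is not (or no WAN rule found).
# Assumed column layout of "iptables -L -n -v --line-numbers":
#   num pkts bytes target prot opt in out source destination
# A negated source prints as "! 1.2.3.0/29" or "!1.2.3.0/29" depending on the
# iptables version; both forms are handled.
check_no_masq() {
    awk -v pfx="$1" -v wanif="${2:-ppp0}" '
        /^Chain / { chain = $2; next }
        $4 == "MASQUERADE" {
            if (chain == "zone_dmz_nat") { bad++; next }
            if (chain == "zone_wan_nat" && $8 == wanif) {
                seen++
                neg = 0; src = $9
                if (src == "!")                    { neg = 1; src = $10 }
                else if (substr(src, 1, 1) == "!") { neg = 1; src = substr(src, 2) }
                if (!(neg && src == pfx)) bad++
            }
        }
        # fail if any rule still masquerades the prefix, or if the WAN
        # MASQUERADE rule (still needed for the LAN) is missing altogether
        END { exit (bad || !seen) ? 1 : 0 }
    '
}

# check_listing LISTING PREFIX [WANIF]: convenience wrapper over a string
check_listing() {
    printf '%s\n' "$1" | check_no_masq "$2" "$3"
}

# report LABEL LISTING: human-readable verdict for the demo run below
report() {
    if check_listing "$2" 208.77.188.160/29; then
        echo "$1: 208.77.188.160/29 is excluded from MASQUERADE"
    else
        echo "$1: 208.77.188.160/29 would still be masqueraded"
    fi
}

report before "$BEFORE_LISTING"
report after  "$AFTER_LISTING"
```

On the router the same function is used against the live table, e.g. `iptables -t nat -L -n -v --line-numbers | check_no_masq 208.77.188.160/29`, which makes a convenient last line for firewall.postrun or a cron job, since a reload that drops the exception would otherwise silently start masquerading the DMZ again. The check deliberately also fails when no MASQUERADE rule for ppp0 exists at all, because deleting the rule outright would break the LAN, not just fix the DMZ.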
