Archive for the ‘openwrt’ Category

SNAT + DNAT = router as source address for port mapping

Wednesday, September 2nd, 2009

problem: I've got multiple routes to the internet and port mappings from different public IPs to internal services. If the port-mapped traffic arrives via the destination server's default gateway, everything is straightforward. If a public IP on a router other than the default gateway is used, one option is to rewrite the source IP of the incoming packets for the port-mapped service on that router. All requests then arrive at the destination server appearing to originate from the router, so the server knows how to route the replies back.

environment: the router is running OpenWrt, but I'm using standard iptables stuff. In the samples below 192.168.1.1 is the router and 192.168.1.2 is the destination server (http). 123.1.1.2 is the public IP.

solution:

# rewrite the destination of traffic arriving for the public IP on port 80
iptables -t nat -A PREROUTING -d 123.1.1.2 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.2:80
# rewrite the source of traffic going to the server so that replies return via this router
# (inserted at position 1 so it runs before the masquerade rule)
iptables -t nat -I POSTROUTING 1 -s 0.0.0.0/0 -d 192.168.1.2 -j SNAT --to 192.168.1.1
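An added example, not from the original post, that wraps the two rules in a function and narrows the SNAT to connections conntrack has marked as DNATed on the mapped port, so ordinary LAN traffic to the server keeps its real source address. The function name and the IPT dry-run variable are my own; the conntrack match is assumed to be available on the router.

```shell
#!/bin/sh
# Generate the DNAT + SNAT pair for a port mapping whose public IP sits on a
# router that is not the server's default gateway. By default the rules are only
# printed (dry run); run with IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"

# port_map_rules PUBLIC_IP PUBLIC_PORT SERVER_IP SERVER_PORT ROUTER_LAN_IP
port_map_rules() {
    pub_ip=$1; pub_port=$2; srv_ip=$3; srv_port=$4; rtr_ip=$5
    # 1. DNAT: packets arriving for the public IP/port go to the internal server.
    $IPT -t nat -A PREROUTING -d "$pub_ip" -p tcp --dport "$pub_port" \
        -j DNAT --to-destination "$srv_ip:$srv_port"
    # 2. SNAT, but only for connections conntrack marked as DNATed and only for
    #    the mapped port, so the server's replies come back through this router
    #    while LAN-to-server traffic keeps its real source address. Inserted at
    #    position 1 so it precedes the masquerade rule. Caveat: the server's own
    #    logs will show the router's address for mapped connections, so keep the
    #    real client address in the router's logs if you need it for auditing.
    $IPT -t nat -I POSTROUTING 1 -m conntrack --ctstate DNAT \
        -d "$srv_ip" -p tcp --dport "$srv_port" -j SNAT --to-source "$rtr_ip"
}

# Constructed sample matching the post: public 123.1.1.2, server 192.168.1.2,
# router 192.168.1.1, http on port 80 at both ends.
port_map_rules 123.1.1.2 80 192.168.1.2 80 192.168.1.1
```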

openwrt MPPE required, but kernel has no support

Tuesday, December 2nd, 2008

add

arc4
sha1

to /etc/modules.d/31-mppe

removing default range (.100-.150) from dnsmasq

Saturday, March 22nd, 2008
start="$(dhcp_calc "${start:-100}")"
limit="$((${limit:-150} + 1))"
eval "$(ipcalc.sh $ipaddr $netmask $start $limit)"

# COMMENT NEXT LINE
# append args "--dhcp-range=$name,$START,$END,$NETMASK,$leasetime${options:+ $options}"

dnsmasq and dns servers for specific domains

Sunday, April 15th, 2007

environment OpenWrt, dnsmasq

problem A DNS server for a specific domain (e.g. abc.com) is either not reachable from outside OR, due to firewall/VPN restrictions, has a different IP than the publicly advertised one

solution Edit dnsmasq.conf and add

server=/abc.com/10.1.1.2

OpenWrt, DHCP and static IPs

Saturday, April 7th, 2007

Environment OpenWrt on LinkSys WRT54GL

Problem Configure static IPs in DHCP server

Solution Edit /etc/ethers

# Machine Name (this is a comment)
#  
xx:xx:xx:xx:xx:xx 1.2.3.4

Activation on OpenWrt

killall dnsmasq
rm /tmp/dhcp.leases
/etc/init.d/S60dnsmasq

Activation on Windows

ipconfig /renew

Debugging

tail /tmp/dhcp.leases
tcpdump -avn -i br0 not host and not host and not ip6

You should see the DHCP requests

Site-2-Site IPsec with ISA 2006/Windows 2003 and OpenSwan/OpenWrt/Linux

Friday, March 30th, 2007

Task Establish Site-to-Site IPsec between ISA 2006 and OpenWrt 0.9 on a Linksys WRT54GL using OpenSwan (2.4.6-1 or 2.4.4-1)

Solution Use the following settings in ipsec.conf

conn isa2openwrt
    authby=secret
    esp=3des-sha1
    ike=3des-sha1
    leftid=<public-ip isa>
    left=<public-ip isa>
    leftsubnet=<private subnet behind isa>
    leftnexthop=%defaultroute
    rightid=<public-ip openwrt>
    right=<public-ip openwrt>
    rightsubnet=<private subnet behind openwrt>
    rightnexthop=%defaultroute
    pfs=yes
    ikelifetime=1h
    keylife=1h
    rekey=no
    keyingtries=5
    auto=start

Note leftid and rightid MUST correspond to the public IPs, because ISA 2006 expects this.

authby=secret selects pre-shared key authentication (I didn't want to mess with certificates).

ISA 2006 configuration is straightforward. Just provide the public IPs and the sub-networks you want to expose. IMPORTANT In IPSec Configuration/Phase I set "Authenticate and generate new key every" to 3600 (instead of 28800) - see solution.

If you have multiple subnets (or just want to be able to connect to the public IP of the opposite site) OpenSwan requires you to have a separate conn section for each subnet.

Solved Issues Right now the tunnel stops working after some idle time (i.e. no traffic). Interestingly the tunnel can be re-established by restarting the OpenWrt end (/etc/init.d/S60ipsec restart).

An upgrade of OpenSwan 2.4.4-1 to 2.4.6-1 didn't help. Up to now I'm too busy/lazy to enable the Oakley log on the ISA 2006 server.

Paul Wouters suggested to use Dead Peer Detection, but that didn't help.

Solution I found this posting that I'm currently testing.

Firewall Don't forget to allow IKE/ISAKMP and ESP traffic on the OpenWrt with iptables

iptables -A input_rule -p esp -s <public ip of ISA server> -j ACCEPT
iptables -A input_rule -p udp -s <public ip of ISA server> --dport 500 -j ACCEPT

and you probably want to make sure that traffic to the private subnet on the opposite tunnel side isn't getting NATed, with

iptables -t nat -A postrouting_rule -d 10.1.1.0/24 -j ACCEPT

Debugging On ISA 2006 the Log Viewer is pretty helpful and don't forget to check the alerts.

On OpenWrt enable syslog with

nvram set log_ipaddr=
nvram commit

and Windows Syslog Daemon works well. ipsec.conf needs

config setup
   plutodebug="all"
   ...

or something similar.

Some barely related commands

  • ipkg list_installed
  • ipkg install openswan
  • ipconfig /flushdns
