New Member
Posts: 7
Registered: 05-14-2014
Accepted Solution

Help with NATting a point-to-point VPN

I'm a software guy by day. I bought myself an EdgeRouter Lite for home usage. I used the wizard to get the SOHO NAT configuration up and going. I came from a router running Tomato firmware so I'm not a complete networking newbie, but this is a completely different world.

I'm trying to set up a point-to-point OpenVPN. I use this to reach an off-site server which allows more services over VPN than its public address. For example, my Unifi software is running on this off-site server.

I have the OpenVPN tunnel and can ping the server (10.8.0.1) from SSH on the ERL (192.168.1.1). However, I'm having issues with the NAT configuration.

Here's the relevant portions of my config -

firewall {
    all-ping enable
    broadcast-ping disable
    group {
        network-group linode_afitz_net {
            description "linode newark vpn"
            network 10.8.0.0/24
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        enable-default-log
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        enable-default-log
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
    }
    options {
        mss-clamp {
            mss 1412
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 192.168.1.1/24
        description "Trusted LAN"
        duplex auto
        speed auto
    }
    ethernet eth1 {
        description "Internet (PPPoE)"
        duplex auto
        pppoe 0 {
            default-route auto
            firewall {
                in {
                    name WAN_IN
                }
                local {
                    name WAN_LOCAL
                }
            }
...
        }
        speed auto
    }
    ethernet eth2 {
        address 192.168.2.1/24
        description "Guest LAN"
        duplex auto
        speed auto
    }
    loopback lo {
    }
    openvpn vtun0 {
        config-file /config/user-data/openvpn/openvpn-client.conf
    }
}
service {
    nat {
        rule 5000 {
            destination {
                group {
                }
            }
            log enable
            outbound-interface tun0
            protocol all
            source {
                group {
                    network-group linode_afitz_net
                }
            }
            type masquerade
        }
        rule 5001 {
            log disable
            outbound-interface pppoe0
            protocol all
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    upnp {
        listen-on eth0 {
            outbound-interface eth1
        }
    }
}

I did some fiddling with NAT rule 5000 with hard-coded 10.8.0.1, a hard-coded subnet, and finally abstracting it to a network group. Additionally, I tried moving all 3 permutations from the source to the destination side of the NAT rule. It was a little unclear to me which side they should be on. I'm also a little confused; the count on the web GUI never incremented unless I used interface name 'tun0', but it's called 'vtun0' everywhere else?

When I try to ping 10.8.0.1 from a PC on the 192.168.1.0/24 network, this comes up in the log -

kernel: [WAN_LOCAL-default-D]IN=pppoe0 OUT= MAC= src=x.x.x.x DST=255.255.255.255 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=60298 DPT=10001 LEN=12
kernel: [NAT-5000-MASQ] IN= OUT=tun0 src=10.8.0.100 DST=255.255.255.255 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=52317 DPT=10001 LEN=12

x.x.x.x is my WAN PPPoE address. Is this the firewall blocking the outgoing NAT packet? What rule would need to be added? If any needs to be added, why doesn't a rule need to exist for the general Internet access NAT rule I have?

Thanks for your help.




All Replies
New Member
Posts: 7
Registered: 05-14-2014

Re: Help with NATting a point-to-point VPN

It just occurred to me that there's no reason for me to not use a site-to-site tunnel, which should be more straightforward. I'll give that a try tomorrow.

However, I'd still like to understand why my NAT over point-to-point isn't working.
Previous Employee
Posts: 13,551
Registered: 06-10-2011
Kudos: 5480
Solutions: 1656
Contributions: 2

Re: Help with NATting a point-to-point VPN

Probably your "openvpn-client.conf" file has a line "dev tun", which would cause OpenVPN to use the device name "tun0" and that could be an issue. If so, changing that line to "dev-type tun" should preserve the "vtun0" interface name.

New Member
Posts: 7
Registered: 05-14-2014

Re: Help with NATting a point-to-point VPN

This fixed the device naming but I'm still struggling with the NAT. Anyone see anything wrong?


firewall {
    all-ping enable
    broadcast-ping disable
    group {
        network-group linode_afitz_net {
            description "linode newark vpn"
            network 10.8.0.0/24
        }
        port-group forward_to_aaron {
            description "port forwards external to aaron"
            port 22
        }
        port-group forward_to_nas {
            description "port forwards external to synology nas"
            port 80
            port 443
            port 5000
            port 5001
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action accept
            description "accept aaron portforwards"
            destination {
                address 192.168.1.3
                group {
                    port-group forward_to_aaron
                }
            }
            log disable
            protocol tcp_udp
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
        rule 3 {
            action accept
            description "accept nas portforwards"
            destination {
                address 192.168.1.25
                group {
                    port-group forward_to_nas
                }
            }
            log disable
            protocol tcp_udp
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
        rule 4 {
            action accept
            description "accept all traffic on linode vpn"
            log disable
            protocol all
            source {
                group {
                    network-group linode_afitz_net
                }
            }
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        enable-default-log
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
    }
    options {
        mss-clamp {
            mss 1412
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 192.168.1.1/24
        description "Trusted LAN"
        duplex auto
        speed auto
    }
    ethernet eth1 {
        description "Internet (PPPoE)"
        duplex auto
        pppoe 0 {
            default-route auto
            firewall {
                in {
                    name WAN_IN
                }
                local {
                    name WAN_LOCAL
                }
            }
            mtu 1492
            name-server auto
            password ...
            user-id ...
        }
        speed auto
    }
    ethernet eth2 {
        address 192.168.2.1/24
        description "Guest LAN"
        duplex auto
        speed auto
    }
    loopback lo {
    }
    openvpn vtun0 {
        config-file /config/user-data/openvpn/openvpn-client.conf
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN1 {
            authoritative disable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                lease 86400
                start 192.168.1.155 {
                    stop 192.168.1.254
                }
                static-mapping ..
            }
        }
        shared-network-name LAN2 {
            authoritative disable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 192.168.2.1
                lease 86400
                start 192.168.2.21 {
                    stop 192.168.2.240
                }
            }
        }
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth0
            listen-on eth2
        }
    }
    gui {
        https-port 443
    }
    nat {
        rule 1 {
            description "nas port forwards"
            destination {
                group {
                    port-group forward_to_nas
                }
            }
            inbound-interface pppoe0
            inside-address {
                address 192.168.1.25
            }
            log enable
            protocol tcp_udp
            type destination
        }
        rule 2 {
            description "aaron port forwards"
            destination {
                group {
                    port-group forward_to_aaron
                }
            }
            inbound-interface pppoe0
            inside-address {
                address 192.168.1.3
            }
            log enable
            protocol tcp_udp
            type destination
        }
        rule 3 {
            description "NAT Reflection forwards to NAS"
            destination {
                group {
                    address-group ADDRv4_pppoe0
                    port-group forward_to_nas
                }
            }
            inbound-interface eth0
            inside-address {
                address 192.168.1.25
            }
            log disable
            protocol tcp_udp
            type destination
        }
        rule 4 {
            description "NAT Reflection forwards to aaron"
            destination {
                group {
                    address-group ADDRv4_pppoe0
                    port-group forward_to_aaron
                }
            }
            inbound-interface eth0
            inside-address {
                address 192.168.1.3
            }
            log disable
            protocol tcp_udp
            type destination
        }
        rule 5000 {
            description "MASQ for Linode VPN"
            destination {
                group {
                }
            }
            log enable
            outbound-interface vtun0
            outside-address {
            }
            protocol all
            source {
                group {
                    network-group linode_afitz_net
                }
            }
            type masquerade
        }
        rule 5001 {
            description "MASQ for NAT Reflection"
            destination {
                address 192.168.1.0/24
            }
            log disable
            outbound-interface eth0
            protocol tcp_udp
            source {
                address 192.168.1.0/24
            }
            type masquerade
        }
        rule 5002 {
            description "MASQ for Internet"
            log disable
            outbound-interface pppoe0
            protocol all
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    upnp {
        listen-on eth0 {
            outbound-interface eth1
        }
    }
}
system {
    host-name FitzEdgeRouter
    login {
        user ...
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    package {
        repository squeeze {
            components "main contrib non-free"
            distribution squeeze
            password ""
            url http://http.us.debian.org/debian
            username ""
        }
        repository squeeze-security {
            components main
            distribution squeeze/updates
            password ""
            url http://security.debian.org
            username ""
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
        host 192.168.1.25 {
            facility all {
                level err
            }
        }
    }
    time-zone America/Chicago
}


Previous Employee
Posts: 13,551
Registered: 06-10-2011
Kudos: 5480
Solutions: 1656
Contributions: 2

Re: Help with NATting a point-to-point VPN

Could you provide more details on what the exact NAT issue is now with the new config?

New Member
Posts: 7
Registered: 05-14-2014

Re: Help with NATting a point-to-point VPN

It's been hectic around here; so finally getting back to this.

The VPN tunnel itself is OK. I can, from the ERL, ping the VPN server at 10.8.0.1. I can also ping the ERL from the other side of the VPN connection.

The problem I'm having is routing between the LAN 192.168.1.0/24 and the VPN server. When I ping from a PC on the 192.168.1.0 network, I can see the ping going out to the ERL. I can also see the masquerade stat count increase on the ERL. However, the PC never gets a response. I'm not sure how to track where this packet is lost.

The ERL has the correct routing table since it's able to ping across the VPN. So would that leave the firewall dropping the data? Am I missing any rules? 

Emerging Member
Posts: 44
Registered: 05-20-2014
Kudos: 12
Solutions: 2

Re: Help with NATting a point-to-point VPN

Do you have the ability to disconnect nonessential devices on both ends and open the firewall on both sides? It's usually easier to troubleshoot NAT without the firewall, just to make sure.

Emerging Member
Posts: 44
Registered: 05-20-2014
Kudos: 12
Solutions: 2

Re: Help with NATting a point-to-point VPN

Success. After a second reboot, it took.

It was not adding interface l2tp0 to my zone policy. The following are for zone-based firewall and are not complete.

Firewall

rule 510 {
    action accept
    description "Allow IKE traffic to ERL"
    destination {
        port 500
    }
    log disable
    protocol udp
}
rule 520 {
    action accept
    description "Allow ESP traffic to ERL"
    log disable
    protocol esp
}
rule 530 {
    action accept
    description "Allow NAT-T traffic to ERL"
    destination {
        port 4500
    }
    log disable
    protocol udp
}


Nat

rule 5040 {
    description "Masquerade VPN subnet"
    disable
    log disable
    outbound-interface eth0
    protocol all
    source {
        address 10.90.91.0/24
    }
    type masquerade
}


VPN

vpn {
    ipsec {
        disable-uniqreqids
        esp-group ESP_GROUP {
            compression disable
            lifetime 1800
            mode tunnel
            pfs disable
            proposal 1 {
                encryption aes128
                hash sha1
            }
        }
        ike-group IKE_GROUP {
            lifetime 28800
            proposal 1 {
                dh-group 2
                encryption aes128
                hash sha1
            }
        }
        ipsec-interfaces {
            interface eth0
        }
        logging {
            log-modes all
            log-modes control
        }
        nat-networks {
            allowed-network 0.0.0.0/0 {
            }
        }
        nat-traversal enable
    }
    l2tp {
        remote-access {
            authentication {
                local-users {
                    username **** {
                        password ****
                    }
                }
                mode local
            }
            client-ip-pool {
                start 10.90.91.1
                stop 10.90.91.10
            }
            dns-servers {
                server-1 8.8.8.8
                server-2 8.8.4.4
            }
            ipsec-settings {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****
                }
                ike-lifetime 3600
            }
            mtu 1500
            outside-address ****Static
            outside-nexthop ****Gateway
        }
    }
}


Zone Policy

zone-policy zone LAN {
    default-action drop
    from GUEST_WLAN {
        firewall {
            name GUEST_WLAN-LAN
        }
    }
    from LOCAL {
        firewall {
            name LOCAL-LAN
        }
    }
    from WAN {
        firewall {
            name WAN-LAN
        }
    }
    from WLAN {
        firewall {
            name WLAN-LAN
        }
    }
    interface eth1
    interface vtun0
    interface l2tp0
}


Previous Employee
Posts: 13,551
Registered: 06-10-2011
Kudos: 5480
Solutions: 1656
Contributions: 2

Re: Help with NATting a point-to-point VPN

[ Edited ]

@aaronfitz wrote:

The problem I'm having is routing between the LAN 192.168.1.0/24 and the VPN server. When I ping from a PC on the 192.168.1.0 network, I can see the ping going out to the ERL. I can also see the masquerade stat count increase on the ERL. However, the PC never gets a response. I'm not sure how to track where this packet is lost.


From the config, the masquerade rule for the VPN looks like:

        rule 5000 {
            description "MASQ for Linode VPN"
            outbound-interface vtun0
            protocol all
            source {
                group {
                    network-group linode_afitz_net
                }
            }
            type masquerade
        }

but the source match, group "linode_afitz_net" is defined as 10.8.0.0/24, which doesn't seem correct? If I understand your description correctly, shouldn't the NAT rule be applied to traffic whose source is 192.168.1.0/24 instead?
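The two faults the replies in this thread identify (a masquerade rule bound to `tun0` while the interface is named `vtun0`, and a source match on the remote tunnel subnet 10.8.0.0/24 instead of the local 192.168.1.0/24) can both be caught by reading the configuration text itself. The following is an added example, not code from this thread or from Ubiquiti: a small Python lint that parses EdgeOS `show configuration`-style brace output and flags both conditions. It assumes only the config syntax shown in this thread; the function names are the example's own, and the embedded sample is a constructed, trimmed copy of the original poster's first config, checked once as posted and once with the corrected rule.

```python
"""Lint EdgeOS NAT masquerade rules for the two mistakes in this thread (added example)."""
import ipaddress

def _as_list(value):
    # A leaf is a string, a list when the key repeated, or None when absent.
    return [] if value is None else value if isinstance(value, list) else [value]

def _put(node, key, value):
    # Repeated keys (several 'network' lines in one group) collect into a list.
    node[key] = _as_list(node.get(key)) + [value] if key in node else value

def parse_edgeos(text):
    """Parse 'show configuration' brace text into nested dicts: 'rule 5000 {' becomes
    a dict key, 'type masquerade' a key -> value leaf, a bare flag becomes True."""
    root = {}
    stack = [root]
    for line in (raw.strip() for raw in text.splitlines() if raw.strip()):
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            block = {}
            _put(stack[-1], line[:-1].strip(), block)
            stack.append(block)
        else:
            key, _, value = line.partition(" ")
            _put(stack[-1], key, value.strip() or True)
    if len(stack) != 1:
        raise ValueError("unbalanced braces in config text")
    return root

def interface_names(cfg):
    # Names the config defines ('openvpn vtun0' -> 'vtun0'); pppoe/vif sub-interfaces not expanded.
    return {header.split()[-1] for header in cfg.get("interfaces", {})}

def local_networks(cfg):
    # Subnets attached via 'address a.b.c.d/len' on an interface ('address dhcp' is skipped).
    nets = []
    for body in cfg.get("interfaces", {}).values():
        for addr in _as_list(body.get("address") if isinstance(body, dict) else None):
            if "/" in addr:
                nets.append(ipaddress.ip_interface(addr).network)
    return nets

def rule_source_networks(rule, cfg):
    # Networks the rule's 'source' clause matches after resolving network-groups; [] = any source.
    src = rule.get("source", {})
    nets = [ipaddress.ip_network(a, strict=False) for a in _as_list(src.get("address"))]
    for name in _as_list(src.get("group", {}).get("network-group")):
        group = cfg.get("firewall", {}).get("group", {}).get("network-group " + name, {})
        nets += [ipaddress.ip_network(n) for n in _as_list(group.get("network"))]
    return nets

def lint_masquerade(cfg):
    """One finding per masquerade rule that cannot translate LAN traffic as written."""
    findings, ifaces, lans = [], interface_names(cfg), local_networks(cfg)
    for header, rule in cfg.get("service", {}).get("nat", {}).items():
        if not isinstance(rule, dict) or rule.get("type") != "masquerade":
            continue
        out_if = rule.get("outbound-interface")
        if out_if not in ifaces:  # 'tun0' while the interface is 'vtun0': rule never matches
            findings.append(f"{header}: outbound-interface {out_if!r} is not a configured "
                            f"interface (known: {', '.join(sorted(ifaces))})")
        srcs = rule_source_networks(rule, cfg)
        if srcs and not any(s.overlaps(lan) for s in srcs for lan in lans):
            findings.append(f"{header}: source {', '.join(map(str, srcs))} is not a locally "
                            f"attached subnet, so LAN traffic leaves {out_if} untranslated")
    return findings

# Constructed sample: a trimmed copy of the poster's first configuration.
CONFIG_TEMPLATE = """\
firewall {
    group {
        network-group linode_afitz_net {
            network 10.8.0.0/24
        }
    }
}
interfaces {
    ethernet eth0 {
        address 192.168.1.1/24
    }
    openvpn vtun0 {
        config-file /config/user-data/openvpn/openvpn-client.conf
    }
}
service {
    nat {
        rule 5000 {
            outbound-interface %(out_if)s
            source {
                %(source)s
            }
            type masquerade
        }
    }
}
"""
BROKEN_CONFIG = CONFIG_TEMPLATE % {"out_if": "tun0",
                                   "source": "group {\n network-group linode_afitz_net\n }"}
FIXED_CONFIG = CONFIG_TEMPLATE % {"out_if": "vtun0", "source": "address 192.168.1.0/24"}

if __name__ == "__main__":
    for text in (BROKEN_CONFIG, FIXED_CONFIG):
        print(lint_masquerade(parse_edgeos(text)) or "no findings")
```

The interface check catches the `dev tun` versus `dev-type tun` naming problem raised earlier in the thread (a rule on `tun0` never matches when the kernel interface is `vtun0`); the source check is the accepted answer's point: a masquerade rule applied at `outbound-interface vtun0` must match the traffic that needs translating, i.e. packets from the LAN, not packets that already carry a tunnel address. Sub-interfaces such as `pppoe0` are not expanded here, so a production copy would need to add that before it stops flagging the Internet masquerade rule.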

New Member
Posts: 7
Registered: 05-14-2014

Re: Help with NATting a point-to-point VPN


@UBNT-ancheng wrote:

@aaronfitz wrote:

The problem I'm having is routing between the LAN 192.168.1.0/24 and the VPN server. When I ping from a PC on the 192.168.1.0 network, I can see the ping going out to the ERL. I can also see the masquerade stat count increase on the ERL. However, the PC never gets a response. I'm not sure how to track where this packet is lost.


From the config, the masquerade rule for the VPN looks like:

        rule 5000 {
            description "MASQ for Linode VPN"
            outbound-interface vtun0
            protocol all
            source {
                group {
                    network-group linode_afitz_net
                }
            }
            type masquerade
        }

but the source match, group "linode_afitz_net" is defined as 10.8.0.0/24, which doesn't seem correct? If I understand your description correctly, shouldn't the NAT rule be applied to traffic whose source is 192.168.1.0/24 instead?


Aha! That's the ticket. Stupid mistake on my part.

I disabled the firewall and moved this network group match to destination instead of source. I can now ping 10.8.0.0/24 from 192.168.1.0/24. Thanks.

This evening I'll rebuild the firewall and will check back in if I have any problems.