GL-MT300N-V2 - Help in how to route all traffic: WAN - LAN and OpenVPN - LAN

Hello,

I have a GL-MT300N-V2 connected to another router “home router” (GL-MT300N-V2 WAN port to main router LAN port with a static IP address).
Also, I have another device connected to the GL-MT300N-V2 LAN port; this device has its own web configuration interface.

On the GL-MT300N-V2 I have configured an OpenVPN connection to an external OpenVPN server (that works correctly).

I need to configure the GL-MT300N-V2 in order to:

  1. If a user connects to the OpenVPN server and types the GL-MT300N-V2 VPN IP address, it must be forwarded to the web interface into the IP address of the device connected to the GL-MT300N-V2 LAN port.

  2. If a user tries to connect to the GL-MT300N-V2 inside the home network (typing the GL-MT300N-V2 IP address), it must be forwarded to the web interface into the IP address of the device connected to the GL-MT300N-V2 LAN port.

In other words, I need to make the GL-MT300N-V2 transparent to the connection in both VPN and WAN to LAN connections.

Please, can anyone help me?

Thank you

It’s simple to implement with DNAT.

Hello,

thank you for your answer.
Have you a tutorial or a doc page where to see how to implement DNAT?

Thank you

For example, if you want to redirect all traffic to a LAN device whose IP address is 192.168.8.123, edit /etc/config/firewall and add these lines:

config redirect               
        option target 'DNAT'   
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option dest_port '80'
        option name 'test'      
        option dest_ip '192.168.8.123'
        option src_dport '80'

For more details, see the Firewall Redirect Docs.

Thank you for your help

:blush:

Hello again,

I have tried your settings for both WAN to LAN and VPN_zone to LAN but none of them work.
These are my settings added to the firewall.

config redirect 'wan_lan'
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option dest_port '80'
        option name 'wan_lan'
        option dest_ip '172.16.0.1'
        option src_dport '80'

config redirect 'vpn_lan'
        option target 'DNAT'
        option src 'VPN_client'
        option dest 'lan'
        option proto 'tcp udp'
        option dest_port '80'
        option name 'vpn_lan'
        option dest_ip '172.16.0.1'
        option src_dport '80'

I have also changed the redirect for wan and VPN zones from reject to accept but it does not work.

Could you draw a topology and specify the IP addresses for me? If you do, it will be convenient for me to find a solution.

First of all, thank you for your support :blush:

I have modified my image adding all the IP address, let me know if you need more info.

I’ll try to better explain my needs:

Every device I build has inside a GL-MT300N-V2 with its own OpenVPN client certificate and its unique IP address (I have written a series of IP addresses in the image only to explain); we can use 10.210.0.11 as an example.

  1. If a user connects to the OpenVPN server and types the GL-MT300N-V2 VPN IP address, it must be forwarded to the web interface into the IP address of the device connected to the GL-MT300N-V2 LAN port.

  2. If a user tries to connect to the GL-MT300N-V2 inside the home network (typing the GL-MT300N-V2 IP address), it must be forwarded to the web interface into the IP address of the device connected to the GL-MT300N-V2 LAN port.

Only the system administrator can access the GL-MT300N-V2 with ssh or through the GL-MT300N-V2 WiFi port and use the GL-MT300N-V2 admin web interface.

Thank you

On the MT300N-V2, you missed opening the port; the firewall configuration is as below:

config redirect                                   
		option target 'DNAT'   
		option src 'wan'       
		option dest 'lan'      
		option proto 'tcp udp'    
		option dest_port '80' 
		option name 'wan_lan'     
		option dest_ip '172.16.0.1'
		option src_dport '80'

config rule 
		option name 'Allow-web'
		option dest_port '80'
		option proto 'tcp udp'
		option src 'wan'
		option target 'ACCEPT'

config redirect                                   
		option target 'DNAT'   
		option src 'VPN_client'       
		option dest 'lan'      
		option proto 'tcp udp'    
		option dest_port '80' 
		option name 'vpn_lan'     
		option dest_ip '172.16.0.1'
		option src_dport '80'

Besides, port 80 should be open on your LAN device.
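A check that can be run over a copy of /etc/config/firewall before reloading it, given here as an added example that is not part of any post in this thread: it rejects typographic quotes (which UCI does not treat as quoting) and flags DNAT redirects whose src zone is not defined or that expose the forwarded port to every host on wan. The zone sections in the sample and the function names are assumptions; the thread does not show the router's zone list.

```python
import re
import shlex

# Constructed sample in the style of the configs posted in this thread; the
# zone sections are assumptions, since the thread never shows them.
SAMPLE = """
config zone
        option name 'lan'
config zone
        option name 'wan'
config redirect
        option name 'wan_lan'
        option src 'wan'
        option dest_ip '172.16.0.1'
        option src_dport '80'
config redirect
        option name 'vpn_lan'
        option src 'VPN_client'
        option dest_ip '172.16.0.1'
        option src_dport '80'
"""

def parse_uci(text):
    """Return a list of (section_type, {option: value}) from UCI text."""
    sections = []
    for line in text.splitlines():
        if re.search("[\u2018\u2019\u201c\u201d]", line):
            raise ValueError("typographic quote in: " + line.strip())
        tok = shlex.split(line, comments=True)
        if len(tok) >= 2 and tok[0] == "config":
            sections.append((tok[1], {}))
        elif len(tok) == 3 and tok[0] == "option" and sections:
            sections[-1][1][tok[1]] = tok[2]
    return sections

def audit_redirects(text):
    """Flag DNAT redirects with an undefined src zone or open WAN exposure."""
    sections = parse_uci(text)
    zones = {o.get("name") for t, o in sections if t == "zone"}
    findings = []
    for t, o in sections:
        if t != "redirect" or o.get("target", "DNAT") != "DNAT":
            continue  # only DNAT redirects (the default target) are audited
        name, src = o.get("name", "?"), o.get("src")
        if src not in zones:  # zone names are matched exactly, case included
            findings.append((name, "src zone %r is not defined" % src))
        elif src == "wan" and "src_ip" not in o:
            findings.append((name, "reachable from any wan host"))
    return findings
```

Adding an `option src_ip` to the wan redirect limits which upstream hosts can reach the forwarded web interface and clears the second kind of finding.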

It does not work. In both cases, when I type the LAN or VPN IP address, the MT300N-V2 opens its own web interface after the 2 seconds message.

Also, if I enable the VPN forwarding, after the 2 seconds message, /HTML/ appears after the typed IP address, followed by a connection error.
I have added your suggested config rule and I have tried to add another forward rule but without success.
Would it help if I upload my configuration backup?
If yes, do you need all the zip archive or only specific files?

Thank you

Does wan to lan work? It works for my testing. It’s okay to send me your zip archive file.

Hello, sorry for the delay to answer.
Here you can find the configuration archive:

https://www.luxolab.com/glinet/backup-GL-MT300N-V2-2018-07-05.tar.gz

root password is: admin

I have deleted from it my OpenVPN certificate, please upload your own.

This is the result of my tests:

  1. Ethernet Wan to Lan redirect: Does not work

  2. WiFi to Lan: Works, I can configure the router at 172.16.0.254 and my device at 172.16.0.1

  3. OpenVPN to Lan: Does not work, also I need to disable the forward rule to connect again to the configuration interface of GL-MT300N-V2.

Thank you

Hello kyson-lok,

have you tried with my configuration backup?

Thank you

You need to use @kyson-lok so that he can get a ping.

Not yet, I will test it tomorrow.

Ok, thank you. :blush:

@lumiere Hey! I restored from your configuration archive, and WAN to LAN and VPN to LAN are both okay. I think the issue lies in the LAN device; you can use a gli router instead of your LAN device and try again.

@kyson-lok thank you for your answer.
Sorry but I don’t understand.
You say in a previous reply:

Does wan to lan work? It works for my testing. It’s okay to send me your zip archive file.

What are the differences between your configuration and mine?
Can you share your configuration to test in my device?

No difference, I used your archive to test. As you know, restore the backup with LuCI. If you have any questions, I can provide online support via TeamViewer.

@kyson-lok, thank you for your support.
It’s ok for me to give you a TeamViewer access.

I don’t understand what you mean with:

GL-MT300N-V2 is connected to my LAN but I have made some test in two different locations without success.
Please let me know what you need to connect in order to help me.

Thank you