GL-MT300N-V2 - Help in how to route all traffic: WAN - LAN and OpenVPN - LAN

lumiere · 2018-07-02T11:35:59.181Z

Hello,

thank you for your answer.
Have you a tutorial or a doc page where to see how to implement DNAT?

Thank you

kyson-lok · 2018-07-02T15:48:14.027Z

For example, if you want to redirect all traffic to lan device which ip address is 192.168.8.123, edit /etc/config/firewall and add those lines:

config redirect               
        option target 'DNAT'   
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option dest_port '80'
        option name 'test'      
        option dest_ip '192.168.8.123'
        option src_dport '80'

For more details Firewall Redirect Docs.

lumiere · 2018-07-02T18:07:57.938Z

Thank you for your help

lumiere · 2018-07-03T14:22:19.915Z

Hello again,

I have tried your settings for both WAN to LAN and VPN_zone to LAN but none of them work.
These are my settings added to the firewall.


config redirect ‘wan_lan’

option target ‘DNAT’

option src ‘wan’

option dest ‘lan’

option proto ‘tcp udp’

option dest_port ‘80’

option name ‘wan_lan’

option dest_ip ‘172.16.0.1’

option src_dport ‘80’
config redirect ‘vpn_lan’

option target ‘DNAT’

option src ‘VPN_client’

option dest ‘lan’

option proto ‘tcp udp’

option dest_port ‘80’

option name ‘vpn_lan’

option dest_ip ‘172.16.0.1’

option src_dport ‘80’

I have also change the redirect for wan and VPN zones from reject to accept but it does not work.

kyson-lok · 2018-07-03T15:43:16.629Z

Could you draw a topology and specify ip address for me? If it doese, it’s convenient for me to have a solution.

lumiere · 2018-07-03T18:37:39.507Z

First of all, thank you for your support

I have modified my image adding all the IP address, let me know if you need more info.

I’ll try to better explain my needs:

Every device I build has inside a GL-MT300N-V2 with its own OpenVPN client certificate and it’s unique IP address (I have written a series of IP address in the image only to explain), we can user 10.210.0.11 as an example.

If a user connects to the OpenVPN server and types the GL-MT300N-V2 VPN IP address, it must be forwarded to the web interface into the IP address of the device connected to the GL-MT300N-V2 LAN port.
If a user tries to connect to the GL-MT300N-V2 inside the home network (typing the GL-MT300N-V2 IP Address, it must be forwarded to the web interface into the IP address of the device connected to the GL-MT300N-V2 LAN port.

Only the system administrator can access to the GL-MT300N-V2 with ssh or thought the GL-MT300N-V2 WiFi port and use the GL-MT300N-V2 admin web interface.

Connection3238×2341 557 KB

Thank you

kyson-lok · 2018-07-04T04:41:26.187Z

On MT300N-V2, you missed open port, the firewall configuration as below:

config redirect                                   
		option target 'DNAT'   
		option src 'wan'       
		option dest 'lan'      
		option proto 'tcp udp'    
		option dest_port '80' 
		option name 'wan_lan'     
		option dest_ip '172.16.0.1'
		option src_dport '80'

config rule 
		option name 'Allow-web'
		option dest_port '80'
		option proto 'tcp udp'
		option src 'wan'
		option target 'ACCEPT'

config redirect                                   
		option target 'DNAT'   
		option src 'VPN_client'       
		option dest 'lan'      
		option proto 'tcp udp'    
		option dest_port '80' 
		option name 'vpn_lan'     
		option dest_ip '172.16.0.1'
		option src_dport '80'

Besides, the 80 port should be opened on your LAN device.

lumiere · 2018-07-04T10:19:36.034Z

Does not work, in both cases, when I type the LAN or VPN IP address, the MT300N-V2 open its own web interface after the 2 seconds message.

Also, If I enable the VPN forwarding, after the 2 seconds message, after the digited IP address appears /HTML/ and a connection error.
I have added your suggested config rule and I have tried to add another forward rule but without success.
Can help if I upload my configuration backup?
If yes, do you need all the zip archive or only specific files?

Thank you

kyson-lok · 2018-07-05T01:25:55.446Z

Does wan to lan work? It works for my testing. It’s okay to send me your zip archive file.

%E5%BE%AE%E4%BF%A1%E5%9B%BE%E7%89%87_201807050908593236×2924 698 KB

lumiere · 2018-07-06T08:03:13.922Z

Hello, sorry for the delay to answer.
Here you can find the configuration archive:

https://www.luxolab.com/glinet/backup-GL-MT300N-V2-2018-07-05.tar.gz

root password is: admin

I have deleted from it my OpenVPN certificate, please upload your own.

This is the result of my tests:

Ethernet Wan to Lan redirect: Does not work
WiFi to Lan:Work, I can configure the router at 172.16.0.254 and my device at 172.16.0.1
OpenVPN to Lan: Does not work, also I need to disable the forward rule to connect again to the configuration interface of GL-MT300N-V2.

Thank you

lumiere · 2018-07-10T14:15:39.842Z

Hello kyson-lok,

have you tried with my configuration backup?

Thank you

alzhao · 2018-07-11T05:28:52.389Z

You need to use @kyson-lok so that he can get a ping.

kyson-lok · 2018-07-11T13:49:51.812Z

Not yet, will testing it tomorrow.

lumiere · 2018-07-11T14:23:33.374Z

Ok, thank you.

kyson-lok · 2018-07-14T01:56:31.169Z

@lumiere Hey! I restore from your configuration achieve, it’s okay that WAN to LAN and VPN to LAN. I think the issue lie in the LAN device, you can use gli router instead of your LAN device, and try again.

lumiere · 2018-07-15T10:32:00.716Z

@kyson-lok thank you for your answer.
Sorry but I don’t understand.
You say in a previous reply:

Does wan to lan work? It works for my testing. It’s okay to send me your zip archive file.

What are the differences between your and mine configuration?
Can you share your configuration to test in my device?

kyson-lok · 2018-07-16T14:32:51.284Z

Not difference, I use your archive to test. As you know, restore backup by luci. If you have any question, I can online support via teamviewer.

lumiere · 2018-07-16T16:56:32.012Z

@kyson-lok, thank you for your support.
It’s ok for me to give you a TeamViewer access.

I don’t understand what you mean with:

kyson-lok:

I think the issue lie in the LAN device, you can use gli router instead of your LAN device, and try again.

GL-MT300N-V2 is connected to my LAN but I have made some test in two different locations without success.
Please let me know what you need to connect in order to help me.

Thank you

kyson-lok · 2018-07-17T00:50:37.769Z

Hi guy! What I mean the LAN device is this one.

%E5%9B%BE%E7%89%87

lumiere · 2018-07-17T07:05:33.793Z

Hi @kyson-lok,

It’s not a problem with the LAN device.
It’s a simple device without particular functions except setting the IP address.
In fact, I can reach it but only If I connect to the wireless LAN of the GL-MT300N-V2.

Connecting to the Wireless, my client obtains an IP address (172.16.0.X) and I’m able to type 172.16.0.1 and see my LAN device interface.

It’s like the firewall does not route from WAN to LAN and VPN to LAN.