OpenVPN Server Configuration

Did you exchange eth1 with wlan0?

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 10.8.0.0/24 192.168.0.0/24 ctstate NEW
ACCEPT all -- 10.8.0.0/24 anywhere ctstate NEW
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- 10.8.0.0/24 192.168.0.0/24 ctstate NEW

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

yeah

root@osmc:/etc# tcpdump -i wlan0 host 8.8.8.8
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlan0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:12:59.999984 IP 10.8.0.2 > dns.google: ICMP echo request, id 1, seq 169, length 40
16:13:02.270081 IP 10.8.0.2.58751 > dns.google.domain: 58148+ A? update.googleapis.com. (39)
16:13:04.780300 IP 10.8.0.2 > dns.google: ICMP echo request, id 1, seq 170, length 40
16:13:05.257970 IP 10.8.0.2.58751 > dns.google.domain: 58148+ A? update.googleapis.com. (39)
16:13:05.540419 IP 10.8.0.2.58497 > dns.google.domain: 60177+ A? mobile.pipe.aria.microsoft.com. (48)
16:13:08.550027 IP 10.8.0.2.58497 > dns.google.domain: 60177+ A? mobile.pipe.aria.microsoft.com. (48)
16:13:09.283659 IP 10.8.0.2.58751 > dns.google.domain: 58148+ A? update.googleapis.com. (39)
16:13:09.770371 IP 10.8.0.2 > dns.google: ICMP echo request, id 1, seq 171, length 40
16:13:10.390256 IP 10.8.0.2.59760 > dns.google.domain: 12255+ A? skype.msz.su. (30)
16:13:12.550337 IP 10.8.0.2.58497 > dns.google.domain: 60177+ A? mobile.pipe.aria.microsoft.com. (48)
16:13:13.399991 IP 10.8.0.2.59760 > dns.google.domain: 12255+ A? skype.msz.su. (30)
16:13:14.780335 IP 10.8.0.2 > dns.google: ICMP echo request, id 1, seq 172, length 40
16:13:15.054539 IP 10.8.0.2.57829 > dns.google.domain: 51297+ A? clients2.google.com. (37)
16:13:17.401430 IP 10.8.0.2.59760 > dns.google.domain: 12255+ A? skype.msz.su. (30)
16:13:18.061914 IP 10.8.0.2.57829 > dns.google.domain: 51297+ A? clients2.google.com. (37)
16:13:27.080173 IP 10.8.0.2.50924 > dns.google.domain: 61171+ A? clients2.google.com. (37)
16:13:30.060516 IP 10.8.0.2.50924 > dns.google.domain: 61171+ A? clients2.google.com. (37)
16:13:33.060196 IP 10.8.0.2.51888 > dns.google.domain: 41706+ A? update.googleapis.com. (39)
16:13:34.059958 IP 10.8.0.2.50924 > dns.google.domain: 61171+ A? clients2.google.com. (37)
16:13:35.982523 IP 10.8.0.2.55534 > dns.google.domain: 32348+ A? dns.google. (28)
16:13:36.060012 IP 10.8.0.2.51888 > dns.google.domain: 41706+ A? update.googleapis.com. (39)
16:13:39.000566 IP 10.8.0.2.55534 > dns.google.domain: 32348+ A? dns.google. (28)
16:13:39.154575 IP 10.8.0.2.51375 > dns.google.domain: 57452+ A? 9.tlu.dl.delivery.mp.microsoft.com. (52)
16:13:40.077584 IP 10.8.0.2.51888 > dns.google.domain: 41706+ A? update.googleapis.com. (39)

So the masquerade rule is not working.

Show iptables -t nat -L -n -v

root@osmc:/etc# iptables-legacy -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 349 packets, 29716 bytes)
pkts bytes target prot opt in out source destination

Chain INPUT (policy ACCEPT 49 packets, 6935 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 35 packets, 2509 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 335 packets, 25290 bytes)
pkts bytes target prot opt in out source destination

So you are sure you ran this iptables -t nat -I POSTROUTING -o wlan0 -s 10.8.0.0/24 -j MASQUERADE

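The diagnosis above rests on one observation: packets captured on the egress interface still carry a 10.8.0.x source, so POSTROUTING is not rewriting them. The script below is an added example (not part of the thread and not OSMC's or OpenVPN's own tooling) that automates that check over saved tcpdump output: it extracts the source address of every IP line, tolerates the ".port" suffix and the resolved hostnames tcpdump prints without -n, and reports the distinct sources that fall inside the tunnel subnet. The tunnel subnet 10.8.0.0/24 and the sample capture are assumptions; the sample is constructed from the format of the capture above, not taken from a real box.

```sh
#!/bin/sh
# Added example (not from the thread): flag packets leaving the egress
# interface whose source address is still inside the VPN tunnel subnet.
# After a working MASQUERADE every packet on wlan0 should carry the Pi's own
# address as source; tunnel addresses showing up there mean the POSTROUTING
# rule is not rewriting them.
# Assumptions: IPv4 only, tcpdump's default line format (with or without -n),
# and a constructed sample capture for offline use.

# ip4_to_int 10.8.0.2 -> 168296450
ip4_to_int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET/BITS -> exit 0 if IP lies inside NET/BITS (BITS 1..32)
in_cidr() {
    local ip net bits mask
    ip=$(ip4_to_int "$1")
    net=$(ip4_to_int "${2%/*}")
    bits="${2#*/}"
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# tunnel_sources NET/BITS < capture
# Reads tcpdump output on stdin and prints, once each, the source addresses
# that fall inside NET/BITS. The source is the field after "IP"; tcpdump
# appends ".port" for TCP/UDP, so keep only the first four numeric octets and
# skip hostnames (seen when tcpdump runs without -n).
tunnel_sources() {
    awk '$2 == "IP" {
        n = split($3, a, ".")
        if (n >= 4 && a[1] ~ /^[0-9]+$/ && a[4] ~ /^[0-9]+$/)
            print a[1] "." a[2] "." a[3] "." a[4]
    }' | sort -u | while read -r src; do
        if in_cidr "$src" "$1"; then
            echo "$src"
        fi
    done
}

# Constructed sample: two leaking tunnel clients, one already-masqueraded
# packet from the Pi's LAN address, and a hostname source that is ignored.
SAMPLE_CAPTURE='16:12:59.999984 IP 10.8.0.2 > dns.google: ICMP echo request, id 1, seq 169, length 40
16:13:02.270081 IP 10.8.0.2.58751 > dns.google.domain: 58148+ A? update.googleapis.com. (39)
16:13:03.100000 IP 10.8.0.3.40001 > 8.8.8.8.53: 11111+ A? example.com. (29)
16:13:04.200000 IP 192.168.0.20.40002 > 8.8.8.8.53: 22222+ A? example.com. (29)
16:13:05.300000 IP osmc.local.40003 > 8.8.8.8.53: 33333+ A? example.com. (29)'

# Usage: tcpdump -n -i wlan0 -c 200 host 8.8.8.8 > cap.txt
#        sh leakcheck.sh 10.8.0.0/24 < cap.txt
# Without an argument the script only defines the functions and the sample.
if [ -n "${1:-}" ]; then
    tunnel_sources "$1"
fi
```

Any address the script prints is a tunnel client whose traffic is leaving the box un-NATed; an empty result over a capture that does contain the client's traffic means masquerading is in place. Run the capture with -n where possible so the script sees addresses rather than resolved names.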

ooh hold on. I've just run this command and this is the output of "iptables -t nat -L -n -v"

root@osmc:/etc# iptables-legacy -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * wlan0 10.8.0.0/24 0.0.0.0/0

and there we go. successful pings to 8.8.8.8 from client

Successful ping tests to a variety of internal 192.168.0.x addresses and web access to local web services and external WWW sites. @fzinken you've done it again pal!

My testing set up is on a W10 laptop, usually I would be using a PC to access the Pi remotely, would a solution be so simple as to copy the .ovpn profile to the PC and the solution should work seamlessly?

yes

Just tested with wifi dongle and iPhone tether and I can connect to the Pi remotely with the same .ovpn profile. Thanks again @fzinken you're the best!

@fzinken I've just installed the Pi at my remote site (parents' house) and configured normal port forwarding rules on the router to allow remote connection. For some reason the MASQUERADE mode was disabled when I'd set the Pi up at my parents' house and therefore could not remotely navigate to LAN/WWW addresses. I ran the

command again and now all is well and I can reach the places I need to with no problem. Any ideas why the Pi reverted back to disabling the MASQUERADE setting? And how can I avoid this in the future (is there an iptables config I can hard edit to permanently enable the MASQUERADE mode?)

Did you configure a script to save and restore the settings?

No, I VPN'd to the Pi and manually executed the command. Then I was able to navigate to WWW and internal LAN web services. I'm a Linux novice, would a script be as simple as putting the "iptables -t nat -I POSTROUTING -o wlan0 -s 10.8.0.0/24 -j MASQUERADE" in a file, making it executable, and running that file as a cron job every day?

Just check these solutions and try the Debian one.

https://www.poftut.com/how-to-save-and-restore-iptables-rules-permanently-in-ubuntu-centos-fedora-debian-kali-mint/

Hi,

An easier way to save and restore iptables, since it comes with systemd start scripts to restore them, is:

Install the apt package:

sudo apt-get install iptables-persistent

Save rules:

sudo netfilter-persistent save

Restore without reboot:

sudo netfilter-persistent reload

Enable rule restore on start up:

sudo systemctl enable netfilter-persistent

Thanks Tom.

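Two things the thread leaves implicit are worth seeing in working form: re-running "iptables -I ..." from cron stacks duplicate rules (the FORWARD chain earlier in the thread already shows the same 10.8.0.0/24 to 192.168.0.0/24 rule twice, which is exactly what repeating the command does), and what netfilter-persistent actually saves is a rules file in iptables-restore format. The script below is an added example, not code from the thread, OSMC or the iptables-persistent package. It applies the rules idempotently by checking with -C before inserting, and renders the same rules in the iptables-save format that lands in /etc/iptables/rules.v4. The subnets, the wlan0 interface and the IPTABLES variable (so the command can be pointed at iptables-legacy, as on the Pi here, or at a stand-in for a dry run) are assumptions drawn from the values in this thread.

```sh
#!/bin/sh
# Added example (not from the thread): apply the VPN NAT rules idempotently
# and render them in iptables-restore format, which is what
# `netfilter-persistent save` writes to /etc/iptables/rules.v4 and what
# `iptables-restore < file` loads at boot.
# Assumed values, taken from the thread: tunnel subnet, LAN subnet, egress
# interface. IPTABLES can be set to iptables-legacy or to a test stand-in.
VPN_NET="${VPN_NET:-10.8.0.0/24}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
WAN_IF="${WAN_IF:-wlan0}"
IPTABLES="${IPTABLES:-iptables}"

# ensure_rule TABLE CHAIN RULE...
# -C asks the kernel whether an identical rule exists; only insert when it
# does not, so running this from cron or at every boot never stacks copies.
ensure_rule() {
    local table="$1" chain="$2"
    shift 2
    if "$IPTABLES" -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    "$IPTABLES" -t "$table" -I "$chain" "$@"
}

# The three rules this thread ends up with: source NAT for tunnel clients
# leaving via the Wi-Fi interface, and the forwarding rules that matter if the
# FORWARD policy is ever tightened from ACCEPT to DROP.
apply_vpn_nat() {
    ensure_rule nat POSTROUTING -o "$WAN_IF" -s "$VPN_NET" -j MASQUERADE
    ensure_rule filter FORWARD -s "$VPN_NET" -d "$LAN_NET" -m conntrack --ctstate NEW -j ACCEPT
    ensure_rule filter FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
}

# Same rules in iptables-save format, for review or for a hand-written
# /etc/iptables/rules.v4 (counters in [packets:bytes] are reset to zero).
render_rules_v4() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -s $VPN_NET -d $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Usage: sudo IPTABLES=iptables-legacy sh vpn-nat.sh apply
#        sh vpn-nat.sh render > rules.v4
# With no argument the script only defines the functions.
case "${1:-}" in
    apply)  apply_vpn_nat ;;
    render) render_rules_v4 ;;
esac
```

After one "apply" run, "sudo netfilter-persistent save" captures the live tables and the daily cron job becomes unnecessary. One caveat on this particular box: the rule was added with iptables-legacy, and on a system where plain "iptables" is the nftables front end, "iptables-save" will not see legacy rules. Check "iptables-save -t nat" (or "iptables-legacy-save -t nat") shows the MASQUERADE line before trusting the saved file to bring it back at boot.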

Great, have done these commands as specified.

Thanks
