[SOLVED] About Traffic forward from LEDE/subnet via vps to internet

Hi, everyone,
My CentOS box (as VPN client) has been connected to the VPS using strongSwan, and the traffic of the subnet can be forwarded to the internet via the VPS
by adding the iptables rules below:

# eth0 is the WAN interface; eth1 is the LAN interface of the CentOS box
# leave IPsec-bound LAN traffic un-NATed so it still matches the tunnel's traffic selector
iptables -t nat -A POSTROUTING -s 10.0.3.0/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
# everything else from the LAN is masqueraded behind eth0
iptables -t nat -A POSTROUTING -s 10.0.3.0/24 -o eth0 -j MASQUERADE

and the subnet can access eth1 by adding the "bypass-lan" parameter or by adding the route:
ip route add 10.0.3.0/24 dev eth1 src 10.0.3.1 table 220

However, the LEDE box has also been connected to the VPS, but I don't know how to append the iptables rules.
I don't know which table/chain to append to in order to do that.

Thanks!

I guess you can put it in postrouting_rule if you want to use the above rule. But an alternative is to use postrouting_wan_rule (replace wan with the firewall zone of eth0) instead of explicitly using eth0.

iptables -t nat -A postrouting_wan_rule -s 10.0.3.0/24 -m policy --dir out --pol ipsec -j ACCEPT

The second rule with MASQUERADE shouldn't be needed if you enable masquerade on the firewall zone.

BTW, you may also need input and forward rules. I use the following rules:

# nat table: skip DNAT/SNAT for packets that arrive through, or will leave through, an IPsec SA
iptables -t nat -A prerouting_wan_rule -m policy --dir in --pol ipsec -j ACCEPT
iptables -t nat -A postrouting_wan_rule -m policy --dir out --pol ipsec -j ACCEPT
# filter table: new connections arriving over IPsec are forwarded under the vpn zone's policy, or accepted on input
iptables -A forwarding_rule -m policy --dir in --pol ipsec -m conntrack --ctstate NEW -j zone_vpn_forward
iptables -A input_wan_rule -m policy --dir in --pol ipsec -m conntrack --ctstate NEW -j ACCEPT

Put the lines you need in Network > Firewall > Custom Rules in the web UI, or edit /etc/firewall.user directly.
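As an added example (not code from the thread or from the LEDE/OpenWrt project), here is a small POSIX shell script that generates the rule set from the reply above for a given LAN subnet and zone names, installs it into /etc/firewall.user without duplicating it on repeated runs, and checks the result after a reload. The subnet 10.0.3.0/24 and the zone names wan and vpn are assumptions; in particular a zone named vpn must already exist in /etc/config/firewall, otherwise the zone_vpn_forward jump is rejected by iptables when fw3 runs firewall.user.

```shell
#!/bin/sh
# Added example (not from the thread): generate the IPsec passthrough rules for
# a LEDE/OpenWrt fw3 firewall and install them into /etc/firewall.user.
# Assumed values (hypothetical): LAN subnet 10.0.3.0/24, WAN zone "wan",
# and a firewall zone named "vpn" that already exists in /etc/config/firewall.
LAN_SUBNET="${LAN_SUBNET:-10.0.3.0/24}"
WAN_ZONE="${WAN_ZONE:-wan}"
VPN_ZONE="${VPN_ZONE:-vpn}"

# Print the rule set for the given subnet and zone names, wrapped in marker
# lines. The nat ACCEPTs exempt IPsec-policy traffic from SNAT/DNAT so the
# inner packets keep their LAN source address and match the tunnel's traffic
# selector; the filter rules admit new connections arriving over IPsec.
ipsec_rules() {
    subnet=$1; wan=$2; vpn=$3
    cat <<EOF
# --- ipsec passthrough (begin) ---
iptables -t nat -A prerouting_${wan}_rule -m policy --dir in --pol ipsec -j ACCEPT
iptables -t nat -A postrouting_${wan}_rule -s ${subnet} -m policy --dir out --pol ipsec -j ACCEPT
iptables -A forwarding_rule -m policy --dir in --pol ipsec -m conntrack --ctstate NEW -j zone_${vpn}_forward
iptables -A input_${wan}_rule -m policy --dir in --pol ipsec -m conntrack --ctstate NEW -j ACCEPT
# --- ipsec passthrough (end) ---
EOF
}

# Idempotent install: drop any earlier copy of the marked block, then append
# a fresh one, so re-running the script never duplicates rules.
install_rules() {
    target=$1
    [ -f "$target" ] || : > "$target"
    tmp=$(mktemp)
    sed '/ipsec passthrough (begin)/,/ipsec passthrough (end)/d' "$target" > "$tmp"
    ipsec_rules "$LAN_SUBNET" "$WAN_ZONE" "$VPN_ZONE" >> "$tmp"
    cat "$tmp" > "$target" && rm -f "$tmp"
}

# Router-side check after `fw3 reload`: the ACCEPT must sit in the custom nat
# chain (fw3 jumps there before its own MASQUERADE rule, which is why the
# ACCEPT prevents masquerading) and the vpn zone chain must exist, otherwise
# the forwarding_rule line was rejected.
verify_rules() {
    iptables -t nat -S "postrouting_${WAN_ZONE}_rule" | grep -q -- '--pol ipsec -j ACCEPT' || return 1
    iptables -S "zone_${VPN_ZONE}_forward" >/dev/null 2>&1
}

# Only touch the live firewall when explicitly asked:
#   IPSEC_RULES_INSTALL=1 sh ipsec-passthrough.sh
if [ "${IPSEC_RULES_INSTALL:-0}" = 1 ]; then
    install_rules /etc/firewall.user
    fw3 reload
    verify_rules && echo "ipsec passthrough rules active" || echo "check failed" >&2
fi
```

Override LAN_SUBNET, WAN_ZONE or VPN_ZONE in the environment if your zones are named differently; the marker lines are what make the install safe to repeat, so keep them if you edit the block by hand in the web UI.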

It is working. Thanks a lot!
