How to route specific client's traffic to VPN (PPTP)?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
0
down vote

favorite












The setup:



  • I have a server set up as a DHCP (isc-dhcp-server) and DNS (bind9) server (acting as a router).

  • It connects to the internet via pppoe (ppp0) using eth0 device.

  • The eth1 is connected to a router acting as an access point.

  • Through the access point clients can connect via ethernet or wifi.

  • Traffic from eth1 is forwarded to ppp0 using iptables as defined here (with some modifications to match the internet device): https://killtacknine.com/building-an-ubuntu-16-04-router-part-3-firewalls/.

  • IPV6 is also set up the same way.

  • The ufw is also enabled with a "Anywhere ALLOW 192.168.1.0/24" rule.

  • The server also connects to a VPN (PPTP) through ppp0, and when it is connected it gets the ppp1 as the device name.

What I would like to do is to forward a specific client's internet traffic (based on an IP or MAC address) that is connecting through the eth1 device to the VPN via ppp1.



I've tried to setup iptables with the following rules:



iptables -A INPUT -i ppp1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -s 192.168.1.113 -o ppp1 -j ACCEPT
iptables -A FORWARD -i ppp1 -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o ppp1 -j MASQUERADE


But it doesn't seems to be working, I don't know what I'm missing, I have almost 0 knowledge with iptables.







share|improve this question























    up vote
    0
    down vote

    favorite












    The setup:



    • I have a server set up as a DHCP (isc-dhcp-server) and DNS (bind9) server (acting as a router).

    • It connects to the internet via pppoe (ppp0) using eth0 device.

    • The eth1 is connected to a router acting as an access point.

    • Through the access point clients can connect via ethernet or wifi.

    • Traffic from eth1 is forwarded to ppp0 using iptables as defined here (with some modifications to match the internet device): https://killtacknine.com/building-an-ubuntu-16-04-router-part-3-firewalls/.

    • IPV6 is also set up the same way.

    • The ufw is also enabled with a "Anywhere ALLOW 192.168.1.0/24" rule.

    • The server also connects to a VPN (PPTP) through ppp0, and when it is connected it gets the ppp1 as the device name.

    What I would like to do is to forward a specific client's internet traffic (based on an IP or MAC address) that is connecting through the eth1 device to the VPN via ppp1.



    I've tried to setup iptables with the following rules:



    iptables -A INPUT -i ppp1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i eth1 -s 192.168.1.113 -o ppp1 -j ACCEPT
    iptables -A FORWARD -i ppp1 -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -t nat -A POSTROUTING -o ppp1 -j MASQUERADE


    But it doesn't seems to be working, I don't know what I'm missing, I have almost 0 knowledge with iptables.







    share|improve this question





















      up vote
      0
      down vote

      favorite









      up vote
      0
      down vote

      favorite











      The setup:



      • I have a server set up as a DHCP (isc-dhcp-server) and DNS (bind9) server (acting as a router).

      • It connects to the internet via pppoe (ppp0) using eth0 device.

      • The eth1 is connected to a router acting as an access point.

      • Through the access point clients can connect via ethernet or wifi.

      • Traffic from eth1 is forwarded to ppp0 using iptables as defined here (with some modifications to match the internet device): https://killtacknine.com/building-an-ubuntu-16-04-router-part-3-firewalls/.

      • IPV6 is also set up the same way.

      • The ufw is also enabled with a "Anywhere ALLOW 192.168.1.0/24" rule.

      • The server also connects to a VPN (PPTP) through ppp0, and when it is connected it gets the ppp1 as the device name.

      What I would like to do is to forward a specific client's internet traffic (based on an IP or MAC address) that is connecting through the eth1 device to the VPN via ppp1.



      I've tried to setup iptables with the following rules:



      iptables -A INPUT -i ppp1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
      iptables -A FORWARD -i eth1 -s 192.168.1.113 -o ppp1 -j ACCEPT
      iptables -A FORWARD -i ppp1 -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
      iptables -t nat -A POSTROUTING -o ppp1 -j MASQUERADE


      But it doesn't seems to be working, I don't know what I'm missing, I have almost 0 knowledge with iptables.







      share|improve this question











      The setup:



      • I have a server set up as a DHCP (isc-dhcp-server) and DNS (bind9) server (acting as a router).

      • It connects to the internet via pppoe (ppp0) using eth0 device.

      • The eth1 is connected to a router acting as an access point.

      • Through the access point clients can connect via ethernet or wifi.

      • Traffic from eth1 is forwarded to ppp0 using iptables as defined here (with some modifications to match the internet device): https://killtacknine.com/building-an-ubuntu-16-04-router-part-3-firewalls/.

      • IPV6 is also set up the same way.

      • The ufw is also enabled with a "Anywhere ALLOW 192.168.1.0/24" rule.

      • The server also connects to a VPN (PPTP) through ppp0, and when it is connected it gets the ppp1 as the device name.

      What I would like to do is to forward a specific client's internet traffic (based on an IP or MAC address) that is connecting through the eth1 device to the VPN via ppp1.



      I've tried to setup iptables with the following rules:



      iptables -A INPUT -i ppp1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
      iptables -A FORWARD -i eth1 -s 192.168.1.113 -o ppp1 -j ACCEPT
      iptables -A FORWARD -i ppp1 -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
      iptables -t nat -A POSTROUTING -o ppp1 -j MASQUERADE


      But it doesn't seems to be working, I don't know what I'm missing, I have almost 0 knowledge with iptables.









      share|improve this question










      share|improve this question




      share|improve this question









      asked Jul 3 at 22:21









      yce

      31




      31




















          1 Answer
          1






          active

          oldest

          votes

















          up vote
          0
          down vote



          accepted










          1) Make sure your AP connected via eth1 bridges its own ethernet interface to the WLAN interface, otherwise DHCP will be useless, and if it does NAT (default with many home routers), you won't be able to see the IP address of the client.



          2) You don't need iptables to do routing (a pet peeve of mine; for some reason, many people on the internet think they need firewall rules for routing...). In particular, you don't need to do NAT (unless your VPN requires it for some reason, but there's no information in the question to decide that).



          If you want to route packets from a particular client, you need policy routing (google, there are many tutorials). Basically, you do



          ip rule add from <source address> lookup <table name>


          and then add a table that defines the routing, in your case, via ppp1 and the gateway that's associated with it.



          ip route get <dest address> will tell you where the OS thinks the packet should go. Much easier than to debug firewall rules.



          3) Use wireshark (or tcpdump, in different windows, one for each network interface that is interesting) do debug everything. Without actually seeing which packets arrive where with what addresses, it's hard to tell what goes wrong.






          share|improve this answer























          • Hi, thanks for your answer! The AP is just a "gateway" no dhcp enabled. Also for some reason ip rule get <dest address> doesn work, it says get is unkown. I'm using a ubuntu 16.04 server.
            – yce
            Jul 5 at 20:24











          • Thanks! I managed to set it up, I also had to run the "sudo ip route add default via <PPTP IP address> table vpn" command too, and it is now routing the traffic.
            – yce
            Jul 5 at 20:41










          • It's ip route get ..., sorry for the typo. Fixed in answer. Note that even if no DHCP is enabled, the AP WLAN interface must still be bridged to the LAN for DHCP on the server to work (DHCP is broadcast, which won't be routed). If the "gateway" configuration does that, then all good.
            – dirkt
            Jul 6 at 3:44










          Your Answer







          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "106"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          convertImagesToLinks: false,
          noModals: false,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );








           

          draft saved


          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f453326%2fhow-to-route-specific-clients-traffic-to-vpn-pptp%23new-answer', 'question_page');

          );

          Post as a guest






























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes








          up vote
          0
          down vote



          accepted










          1) Make sure your AP connected via eth1 bridges its own ethernet interface to the WLAN interface, otherwise DHCP will be useless, and if it does NAT (default with many home routers), you won't be able to see the IP address of the client.



          2) You don't need iptables to do routing (a pet peeve of mine; for some reason, many people on the internet think they need firewall rules for routing...). In particular, you don't need to do NAT (unless your VPN requires it for some reason, but there's no information in the question to decide that).



          If you want to route packets from a particular client, you need policy routing (google, there are many tutorials). Basically, you do



          ip rule add from <source address> lookup <table name>


          and then add a table that defines the routing, in your case, via ppp1 and the gateway that's associated with it.



          ip route get <dest address> will tell you where the OS thinks the packet should go. Much easier than to debug firewall rules.



          3) Use wireshark (or tcpdump, in different windows, one for each network interface that is interesting) do debug everything. Without actually seeing which packets arrive where with what addresses, it's hard to tell what goes wrong.






          share|improve this answer























          • Hi, thanks for your answer! The AP is just a "gateway" no dhcp enabled. Also for some reason ip rule get <dest address> doesn work, it says get is unkown. I'm using a ubuntu 16.04 server.
            – yce
            Jul 5 at 20:24











          • Thanks! I managed to set it up, I also had to run the "sudo ip route add default via <PPTP IP address> table vpn" command too, and it is now routing the traffic.
            – yce
            Jul 5 at 20:41










          • It's ip route get ..., sorry for the typo. Fixed in answer. Note that even if no DHCP is enabled, the AP WLAN interface must still be bridged to the LAN for DHCP on the server to work (DHCP is broadcast, which won't be routed). If the "gateway" configuration does that, then all good.
            – dirkt
            Jul 6 at 3:44














          up vote
          0
          down vote



          accepted










          1) Make sure your AP connected via eth1 bridges its own ethernet interface to the WLAN interface, otherwise DHCP will be useless, and if it does NAT (default with many home routers), you won't be able to see the IP address of the client.



          2) You don't need iptables to do routing (a pet peeve of mine; for some reason, many people on the internet think they need firewall rules for routing...). In particular, you don't need to do NAT (unless your VPN requires it for some reason, but there's no information in the question to decide that).



          If you want to route packets from a particular client, you need policy routing (google, there are many tutorials). Basically, you do



          ip rule add from <source address> lookup <table name>


          and then add a table that defines the routing, in your case, via ppp1 and the gateway that's associated with it.



          ip route get <dest address> will tell you where the OS thinks the packet should go. Much easier than to debug firewall rules.



          3) Use wireshark (or tcpdump, in different windows, one for each network interface that is interesting) do debug everything. Without actually seeing which packets arrive where with what addresses, it's hard to tell what goes wrong.






          share|improve this answer























          • Hi, thanks for your answer! The AP is just a "gateway" no dhcp enabled. Also for some reason ip rule get <dest address> doesn work, it says get is unkown. I'm using a ubuntu 16.04 server.
            – yce
            Jul 5 at 20:24











          • Thanks! I managed to set it up, I also had to run the "sudo ip route add default via <PPTP IP address> table vpn" command too, and it is now routing the traffic.
            – yce
            Jul 5 at 20:41










          • It's ip route get ..., sorry for the typo. Fixed in answer. Note that even if no DHCP is enabled, the AP WLAN interface must still be bridged to the LAN for DHCP on the server to work (DHCP is broadcast, which won't be routed). If the "gateway" configuration does that, then all good.
            – dirkt
            Jul 6 at 3:44












          up vote
          0
          down vote



          accepted







          up vote
          0
          down vote



          accepted






          1) Make sure your AP connected via eth1 bridges its own ethernet interface to the WLAN interface, otherwise DHCP will be useless, and if it does NAT (default with many home routers), you won't be able to see the IP address of the client.



          2) You don't need iptables to do routing (a pet peeve of mine; for some reason, many people on the internet think they need firewall rules for routing...). In particular, you don't need to do NAT (unless your VPN requires it for some reason, but there's no information in the question to decide that).



          If you want to route packets from a particular client, you need policy routing (google, there are many tutorials). Basically, you do



          ip rule add from <source address> lookup <table name>


          and then add a table that defines the routing, in your case, via ppp1 and the gateway that's associated with it.



          ip route get <dest address> will tell you where the OS thinks the packet should go. Much easier than to debug firewall rules.



          3) Use wireshark (or tcpdump, in different windows, one for each network interface that is interesting) do debug everything. Without actually seeing which packets arrive where with what addresses, it's hard to tell what goes wrong.






          share|improve this answer















          1) Make sure your AP connected via eth1 bridges its own ethernet interface to the WLAN interface, otherwise DHCP will be useless, and if it does NAT (default with many home routers), you won't be able to see the IP address of the client.



          2) You don't need iptables to do routing (a pet peeve of mine; for some reason, many people on the internet think they need firewall rules for routing...). In particular, you don't need to do NAT (unless your VPN requires it for some reason, but there's no information in the question to decide that).



          If you want to route packets from a particular client, you need policy routing (google, there are many tutorials). Basically, you do



          ip rule add from <source address> lookup <table name>


          and then add a table that defines the routing, in your case, via ppp1 and the gateway that's associated with it.



          ip route get <dest address> will tell you where the OS thinks the packet should go. Much easier than to debug firewall rules.



          3) Use wireshark (or tcpdump, in different windows, one for each network interface that is interesting) do debug everything. Without actually seeing which packets arrive where with what addresses, it's hard to tell what goes wrong.







          share|improve this answer















          share|improve this answer



          share|improve this answer








          edited Jul 6 at 3:40


























          answered Jul 4 at 6:00









          dirkt

          13.9k2930




          13.9k2930











          • Hi, thanks for your answer! The AP is just a "gateway" no dhcp enabled. Also for some reason ip rule get <dest address> doesn work, it says get is unkown. I'm using a ubuntu 16.04 server.
            – yce
            Jul 5 at 20:24











          • Thanks! I managed to set it up, I also had to run the "sudo ip route add default via <PPTP IP address> table vpn" command too, and it is now routing the traffic.
            – yce
            Jul 5 at 20:41










          • It's ip route get ..., sorry for the typo. Fixed in answer. Note that even if no DHCP is enabled, the AP WLAN interface must still be bridged to the LAN for DHCP on the server to work (DHCP is broadcast, which won't be routed). If the "gateway" configuration does that, then all good.
            – dirkt
            Jul 6 at 3:44
















          • Hi, thanks for your answer! The AP is just a "gateway" no dhcp enabled. Also for some reason ip rule get <dest address> doesn work, it says get is unkown. I'm using a ubuntu 16.04 server.
            – yce
            Jul 5 at 20:24











          • Thanks! I managed to set it up, I also had to run the "sudo ip route add default via <PPTP IP address> table vpn" command too, and it is now routing the traffic.
            – yce
            Jul 5 at 20:41










          • It's ip route get ..., sorry for the typo. Fixed in answer. Note that even if no DHCP is enabled, the AP WLAN interface must still be bridged to the LAN for DHCP on the server to work (DHCP is broadcast, which won't be routed). If the "gateway" configuration does that, then all good.
            – dirkt
            Jul 6 at 3:44















          Hi, thanks for your answer! The AP is just a "gateway" no dhcp enabled. Also for some reason ip rule get <dest address> doesn work, it says get is unkown. I'm using a ubuntu 16.04 server.
          – yce
          Jul 5 at 20:24





          Hi, thanks for your answer! The AP is just a "gateway" no dhcp enabled. Also for some reason ip rule get <dest address> doesn work, it says get is unkown. I'm using a ubuntu 16.04 server.
          – yce
          Jul 5 at 20:24













          Thanks! I managed to set it up, I also had to run the "sudo ip route add default via <PPTP IP address> table vpn" command too, and it is now routing the traffic.
          – yce
          Jul 5 at 20:41




          Thanks! I managed to set it up, I also had to run the "sudo ip route add default via <PPTP IP address> table vpn" command too, and it is now routing the traffic.
          – yce
          Jul 5 at 20:41












          It's ip route get ..., sorry for the typo. Fixed in answer. Note that even if no DHCP is enabled, the AP WLAN interface must still be bridged to the LAN for DHCP on the server to work (DHCP is broadcast, which won't be routed). If the "gateway" configuration does that, then all good.
          – dirkt
          Jul 6 at 3:44




          It's ip route get ..., sorry for the typo. Fixed in answer. Note that even if no DHCP is enabled, the AP WLAN interface must still be bridged to the LAN for DHCP on the server to work (DHCP is broadcast, which won't be routed). If the "gateway" configuration does that, then all good.
          – dirkt
          Jul 6 at 3:44












           

          draft saved


          draft discarded


























           


          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f453326%2fhow-to-route-specific-clients-traffic-to-vpn-pptp%23new-answer', 'question_page');

          );

          Post as a guest













































































          Popular posts from this blog

          How to check contact read email or not when send email to Individual?

          Displaying single band from multi-band raster using QGIS

          How many registers does an x86_64 CPU actually have?