Gianni Romano

NAT a specific IP to go to ppp0 and others to go to eth0 coming from internal wifi interface

Recommended Posts

Ok so the title can confuse more than it really is!

So basically I have a armbian distro configured as NAT where wlan0 is the internal interface and eth0 is the "pubic" interface that provides internet (this set is provided out of the box by armbian-config).

My devices connect over wlan0 grabbing an IP, say

I have added a VPN to a remote network resulting in the creation of ppp0, with IP

Having these info, what I want to achieve is:

* Only one IP (e.g. has to always go towards ppp0 (that is all traffic back and forth should go to ppp0, so I can either reach machines and navigate on internet with the remote IP)

* All other IPs can normally go towards eth0


Starting from the configured NAT from armbian-config I have added the extra iptables rules:

  1. -A FORWARD -s -i wlan0 -o ppp0 -j ACCEPT (this is before -A FORWARD -i wlan0-o eth0 -j ACCEPT created by armbian-config)
  2. -A POSTROUTING -o ppp0 -j MASQUERADE (order shouldn't impact with -A POSTROUTING -o eth0 -j MASQUERADE created by armbian-config)
  3. -A FORWARD -i ppp0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT (just to be sure!)


These extra rules + the one from armbian-config seem to work all most well:

  1. From client I can see content of a remote web server, say ( so apparently it goes thru ppp0)
  2. From client I can navigate on internet, but unfortunately checking the IP I go out with (using a geo ip website), it still results the one from eth0
  3. All other clients correctly navigate going out thru eth0


So to summarize it, I can now reach the remote network over VPN for that IP but it is not able to navigate thru ppp0


Is there someone that can help me with this since I ran out of ideas?





Share this post

Link to post
Share on other sites

Hello there, I finally solved the issue!

For sake of information I explain how I solved it:


First the required iptables' rules are (these give access to the remote VPN's machines):

* -A FORWARD -i wlan0 -o ppp0 -j ACCEPT



Then to indicate which IP or range of IPs have to have a different route it is required the usage of policy rules:

* open /etc/iproute2/rt_tables and put your entry (ID tablename):   100   my_custom_table

* ip rule add from table my_custom_table (tells to go to another table other than the main one for the source IP 172.x.x.x)

* ip route add dev wlan0 table my_custom_table (required to receive packets back from ppp0)

*  ip route add default via dev ppp0 table my_custom_table (routes packet to the VPN's gateway)


Make sure Firewall on the VPN server allows incoming traffic from VPN IPs


Tha's all!




Share this post

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now