Linux Client fails to create iptables Masquerade rules in [Synology] #1976
Comments
It would be best for a dev to actually try Synology himself to verify everything related. For that task he can easily use this: https://github.com/vdsm/virtual-dsm This is a virtual Synology server running isolated in Docker, so you can test anything you want about iptables without any fear of breaking the machine. You may hijack the mechanism that handles the iptables, or find another, more clever way. Fingers crossed.
Hello @zzecool, thanks for reporting this issue and sharing the virtual dsm project. We will have a look at it and report soon.
Actually, can you confirm if it works in userspace mode too? See the steps to enable it here: #1983 (comment)
@mlsmaycon Yes, that will be great. The underlying mechanism in Synology not only deletes the FORWARD chain, it flushes every rule that has been added manually, not by using their GUI firewall rule. The thing is that this tool is useless for our case as it doesn't support masquerade etc. Let's hope for a clean solution, but a dirty one will also be acceptable.
Hi, this ticket is now one month old. Was there any progress? We also have a similar use case and it would be cool to make it via our internal Syno NAS. Regards, m.
+1 from me :). Having the same problem.
Describe the problem
Running Native Linux Client version 0.27.5 in Synology.
The iptables version is :
iptables v1.8.3 (legacy): Couldn't load match comment':No such file or directory
and can't change.
The client fails to address the routes assigned to it, whether it is a network range or an exit node.
Dirty fix:
If I manually do:
sudo iptables -t nat -A POSTROUTING -o ovs_bond0 -d 192.168.1.0/24 -j MASQUERADE
I can have access to the 192.168.1.0/24 network,
or
sudo iptables -t nat -A POSTROUTING -o ovs_bond0 -j MASQUERADE
if I want to make it an exit node (access to the internet).
ovs_bond0 is my interface
Now for the FORWARD chain that the native client is trying to use: the chain doesn't exist, and if I create it, it fails on the next set of rules like this:
Not only that, but there is a mechanism that deletes the FORWARD chain after a while. So maybe the proper approach would be to check if iptables is iptables v1.8.3 (legacy) and the system is Synology, and use the dirty way on the POSTROUTING chain that exists.
For identifying Synology you can use something like this:
Another hint is that WGeasy works out of the box, even as Docker (bridge mode),
with the following rules:
Because in the config we have: AllowedIPs = 0.0.0.0/0
That way the client can decide what networks it will route to, as 0.0.0.0/0 is allowed.
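The POSTROUTING workaround described in this issue, as an added example that is not part of the original post or of the project's code: a script that appends the MASQUERADE rule only when `iptables -C` reports it missing, so it can be re-run after the flush the reporter describes. The function names and the `IPTABLES` override variable are hypothetical.

```shell
#!/bin/sh
# Added example (not from the issue or the project's code base).
# Re-applies the POSTROUTING MASQUERADE workaround only when it is missing,
# so it can be run repeatedly after the Synology firewall flushes manual rules.
# No "-m comment" is used: the issue shows that match fails to load on this box.

IPTABLES="${IPTABLES:-iptables}"   # hypothetical override for dry runs and tests

# build_rule IFACE [DEST_CIDR] -> prints the rule spec (without -A/-C)
build_rule() {
    iface=$1 dest=${2:-}
    case $iface in
        ''|-*|*[!A-Za-z0-9_.:-]*) echo "bad interface: $iface" >&2; return 2 ;;
    esac
    case $dest in
        *[!0-9./]*) echo "bad destination: $dest" >&2; return 2 ;;
    esac
    if [ -n "$dest" ]; then
        echo "POSTROUTING -o $iface -d $dest -j MASQUERADE"
    else
        echo "POSTROUTING -o $iface -j MASQUERADE"
    fi
}

# ensure_masquerade IFACE [DEST_CIDR]
# Prints "present" if the rule already exists, "added" if it was appended.
ensure_masquerade() {
    rule=$(build_rule "$@") || return 2
    # -C checks for an exact rule match and exits non-zero when it is absent.
    # $rule is split into words on purpose; its characters were validated above.
    if $IPTABLES -t nat -C $rule 2>/dev/null; then
        echo present
    elif $IPTABLES -t nat -A $rule; then
        echo added
    else
        echo "failed to add rule: $rule" >&2
        return 1
    fi
}

# Run only when called with arguments, e.g.: sh script.sh ovs_bond0 192.168.1.0/24
if [ "$#" -gt 0 ]; then
    ensure_masquerade "$@"
fi
```

Run without a destination, it applies the exit-node form of the rule; scheduling it periodically is one way to restore the rule after a flush.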