Yeah. Solved the NAT puzzle ;)

Some time ago I wrote about my issues with NAT not working as expected on my multi-uplink OpenWRT-based always-on access point. Pondering one night in Austria about it (I was preparing it for the trip home), I think I finally solved the issue.

To recap:

The current issue at hand is this: all 3G routers are set to do SNAT (masquerading to be precise) on anything leaving the box via their 3G interface (funnily named 3g-wwan in OpenWRT). All but one do as ordered; that one refuses to properly masquerade all traffic, or, to be more precise: it insists on not masquerading the OpenVPN traffic coming from the OpenVPN node. All other traffic destined to the only destination reachable via that 3G link, from any of the connected boxes, is properly NATed.

Illustration of the setup

I always suspected that it might have to do with timing (OpenVPN on the central AP starts early, so the boxes with the 3G/4G USB sticks get traffic way before they even have any connection via a mobile network), but all fiddling with IP tables did not lead anywhere.

Yesterday I found a bug report that links to some explanation as well as to some other bug report that includes a kludge: I now flush the conntrack table on establishment of a mobile connection; this seems to do the trick. I just added the call to the conntrack binary in my /etc/hotplug.d/iface/80-routes:

                /usr/sbin/iptables -t nat -I POSTROUTING -o $DEVICE -j MASQUERADE
                /usr/sbin/conntrack -F

Please note that I dumped the whole firewalling code of OpenWRT (/etc/init.d/firewall got an exit 0 right after the comments), as I simply don’t need that complexity.
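As an added example (not my original 80-routes), here is how the same kludge can look as a complete hotplug handler that stays correct across reconnects. It relies on the ACTION, INTERFACE and DEVICE variables OpenWRT exports to scripts in /etc/hotplug.d/iface/; the logical interface name wwan and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the author's 80-routes: a hotplug handler for
# /etc/hotplug.d/iface/. OpenWrt exports ACTION, INTERFACE and DEVICE to it.
IPTABLES="${IPTABLES:-/usr/sbin/iptables}"
CONNTRACK="${CONNTRACK:-/usr/sbin/conntrack}"
WAN_IFACE="${WAN_IFACE:-wwan}"   # assumption: logical name behind 3g-wwan

# Hotplug fires on every reconnect, so a bare -I stacks one more copy of the
# rule each time. Delete any existing copies first, then insert exactly one.
ensure_masquerade() {
    dev="$1"
    while "$IPTABLES" -t nat -D POSTROUTING -o "$dev" -j MASQUERADE 2>/dev/null
    do :; done
    "$IPTABLES" -t nat -I POSTROUTING -o "$dev" -j MASQUERADE
}

# netfilter consults the nat table only for the first packet of a flow and
# stores the verdict in the conntrack entry. A flow first seen before the
# MASQUERADE rule existed keeps going out un-NATed until its entry is gone.
flush_stale_flows() {
    "$CONNTRACK" -F
}

handle_iface_event() {
    action="$1"; iface="$2"; dev="$3"
    [ "$action" = "ifup" ] || return 0        # only act when a link comes up
    [ "$iface" = "$WAN_IFACE" ] || return 0   # ignore LAN/WiFi events
    [ -n "$dev" ] || return 1                 # no device name, nothing to match
    ensure_masquerade "$dev" && flush_stale_flows
}

handle_iface_event "${ACTION:-}" "${INTERFACE:-}" "${DEVICE:-}"
```

Note that conntrack -F clears the whole table, so every forwarded flow on the box is re-evaluated against the current rules, not just the OpenVPN one.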

One remaining issue I still have with the MR-3020’s: occasionally — every few minutes actually when trying to link to the Austrian location’s WiFi, which I only received at -82 to -90 dBm — the 3020 (and the 3040 as well) just reboot. I saw this when connected to a laptop’s USB port as power source as well as on a 1.4 A USB wall plug (the standard plug for the 3020 is rated 1 Ampere at 5 Volt), thus I don’t think it’s power related. As I suspect a 3G stick to draw more power than a WiFi one, an uptime of 55 minutes for my 3G link points away from power issues as well, IMHO. After I stopped trying to connect to the hardly accessible WiFi (30+ percent of loss), the 3020 now seems to be rock-stable again. Any hint on how to solve that issue would be appreciated.