I have been using TomatoUSB for quite a while on my Linksys E3000. I now use the Toastman variety because it has VLAN support (Tomato Firmware v1.28.7500 MIPSR2Toastman-RT K26 USB VLAN-VPN).
I have divided my network into 3 different subnets, 192.168.0.0/24 (vlan1, br0), 192.168.1.0/24 (vlan3, br1) and 192.168.2.0/24 (vlan4, br2). (WAN is on vlan2.) Each of these subnets has its own VLAN. All VLANs are tagged on port 1, which is then connected to a smart switch.
The problem I have now is that my server network (192.168.2.0/24) can't be reached from my private or guest networks (the other 2 subnets) using the domain that is linked to my WAN IP. NAT loopback will only loop back to the same subnet. If I open up a port to a web server on the 192.168.0.0/24 subnet, and try to connect to the domain in a browser, it will work. When I instead open up the same port to the server subnet (192.168.2.0/24), NAT loopback will not work anymore.
I have tried to solve this using iptables, but I have not had any success with this. I have tried the following rules:
# WAN stands for the WAN interface (vlan2 here); "! -i" is the current negation syntax
iptables -t mangle -A PREROUTING ! -i WAN -d `nvram get wan_ipaddr` -j MARK --set-mark 0xd001
iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
iptables -t nat -A POSTROUTING -m mark --mark 0xd001 -j MASQUERADE
Can anyone help me get this working?
I know that it's bad practice to rely on NAT loopback, but I would prefer not to have two different configurations for SSH, FTP and web clients depending on whether I'm at home or not. I also like having the networks completely isolated from each other.
Reaching the server network from the WAN side works just fine.
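Explicit hairpin NAT rules for this three-bridge layout, as an added example that is not part of the original post: they forward one port from the WAN address to a server on br2 for clients on br0 and br1, and only open the bridge boundary for those DNATed flows, so the VLAN isolation is otherwise kept. The addresses, the router's own br2 address and the availability of the xt_conntrack match on this firmware build are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: explicit hairpin NAT from the
# private (br0) and guest (br1) bridges to one forwarded port on the server
# bridge (br2). Addresses below are constructed placeholders.
WAN_IP="${WAN_IP:-203.0.113.10}"   # on Tomato: WAN_IP=$(nvram get wan_ipaddr)
SERVER_BR=br2
SERVER_GW=192.168.2.1              # the router's own address on br2 (assumed)
SERVER_IP=192.168.2.10             # the host the port is forwarded to (assumed)
PORT=80
CLIENT_BRS="br0 br1"

# ipt: run iptables, or only print the command when DRY_RUN is set
ipt() {
  if [ -n "$DRY_RUN" ]; then echo "iptables $*"; else iptables "$@"; fi
}

hairpin_rules() {
  for br in $CLIENT_BRS; do
    # 1. Rewrite LAN -> WAN_IP:PORT to LAN -> SERVER_IP:PORT, as the WAN forward does
    ipt -t nat -I PREROUTING -i "$br" -d "$WAN_IP" -p tcp --dport "$PORT" \
      -j DNAT --to-destination "$SERVER_IP:$PORT"
    # 2. Let only DNATed flows (and their replies) cross from br0/br1 into br2;
    #    everything else between the VLANs stays blocked. --ctstate DNAT needs
    #    the xt_conntrack match, which is assumed to be present on this build.
    ipt -I FORWARD -i "$br" -o "$SERVER_BR" -d "$SERVER_IP" -p tcp --dport "$PORT" \
      -m conntrack --ctstate DNAT -j ACCEPT
    ipt -I FORWARD -i "$SERVER_BR" -o "$br" -s "$SERVER_IP" -p tcp --sport "$PORT" \
      -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  done
  # 3. Source-NAT hairpinned flows to the router's br2 address, so the server
  #    answers the router and never needs a route back into the client VLANs
  ipt -t nat -I POSTROUTING -o "$SERVER_BR" -d "$SERVER_IP" -p tcp --dport "$PORT" \
    -m conntrack --ctstate DNAT -j SNAT --to-source "$SERVER_GW"
}

# dry_run_rules: print the rules instead of installing them (for review)
dry_run_rules() { ( DRY_RUN=1; hairpin_rules ); }

# count_rules: how many rules would be installed
count_rules() { dry_run_rules | wc -l | tr -d ' '; }

# Only change the firewall when explicitly asked; otherwise just show the rules.
case "${1:-}" in
  apply) hairpin_rules ;;
  *)     dry_run_rules ;;
esac
```

Run it with `apply` as root from the router's firewall startup script; without that argument it only prints the rules it would add, which is the easiest way to review them before touching the live firewall.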