I'm trying to set up a RaspberryPi running Nftables as a "router". It's running on RaspberryPi OS 64 bits with kernel 5.15.32-v8+ and Nftables v0.9.8 (E.D.S.). I would like it to allow traffic between the LAN it's connected to through its WiFi interface and an Android phone sharing it's cellular data connection through USB.
The RPi is connected to a LAN through it's WiFi interface. There is a DHCP server running on that LAN. It serves clients class C private addresses like 192.168.80.X/24. The RaspberryPi gets served as below. The network configuration allows for a range of IP addresses to be assigned manually, shall that be needed.
- RaspberryPi : interface wlan0
- IP address : 192.168.80.157
- Subnet : 255.255.255.0
- Gateway : 192.168.80.2
- DNS : 192.168.200.1 (firewall living an another VLAN) / 8.8.8.8
An Android phone is connected to the RaspberryPi through a USB cable and acts as a USB modem, sharing its cellular data. It assigns the RPi a class C private address like 192.168.X.Y/24. It changes each time I plug the Android phone in / reboot, and I can't tune the range of addresses served by the phone.
- RaspberryPi : interface usb0 (Android phone)
- IP address : 192.168.42.48 (at the moment)
- Subnet : 255.255.255.0
- Gateway : 192.168.42.105
- DNS : 192.168.42.105 (same as gateway)
I have enabled IP forwarding in the sysctl.conf
net.ipv4.ip_forward=1
Nftables is configured as follow (example from here :
table ip nat_antoine {
chain prerouting {
type nat hook prerouting priority dstnat; policy accept;
ip protocol icmp counter meta nftrace set 1
}
chain postrouting {
type nat hook postrouting priority srcnat; policy accept;
oifname "usb0" masquerade
}
}
I ran the following tests. I disabled nftables and SSH'd into the RPi through the wlan0 interface. If I configure the firewall at 192.168.200.1 to allow internet access to the RPi (and disconnect the Android phone "usb0"), it works : the RPi can ping / curl / ssh into the "outside" world.
Then I revoked the internet access through wlan0 and plugged the Android phone "usb0" in. Same : I can ping / curl / ssh into the "outside" world. I have made sure that the traffic is going through usb0 and not wlan0.
Issues arise when I enable nftables and try to access internet via the RPi through another client. I took another android phone, connected it to the 192.168.80.0/24 LAN and manually configured the gateway address to be the RPi's wlan0 interface address (DNS from Quad9). Best I can get is pinging the wlan0 interface on the RPi.
"nft monitor" output when pinging 192.168.80.157 from an Android client (client gets an answer) :
trace id 98bebc6f ip nat_antoine prerouting packet: iif "wlan0" ether saddr d0:1b:49:f1:01:29 ether daddr dc:a6:32:65:a2:f4 ip saddr 192.168.80.20 ip daddr 192.168.80.157 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 40158 ip length 84 icmp code net-unreachable icmp id 30 icmp sequence 1 @th,64,96 820786881435526521749372928
trace id 98bebc6f ip nat_antoine prerouting rule ip protocol icmp counter packets 1 bytes 84 meta nftrace set 1 (verdict continue)
trace id 98bebc6f ip nat_antoine prerouting verdict continue
trace id 98bebc6f ip nat_antoine prerouting policy accept
"nft monitor" output when pinging 192.168.42.48 from the same Android client (client gets no answer) :
trace id c59a6b89 ip nat_antoine prerouting packet: iif "wlan0" ether saddr d0:1b:49:f1:01:29 ether daddr dc:a6:32:65:a2:f4 ip saddr 192.168.80.20 ip daddr 192.168.42.48 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 29620 ip length 84 icmp code net-unreachable icmp id 31 icmp sequence 1 @th,64,96 56218603639456293821148039936
trace id c59a6b89 ip nat_antoine prerouting rule ip protocol icmp counter packets 1 bytes 84 meta nftrace set 1 (verdict continue)
trace id c59a6b89 ip nat_antoine prerouting verdict continue
trace id c59a6b89 ip nat_antoine prerouting policy accept
Can someone please help me / point me to the right direction for fixing this ? Thank you very much.