I've been struggling with this problem for months, and my limited networking knowledge doesn't allow me to progress further, so here I am asking for an advice.
I have an OpenWRT Router with two subnets, 192.168.1.x and 192.168.2.x. On 192.168.1.x I have a client PC running an application I don't have sources of, and on 192.168.2.x runs a server of the same software. In order to discover other servers, the client sends a broadcast on the local network that obviously won't traverse the subnet. But since I know where the server is, I would like to somehow "transform" such broadcast in a unicast UDP packet with the destination address of that server.
I know the most simple thing to do would be to bring both the client and the server on the same subnet, but since the server is also exposed on Internet with different people logging in with TeamViewer I'd really want to keep it as isolated as possible.
So fare I've come up with
iptables -t mangle -A PREROUTING -p udp -s 192.168.1.0/24 -d 255.255.255.255 -m udp --dport 10308 -j TTL --ttl-set 128 -m comment --comment "Broadcast Traverse Test TTL"
iptables -t nat -A zone_lan_prerouting -p udp -s 192.168.1.0/24 -d 255.255.255.255 -m udp --dport 10308 -j DNAT --to-destination 192.168.2.36:10308 -m comment --comment "Broadcast Traverse Test"
I also added an ebtables rule to overwrite the destination MAC so that it's not treated as a broadcast:
ebtables -t nat -A PREROUTING -p ip --ip-protocol udp -d ff:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff --ip-destination-port 10308 -j dnat --to-destination 9c:c9:eb:15:dd:ce
This way the packet actually reaches the server, who in turn sends its reply. Unfortunately something is still wrong, since I see these log entries in the OUTPUT chain, related to the reply itself:
IN= OUT=wlan0 MAC source = 9c:c9:eb:15:dd:ce MAC dest = 50:2f:9b:2a:ba:9d proto = 0x0800 IP SRC=255.255.255.255 IP DST=192.168.1.227, IP tos=0x00, IP proto=17 SPT=10308 DPT=51719
IN= OUT=wlan0 MAC source = 9c:c9:eb:15:dd:ce MAC dest = 50:2f:9b:2a:ba:9d proto = 0x0800 IP SRC=255.255.255.255 IP DST=192.168.1.227, IP tos=0x00, IP proto=17 SPT=10308 DPT=51719
I would have expected IP SRC to be 192.168.2.36, and the packet go through the FORWARD chain and not the OUTPUT chain. I'm afraid this is somehow related to conntrack, who registers this entry as soon as the request is received from the router:
[NEW] udp 17 60 src=192.168.1.227 dst=255.255.255.255 sport=65137 dport=10308 [UNREPLIED] src=192.168.2.36 dst=192.168.1.227 sport=10308 dport=65137
[UPDATE] udp 17 60 src=192.168.1.227 dst=255.255.255.255 sport=65137 dport=10308 src=192.168.2.36 dst=192.168.1.227 sport=10308 dport=65137
[UPDATE] udp 17 60 src=192.168.1.227 dst=255.255.255.255 sport=65137 dport=10308 src=192.168.2.36 dst=192.168.1.227 sport=10308 dport=65137 [ASSURED]
So... Do I have any chance to somehow achieve my result?
