Access redirected IP from LAN

Hello all,

I have the topology described below.

The ISP provides me with a subnet of 16 IP addresses ( that are routed to various (virtual) machines running in the subnet. My office laptops are behind a second router.

What I can do:

  • ssh from laptop to open-wrt router
  • access (see picture, same is true from any other ip in this subnet) from the laptop if the VPN is enabled (say, ssh into it);
  • access from the outside world (eg. ssh into it);
  • access outside world from (eg. ping

What I cannot do:

  • access from the laptop if the VPN is disabled.

Tracert from the laptop shows

  1    <1 ms    <1 ms    <1 ms   <- this is the second router where office computers connect
  2     1 ms    <1 ms    <1 ms   <- this is the OpenWRT router
  3     2 ms     1 ms     1 ms    <- don't know what this is, I suppose ISP internal router
  4     *        *        *     Request timed out.

Detailed information including iptables-save


You have redirect config sections containing wan as src, but there are no with lan as src. And you also may need nat sections with lan as dst.

But have you considered using static routes (one for each destination) instead of hundreds of NAT rules?

You could assign the public IP address to the loopback interface or a dummy interface on the VMs. And then configure a default route with the public IP address as preferred source in static routes on the VMs. (Disable the original default route.)

Or use split brain DNS which resolves your servers to the private IP addresses on your lan.

1 Like

Thank you for taking the time to reply.

This indeed works:

config redirect
        option src 'lan'
        option src_dip ''
        option target 'DNAT'
        option dest 'my_servers'
        option dest_ip ''
        option name 'reverse lan DNAT'
        list proto 'tcp'
        list proto 'udp'
        list proto 'icmp'
        option reflection_src 'external'

config nat
        option proto    'all'
        option name     'reverse lan SNAT'
        option src_ip   ''
        option target   'SNAT'
        option snat_ip  ''
        option src      'my_servers'
        option dst      'lan'

Any insight about why the tracert showed the outside router but was not reentering?

Thanks for the other suggestions as well, I will read the docs on them.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.