Allowing clients to reach internal network via public WAN IP

I am setting up an email server and it is reachable on port 25 at mx.example.tld when I am coming from outside the LAN.
All good so far.
But when I try to connect to it from LAN the connection gets refused because it originates from LAN and wants to get in via WAN.

How can I allow this type of connection?

Hope you've disabled open relay.

Set it to listen to all interfaces, or make sure your public DNS resolves to your LAN subnet IP from within your LAN.

Could you please elaborate on that? What should be set to listen on all interfaces?

The email server?

:wink: Already listening on all interfaces. I have worked around the issue for now using the hostnames functionality in OpenWrt, returning the local LAN IP. I was hoping for a solution that does not need that.

The keyword here would be "nat loopback" or "hairpin" in case that port 25 is port forwarded.

Yes, it is port forwarded. How do I allow NAT loopback or hairpin?

The OpenWrt uci firewall should take care of this by default. How did you configure the forward?

I used LUCI -> network -> firewall - port forwards

NAT loopback (i.e. the OpenWrt setting) only works for the IP in question (i.e. testing the server from the server's IP).

You will have to:

  • Make a local DNS entry for mx.example.tld for the LAN IP as @frollic noted; or
  • Make a firewall port forward that places the packet into the originating zone; this will cause the packet to forward using the normal rules for the zone

I advise the DNS method.

# in /etc/config/dhcp

config domain
	option ip ''
	option name 'mx.example.tld'

# in /etc/config/firewall

config redirect
	option target 'DNAT'
	option src 'wan'
	option proto 'tcp'
	option src_dport '25'
	option dest_port '25'
	option src_ip ''
	option name 'REDIRECT_SMTP_LAN'
	option dest_ip ''
	option dest 'lan'
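
A check to run from a LAN client, added here as an example and not part of any post in the thread: it reports whether mx.example.tld resolves to a LAN address (the local DNS entry is in effect) or to the WAN address (the connection depends on NAT loopback or a forward), and probes port 25 on each answer. The subnet 192.168.1.0/24, the address 203.0.113.10 and all function names are assumptions.

```python
import ipaddress
import socket


def classify_path(resolved_ip, lan_cidr, wan_ip):
    """Say which path a LAN client takes to the mail server for one DNS answer."""
    addr = ipaddress.ip_address(resolved_ip)
    if addr in ipaddress.ip_network(lan_cidr):
        return "direct"      # local DNS entry in effect, traffic stays on the LAN
    if addr == ipaddress.ip_address(wan_ip):
        return "hairpin"     # client targets the WAN IP and relies on the router
    return "unexpected"      # stale record, or a different resolver answered


def resolve_ipv4(name):
    """Return the sorted IPv4 addresses the client's resolver gives for name."""
    infos = socket.getaddrinfo(name, 25, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def smtp_banner(ip, port=25, timeout=5.0):
    """Connect and return the first data the server sends, or the error text."""
    try:
        with socket.create_connection((ip, port), timeout=timeout) as s:
            s.settimeout(timeout)
            return s.recv(512).decode("ascii", "replace").strip()
    except OSError as exc:
        return f"connect failed: {exc}"


def report(name, lan_cidr, wan_ip, resolver=resolve_ipv4, probe=smtp_banner):
    """Resolve name, classify each answer, and probe port 25 on it."""
    rows = []
    for ip in resolver(name):
        rows.append((ip, classify_path(ip, lan_cidr, wan_ip), probe(ip)))
    return rows


if __name__ == "__main__":
    # Constructed values: replace with your own LAN subnet and public address.
    for row in report("mx.example.tld", "192.168.1.0/24", "203.0.113.10"):
        print(*row, sep="\t")
```

A "hairpin" row with "connect failed: ... refused" matches the symptom in the original question; a "direct" row with an SMTP banner shows the DNS method is working.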
