Hi all, new OpenWrt user here.
I have multiple internal routed subnets and was having issues with NAT reflection rules not being applied to these subnets until I found this thread, which gave a solution:
NAT loopback/reflection problem: local static routed subnets are not covered by fw3 reflection rules
Based on this, I then explicitly defined all of my internal subnets within the "LAN" zone as described in the thread above and confirmed that associated DNAT prerouting and SNAT postrouting rule pairs had been created automatically for each of my explicitly defined LAN subnets to accommodate the required reflections.
However, the problem is that the auto-created SNAT rules are not using OpenWrt's internal LAN interface IP for the SNAT "--to-source" IP, and instead are using the original source network address?! In the original port forward rule for my webserver ("HTTPS_to_NginX"), in the advanced options, NAT loopback is checked (as per default) and I have selected the internal IP address as the SNAT address for the reflected traffic.
Let me provide specifics:
My OpenWrt internal LAN interface address is 192.168.10.19/24. I have since added the common RFC 1918 private subnets to the LAN firewall zone (Zone > Advanced Settings > Covered Subnets) to cover reflection for all possible current and future internal LAN addresses:
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
With this, the following auto NAT loopback rules are in place (I've manually obfuscated my public WAN IP):
iptables -t nat -A zone_lan_prerouting -p tcp -s 192.168.10.0/255.255.255.0 -d 82.x.x.x/255.255.255.255 -m tcp --dport 443 -m comment --comment "!fw3: HTTPS_to_NginX (reflection)" -j DNAT --to-destination 192.168.0.5:443
iptables -t nat -A zone_lan_prerouting -p tcp -s 10.0.0.0/255.0.0.0 -d 82.x.x.x/255.255.255.255 -m tcp --dport 443 -m comment --comment "!fw3: HTTPS_to_NginX (reflection)" -j DNAT --to-destination 192.168.0.5:443
iptables -t nat -A zone_lan_prerouting -p tcp -s 172.16.0.0/255.240.0.0 -d 82.x.x.x/255.255.255.255 -m tcp --dport 443 -m comment --comment "!fw3: HTTPS_to_NginX (reflection)" -j DNAT --to-destination 192.168.0.5:443
iptables -t nat -A zone_lan_prerouting -p tcp -s 192.168.0.0/255.255.0.0 -d 82.x.x.x/255.255.255.255 -m tcp --dport 443 -m comment --comment "!fw3: HTTPS_to_NginX (reflection)" -j DNAT --to-destination 192.168.0.5:443
iptables -t nat -A zone_lan_postrouting -p tcp -s 192.168.10.0/255.255.255.0 -d 192.168.0.5/255.255.255.255 -m tcp --dport 443 -m comment --comment "!fw3: HTTPS_to_NginX (reflection)" -j SNAT --to-source 192.168.10.19
iptables -t nat -A zone_lan_postrouting -p tcp -s 10.0.0.0/255.0.0.0 -d 192.168.0.5/255.255.255.255 -m tcp --dport 443 -m comment --comment "!fw3: HTTPS_to_NginX (reflection)" -j SNAT --to-source 10.0.0.0
iptables -t nat -A zone_lan_postrouting -p tcp -s 172.16.0.0/255.240.0.0 -d 192.168.0.5/255.255.255.255 -m tcp --dport 443 -m comment --comment "!fw3: HTTPS_to_NginX (reflection)" -j SNAT --to-source 172.16.0.0
iptables -t nat -A zone_lan_postrouting -p tcp -s 192.168.0.0/255.255.0.0 -d 192.168.0.5/255.255.255.255 -m tcp --dport 443 -m comment --comment "!fw3: HTTPS_to_NginX (reflection)" -j SNAT --to-source 192.168.0.0
You will notice that the auto-created NAT loopback rules for my OpenWrt LAN interface use the correct internal IP for the SNAT, but that the other auto-created rules for my additionally defined LAN zone subnets DON'T, and instead use the network address corresponding to the original source LAN network. This is my problem.
I have another firewall that sits in front of my webserver and can confirm that it receives inbound HTTPS requests from the incorrectly translated IPs.
Could anyone shed any light on this behaviour as to why the SNAT is not being correctly applied?
Many thanks for any help,
BAM
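As an added illustration of the symptom described in the post (this is example code written for this page, not the poster's configuration and not part of fw3 or OpenWrt), the script below parses the four zone_lan_postrouting SNAT rules quoted above, flags every reflection rule whose --to-source is the network address of its own source subnet rather than a router-owned address, and emits iptables commands that delete the defective rule and re-add it with the router's LAN address. It assumes, as the poster states, that the intended SNAT source is the LAN interface address 192.168.10.19; the sample rules are copied from the post and the fix commands are an assumed remediation, not a statement of why fw3 generated the rules that way.

```python
import ipaddress
import shlex

# From the post: the router's LAN interface address that reflected traffic
# should be SNATed to. Assumed to be the only router-owned address that matters.
ROUTER_LAN_IP = ipaddress.ip_address("192.168.10.19")

# Constructed sample input: the four fw3 reflection SNAT rules quoted in the post,
# verbatim. (The DNAT rules are omitted; the WAN address in them is obfuscated.)
SAMPLE_RULES = [
    'iptables -t nat -A zone_lan_postrouting -p tcp -s 192.168.10.0/255.255.255.0 -d 192.168.0.5/255.255.255.255 -m tcp --dport 443 -m comment --comment "!fw3: HTTPS_to_NginX (reflection)" -j SNAT --to-source 192.168.10.19',
    'iptables -t nat -A zone_lan_postrouting -p tcp -s 10.0.0.0/255.0.0.0 -d 192.168.0.5/255.255.255.255 -m tcp --dport 443 -m comment --comment "!fw3: HTTPS_to_NginX (reflection)" -j SNAT --to-source 10.0.0.0',
    'iptables -t nat -A zone_lan_postrouting -p tcp -s 172.16.0.0/255.240.0.0 -d 192.168.0.5/255.255.255.255 -m tcp --dport 443 -m comment --comment "!fw3: HTTPS_to_NginX (reflection)" -j SNAT --to-source 172.16.0.0',
    'iptables -t nat -A zone_lan_postrouting -p tcp -s 192.168.0.0/255.255.0.0 -d 192.168.0.5/255.255.255.255 -m tcp --dport 443 -m comment --comment "!fw3: HTTPS_to_NginX (reflection)" -j SNAT --to-source 192.168.0.0',
]


def parse_rule(line: str) -> dict:
    """Map each iptables option to the token that follows it.

    Good enough for fw3 output: every option we care about (-s, -d, -j,
    --comment, --to-source) takes exactly one argument. Repeated options
    such as "-m tcp" / "-m comment" simply keep the last value.
    """
    toks = shlex.split(line)
    opts = {}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t.startswith("-") and i + 1 < len(toks) and not toks[i + 1].startswith("-"):
            opts[t] = toks[i + 1]
            i += 2
        else:
            i += 1
    return opts


def audit_reflection_snat(line: str, router_addrs=(ROUTER_LAN_IP,)) -> tuple:
    """Return (verdict, detail) for one rule.

    OK   : --to-source is a router-owned address (return traffic comes back to us).
    BAD  : --to-source is the network address of the rule's own -s subnet,
           i.e. the exact symptom reported in the post.
    WARN : some other address we cannot vouch for.
    SKIP : not an fw3 reflection SNAT rule at all.
    """
    r = parse_rule(line)
    if r.get("-j") != "SNAT" or "(reflection)" not in r.get("--comment", ""):
        return ("SKIP", "not an fw3 reflection SNAT rule")
    src = ipaddress.ip_network(r["-s"], strict=False)   # accepts a.b.c.d/netmask form
    to = ipaddress.ip_address(r["--to-source"])
    if to in router_addrs:
        return ("OK", f"{src} -> SNAT to router address {to}")
    if src.prefixlen < 32 and to == src.network_address:
        return ("BAD", f"{src} -> SNAT to its own network address {to}, not a router address")
    return ("WARN", f"{src} -> SNAT to {to}, which is not a known router address")


def summarize(rules) -> dict:
    """Count verdicts across a list of rules."""
    counts = {}
    for rule in rules:
        verdict, _ = audit_reflection_snat(rule)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


def corrected_rule(line: str, new_source=ROUTER_LAN_IP) -> str:
    """Same rule with only the --to-source argument replaced; everything else kept."""
    toks = shlex.split(line)
    i = toks.index("--to-source")
    toks[i + 1] = str(new_source)
    return " ".join(shlex.quote(t) for t in toks)


def fix_commands(line: str, new_source=ROUTER_LAN_IP) -> list:
    """Assumed remediation: delete the defective rule by its exact match spec,
    then append the corrected one. Both are plain iptables invocations."""
    delete = line.replace(" -A ", " -D ", 1)
    return [delete, corrected_rule(line, new_source)]


if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        verdict, detail = audit_reflection_snat(rule)
        print(verdict, detail)
        if verdict == "BAD":
            for cmd in fix_commands(rule):
                print("    ", cmd)
```

Run against the posted rules it reports the 192.168.10.0/24 rule as OK and the three wide RFC 1918 rules as BAD, which is exactly the pattern the post describes. Note that hand-editing the nat table this way is overwritten the next time fw3 reloads, so it is a diagnostic, not a persistent fix.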