Can I enable SNAT instead of MASQUERADE from the WEB UI?

Hi,

My GPON ISP required that I obtain a commercial Fixed IP address as the only way to obtain a bridge ONU (for 20$/month).

However, this is quite expensive, and when I asked to just be put on DHCP but keep the bridge, this was not possible to do easily due to the GPON management software.

But they suggested an alternative that would cost only 5$/month as it would only burn one IP address instead. I love that option.


So my current setup:

WAN port set to static address mode

IP Address 69.69.69.69

netmask 255.255.255.252

gateway address 69.69.69.68

everything else left as openwrt default


New setup suggested:

WAN port static ip address

IP Address 100.69.69.69

netmask 255.255.240.0

gateway 10.69.69.1

Also create new interface called PUBLIC_LOOPBACK

IP address 69.69.69.69

netmask 255.255.255.255

no gateway

Do not use masquerade (Use SNAT(?))


My question: how can I do this?

Can I do this using only the Web UI?

Thanks !

Yes, create a NAT rule for that.


Add a file /etc/nftables.d/whatever.nft

chain srcnat_wan {
        meta nfproto ipv4 meta l4proto { icmp, tcp , udp } snat to to 69.69.69.69:1024-65535 
}

That will be prepended to the default wan NAT rule in its chain.

Do I need to disable the MASQUERADE somewhere else?

Would this work?

@brada4 your example starts at port 1024, but I need the other inbound ports as well, especially for email and the HTTP reverse proxy running on my router device.

Also, do I not need to refer to the “lo” device or “br-lan”, or the zones like LAN and WAN?

Masquerade can stay after SNAT.

@brada4

Thank you, your directive worked.

(Well, there was a typo: “to” is repeated twice.)

Also, I changed the port range to 0-65535, but I am wondering why you started it from 1024?

(I have not yet tested whether mail or HTTP works.)

So I created

nano /etc/nftables.d/publicsnat.nft

# fw4 merges this chain with its own srcnat_wan; these rules run before the zone masquerade rule.
chain srcnat_wan {
        # Source-NAT all outbound IPv4 traffic to the public /32 instead of the private WAN address.
        # The range only selects the source port of outbound connections.
        meta nfproto ipv4 meta l4proto { icmp, tcp , udp } snat to 69.69.69.69:0-65535
}

and that worked.

But I deleted this file and created this from the web UI instead:

This also works!

Thanks !
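For readers who want the text form of what the Web UI NAT rule writes, here is the equivalent section in /etc/config/firewall. This is an added example, not the poster's screenshot or OpenWrt project code; it assumes a firewall4 system (OpenWrt 22.03 or later) whose WAN zone is named wan, and the rule name is arbitrary.

```uci
# /etc/config/firewall  (added example; section name 'Public SNAT' is arbitrary)
#
# firewall4 emits "config nat" sections into chain srcnat_wan ahead of the
# zone's masquerade rule, so packets matched here are SNATed to the public
# /32 and never reach MASQUERADE; masquerade can stay enabled on the zone.
config nat
	option name 'Public SNAT'
	option family 'ipv4'
	option proto 'all'
	option src 'wan'
	option target 'SNAT'
	option snat_ip '69.69.69.69'

# No snat_port is given on purpose: a port range on an SNAT rule only
# chooses the source port of *outbound* connections. It does not limit
# which inbound ports the router's own mail or reverse-proxy services can
# accept, so there is no need for 0-65535 here.
```

After `/etc/init.d/firewall restart`, `nft list chain inet fw4 srcnat_wan` should show the snat rule listed before the masquerade rule; if it does not, the zone's masquerade would win for the traffic it matches.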

You don't need to specify ports; I added that for completeness of syntax. Low ports need to be excluded from the random range, as a great half of games and CDNs reject those.

Ports 1 to 1024 are reserved for local services. The so-called high ports are used for outgoing connections.
IIRC the default on Linux starts even at 32k or 16k.
