Can I enable SNAT instead of MASQUERADE from the WEB UI?

Hi,

My GPON ISP required that I obtain a commercial Fixed IP address as the only way to obtain a bridge ONU (for 20$/month).

However this is quite expensive, and when I asked to just be put on DHCP but keep the bridge, this was not possible to do easily due to the GPON management software.

But they suggested an alternative that would cost only 5$/month as it would only burn one IP address instead. I love that option


So my current setup

WAN port set to static address mode

IP Address 69.69.69.69

netmask 255.255.255.252

gateway address 69.69.69.68

everything else left as openwrt default


New setup suggested

WAN port static ip address

IP Address 100.69.69.69

netmask 255.255.240.0

gateway 10.69.69.1

Also create new interface called PUBLIC_LOOPBACK

IP address 69.69.69.69

netmask 255.255.255.255

no gateway

Do not use masquerade (Use SNAT(?))


My question: how can I do this?

Can I do this using only the Web UI ?

Thanks !

Yes, create a NAT rule for that.

Add a file /etc/nftables.d/whatever.nft

chain srcnat_wan {
        meta nfproto ipv4 meta l4proto { icmp, tcp , udp } snat to to 69.69.69.69:1024-65535 
}

That will be prepended to the default wan nat rule in its chain.

Do I need to disable the MASQUERADE somewhere else ?

Would this work ?

@anon63541380 your example starts at port 1024 but I need the other inbound ports as well, especially for email and http reverse proxy running on my router device

Also do I not need to refer to the “lo” device or “br-lan” or the zones like LAN and WAN ?

masquerade can stay after snat.
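Added here as an example (not code from the thread, nor OpenWrt's own): a small shell helper that writes the include file from the answer above without a port range, reloads the firewall, and then parses the output of nft list chain inet fw4 srcnat_wan to confirm that the snat rule is listed ahead of the masquerade rule. "masquerade can stay after snat" only holds if it really is after: nat statements are terminal, so whichever rule matches first decides the source address. The file name publicsnat.nft, the reload command and the order check are my assumptions; the addresses are the ones from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Installs the SNAT include for
# fw4 and checks that the snat rule ends up ahead of the masquerade rule.
# Assumptions: OpenWrt with fw4; the public /32 is 69.69.69.69 as in the
# thread; the include is named publicsnat.nft (any *.nft name works).

PUBLIC_IP="${PUBLIC_IP:-69.69.69.69}"
NFT_DIR="${NFT_DIR:-/etc/nftables.d}"

# Write the include. No port range: nf_nat then keeps the original source
# port whenever it is free and only remaps on collision. Inbound connections
# to services on the router are not touched by srcnat at all.
write_snat_include() {
    mkdir -p "$NFT_DIR"
    cat > "$NFT_DIR/publicsnat.nft" <<EOF
# Rewrite the source of IPv4 traffic leaving wan to the public /32.
chain srcnat_wan {
    meta nfproto ipv4 meta l4proto { icmp, tcp, udp } snat to $PUBLIC_IP
}
EOF
}

# Read "nft list chain inet fw4 srcnat_wan" on stdin and succeed only if the
# first "snat to" rule is listed above the first "masquerade" rule (or there
# is no masquerade). A masquerade listed first would win and silently put
# the 100.x interface address on every outgoing packet.
snat_precedes_masq() {
    awk '
        /snat to/    && !s { s = NR }
        /masquerade/ && !m { m = NR }
        END { exit !(s && (!m || s < m)) }
    '
}

# Run on the router as root: install, reload, verify.
apply_and_verify() {
    write_snat_include
    /etc/init.d/firewall reload || return 1
    nft list chain inet fw4 srcnat_wan | snat_precedes_masq || {
        echo "snat rule missing or listed after masquerade" >&2
        return 1
    }
    echo "ok: srcnat_wan rewrites to $PUBLIC_IP before masquerade"
}

if [ "${1:-}" = "apply" ]; then
    apply_and_verify
fi
```

Run it as root on the router with the argument apply. If the check fails, look at the order nft prints: the chain as loaded by the kernel is authoritative, not the include file. A follow-up tcpdump -ni wan 'src host 69.69.69.69' while a LAN client browses confirms the rewrite on the wire.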

@anon63541380

Thank you, your directive worked

(well there was a typo, “to” is repeated twice)

Also I changed the port range to 0-65535 but I am wondering why you started it from 1024 ?

(I have not yet tested if the mail or http works)

so I created

nano /etc/nftables.d/publicsnat.nft

chain srcnat_wan {
        # rewrite the source of all outgoing IPv4 traffic to the public /32
        meta nfproto ipv4 meta l4proto { icmp, tcp , udp } snat to 69.69.69.69:0-65535
}

and that worked

but I deleted this file and I created this from the webui

This also works !

Thanks !

You don't need to specify ports; I added that for completeness of the syntax. Low ports need to be excluded from the random range, as a great half of games and CDNs reject those.

Ports 1 to 1024 are reserved for local services. The so-called high ports are used for outgoing connections.
IIRC the default on Linux starts even at 32k or 16k.

@shodanx @_bernd I'm moving this to the wishlist; as a minimum, if the fw detects a static IP, snat is 1 mm faster than masq.

Hi,

I have been using this, it works very well.
The arrangement with my ISP is that I have a /32 for a static IP address
Instead of a /30, so it costs me 5$/month, instead of 20$/month

The only little hiccup that I don't understand is that, very occasionally, it stops working.
And the solution is simply to uncheck the "enable" checkbox, save and apply, and then re-enable it, as that fixes it every time. I don't know why, I suspect some bug.

I did it once casually while I had a ping running and tcpdump on the output, and there were apparently no outgoing packets on WAN until I did the disable/enable routine. Sorry I don't have more details than that. It is a rare intermittent problem that I can't reproduce on purpose, and when it happens it is more of an emergency to restore the internet than an opportunity to figure out why it is happening.

Note, in this situation I have masquerade on br-lan and snat on wan.

Also, they asked me to create a lo interface with my outside world IP address, I think so that my router responds to pings or something ? Don't know if this has anything to do with the routing bug.

Anyway it works well enough for me and I'll probably make a script to automatically detect when the internet stops working and run the uci commands to disable/enable the snat rules and auto-resolve the problem, but I mean, while you're working in there, maybe you'll stumble on the reason why this bug occurs, so that's why I'm telling you about this.

Just a gut feeling but maybe the neighbor entry in the ISP side times out or they have hiccups with their routing....

If it's "only" their neighbor cache you could simply send regular unsolicited ARP to update their fdb entries... But maybe it's something totally different. Hard to impossible to check from the customer side without internals from the ISP network and setup.

Interesting concern. Is ARP liveness assured with offloads?

You mean hardware offloads and such? No idea. I'm using keepalived only on x86 with "proper" NICs. Sorry, no idea.

I am now using

tcpdump -i wan -nne -vvv arp

and

IP_FORCE_COLOR=1 stdbuf -oL ip monitor neigh dev wan | perl -MTime::HiRes -MPOSIX=strftime -ne '($s,$us)=Time::HiRes::gettimeofday(); printf "\e[90m%s.%03d\e[0m %s", strftime("%Y-%m-%d %H:%M:%S", localtime($s)), $us/1000, $_'

to monitor the ARP traffic
as per How can I monitor arp traffic on the WAN? - #6 by shodanx

Traffic like

2026-01-29 12:49:39.531 100.66.66.1 lladdr 34:ef:b0:0b:ba:ab REACHABLE
2026-01-29 12:49:55.210 100.66.66.1 lladdr 34:ef:b0:0b:ba:ab STALE
2026-01-29 12:50:00.410 100.66.66.1 lladdr 34:ef:b0:0b:ba:ab PROBE
2026-01-29 12:50:00.411 100.66.66.1 lladdr 34:ef:b0:0b:ba:ab REACHABLE

Is continually ongoing, this is in a working state,
Hopefully this still runs when I get the faulty state and figure out what is going on

Do you run it at least in a screen or tmux session?

I don't know yet how I am going to make this permanent.
There are occasional losses of power, so I need something that will auto-restart the process. I also need to set up external network storage, as this will probably fill the small amount of nvram I have left (my router doesn't have a USB port).

So I will need to make an init process to start and restart these processes, mount a cifs share over the network, pipe all output to files on that mount, and handle the cifs share not always being reachable (reboots) without dropping data or hanging on a stale cifs link.

I would start it within a screen or tmux session...

And I think you do not need to monitor the whole ARP shizzle. You want to spot, for instance, INCOMPLETE and FAILED. So grep/filter the ip monitor output to exclude the boring shit, and then the write to flash is not that expensive, if there are no other ways for now. You will not run it for like 3 years.... so I would assume it's not an issue to write a few kB in the next days....

See https://blogs.oracle.com/linux/arp-internals

https://blogs.oracle.com/wp-content/uploads/sites/49/2025/10/ARP.png

@shodanx

As I said: YOU cannot spot these kinds of issues on the ISP side!

Edit: That's why I said you could test it by sending regular GARP, like every minute.
If you then do not see the issue any longer you would know its ARP on the ISP side. If it continues to be a problem then you would know, that the issue is probably somewhere else.
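Added here as an example, not code from the thread: a watchdog that combines the two ideas discussed above, the script the asker planned to write (probe the link, then run the uci disable/enable of the SNAT rule) and the GARP-every-minute test suggested for the ISP-side ARP theory. On a failed probe it first re-announces the public /32 with a gratuitous ARP; only if the link is still dead does it toggle the rule, and it records which remedy worked so the log tells you whether ARP on the ISP side is the culprit. Assumptions not in the thread: the uci section of the SNAT rule is firewall.publicsnat, the WAN device is "wan", the probe is a ping to the gateway from the setup above sourced from the public /32, and arping is the BusyBox/iputils one with -U and -s.

```shell
#!/bin/sh
# Added example, not code from the thread: a watchdog for the /32 SNAT
# setup. When the probe fails it first re-announces the public address with
# a gratuitous ARP; if the link is still dead it toggles the SNAT rule off
# and on through uci, which is the manual fix the asker described.
# Assumptions not in the thread: the uci section of the rule is
# firewall.publicsnat, the WAN device is "wan", the probe is a ping to the
# gateway sourced from the public /32.

PUBLIC_IP="${PUBLIC_IP:-69.69.69.69}"
GATEWAY="${GATEWAY:-10.69.69.1}"
WAN_DEV="${WAN_DEV:-wan}"
SNAT_RULE="${SNAT_RULE:-publicsnat}"
INTERVAL="${INTERVAL:-30}"   # seconds between checks
SETTLE="${SETTLE:-5}"        # seconds to wait after a remedy
# Every external command is a variable so a test can swap in fakes.
PROBE_CMD="${PROBE_CMD:-ping -c 1 -W 2 -I $PUBLIC_IP $GATEWAY}"
GARP_CMD="${GARP_CMD:-arping -U -c 1 -I $WAN_DEV -s $PUBLIC_IP $PUBLIC_IP}"
UCI="${UCI:-uci}"
FW_RELOAD="${FW_RELOAD:-/etc/init.d/firewall reload}"
REMEDY=none   # set by check_once: none, garp, snat or failed

log() { logger -t snatwatch "$*" 2>/dev/null || echo "snatwatch: $*" >&2; }

probe() { $PROBE_CMD >/dev/null 2>&1; }

# Unsolicited ARP for the /32 on the WAN side, so the ISP gateway relearns
# which MAC owns the public address without waiting for its own probe.
send_garp() { $GARP_CMD >/dev/null 2>&1; }

# Disable, commit, reload, enable, commit, reload: what "uncheck enable,
# save & apply, re-enable" does in LuCI.
toggle_snat() {
    $UCI set "firewall.$SNAT_RULE.enabled=0" &&
    $UCI commit firewall && $FW_RELOAD &&
    $UCI set "firewall.$SNAT_RULE.enabled=1" &&
    $UCI commit firewall && $FW_RELOAD
}

# One cycle: probe, escalate through the two remedies, record which one
# restored the link. Returns 0 when the link is up at the end.
check_once() {
    REMEDY=none
    probe && return 0
    log "probe to $GATEWAY failed, sending gratuitous ARP for $PUBLIC_IP"
    send_garp
    sleep "$SETTLE"
    if probe; then REMEDY=garp; log "recovered after GARP"; return 0; fi
    log "still down, toggling firewall.$SNAT_RULE"
    toggle_snat || log "uci toggle returned $?"
    sleep "$SETTLE"
    if probe; then REMEDY=snat; log "recovered after SNAT toggle"; return 0; fi
    REMEDY=failed
    log "still down after GARP and SNAT toggle"
    return 1
}

# Foreground loop; run it from a procd init script or a screen session.
watchdog() {
    while :; do
        check_once
        sleep "$INTERVAL"
    done
}

case "${1:-}" in
    run)  watchdog ;;
    once) check_once ;;
esac
```

Start it with the argument run, and read the result off logread -e snatwatch: if the outages are consistently healed by the GARP step, the ISP neighbor-cache theory is supported; if only the SNAT toggle helps, the cause is on the router. Note that the REACHABLE/STALE/PROBE lines from ip monitor are the router's view of the gateway, not the gateway's view of 69.69.69.69, which is the entry the GARP refreshes.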