Connect to a device from LAN to WAN from WAN IP


I need to have the device ( on the openwrt router lan port to connect to the server (, but the server would only accepts the connection if it's coming from the router WAN port IP ( and has VLAN 10

Here is the network diagram:

             Server (
Internet -- Firewall (VLAN 10 / LAN / no DHCP)
                L Openwrt router (WAN - LAN - VLAN 10 - DHCP)
                      L device ( - tagged VLAN 10)

This is the configuration I've done but I'm missing something I guess:

Network > Switch setup:
VLAN 10: CPU (eth0): tagged / LAN: tagged / WAN: tagged

Network > Interface setup:
WAN_10: eth0.10 / static IP: / gateway: / no DHCP
LAN_10: eth0.10 / static IP: / DHCP activated

Any idea how to make it work?


1 Like

If I understand the above, it sounds like this is what you want to achieve:

  • Connect from to

It sounds like these are the obstacles to achieving that:

  • There's a firewall in the way
  • The connection to the target is only permitted if it comes from, not from

The "easy" answer is to enable masquerade in the OpenWRT router. That has the effect of making all traffic appear to originate from it, not from a client behind it. That should satisfy the firewall.

However, is that firewall transparent, or routed? If it's routed, then what are the subnet masks?

If you're using /24 ( you're going to have problems with a routed firewall because both sides of the firewall are in the same subnet (,, and are all in; the firewall won't know where to send traffic.

With those addresses, if your firewall is routed, you'd need smaller subnets, e.g. /27 or higher, to avoid routing issues.


Set up OpenWrt as router and tag only the WAN interface:

EtherType is not part of the IP datagram, so you don't need to tag the LAN interface:


I do have to tag the LAN interface as there are other VLANs on the LAN side. Not sure if I should use another tag number on the LAN side though (i.e VLAN20), but in this case I'm not sure what to do to have my VLAN20 to be passed as VLAN10 on the WAN

This looks incorrect since your LAN and WAN interfaces should have different names.

Yes, as an option.


Don't have the same port and VLAN in more than one network.

What you need is routing from the network to the network. This is usually done with NAT where the OpenWrt router would masquerade your request to the server as its IP The server answers back to the OpenWrt router then the router's connection table knows to send the reply back to

This is the default configuration of OpenWrt to NAT and masquerade from LAN to WAN. VLANs don't enter into this other than as a physical concern to have more than one network exist on a cable.


@RockPeach, welcome to the community!

Unless I misunderstood...make a redirect to Port Forward to that IP from LAN to LAN. This will edit the header in the packet and forward it as needed to the server.

Ok thanks I've done this setup and will be able to test tomorrow on the target network

1 Like

That works!
Indeed only setting up the tag to the WAN interface was enough, no need to even setup a LAN interface.
Thanks so much for your help!


Great info to know it's the default OpenWRT configuration so there was no need to try to change any configuration to get the request sent from the WAN IP address

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.