Create a Public Port Forward that still works from Guest LAN [SOLUTION]

I have a fairly simple setup, a LAN network, and a Guest Network. The Guest network can't access the LAN, but has internet access.

I then have a Port Forward configured to a server on my LAN, that I also wanted to have work from the Guest Network. i.e. if a guest user goes to "" they should be able to get to the site just as if they were on the public internet.

Using the LuCI interface, I couldn't get it to work, and from hours and hours of searching, I couldn't find a solution that I liked. The iptables rules just weren't doing what I needed. I considered messing with DNS (see solution further below), but too hard and requires too much maintenance with updates etc. and can lead to many debugging issues (based on my past experiences).

My final solution was this:

In the Firewall - Custom Rules section I added the following lines:

PUBLIC_IP=$(ip route get | awk -F"src " 'NR==1{split($2,a," ");print a[1]}')
iptables -t nat -A PREROUTING -i br-lan.10 -m comment --comment "Guest - Working port forward" -d $PUBLIC_IP -p tcp -m tcp --dport 443 -j DNAT --to-destination
iptables -t nat -A PREROUTING -i br-lan.10 -m comment --comment "Guest - Working port forward" -d $PUBLIC_IP -p tcp -m tcp --dport 80 -j DNAT --to-destination

The first line is to extract the current public IP address (I'm not sure if this script is called when the IP changes, but mine does not change often).

The next 2 lines create the required DNAT rules, but just for traffic that's hitting the UI, and only for traffic from my Guest LAN (which is on VLAN 10, so the interface is br-lan.10). Then the --dport is obviously the port the request is for, and the --to-destination should be the IP address and port you want the port forward to go to. The values here are the same as the ones I put under Port Forwards from the WAN.

Hopefully this helps someone else (or maybe someone can tell me I have missed something really obvious to make this work).

Split DNS Solution

If you wanted to go with the Split DNS solution, providing your setup is what's needed, it can be done as follows.

Assume you have a dynamic IP address, with a DDNS host name of, and a Port Forward configured for both port 80 and 443 to an internal server on the LAN at The forwarded ports must forward to 80 and 443 respectively for this to work.

Then for your public host names/web address, have be a CNAME record pointing to your DDNS of

In your DDNS config, under the Advanced Settings tab, there must be a DNS-Server entry so the DDNS service does not get confused, for example put in a public DNS server such as or

You can then put in an entry into your /etc/hosts file as follows:

In LuCI, under Network > DHCP and DNS > Resolv and Hosts Files, ensure the Ignore /etc/hosts checkbox is cleared. You may need to restart to make this change take effect.

Create a Firewall > Traffic Rule to allow traffic from the Guest LAN to the server IP on port 80 and port 443.

That should be it, once all DNS caches have cleared (typically 2-5 minutes), things should work. The trick here is only overriding the dyndns entry, and leaving the public records consistent. Hopefully that combination should minimize issues down the track.
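An added example (my own code, not from the original post): the same guest-VLAN hairpin DNAT rules as a small script with two safeguards, extracting the WAN address with a parser that returns nothing when there is no route, so that an empty `-d` never reaches iptables, and appending each rule only if `iptables -C` says it is not already present. `GUEST_IF`, `SERVER_IP` (a placeholder address), `PROBE_IP`, `DRY_RUN` and the function names are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. GUEST_IF, SERVER_IP, PROBE_IP,
# DRY_RUN and the function names are assumptions; SERVER_IP is a placeholder.

GUEST_IF="${GUEST_IF:-br-lan.10}"        # guest VLAN bridge, as in the post
SERVER_IP="${SERVER_IP:-192.168.1.10}"   # placeholder: LAN server the WAN forward points at
PROBE_IP="${PROBE_IP:-1.1.1.1}"          # any public address; only used to select the WAN route
DRY_RUN="${DRY_RUN:-0}"                  # 1 = print the iptables commands instead of running them

# Extract the "src" address from `ip route get` output read on stdin.
# Matching the whole "src <addr>" token prints nothing on error output
# such as "RTNETLINK answers: Network is unreachable".
src_from_route() {
    sed -n 's/.*[[:space:]]src[[:space:]]\([0-9.][0-9.]*\).*/\1/p' | head -n 1
}

# WAN source address the router would use right now (empty if WAN is down).
public_ip() {
    ip route get "$PROBE_IP" 2>/dev/null | src_from_route
}

# Add one hairpin DNAT rule for guest traffic to PUBLIC_IP:PORT, once only.
add_guest_dnat() {  # $1 = public IP, $2 = TCP port
    set -- PREROUTING -i "$GUEST_IF" -d "$1" -p tcp -m tcp --dport "$2" \
        -m comment --comment "Guest - Working port forward" \
        -j DNAT --to-destination "$SERVER_IP:$2"
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables -t nat -A $*"
        return 0
    fi
    # -C succeeds when an identical rule exists; append only when it does not,
    # so re-running the custom rules does not pile up duplicate DNAT entries.
    iptables -t nat -C "$@" 2>/dev/null || iptables -t nat -A "$@"
}

# Install the rules for 80 and 443. With no WAN address the original one-liner
# would expand to "-d -p tcp", which iptables rejects; fail loudly instead.
install_guest_hairpin() {  # $1 = public IP (defaults to the live WAN address)
    pub="${1:-$(public_ip)}"
    if [ -z "$pub" ]; then
        echo "guest hairpin: no WAN source address found, rules not installed" >&2
        return 1
    fi
    for port in 80 443; do
        add_guest_dnat "$pub" "$port" || return 1
    done
}
```

Paste the functions into Firewall > Custom Rules and finish the file with a call to `install_guest_hairpin`; `DRY_RUN=1` shows the commands that would be run without touching the NAT table.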

