DMZ without masq but with conntrack


I'm trying to replace an OPNsense with an OpenWrt instance.
There are three downstream zones, each with its own IPv6 subnet.
IPv4-wise, two of them have RFC1918 local prefixes, but one (DMZ) has publicly routed IPs assigned to the clients.

So I chose to set masq_src to only so that my publicly routed prefix isn't being NATed.
Yet one problem remains. My DMZ hosts can reach out to the internet, but the answers aren't being routed back to my hosts. I fear it's because I selectively deactivated MASQ for DMZ clients, and thus connection tracking is also disabled.

Is my assumption correct? If so, how can I enable connection tracking for my DMZ clients while at the same time let OpenWrt not masq the source IPs?

It's OpenWrt 21.02.1.

Utilising 8 Public IP's - #102 by vgaetera

I'm sorry I didn't give all the information necessary...
This is the routed setup:

[provider's router] public /29 [my router] another public /29 for my DMZ

When I ping the internet from a DMZ host, I can see the traffic going out the WAN interface of my router and I can also see the echo reply, but it's not being sent back to the originator.
I have firewall logging enabled for all rejected/dropped packets and this does not show up in the log, hence my thinking it's due to the lack of connection tracking, because my router doesn't store a state for this connection.


It should work as long as routing and firewall are configured properly.
Connection tracking is enabled in each primary chain by default.

Perhaps the interface is not assigned to the zone, or the forwarding is missing.
Or maybe there's a typo/mistake in the network configuration.

In any case, without comprehensive diagnostics, we can only make assumptions.
So, collect and analyze runtime configs for iproute and iptables.

Thank you, I will double-check those things.
As I'm migrating, I can only do this during the night, and I will have to wait for the next one to come.
Then I will provide more information, or hopefully the solution to my problem.

The only forwarding I have regarding this DMZ zone is one from DMZ to WAN, which is working, as I can see the outgoing WAN traffic. There is no forwarding from WAN to DMZ, as I want to filter incoming traffic.


Well, it was as simple as forgetting to set the most important WAN IP on my router: the one over which the DMZ prefix is routed was missing. You may hit me now.
No surprise that the return traffic did not arrive...
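To tie the thread together (the masq_src exclusion from the first post, the DMZ-to-WAN-only forwarding, and the missing WAN address from the final post), here is an added UCI configuration fragment for OpenWrt 21.02 that is not the poster's config or anything from the OpenWrt project. The addresses are documentation prefixes (198.51.100.0/29 as the provider-facing /29, 203.0.113.0/29 as the routed DMZ /29), the device names eth0/eth2 are assumed, and the assumption is that the provider's router uses 198.51.100.3 as the next hop for the DMZ /29, which is the address the poster had forgotten to configure.

```uci
# /etc/config/network  (relevant sections only; constructed example)
config interface 'wan'
	option device 'eth0'
	option proto 'static'
	# Provider-facing /29; 198.51.100.1 is the provider's router (assumed).
	list ipaddr '198.51.100.2/29'
	# Address the provider uses as next hop for the DMZ /29 (assumed).
	# This is the entry that was missing in the thread: without it the
	# provider's router cannot deliver anything destined for 203.0.113.0/29,
	# so the echo replies seen leaving never come back.
	list ipaddr '198.51.100.3/29'
	option gateway '198.51.100.1'

config interface 'dmz'
	option device 'eth2'
	option proto 'static'
	# Routed /29 for the DMZ hosts; the router holds the first usable address.
	option ipaddr '203.0.113.1'
	option netmask '255.255.255.248'

# /etc/config/firewall  (relevant sections only; constructed example)
config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	# Masquerade everything leaving wan EXCEPT the routed DMZ prefix.
	# A leading '!' negates the entry in fw3, giving '! -s 203.0.113.0/29'.
	# Connection tracking is unaffected by this: it is active in every
	# chain regardless of whether a packet is NATed.
	list masq_src '!203.0.113.0/29'
	option mtu_fix '1'

config zone
	option name 'dmz'
	list network 'dmz'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# DMZ hosts may open connections to the internet. Replies are matched by
# conntrack as ESTABLISHED/RELATED, so no wan->dmz forwarding is required
# for return traffic; that would only be needed for new inbound connections.
config forwarding
	option src 'dmz'
	option dest 'wan'
```

After `/etc/init.d/network reload` and `/etc/init.d/firewall reload`, `ip -4 addr show dev eth0` should list both WAN addresses, and `iptables -t nat -S zone_wan_postrouting` should show the MASQUERADE rule with `! -s 203.0.113.0/29`. If the return traffic still fails to arrive while the outgoing packets are visible on WAN, the first thing to check is exactly what bit the poster: that the next-hop address the provider routes the DMZ prefix to is actually configured on the router.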
