DNAT to dynamic IPv4

slamb · July 15, 2021, 7:34pm

I want a host in my DMZ to be accessible by IPv4 from inside or outside my LAN. I'm willing to dedicate the relevant ports (http and https) on my one external dynamic IPv4 address to this.

I have three cases:

from wan: works fine. I set up port forward rules from wan to dmz. I use ddns to point the hostname to my openwrt router.
from trusted using openwrt's DNS resolver: works fine. if hosts in my trusted zone use openwrt's DNS resolver, the hostname resolves to the DMZ host's internal IP, and I allow trusted->dmz connections, so no port forwarding is necessary.
from trusted using external DNS: this is the problem. Sometimes I have guests who have hardcoded Google Public DNS, or I noticed Firefox uses DNS-over-HTTPS to somewhere else.

If I just set up a DNAT rule like the following...

config redirect
        option target 'DNAT'
        option name 'https/trusted'
        list proto 'tcp'
        option src 'trusted'
        option src_dport '443'
        option dest 'dmz'
        option dest_ip '192.168.8.3'
        option dest_port '443'
        option reflection '0'

...it breaks everything. It redirects outbound connections to any site on the Internet. It redirects connections to openwrt's LAN-side IP address.

If I go to the advanced settings tab and select External IP address: "my.external.ip.here (wan)" it adds this to the config:

    option src_dip 'my.external.ip.here'

and everything works...for now. But my external IP is dynamic, and this breaks when it changes.

Is there an easy way to tell it to redirect stuff bound for a given interface's IPv4 address and have it keep working when that changes?

slamb · July 15, 2021, 7:59pm

I think one way I could do this is to have /etc/udhcpc.user empty and re-populate the nat postrouting_trusted_rule chain with the rules I need. I feel like I'm missing something slicker from the web UI though.

jow · July 15, 2021, 7:59pm

Change the value of option src_dip to literal 'wan', this should cause the firewall to determine the IP automatically

slamb · July 15, 2021, 8:04pm

That seems to work, thanks! I'll watch it next time my IP changes to see if it keeps working. [edit: looks like it should, via /etc/hotplug.d/iface/20-firewall. neat!]

Should the luci UI let me set that? It doesn't think it's valid.

jow · July 15, 2021, 8:06pm

Yeah, just noticed . The validation in the ui is too strict/incomplete. Will fix it.

system · July 25, 2021, 8:06pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.