Forward Port from OpenWrt IP (LAN) to internal IP Adress


I've this setup:

  • OpenWRT Firewall
    • IP Adress: / Gateway / Subnet
    • WAN Interface not used & not configured
    • Installed behind a Third-Party-Firewall what resides behind Internet (
    • The OpenWRT is used mainly as a VPN-Server within an existing network
    • A wireguard VPN-Server/ Client configuration makes the network accessible trough the VPN Tunnel
    • From the OpenWRT I can ping and curl

Because of some firewall limitations of the external network, I want to add a port forwarding rule that when I access my Firewall-IP on Port I get forwarded to the TCP port.

I already tried this with a firewall-rule:

config redirect
	option target 'DNAT'
	option name 'test'
	option src 'lan'
	option dest 'lan'
	option proto 'tcp'
	option src_dip ''
	option src_dport '88'
	option dest_ip ''
	option dest_port '80'
	option enabled '1'

Is this possible? Did I miss something?

The Wireguard-Tunnel is maybe something complex, but I also did not managed it with a internal forwarding rule to my own LAN.

From to

config redirect
	option target 'DNAT'
	option name 'test'
	option src 'lan'
	option dest 'lan'
	option proto 'tcp'
	option src_dip ''
	option src_dport '88'
	option dest_ip ''
	option dest_port '80'
	option enabled '1'

What did I wrong?

This is not possible it do because the traffic on the same LAN is switched, not routed. As a result, it never hits the firewall on the router.

That's correct - but what I'd like to do is to access the IP from the Firewall (OPENWRT Interface) - so a port-forwarding must be possible? is the IP of the OpenWRT Firewall and I would access to the forwarding rule by opening this url:


I just do not get how many devices / networks / interfaces you have, and how do they relate.

You seem to have a firewall with just one interface?
You want to redirect to an IP address not connected directly to the device?

You don't have a firewall you have a VPN server (or client, Wireguard is symmetric). In other words it is a gateway to the VPN network.

If someone on the .50 network wants to access the .178 network there are two ways it can happen. If their OS has an entry for via in its routing table, the packet will go directly to your VPN server and down the VPN. This entry can be made manually or with a DHCP option.

The other way is to leave the PCs alone and install a route to .178 on the .50.1 main router. A PC user going to will, like everything else outside .50, use the default route of This will then be re-forwarded by that router to your VPN server.

Either way it is all conventional routing, not NAT.

What does the overall physical topology look like for your network and what are you access goals over the VPN?

I know that this can be done with traditional routing, this is already working.
But the question is if I am able to set - up a port-forwarding what is doing this with DNAT

The problem is related to a firewall-rule (and probably also a company policy from the other Organization managing the another Firewall) for devices what only can access the - net.

I know the simple solution would be the static route, but the question is if we can set up a port-forwarding with DNAT on the lan side ->

@mat1 - I asked a question about your goals -- if we better understand what you are trying to do (in a broader sense), we can likely help you with a working solution.

FWIW, I have an OpenWrt router running WG behind my main router. I have access to my entire LAN including the both routers.

I think I was on the wrong way, I found the thing I want:

iptables -t nat -A PREROUTING -p tcp -i br0 --dport 201 -j DNAT --to-destination
iptables -A FORWARD -p tcp -d --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -d -p tcp --dport 22 -j SNAT --to-source

But routing the Subnet's and also routing them correctly from the main Firewall is the most cleanest solution.

Thank you for your help!

I've still one issue:

This are the correct rules:

iptables -t nat -A PREROUTING -p udp --dport 1628 -j DNAT --to-destination
iptables -t nat -A POSTROUTING -j MASQUERADE

enabling them via SSH works without problems, but when Adding them in Luci under Custom Rules they're not applying.


Create a DNAT + SNAT rule, or enable zone masquerading:

Custom rules are tricky, so it's best to avoid when possible.

When I've the Firewall at and want to forward TCP to how does the rules should look like?

I tried:

config redirect
	option name 'DNAT'
	option src 'lan'
	option src_dport '8888'
	option dest 'lan'
	option dest_ip ''
	option dest_port '80'
	option proto 'tcp'
	option target 'DNAT'

config redirect
	option enabled '1'
	option target 'SNAT'
	option src_dip ''
	option src_dport '8888'
	option name 'SNAT'
	option proto 'tcp'
	option dest_ip ''
	option dest_port '80'

Remove the SNAT rule options:

Instead specify the proper src and dest zones.

Then perform testing and collect the output:

iptables-save -c -t nat | grep -e [DS]NAT
root@VPNGW:/etc/config# iptables-save -c -t nat | grep -e DNAT
[0:0] -A zone_lan_prerouting -p tcp -m tcp --dport 8888 -m comment --comment "!fw3: DNAT" -j DNAT --to-destination

This is not working, I'm unable to access the port :8888.

If i manually change the rule via SSH it works:

-A PREROUTING -p tcp -m tcp --dport 8888 -m comment --comment "!fw3: DNAT" -j DNAT --to-destination

Post the output:

iptables-save -c -t nat
root@FW-VPNGW:~# iptables-save -c -t nat
# Generated by iptables-save v1.8.3 on Sat Jan 16 11:17:26 2021
:GL_SPEC_DMZ - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:postrouting_wireguard_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:prerouting_wireguard_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
:zone_wireguard_postrouting - [0:0]
:zone_wireguard_prerouting - [0:0]
[7:975] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[3:729] -A PREROUTING -i wg0 -m comment --comment "!fw3" -j zone_wireguard_prerouting
[7:1621] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[0:0] -A POSTROUTING -o wg0 -m comment --comment "!fw3" -j zone_wireguard_postrouting
[0:0] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[0:0] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_lan_prerouting -p tcp -m tcp --dport 8888 -m comment --comment "!fw3: DNAT" -j DNAT --to-destination
[0:0] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[0:0] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[0:0] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[0:0] -A zone_wireguard_postrouting -m comment --comment "!fw3: Custom wireguard postrouting rule chain" -j postrouting_wireguard_rule
[3:729] -A zone_wireguard_prerouting -m comment --comment "!fw3: Custom wireguard prerouting rule chain" -j prerouting_wireguard_rule
# Completed on Sat Jan 16 11:17:26 2021
1 Like

Assign LAN and VPN interfaces to the appropriate firewall zone.

When reviewing Firewall Zones I think I've some misconfiguration within the firewall zones....

Does any zone needs do have an interface? If yes, then this zone is useless - correct?

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option network ' '
	option forward 'REJECT'

I also see one zone what has a device assigned to - but the device is not shown within Luci.

config zone 'wireguard'
	option name 'wireguard'
	option output 'ACCEPT'
	option device 'wg0'
	option masq6 '1'
	option input 'ACCEPT'
	option network 'wireguard'
	option forward 'REJECT'

Would it be better to create a interface with the name "wireguard" and assign the wg0-device to that interface and then assign the interface to the zone?

Are interfaces just virtual interfaces (like firewall zones) to better manage interface in groups or are these interfaces created also on the device?


  • If I create a wireguard vpn, the physical interface wg0 is created
  • The Interface wg0 is missing in the LUCI Gui under interfaces
  • In this case I can easily create a Interface within luci, assign the wg0 and Select Wireguard VPN as protocol type or do I break something if I do this?

Sorry for the "noob" questions - but my experience with OpenWrt is not so much (until now).

Thank you