Forward Traffic from LAN to WAN IP to different net

Hi,
I have my router on OpenWRT and I have multiple networks configured in OpenWRT (ending in different VLANs): wan (PPPoE), lan (for end-users) and lanserver (for the server and the VMs on it). On the server multiple websites are running. They are also exposed to WAN with the following config:

config redirect
    option name 'http wan'
    option src 'wan'
    option src_dport '80'
    option dest 'lanserver'
    option dest_ip '10.1.4.3'
    option target 'DNAT'

On the server (10.1.4.3) a dyndns service is running that sets the public IPv4 of the wan network in DNS. When the end-users in the lan net try to access one of the websites running on the server, the traffic only goes to the OpenWRT but is not forwarded. I know that I've not configured it, so what's happening is correct with the currently set rules. But I don't know how to forward the traffic to the server. Maybe you can help me with this.

Two options:

  • NAT reflection aka hairpin.
  • Configure the DNS on the router to answer with the server's internal IP address when the external name is requested.

Hi,
thank you. For me the second option is really complicated, but I tried the first option again. Now it's working. I think I tried this before as well, but it seems like I did something wrong.

Yesterday it worked, but I tried this again now (the only thing I did in between was restarting the firewall once) and now it's not working. The current config is the following block:

config redirect
    option name 'http wan'
    option src 'wan'
    option src_dport '80'
    option dest 'lanserver'
    option dest_ip '10.1.4.3'
    option target 'DNAT'
    option reflection_src 'external'

Does anyone have an idea why it doesn't work? I would not like to change DNS locally because I have a lot of domains on the local server.

# LAN client: probe the public address from inside the LAN to see whether port 80 is reachable
nmap -Pn -p 80 ${WAN_IP_ADDR}

# OpenWrt: dump the NAT rules with packet/byte counters and see whether the http redirect rule is being hit
iptables-save -c | grep -e http

I misunderstood the reflection setting in fw3. It only added the reflection in the lanserver net. Now I added the following custom rules (which are re-applied on reload of the firewall):

# load the OpenWrt network helpers and resolve the current (PPPoE) address of the wan interface into $wan
source /lib/functions/network.sh
network_get_ipaddr wan wan

# hairpin rules for the lan zone: traffic from lan clients to the public address on 80/443 is DNATed to the server,
# exactly like the wan-side redirect; the comment marks them as user rules in the fw3 listing
iptables -t nat -A zone_lan_prerouting -d "$wan"/32 -p tcp -m tcp --dport 80 -m comment --comment "fw3_firewall_user: Port Forward http lan (reflection)" -j DNAT --to-destination 10.1.4.3:80
iptables -t nat -A zone_lan_prerouting -d "$wan"/32 -p tcp -m tcp --dport 443 -m comment --comment "fw3_firewall_user: Port Forward https lan (reflection)" -j DNAT --to-destination 10.1.4.3:443
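As an added example (not code from the thread), the same hairpin rules generalised to a list of zones and ports, with a guard for the failure mode of this approach: when the firewall reloads before PPPoE has an address, `network_get_ipaddr` returns an empty string and `-d /32` makes iptables reject every rule. It assumes the server 10.1.4.3 and the fw3 `zone_<zone>_prerouting` chains from the thread; the zone and port lists are constructed.

```shell
#!/bin/sh
# Added example: build hairpin DNAT rules for several zones/ports.
# Assumes the server at 10.1.4.3 and fw3 zone_<zone>_prerouting chains (from the thread).
SERVER_IP="10.1.4.3"
PORTS="80 443"          # constructed list; add any other forwarded ports
ZONES="lan"             # constructed list; e.g. "lan guest" for a second client zone

# Print one DNAT rule per zone/port (printed, not applied, so it can be checked first).
# Returns 1 and prints nothing if the WAN address is missing, instead of emitting broken rules.
reflection_rules() {
    wan_ip="$1"; server="$2"; zones="$3"; ports="$4"
    case "$wan_ip" in
        *.*.*.*) ;;
        *) echo "reflection_rules: no WAN IPv4 address, skipping" >&2; return 1 ;;
    esac
    for z in $zones; do
        for p in $ports; do
            printf 'iptables -t nat -A zone_%s_prerouting -d %s/32 -p tcp -m tcp --dport %s -m comment --comment "fw3_firewall_user: reflection %s %s" -j DNAT --to-destination %s:%s\n' \
                "$z" "$wan_ip" "$p" "$z" "$p" "$server" "$p"
        done
    done
}

# On the router: resolve the PPPoE address with the same helper the thread uses, then apply.
if [ -r /lib/functions/network.sh ]; then
    . /lib/functions/network.sh
    network_get_ipaddr wan wan
    reflection_rules "$wan" "$SERVER_IP" "$ZONES" "$PORTS" | sh
fi
```

Because the WAN address can change after a PPPoE reconnect, rules built this way go stale until the next firewall reload; fw3 also accepts a `reflection_zone` list option on the redirect section to generate reflection rules for additional source zones without hand-written iptables rules.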
