Forwarding all incoming traffic to one ip


#1

Hello,

I have the latest OpenWrt 18.06.1 installed on my AVM 4020. I want to implement the following behaviour:

Route all incoming traffic on the WAN side (that is, traffic addressed to the router's IP) to one specific address on the LAN side. There will be just one device connected to the LAN side. Of course I want the same on the way back: traffic from the LAN side should go out on the WAN side using the IP of the router.

From outside it should look like communicating with a PC (which is located on the LAN side) when using the router's WAN IP address.

The router's IP address is 10.1.1.50; the PC's IP address can be any IP, also 10.1.1.x. At the end a script has to detect which PC is connected.

I tried a lot of SNAT and DNAT examples, but I always got stuck with having no access to the router at the end.

I am very unfamiliar with this topic and appreciate your help. At the moment I am using the LuCI interface, with custom firewall rules there.

Thank you.


#2

Is there a reason you're not using a different subnet for your target machine?

If the target machine is on the same network, you'll likely have to play some static-routing games to get it to pass return packets back through the router. If they don't pass back through the router, then the static NAT won't be "undone" and the client machine will wonder why it sent a packet to 10.1.1.50 and got no response, but got an unsolicited packet from 10.1.1.nnn.

It's also "highly unusual" for a router to have the same subnet on two interfaces. Again, "routing games" needed to make things work.

Edit:

I'm not sure what you're trying to accomplish. It seems as though you'd be better off just assigning 10.1.1.50 to the target machine and directly connecting it to the network.


#3

@Edge, perhaps you want to put a transparent firewall in front of your machine? If so, instead of routing use a bridge, and bridge netfilter. Basically you create a bridge between two VLANs on your "router", say eth0.1 and eth0.2, you put VLAN1 on one port and VLAN2 on another port, then you plug your wide network into the first port, and your PC into the second port.

Enable bridge netfilter using the appropriate sysctls:

https://wiki.libvirt.org/page/Net.bridge.bridge-nf-call_and_sysctl.conf

and then set up your custom firewall to filter the appropriate packets. A custom firewall will be required, as the "zone" concept in OpenWrt is probably not going to work here.

Edit: if you go this route, I recommend setting up a 3rd VLAN on which you can connect to control / configure the device.


#4

Hello all,

Thank you for your answers. And sorry that I did not explain the reason for the router clearly enough.

The issue is that I have changing IP addresses on the LAN side.

The setup is as following:

I have a network of PCs and PLCs here. For the PCs and some PLCs I can set fixed IP addresses as I want; typically I use 10.1.1.x, but it can be something different. These devices form a network, let's say network A. Now for some other PLCs the functionality of their default factory-installed firmware shall be tested. Due to this fact, unfortunately, for these PLCs I cannot change the IP addresses. It can be any IP address. Each of these PLCs will be integrated into network A via its own router and shall be accessible via the router's IP address.

Thank you for your help.


#5

OK, so it sounds like you want to be able to NAT a device that has a factory-fixed IP so it can integrate into a larger network. In this case just put a router in front that does the SNAT and DNAT, but create a separate VLAN on the router and have it listen on this VLAN. For convenience I suggest you set up IPv6 only on the command and control VLAN and connect there with a PC.
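As an added example that is not part of the thread (and not OpenWrt project code), here is what the SNAT/DNAT approach from #5, with the separate management VLAN from #3, could look like as a script for the custom-rules file `/etc/firewall.user` on OpenWrt 18.06 (fw3's iptables user chains). Every concrete value is an assumption: eth0.2 as the WAN port toward network A, eth0.1 as the port the PLC hangs on, eth0.3 as the management VLAN, 192.168.0.10 as a placeholder for the factory-fixed PLC address, and the chain names prerouting_rule, postrouting_rule, forwarding_rule and input_rule that fw3 hooks into the nat and filter tables. Without `APPLY=1` the script only prints the rules, so you can review them before applying them to a router whose only other path you are about to redirect.

```shell
#!/bin/sh
# Added example, not from the thread. Interface names, the PLC address and
# the fw3 user-chain names below are assumptions for illustration.
WAN_IF="${WAN_IF:-eth0.2}"                    # port toward network A
PLC_IF="${PLC_IF:-eth0.1}"                    # port the PLC is plugged into
MGMT_IF="${MGMT_IF:-eth0.3}"                  # separate management VLAN (#3, #5)
ROUTER_WAN_IP="${ROUTER_WAN_IP:-10.1.1.50}"   # router's address in network A
PLC_IP="${PLC_IP:-192.168.0.10}"              # factory-fixed PLC address (placeholder)

# Print a rule, or execute it when APPLY=1 is set. Printing first is the
# safe default: once the DNAT below is active, SSH/HTTP from the WAN side
# no longer reaches the router itself.
rule() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

plc_nat_rules() {
    # Inbound: everything that arrives on WAN for the router's own address
    # is rewritten to the PLC. This is what made the router unreachable in
    # #1, so management has to come in on MGMT_IF instead.
    rule -t nat -A prerouting_rule -i "$WAN_IF" -d "$ROUTER_WAN_IP" \
        -j DNAT --to-destination "$PLC_IP"

    # Outbound: the PLC shows up on network A as the router's WAN address.
    rule -t nat -A postrouting_rule -o "$WAN_IF" -s "$PLC_IP" \
        -j SNAT --to-source "$ROUTER_WAN_IP"

    # Toward the PLC, hide the original client behind the router's
    # PLC-side address, so the PLC always answers to the router and the
    # DNAT is undone (the return-path problem raised in #2).
    rule -t nat -A postrouting_rule -o "$PLC_IF" -d "$PLC_IP" -j MASQUERADE

    # Allow the two forwarded directions; whatever else is forwarded is
    # still decided by the zone configuration.
    rule -A forwarding_rule -i "$WAN_IF" -o "$PLC_IF" -d "$PLC_IP" -j ACCEPT
    rule -A forwarding_rule -i "$PLC_IF" -o "$WAN_IF" -s "$PLC_IP" -j ACCEPT

    # The router itself is administered only from the management VLAN.
    rule -A input_rule -i "$MGMT_IF" -j ACCEPT
}

plc_nat_rules
```

Run it once without `APPLY=1` and check the six printed rules against your real interface names before applying; the management VLAN rule is what keeps a path to the router once the WAN address has been handed to the PLC.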