Forwarding all incoming traffic to one IP


I have the latest OpenWrt 18.06.1 installed on my AVM 4020. I want to implement the following behaviour:

Route all incoming traffic on the WAN side, that is, traffic addressed to the router's IP, to one specific address on the LAN side. There will be just one device connected to the LAN side. Of course I want the same way back: traffic from the LAN side should go out on the WAN side using the IP of the router.

From outside it should look like communicating with a PC (which is located on the LAN side) when using the router's WAN IP address.

The router's IP address is, the PC's IP address can be any IP, also 10.1.1.x. A script has to detect at the end which PC is connected.

I tried a lot of SNAT and DNAT examples, but I always got stuck with having no access to the router at the end.

I am very unfamiliar with this topic and appreciate your help. At the moment I am using the LuCI interface, with custom firewall rules there.

Thank you.

Is there a reason you're not using a different subnet for your target machine?

If the target machine is on the same network, you'll likely have to play some static-routing games to get it to pass return packets back through the router. If they don't pass back through the router, then the static NAT won't be "undone" and the client machine will wonder why it sent a packet to and got no response, but got an unsolicited packet from 10.1.1.nnn.

It's also "highly unusual" for a router to have the same subnet on two interfaces. Again, "routing games" needed to make things work.


I'm not sure what you're trying to accomplish. It seems as though you'd be better off just assigning to the target machine and directly connecting it to the network.


@Edge, perhaps you want to put a transparent firewall in front of your machine? If so, instead of routing use a bridge, and bridge netfilter. Basically you create a bridge between two VLANs on your "router", say eth0.1 and eth0.2, you put VLAN1 on one port and VLAN2 on another port, then you plug your wide network into the first port, and your PC into the second port.

enable bridge netfilter using appropriate sysctls:

and then set up your custom firewall to filter appropriate packets. Custom firewall will be required as the "zone" concept in OpenWrt is probably not going to work here.

Edit: if you go this route, I recommend to set up a 3rd VLAN on which you can connect to control / configure the device.

Hello all,

Thank you for your answers. And sorry that I did not explain the reason for the router clearly enough.

The issue is that I have changing IP addresses on the LAN side.

The setup is as follows:

I have a network of PCs and PLCs here. For the PCs and some PLCs I can set fixed IP addresses as I want, typically I use 10.1.1.x, but it can be something different. These devices form a network, let's say network A. Now for some other PLCs the functionality of their default factory-installed firmware shall be tested. Due to this fact, unfortunately, for these PLCs I cannot change the IP addresses. It can be any IP address. Each of these PLCs will be integrated into network A via its own router and shall be accessible via the router's IP address.

Thank you for your help.

Ok so it sounds like you want to be able to NAT a device that has a factory fixed IP so it can integrate into a larger network. In this case just put a router in front that does the SNAT and DNAT, but create a separate VLAN on the router and have it listen on this VLAN. For convenience I suggest you set up IPv6 only on the command and control VLAN and connect there with a PC.


Hello dlakelan,

thank you for your reply and sorry for my late answer.

Can you give me a hint about the config files, how to manage this using OpenWrt?

For example, having on the WAN side and on the LAN side, and how to create this with the VLAN.

Thank you in advance.


Easiest thing is to do it in Luci.

Start from the default out of the box settings.

I don't know your device details myself, like how many ports, what switch layout it has, how many cpu ethernet connections, etc.

So, go to the Network > Switch settings and add a VLAN, say number 5; this will be your command and control VLAN. Make this VLAN tagged on the CPU and untagged on a specific port on the switch of your device (try plugging a cable in and seeing what port Luci says it's connected to, then choose that one :wink: ). Turn this VLAN off for all other ports. Note that you will want to be making these edits from a different port than the one you're adding to the VLAN, so that you don't lose ethernet connection after clicking save.

Now in Luci create a new "network", call it "command", set up DHCP on this network and set its physical settings to eth0.5 (or eth1.5, depending on your hardware, if it has more than one CPU ethernet connection; the important thing is that you selected above that the eth device for the CPU would be tagged). Make the subnet say and give the router on the network.

Create its own firewall zone as well called "command". Turn off forwarding from LAN to command firewall zone (all of this is straightforward pointy clicky in Luci).

Now, your goal is to forward from WAN to LAN DNATting all inbound traffic to a specific LAN IP say which you will change depending on what your PLC or whatever needs. Let's just assume is hard-coded into your device.

Connect to the router on the command and control port we set up above; if this doesn't work, something went wrong above.

Go to Network > interfaces > Lan and set up protocol "static address" for your router. Set up the DHCP server at the bottom to hand out type addresses if needed for your PLC.

Now go to Network > Firewall, select the "Port Forwards" tab, call it "allports", select TCP+UDP, external zone "wan", leave external port blank, internal zone lan, internal IP address: select the one for your PLC, leave internal port blank, click Add, then click Save and Apply.

That should do it: now any packet coming in on WAN will be rewritten to the IP address you selected on the LAN. You'll need to change this constantly as you use different devices with different hard-coded addresses on your LAN.

See if that works.
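An added shell example (my code, not dlakelan's and not the OpenWrt project's) that does the same steps with uci instead of clicking through Luci, so the PLC address can be swapped from a script as the original question asked. Values assumed here that are not in the thread: the command-and-control VLAN is id 5 on eth0.5, its subnet is 192.168.5.0/24 with the router at 192.168.5.1, and the redirect section is named allports. Switch port membership for VLAN 5 is hardware-specific and is still done under Network > Switch. The script validates the PLC address before anything is committed, prints the uci commands when run off the router, and touches only the wan and lan zones, so the command zone that keeps you logged in is left alone.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenWrt project: the Luci recipe
# above as uci commands. Assumed values (not in the thread): command VLAN
# interface eth0.5, command subnet 192.168.5.0/24 with the router at
# 192.168.5.1, redirect section named "allports". Switch port membership
# for VLAN 5 is hardware-specific: do that in Network > Switch first, from
# a port that is NOT the one being moved into the VLAN.

CMD_IFACE="${CMD_IFACE:-eth0.5}"        # tagged CPU interface for VLAN 5
CMD_ADDR="${CMD_ADDR:-192.168.5.1}"     # router address on the command VLAN
CMD_MASK="${CMD_MASK:-255.255.255.0}"

# Return 0 if $1 is a syntactically valid dotted-quad IPv4 address, else 1.
# A mistyped PLC address would otherwise be committed into the firewall,
# which is one way to end up with no access to the router at all.
valid_ipv4() {
    ip="$1"
    case "$ip" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, non-digit, empty octet
    esac
    old_ifs="$IFS"; IFS=.
    set -- $ip
    IFS="$old_ifs"
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# uci batch for the command-and-control interface, its DHCP pool and a
# firewall zone that accepts management traffic but forwards nothing.
command_vlan_batch() {
    cat <<EOF
set network.command=interface
set network.command.proto='static'
set network.command.ifname='$CMD_IFACE'
set network.command.ipaddr='$CMD_ADDR'
set network.command.netmask='$CMD_MASK'
set dhcp.command=dhcp
set dhcp.command.interface='command'
set dhcp.command.start='100'
set dhcp.command.limit='150'
set dhcp.command.leasetime='12h'
set firewall.command_zone=zone
set firewall.command_zone.name='command'
set firewall.command_zone.network='command'
set firewall.command_zone.input='ACCEPT'
set firewall.command_zone.output='ACCEPT'
set firewall.command_zone.forward='REJECT'
EOF
}

# uci batch for the "allports" redirect: every TCP and UDP packet arriving
# on wan for the router's address is DNATed to the PLC at $1. Only the lan
# zone is involved, so the command zone (and your session on it) is untouched.
allports_batch() {
    if ! valid_ipv4 "$1"; then
        echo "allports_batch: '$1' is not an IPv4 address" >&2
        return 1
    fi
    cat <<EOF
set firewall.allports=redirect
set firewall.allports.name='allports'
set firewall.allports.src='wan'
set firewall.allports.dest='lan'
set firewall.allports.proto='tcp udp'
set firewall.allports.target='DNAT'
set firewall.allports.dest_ip='$1'
EOF
}

# Feed a batch to uci on the router; off the router, print the commands
# so they can be reviewed before anything is applied.
apply_batch() {
    if command -v uci >/dev/null 2>&1; then
        uci batch && uci commit
    else
        sed 's/^/uci /'
    fi
}

# Usage on the router: sh plc-nat.sh <plc-ip>  (e.g. 10.1.1.50, a constructed address)
# Re-run with a new address whenever a PLC with a different hard-coded IP is plugged in.
if [ "$#" -eq 1 ]; then
    valid_ipv4 "$1" || { echo "usage: $0 <plc-ipv4-address>" >&2; exit 1; }
    command_vlan_batch | apply_batch || exit 1
    allports_batch "$1" | apply_batch || exit 1
    if command -v uci >/dev/null 2>&1; then
        /etc/init.d/firewall reload
    fi
fi
```

Running it without uci present (on your PC) prints the exact uci commands it would issue, which is a cheap way to review the redirect before it goes onto the router; on the router it commits and reloads the firewall, and because only a redirect between wan and lan is written, the command VLAN stays reachable the whole time.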