Forwarding the client IPs to upstream firewall

Hello Geeks,
I am a new user trying to configure a secure Home Network.
I have a running system where I have used an OpenWrt-based router to partition my network using VLANs. I have recently introduced a firewall solution, "IPFIRE", upstream of the router. The setup is ISP MODEM -> IPFIRE -> OPENWRT ROUTER -> devices in multiple VLANs.

PS: ignore the validity of the IP ranges, they are indicative.

Currently, when I look at the logs on the LAN side of the IPFire firewall, I only see the router's IP. Is there a way to configure OpenWrt to pass the real client addresses to the upstream firewall?

You could set up the router as a dumb AP instead, unless there's a reason for the double NAT.

1 Like

As @frollic said, or:

  • Disable masquerade on WAN of OpenWrt
  • Make a static route in IPFIRE for:

192.168.1.0/24 via <lan_interface_of_IPFIRE> gateway <WAN_IP_of_OpenWrt>

Thanks for the lightning-fast response. Can I still preserve the VLAN configuration?

I can't see why not, but I'm no VLAN expert and don't use it myself; let's see what @lleachii has to say :wink:

2 Likes

You can:

  • @frollic's suggestion means you have to make a VLAN for each in the IPFIRE, as I understand it - I'm not sure of the exact config OP has or about IPFIRE
  • with my suggestion, as long as you route all relevant subnets to the OpenWrt, you're OK

Eg:

  • 192.168.11.0/24
  • 192.168.13.0/24
  • 10.10.9.0/24
  • and 172.33.7.0/xx
  • The routes are added to IPFIRE
  • You disable masquerade on OpenWrt WAN
  • :warning: IPFIRE must masquerade upstream; some devices don't do this automatically for subnets they didn't issue, so I'm just cautioning you
1 Like

Let me try this. Another dumb question: where can I find the setting to disable masquerade on WAN in OpenWrt? I checked the interfaces under Network but could not find anything relevant.

Network > Firewall

Not dumb; in Linux, masquerade/NAT was originally developed in the firewall, not the networking stack.

  • Checkmark in the row of WAN

  • Uncheck
  • Save and apply
1 Like

Found it. It's controlled via firewall zones.

1 Like

I have been trying this out for a while:

  1. Disabled the firewall rules on IPFire.
  2. Changed the masquerade settings on OpenWrt.

But the moment I disable masquerade, the IPFire node becomes unreachable.

I even tried to set up a NAT rule to forward instead of rewrite (tried both with WAN masquerade enabled and disabled).
What am I missing?

Did you setup the routes in the IPFIRE?

Yes, I did it for the VLAN from which I am testing.
Tried multiple combinations of firewall rules in IPFire. Below is a screenshot of the most open option I could try.

Still the same behaviour. As soon as the settings update, the connection with IPFire is lost.

That screenshot says "Firewall Rules". You need to create network routes.

Since I don't use IPFIRE, I am unable to tell you if this is a valid Wiki:

I'm confused as to why you made new firewall rules, I thought your device was working already.

Thanks for pointing that out. Glad to inform you that it almost worked. Almost, because I have the client IPs in IPFire but the internet connection is broken.
Thanks a lot for your help.

My bad. Clearly I was thinking in the wrong direction. I did not read your instructions properly.

NAT rules for the IPFIRE WAN, maybe?

I have this enabled by default in the firewall options.

Should I still try to configure a NAT rule?

Tried SNAT in IPFIRE as well with a little help from this link
https://wiki.ipfire.org/configuration/firewall/rules/source-nat

Still no luck with internet.

Why is the SNAT SRC range 192.168.1.0/24?

You need to make the same ranges you placed in the static route rules (i.e. the ones on the OpenWrt VLANs).

From the screenshot, it seems you can also use the MAC address of the OpenWrt WAN interface instead of listing all 4 ranges (i.e. one rule). :wink:

(Unless I'm misunderstanding IPFIRE, that is.)
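The following is an added example, not code from the thread or from the OpenWrt/IPFire projects. It models the three states the thread goes through, the original double NAT (IPFire only sees the router's WAN IP), masquerade disabled on OpenWrt without return routes on IPFire (replies for the VLAN subnets follow IPFire's default route instead of going back to OpenWrt), and routes plus IPFire SNAT for the VLAN ranges (client IPs visible and internet working), using a tiny longest-prefix-match router and NAT rewrite over constructed packets. All addresses are constructed and indicative, like the thread's; 203.0.113.0/24 and 198.51.100.0/24 stand in for the ISP side.

```python
"""Why each step in the thread matters: simulate OpenWrt masquerade, IPFire static
routes and IPFire SNAT on one packet and its reply (stdlib only, constructed data)."""
import ipaddress
from dataclasses import dataclass, replace

# Constructed addressing (assumed, indicative). The transit link is IPFire's LAN /
# OpenWrt's WAN; the VLAN subnets live behind OpenWrt and IPFire never issued them.
VLAN_SUBNETS = ["192.168.11.0/24", "192.168.13.0/24", "10.10.9.0/24", "172.33.7.0/24"]
TRANSIT_NET = "192.168.1.0/24"
OPENWRT_WAN_IP = "192.168.1.2"
IPFIRE_WAN_IP = "203.0.113.10"
ISP_GATEWAY = "203.0.113.1"
INTERNET_HOST = "198.51.100.7"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def next_hop(routes, dst):
    """Longest-prefix match over (network, gateway) tuples; None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw in routes:
        network = ipaddress.ip_network(net)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gw)
    return best[1] if best else None


def ipfire_routes(with_vlan_routes):
    """IPFire's routing table: default via the ISP, the transit LAN on-link, and
    optionally the static routes the thread adds (each VLAN subnet via OpenWrt WAN)."""
    routes = [("0.0.0.0/0", ISP_GATEWAY), (TRANSIT_NET, "on-link")]
    if with_vlan_routes:
        routes += [(net, OPENWRT_WAN_IP) for net in VLAN_SUBNETS]
    return routes


def openwrt_egress(pkt, masquerade):
    """OpenWrt WAN zone (Network > Firewall): masquerade rewrites the source to the
    router's WAN IP, which is all IPFire then sees in its LAN-side logs."""
    return replace(pkt, src=OPENWRT_WAN_IP) if masquerade else pkt


def ipfire_egress(pkt, snat_sources):
    """IPFire WAN: source NAT applies only to sources matching a configured range.
    By default that is IPFire's own LAN; the VLAN ranges need the extra SNAT rule."""
    src = ipaddress.ip_address(pkt.src)
    if any(src in ipaddress.ip_network(net) for net in snat_sources):
        return replace(pkt, src=IPFIRE_WAN_IP)
    return pkt


def simulate(client_ip, masquerade, vlan_routes, snat_sources):
    """Walk one packet client -> OpenWrt -> IPFire -> Internet, then the reply back."""
    after_openwrt = openwrt_egress(Packet(client_ip, INTERNET_HOST), masquerade)
    after_ipfire = ipfire_egress(after_openwrt, snat_sources)
    # The upstream host can only answer to IPFire's WAN address; a source that left
    # untranslated never gets a reply.
    reply_comes_back = after_ipfire.src == IPFIRE_WAN_IP
    # IPFire un-NATs the reply to the source it saw on its LAN side and routes it.
    hop = next_hop(ipfire_routes(vlan_routes), after_openwrt.src)
    reply_reaches_client = hop in ("on-link", OPENWRT_WAN_IP)
    return {
        "seen_by_ipfire": after_openwrt.src,   # what the IPFire LAN-side log shows
        "reply_next_hop": hop,                 # ISP gateway means the reply is lost
        "internet_ok": reply_comes_back and reply_reaches_client,
    }


if __name__ == "__main__":
    default_snat = [TRANSIT_NET]
    print("double NAT:      ", simulate("192.168.11.50", True, False, default_snat))
    print("no return route: ", simulate("192.168.11.50", False, False, default_snat))
    print("routes, no SNAT: ", simulate("192.168.11.50", False, True, default_snat))
    print("routes + SNAT:   ", simulate("192.168.11.50", False, True, default_snat + VLAN_SUBNETS))
```

The second case is the one where the OpenWrt side "loses" IPFire: with masquerade off but no static routes, IPFire's only match for a 192.168.11.x destination is the default route, so every reply is sent toward the ISP. The third case reproduces "client IPs visible but no internet": the VLAN source is routed correctly but leaves IPFire's WAN untranslated, which is why the SNAT rule has to cover the VLAN ranges (or, as the thread ends up doing, match the OpenWrt WAN MAC) rather than just 192.168.1.0/24.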

192.168.0.1/24 is one of the VLAN ranges.

The NAT rule with the MAC did the trick. The internet works. Thank you very much for seeing this through :slight_smile:

1 Like