General questions on options for a redirect rule

I have some general questions on redirect rules as follows.

In regard to this example:

config redirect
	option name 'WAN12345_LAN2345'
	option target 'DNAT'
	option src 'wan'
	option src_ip '7.7.7.7'
	option src_ip '8.8.8.8'
	option src_mac 'aa:bb:cc:dd:ee:ff:gg'
	option src_mac 'hh:ii:jj:kk:ll:mm:nn'
	option src_dport '12345'
	list proto 'tcp'
	list proto 'udp'
	option dest 'lan'
	option dest_ip '192.168.0.1'
	option dest_port '2345'

Q1. Is it right that, when the same option is repeated two or more times, traffic need only satisfy one of them? In other words,

	option src_ip '7.7.7.7'
	option src_ip '8.8.8.8'

amounts to saying that the source IP must be either the one or the other?

Q2. Is it right that different options must all be satisfied? In other words,

	option src_ip '7.7.7.7'
	option src_mac 'aa:bb:cc:dd:ee:ff:gg'

amounts to saying it must both be the case that the source IP is 7.7.7.7 and that the source MAC is aa:bb:cc:dd:ee:ff:gg?

Q3. Combining Q1 and Q2, the example at the top of this post would mean something like this:

  • Source IP must be 7.7.7.7 or 8.8.8.8, and source MAC must be aa:bb:cc:dd:ee:ff:gg or hh:ii:jj:kk:ll:mm:nn, and protocol must be TCP or UDP.

Q4. It seems 'src' as in src_ip and src_dport have two different meanings. In src_ip, 'src' refers to the person (machine) out there trying to satisfy the redirect rule in your OpenWrt (thus src_ip is his public IP address). But in src_dport, 'src' means your router's port that the traffic must hit (thus src_dport is your port, i.e. a port in your router). Do I understand this right?

Q5. When the person out there has the usual setup of a computer sitting behind a router, does src_mac refer to the MAC of the computer or the router? (I believe this question amounts to asking which MAC the router sends out to the Internet.)

I'd very much appreciate answers like 'Q1 through Q4 yes, Q5 the router's.' But if I am wrong in any of my ideas, I would appreciate being told what would have been right.

Thanks very much.

Yes, you cannot have multiple source IPs to be both of them. But you need a list, not an option, for that to work.
Redirects cannot take more than one source IP. You either must create more redirect rules or use ipsets.

Yes, but you should not use a MAC address when you expect packets from the internet.

Right.

Correct.

None; MAC has local application. Therefore you will only see the MAC of the ISP router which connects to your modem/router.


Thank you very much.

I believe I understood all parts of your answer except for the above quoted.

Could you elaborate?

I just looked at:

Are you saying my code should look like:

config redirect
	option name 'WAN12345_LAN2345'
	option target 'DNAT'
	option src 'wan'
	list src_ip '7.7.7.7'
	list src_ip '8.8.8.8'
	list src_mac 'aa:bb:cc:dd:ee:ff:gg'
	list src_mac 'hh:ii:jj:kk:ll:mm:nn'
	option src_dport '12345'
	list proto 'tcp'
	list proto 'udp'
	option dest 'lan'
	option dest_ip '192.168.0.1'
	option dest_port '2345'

Oh yes, that must be it. That other post is quite clear. Thanks very much.


Just to clarify: you cannot use the "list" syntax to specify multiple src_ip values in a redirect rule. Restarting the firewall will return a warning, and the rule will be ignored.

Warning: Option @redirect[X].src_ip must not be a list
Warning: Section @redirect[X] (rule_name) skipped due to invalid options

You will need to create a separate rule for each individual source IP address or use an IP set.

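As an added example (my own script, not code from this thread or from OpenWrt), a small POSIX shell script that does two things the answer above implies: it emits one `config redirect` section per source IP, which is the "separate rule for each individual source IP address" workaround, and it lints a UCI firewall file for the two src_ip mistakes seen in this thread: `list src_ip`, which the firewall rejects with the warning quoted above, and a repeated `option src_ip`, which UCI collapses to a single value (the last one wins), so the other address silently drops out of the rule. The `@redirect[N]` labels imitate the form of the quoted warning, and the sample config at the bottom is constructed for the demonstration.

```shell
# emit_redirect_per_ip NAME DPORT DEST_IP DEST_PORT IP...
# Prints one DNAT redirect section per source IP; everything else in the
# match (wan zone, tcp+udp, destination) is shared. Names get an index
# suffix so each section name stays unique.
emit_redirect_per_ip() {
    name=$1; dport=$2; dest_ip=$3; dest_port=$4
    shift 4
    i=0
    for ip in "$@"; do
        i=$((i + 1))
        printf "config redirect\n"
        printf "\toption name '%s_%d'\n" "$name" "$i"
        printf "\toption target 'DNAT'\n"
        printf "\toption src 'wan'\n"
        printf "\toption src_ip '%s'\n" "$ip"
        printf "\toption src_dport '%s'\n" "$dport"
        printf "\tlist proto 'tcp'\n"
        printf "\tlist proto 'udp'\n"
        printf "\toption dest 'lan'\n"
        printf "\toption dest_ip '%s'\n" "$dest_ip"
        printf "\toption dest_port '%s'\n\n" "$dest_port"
    done
}

# lint_redirect_src_ip FILE
# Reports every `config redirect` section that sets src_ip as a list or
# repeats `option src_ip`. Prints one line per problem and returns 1 if any
# were found, 0 if the file is clean. Other section types are left alone.
lint_redirect_src_ip() {
    awk '
        function flush() {
            if (sect == "redirect") {
                if (lists > 0)
                    printf "%s: src_ip must not be a list (%d entries)\n", label, lists
                if (opts > 1)
                    printf "%s: option src_ip repeated %d times, only the last one survives\n", label, opts
                if (lists > 0 || opts > 1) bad++
            }
            sect = ""; label = ""; lists = 0; opts = 0
        }
        $1 == "config" { flush(); sect = $2; label = "@" $2 "[" idx[$2]++ "]" }
        sect == "redirect" && $1 == "option" && $2 == "name"   { label = label " " $3 }
        sect == "redirect" && $1 == "list"   && $2 == "src_ip" { lists++ }
        sect == "redirect" && $1 == "option" && $2 == "src_ip" { opts++ }
        END { flush(); exit (bad > 0) }
    ' "$1"
}

# Constructed sample: the thread's first attempt (option src_ip twice) and
# the second attempt (list src_ip). The lint flags both sections.
sample=$(mktemp)
cat > "$sample" <<'EOF'
config redirect
	option name 'WAN12345_LAN2345'
	option target 'DNAT'
	option src 'wan'
	option src_ip '7.7.7.7'
	option src_ip '8.8.8.8'
	option src_dport '12345'

config redirect
	option name 'list_attempt'
	list src_ip '7.7.7.7'
	list src_ip '8.8.8.8'
EOF
echo "== lint of the constructed sample =="
lint_redirect_src_ip "$sample" || echo "(problems found, exit status $?)"
rm -f "$sample"

echo "== one rule per source IP instead =="
emit_redirect_per_ip WAN12345_LAN2345 12345 192.168.0.1 2345 7.7.7.7 8.8.8.8
```

Running the lint against `/etc/config/firewall` before a firewall restart catches the mistake earlier than the restart warning does; the generator's output can be appended to that file, after which each source IP gets its own rule exactly as the answer describes.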

Thank you for not letting me go on with a wrong idea. That was very kind of you.

I presume having to create separate rules applies to multiple MACs?

But not to multiple protocols? (I know this because LuCI used list for multiple protocols).

How is one supposed to know when one could or must

  • use option with multiple items strung together
  • use list with one item per list line
  • create a separate rule per item?

Is there a giant reference manual somewhere? Only by trial and error?

I want to adopt your answer as "solution," but you were too generous in it to say "yes" to Q1. I believe I was just plain wrong. Could you amend your answer to say the code as I have it would not work because either I must use list or (if you agree with pavelgl) because a single redirect rule cannot accommodate two IP addresses. I believe you agree with pavelgl and "you cannot have multiple source IPs to be both of them" is your way of saying so.

Also to Q3, "Right" is too generous an answer. It would have to say that my code is wrong and would not work.

I am afraid adopting your answer as solution in the current form would mislead future (novice) readers of this post. Thanks.

Just for reference, MAC addresses only apply to your own internal network since they are only visible on L2 (switching). L3 (routing) doesn't use MACs, so you cannot match a MAC address from another network (i.e. on the internet).


I agree and I appended the answer.

It's not about the code, but about the logic which does work if applied in, let's say, an ipset.


list src_mac will work, but as mentioned, this is almost useless when you want to redirect requests arriving on the wan port.

I would recommend using LuCI (when you are not sure) and then check the UCI files. As you can see, you can specify multiple source MAC addresses, but only one source IP address in a redirect rule.



So there was a giant reference manual, but one I couldn't find without your help. Thank you so much!