Getting the WAN address for iptables command

Hi All,
I'm adding a rule for the nat table PREROUTING chain for inter zone NAT loopback.
The goal is to access a server in one zone from all the other zones via the external IP address.
(OpenWRT's default NAT Loopback works only for the zone the server is in)

The rule I add is:
iptables -t nat -A PREROUTING -d $wanIP/32 -p tcp -m tcp --dport XXX -j DNAT --to-destination X.X.X.X:XXX

The problem is I get the WAN IP from the command:
ip addr show pppoe-wan | awk '/inet/ {print $2}' | sed 's#/.*##'

But this happen only on startup, so if the WAN address will change the rule will fail.
Also running this command in the firewall.users is failing, so I have to do it in the rc.local at startup.
which means that any change to the firewall will require a router reboot for the rule to work again.

Is there a way to get the WAN interface (it's pppoe-wan) from inside the rule?
Also, if there is a better way for inter zone NAT loopback, it will good to know :slight_smile:


Look into hotplug scripts that run when the interface state changes.

The best way to manage NAT loopback is not to do it. On-link DNS can resolve things cleanly and robustly.

1 Like

I agree and aware that NAT loopback is not a perfect solution.
The problem with DNS based solutions is that they limit me to one internal IP address.
With NAT loopbacks I can forward each destination port to different internal IP address, something I currently not using but would like to keep this capability available.

The hotplug scripts looks like interesting solution - thanks for this, I'll check it :slight_smile:

Nope, it's incorrect planning of your infrastructure.
The correct way is: 1 service == 1 domain name.
E.g.,,,, etc.


This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.