Hi All,
I'm adding a rule for the nat table PREROUTING chain for inter zone NAT loopback.
The goal is to access a server in one zone from all the other zones via the external IP address.
(OpenWRT's default NAT Loopback works only for the zone the server is in)

The rule I add is:
iptables -t nat -A PREROUTING -d $wanIP/32 -p tcp -m tcp --dport XXX -j DNAT --to-destination X.X.X.X:XXX

The problem is I get the WAN IP from the command:
ip addr show pppoe-wan | awk '/inet/ {print $2}' | sed 's#/.*##'

But this happen only on startup, so if the WAN address will change the rule will fail.
Also running this command in the firewall.users is failing, so I have to do it in the rc.local at startup.
which means that any change to the firewall will require a router reboot for the rule to work again.

Is there a way to get the WAN interface (it's pppoe-wan) from inside the rule?
Also, if there is a better way for inter zone NAT loopback, it will good to know

Thanks,

Look into hotplug scripts that run when the interface state changes.

The best way to manage NAT loopback is not to do it. On-link DNS can resolve things cleanly and robustly.

I agree and aware that NAT loopback is not a perfect solution.
The problem with DNS based solutions is that they limit me to one internal IP address.
With NAT loopbacks I can forward each destination port to different internal IP address, something I currently not using but would like to keep this capability available.

The hotplug scripts looks like interesting solution - thanks for this, I'll check it

Nope, it's incorrect planning of your infrastructure.
The correct way is: 1 service == 1 domain name.
E.g. www.example.org, smtp.example.org, imap.example.org, ldap.example.org, etc.

https://openwrt.org/docs/guide-developer/network-scripting#get_wan_address

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.