[SOLVED] Help for 1:1 NAT

Hi

I am using OpenWrt 18.06.2 and want to setup an IPv4 1:1 NAT.

This is what I want to achieve

[ WAN ]---( PPPoE )---[ OpenWrt ]---( 1:1 NAT )---[ pfSense ]---[ LAN ]
(OpenWrt) 192.168.0.1 --<-->-- 192.168.0.2 (pfSense)

I have seen the HowTo fw3 NAT but my problem is, I have a dynamic IPv4 Address and using a dynamic DNS service to connect from the outside.

I added the following port forwarding using LuCI:

Match

IPv4-TCP+UDP
From any host in wan
Via any router IP

Foward

IP 192.168.0.2 in lan

Now even if this works I'm not sure if this is correctly setup as I have read something about SNAT and DNAT and for me it looks like only the DNAT is now somehow setup?

Is this even possible to set it up without having a static public IPv4 address which can be used in an iptables rule?

And this HowTo DD-WRT One-to-one NAT with the following sample config:

iptables -t nat -I PREROUTING -d [PUBLIC_IP] -j DNAT --to-destination [LAN_IP]

but how to get an iptables rule for the dynamic public IP? :wink:

SNAT is usually handled with a masquerade rule:

root@OpenWrt:~# iptables-save | grep MASQ
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE

The dynamic IPv4 address is inserted automatically by MASQUERADE, and the reverse traffic for a connection that was initiated in the LAN->WAN direction is handled by connection tracking.

For connections initiated in the WAN->LAN direction, your DNAT rule matches on the WAN interface. It does not use the dynamic IP address as a filter. Again, connection tracking takes care of the rest.

Is your setup working?

I have not tried such an "exposed host" setup, but I believe this should be possible.

May I ask why you are using OpenWrt and pfSense in combination here, and not just a single box?

1 Like

Thank you for your response.

Sure, because of this FreeBSD Bug which prevents full-speed for 1 Gbit connections using PPPoE.

OpenWrt is not FreeBSD based and can handle 1 Gbit over PPPoE (using the same Hardware).
pfSense can handle 1 Gbit but not over PPPoE and I simply know better how to setup stuff on pfSense like FreeRADIUS, Captive Portal, OpenVPN, ...

Can I add your suggested configuration somehow in the Custom rules section in the Firewall configuration using LuCI?

I run FreeBSD on most everything, though 12 stock, not pfSense. I do have an APU3C4 running Debian as my interface to Comcrap for different reasons and route from there to my second firewall, which runs FreeBSD. This provides address independence for that FreeBSD firewall (fixed, immutable rules with elevated kernsecurelevel) as well as two layers of firewall with different technologies. The Debian box uses “normal” NAT as well. The only notable downside to this over full one-to-one NAT is that opening a port for incoming traffic requires adding a rule to both firewalls, but that, to me, is an advantage of the setup and wouldn’t be different with all-port mapping. All-port mapping would prevent outside access to the Debian box over SSH, which I consider a significant limitation.

With all-port mapping, maybe I’m missing something, but how would you get the default route via your ISP’s router installed on your pfSense instance?

(Then there’s IPv6...)

I did not mean to suggest any changes to your configuration, but rather described my understanding of your current OpenWrt firewall/NAT configuration. That's why I asked whether it works. If it does work, there's no need to change it from my point of view.

You can enter raw iptables rules in the /etc/firewall.user or in the custom rules in Luci.
However in your case the SNAT is not needed, everything going from the LAN to WAN will be Masqueraded to the public IP of the WAN. Moreover you don't have a static public IP, so one extra reason to just do Masquerade only.

@trendy thx for clarification, it works indeed as it should :slight_smile:

If your problem is solved, feel free to mark the relevant post as the solution; and edit the title to add "[SOLVED]" to the beginning (click the pencil behind the topic).

grafik

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.