Hi!
I have a web server running in a DMZ, which is an interface defined on its own VLAN (you can find plenty of guides on how to configure a DMZ). This web server correctly connects to the internet and is reachable from WAN, so the port forward rules work. These rules are nothing special:
WAN 80/tcp -> internalIP 80/tcp
WAN 443/tcp -> internalIP 443/tcp.
Now, I'd like to reach the web server from LAN by using my domain instead of its internal hostname, possibly without defining hostnames from LuCI, as I'm using plenty of subdomains (a.mydomain.org, b.mydomain.org...) and I'm lazy. That's when I discovered NAT Loopback, but it doesn't work. Curling https://a.mydomain.org returns "Connection refused", whereas http://a.mydomain.org returns "Rejected request from RFC1918 IP to public server address", so I think in this case it's LuCI that's replying.
What's the correct way to set up NAT Loopback?
I know of no direct way to set up a "NAT loopback" on OpenWrt - except for the exact IP in question (as there is a check box).
Since you don't want to edit your DNS, I'd suggest making a redirect that drops the packet back in the same network, so it forwards to the VLAN with the private IP. FYI, the domain method is most recommended on the forum - as this takes CPU resources on the router to NAT.
```
config redirect
	option target 'DNAT'
	option src 'wan'
	option proto 'tcp'
	option src_dport '80'
	option dest_ip '192.168.x.y'
	option dest_port '80'
	option src_ip '192.168.1.0/24'
	option dest 'lan'
	option name 'REDIRECT_HTTP_LAN'
```
This seems like it's a reply from your web server, as the source IP is a private address to a Public...it also reminds me of an OpenWrt security error...
I only tried the first two lines because I think, although I'm not sure, I only need those. Anyway, they both return an error: "iptables: No chain/target/match by that name."
OK, these commands did the trick!
Apparently I only need these ones:
```
iptables -t nat -A zone_lan_prerouting -s 192.168.1.0/24 -d 95.237.136.248/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: Web server HTTP (reflection)" -j DNAT --to-destination 192.168.3.10:80
iptables -t nat -A zone_lan_prerouting -s 192.168.1.0/24 -d 95.237.136.248/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: Web server HTTPS (reflection)" -j DNAT --to-destination 192.168.3.10:443
```
The first 2 lines @trendy posted seem to be unnecessary to me, and the rules referring to 192.168.0.2 are related to my modem interface, in this case I'm sure I don't need them.
My IP address is dynamic, but since /etc/firewall.user is a shell script I could just fire up some commands and save my current address in a variable.
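One way to do that, as an added example that is not part of the thread: a /etc/firewall.user fragment that re-creates the two reflection DNAT rules above but reads the current WAN address at run time. It assumes the WAN interface is `eth0.2` (change to yours) and reuses the thread's LAN subnet and DMZ host; `IPT=echo` prints the rules instead of applying them.

```shell
#!/bin/sh
# /etc/firewall.user: LAN -> public-IP reflection rules for a dynamic WAN address.
# Added example, not from the thread. Assumptions: WAN interface eth0.2,
# LAN subnet 192.168.1.0/24, DMZ web server 192.168.3.10 (adjust as needed).

WAN_IFACE="${WAN_IFACE:-eth0.2}"       # assumed WAN interface name
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # LAN clients whose requests get reflected
DMZ_HOST="${DMZ_HOST:-192.168.3.10}"   # web server in the DMZ VLAN
IPT="${IPT:-iptables}"                 # set IPT=echo to print instead of apply

# Current IPv4 address on the WAN interface, or empty if it has none yet.
# (On OpenWrt, network_get_ipaddr from /lib/functions/network.sh also works.)
wan_ip() {
    ip -4 -o addr show dev "$1" 2>/dev/null \
        | awk '{ sub(/\/.*/, "", $4); print $4; exit }'
}

# One reflection rule: LAN -> <wan ip>:<port> is DNATed to the DMZ host.
# Only DNAT is needed here because LAN and DMZ are separate subnets, so the
# server's replies already return through the router, as found in the thread.
add_reflection_rule() {
    _wan="$1"; _port="$2"; _label="$3"
    "$IPT" -t nat -A zone_lan_prerouting -s "$LAN_NET" -d "$_wan/32" \
        -p tcp -m tcp --dport "$_port" \
        -m comment --comment "!fw3: Web server $_label (reflection)" \
        -j DNAT --to-destination "$DMZ_HOST:$_port"
}

# Install the HTTP and HTTPS rules; refuses an empty WAN address (for example
# when the firewall reloads before the WAN link has an address).
add_reflection_rules() {
    _wan="$1"
    if [ -z "$_wan" ]; then
        echo "firewall.user: no IPv4 address on $WAN_IFACE, skipping reflection" >&2
        return 1
    fi
    add_reflection_rule "$_wan" 80  HTTP  && \
    add_reflection_rule "$_wan" 443 HTTPS
}

# Apply when run as root on the router (fw3 sources this file on reload).
if [ "$(id -u 2>/dev/null)" = 0 ] && command -v "$IPT" >/dev/null 2>&1; then
    add_reflection_rules "$(wan_ip "$WAN_IFACE")"
fi
```

Because fw3 re-runs firewall.user on every reload, a `/etc/hotplug.d/iface` script that runs `/etc/init.d/firewall reload` when the WAN address changes keeps the rules pointing at the new address.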
Actually it was converted to a feature request, because it works as intended. I'm not sure how you missed that on the page you linked.
Did you see my post:
Most importantly, did you see the developer's response in the bug report, who says it should work for the zone too and addresses the future of your said request:
This is by design. The setup of NAT loopback rules is currently tied to the zone of the target host.
I might look into introducing a new option "reflection zones" or similar to change set but I can't promise that it'll happen anytime soon.
Easy @lleachii, I didn't mean to be rude or to complain, my intention was just to point future readers to that ticket. It is a feature wanted not by just a single individual, apparently.
Also, some people call "bug" any report filed in a bug tracker, regardless of its kind, and the LuCI "bug" was closed not because it's a pointless feature but because it's not implemented in the backend to begin with.
Anyway, @trendy kindly provided me with a solution, so I'm not stuck doing what I want.