I have a remote gateway from which I wish to forward everything to the next hop over a tunnel, except for traffic for the gateway itself.
In other platforms I'd just do a catch-all rule with higher-precedence rules to negate the traffic meant for the firewall away from the catch-all rule. It's both (1) fewer rules, which is better for performance, and (2) it would avoid NATting the traffic destined to the firewall in the first place, since it's an exception, not a translation to "self", which in the end should also be best for performance.
There's "unspecified", but there's no indication of what that would entail, and there are no tools to aid with that by maybe helping visualize the traffic, such as pftop for instance, or some formatted live log of the traffic. The closest is …/status/realtime/connections, but it lacks rejected and blocked traffic, source and destination interface, and the NAT or filter rule that put it there.
I had been offloading the job to another firewall sitting in front of it, since I can't figure out how to do full cone NAT (or PBR, or reusable aliases/ipsets) in OpenWRT either, but that's becoming a bit of a headache and negates the point of having OpenWRT in line in the first place. OSPF, on the other hand, is almost offensively easy to do, and that's supposed to be the harder stuff, not this.
Could you guide me out, please? Just the big picture is fine, I'll do my homework if needed.
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
First, you will not see any performance issues. The netfilter devs do periodically perf test, and even with more than 10k rules and 10k sets you see at most a 5% penalty on x86. Smaller plastic boxes, however, are more affected, but if you use those for these jobs then that's another issue...
Regarding priority of rules: first come, first served. If you need a rule before NAT kicks in, then configure your rule before the masquerade on wan.
And if you need no NAT rule at all because there is another edge device doing it, then why not remove the masquerade rule altogether? If I understand your topology correctly.
And if someone does not overcomplicate things then yes, ospf is magically easy peacy as lemon squeezeee
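Added example, not from the thread: how the ordering point above looks in fw4's UCI syntax, assuming the exception is written as a `config nat` section with `target ACCEPT` and that fw4 renders explicit nat sections ahead of the zone's masquerade in the zone's srcnat chain. The zone name, interface and addresses are placeholders.

```uci
# /etc/config/firewall (fragment; added example, not from the thread)
# Zone that masquerades everything leaving over the tunnel.
config zone
	option name 'tun'
	list network 'tun0'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'

# Exception: do not rewrite traffic addressed to the gateway at the far
# end of the tunnel (192.0.2.2 is a placeholder). Assumed: fw4 places
# explicit nat sections before the zone masquerade, so this is matched
# first and the masquerade never sees that traffic.
config nat
	option name 'no-nat-to-peer-gateway'
	option src 'tun'
	option dest_ip '192.0.2.2'
	option target 'ACCEPT'
```

After `fw4 reload`, `nft list chain inet fw4 srcnat_tun` should show the `accept` rule above the `masquerade` rule; if it does not, the ordering assumption does not hold on that build.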
It sucks that I spent hours doing the perfect little graphic only to find the answer myself minutes after posting. It was unspecified.
I re-read all the documentation pertaining to NAT1; there's nothing about it. So, because I'd like the next user with this question to have a better experience (and maybe somebody grabs it and accidentally drops it in the docs. What? I didn't see anything), I made another quick one:
I'm sorry, I got caught up in Designer — it's like therapy to me — and I only saw your answer after answering myself.
Yeah, I had another device doing masquerading but not anymore. I needed to quit relying on that crutch because one of these firewalls is somewhere in a datacenter in Virginia. I don't have the supporting infrastructure there. I mean I could, but it'd cost me.
Now the only remaining things to get a handle on are policy routing and lists/groups. Thanks for answering.
I'm running virtualized, by the way, as you seem to have correctly deduced.